Security of two-way quantum key distribution

Quantum key distribution protocols typically make use of a one-way quantum channel to distribute a shared secret string to two distant users. However, protocols exploiting a two-way quantum channel have been proposed as an alternative route to the same goal, with the potential advantage of outperforming one-way protocols. Here we provide a strategy to prove security for two-way quantum key distribution protocols against the most general quantum attack possible by an eavesdropper. We utilize an entropic uncertainty relation, and only a few assumptions need to be made about the devices used in the protocol. We also show that a two-way protocol can outperform comparable one-way protocols.


INTRODUCTION
Quantum key distribution (QKD) research has been primarily focused on one-way protocols: one party, Alice, prepares states, sends them through an insecure quantum channel, and then another party, Bob, does a measurement [1,2]. However, in the last decade, two-way protocols have been proposed where Bob prepares states, sends them to Alice through an insecure quantum channel, Alice does an encoding on the states, sends them backwards through the same quantum channel, and then Bob performs a measurement [3][4][5][6][7]. Paradigmatic examples of these kind of protocols are the so-called "Ping-Pong" protocol [6] and the LM05 protocol [7]. The former uses entangled states, while the latter uses non-orthogonal states. They have also been experimentally realized [8][9][10][11].
It is not yet clear what the full potential of two-way protocols is, but there are at least several reasons why they are interesting. One motivation is that some twoway protocols are deterministic, that is, they do not require any sifting of the raw keys generated due to a mismatch of basis choices. For example, the LM05 protocol [7] has this advantage. The Ping-Pong protocol, which is based on super dense coding (SDC) [12], has no basis choices and therefore is also deterministic. Moreover, this protocol is conceptually interesting, as SDC can be turned into a QKD protocol.
One implementation of two-way protocols is to use polarization encoding of photons in fiber optics. The polarization drift caused by the fiber then needs to be actively corrected [13][14][15]. However, if signals are sent backwards through the same channel, then the polarization drift is passively corrected by the use of a Faraday mirror at Alice's side. This means that there may be experimental situations in which one-way QKD does not succeed because the error rate is too high but two-way QKD may still be possible. One QKD protocol that exploits this fact is the "Plug & Play" BB84 protocol [16,17]. This implementation ideally yields one raw key bit for each qubit signal sent from Bob to Alice and then from Alice to Bob. From SDC we know that two bits can be communicated by only sending one qubit in this manner. Therefore, another motivation is that the key rate can be increased by using the SDC protocol instead of Plug & Play BB84 by using the same channel resources and without the need of higher dimensional states or more complicated measurements.
A major difficulty when studying the security of twoway protocols is that the eavesdropper, Eve, can attack each signal twice: once on the way from Bob to Alice, and later on its way back from Alice to Bob. This gives her more strategies than in a one-way QKD protocol. In fact, the Ping-Pong protocol has been shown to be insecure [18,19], while recently the LM05 protocol was proven secure, but by assuming the use of qubits and the full characterization of all of the devices [20,21]. Also, the Plug & Play protocol was proven secure [22,23] but by using strong assumptions (e.g. an intensity monitor, phase randomizer, and attenuator are required, and all devices, except the source, are fully characterized).
Unlike these previous approaches, we propose a general security proof strategy through which devices used in the protocol only need to be characterized by a few assumptions. Our assumptions are on the same level as one-way QKD security proofs that use uncertainty and complimentarity, such as the proofs by Mayers [24] and Koashi [25]. This is in contrast to device-independent security proofs where no assumptions are made about devices used in the protocol. However, they require loophole free Bell tests, which are not possible with current technology [26][27][28]. Our assumptions lie between the device-dependent scenario, where devices are completely characterized, and the device-independent scenario. For example, a device may be characterised by a single constant that can be experimentally bounded.
Our proof strategy consists of two main steps. First we show how to "purify" prepare and measure protocols into entanglement based protocols. Second, we apply the entropic uncertainty relation proposed as a tool for security proofs of one-way protocols to the purified protocols [29]. An entanglement-based or purified protocol is one where Eve prepares a state, sends a part of the state to Alice and another part to Bob, and then Alice and Bob perform measurements. The uncertainty relation we use states [29]: given a tri-partite quantum state ρ ABE and two measurements on system A, F X and F Z , described by elements of a positive-operator valued measure (POVM) {F i X } i and {F i Z } i with classical outcomes X and Z respectively, then where H(A|B) is the conditional von Neumann entropy, ∞ (which we call the overlap between the measurements F X and F Z ). Given an operator F acting on a Hilbert space H such that F ≥ 0, then F ∞ := max{ φ|F |φ : φ ∈ H, φ|φ = 1} is the operator norm on positive operators. Using this uncertainty relation and the Devetak-Winter security bound [30], we demonstrate how to prove security against the most general type of attacks for two-way protocols.
Actually we use this method to prove security for two example protocols: a super dense coding (SDC) protocol similar to the Ping-Pong protocol [6] and a protocol similar to LM05 (which we will also refer to as LM05) [7]. For the LM05 protocol we show an improvement of the key rate of [20]. Furthermore, we provide a comparison among relevant two-way and one-way protocols showing that the former can outperform the latter.
Our proof clarifies the analysis of two-way QKD protocols and provides an important step towards deviceindependent security of quantum cryptography in this framework. In addition, our results illustrate that the uncertainty relation Eq. 1 can be useful to prove security of QKD protocols other than BB84.
We proceed by first defining the SDC and LM05 protocols in the scenario where only qubits are used. Second, we describe purified versions of these protocols in order apply the uncertainty relation Eq. 1. Third, we list the assumptions that are needed for the application of this security proof to implementations of these protocols. Fourth, we prove the security of the protocols. Lastly, we compare the key rates to different implementations of the BB84 protocol.

PROTOCOL DEFINITIONS
In the descriptions of the SDC and LM05 protocols below we assume that the states are deterministically prepared and all devices are completely characterised. This is for the ease of describing the protocols and this assumption is not be necessary for the security proofs.
There are some similarities between both protocols: they have two quantum channels between Alice and Bob, Q 1 and Q 2 , which can be attacked by the eavesdropper, Eve, using any strategy allowed by quantum mechanics. Also, Alice and Bob will be performing some X-and Zbasis measurements. These refer to the projections onto the eigenvectors of the Pauli operators σ X and σ Z respectively. In addition, Alice and Bob will do parameter estimation, error correction, and privacy amplification on their raw data after the steps outlined below. They abort their protocol if during parameter estimation they find that one of their relevant error rates is beyond a certain threshold.

Qubit SDC Protocol
Bob's preparation: Bob prepares a maximally entangled state |ψ + = 1/ √ 2(|00 + |11 ) and keeps one half of it in a quantum memory. He sends the other half to Alice through channel Q 1 (see Fig. 1).
Alice: With probability c ≈ 1 Alice applies one of the four Pauli operators 1, σ X , σ Y , σ Z (choosing each with probability 1/4) to the state from the channel Q 1 . She records her choice by storing two classical bits: 00, 10, 11, 01, respectivly. Alice then sends this state into channel Q 2 back to Bob. With probability 1 − c Alice measures the state from channel Q 1 in the Z-basis. She then prepares |+ with probability 1/2 or |− with probability 1/2, where |± := 1/ √ 2(|0 ± |1 ), and sends it into channel Q 2 to Bob.
Bob's measurement: With probability c Bob performs a Bell measurement jointly on his stored qubit and his received qubit from the channel Q 2 . He gets possible outcomes |ψ + , |ψ − , |φ + , |φ − , and then will store the bits 00, 01, 10, 11 respectively. With probability 1 − c he measures his stored qubit in the Z-basis and his received qubit in the X-basis.
Post-processing: Alice and Bob repeat the above procedure N times. Their raw key is the concatenation of all of their two-bit strings together respectively. Alice publicly announces which signals she encoded and which signals she measured.

Qubit LM05 Protocol
In the LM05 protocol [7] Alice and Bob will have the choice to perform either an X-or Z-basis measurement. We use a parameter p to denote the probability that Alice and Bob choose the Z-basis, so 1 − p is the probability that they choose the X-basis. We will consider two possible versions of the protocol for the simplicity of presentation. Version 1 is when p ≈ 1, and Alice and Bob will only use their X-basis measurement for parameter estimation (see Fig. 2). Version 2 is when p = 1/2 and then they will use both X-and Z-basis measurements for parameter estimation and key generation. Note that the choice of p will not affect the key rate.
Bob's preparation: Bob prepares one of the four states |0 , |1 , |+ , |− . He chooses |0 or |1 each with probability p/2, and |+ or |− each with probability (1 − p)/2. When he picks either |0 or |+ he classically stores a 0, when he picks either |1 or |− , he stores a 1 (we refer to this bit as the preparation bit). Bob also stores the basis the state is in. He sends the state to Alice through channel Q 1 (see Fig. 2).
Alice: With probability c ≈ 1 Alice applies one of 1, σ X , σ Y , σ Z (choosing each with probability 1/4) to the state from the channel Q 1 . She records her choice of encoding. With probability 1 − c she applies a X-basis measurement (Version 1), or randomly chooses either an X-or Z-basis measurement (Version 2). Alice then takes the post-measurement state (when a measurement was performed) or the encoded state (where a Pauli-operator was applied) and sends it to Bob through channel Q 2 . Bob's measurement: Bob does a measurement in the same basis he prepared his state in: if he prepared |0 or |1 then he measures in the Z-basis, if he prepared |+ or |− then he measures in the X-basis.
Post-processing: Alice and Bob repeat this procedure N times. If they perform reverse reconciliation then Bob publicly reveals which basis he used for each signal, and Alice reveals which signals she measured and which she encoded. In Version 2 Alice also reveals which basis she measured in for each signal and then Alice and Bob discard their measurement results wherever they measure in different bases. Bob's raw key is the result of the XOR of his measurement outcomes with his preparation bits. Alice's raw key is made up of one of the two classical bits 00, 10, 11, 01 corresponding to the encodings 1, σ X , σ Y , σ Z , respectively. Whenever Bob measured in the Z-basis Alice keeps her first bit, and when Bob measured in the X-basis Alice keeps the second bit.
In direct reconciliation, Bob does not reveal his basis choice and instead Alice reveals whether she applied one of the encodings from the set S 0 := {1, σ Y } or the set S 1 := {σ X , σ Z }. Alice corresponds the encodings 1, σ X , σ Y , σ Z with the bits 0, 1, 1, 0 respectively. Bob then needs to flip his raw bit for each signal that he used the X-basis and Alice announces she applied an encoding from S 1 . Bob performs a measurement in the Z-or X-basis whenever he prepared states in the Z-or X-basis respectively. Bob then does an XOR of his measured bit and his preparation bit corresponding to his prepared state.
We now purify these two prepare and measure QKD protocols by showing that they are equivalent to protocols that start with entangled states distributed by Eve followed by measurements by Alice and Bob.

PURIFIED PROTOCOLS
We introduce two purified protocols that are structured such that a pure state is shared between Alice, Bob, and Eve; and then Alice and Bob perform measurements on this state. These purified protocols are equivalent to the prepare and measure protocols described above. However, less assumptions are needed about the devices used. In the next section we will explain exactly which assumptions about the devices in the prepare and measure protocol are necessary in order to apply our security proofs. Afterwards we will prove the security of the purified protocols.
We can purify Alice's encoding operation in both protocols by finding an equivalence to a POVM acting on the input of the encoding and half of a pure state such that the other half of the pure state is the same as the output from Alice's encoding (see Fig. 3). In addition, the outcome of the POVM is two random bits independent of the input and therefore is the same as Alice's choice of encoding operation using a random string. We use the following lemma to achieve this equivalence (see the appendix for the proof). For the lemma, we define the set of normalized positive semi-definite operators on a Hilbert space H : S(H) := {τ ∈ P(H) : Tr(τ ) = 1}), where P(H) is the set of positive semi-definite operators on H.
.n be a set of n completely positive trace-preserving maps from Hilbert space H A to Hilbert space H D and σ D ∈ S(H D ) be a fixed density operator on H D such that Then there exists a fixed pure state |φ CD in H CD := FIG. 3: A depiction of Lemma 1. An encoding that takes a quantum state and a random string as input, which is used to choose which encoding to perform, always outputs a fixed state (averaged over all encoding choices). This encoding is equivalent to the scenario where a measurement, F , acts jointly on the same quantum state input as the encoding and half of a bipartite pure state |φ . The output of the measurement is a random string, and the other half of |φ is then the same fixed state output from the encoding, averaged over all measurement outcomes of F .
In the prepare and measure protocol there were four encodings that Alice could do, and therefore n = 4 for the application of this lemma. Now that the encoding is purified, we purify all of the preparations of both protocols.
In the perfect qubit version of both protocols, Alice and Bob's preparations are equivalent to starting with a maximally entangled state |ψ + = 1/ √ 2(|00 + |11 ) followed by a Z-or X-basis measurement (or probabilistic distribution over the choice of the two measurements). More generally, if we only assume that the preparations are of qubits then they are equivalent to the maximally entangled state |ψ + , followed by a measurement on one of the two qubits. The non-measured qubit is then the same as the prepared qubit [31]. It only makes Eve more powerful to prepare both entangled states from Alice's encoding and from the purifications of the preparations, so we can let her prepare these states. Now the protocols can be described as follows. Eve prepares a state ρ ABE and sends A to Alice and B to Bob, and keeps part E. Alice and Bob perform one of two measurements on each of their systems. Then Alice and Bob do post-processing as in the prepare and measure protocol. Before we prove the purified protocol's security, we outline which assumptions we will make for the security proof to hold.

ASSUMPTIONS
To specify exactly when our security proofs will apply, we explicitly state the assumptions we will make about the devices used in the protocols. Afterward we will discuss how these assumptions can be justified. 5. There are no losses in the channels or detectors.
Assumption 1 is needed in order to purify the preparation process. Assumption 2 is needed in order for the encoding to have a purified form. Assumption 3 is needed so that we can analyze the measurement outcomes in an i.i.d. way. Assumption 4 is needed to apply the uncertainty relation Eq. 1. Assumption 5 is made for the convenience of the security analysis, but can be removed if Alice and Bob randomly assign a bit value for their measurement in a time where a signal was sent but they did not receive a measurement outcome. Assumption 1 is valid if the preparations are done in a purified way. Assumptions 2 and 3 are idealized assumptions necessary for our security proof method. However, Assumption 3 is common for both device-independent and device-dependent security proofs [26][27][28]. Assumption 2 requires knowledge about Alice's encoding device, and could be justified to a good approximation. Such assumptions are typical for device-dependent security proofs [1]. However, Assumption 2 is not necessary if the purified protocol is implemented directly.
The overlap γ that characterises the devices in Assumption 4 cannot be obtained without a description of the POVMs for the measurements (if reverse reconciliation is performed), or a description of the encoding map (if direct reconciliation is performed). However, Alice and Bob can put a bound on a so-called 'effective overlap': γ * . This effective overlap is defined differently than the overlap in Eq. 1 (see Definition 7.2 in [32]), but it satisfies the same uncertainty relation: The effective overlap has the advantage that it can be upper bounded by measuring a CHSH value [33] if the measurements have binary outcomes. We now define the CHSH value and then we will describe the upper bound on the effective overlap. Given a bipartite system, let M and N be random variables representing the measurement outcomes from choosing one of two measurements randomly on one part of the system, and let R and S be random variables representing the measurement outcomes from choosing one of two measurements randomly on the other half of the system. Then the CHSH value, β, is defined as Since the LM05 protocol measurements and encoding choice are binary, the CHSH value provides an upper bound for the effective overlap. It is not yet known if the same relation between the effective overlap and a CHSH value holds for more than two measurement outcomes [34]. Therefore, it is not known how the effective overlap may be upper bounded by the CHSH value for the SDC protocol since there are four measurement outcomes and four encoding choices in this protocol.
For the LM05 protocol, as long as preparations are done in a purified way, Alice and Bob can run Version 2 of the LM05 QKD setup and find the CHSH value between Alice's encoding choice and Bob's measurement outcomes. More precisely, Bob's XOR of his Z-and Xbasis measurement outcomes with his preparation bit define the random variables R and S, while Alice's bit values that correspond to the encoding sets S 0 and S 1 define M and N . Despite Alice not performing a measurement we can still define the CHSH value this way, since from Assumption 2 we are guaranteed that Alice's encoding corresponds to a measurement via Lemma 1, where her encoding choice corresponds to the measurement's outcomes.
The effective overlap is bounded by Note that no additional devices are needed to put a bound on the effective overlap. Also, if desired, Alice or Bob (depending on whether direct or reverse reconciliation is performed) can measure the CHSH value by themselves by using another measurement device on their side. Alice can measure her CHSH value in the same way as Alice and Bob did it jointly. Bob can measure his CHSH value by running the purified QKD setup. In summary, Assumption 4 can be justified by an experimental test on the devices used in the LM05 protocol (see [32,34] for more details).
For the security proofs below we fix the overlap in Assumption 4 for each protocol. The overlap for the SDC protocol, when reverse reconciliation is performed, between Bob's two measurements is assumed to be 1/4 (which is true for the ideal Bell and Z ⊗ X-basis measurements). For the LM05 protocol, where Bob's preparations are done with a bipartite state and a measurement, we assume that there are two measurements that have an overlap of 1/2 with Bob's measurements followed by an XOR of the outcomes. The first is his measurement on half of his prepared pure state in the other basis and the second is his measurement in the other basis on channel Q 2 . Note that this overlap occurs between the ideal Z ⊗ Z-basis measurement followed by an XOR of the outcomes and the X-basis measurement on his prepared pure state and his X-basis measurement on the input from channel Q 2 . In the case of direct reconciliation this assumption changes to the overlap between Alice's POVM associated with her encoding (via Lemma 1) and her measurement tensored with her purified preparation measurement. While we have made these rigid assumptions for the security proofs, we can relax the assumption that these overlap is exactly 1/2 for the LM05 protocol and instead use the CHSH value bound on the effective overlap [32,34].
Assumption 5 is clearly not experimentally justifiable. However, it can be removed if, whenever there is a missing measurement outcome at Alice or Bob's detector, Alice and Bob randomly assign a bit value. The error rates will be increased, decreasing the key rate significantly. We leave a more detailed analysis of loss as future work, which could follow along similar lines as [31].
It is important to note that no assumptions are necessary about the Hilbert space that the signals of the protocols are in (except, possibly, qubit preparations). In addition, no assumptions need to be made about the internal structure of the measurements on each signal, descriptions of the preparations of bipartite states, or the quantum memory used in the SDC protocol.

SECURITY PROOFS
The security proofs of the purified protocols can be found via the Devetak-Winter rate [30], followed by the application of the uncertainty relation of Eq. 1 [29]. The security proofs can then be applied to the non-purified SDC and LM05 protocols since they are equivalent to the purified protocols. This equivalence is guaranteed under Assumptions 1 and 2 of the previous section.

SDC Protocol
Now we define some states useful for the security proof. The state that Alice, Bob, and Eve share after Alice and Bob have done their measurements is where Z A and Z B are the classical strings that result from Alice and Bob's measurements, F A and F B , which are represented as completely positive trace preserving (CPTP) maps. We assume that the measurements F A and F B act independently on each signal, so that we can apply the uncertainty relation to each measurement independently. Using Assumption 3 from the previous section, the measurement's POVM elements have the form . . . We also define another state, ξ, where we only change Alice's measurement. This state has the important property that H(Z B |E) τ = H(Z B |E) ξ . Intuitively this means that Eve's information about Bob's string does not depend on Alice's measurement. The state ξ is defined as where X A is the classical string output from the measurement G A on Alice's side. We do not characterize G A . However, we assume that the POVM elements of G A are independent, and therefore have the form { j G ij A } i (Assumption 3). We now define a third state that will be used for the application of the uncertainty relation [29]: where G B have POVM elements of the form { j G ij B } i (Assumption 3) and its classical output is denoted as X B .
In addition, the only characterization we make for any of the measurements is that the overlap between G B and . If Alice and Bob do one-way classical communication for the post-processing after the protocol from Alice to Bob and Bob's measurement outcomes are used as the raw key (which we call reverse reconciliation), then we can write the Devetak-Winter rate [30] as where h d is the d-ary Shannon entropy, q F is the error rate probability distribution generated from Z A and Z B , and q G is the error rate probability distribution generated from X A and X B . Specifically, these error rate probability distributions consist of the probability that both bits are the same, both bits are different, only the first bit is different, and only the second bit is different.
In going from Eq. 9 to Eq. 10 we use the fact that H(Z B |E) τ = H(Z B |E) ξ and we upper bound the entropy H(Z B |Z A ) τ by h 4 (q F ) by using the method of types (Lemma II.2 of [35]). From Eq. 10 to Eq. 11 we use the uncertainty relation Eq. 1 with the measurements F B and G B . In Eq. 12 we use the method of types to bound H(X B |X A ) σ by h 4 (q G ).
Alice and Bob estimate the error rates q G and q F by revealing X A and X B as well as a small fraction of their Z A and Z B strings in jointly specified positions chosen uniformly at random. Alice and Bob have access to these strings in the prepare and measure SDC protocol because Bob actually performs F B and G B (these are the Bell and Z ⊗ X-measurements in the perfect qubit scenario respectively); Alice uses her encoding bits (which correspond to her string Z A in the purified protocol via Lemma 1); and her measurement and her resending of the post-measurement state correspond to X A .
We have permutation invariance of the two-bit outcomes and so we can apply the quantum de Finetti theorem of Renner [36] to the protocol. Therefore the key rate Eq. 12 is applicable for the most general type of attacks by Eve. Due to the symmetry of the purified protocol we could equivalently do direct reconciliation, where Alice uses her classical string as the key and Bob corrects his raw string. In this case the key rate is the same.

LM05 Protocol
The security proof of this protocol follows the same method as the proof for the SDC protocol, however, there are two differences that need to be taken into account. The first is that Bob chooses a different basis for each of his individual inputs from the channel Q 2 according to a classical string, Θ. When a bit of Θ is 0, Bob will measure in the Z-basis, and when a bit of Θ is 1, Bob will measure in the X-basis. The other difference is that there are two different measurements that have the desired overlap with Bob's measurement F B in the uncertainty relation Eq. 1 in the main text. In the perfect purified protocol, Bob's measurement is a Z ⊗ Z-basis measurement followed by an XOR of the two measurement outcomes. Note that this measurement only has a one bit outcome, and therefore the minimum overlap it can have with another measurement is 1/2. The Z ⊗ Z measurement with an XOR has two measurements with overlap 1/2, as can be easily verified: measuring the first qubit in the X-basis and discarding the second qubit or measuring the second qubit in the X-basis and discarding the first qubit.
Now we define three states as we did in the SDC protocol's security proof. We consider the case where reverse reconciliation is performed and we discuss the case of direct reconciliation at the end of this section. The state that Alice and Bob share after they have done their measurements, Bob has publicly announced his basis choices, and Alice has done the sifting of her encoding bits is The classical outcomes of the measurements for Alice and Bob are written as W A and W B respectively. We assume (Assumption 3) that F Θ A and F Θ B have POVM elements that are independent on each signal so that the uncertainty relation can be applied to each individual measurement. They have the form For the second state, we change Alice's measurement to be G Θ,i A , which has classical outcome V i A , and i ∈ {0, 1} is a bit denoting two different measurements Alice could choose. As with the SDC protocol, we do not specify the measurements G Θ,i A . However, we do require that G Θ,i A has POVM elements of the form { k G Θ,i,j k A } j (Assumption 3). This gives the state Now we also define another state (which we'll use for the uncertainty relation), where we change the measurement on Bob's side to be G Θ,i B . That is The measurement G Θ,i B has classical outcome V i B . The measurement G Θ,i We can now consider the Devetak-Winter rate [30]: The error rates q G i are generated from V i A and V i B , and q F is generated from W A and W B . Also, the binary entropy is defined as h(q) := q log 2 q + (1 − q) log 2 (1 − q).
From Eq. 16 to Eq. 17 we use the data processing inequality on the second term to trace out Θ. From Eq. 17 to Eq. 18 we use the fact that H(W B |EΘ) τ = H(W B |EΘ) ξ i , as well as the method of types to bound the entropy H(W B |W A ) by h(q F ) (Lemma II.2 of [35]). In going from Eq. 18 to Eq. 19 we apply the uncertainty relation Eq. 1 of the main text using the overlap of 1/2 between the measurements G Θ,i B and F Θ B . In the last line, Eq. 20, we use the method of types to bound H(V i B |V i B ) σ i by h(q G i ). Since Eqs. 16 to 20 hold for i = 0 or i = 1 we can choose which lower bound on the rate r we would like to use. We would like to have a high lower bound and therefore we pick the minimum of the two binary entropies: To estimate the error rates q G i and q F for Version 1 of the LM05 protocol, Alice and Bob reveal V i A and V i B as well as a small fraction of their W A and W B strings in jointly specified positions chosen uniformly at random. In Version 2, Alice and Bob reveal a small fraction of both their V i strings and W strings in jointly specified uniformly random positions. Alice and Bob have access to these strings in the prepare and measure LM05 protocol because V 0 A is the string of Alice's measurement outcomes and V 0 B is the string of Bob's preparation bits, while V 1 A is the string of Alice's preparation bits (i.e. from her post-measurement state) and V 1 B is the string of Bob's measurement outcomes before doing his XOR. W A and W B come from Alice's encoding bit (see Lemma 1), and Bob's XOR of his measurement outcomes and preparation bits. In both versions, the resulting key rate is the same.
It is important to note that since there is a minimization in Eq. 21 Alice can choose to either not do a measurement or not do a preparation and then the key rate loses the minimization, and instead she just uses the error rate that is estimated (q G 1 for the former choice and q G 0 in the latter).
Also, we have permutation invariance of the outcomes (due to the i.i.d. form of the measurements from Assumption 3) and so we can apply the quantum de Finetti theorem of [36] to this protocol. Therefore the key rate Eq. 21 is applicable for the most general type of attacks by Eve.
In addition, we could have chosen to do direct reconciliation instead of reverse reconciliation. In this case, the string Θ would represent Alice's choice of encoding from the set S 0 or S 1 . The proof continues in the same manner and the resulting key rate is the same.

COMPARISON WITH BB84
If we set the quantum channels to be fixed resources, then we can use two BB84 protocol implementations to compare with the SDC and LM05 protocols. The first is two one-way BB84 protocols from Alice to Bob (with an asymmetric basis choice so that basis sifting is negligible in the infinite key limit). The second is the Plug & Play version of BB84 using strong laser pulses (see [2] and references therein). Note that Plug & Play BB84 does not have the same level of security as oneway BB84 [22,23], LM05, or SDC as the measurement devices need to be characterized. If we model the two channels as depolarizing independent identical channels [8,9,11] where q is the probability of depolarizing and d the dimension of the Hilbert space on which ρ acts, then we see the key rates of Fig. 4 (Top). The error rate plotted is q/2: the probability of having an error when measuring a signal sent through one of the channels, since with probability q the state is maximally mixed. Since the channels are independent, the probability of being depolarized after passing through both channels in succession is 2q − q 2 .
If instead only one channel is used for communication from Alice to Bob and Bob to Alice, with the polarization drift on the forward channel partially corrected by going back through the channel [37], then the key rates follow Fig. 4 (Bottom). That is, the probability of a state being depolarized after passing through the channel is q and the probability of a state being depolarized after passing through the channel one way and then being sent backwards through the same channel is then only q (which is less than 2q − q 2 , which would be the error rate if the channels were independent). In Fig. 4 (Bottom) the error rate of the x-axis is also q/2 for easy comparison with Fig. 4 (Top).
Note that the error rates used to calculate the key rate of the SDC protocol depend upon the probability of getting errors in the first bit only, the second bit only, and both bits of the two-bit measurement outcomes. This means that these error rates for the G-measurement basis (the Z ⊗ X-basis in the perfect implementation) are q/2(1 − q/2), (1 − q/2)q/2, and q 2 /4 respectively for the situations in Fig. 4. For the F -measurement basis (the Bell-basis measurement in the perfect implementation) the error rates are all (2q − q 2 )/4 for the situation in Fig. 4 (Top) and q/4 for the situation in Fig. 4   the error rate (i.e. half the probability of having a state depolarized) for uncorrelated independent identical depolarizing channels. Bottom: Log base 10 of the key rates vs. the error rate (i.e. half the probability of having a state depolarized) in one channel, where the channels are correlated such that the probability of becoming depolarized through one channel is the same as the probability of being depolarized when going forwards and backwards through the same channel. The plotted key rates are: two copies of the one-way BB84 protocol performed from Alice to Bob and from Bob to Alice (blue, solid), the SDC protocol (green, dashed), the LM05 protocol (cyan, dot dashed), the Plug & Play protocol (red, dotted).

tom).
Importantly, the SDC protocol key rate exceeds both BB84 key rates in the scenario of Fig. 4 (Bottom), and it can also tolerate a higher error rate of 11.8%. This is because the correlation between the forward and backward channel makes the error rate in the F -measurement basis lower. This advantage increases if the error rate of passing forwards and then backwards through the channel is smaller. CONCLUSION We have shown a general method to prove security of two-way QKD protocols. We have applied this proof method to two such protocols, namely one based on super dense coding (SDC), and another based on a previously proposed two-way protocol (LM05) [7]. These two protocols are secure against the most general types of attacks by an eavesdropper and provide the following key rates: where in the later i = 0, 1 denotes two possible measurements Alice could choose. Importantly, few assumptions are needed about the devices used. This is a step towards device independence for two-way QKD protocols. We make the following assumptions to apply our security proof: preparations are done in a purified way (i.e. an arbitrary bipartite state is prepared and half of it is measured, while the other half is used as the preparation), Alice's encoding output is a fixed state, measurements are done independently on each signal, and a fixed overlap constant characterizes either Bob or Alice's devices (depending on whether reverse or direct reconciliation is performed). The first assumption can instead be the assumption that qubits are prepared. Interesting future work could be to remove some of these assumptions while still providing the same rates of security. We have shown that these protocols have comparable performance to different implementations of the BB84 protocol, and can even exceed the BB84 rate in certain relevant parameter regimes. In addition, the key rate we obtain for the LM05 protocol is higher than that of [20].
The determinism of two-way protocols in the infinitekey case is not an advantage since an asymmetrical basis choice in the BB84 protocol makes it deterministic as well. However, in the finite-key regime, the BB84 protocol is not deterministic [31]. Therefore both the SDC and LM05 protocols will have an advantage over BB84 implementations when finite keys are used.
In addition, an advantage that the LM05 protocol has, which is not apparent in the infinite key limit, is that there is a higher fraction of key bits per signal sent compared to the BB84 and SDC protocols. If the basis bias for BB84 and the SDC protocol used for parameter estimation is p, then 2p(1 − p) fraction of the signals are lost due to basis sifting. However, in the LM05 protocol, if c is the probability that Alice does her measurement, and p is the probability that Alice and Bob use the Z-basis, then only 2p(1 − p)c fraction of the signals are lost. This advantage would have a positive effect on the finite-key rate.
Our work paves the way for fully exploiting the potential of entropic uncertainty relations in two-way QKD with finite-key sizes for any possible implementation. We did not evaluate the finite-key regime here, but the techniques of [31,38] could be used to show security for twoway protocols. We leave this as future work.

APPENDIX
Here we provide the proof of Lemma 1 that purifies Alice's encoding operation. It establishes an equivalence between a POVM acting on half of a pure state and a CPTP map of a particular form. 1 AC ), such that ∀i, ∀ρ A ∈ S(H A ) we have Proof. Summing over i in Eq. 23 implies that we require Tr C (|φ CD φ|)=σ D , and therefore we fix |φ CD to be a purification of σ D . Now we can constructively determine what the POVM elements F i AC are in terms of σ D and the maps E i . Then we will show that this construction of the POVM satisfies all necessary requirements above.
Let σ D = j λ j |j D j|, so then |ψ CD = j λ j |jj CD . Expanding ρ A in an orthonormal basis {|ψ m } m gives ρ A = ml r ml |ψ m A ψ l |, which allows us to write Eq. 23 as jkml nTr AC F i AC r ml |ψ m A ψ l | ⊗ λ j λ k |jj CD kk| = jkml nr ml λ j λ k AC ψ l k|F i AC |ψ m j AC |j D k| = ml r ml E i (|ψ m A ψ l |).
This must be true for all ρ A and therefore we have ∀ m, l jk n λ j λ k ψ l k|F i AC |ψ m j |j D k| = E i (|ψ m ψ l |), n λ j λ k ψ l k|F i AC |ψ m j = j|E i (|ψ m ψ l |)|k ∀m, l, j, k.
Eq. 25 gives a constructive way of finding the POVM elements F i AC . If σ D has full rank then F i AC is completely determined by this equation. If σ D is not of full rank then F i AC can be decomposed into a part on the support of σ C := Tr D (|φ CD φ|) and its kernel: . The block on the suppσ C is completely specified by Eq. 25, and the block on kernσ C can be chosen arbitrarily as long as F i AC kernσ C ≥ 0, for all i and satisfy i F i AC kernσ C = 1 AC kernσ C . It is clear from Eq. 25 that i F i ACsuppσ C = 1 ACsuppσ C . Now we need to verify that the POVM elements satisfy F i AC ≥ 0 for all i. We write the maps in their Choi-Jamio lkowski representation [39,40]: where J i AD are the Choi-Jamio lkowski matrices for the maps E i . Now we can write F i ACsuppσ C from Eq. 25 as where J i AC := jk |j CD j|J i AD |k DC k|. From this form it is clear that this block is positive, and so F i AC ≥ 0 for all i.