Bell nonlocality is not sufficient for the security of standard device-independent quantum key distribution protocols

Device-independent quantum key distribution is a secure quantum cryptographic paradigm that allows two honest users to establish a secret key, while putting minimal trust in their devices. Most of the existing protocols have the following structure: first, a bipartite nonlocal quantum state is distributed between the honest users, who perform local measurements to establish nonlocal correlations. Then, they announce the implemented measurements and extract a secure key by post-processing their measurement outcomes. We show that no protocol of this form allows for establishing a secret key when implemented on any correlation obtained by measuring local projective measurements on certain entangled nonlocal states, namely on a range of entangled two-qubit Werner states. To prove this result, we introduce a technique for upper-bounding the asymptotic key rate of device-independent quantum key distribution protocols, based on a simple eavesdropping attack. Our results imply that either different reconciliation techniques are needed for device-independent quantum key distribution in the large-noise regime, or Bell nonlocality is not sufficient for this task.

arXiv:2103.02639v2 [quant-ph] 2 Aug 2021

In this work, we show this not to be the case for DIQKD protocols consisting of the following two steps: (i) nonlocal correlations are established by applying local measurements on an entangled quantum state; (ii) the implemented measurements are announced and the key is constructed by classically post-processing the outcomes. Most of the existing DIQKD protocols have this form and, hence, in what follows we refer to such protocols as standard protocols. To prove the result, we provide a generic tool for upper-bounding key rates in DIQKD. We then apply our tool to standard protocols implemented on a two-qubit Werner state [18] using an arbitrary number of projective measurements. We show that for a range of visibilities for which the Werner state is known to be nonlocal, the upper bound on the key rate is zero, and therefore no standard DIQKD protocol can be secure. This means that there exist nonlocal correlations that cannot be used for standard DIQKD, and, furthermore, that there exist nonlocal quantum states that cannot be used for standard DIQKD with projective measurements. We also show how the provable region of insecurity can be enlarged when fixing the number of measurements in the protocol. In particular, we compute visibilities for which the commonly used protocols based on the (biased) CHSH inequality [1,2,9,11-14] all become insecure despite the correlations still being nonlocal.
Methods. Formally, in a DIQKD protocol two parties, Alice and Bob, have access to a bipartite quantum state, $\rho_{AB}$, represented by a positive semidefinite operator with unit trace on the tensor product Hilbert space, $\mathcal{H}_A \otimes \mathcal{H}_B$. The protocol consists of several rounds, in each of which Alice and Bob choose a particular quantum measurement to measure their part of a fresh copy of $\rho_{AB}$. In particular, Alice chooses a measurement labelled by $x \in \{0, 1, \ldots, n_A - 1\} \equiv [n_A]$, and Bob chooses a measurement labelled by $y \in [n_B]$. Without loss of generality, we assume that each of Alice's (Bob's) measurements has $k_A$ ($k_B$) possible outcomes. According to quantum theory, $k_A$- ($k_B$-)outcome measurements correspond to a set of $k_A$ ($k_B$) positive semidefinite operators on $\mathcal{H}_A$ ($\mathcal{H}_B$), adding up to the identity operator $\mathbb{I}_A$ ($\mathbb{I}_B$). We denote these measurement operators by A Then, the correlation shared by Alice and Bob reads specifying the probabilities of observing the outcomes $a$ and $b$, given that the measurements $x$ and $y$ were selected. The raw data in the protocol corresponds to the pair of strings held by Alice and Bob containing the measurement outcomes and the implemented measurements, collected over all protocol rounds. Since individually Alice and Bob only have access to their marginal statistics, they publicly reveal the measurement settings and outcomes for a fraction of this data to estimate the joint statistics and detect its nonlocality. This part of the dataset is discarded. The secret key is distilled by classically post-processing the remaining dataset with the help of public communication, so that they finally hold identical strings that must appear perfectly random to any third party.
As stated earlier, in this work we consider what we call standard protocols, in which the measurements implemented by Alice and Bob are announced in the key distillation part. Apart from this constraint, the rest of the protocol is arbitrary. This family is quite broad and covers most DIQKD protocols introduced so far [1,2,9,11-14], with only a few exceptions proposed to date (see e.g. Ref. [19]).
In order to upper-bound the key rate for a given DIQKD protocol, it suffices to consider a particular model of the eavesdropper, Eve. Here, we restrict the analysis to individual attacks that do not require any quantum memory [20]. In device-independent protocols, Alice and Bob have no knowledge of the form of the state $\rho_{AB}$ and the measurements $\{A^x_a\}$, $\{B^y_b\}$, and it is precisely this lack of knowledge that Eve makes use of in her attack. In particular, we assume that she knows the precise form of the measurement operators and that she is the one distributing the quantum state (therefore effectively distributing quantum correlations) to Alice and Bob in each round.
In our convex combination (CC) attack, originally considered for eavesdroppers limited only by the no-signalling principle [19,21], Eve distributes local deterministic correlations with certain probabilities that give rise to a local correlation $p^{L}_{AB}(a, b|x, y)$ with overall probability $q_L$, and she distributes a nonlocal quantum correlation $p^{\mathrm{NL}}_{AB}(a, b|x, y)$ with probability $1 - q_L$. While presented in this form for the sake of simplicity, Eve can equally implement the attack by fixing the measurements of Alice and Bob and preparing a unique quantum state $\rho_{ABE}$. Eventually, the observed correlation of Alice and Bob takes the form and we call $q_L \in [0, 1]$ the local weight. Since nonlocality is necessary for secure DIQKD, in the CC attack Eve maximises $q_L$ for the given observed correlation $p_{AB}(a, b|x, y)$ and a judiciously chosen nonlocal quantum correlation $p^{\mathrm{NL}}_{AB}(a, b|x, y)$. We apply the CC attack to the standard DIQKD protocols introduced above. Since Alice and Bob announce their inputs for every round, Eve knows their outcomes in all rounds in which she distributes a local correlation. We represent this knowledge by the classical variable $e$, and we write $e = (a, b)$ for the local rounds. On the other hand, we assume in what follows that Eve is not correlated to the nonlocal part of the correlation of Alice and Bob, denoted by $e = ?$. Therefore, for any combination of inputs $x$ and $y$, Alice, Bob and Eve share correlated random variables distributed as $p_{ABE}(a, b, e|x, y) = q_L \cdot p^{L}_{AB}(a, b|x, y) \cdot \delta_{e,(a,b)}$ where $\delta$ is the Kronecker delta.
Well-established results in classical cryptography prove that the asymptotic key rate $r$ extractable from a dataset of strings distributed according to $p_{ABE}(a, b, e)$ is upper-bounded by the intrinsic information [22,23], where $I(A : B|F) = \sum_f p_F(f) \cdot I(A : B|F = f)$ is the conditional mutual information of $p_{ABF}(a, b, f)$, and the minimisation is taken over all stochastic maps $E \to F$ that map the variable $E$ (with values $e$) to a new variable $F$ (with values $f$), such that the alphabet size of $F$ is at most that of $E$ [24]. While this minimisation may be hard, any candidate stochastic map provides a valid upper bound.
When applying this bound to the CC attack, the key rate is upper-bounded by where the sum runs over all those settings $(x, y)$ from which the key is distilled, $p_{xy}$ is the probability of Alice and Bob choosing the settings $x$ and $y$, respectively, and $I_{xy}(A : B \downarrow E)$ is the intrinsic information of the distribution in Eq. (3). Note that the bound in Eq. (5) is based only on the observed correlation, without any assumption on the state or the measurements.
Nonlocality is not sufficient for DIQKD. In what follows, we prove that there exist nonlocal correlations that cannot be used for secure key extraction with standard DIQKD. We do this by applying the CC attack on any correlation obtained by performing arbitrary projective measurements on the two-qubit Werner state [18] with visibility $v \in [0, 1]$, where It is known that for arbitrary (even infinitely many) projective measure- [25]. On the other hand, it is also known that there exist projective measurements that give rise to nonlocal correlations for $v \geq v^{w}_{\mathrm{NL}} :\approx 0.6964$, see Ref. [26]. Let us consider all DIQKD protocols that use correlations obtained by implementing arbitrarily many projective measurements on the Werner state. The measurements can be written as , $\alpha_x$ and $\beta_y$ are unit vectors in $\mathbb{R}^3$, and $\sigma = (X, Y, Z)$ is a vector containing the Pauli matrices. It is easy to verify that where . The CC attack we consider is rather intuitive: it uses the nonlocal correlation $p^{\mathrm{NL}}_{AB} = p^{v=1}_{AB}$, and local deterministic correlations that sum up to the correlation for the provable local Werner state, $p^{L}_{AB} = p^{v=v^{w}_{L}}_{AB}$. It is easy to verify that in this case we have that . For now, let us assume that $s^{1}_{xy} \equiv s^{v=1}_{xy} \geq \frac{1}{2}$. This implies that in the ideal ($v = 1$) case, the outcomes of Alice and Bob are correlated, i.e., they observe $a = b$ more often than $a \neq b$ [see Eq. (7)].
For this reason, in her stochastic relabelling $E \to F$, Eve will attempt to become as correlated to the $a = b$ events as possible, that is, she picks $f = a$ whenever the correlation is local and $a = b$. In order to reduce the conditional mutual information of all the other events, she sets $f = ?$ for all the remaining cases. The resulting distribution reads Note that a similar distribution can be introduced for the case of $s^{1}_{xy} < \frac{1}{2}$, in which case Eve becomes correlated with the $a \neq b$ events. For the distribution in Eq. (8) we have that $I_{xy}(A : B|F = a) = 0$ for all $a$, so the final bound on the key rate is given by where $I_{xy}(A :$ To compute the upper bound, we need to calculate the terms $I_{xy}(A : B|F = ?)$ in Eq. (9), that is, the mutual information of the distribution where $s^{w}_{xy} = s^{v=v^{w}_{L}}_{xy}$ and $s^{1}_{xy} = s^{v=1}_{xy}$. The mutual information is clearly zero whenever Note that while $I_{xy}(A : B|F = ?)$ is in general positive for $v < v_{xy}$, a slight modification of the CC attack leads to $I_{xy}(A : B|F = ?) = 0$ for any $v \leq v_{xy}$. This is achieved by a stochastic relabelling $E \to F$ in which Eve only maps some fraction $\lambda_{xy}$ of her variables $e = (a, b)$ with $a \neq b$ to $f = ?$, and leaves the remaining fraction $1 - \lambda_{xy}$ invariant.
It is straightforward to verify that with a properly chosen $\lambda_{xy}$, this relabelling leads to $I_{xy}(A : B|F) = 0$ for any $v \leq v_{xy}$. Also note that $v_{xy}$ is monotonically decreasing in $s^{1}_{xy}$, and hence, it reaches its lowest possible value at $s^{1}_{xy} = 1$. This gives rise to the critical visibility of the Werner state, An analogous derivation yields the same critical visibility for $s^{1}_{xy} < \frac{1}{2}$. From the above arguments, it follows that whenever the visibility is $v^{w}_{\mathrm{NL}} \leq v \leq v^{w}_{\mathrm{crit}}$, Alice and Bob cannot extract a secure key from correlations obtained from the Werner state with any (even infinite) number of projective measurements, even though the state is nonlocal (i.e., there exist projective measurements that, measured on the state, give rise to nonlocal correlations) and distillable [27]. This means that the Bell nonlocality of the observed correlation is in general not sufficient for DIQKD whenever Alice and Bob announce their measurement settings, and, moreover, that there exist nonlocal states that cannot be used for standard DIQKD with projective measurements.
However, for a fixed protocol, the bound on the critical visibility can be improved. This is because in the setting of the CHSH-based protocols, the polytope of local correlations is completely characterised [28]. One can verify that in the CHSH-based protocols, if Alice and Bob observe a correlation that corresponds to the Werner state with visibility $v$, then this correlation is local if and only if $v \leq v^{\theta}_{L} := 1/(\cos\theta + \sin\theta)$ [29]. Therefore, an improved bound on the critical visibility for the CHSH-based protocols is given by That is, for a range of visibilities for which the observed correlation is nonlocal, Alice and Bob cannot extract a secure key. Note that the same critical visibility holds for the recently introduced modification of the standard CHSH-based protocol in Ref. [30], where the authors add a fourth setting for Bob. Indeed, since the local polytope is completely characterised in this case as well [28], one can verify that the correlation becomes local at the same visibility $v^{\theta}_{L}$ [29]. Last, we note that in the CHSH-based protocols, Alice and Bob usually extract their key from the setting pair $x = 0$ and $y = 2$, by setting $p_{02}$ in Eq. (5) arbitrarily close to 1. In this case, it is possible to compute the upper bound in Eq. (9) for any visibility $v \geq v^{\theta}_{\mathrm{crit}}$, and we get where $s^{\theta} = \frac{1}{2}(1 + v^{\theta}_{L})$ and $q^{\theta}_{L} = (1 - v)/(1 - v^{\theta}_{L})$. In Fig. 1 we plot the bound for the standard CHSH protocol ($\theta = \pi/4$), and show that it outperforms the recently derived upper bounds [15,17] near the critical visibility.
Fig. 1 (caption, beginning missing): ... [15], the dashed line is the upper bound from [17], and the solid line is the bound in Eq. (14). Note that the visibility can be converted into the CHSH violation $S$ via $S = 2\sqrt{2}\,v$. The shaded area represents the lower bound from [1].
In the Supplemental Material we also describe a two-dimensional region in the set of quantum correlations corresponding to correlations from the biased CHSH protocol that are nonlocal but cannot be used to extract a key using standard DIQKD [29].
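
The bound for the key setting pair can be checked numerically. The following is an added example, not code from the paper: it builds the distribution of Alice, Bob and Eve's relabelled variable $F$ under the CC attack for the CHSH-based protocol with $p_{02} \to 1$, and evaluates $I(A : B|F)$ using $v^{\theta}_{L}$, $s^{\theta}$, $q^{\theta}_{L}$ and $v^{\theta}_{\mathrm{crit}} = (v^{\theta}_{L} + 1)/(3 - v^{\theta}_{L})$ as given in the text. It assumes that the outcomes in the key setting have uniform marginals with $P(a = b) = s$, and that the nonlocal part is perfectly correlated ($s^{1} = 1$); all function names are hypothetical.

```python
import math

def v_local(theta):
    """Visibility at which the CHSH-based correlation turns local: 1/(cos t + sin t)."""
    return 1.0 / (math.cos(theta) + math.sin(theta))

def v_crit(theta):
    """Critical visibility (v_L + 1)/(3 - v_L) below which the bound is zero."""
    vl = v_local(theta)
    return (vl + 1.0) / (3.0 - vl)

def mutual_information(joint):
    """I(A:B) in bits of a normalised joint distribution {(a, b): probability}."""
    pa, pb = {}, {}
    for (a, b), w in joint.items():
        pa[a] = pa.get(a, 0.0) + w
        pb[b] = pb.get(b, 0.0) + w
    return sum(w * math.log2(w / (pa[a] * pb[b]))
               for (a, b), w in joint.items() if w > 0)

def cc_attack_bound(v, theta=math.pi / 4, relabel=True):
    """Upper bound I(A:B|F) on the key rate from the key setting (p_02 -> 1)."""
    vl = v_local(theta)
    if v <= vl:
        return 0.0                       # fully local: Eve knows every outcome
    q_l = (1.0 - v) / (1.0 - vl)         # local weight q_L
    s_l = 0.5 * (1.0 + vl)               # P(a = b) in the local part
    s_nl = 1.0                           # assumption: P(a = b) = 1 in the v = 1 part
    # Fraction lam of local a != b rounds that Eve maps to f = '?'. lam = 1 is
    # the plain attack; a smaller value flattens the f = '?' distribution.
    lam = 1.0
    if relabel and q_l > 0:
        lam = min(1.0, (1.0 - q_l) * (2 * s_nl - 1) / (q_l * (1.0 - s_l)))
    by_f = {}                            # f -> {(a, b): unnormalised weight}
    def add(f, ab, w):
        by_f.setdefault(f, {})
        by_f[f][ab] = by_f[f].get(ab, 0.0) + w
    for a in (0, 1):
        for b in (0, 1):
            loc = q_l * (s_l if a == b else 1 - s_l) / 2
            nl = (1 - q_l) * (s_nl if a == b else 1 - s_nl) / 2
            add("?", (a, b), nl)         # Eve is uncorrelated with nonlocal rounds
            if a == b:
                add(("known", a), (a, b), loc)                 # f = a
            else:
                add("?", (a, b), lam * loc)
                add(("known", a, b), (a, b), (1 - lam) * loc)  # left as e = (a, b)
    total = 0.0
    for joint in by_f.values():
        p_f = sum(joint.values())
        if p_f > 0:
            total += p_f * mutual_information({k: w / p_f for k, w in joint.items()})
    return total

if __name__ == "__main__":
    th = math.pi / 4                     # standard CHSH protocol
    print(f"v_L = {v_local(th):.4f}, v_crit = {v_crit(th):.4f}")
    for v in (0.72, v_crit(th), 0.80, 0.90, 1.00):
        print(f"v = {v:.4f}  bound = {cc_attack_bound(v, th):.4f} bits")
```

With `relabel=False` the function evaluates the plain relabelling (all local $a \neq b$ rounds mapped to $f = ?$), which leaves a positive value between $v^{\theta}_{L}$ and $v^{\theta}_{\mathrm{crit}}$; the fractional relabelling removes it.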
Discussion. We introduced a generic tool for upper-bounding DIQKD key rates using a simple eavesdropping attack. Using our tool, we showed that Bell nonlocality is not sufficient for secure DIQKD when the honest parties announce their measurement settings. Our results also imply that all the commonly used DIQKD protocols become insecure in the noisy case already in the nonlocal regime, even when assisted by arbitrary two-way communication. Our analysis does not prove that the considered nonlocal correlations are useless for secure key distribution, but it shows that the standard reconciliation, where the settings are announced by both parties, does not work for all nonlocal correlations.
Given the above, one possibility to lower the stringent requirements on noise parameters is to employ protocols such as that of Ref. [19], in which only one party announces their settings. Indeed, for this protocol we were not able to find an upper bound that vanishes in the nonlocal regime. Whether a secure key can be distilled from all nonlocal correlations using these protocols is an open question that deserves further investigation. Another possibility for improving the key rates extractable from a given quantum state is to employ measurements that are not projective. However, we note that no state is known thus far that is local for all arrangements of projective measurements, while exhibiting nonlocality for some arrangement of non-projective measurements. Hence, the critical visibilities of the Werner state derived in this work also hold for all the hitherto studied arrangements of nonprojective measurements. Another question worth investigating is whether tighter upper bounds can be derived using collective or coherent attacks. Nonetheless, let us note that our (individual) CC attack can be applied to a broad class of DIQKD protocols, and gives rise to bounds on the critical visibility in experimentally relevant scenarios. We elaborate on these findings in [31].

Supplemental Material
Local visibility for CHSH-based protocols

Consider the correlation $p^{\theta,v}_{AB}(a, b|x, y) = \mathrm{tr}\{\rho^{v}_{AB}[A^x_a \otimes B^y_b(\theta)]\}$, obtained by measuring the Werner state with the projective measurements $A^x_a$ = 1 Note that with the above notation, we have that $p^{\theta,v}_{AB}(a, b|x, y)$ In order to prove this, we note that for the case of two binary measurements on Alice's side and three binary measurements on Bob's side, the polytope of local correlations is completely characterised [28]. In particular, all the facets that correspond to non-trivial constraints (i.e., do not correspond to the positivity and normalisation of the probabilities) are of the CHSH-type: where are the correlators. In other words, a correlation $p_{AB}(a, b|x, y)$ in this setting is local if and only if it satisfies all the inequalities in Eq. (18).
By comparing Eqs. (20) and (22), it is straightforward to verify that $p^{\theta,v}_{AB}(a, b|x, y)$ is local if and only if $v \leq v^{\theta}_{L} = 1/(\cos\theta + \sin\theta)$.
The local polytope is completely characterised in this scenario as well [28], and all the non-trivial facets are of the CHSH-type: Hence, it is clear that these new correlations are also local in the noisy case if and only if $v \leq v^{\theta}_{L}$.
A two-dimensional region of quantum correlations with zero key

In this section, we describe a two-dimensional region in the set of quantum correlations that is nonlocal but cannot be used to extract a secure key using standard DIQKD. This region corresponds to correlations based on the biased CHSH inequality (see the main text), and is depicted in Fig. 2. The points in the figure are based on correlations with two inputs and two outputs, $p_{AB}(a, b|x, y) = \mathrm{tr}[\rho_{AB}(A^x_a \otimes B^y_b)]$, such that $a, b, x, y \in \{0, 1\}$. The full set of these correlations can be embedded in an 8-dimensional real vector space [28]. To see this, let us define the observables The original measurement operators can be recovered from the observables via In terms of these observables, we define the marginals and the correlators [notice that these correlators are the same as those in Eq. (19)]. Indeed, any correlation can be written in terms of the marginals and the correlators as In order to describe a 2-dimensional slice of the set of correlations in this scenario, we need to describe all correlators and marginals in terms of affine functions of two real variables, which we will denote by $s$ and $t$. The slice we are interested in is given by The set of quantum correlations in this case is bounded by the relation $s^2 + t^2 \leq 1$, which corresponds to the maximal possible quantum violation of the biased CHSH inequalities [10]. The local set is bounded by four constraints, $\pm s \pm t \leq 1$, which are various relabellings of the CHSH inequality, and the inequality $s + t \leq 1$ corresponds to the standard CHSH inequality Using this parametrisation, the local points on the CHSH facet correspond to $s + t = 1$, with the two endpoints being $(s, t) = (1, 0)$ and $(s, t) = (0, 1)$. The boundary of the quantum set (with all points being extremal) corresponds to the curve $s^2 + t^2 = 1$.
We will be interested in the region $s + t > 1$, i.e., correlations violating the standard CHSH inequality, while still being quantum, i.e., $s^2 + t^2 \leq 1$. It is convenient to parametrise this region with the polar coordinates $(s, t) = (v \cos\theta, v \sin\theta)$: where $0 < \theta < \pi/2$ and $v^{\theta}_{L} < v \leq 1$ [let us recall that $v^{\theta}_{L} = 1/(\cos\theta + \sin\theta)$, see the previous section]. The region depicted in Fig. 2 corresponds to DIQKD protocols with two binary measurements on Alice's side and three binary measurements on Bob's side. The correlation observed in the protocol is given by Eq. (32) with an added binary measurement, $y = 2$, on Bob's side, that gives rise to the final correlation It is clear that this correlation can be obtained by measuring the state in Eq. (15) with the projective measurements described in Eq. (16).
The region depicted in Fig. 2 corresponds to the set of correlations of the form (33) with $0 < \theta < \pi/2$ and $v^{\theta}_{L} < v \leq 1$ [this region is depicted using the coordinates $(s, t) = (v \cos\theta, v \sin\theta)$]. The black dashed line corresponds to $v = v^{\theta}_{L}$, and the blue curved boundary on the edge corresponds to $v = 1$. The green line is given by $\theta = \pi/4$. The red region corresponds to $v^{\theta}_{L} < v \leq v^{\theta}_{\mathrm{crit}} = (v^{\theta}_{L} + 1)/(3 - v^{\theta}_{L})$. As explained in the main text, Alice and Bob cannot extract a secure key if they observe a correlation in the red region and publicly announce their settings for each round, even though these correlations are nonlocal.

Fig. 2. We depict a 2-dimensional slice of the set of correlations in the scenario with two binary measurements on Alice's side and three binary measurements on Bob's side. We can see that there are three different regions: in red, we show the region of nonlocal quantum correlations that cannot be used for key extraction if the honest parties announce their settings. In yellow, we depict (part of) the region of local correlations, and the dashed black line represents the CHSH facet of the local polytope. In light blue, we show the region of nonlocal quantum correlations for which our upper bound on the key rate is non-zero. The dark blue curve corresponds to the maximal possible quantum violation of the biased CHSH inequalities, that is, the ideal correlations for $0 < \theta < \pi/2$. Finally, the green line corresponds to the correlations obtained from the noisy standard CHSH protocol.