Unbounded device-independent quantum key rates from arbitrarily small non-locality

Device-independent quantum key distribution allows for proving the security of a shared cryptographic key between two distant parties with potentially untrusted devices. The security proof is based on the measurement outcome statistics (correlation) of a Bell experiment, and security is guaranteed by the laws of quantum theory. While it is known that the observed correlation must be Bell non-local in order to prove security, recent results show that Bell non-locality is in general not sufficient for standard device-independent quantum key distribution. In this work, we show that conversely, there is no lower bound on the amount of non-locality that is sufficient for device-independent quantum key distribution. Even more so, we show that from certain correlations that exhibit arbitrarily small non-locality, one can still extract unbounded device-independent key rates. Therefore, a quantitative relation between device-independent key rates and Bell non-locality cannot be drawn in general. Our main technique comprises a rigorous connection between self-testing and device-independent quantum key distribution, applied to a recently discovered family of Bell inequalities with arbitrarily many measurement outcomes.

Introduction.-Device-independentquantum key distribution (DIQKD) allows two distant parties to establish a secure cryptographic key without having to trust the devices they use in the protocol [1][2][3][4].The security of the key is guaranteed solely by the laws of quantum physics.DIQKD solves two problems present in other types of key distribution protocols: it does not rely either on computational assumptions (like most non-quantum key distribution schemes [5][6][7]), or on the characterisation of the devices used in the protocol (like standard quantum key distribution schemes [8][9][10]).While the practicality of DIQKD still poses challenges, the first proof-of-principle experiments were carried out recently [11][12][13], demonstrating that DIQKD can be achieved with current technology.Remaining challenges include increasing the key rates and the distance over which the protocols can be implemented, noting that increasing the key rates naturally leads to an increase in the achievable distance as well [3,4].This work is concerned with precisely these challenges, in particular, with key rates.The key rate of a protocol is the number of secret bits that can be produced in a given round of the protocol, and we will compare key rates with Bell non-locality [14], a naturally connected notion: in a DIQKD protocol, two parties measure a bipartite quantum system locally, and the final key is extracted from the measurement outcomes.It is known that DIQKD is possible only if these measurement outcome statistics demonstrate non-local correlations (i.e. they violate a Bell inequality) [1,2].It is, however, less clear how the amount of non-locality (or Bell inequality violation) relates to the achievable key rate.In fact, recently it was shown that non-locality in itself is not sufficient for the security of a large class of DIQKD protocols [15].That is, there exist correlations that violate a Bell inequality, but cannot be used for DIQKD using standard techniques.In this work, we show a somewhat opposing statement: one can extract unbounded key rates from certain correlations that violate Bell inequalities arbitrarily weakly.Furthermore, these protocols also only use standard techniques.Therefore, one can conclude that (standard) DIQKD key rates and Bell non-locality are incomparable resources.
Preliminaries.-Any DIQKD protocol starts with the measurement stage: two parties, Alice and Bob, locally measure their part of a fresh copy of a bipartite quantum state ρ defined on the tensor product of two Hilbert spaces, H A ⊗ H B .Every time they measure, it constitutes a round of the protocol.In every round, they can decide to perform one of (finitely) many available measurements.For Alice, these measurement settings are denoted x ∈ {0, 1, . . ., n A − 1} =: [n A ], and for Bob, y ∈ [n B ].In each round they obtain a measurement outcome, labelled by a ∈ [k A ] for Alice and b ∈ [k B ] for Bob.Once they have obtained their respective outcomes, a new round begins with a fresh copy of ρ.They perform many rounds (in this work we are interested in the asymptotic limit of infinitely many rounds) and record their settings and outcomes, which concludes the measurement stage.
After this, Alice and Bob estimate the correlation, that is, the joint probability distribution p(a, b|x, y) of the outcomes conditioned on the measurement settings.The estimation is done by publicly announcing a small subset of their inputs and outputs, after which this subset of their data is discarded.
Quantum theory dictates that the correlation will be given by the Born rule, where {A It is important to note at this point that certain quantum correlations are non-local [14].Non-local correlations cannot be written in the form p L (a, b|x, y) = λ p Λ (λ)p A (a|x, λ)p B (b|y, λ), (2) where λ is usually referred to as a hidden variable, and p Λ ( • ), p A ( • |x, λ) and p B ( • |y, λ) are probability distributions.Correlations of the form (2) are called local correlations (and are considered "classical" in the context of Bell non-locality), and they form a convex polytope L (for fixed n A , n B , k A , and k B ). Since L is convex, nonlocal correlations can be witnessed by separating hyperplanes, usually called Bell inequalities in this context.A (non-trivial) Bell inequality is a linear functional on the correlations p(a, b|x, y) such that its maximal value attained by local correlations can be exceeded by certain quantum correlations.In such a case, we say that the quantum correlation violates a Bell inequality, and is therefore non-local.It is an important pre-requisite for a correlation to violate a Bell inequality in order for it to be useful for DIQKD [1,2].
Returning to the steps of a DIQKD protocol, once they have estimated the correlation, Alice and Bob decide whether the correlation is satisfactory for DIQKD (based on criteria that we will discuss next).If it is not, they abort the protocol.If the correlation passes the test, they employ privacy amplification and error correction on their remaining data (on the recorded inputs and outputs that were not discarded) [16][17][18].This is done via public, but authenticated classical communication channels.At the end of the privacy amplification and error correction stage, Alice and Bob are each left with a string of bits that are perfectly random (as a result of privacy amplification) to any potential eavesdropper limited by the laws of quantum physics.Moreover, these strings of bits are exactly the same for Alice and Bob, as a result of error correction.The asymptotic key rate, r, is then defined as the length of this bit string, divided by the number of rounds, taking the limit of infinitely many rounds.
One of the seminal results of (device-independent) quantum key distribution is a universal lower bound on the achievable key rate from a given correlation.The bound quantifies the key rate that can be extracted from the outcomes of the "key settings" x on Alice's side and ŷ on Bob's side, by performing privacy amplification and error correction via one-way communication from Alice to Bob.The bound is referred to as the Devetak-Winter rate [19], and in our context it is given by where

and over all
POVMs A x a on H A and B y b on H B such that the state and the measurements are compatible with the observed correlation, Furthermore, H(A|E) σ is the conditional von Neumann entropy of the corresponding classical-quantum state and H(A|B) is the conditional Shannon entropy of the distribution p(a, b|x, ŷ).Note that an analogous bound holds for the case of one-way communication from Bob to Alice, and that the bound on r only depends on the observed correlation p(a, b|x, y).Furthermore, this bound is valid against the most powerful, so-called coherent eavesdropping attacks [20][21][22].If Alice and Bob cannot establish a positive lower bound for their key rate, they abort the protocol.
The term H(A|E) captures the cost of privacy amplification: to model an eavesdropper (Eve) limited by quantum physics, we consider a tripartite quantum state on some Hilbert space H A ⊗ H B ⊗ H E such that Eve holds the subsystem E.Then, H(A|E) quantifies Eve's uncertainty of Alice's outcome of measurement x, given her quantum side-information in the worst-case scenario, optimised over the possible tripartite states and measurements compatible with the observed correlation.In other words, H(A|E) quantifies the device-independent (private) randomness of Alice's outcome of her measurement x.
The term H(A|B) captures the cost of error-correction, since it quantifies Bob's uncertainty of Alice's outcome of measurement x given his classical information, which is the outcome of his measurement ŷ.Since H(A|B) can be directly computed from the correlation, the difficulty in estimating the Devetak-Winter bound is in bounding H(A|E).Indeed, various methods have been proposed to bound this quantity for arbitrary correlations.General analytic techniques are lacking, while numerical techniques scale rather badly in the number of settings and outcomes [23][24][25][26][27].It is important to note, however, that once we have a bound on H(A|E), the lower bound on the key rate can be boosted by finding an appropriate measurement ŷ for Bob that results in small conditional entropy H(A|B).
Self-testing and DIQKD.-Inthis work, we analytically tackle the problem of bounding private randomness from a specific type of correlations.In particular, we expose a rigorous connection between DIQKD and a strong certification technique in Bell non-locality called self-testing [28].We say that a correlation p(a, b|x, y) and for all x, y, a, b.The primary aim of self-testing is to characterise quantum states and measurements solely from the observed correlation in a Bell experiment, and many examples of self-testing are known [28].
Our main technical observation linking self-testing and DIQKD is that whenever a correlation self-tests some quantum state and measurements, the parties can extract private randomness from their measurements.In fact, it is sufficient that the weaker form of Eq. ( 6), ) holds for some fixed x and for all a. Eq. ( 7) follows from Eq. ( 6) by fixing x = x and summing up over b, and note that further summing up over a, we obtain The reason why condition ( 6) is sufficient for certifying private randomness is because the term H(A|E) in Eq. ( 3) can be computed analytically if the correlation is self-testing (or the weaker condition (7) holds) as follows.For all tripartite states |ψ and measurements A x a compatible with the observed correlation, we have where σ E = tr A ′ B ′ |aux aux| A ′ B ′ E is some fixed quantum state on H E , p A (a|x) = b p(a, b|x, y) is Alice's marginal distribution, and we used the conditions (7) and (8).The conditional von Neumann entropy in Eq. ( 3) is then given by (for all states and measurements compatible with the correlation) where we used that the von Neumann entropy is additive under the tensor product.Therefore, the entropy H(A) of Alice's outcome from measurement x is private, that is, no eavesdropper can guess it better than random.Note that a similar argument is used in the proofs of Ref. [29].
In order to promote this device-independent randomness certification statement to device-independent quantum key distribution, we need a measurement on Bob's side such that its outcome is correlated with the outcome of setting x of Alice.Such a choice maximises the Devetak-Winter bound in Eq. ( 3) by minimising H(A|B).While such a highly correlated measurement setting ŷ might already be part of the setup that gives rise to the self-testing correlation, notice that adding an extra setting on Bob's side does not change the calculation for Alice's private randomness.Therefore, for every self-testing correlation one can aim to find the best possible measurement for Bob that maximises the deviceindependent key rate.Note once again that this maximisation is much less cumbersome than computing H(A|E), since H(A|B) can be directly computed from the observed correlation p(a, b|x, y).Therefore, given | ψ and { Ãx a } a from the self-testing statement, one can attempt to find a measurement {B ŷ b } b minimising H(A|B).
Unbounded key from arbitrarily small non-locality.-Usingthe above techniques, we will now prove that from correlations arbitrarily close to the local set (and therefore violating any Bell inequality arbitrarily weakly) one can extract log(d) bits of device-independent key for any integer d ≥ 2. For this purpose, we use the Bell inequalities from Ref. [30].The inequalities are parametrised by an integer d ≥ 2 and and overlap matrix O, whose elements are characterised by two orthonormal bases on C d , which we choose to be {|j } d−1 j=0 and {|e k } d−1 k=0 .The elements of the overlap matrix are then given by In the Bell scenario, Alice has 2 measurement settings with d outcomes each and Bob has d 2 settings with 3 outcomes each (notice that we swapped the role of Alice and Bob compared to Ref. [30]).For every d ≥ 2 and every overlap matrix such that O jk < 1 for all j, k (equivalently, O jk > 0 for all j, k) the authors of Ref. [30]  While the maximal violation of these inequalities does not provide a self-test in the usual sense, in Ref. [30] it is shown that for every state ρ on H A ⊗ H B giving rise to the maximal violation, there exist local isometries for some quantum state Furthermore, it can be shown from the maximal violation [31] that Alice's measurement corresponding to setting x = 1 satisfies for some fixed operator Ã on H A ′ and for some fixed operator B on H B ′ .By an argument similar to the one in the previous section, it can be shown [31] using Eqs.( 12), (13), and ( 14) that for every purification |ψ ABE of ρ, the resulting conditional von Neumann entropy will again satisfy for the setting x = 1 of Alice [the specific value log(d) follows from the fact that p A (a|1 d due to the relations ( 12) and ( 13)].Then, introducing a measurement for Bob that is perfectly correlated to the x = 1 setting of Alice (e.g. in the ideal realisation one can choose B ŷ b = |b b|), we get a lower bound on the key rate, for all d ≥ 2 and for all overlap matrices with O jk > 0.
That is, we obtain a family of correlations that certify log(d) bits of secret key.Notice that while these correlations maximally violate a Bell inequality, in some cases they might be arbitrarily close to the set of local correlations.
Exploiting precisely this fact, we now show that for every d ≥ 2, there exist correlations arbitrarily close to the local set, but still certifying log(d) bits of secret key.To do so, we need to provide an overlap matrix O such that the correlation maximising the corresponding Bell inequality from Ref. [30] is arbitrarily close to the local set.Consider the trivial case of |e k = |k for all k ∈ [d], leading to an overlap matrix O jk = δ jk .The corresponding correlation that arises by measuring |φ + d with the measurements {|j j |} for both settings x = 1 and x = 2 is local, since Alice's measurements are compatible (they are equal) [32].Now let us perturb {|e k } by a small unitary transformation in a way that leads to a non-trivial overlap matrix with all elements strictly positive.One particularly symmetric way to achieve this is by taking the generalised Pauli X operator where Then, consider the unitary operator parametrised by ε ∈ [0, 1], Clearly, U 0 = I, and U ε is continuous in ε, a consequence of the well-known fact that the map t → e tM is continuous in t for any matrix M (see e.g.[33,Chapter 2]).Also, for every ε ∈ (0, 1) we have that the overlap matrix of {|j } d−1 j=0 and {U ε |k } d−1 k=0 is non-trivial, that is, all of its elements are strictly positive [31].As such, by the above arguments, the correlation that arises by measuring |φ + d with the measurements {|j j |} d−1 j=0 and (and the appropriate measurements for Bob) certifies log(d) bits of secure key for every ε ∈ (0, 1) and every integer d ≥ 2.
If we now choose ε to be arbitrarily small (but positive), the resulting correlation, p ε (a, b|x, y) gets arbitrarily close (e.g. in ℓ 1 norm) to the local correlation p ε=0 (a, b|x, y), since the correlation is also continuous in ε (it is quadratic in U ε = e εG ).Therefore, for any integer d ≥ 2, for arbitrarily small ε > 0 the correlation p ε (a, b|x, y) certifies log(d) bits of device-independent key, but the correlation is arbitrarily close to the set of local correlations.That is, from arbitrarily small nonlocality, one can still certify unbounded (with increasing d) device-independent key.
Conclusion.-In this work, we exposed a rigorous connection between self-testing and DIQKD as well as device-independent randomness generation.Thanks to this connection and the latest developments in highdimensional Bell non-locality, we showed that unbounded device-independent key rates can be certified from correlations with arbitrarily small non-locality.This result together with recent findings indicates that DIQKD and Bell non-locality might be incomparable resources, and in the search for a fundamental quantum resource for DIQKD, the amount of non-locality is not the right quantity to consider.
Note added.-During the completion of this work, the author became aware of the related independent work of Ref. [34].The authors there derive new self-testing statements in the simplest Bell scenario and prove that constant DIQKD rates (1 bit) can be achieved from arbitrarily small non-locality.

Supplemental Material
The local isometries In this section, we prove Eqs. ( 13) and ( 14) from the main text.In order to do so, we introduce some notation, following Ref.[30].We denote the operators corresponding to Alice's setting x = 1 by {P a } d−1 a=0 and those corresponding to setting x = 2 by {Q a } d−1 a=0 .In Ref. [30], the authors show that the maximal violation of the Bell inequalities corresponding to a given overlap matrix O certifies that Alice's measurements satisfy for all j, k ∈ [d].This also implies that both {P a } and {Q a } are projective measurements, by summing over the middle index in the above relations.The isometry on Alice's side is then given by V A : for some fixed (but arbitrary) j, and such that H A ′ ≃ H A .Then, we have where we used that P k P a P ℓ = δ k,a δ ℓ,a P a and the relations in Eqs.(19) and (20).This proves Eq. ( 13) in the main text.
In order to prove Eq. ( 14) in the main text, we recall from Ref. [30] that the isometry on Bob's side is given by where Pj and Qk are operators on H B ′ ≃ H B ≃ H A satisfying the same relations as the operators of Alice, that is, the relations in Eqs. ( 19) and ( 20), and j is again fixed but arbitrary.Then, we have where we used that Pk Pℓ = δ kl Pk and the relations (19) and (20) for Pj and Qk .This proves Eq. ( 14) in the main text.

Privacy from maximal Bell inequality violation
In this section, we show that the conditions in Eqs. ( 12), ( 13) and ( 14) are sufficient for certifying the secrecy of Alice's outcome.First, we have that for every state ρ on H A ⊗ H B and every measurement A 1 a that give rise to the maximal violation of the corresponding Bell inequality, we have as a direct consequence of Eqs. ( 12), ( 13) and (14).Since the trace of the left-hand side is the marginal probability of Alice, p(a|1) = 1 d , and the operator on the left-hand side is positive semidefinite, we have that ( Ã ⊗ B)σ A ′ B ′ is a quantum state.
Eq. ( 25) is reminiscent of the "matrix form" self-testing [35] with the difference that Bob's measurement operators do not appear.It can be shown that this matrix form condition is equivalent to the vector form condition [36], that is, Eq. ( 25) is equivalent to for all purifications |ψ ABE of ρ, for some |aux A ′ B ′ E .This condition is exactly of the form of Eq. ( 7) in the main text, and therefore the secrecy of Alice's outcome from the measurement setting x = 1 follows by the arguments in the main text.
Non-trivial overlap matrix from the perturbed basis In this section we show that the overlap matrix satisfies O jk > 0 for all j, k whenever ε ∈ (0, 1).We have where in the last step we used the formula for a geometric sum.Notice that for ε ∈ (0, 1), the condition ε − k + j = 0 cannot hold, so we can always consider the second case.As such, using the fact that for any α ∈ R we have we obtain and equality holds if and only if cos [2π(ε − k + j)] = 1, that is, if and only if (ε − k + j) ∈ N, which cannot hold if ε ∈ (0, 1).Therefore, we conclude that | j |U ε |k | 2 > 0, as required.
x a } a and {B y b } b represent positive-operatorvalued measures (POVMs) for every x and y.That is, A x a are positive semidefinite operators on H A such that a∈[kA] A x a = I A , the identity operator on H A , for all x ∈ [n A ]. Similarly, B y b are positive semidefinite operators on H B such that b∈[kB ] B y b = I B for all y ∈ [n B ].

j
|U ε |k = j | B and all measurements A x a on H A and B y b on H B such that p(a, b|x, y) = tr[(A x a ⊗B y b )ρ], we have that for every purification |ψ ∈ H A ⊗H B ⊗H E of ρ there exist Hilbert spaces H A ′ and H B ′ and local isometries V self-tests the quantum state | ψ ∈ H Ã ⊗ H B and the measurements Ãx a on H Ã and By b on H B , if for all quantum states ρ on some Hilbert spaces H A ⊗ H