Security of Device-Independent Quantum Key Distribution in the Bounded-Quantum-Storage Model

Device-independent quantum key distribution (DIQKD) is a formalism that supersedes traditional quantum key distribution, as its security does not rely on any detailed modeling of the internal working of the devices. This strong form of security is only possible using devices producing correlations that violate a Bell inequality. Full security proofs of DIQKD have recently been reported, but they tolerate zero or small amounts of noise and are restricted to protocols based on specific Bell inequalities. Here, we provide a security proof of DIQKD that is both more efficient and noise resistant, and also more general, as it applies to protocols based on arbitrary Bell inequalities and can be adapted to cover supraquantum eavesdroppers limited by the no-signaling principle only. It is formulated, however, in the bounded-quantum-storage model, where an upper bound on the adversary's quantum memory is a priori known. This condition is not a limitation at present, since the best existing quantum memories have very short coherence times.


Introduction
Quantum key distribution is the art of distilling a secret key between two distant parties, Alice and Bob, who have access to an untrusted quantum channel [1]. In this scenario, one typically assumes that the equipment in Alice and Bob's labs can be trusted, and moreover, that its behavior is accurately described by a given theoretical model. Unfortunately, this often turns out to be a very strong assumption which is not justified in practice [2]. In particular, many loopholes can be exploited by an eavesdropper to get around the usual security proofs: for instance, the state preparation might be imperfect [3], or the eavesdropper might perform a blinding attack to take control of the detectors at a distance [4].
One way around such problems consists in exhaustively listing all the potential mismatches between the theoretical model and the real implementation and taking care of each one of them individually. However, this approach is dubious as it is impossible to be sure that all loopholes have really been addressed. Another, more promising, approach is inspired by the recent framework of device-independent quantum information processing [5,6]. Here, the idea is that if Alice and Bob are able to experimentally violate a Bell inequality [7], it means that their data exhibit intrinsic randomness as well as secrecy [8,9], independently of the internal operation of the devices [5]. In recent years, this framework has been used to prove the security of device-independent key distribution [11,12,13,14,15,16,17,18], to certify randomness expansion [20,21,22,23,24], to self-test quantum computers [25] and states [26,27], and to guarantee the presence of entanglement [28].
In the present work, we focus on the cryptographic task of key distribution, which has been the subject of many very recent developments. Until recently, security proofs were restricted to scenarios where Alice and Bob have access to a pair of memoryless devices or n independent pairs of devices, thus ensuring that the measurements inside their own labs were causally disconnected [11] or commuting [13,14]. This is reminiscent of the notion of collective attacks in standard QKD, where some independence assumption is required. Ideally, one would like a protocol where only one device is required per party, and for which no assumption is needed on the device. This is indeed the motivation for doing device-independent cryptography in the first place.
Recent works have been able to get rid of this assumption. In Ref. [15], the authors introduced a protocol based on the chained Bell inequality [29] and established its security against arbitrary adversaries. The protocol, however, only produces a single secret bit and does not tolerate any noise. In Refs. [16,17], the authors proved a strong converse of Tsirelson's optimality result for the Clauser-Horne-Shimony-Holt (CHSH) game, based on the CHSH inequality [30]: the only way to win the game using quantum resources at the level predicted by Tsirelson's bound is to use a strategy close to the optimal one for independent and identically distributed states, that is, applying the optimal measurements on copies of a two-qubit maximally entangled state. This theorem provides a security proof for DIQKD based on the CHSH inequality. Unfortunately, the security proof does not tolerate any constant amount of noise. While this work was being completed, Vazirani and Vidick gave a universally composable security proof of DIQKD against arbitrary attacks [18]. Their protocol, based again on the CHSH inequality, is both reasonably efficient (the key length scales linearly with the number of measurements) and tolerant to a constant fraction of noise. A drawback, however, is that the maximum amount of noise tolerated is of the order of 1%, significantly lower than the bounds obtained for protocols using n pairs of devices.
In the present paper, we present a security proof that (i) works for only two devices, that is, does not require commuting measurements or memoryless devices, (ii) can be applied to generic DIQKD protocols based on arbitrary Bell inequalities, and (iii) has the same efficiency and tolerance to noise as previous proofs using memoryless devices. All these nice properties, however, come at the price of assuming that the adversary only holds classical information. While this may seem a strong requirement, it can be easily enforced in any realistic implementation by delaying the reconciliation process, since the best existing quantum memories have very short coherence times [19]. Another advantage of our general framework is that it can also provide security beyond quantum theory, that is, against eavesdroppers that are only limited by the no-signalling principle.
The outline of the paper is the following. We first give a brief reminder of the relation between nonlocality, that is, violation of a Bell inequality, and randomness. We then describe the quantum key distribution protocol and present its secret key rate. We prove the security of the protocol under the assumption that the eavesdropper does not have access to a long-term quantum memory. We conclude by briefly comparing our results with the existing security proofs, and discussing some rather natural follow-up questions.

Nonlocality and randomness
In the following, we consider a bipartite scenario where Alice and Bob input random variables X and Y into their respective devices and obtain classical outputs A and B, respectively. We denote by λ_A, λ_B, λ_X, λ_Y the sizes of the alphabets of A, B, X, Y, respectively. Moreover, we denote by P(a, b|x, y) the probability of getting the specific results A = a, B = b when the inputs are X = x, Y = y, and by P(A, B|X, Y) the vector with components P(a, b|x, y).
A Bell inequality can be written as where I_cl is the classical upper bound. To any such Bell inequality, one can associate a bound on the randomness of the output A given the input X = x through a function τ_x such that Such a function can be computed using the techniques given in [31], as explained in [21]. Without loss of generality, this function can be assumed to be monotonically non-increasing and such that −log(τ_x(·)) is convex.
For simplicity, we consider the case where there exists an input-independent bound, i.e. a function τ such that τ(I) = τ_x(I) for all x ∈ λ_X. Examples of Bell inequalities satisfying this property are: the CHSH inequality [30], the chained inequality [29], and the Collins-Gisin-Linden-Massar-Popescu (CGLMP) inequality [32]. Our results, however, can easily be generalised to cover the case of input-dependent bounds.

Description of the protocol
The DIQKD protocol that we consider in this paper is very general in the sense that it is compatible with arbitrary Bell inequalities, in particular with the various examples of Bell inequalities mentioned above. Our protocol consists of four steps: measurements, estimation of the Bell violation, error correction and privacy amplification. We denote by n the number of times each device is used during the protocol.
1. Measurements. Alice and Bob respectively generate the random variables U_j, V_j ∈ {0, 1} with distribution Pr{U_j = 1} = Pr{V_j = 1} = q = n^{−1/8} for j = 1, ..., n. If U_j = 0 then Alice measures round j with input 0, obtaining outcome A_j. If U_j = 1 then Alice generates X_j with uniform distribution P(x_j) = 1/λ_X and measures round j with input X_j, obtaining outcome A_j. Bob proceeds analogously with V_j, input Y_j, and outcome B_j. In other words, events where U_j = V_j = 0 are used to establish a raw key, while events where U_j = V_j = 1 are used to test the Bell inequality and guarantee that a secret key can indeed be extracted from the raw key.
2. Estimation. Alice and Bob publish (u_j, v_j) for all j, and discard the data corresponding to the rounds with u_j ≠ v_j. The data corresponding to the m post-selected rounds (u_j, a_j, b_j, x_j, y_j) with v_j = u_j is relabeled with the index i = 1, ..., m, keeping the time order. The data corresponding to the rounds of the set E is also published and used to estimate the Bell-inequality violation. More specifically, Alice and Bob can use the public data to compute the following quantity: The data of the rounds not in E constitute the raw key of Alice, R = (A_i)_{i∉E}, and of Bob, S = (B_i)_{i∉E}.
3. Error correction. Alice and Bob publish n_C bits in order to correct Bob's errors, S → S′. For sufficiently large n_C, all errors are corrected, S′ = R, with high probability. Note that some of the published bits are used to estimate how many more bits need to be published for a successful error correction. For large n, publishing n_C ≈ nH(A|B) bits is enough.
For more details about the functioning of error correction, we refer to [33].
4. Privacy amplification. Alice generates and publishes a two-universal [34] random function F which maps R to an n_K-bit string K = F(R). The number n_K depends on the published information as where ⌊γ⌋ is the largest integer not bigger than γ. Alice and Bob then compute (F(R), F(S′)), obtaining two copies of the secret key.
Note that if the adversary holds a quantum memory, but cannot keep it for an arbitrarily long time, the honest parties should implement the protocol in two steps: (i) they receive the quantum systems from the source and perform the measurements, (ii) some time T later they perform the rest of the protocol involving the public communication for the estimation, error correction, and privacy amplification. We show security under the assumption that the adversary cannot keep a quantum memory for a time T. According to current and near-future technology, this assumption can be enforced by taking T of the order of a few minutes [19].
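As an added illustration that is not part of the paper, the following Python simulates steps 1, 2 and 4 of the protocol for the CHSH inequality, with the test/key sampling q = n^{−1/8}, the post-selection u_j = v_j, and a two-universal (Toeplitz) hash for privacy amplification. The device model (a box with correlator ν/√2·(−1)^{xy}, i.e. a visibility-ν state with the usual CHSH measurements), the form of the estimator I_est, and treating n_K as a free parameter are assumptions of the example.

```python
import math
import random

def chsh_box(x, y, nu, rng):
    """Constructed two-device model: unbiased outcomes with correlator
    E(x,y) = nu/sqrt(2) * (-1)^(x*y), so that I = 2*sqrt(2)*nu (an assumption)."""
    corr = nu / math.sqrt(2) * (-1) ** (x * y)
    a = rng.randrange(2)
    b = a if rng.random() < (1 + corr) / 2 else 1 - a  # P(b = a) = (1 + corr)/2
    return a, b

def beta(a, b, x, y):
    """CHSH Bell expression used in the paper: beta(a,b,x,y) = (-1)^(a xor b xor x*y)."""
    return (-1) ** (a ^ b ^ (x & y))

def measurement_and_estimation(n, nu, seed=0):
    """Steps 1 and 2: sample U_j, V_j with Pr{U_j = 1} = q = n^(-1/8), keep rounds with
    u_j = v_j, split them into the Bell-test set E and the raw keys R, S."""
    rng = random.Random(seed)
    q = n ** (-1 / 8)
    raw_alice, raw_bob, test_rounds = [], [], []
    for _ in range(n):
        u = 1 if rng.random() < q else 0
        v = 1 if rng.random() < q else 0
        x = rng.randrange(2) if u else 0  # input 0 on key rounds, uniform on test rounds
        y = rng.randrange(2) if v else 0
        a, b = chsh_box(x, y, nu, rng)
        if u != v:
            continue  # rounds with u_j != v_j are discarded after publication
        if u == 1:
            test_rounds.append((a, b, x, y))  # the set E, published for estimation
        else:
            raw_alice.append(a)  # R = (A_i)_{i not in E}
            raw_bob.append(b)    # S = (B_i)_{i not in E}
    # Assumed estimator: with uniform inputs, lambda_X*lambda_Y = 4 times the mean
    # of beta over E estimates I = sum_{x,y} (-1)^(x*y) E(x,y); classical bound is 2.
    i_est = 4 * sum(beta(*t) for t in test_rounds) / len(test_rounds)
    return raw_alice, raw_bob, i_est

def toeplitz_hash(bits, n_k, seed=0):
    """Step 4: two-universal hash F: {0,1}^len(bits) -> {0,1}^n_k given by a random
    Toeplitz matrix over GF(2) (entry (i, j) depends only on i - j). The seed stands
    for the publicly announced choice of F; n_k is taken as given here."""
    rng = random.Random(seed)
    diag = [rng.randrange(2) for _ in range(len(bits) + n_k - 1)]
    off = len(bits) - 1
    return [sum(diag[i - j + off] & bits[j] for j in range(len(bits))) % 2
            for i in range(n_k)]

if __name__ == "__main__":
    r, s, i_est = measurement_and_estimation(2 ** 16, 1.0, seed=1)
    errors = sum(x != y for x, y in zip(r, s))
    print(f"raw key length {len(r)}, raw errors {errors}, I_est = {i_est:.3f}")
    print("key:", "".join(map(str, toeplitz_hash(r[:64], 16, seed=1))))
```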

Security and efficiency
To prove security, we will not make any assumption on the behaviour of the devices of Alice and Bob, except that they do not broadcast information about the inputs and outputs towards the adversary (a condition without which there is no hope of ever establishing any secret). Modulo this requirement, we can even assume for simplicity that the devices have been built by the adversary. The eavesdropper could in particular hold quantum systems that are entangled with the systems in the users' devices. However, our proof of security only holds under the condition that the eavesdropper cannot store this quantum information past the measurement step of the protocol. After this step, she should thus perform a measurement M on her quantum system, which would give her some classical information E about the behaviour of Alice's and Bob's devices. But since until this point no public communication has been exchanged between Alice and Bob, we may as well assume that the eavesdropper has performed her measurement before the users received their devices from the source. The fact that our proof of security holds independently of the behaviour of the devices then implies that it holds independently of the prior classical information E that Eve holds on the devices, and we can thus forget E in the following.
At the end of the protocol, Alice holds the secret key K, and Eve holds the information published in the estimation step W = [(U_1, ..., U_m), (A_i, B_i, X_i, Y_i)_{i∈E}], in the error correction step C = θ(R), and in the privacy amplification step F. Note that here we consider the worst case, where all the messages published within the error-correction step are a function θ of Alice's raw key R. Let P(k, f, w, c) be the probability distribution for these random variables.
We say that K is an ideal secret key if it is uniformly distributed and uncorrelated with all the rest: P(k, f, w, c) = 2^{−n_K(w)} P(f, w, c) for all k, f, w, c.
Note that since E and I_est are functions of w, so is n_K. It is unrealistic to expect that a protocol can generate an ideal secret key. Instead, what we demand is that the distribution generated by the above protocol is indistinguishable from an ideal secret key. It is known that the optimal success probability when discriminating the two distributions is [33] The main result of this work (see the Theorem below) is to show that where γ is a constant and For large n, the success probability (7) tends to 1/2, which makes the optimal discriminating strategy no better than a random guess.
Let us now discuss the efficiency of the protocol in the asymptotic limit where n tends to infinity. For large n one expects, with high probability. This gives an asymptotic secret key rate of This is the same rate as the one given in [13] for memoryless devices but with security against full quantum adversaries.
In the case of the CHSH inequality, β(a, b, x, y) = (−1)^{a⊕b⊕x·y}, we define τ_QM and τ_NS such that p(a|x) ≤ τ_QM(I[P(A, B|X, Y)]) holds against an adversary limited by quantum theory and p(a|x) ≤ τ_NS(I[P(A, B|X, Y)]) holds against an adversary limited by the no-signalling principle. The specific values of these functions were derived in [21,13]: In Fig. 1, we plot the asymptotic secret key rate as a function of the visibility of the state ρ_ν = ν|φ⟩⟨φ| + (1 − ν)𝟙/4 shared by Alice and Bob.

Proof
We now proceed with a detailed security proof for the protocol described above. Before we present and prove our main result, which is an explicit bound on p_succ, we need three technical lemmas.
Let us introduce a more compact notation and that the raw key is r = (a_i)_{i∉E}. Let g = (a_i, b_i)_{i∈E} and note that t^m = (r, g) and w = (z^m, g).
Lemma 1. The no-signaling constraints imposed by the causal structure of the protocol imply for all (t^m, z^m), where Note that above, in Proof. This proof is based on an argument introduced in [21]. A useful observation is that bound (2) implies The following chain of equalities and inequalities follows from: Bayes' rule, no-signaling to the future, bounds (2) and (15), and the concavity of the function log(τ(·)).
Lemma 2. The numbers |E|, I_est, Ī are functions of the random variable (T^m, Z^m), and satisfy where (Here a comment is in order. Actually, Ī is not only a function of (T^m, Z^m) but also depends on the global probability distribution P(T^m, Z^m). But we think of this distribution as given, fixed and unknown. This dependence prevents the straightforward generalization of the results in this paper to a quantum adversary.) Proof. The function for all i. Consider the sequence of functions of (t^m, z^m) defined by for l = 1, ..., m. The fact that implies that the sequence of random variables α_l(T^l, Z^l) is a martingale [35] with respect to the sequence (T^l, Z^l). Also, using the fact that P(x, y) = (λ_X λ_Y)^{−1} and Pr{U = 1|U = V} = q²/(q² + (1 − q)²) ≥ q², the differences are bounded for all values of (t^m, z^m). Constraints (21) and (22) constitute the premises for Azuma's inequality [35] Pr for any µ > 0. Using (18), (19) and (21) we obtain and setting µ = q = n^{−1/8} gives (17).
Lemma 3. There is a good event G with probability such that for all w such that P(w|G) > 0.
Proof. This proof uses a trick introduced in [23]. The values of (t^m, z^m) in the set are the good ones, since Alice and Bob correctly lower-bound Ī (and hence n_K) from the values |E| and I_est determined in the estimation step. In the condition defining G_1 above, every symbol is a constant except for Ī, |E|, I_est, which are functions of (t^m, z^m). Note that Ī also depends on the global distribution P(t^m, z^m), which prevents the generalization of these results to the case of a quantum adversary. Fortunately, according to Lemma 2, the probability of G_1 is large Note the abuse of notation and note that P(not G_1 | not G_2) > 1/2. Using this and P(not G_1) ≥ P(not G_1 | not G_2) P(not G_2) we obtain P(not G_2) < 2P(not G_1). Recall G = (A_i, B_i)_{i∈E} and note that T^m = (R, G) and W = (Z^m, G). Define the set and note that where we have used g_1 = (λ_A λ_B)^{|E|}. The good event mentioned in the statement of this lemma is G = "G_1 and G_2 and G_3", and has probability P(G) ≥ 1 − P(not G_1) − P(not G_2) − P(not G_3), as in (24). We assume (g, z^m) ∈ G_2 ∩ G_3, since it is a premise of the lemma. If (r, g, z^m) ∉ G_1 then P(r|g, z^m, G_1) = 0. Hence, the non-trivial case happens for (r, g, z^m) ∈ G_1, which we assume in what follows. Using Bayes' rule, the definition of G_2 and G_3, Lemma 1, and (26), we obtain which shows the lemma.
Theorem. The distance between the secret key generated by the protocol and an ideal key is k,f,w,c Proof. Using definitions (4) and (34), Lemma 3, and c_1 = 2^{n_C}, we obtain: The symbol P_guess(R|C; w, G) denotes the knowledge of R with respect to C (see Appendix) when the statistics are conditioned on the events W = w and G. Next, we use the identity with the event G introduced in Lemma 3. Noticing that (K, F, W, C) is a function of (T^m, Z^m, F), using (32), the triangle inequality, and Lemma 4, we see that

Conclusions
In this work, we provide a novel security proof for DIQKD. Contrary to most of the existing proofs, it applies to the situation in which Alice and Bob generate the raw key using two devices.
In particular, it does not need to assume that the devices are memoryless or, equivalently, that each raw-key symbol is generated using a different device. While there exist other recent proofs that also work without this assumption, they tolerate zero [15,16,17] or rather small amounts of noise [18]. Another important feature of our proof is that it can also be applied to non-signalling supra-quantum eavesdroppers. All these advantages come at the price of making an extra assumption on Eve: she does not have access to a long-term quantum memory and, therefore, effectively she cannot store quantum information. While this may at first be considered a strong assumption (and is actually not needed in new security proofs for DIQKD [15,16,17,18]), it is a very realistic assumption taking into account current technology.
The natural open question is to understand how the assumption on the memory can be removed within the framework presented here, or how the other proofs [15,16,17,18] could be improved to tolerate realistic noise rates. In the case of no-signalling eavesdroppers, there is some evidence suggesting that the fact that Eve can store information and delay her measurement prevents any form of privacy amplification between the honest parties [36]. However, the recent results of [18] imply that privacy amplification is indeed possible against quantum eavesdroppers. A good understanding of privacy amplification in the device-independent quantum scenario is probably the missing ingredient to get robust and practical fully device-independent security proofs.
Figure 1: Asymptotic secret key rate k vs noise 1 − ν for the CHSH protocol and a state ρ_ν = ν|φ⟩⟨φ| + (1 − ν)𝟙/4, where |φ⟩ is maximally entangled. The upper curve corresponds to a quantum adversary while the lower one considers an adversary only limited by the no-signalling principle.
for i = 1, ..., m. Variables with super-index i represent the chain of variables associated with time steps equal to or earlier than i, that is t^i = (t_1, t_2, ..., t_i). Recall that the information made public in the estimation step is w