Security proof for quantum key recycling with noise

Quantum Key Recycling aims to re-use the keys employed in quantum encryption and quantum authentication schemes. QKR protocols can achieve better round complexity than Quantum Key Distribution. We consider a QKR protocol that works with qubits, as opposed to high-dimensional qudits. A security proof was given by Fehr and Salvail [1] in the case where there is practically no noise. A high-rate scheme for the noisy case was proposed by Škorić and de Vries [2], based on eight-state encoding. However, a security proof was not given. In this paper we introduce a protocol modification to [2] and provide a security proof. The modified protocol has high rate not only for 8-state encoding, but also 6-state and BB84 encoding. Our proof is based on a bound on the trace distance between the real quantum state of the system and a state in which the keys are completely secure. It turns out that the rate is higher than suggested by previous results. Asymptotically the rate equals the rate of Quantum Key Distribution with one-way postprocessing.


Quantum Key Recycling
Quantum cryptography uses the properties of quantum physics to achieve security feats that are impossible with classical communication. Best known is Quantum Key Distribution (QKD), first described in the famous BB84 paper [3]. QKD establishes a random secret key known only to Alice and Bob, and exploits the no-cloning theorem for unknown quantum states [4] to detect any manipulation of the quantum states. Already two years before the invention of QKD, the possibility of Quantum Key Recycling (QKR) was considered [5]. Let Alice and Bob encrypt classical data as quantum states, using a classical key to determine the basis in which the data is encoded. If they do not detect any manipulation of the quantum states, then Eve has learned almost nothing about the encryption key, and hence it is safe for Alice and Bob to re-use the key. A QKR protocol can achieve better round complexity than QKD, since communication about basis choices is avoided. After the discovery of QKD, interest in QKR was practically nonexistent for a long time. QKR received some attention again in 2003 when Gottesman [6] proposed an Unclonable Encryption scheme with partially re-usable keys. In 2005 Damgård, Pedersen and Salvail introduced a scheme that allows for complete key recycling, based on mutually unbiased bases in a high-dimensional Hilbert space [7,8]. Though elegant, their scheme unfortunately needs a quantum computer for encryption and decryption. In 2017 Fehr and Salvail [1] introduced a qubit-based QKR scheme (similar to [5]) that does not need a quantum computer, and they were able to prove its security in the regime of extremely low noise. Škorić and de Vries [2] proposed a variant with 8-state encoding, which drastically reduces the need for privacy amplification and tolerates higher noise levels, but the security was not proven. Attacks on the qubit-based QKR schemes of [1,2] were studied in [9], but that did not yield a security proof.

Contributions and outline
We investigate qubit-based Quantum Key Recycling, taking an 'engineering' point of view: we do not aim for complete key re-use, but rather for a high ratio of message length versus expended key bits.
• We introduce a modification in the QKR protocol of Škorić and de Vries [2]. The basis key now gets refreshed even in case of an Accept; the key update is done by hashing the payload of the qubits into the old key, without using up existing key material. Furthermore, we modify the privacy amplification: instead of deriving a classical one-time pad from the qubits' payload solely, we compress the payload and the old basis key together. For simplicity we combine the privacy amplification and the key refreshment into a single hashing operation.
• We provide a security proof. Our proof technique differs from [1]. We treat all keys on the same footing and show that they remain close to uniform given Eve's side information, whereas in [1] some keys become non-uniform.
Our approach is as follows. We switch to an EPR formulation of our protocol. First we consider attacks in which Eve collects quantum side information from one EPR pair at a time; we apply symmetrisation of the noisy Alice-Bob system as introduced in [10,11]. We upper bound the trace distance between the real state and an ideal state in which all the keys are decoupled from the subsystem available to Eve. Finally we invoke the post-selection method [12] in order to obtain security against general attacks.
For asymptotically large n (number of qubits) the steps in our derivation are very similar to [13,14]; we make use of smooth Rényi entropies, which asymptotically tend to the von Neumann entropy. For finite n we present a separate result without smoothing, based on straightforward diagonalisation.
• The QKR rate is defined as the message length minus the key expenditure, divided by n.
From our bound on the trace distance we obtain an expression for the QKR rate as a function of n and the tolerated bit error rate (β). For n → ∞ the rate equals the rate of QKD with one-way postprocessing (i.e. without two-way advantage distillation). This means that whenever it is possible to do one-way-postprocessing-QKD, it is also possible to do QKR at the same asymptotic rate and hence get the benefit of reduced communication complexity.
For finite n, our approach without smoothing yields a rate … where h is the binary entropy function. Both these results are more favourable than what one would expect based on the min-entropy analysis in [9] and straightforward generalisations of [1] to the noisy case.
It is interesting to note that the asymptotic equivalence of the QKR and QKD rate holds not only for 8-state encoding. For 6-state and 4-state (BB84) encoding there is a severe leakage of the qubit payload if Eve intercepts the whole cipherstate. From [2] and [9] it would seem that this leakage necessarily implies low QKR rate. However, in our protocol the leak is masked by the secret key that is used for privacy amplification.
The outline of the paper is as follows. In the preliminaries section we introduce notation; we briefly review smooth Rényi entropies, proof techniques and methods for embedding classical bits in qubits, and we summarise known results regarding Eve's optimal extraction of information from a qubit into a four-dimensional ancilla state. In Section 3 we motivate why we depart from the entanglement-monogamy based proof technique. In Section 4 we present the modified QKR protocol. Section 5 states the main theorems and discusses rates and optimal parameter choices. In Section 6 we compare to existing results, discuss erasures, and suggest topics for future work.

Notation and terminology
Classical Random Variables (RVs) are denoted with capital letters, and their realisations with lowercase letters. The probability that a RV X takes value x is written as Pr[X = x]. The expectation with respect to RV X is denoted as E_x f(x) = Σ_{x∈X} Pr[X = x] f(x). Sets are denoted in calligraphic font. We write [n] for the set {1, . . ., n}. For a string x and a set of indices I the notation x_I means the restriction of x to the indices in I. The notation 'log' stands for the logarithm with base 2. The notation h stands for the binary entropy function h(p) = p log(1/p) + (1 − p) log(1/(1 − p)). Sometimes we will write h({p_1, . . ., p_k}) meaning Σ_i p_i log(1/p_i). Bitwise XOR of binary strings is written as '⊕'. The Kronecker delta is denoted as δ_ab. The inverse of a bit b ∈ {0, 1} is written as b̄ = 1 − b. The Hamming weight of a binary string x is written as |x|. We will speak about 'the bit error rate γ of a quantum channel'. This is defined as the probability that a classical bit g, sent by Alice embedded in a qubit, arrives at Bob's side as ḡ.
For quantum states we use Dirac notation, with the standard qubit basis states |0⟩ and |1⟩ represented as the column vectors (1, 0)ᵀ and (0, 1)ᵀ respectively. The Pauli matrices are denoted as σ_x, σ_y, σ_z. The standard basis is the eigenbasis of σ_z, with |0⟩ in the positive z-direction. We write 1 for the identity matrix. The notation 'tr' stands for trace. The Hermitian conjugate of an operator A is written as A†. The complex conjugate of z is denoted as z*. Let A have eigenvalues λ_i. The 1-norm of A is written as ||A||_1. The trace distance between matrices ρ and σ is denoted as δ(ρ; σ) = ½ ||ρ − σ||_1. It is a generalisation of the statistical distance and represents the maximum possible advantage one can have in distinguishing ρ from σ.
Consider uniform classical variables X, Y and a quantum system labeled 'E' (under Eve's control) that depends on X and Y. The combined classical-quantum state is … The state of a sub-system is obtained by tracing out a subspace, e.g. …
The fully mixed state of subsystem X is denoted as µ_X. The security of the variable X, given that Eve holds the 'E' subsystem, can be expressed in terms of a trace distance as follows [13], … i.e. the distance between the true classical-quantum state and a state in which X is completely unknown to Eve. X is said to be ε-secure with respect to ρ if d(X|E) ≤ ε. When this is the case, it can be considered that X is 'ideal' except with probability ε.
A family of hash functions H = {h : X → T} is called pairwise independent (a.k.a. 2-independent or strongly universal) [15] if for all distinct pairs x, x′ ∈ X and all pairs y, y′ ∈ T it holds that Pr_{h∈H} … Here the probability is over random h ∈ H. Pairwise independence can be achieved with a hash family of size |H| = |X|.

QKR security definition and proof structure
The aim of QKR is to send private authenticated messages, with a better round complexity than QKD. The protocol (see Section 4) has three basic steps. (i) Alice sends quantum states and classical data to Bob. (ii) Bob responds with a decision bit c ∈ {Accept, Reject}. (iii) In case of Accept, most of the key material K is re-used; in case of Reject, the key material is refreshed from K to K′. In order to be considered secure, a QKR protocol must satisfy two properties: (1) even if Eve intercepts everything that Alice sends, she must learn only negligible information about the message; (2) if Eve knows the plaintext and Bob Accepts, Eve's knowledge about the keys used in the next round should be negligible.
For the security of the keys under known-plaintext we will use a recursive proof structure as in [1]. The starting situation is an 'ideal' state ρ^(0) = ρ_K ⊗ ρ_E, in which the key material K is decoupled from Eve's state. After one round of QKR the state has evolved to ρ … The notion of secure key re-use is expressed as follows. Under known-plaintext conditions, a bound is derived on the distance between ρ^(1)_c and the ideal state ρ^(0), given that Eve observes the decision bit: … is the state after N rounds. This can be seen as follows. After two rounds the state is ρ_{c1c2}, and the security quantity of interest is ||ρ_{acc,acc} − ρ^(0)||_1 + P_rej ε. Using the triangle inequality the first term is upperbounded as ||ρ_{acc,acc} − ρ_acc||_1 + P_acc ε. Finally it is used that the mapping from ρ^(i) to ρ^(i+1) is a CPTP map, which cannot increase distance. Hence ρ …

Post-selection
In a collective attack Eve acts on individual qudits. This is not the most general attack. For protocols that are invariant under permutation of the qubits, a post-selection argument [12] can be used to show that ε-security against collective attacks implies ε′-security against general attacks, with ε′ = ε(n + 1)^{d⁴ − 1}, where d is the dimension (d = 2 for qubits). Hence, by paying a modest price in terms of privacy amplification, e.g. changing the usual privacy amplification term 2 log(1/ε) to 2 log(1/ε) + 2(d⁴ − 1) log(n + 1), one can 'buy' security against general attacks.

Encoding a classical bit in a qubit
We briefly review methods for embedding a classical bit g ∈ {0, 1} into a qubit state. The standard basis is |0⟩, |1⟩ with |0⟩ the positive z-direction on the Bloch sphere. The set of bases used is denoted as B, and a basis choice as b ∈ B. The encoding of bit value g in basis b is written as |ψ_bg⟩. In BB84 encoding we write B = {0, 1}, with … In six-state encoding [16] the vectors are ±x, ±y, ±z on the Bloch sphere. For 8-state encoding [2] we have B = {0, 1, 2, 3} and the eight states are the corner points of a cube on the Bloch sphere. We write b = 2u + w, with u, w ∈ {0, 1}. The states are … The angle α is defined as cos α = 1/√3. For given g, the four states |ψ_uwg⟩ are the Quantum One-Time Pad (QOTP) encryptions [17,18,19] of |ψ_00g⟩. The 'plaintext' states |ψ_000⟩, |ψ_001⟩ correspond to the vectors ±(1, 1, 1)/√3 on the Bloch sphere.

Eve's ancilla state
Attacks on QKR were studied in some detail in [9]. They formulated an EPR version of the qubit-based QKR protocol. Instead of creating |ψ_{b_i x_i}⟩ and sending it to Bob, Alice performs a measurement on one half of an EPR singlet state (using basis b_i) while the other half goes to Bob. Eve may manipulate the EPR state; this turns the pure EPR state into a mixed state.
The noise symmetrisation technique of [11] was applied to simplify the state. If Eve's actions induce bit error probability γ (defined as a bit mismatch in x_i between Alice and Bob), then this corresponds to a state of the AB subsystem of the form ρ_AB = (1 … where … denote the Bell basis states.ᵃ Eve's state is obtained by purifying ρ_AB. The pure state is …, where |m_i⟩ is an orthonormal basis in Eve's four-dimensional ancilla space. Let v = (v_1, v_2, v_3) be a 3-component vector on the Bloch sphere describing the '0' bit value in a certain basis. Let |v · m⟩ be shorthand notation for v_1|m_1⟩ + v_2|m_2⟩ + v_3|m_3⟩. Let x be the bit value that Alice measures, and y Bob's bit value. (In the noiseless case we have y = x̄ because of the anti-correlation in the singlet state.) One of the results of [9] is an expression for Eve's mixed ancilla state when v, x, y are fixed, … The E-vectors are not all orthogonal. We have … The state |E^v_00⟩ looks complicated, but the projector is given by the more simple expression …, where ε_jkp stands for the antisymmetric Levi-Civita symbol. For a given basis set B and b ∈ B we will write σ^b_xy instead of σ^v_xy, as the vector v is implicitly defined by the pair (B, b). The following useful identity holds, …
ᵃ For 4-state QKR an extra ingredient is needed to arrive at this expression: the use of test states so as to probe more than a circle on the Bloch sphere.

Motivation
It is possible to add noise tolerance to the construction of Fehr and Salvail [1], but this leads to a result that is unsatisfactory in two respects. (i) For 4-state and 6-state encoding the scheme has a low rate. Even at zero noise the rate is below 1. (ii) For 8-state encoding it is known [9] that the zero-noise rate should be 1, but the proof technique of [1] does not show it. We explain this below.
A straightforward way of adding more noise tolerance to the construction of Fehr and Salvail [1] is as follows. Alice sends to Bob an encrypted syndrome. The encryption is done with a one-time pad, i.e. a certain amount of existing key material has to be spent. Let the number of qubits be n; the length of the secret after privacy amplification is …; the tolerated bit error rate is β. The proof technique in [1] is based on an entanglement monogamy game [20]. It yields a trace distance 2 p_win between ideality and reality, where p_win is the winning probability, … x is the projection operator that corresponds to data bit x ∈ {0, 1} in the basis b. The value of µ is given by … 3 ≈ 0.86 for 4-state, 6-state and 8-state encoding respectively.ᵇ Given that an amount nh(β) of key material has to be spent, the asymptotic QKR rate (… − expenditure)/n is upper bounded by 1 − log(2µ) − 2h(β). This bound on the rate is unfavourable for the 8-state case, even though it is known that QKR with 8-state encoding has good properties [9], e.g. no leakage of the qubit payload at zero noise. Our aim is to obtain a tighter bound on the rate, for all encoding schemes.
ᵇ We note that the p_win obtained numerically with Semidefinite Programming is the same for 6-state and 8-state.

Our adapted QKR protocol
In this paper we consider the QKR scheme #2 proposed in [2], which is a slightly modified version of the QEMC* scheme of Fehr and Salvail [1]. We introduce a small change in the protocol:
• Some key refreshment of the basis key occurs even in case of an Accept.
• The one time pad is derived not only from the qubits' payload but also from the basis key.
The key material shared between Alice and Bob consists of four parts: a basis sequence b ∈ Bⁿ, a MAC key k_MAC ∈ {0, 1}^λ, an extractor keyᶜ u ∈ U, and a classical OTP k_syn ∈ {0, 1}^a for protecting the syndrome. The plaintext is m ∈ {0, 1}^….
ᶜ The extractor key was not mentioned explicitly in [2].
Alice and Bob have agreed on a pairwise independent hash function Ext : …
ᵈ Alternatively, it is an arbitrary information-theoretically secure MAC and the MAC key is re-used indefinitely; but then the tag has to be one-time padded and the pad has to be refreshed in every round. This construction leads to the same amount of key expenditure and involves a few more operations.
The replacement of k_MAC consumes a small constant amount of existing secret key material shared between Alice and Bob. The replacement of k_syn on the other hand consumes a noise-dependent amount of key material proportional to n. See Section 5.6 for a discussion of the balance between message length and key expenditure.
Fig. 1. EPR version of the QKR protocol. The EPR pairs are in the singlet state.

Decryption
Main result

Attacker model and proof method
The attacker model is the one used in most works on QKD. Eve is able to manipulate the classical channel and the quantum channel between Alice and Bob in any way. Eve has no access to the private computations taking place in Alice and Bob's devices. Eve has unbounded (quantum) computation power and unbounded quantum memory.
We work with the EPR version of the protocol (Fig. 1). The protocol steps are practically the same as in Section 4. The only difference is that Alice does not prepare the state |Ψ⟩; instead Eve hands the parts of a noisy EPR pair to Alice and Bob whereupon Alice performs a measurement in the b-basis, resulting in a state |Ψ⟩ with random payload x.
First we consider attacks where Eve entangles her quantum system with individual EPR pairs. Eve is allowed to postpone measurements. For this limited class of attacks we derive a bound (Theorems 1 and 2) on the trace distance between the real state and an ideal state, as explained in Section 2.3. Finally we invoke post-selection to extend the validity of the security proof to general attacks.
In Section 5.4 we present an asymptotic result for n → ∞. We follow proof steps as in [13,14]. Smoothing is introduced, after which the trace distance is upperbounded in a number of steps. First the trace operation and the average over the hashing key u are pulled into the square root using Jensen's inequality; then the properties of pairwise independent hashes are used to evaluate the average over u; this results in an expression that can be written in terms of smooth Rényi entropies S^ε_0 and S^ε_2. Finally Lemma 1 is invoked to make the transition from smooth Rényi entropies to non-smooth von Neumann entropies, which are then easily evaluated.
In Section 5.5 we present a non-asymptotic result without smoothing. The proof follows similar steps up to and including the average over u, except that the trace operation is kept outside the square root. The operator square root is evaluated explicitly, which is feasible because of the diagonal form of the operator. No use is made of entropies.

What to prove
Alice and Bob's shared key material consists of k_syn, k_MAC, b, u. The only keys open to attack are b and u, since k_syn and k_MAC get discarded after each round. Eve's classical side information consists of s (OTP'ed syndrome), τ (authentication tag), the ciphertext c = z ⊕ m, and the Accept/Reject bit. The s and τ carry no information about b, u, x. Hence we will need to prove (i) that m, b, u are safe given c, the Accept/Reject bit and Eve's quantum side information; (ii) that b, u are safe given c, known plaintext m, the Accept/Reject bit and Eve's quantum side information.
Eve's quantum side information consists of her ancilla particles which have interacted with the EPR pairs. The state of the i'th ancilla depends on x_i, y_i, b_i and is given by the 4-dimensional matrix σ^{b_i}_{x_i y_i} as specified in (6). We introduce the binary variable Ω, with Ω = 1 indicating that Alice receives a properly authenticated Accept message from Bob. The keys after execution of one QKR round are denoted with a tilde, i.e. ũ, b̃. We work with quantum-classical states; each classical variable is assigned a quantum register, indicated as a capital-letter superscript on the state ρ. Eve's ancillas are denoted as the subsystem "E". The two quantities of interest are the trace distances … Below we will see that they reduce to the same expression.
We introduce a binary variable θ_xy which indicates whether the error correction succeeds. …
(Note that ȳ appears instead of y, because of the anti-correlation in the singlet state.) We write p_xy = p_x p_{y|x} with p_x = 2^{−n} and p_{y|x} = γ^{|x⊕ȳ|} (1 − γ)^{n−|x⊕ȳ|}. The probability that the error correction succeeds is given by … Alice will re-use keys (Ω = 1) if she receives an authenticated Accept bit from Bob. The probability of this event can be bounded as P_acc(t, γ) ≤ P_corr(t, γ) + 2 · 2^{−λ}. Here λ is the size of the authentication tag. One term 2^{−λ} comes from the possibility that Eve forges Alice's MAC. Another term 2^{−λ} comes from the possibility that Eve forges Bob's MAC on a Reject message and turns it into an Accept message. In the rest of the paper we will ignore these MAC forgery complications when writing down states, but it is understood that we will always have to add a term 2 · 2^{−λ} to the trace distance.

Description of the state
We introduce notation … |U| …, and in slight abuse of notation we define E_b̃, E_ũ in the same way. Furthermore we introduce E_xy def= Σ_{x,y∈{0,1}ⁿ} p_xy … The full quantum-classical state of all the relevant classical variables and Eve's system together is … Note that in (11) we have written ρ^E_bxy without dependence on the classical variable c, which is in principle available to Eve at the moment when she creates the "E" subsystem. (And m, z in case of known plaintext.) We are allowed to do this because the pairwise independent hash function Ext completely decouples x from z. It holds that Pr_U[Z = z | X = x, B = b] = 2^{−…}, where U is the random variable. This implies that X given Z is also uniform. When Eve acts on the individual EPR pairs, she has no information that could lead her to treat any position i ∈ [n] differently from the other positions. Thus we have ρ^E_bxy = ⊗_{i=1}^{n} σ^{b_i}_{x_i y_i}, with σ^b_xy as defined in (6).ᵉ By applying the appropriate partial traces to (11) we get … and further tracing yields … Here we have used the property …, which means that the security of B̃ Ũ M given CΩE is the same as the security of B̃ Ũ given M CΩE.
ᵉ One may want to formally write ρ^E_bxycm instead of ρ^E_bxy. Then this notation can be kept in the derivation below up to (27), where it becomes necessary to use the fact that the ancilla states do not actually depend on c and m.

Asymptotic result
Theorem 1 Consider one round of the QKR protocol (Section 4) with 6-state or 8-state encoding. Let Eve cause noise described by parameter γ as discussed in Section 2.6. Let t be the number of errors that can be corrected by the error-correcting code. In the limit n → ∞ it holds that … with P_corr as defined in (10).
Let β def= t/n. For γ > β the probability P_corr is exponentially small. For γ ≤ β, the second expression can be made exponentially small for … < n + nh(γ) − nh({1 − 3γ/2, γ/2, γ/2, γ/2}). Asymptotically the length of the syndrome is a = nh(β), and the O(log n) contribution from post-selection (Section 2.4) becomes negligible compared to n. The QKR rate … which is exactly the asymptotic rate of 6-state QKD.
Proof of Theorem 1: First of all there is the contribution 2^{1−λ} from the possibility of forging the MACs, as explained in Section 5.2. Next we write … We introduce smoothing as in [13,10,14] by allowing states ρ̄ that are ε-close to ρ in terms of trace distance. This yields D ≤ 2ε + D̄, with … In slight abuse of notation we have written … The ρ̄^E_{bũmc,ω=1} and ρ̄^E_{ω=1} are both sub-normalised states; their trace equals P_corr(t, γ). Hence it holds that D̄ ≤ 2P_corr(t, γ). This corresponds to the first expression in the 'min' in (18). For γ ≤ t/n weᶠ derive a bound as follows. … (Jensen) … In (23) we used that rank(ρ^E_bũmc − ρ̄^E) ≤ rank(ρ^E_bũmc) + rank(ρ̄^E) andᵍ rank(ρ^E_bũmc) ≤ rank(ρ̄^E). From the properties of two-universal hash functions we get … Substitution into (25) gives … (In the last two lines we have x, y ∈ {0, 1} and b ∈ B in contrast to the previous lines.) From (8) we have … In the last line we used that the projectors σ^b_xx and σ^b_x̄x̄ are orthogonal to each other. Note that the description of Eve's ancilla state in Section 2.6 is valid for 4-state (BB84) encoding under the condition that test states are used which probe the whole Bloch sphere; then the QKR rate is given by (19). If only the xz-plane of the Bloch sphere is involved in the protocol, then (33) still holds, but with different σ^b_xy matrices, yielding a QKR rate equal to the BB84 QKD rate.
ᶠ The ω = 0 part disappears, since the Reject event of the real protocol is identical to the Reject in the 'ideal' case. Even in case of a Reject the plaintext M is secure; no matter how much leaks about X, the X is masked by U, which is then discarded.
ᵍ This holds because ρ̄^E is a sum of many terms ρ̄^E_bũmc.
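As an added illustration (not code from the paper), the following Python evaluates the quantities behind Theorem 1 and the post-selection step of Section 2.4: the entropy functions h and h({·}) of the notation section, the secret length per qubit 1 + h(γ) − h({1 − 3γ/2, γ/2, γ/2, γ/2}), and the resulting asymptotic rate. It assumes the worst case γ = β (the largest noise that error correction still tolerates) with syndrome cost a = nh(β), writes out the BB84 one-way rate 1 − 2h(β) that the text only names, and adds a bisection search for the noise threshold, which the paper does not do.

```python
import math


def h(p: float) -> float:
    """Binary entropy h(p) = p log(1/p) + (1 - p) log(1/(1 - p)), logs to base 2."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def h_multi(probs) -> float:
    """The paper's h({p_1, ..., p_k}) = sum_i p_i log(1/p_i) for a probability distribution."""
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to one")
    return sum(-p * math.log2(p) for p in probs if p > 0.0)


def bell_diagonal(gamma: float):
    """Weights {1 - 3γ/2, γ/2, γ/2, γ/2} of the symmetrised noisy EPR pair (Section 2.6)."""
    if not 0.0 <= gamma <= 2.0 / 3.0:
        raise ValueError("bit error rate must lie in [0, 2/3] for the weights to be valid")
    return (1.0 - 1.5 * gamma, gamma / 2.0, gamma / 2.0, gamma / 2.0)


def secret_length_per_qubit(gamma: float) -> float:
    """Largest secret length per qubit allowed by Theorem 1: 1 + h(γ) - h({1-3γ/2, γ/2, γ/2, γ/2})."""
    return 1.0 + h(gamma) - h_multi(bell_diagonal(gamma))


def asymptotic_qkr_rate(beta: float) -> float:
    """Asymptotic QKR rate for 6-/8-state encoding with tolerated bit error rate β.

    Assumption made here: Eve uses γ = β, the largest noise level that error
    correction still tolerates, and the syndrome costs a/n = h(β) key bits per
    qubit. The result, 1 - h({1-3β/2, β/2, β/2, β/2}), is the 6-state QKD rate.
    """
    return secret_length_per_qubit(beta) - h(beta)


def bb84_rate(beta: float) -> float:
    """Standard BB84 one-way rate 1 - 2h(β), the xz-plane case mentioned after Theorem 1."""
    return 1.0 - 2.0 * h(beta)


def noise_threshold(rate_fn, lo: float = 0.0, hi: float = 0.5, iters: int = 60) -> float:
    """Largest β with positive rate, found by bisection on a decreasing rate function."""
    if not (rate_fn(lo) > 0.0 > rate_fn(hi)):
        raise ValueError("rate must be positive at lo and negative at hi")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if rate_fn(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


def general_attack_epsilon(eps_collective: float, n: int, d: int = 2) -> float:
    """Post-selection (Section 2.4): ε against collective attacks becomes ε(n+1)^(d^4-1) against general ones."""
    return eps_collective * (n + 1) ** (d ** 4 - 1)


def post_selection_pa_bits(n: int, eps: float, d: int = 2) -> float:
    """Privacy-amplification term after post-selection: 2 log(1/ε) + 2(d^4 - 1) log(n + 1) bits."""
    return 2.0 * math.log2(1.0 / eps) + 2.0 * (d ** 4 - 1) * math.log2(n + 1)


def finite_n_rate(beta: float, n: int, eps: float) -> float:
    """Asymptotic rate minus the O(log n)/n post-selection cost per qubit, which vanishes as n grows."""
    return asymptotic_qkr_rate(beta) - post_selection_pa_bits(n, eps) / n


if __name__ == "__main__":
    for beta in (0.0, 0.05, 0.10, 0.12):
        print(f"beta={beta:.2f}  6/8-state QKR rate={asymptotic_qkr_rate(beta):.4f}"
              f"  BB84 rate={bb84_rate(beta):.4f}"
              f"  n=10^6, eps=2^-128 rate={finite_n_rate(beta, 10**6, 2.0**-128):.4f}")
    print(f"6-state noise threshold ~ {noise_threshold(asymptotic_qkr_rate):.4f}")
    print(f"BB84 noise threshold    ~ {noise_threshold(bb84_rate):.4f}")
```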

Non-asymptotic result without smoothing
We want to have a bound on d(B̃ Ũ | M CΩE) also for finite n. One approach would be to start from (32) and analyse the smooth entropies S^ε_0 and S^ε_2 for finite n and ε, and minimise over ε. However, that is a cumbersome procedure. Below we present a less tight but easier to derive bound, obtained by setting ε to zero.
Theorem 2 Consider one round of the QKR protocol (Section 4). Let Eve cause noise described by parameter γ as discussed in Section 2.6. Let t be the number of errors that can be corrected by the error-correcting code. Let the function f be defined as … The trace distance between the real state and the ideal state can be bounded as … For large γ the probability P_corr(t, γ) is exponentially small in n. Note that 2 log f(γ) ∈ [0, 1) for γ ∈ [0, 1/2). For any γ < 1/2 it is possible to choose … such that the √··· in (38) becomes exponentially small in n. However, this is only half of the story, because the QKR rate is obtained by subtracting the key expenditure from ….
Proof of Theorem 2: We follow the proof of Theorem 1 up to (21) but without smoothing (ε = 0). Using Jensen's inequality for concave operators we write … The last equality holds because E_ũ ρ^E_bũmc = ρ^E. Next we use (27), but without the trace. This gives … Next we show that the expression under the square root is diagonal. Using … from which it follows that …
Theorem 3 Consider the context of Theorem 2. Let β = t/n. Let σ be a security parameter. Let … be chosen as … Proof: See Appendix 1.
If according to (45) the length … becomes negative then this means that the desired security level σ cannot be achieved.
A typical choice for the tag length would be λ = σ + 1, yielding 2/2^σ in the right hand side of (47). Several things are worth noting.
• The ξ is of order 1. Hence the term ξ√(σn) scales as √n.
• The function f is concave. There is no advantage for Eve in choosing a position-dependent noise level γ_i instead of the same noise level γ for all i ∈ [n].
• Analysis of QKD instead of QKR using the same technique yields a result similar to Theorem 2, but with a slightly more favourable function instead of f(γ), namely … (We mention this without showing the proof.) Nevertheless, the asymptotics of QKD and QKR are the same.
As explained in Section 2.4, by invoking post-selection we can 'buy' security against general attacks by reducing the message length a bit. The bound (38) changes by a factor (n + 1)^15, which can be compensated by shrinking … from (45) to …

Non-asymptotic QKR rate; choosing the parameter values
We want to characterize the non-asymptotic performance of our QKR scheme under ideal circumstances. Consider a sequence of QKR rounds with a large number of consecutive Accepts. Let η = 2 · 2^{−λ} + 2^{−σ} be the 'imperfection' induced by one round of QKR. Let θ be the maximum distance that Alice and Bob are willing to tolerate between reality and the ideal state ρ^(0). After N = θ/η rounds they have to refresh all their key material. The QKR rate is rate = (total message data sent in N rounds − expended key material), divided by the total number of qubits N n. The total message size is N …, with … specified in (48). The total key expenditure consists of N times two λ-bit authentication tags, N a-bit OTPs that protect the syndromes (asymptotically a ≈ nh(β)), n log |B| bits of basis key b, and n bits of extractor key u. This gives … Note that η can be made exponentially small (N exponentially large) by increasing λ and σ.
For large n and N the rate (50) tends to 1 − h(β) − 2 log f(β), which is lower than the asymptotic result of Section 5.4. The discrepancy is of course caused by the fact that we did not use smoothing in Theorem 2. Fig. 2 shows the asymptotic (QKR = QKD) rate (19) as well as the ε = 0 rate (50) in the limit n → ∞, N → ∞ and the rates obtained from the Entanglement Monogamy approach (Section 3). Obviously smoothing improves the tightness of the provable bounds significantly. Furthermore it is also clear that the Entanglement Monogamy bounds are very far from tight.
It is possible to reduce the key expenditure. "Scheme #3" in [2] greatly reduces the key material spent on protecting the syndrome, but it increases the number of qubits needed to convey the message. It does not modify the rate (50).
Instead of pairwise independent hashing one may use 'δ-almost pairwise independent' hash functions. A small security penalty δ is incurred, but the length of the extractor key u is reduced from n to approximately min(n − …, … + 2 log(1/δ)). Furthermore, it is possible to send keys for the next round (k_syn and the two MAC-padding OTPs) as part of the payload in the current round. This trick completely nullifies the key expenditure in case of Accept, but reduces the message size by a + 2λ. The rate is unaffected.
Typically θ is fixed. Then it remains to tune N (which via η = θ/N fixes σ) and n for fixed (θ, β) so as to optimise the rate. In Fig. 3 the non-asymptotic rate is plotted for θ = 2^{−256} and various values of β, N and n. We see that the asymptotic rate can be approached well for realistic values of N and n.

Comparison to existing results
The proof technique of [1] requires a special 'key privacy' property of the MAC function, and has to keep track of the security of the MAC key. We avoid this requirement at the cost of spending λ additional bits of key. An interesting difference with respect to [1] is that we … was found for 8-state encoding; that is more than our leakage result 2 log f(β). We conclude that non-smooth min-entropy is too pessimistic as a measure of security in this context.
It was pointed out in [2,9] that with 8-state encoding there is no leakage about the qubit payload X, whereas 6-state and BB84 encoding allow Eve to learn a lot about X in case of a Reject. One may conclude that more privacy amplification is needed for 6-state and BB84 encoding than for 8-state. However, it turns out that the situation is the same for all encoding schemes: the privacy amplification key U adequately masks X and gets replaced upon Reject.

Dealing with erasures
Our analysis has not taken into account quantum channels with erasures (particles failing to arrive). Consider a channel with erasure rate η and bit error rate β for the non-erased states. The Alice-to-Bob channel capacity is $(1-\eta)(1-h(\beta))$. A capacity-achieving linear error-correcting code that is able to deal with such a channel has a syndrome of size $n h(\beta) + n\eta[1 - h(\beta)]$. Imagine the QKR scheme of Section 4 employing such an error-correcting code. On the one hand, the key expenditure increases from $n h(\beta)$ to $n h(\beta) + n\eta[1 - h(\beta)]$. On the other hand, the leakage increases. Every qubit not arriving at Bob's side must be considered to be in Eve's possession; since an erasure can be parametrised as a qubit with $\beta = \tfrac{1}{2}$, the leakage is 1 bit per erased qubit. Hence the leakage term $n \cdot 2\log f(\beta)$ changes to $n(1-\eta)\,2\log f(\beta) + n\eta$. The combined effect of the syndrome size and the leakage increase has a serious effect on the QKR rate. The asymptotic rate becomes $1 - h(\beta) - \eta[1 - h(\beta)] - (1-\eta)\,2\log f(\beta) - \eta$. For β = 0 this is $1 - 2\eta$; at zero bit error rate no more than 50% erasures can be accommodated by the scheme. In long fiber optic cables the erasure rate can be larger than 90%. Under such circumstances the QKR scheme of Section 4 simply does not work. (Note that continuous-variable schemes do not have erasures but instead have large β.) One can think of a number of straightforward ways to make the QKR protocol erasure-resistant. Below we sketch a protocol variant in which Alice sends qubits, and Bob returns an authenticated and encrypted message.
1. Alice sends a random string $x \in \{0,1\}^q$ encoded in q qubits, with $q(1-\eta) > n$. The security is not negatively affected by the existence of erasures. Assume that Eve holds all the qubits that have not reached Bob. Since the data in the qubits is random, and does not contribute to the computation of z, it holds that (i) it is not important if Eve learns the content of these bits, (ii) known plaintext does not translate to partial knowledge of the data content of these qubits, which would endanger the basis key b and the extractor key u.
Footnote h: Alice may send the (authenticated) Accept/Reject bit along with the next batch of qubits; then the protocol has only two rounds.
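The erasure bookkeeping above (syndrome size, leakage, asymptotic rate and the β = 0 threshold) carried through in code, as an added example that is not part of the paper. The binary entropy h and the formulas are the page's own; the leakage term 2 log f(β) is not defined in this section, so the functions take its value as a caller-supplied parameter (`two_log_f`, an assumption). The code also solves for the zero-rate erasure threshold at arbitrary β, which the text states only for β = 0.

```python
import math


def h(p):
    """Binary entropy function in bits (h(0) = h(1) = 0)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def syndrome_bits(n, beta, eta):
    """Syndrome size n h(beta) + n eta [1 - h(beta)] of a capacity-achieving
    linear code for a channel with erasure rate eta and bit error rate beta."""
    return n * h(beta) + n * eta * (1.0 - h(beta))


def leakage_bits(n, beta, eta, two_log_f):
    """Leakage n (1 - eta) 2 log f(beta) + n eta: every erased qubit is counted
    as fully known to Eve (1 bit).  two_log_f is the value of 2 log f(beta) for
    the chosen encoding; it is caller-supplied because f is not defined here."""
    return n * (1.0 - eta) * two_log_f + n * eta


def asymptotic_rate(beta, eta, two_log_f):
    """1 - h(beta) - eta [1 - h(beta)] - (1 - eta) 2 log f(beta) - eta, i.e. the
    erasure-free rate 1 - h(beta) - 2 log f(beta) minus the syndrome increase
    eta [1 - h(beta)] and the leakage increase."""
    return 1.0 - h(beta) - eta * (1.0 - h(beta)) - (1.0 - eta) * two_log_f - eta


def max_erasure_rate(beta, two_log_f):
    """Largest eta at which the asymptotic rate is still non-negative.  The rate
    is affine in eta, so the zero crossing follows exactly from its values at
    eta = 0 and eta = 1 (the latter is always -1)."""
    r0 = asymptotic_rate(beta, 0.0, two_log_f)
    r1 = asymptotic_rate(beta, 1.0, two_log_f)
    if r0 <= 0.0:
        return 0.0
    return r0 / (r0 - r1)


if __name__ == "__main__":
    n = 10_000
    for eta in (0.0, 0.3, 0.5, 0.9):
        print(f"beta=0 eta={eta:.1f}: syndrome={syndrome_bits(n, 0.0, eta):.0f} bits, "
              f"leakage={leakage_bits(n, 0.0, eta, 0.0):.0f} bits, "
              f"rate={asymptotic_rate(0.0, eta, 0.0):+.3f}")
    print("beta=0 erasure threshold:", max_erasure_rate(0.0, 0.0))
```

At β = 0 the leakage term vanishes (the text's 1 − 2η), so `max_erasure_rate(0.0, 0.0)` returns 0.5 and a 90% erasure rate gives a negative rate, matching the observation that the Section 4 scheme does not work on long fibers.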

Future work
It is possible to evaluate or bound the $S_0^\varepsilon(\rho_E)$ and $S_2^\varepsilon(\rho_{BXE})$ in (31) for finite n and ε 'by hand', i.e. specifically for $\rho_E^{bxy} = \bigotimes_{i=1}^n \sigma^{b_i x_i y_i}$. That would yield a non-asymptotic result that is more favorable than Theorem 3.
It is interesting to note that QKR protocols which derive an OTP z from the qubit payload and then use z for encryption look a lot like Quantum Key Distribution, but with reduced communication complexity. This changes when the message is put directly into the qubits, e.g. as is done in Gottesman's Unclonable Encryption [6]. It remains a topic for future work to prove security of such a QKR scheme.
The QKR scheme of Section 4 can be improved and embellished in various ways. For instance, Alice's λ-bit key expenditure for one-time MACing may not be necessary. The authentication tag may simply be generated as part of the Ext function's output, and then the security of the MAC key can be proven just by proving the security of the extractor key u (similar to what is done in [1]).
Furthermore, as mentioned in Section 5.6, one may use 'scheme #3' of [2], which protects the syndrome by sending it through the quantum channel instead of classically OTP-ing it. This too reduces the key expenditure, and it does not affect the rate.
Another interesting option is to deploy the Quantum One Time Pad with approximately half the key length, which still yields information-theoretic security. This would slightly improve the rate (50) by reducing the amortised cost of refreshing b from $2/N$ to approximately $1/N$. Finally, various tricks known from QKD may be applied to improve the noise tolerance of QKR, e.g. artificial noise added by Alice.
by Eve as well as key updates by Alice and Bob. Accept happens with probability $P_{\rm acc}$ and leads to a state $\rho^{(1)}_{\rm acc} = \mathbb{E}_k\, |k\rangle\langle k| \otimes \rho_E^k$ in which Eve has potentially gained knowledge about K; Reject happens with probability $P_{\rm rej}$ and yields a state $\rho^{(1)}_{\rm rej} = \rho_K \otimes \rho_E$, which has factorised form due to the key refreshment.
Bob receives $|\Psi\rangle$, s, c, τ. He performs the following steps. Measure $|\Psi\rangle$ in the b-basis; this yields $x \in \{0,1\}^n$. Recover x = x ⊕ SynDec(k_syn ⊕ s ⊕ Syn x). Compute ẑ||b = Ext(u, x||b) and m = c ⊕ ẑ. Accept only if τ = Γ(k_MAC, x||c||s) holds and the syndrome decoding was successful. Communicate Accept/Reject to Alice (publicly but with authentication). Key update: Alice and Bob perform the following actions. • In case of Reject: take new keys k_syn, k_MAC, b, u. • In case of Accept: take new keys k_syn and k_MAC. The key u is re-used. Alice replaces b by b. Bob replaces b by b.
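The Bob-side steps and the key-update rule just described, as an added toy simulation that is not the paper's code. The qubit channel is replaced by classical bit flips on the payload x (the basis key b is carried along but plays no role without qubits), Syn/SynDec are a 3-fold repetition code, and Ext and Γ are SHA-256/HMAC stand-ins; Alice's side is written as the inverse of Bob's steps. All of these components, the parameter sizes and the key dictionary layout are assumptions of the example, not the paper's constructions. What it shows is that the masked syndrome k_syn ⊕ s ⊕ Syn x yields the error pattern, and which keys survive an Accept versus a Reject.

```python
import hashlib
import hmac
import os

# Toy parameters (assumptions): 12 payload bits x, a 16-bit message m, and a
# 3-fold repetition code whose syndrome has 2 bits per block.
N = 12
L = 16
BLOCK = 3
SYN_LEN = 2 * (N // BLOCK)


def xor(p, q):
    return [a ^ b for a, b in zip(p, q)]


def bits_of(data, count):
    """First `count` bits of a byte string, most significant bit first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(count)]


def random_bits(count):
    return bits_of(os.urandom((count + 7) // 8), count)


def syn(x):
    """Syn: syndrome of x under the repetition code, (x0^x1, x0^x2) per block."""
    out = []
    for i in range(0, len(x), BLOCK):
        a, b, c = x[i:i + BLOCK]
        out += [a ^ b, a ^ c]
    return out


# Block syndrome -> lowest-weight error pattern producing it (assumed decoder).
_SYN_TABLE = {(0, 0): [0, 0, 0], (1, 1): [1, 0, 0], (1, 0): [0, 1, 0], (0, 1): [0, 0, 1]}


def syn_dec(s):
    """SynDec: map a syndrome to an error pattern with at most one flip per block."""
    e = []
    for i in range(0, len(s), 2):
        e += _SYN_TABLE[(s[i], s[i + 1])]
    return e


def ext(u, x, b):
    """Stand-in for Ext(u, x||b) -> z||b'.  SHA-256 keyed by u is NOT the paper's
    pairwise-independent extractor; it only plays that role in the flow."""
    d = hashlib.sha256(u + bytes(x) + bytes(b)).digest()
    out = bits_of(d, L + N)
    return out[:L], out[L:]


def gamma(k_mac, *parts):
    """Stand-in for the one-time MAC Gamma (HMAC-SHA256; assumption)."""
    return hmac.new(k_mac, b"".join(bytes(p) for p in parts), "sha256").digest()


def fresh_keys():
    return {"k_syn": random_bits(SYN_LEN), "k_mac": os.urandom(32),
            "b": random_bits(N), "u": os.urandom(32)}


def alice_send(keys, m, x):
    """Alice's side as the inverse of Bob's steps (assumption): OTP the
    syndrome, derive z||b' from x||b, OTP the message, tag (x, c, s)."""
    s = xor(keys["k_syn"], syn(x))
    z, b_next = ext(keys["u"], x, keys["b"])
    c = xor(m, z)
    tau = gamma(keys["k_mac"], x, c, s)
    return s, c, tau


def bob_receive(keys, x_meas, s, c, tau):
    """Bob's steps.  k_syn ^ s ^ Syn(x_meas) = Syn(x ^ x_meas) by linearity, so
    SynDec returns the error pattern; then derive z||b', decrypt, verify."""
    e = syn_dec(xor(xor(keys["k_syn"], s), syn(x_meas)))
    x = xor(x_meas, e)
    z, b_next = ext(keys["u"], x, keys["b"])
    m = xor(c, z)
    accept = hmac.compare_digest(tau, gamma(keys["k_mac"], x, c, s))
    return accept, m, b_next


def key_update(keys, accept, b_next):
    """Reject: new k_syn, k_mac, b, u.  Accept: new k_syn, k_mac only; u is
    re-used and b is replaced by the b' derived from Ext."""
    new = fresh_keys()
    if not accept:
        return new
    return {"k_syn": new["k_syn"], "k_mac": new["k_mac"], "b": b_next, "u": keys["u"]}


def run_round(keys, m, flip_positions):
    """One round with constructed channel noise: bit flips at the given
    positions of x.  Returns (accept, Bob's message, updated keys)."""
    x = random_bits(N)
    s, c, tau = alice_send(keys, m, x)
    x_meas = [bit ^ (i in flip_positions) for i, bit in enumerate(x)]
    accept, m_hat, b_next = bob_receive(keys, x_meas, s, c, tau)
    return accept, m_hat, key_update(keys, accept, b_next)
```

With one flip per block (positions 0, 4, 8) the repetition code corrects the payload, the tag verifies, and the returned key set keeps u; two flips inside one block (positions 0, 1) are mis-corrected, the tag check fails, and every key including u is refreshed.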

2. Bob receives qubits in positions i ∈ I, I ⊆ [q], and measures x_i in those positions. He aborts the protocol if |I| < n. Bob selects a random subset J ⊂ I with |J| = n. He constructs a string y = x_J. He computes s = k_syn ⊕ S(y), z||b = Ext(u, y||b), c = m ⊕ z, t = Γ(k_MAC, J||y||c||s). He sends J, s, c, t.
3. Alice receives this data as J, s, c, t. She computes y by doing error correction on x_J aided by the syndrome k_syn ⊕ s. Then she computes z||b = Ext(u, y||b), m = z ⊕ c and τ = Γ(k_MAC, J||y||c||s). Alice Accepts the message m if τ = t and Rejects otherwise (footnote h). Key refreshment is as in the original protocol.