11 talks · 10 posters · 0 committee roles · 0 leadership roles · years active 2019–2025
Contributions by venue (chart not reproduced): QIP, QCrypt, TQC; roles shown: presenter, award; committee legend △ program, ◇ steering, ○ organising, □ local, filled = chair
Talks
| Title | Conference | Type | Co-authors | Abstract |
|---|---|---|---|---|
| Rényi security framework against coherent attacks applied to decoy-state QKD | QCRYPT 2025 | regular | Lars Kamin, John Burniston | We develop a flexible and robust framework for finite-size security proofs of quantum key distribution (QKD) protocols under coherent attacks, applicable to both fixed- and variable-length protocols. Our methods achieve high finite-size key rates across a broad class of protocols while imposing minimal requirements. In particular, they eliminate the need for restrictive assumptions such as limited repetition rates or the implementation of virtual tomography procedures. To achieve this goal, we introduce new numerical techniques for the evaluation of conditional sandwiched Rényi entropies, enabling tight key rate bounds without compromising generality. In doing so, we find an alternative formulation of the "QKD cone" studied in previous work, which may be of independent interest. Moreover, we illustrate the versatility of our framework by applying it to several practically relevant protocols, including decoy-state protocols. Furthermore, we extend the analysis to accommodate realistic device imperfections, such as independent intensity and phase imperfections. Overall, our framework provides both greater scope of applicability and better key rates than existing techniques, especially for small block sizes, offering a scalable path toward secure quantum communication under realistic conditions. |
| Marginal-constrained entropy accumulation theorem | QCRYPT 2025 | regular; Best Student Paper Award (Theory) to Amir Arqand | Amir Arqand | We derive a novel chain rule for a family of channel conditional entropies, covering von Neumann and sandwiched Rényi entropies. In the process, we show that these channel conditional entropies are equal to their regularized version, and more generally, additive across tensor products of channels. For the purposes of cryptography, applying our chain rule to sequences of channels yields a new variant of Rényi entropy accumulation, in which we can impose some specific forms of marginal-state constraint on the input states to each individual channel. This generalizes a recently introduced security proof technique that was developed to analyze prepare-and-measure QKD with no limitations on the repetition rate. In particular, our generalization yields "fully adaptive" protocols that can in principle update the entropy estimation procedure during the protocol itself, similar to the quantum probability estimation framework. |
| Mutual information chain rules for security proofs robust against device imperfections | QCRYPT 2024 | regular | Amir Arqand, Tony Metger | In this work we derive a number of chain rules for mutual information quantities, suitable for analyzing quantum cryptography with imperfect devices that leak additional information to an adversary. First, we derive a chain rule between smooth min-entropy and smooth max-information, which improves over previous chain rules for characterizing one-shot information leakage caused by an additional conditioning register. Second, we derive an information accumulation theorem that bounds the Rényi mutual information of a state produced by a sequence of channels, in terms of the Rényi mutual information of the individual channel outputs. In particular, this yields simple bounds on the smooth max-information in the preceding chain rule. Third, we derive chain rules between Rényi entropies and Rényi mutual information, which can be used to modify the entropy accumulation theorem to accommodate leakage registers sent to the adversary in each round of a protocol. We show that these results can be used to handle some device imperfections in a variety of device-dependent and device-independent protocols, such as randomness generation and quantum key distribution. |
| Security Proof for Variable-Length Quantum Key Distribution | QCRYPT 2024 | regular | Devashish Tupkary, Norbert Lütkenhaus | We present a security proof for variable-length QKD against IID collective attacks. Our proof can be lifted to coherent attacks using the postselection technique. Our first main result is a theorem to convert a sequence of security proofs for fixed-length protocols satisfying certain conditions to a security proof for a variable-length protocol. This conversion requires no new calculations, does not require any changes to the final key lengths or the amount of error-correction information, and at most doubles the security parameter. Our second main result is the description and security proof of a more general class of variable-length QKD protocols, which does not require characterizing the honest behaviour of the channel connecting the users before the execution of the QKD protocol. Instead, these protocols adaptively determine the length of the final key, and the amount of information to be used for error-correction, based upon the observations made during the protocol. We apply these results to the qubit BB84 protocol, and show that variable-length implementations lead to higher expected key rates than the fixed-length implementations. Finally, we point out a critical flaw in the analysis of privacy amplification that arises due to sifting. We provide an elegant solution that retroactively fixes this flaw. |
| Finite-size decoy-state security proof against coherent attacks | QCRYPT 2024 | regular | Shlok Nahar, Lars Kamin, Devashish Tupkary, Yuming Zhao, Norbert Lütkenhaus | Proving the security of quantum key distribution (QKD) protocols against arbitrary attacks is a challenging task for arbitrary protocols. Here, we accomplish this task by extending and improving both the decoy-state analysis against collective attacks, and the postselection technique to uplift this security proof to arbitrary attacks. First, we improve the postselection technique, both by improving the cost paid for the uplift, and by rigorously showing how it can be applied to generic optical protocols. Second, we fundamentally improve the decoy-state analysis in such a way that we require only one decoy intensity to achieve the same performance as prior analysis with two decoy intensities. This has two consequences: it makes the protocol easier to practically implement, and reduces the penalty incurred by using the postselection technique. Third, we extend the finite-size QKD analysis to decoy-state protocols and generically improve the finite-size correction terms that appear. Thus, we provide a full security proof against arbitrary attacks for generic decoy-state protocols. |
| Finite-size DIQKD with noisy preprocessing and random key measurements | QCRYPT 2021 | regular | Xavier Valcarce, Pavel Sekatski, Jean-Daniel Bancal, René Schwonnek, Renato Renner, Nicolas Sangouard, Charles C.-W. Lim | — |
| Composably secure device-independent encryption with certified deletion | QIP 2021 | regular | Srijita Kundu | We study the task of encryption with certified deletion (ECD) introduced by Broadbent and Islam (2019), but in a device-independent setting: we show that it is possible to achieve this task even when the honest parties do not trust their quantum devices. Moreover, we define security for the ECD task in a composable manner and show that our ECD protocol achieves composable security. Our protocol is based on device-independent quantum key distribution (DIQKD), and in particular the parallel DIQKD protocol based on the magic square non-local game, given by Jain, Miller and Shi (2017). To achieve certified deletion, we use a property of the magic square game observed by Fu and Miller (2017), namely that a two-round variant of the game can be used to certify deletion of a single random bit. In order to achieve certified deletion security for arbitrarily long messages from this property, we prove a parallel repetition theorem for two-round non-local games, which may be of independent interest. |
| Robust device-independent quantum key distribution | QCRYPT 2020 | regular | René Schwonnek, Koon Tong Goh, Ignatius W. Primaatmaja, Ramona Wolf, Valerio Scarani, Charles C.-W. Lim | — |
| Computing secure key rates for quantum key distribution with untrusted devices | QIP 2020 | regular | René Schwonnek, Koon Tong Goh, Ignatius William Primaatmaja, Charles Ci Wen Lim | — |
| A device-independent protocol for XOR oblivious transfer | TQC 2020 | regular | Srijita Kundu, Jamie Sikora | — |
| A numerical method for computing reliable secret key rates for device-independent quantum key distribution | QCRYPT 2019 | regular | René Schwonnek, Ramona Wolf, Koon Tong Goh, Charles C.-W. Lim | — |
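The fixed-length versus variable-length distinction in the "Security Proof for Variable-Length Quantum Key Distribution" entry above can be seen in a toy model. The following is an added illustration, not code from the talk or its authors: it simulates qubit BB84 sifting over a constructed symmetric bit-flip channel, estimates the QBER on a test sample, and compares a fixed-length rule (key length fixed from the assumed tolerance, abort if the observed QBER exceeds it) with a variable-length rule (key length chosen from the observed QBER). The key-length function is the textbook asymptotic Shor-Preskill rate n(1 - 2h(Q)), used here only as a stand-in for a finite-size key-length function; the QBER samples, tolerance and channel are constructed for the example.

```python
import math
import random


def binary_entropy(q: float) -> float:
    """Binary entropy h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def asymptotic_bb84_key_length(n_key: int, qber: float) -> int:
    """Textbook asymptotic BB84 key length n_key * (1 - 2 h(qber)), clipped at 0.

    Stand-in for a finite-size key-length function (assumption of this example);
    it is NOT the finite-size rate proved in the talk.
    """
    rate = 1.0 - 2.0 * binary_entropy(qber)
    return max(0, math.floor(n_key * rate))


def fixed_length_rule(n_key: int, q_obs: float, q_tol: float) -> int:
    """Fixed-length protocol: the key length is fixed in advance from the assumed
    channel (tolerance q_tol); the protocol aborts (0 bits) if the observed
    QBER exceeds the tolerance."""
    if q_obs > q_tol:
        return 0
    return asymptotic_bb84_key_length(n_key, q_tol)


def variable_length_rule(n_key: int, q_obs: float) -> int:
    """Variable-length protocol: the key length is chosen from the observed QBER."""
    return asymptotic_bb84_key_length(n_key, q_obs)


def expected_key_length(lengths: list[int]) -> float:
    """Average output over a list of per-run key lengths (uniform weights)."""
    return sum(lengths) / len(lengths)


def simulate_bb84_sifting(n_rounds: int, error_prob: float,
                          test_fraction: float, seed: int) -> tuple[int, float]:
    """Toy qubit BB84 with a constructed symmetric bit-flip channel (no adversary
    model). Returns (number of raw-key bits after sifting and testing,
    observed QBER on the test sample)."""
    rng = random.Random(seed)
    sifted = []
    for _ in range(n_rounds):
        bit = rng.getrandbits(1)
        alice_basis = rng.getrandbits(1)
        bob_basis = rng.getrandbits(1)
        if alice_basis != bob_basis:
            continue  # sifting: discard rounds with mismatched bases
        received = bit ^ (1 if rng.random() < error_prob else 0)
        sifted.append((bit, received))
    n_test = max(1, int(test_fraction * len(sifted)))
    test, key = sifted[:n_test], sifted[n_test:]
    qber = sum(a != b for a, b in test) / n_test
    return len(key), qber


def compare_rules(n_key: int, qber_samples: list[float], q_tol: float) -> tuple[float, float]:
    """Expected key length of the fixed-length and variable-length rules over a
    constructed set of observed-QBER outcomes."""
    fixed = expected_key_length([fixed_length_rule(n_key, q, q_tol) for q in qber_samples])
    variable = expected_key_length([variable_length_rule(n_key, q) for q in qber_samples])
    return fixed, variable


if __name__ == "__main__":
    n_key, q_hat = simulate_bb84_sifting(n_rounds=20000, error_prob=0.04,
                                         test_fraction=0.1, seed=7)
    print(f"sifted key bits: {n_key}, observed QBER: {q_hat:.4f}")
    # Constructed observed-QBER outcomes across runs and a fixed tolerance of 8%.
    fixed, variable = compare_rules(n_key, [0.01, 0.03, 0.05, 0.08, 0.12], q_tol=0.08)
    print(f"expected key length, fixed-length rule:    {fixed:.1f}")
    print(f"expected key length, variable-length rule: {variable:.1f}")
```

Because h is increasing on [0, 1/2], the variable-length rule never outputs fewer bits than the fixed-length rule on any single run: below tolerance it keys off the smaller observed QBER, and above tolerance the fixed-length rule has already aborted. The expected-length gap in the last two lines is exactly the effect the talk quantifies rigorously in the finite-size setting.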
Posters
| Title | Conference | Co-authors | Abstract |
|---|---|---|---|
| QKD security proofs for decoy-state BB84: protocol variations, proof techniques, gaps and limitations | QCRYPT 2025 | Devashish Tupkary, Shlok Nahar, Lars Kamin, Norbert Lütkenhaus | We discuss the status of security proofs for practical decoy-state Quantum Key Distribution using the BB84 protocol, pertaining to optical implementations using weak coherent pulses and threshold photo-detectors. Our focus is on the gaps in the existing literature. Gaps might result, for example, from a mismatch of protocol detail choices and proof technique elements, from proofs relying on earlier results that made different assumptions, or from protocol choices that do not consider real-world requirements. While substantial progress has been made, our overview draws attention to the details that still require our attention. |
| Generalized Rényi entropy accumulation theorem and generalized quantum probability estimation | QCRYPT 2024 | Amir Arqand, Thomas Hahn | The entropy accumulation theorem, and its subsequent generalized version, is a powerful tool in the security analysis of many device-dependent and device-independent cryptography protocols. However, it has the drawback that the finite-size bounds it yields are not necessarily optimal, and furthermore, it relies on the construction of an affine min-tradeoff function, which in practice can often be challenging to construct optimally. In this work, we address both of these challenges simultaneously by deriving a new entropy-accumulation bound. Our bound yields significantly better finite-size performance, and can be computed as a convex optimization without any specification of affine min-tradeoff functions. Furthermore, it can be applied directly at the level of Rényi entropies if desired, yielding fully-Rényi security proofs. Our proof techniques are based on elaborating on a connection between entropy accumulation and the framework of quantum probability estimation, and in the process we obtain some new results with respect to the latter framework as well. |
| All forms of QKD are susceptible to memory attacks | QCRYPT 2024 | — | In device-independent cryptography, it is known that reuse of devices across multiple protocol instances can introduce a vulnerability against memory attacks. We highlight in this work that device-dependent or measurement-device-independent protocols are in fact also susceptible to similar attacks. Furthermore, even if we only consider a single protocol instance, memory effects across rounds are enough to cause substantial difficulties in applying many existing non-IID proof techniques for device-dependent or measurement-device-independent protocols, such as de Finetti reductions and complementarity-based arguments (e.g. analysis of phase errors). We present a quick discussion of these issues, including some tailored scenarios where protocols admitting security proofs via those techniques become insecure when memory effects are allowed, and we highlight connections to recently discussed attacks on DIQKD protocols that have public announcements based on the measurement outcomes. This discussion indicates the challenges that would need to be addressed in order to apply those techniques in the presence of memory effects (for either the device-dependent or device-independent case), whether for devices reused across multiple protocol instances, or for a single protocol instance. |
| Entropy bounds for device-independent quantum key distribution with local Bell test | QCRYPT 2024 | Ramona Wolf | One of the main challenges in device-independent quantum key distribution (DIQKD) is achieving the required Bell violation over long distances, as the channel losses result in low overall detection efficiencies. Recent works have explored the concept of certifying nonlocal correlations over extended distances through the use of a local Bell test. Here, an additional quantum device is placed in close proximity to one party, using short-distance correlations to verify nonlocal behavior at long distances. However, existing works have either not resolved the question of DIQKD security against active attackers in this setup, or used methods that do not yield tight bounds on the keyrates. In this work, we introduce a general formulation of the key rate computation task in this setup that can be combined with recently developed methods for analyzing standard DIQKD. Using this method, we show that if the short-distance devices exhibit sufficiently high detection efficiencies, positive key rates can be achieved in the long-distance branch with lower detection efficiencies as compared to standard DIQKD setups. This highlights the potential for improved performance of DIQKD over extended distances in scenarios where short-distance correlations are leveraged to validate quantum correlations. |
| Bounds on Petz-Rényi Divergences and their Applications for Device-Independent Cryptography | QCRYPT 2024 | Thomas Hahn, Peter Brown | Variational techniques have been recently developed to find incredibly tight bounds on the von Neumann entropy in a completely device-independent (DI) setting. This, in turn, has led to significantly improved key rates of DI protocols, in both the asymptotic limit as well as in the finite-size regime. In this paper, we discuss two approaches towards applying these variational methods for Petz-Rényi divergences instead. We then show how this can be used to further improve the finite-size key rate of DI protocols, utilizing a fully-Rényi entropy accumulation theorem developed in a partner work. Petz-Rényi divergences can also be applied to study DI advantage distillation, in which two-way communication is used to improve the noise tolerance of quantum key distribution (QKD) protocols. We implement these techniques to derive increased noise tolerances for DIQKD protocols, which surpass all previous known bounds. |
| Finite-size analysis of prepare-and-measure and decoy-state QKD via entropy accumulation | QCRYPT 2024 | Lars Kamin, Amir Arqand, Ian George, Norbert Lütkenhaus | An important goal in quantum key distribution (QKD) is the task of providing a finite-size security proof without the assumption of collective attacks. For prepare-and-measure QKD, one approach for obtaining such proofs is the generalized entropy accumulation theorem (GEAT), but thus far it has only been applied to study a small selection of protocols. In this work, we present techniques for applying the GEAT in finite-size analysis of generic prepare-and-measure protocols, with a focus on decoy-state protocols. In particular, we present an improved approach for computing entropy bounds for decoy-state protocols, which has the dual benefits of providing tighter bounds than previous approaches (even asymptotically) and being compatible with methods for computing min-tradeoff functions in the GEAT. Furthermore, we develop methods to incorporate some improvements to the finite-size terms in the GEAT, and implement techniques to automatically optimize the min-tradeoff function. Our approach also addresses some numerical stability challenges specific to prepare-and-measure protocols, which were not addressed in previous works. |
| Finite-size analysis of prepare-and-measure and decoy-state quantum key distribution via entropy accumulation | QCRYPT 2023 | Lars Kamin, Amir Arqand, Ian George, Jie Lin, Norbert Lütkenhaus | An important goal in quantum key distribution (QKD) is the task of providing a finite-size security proof without assuming that the states across the protocol rounds are independent and identically distributed (IID). For prepare-and-measure QKD, one recently developed approach for obtaining such proofs is the generalized entropy accumulation theorem (GEAT), but thus far it has only been applied to study a small selection of protocols. In this work, we present techniques for applying the GEAT in finite-size analysis of generic prepare-and-measure protocols, incorporating several methods to optimize the min-tradeoff function and minimize the second-order term in the GEAT. As a particular focus, we analyze decoy-state protocols and present a method for generically obtaining min-tradeoff functions for such protocols, even those where a closed-form expression for the asymptotic rate is not known. Furthermore, we highlight that the techniques we develop in the process should also yield improved bounds on the keyrates of decoy-state protocols even in the asymptotic limit. |
| Robustness of implemented device-independent protocols and device-dependent QKD against constrained leakage | QCRYPT 2023 | — | Device-independent (DI) protocols have experienced significant progress in recent years, with a series of demonstrations of DI randomness generation or expansion, as well as DI quantum key distribution. However, existing security proofs for those demonstrations rely on a typical assumption in DI cryptography, that the devices do not leak any unwanted information to each other or to an adversary. This assumption may be difficult to perfectly enforce in practice. While there exist other DI security proofs that account for a constrained amount of such leakage, the techniques used are somewhat unsuited for analyzing the recent DI protocol demonstrations. In this work, we address this issue by studying a constrained leakage model suited for this purpose, which should also be relevant for future similar experiments. Our proof structure is compatible with recent proof techniques for flexibly analyzing a wide range of DI protocol implementations. With our approach, we compute some estimates of the effects of leakage on the keyrates of those protocols, hence providing a clearer understanding of the amount of leakage that can be allowed while still obtaining positive keyrates. Our results and techniques should also be relevant in proving security of device-dependent QKD against constrained leakage. |
| Device-independent uncloneable encryption | QCRYPT 2023 | Srijita Kundu | Uncloneable encryption, first introduced by Broadbent and Lord (TQC 2020), is a quantum encryption scheme in which a quantum ciphertext cannot be distributed between two non-communicating parties such that, given access to the decryption key, both parties cannot learn the underlying plaintext. In this work, we introduce a variant of uncloneable encryption in which several possible decryption keys can decrypt a particular encryption, and the security requirement is that two parties who receive independently generated decryption keys cannot both learn the underlying ciphertext. We show that this variant of uncloneable encryption can be achieved device-independently, i.e., without trusting the quantum states and measurements used in the scheme. Moreover, we show our variant of uncloneable encryption works just as well as the original definition in constructing quantum money, and can be used to get uncloneable bits without using the quantum random oracle model. Finally, we show that a simple modification of our scheme yields a single-decryptor encryption scheme, which was a related notion introduced by Georgiou and Zhandry. In particular, the resulting single-decryptor encryption scheme achieves device-independent security with respect to a standard definition of security against random plaintexts. |
| The Quantum Chernoff Divergence in Advantage Distillation for QKD and DIQKD | QCRYPT 2023 | Mikka Stasiuk, Norbert Lütkenhaus | Quantum key distribution (QKD) aims to extract secret keys from correlations between quantum systems. Most QKD research focuses on "device-dependent" protocols whose security is conditioned on their quantum devices operating within specified tolerances. These assumptions on device operation render device-dependent protocols vulnerable to attacks that exploit the differences in real devices and their models in security proofs, and hence threaten the security of such protocols. Alternatively, device-independent (DI) QKD seeks to achieve security with minimal assumptions on quantum devices by relying on quantum correlations that violate Bell inequalities, overcoming this shortcoming of device-dependent QKD.<br>Our work is motivated by the following two observations. First, DIQKD is more secure but has worse noise and loss tolerances than device-dependent QKD. This point has motivated investigations into new techniques to improve these tolerance thresholds such as random key generation, random post-selection, noisy pre-processing and advantage distillation, the last of which we investigate, and which describes a two-way communication procedure in the error correction step of the protocol. Second, the precise circumstances in which DIQKD is possible are unclear, since not all correlations that violate Bell inequalities can be used to distill a secret key in DIQKD. Under the independent and identically distributed (IID) collective attacks framework, previous work sought to resolve both problems by implementing DIQKD with an advantage distillation protocol called the repetition-code protocol. The authors derived both a sufficient and a conjectured necessary condition for security based on the fidelity between some states in the protocol. However, the significance of their results was limited by a gap between the two security conditions, which prevented the calculation of tight noise tolerance bounds and suggested that the fidelity is not the right quantity to consider to characterize exactly when key distillation in DIQKD is possible.<br>Furthermore, in our work we replace the fidelity in the security proofs with the quantum Chernoff divergence, a measure of distinguishability in symmetric hypothesis testing, and achieve equivalent sufficient and necessary conditions for security for the repetition-code DIQKD protocol under the IID collective attacks framework. Consequently, our work strongly indicates that quantum Chernoff divergence is the relevant quantity to describe the security of the repetition-code DIQKD protocol. With our new security condition, we show that the noise tolerance thresholds of the repetition-code DIQKD protocol outperform even one-way DIQKD protocols implemented with noisy pre-processing and random key measurements. |
Collaborators
| Co-author | Joint talks and posters |
|---|---|
| Norbert Lütkenhaus | 6 |
| Amir Arqand | 5 |
| Lars Kamin | 5 |
| Charles C.-W. Lim | 4 |
| René Schwonnek | 4 |
| Devashish Tupkary | 3 |
| Koon Tong Goh | 3 |
| Ramona Wolf | 3 |
| Srijita Kundu | 3 |
| Ian George | 2 |
| Ignatius W. Primaatmaja | 2 |
| Shlok Nahar | 2 |
| Thomas Hahn | 2 |
| Jamie Sikora | 1 |
| Jean-Daniel Bancal | 1 |
| Jie Lin | 1 |
| John Burniston | 1 |
| Mikka Stasiuk | 1 |
| Nicolas Sangouard | 1 |
| Pavel Sekatski | 1 |
| Peter Brown | 1 |
| Renato Renner | 1 |
| Tony Metger | 1 |
| Valerio Scarani | 1 |
| Xavier Valcarce | 1 |
| Yuming Zhao | 1 |