Practical device-independent quantum cryptography via entropy accumulation

Abstract

Device-independent cryptography goes beyond conventional quantum cryptography by providing security that holds independently of the quality of the underlying physical devices. Device-independent protocols are based on the quantum phenomena of non-locality and the violation of Bell inequalities. This high level of security could so far only be established under conditions which are not achievable experimentally. Here we present a property of entropy, termed "entropy accumulation", which asserts that the total amount of entropy of a large system is the sum of its parts. We use this property to prove the security of cryptographic protocols, including device-independent quantum key distribution, while achieving essentially optimal parameters. Recent experimental progress, which enabled loophole-free Bell tests, suggests that the achieved parameters are technologically accessible. Our work hence provides the theoretical groundwork for experimental demonstrations of device-independent cryptography.

Fig. 1

The Clauser–Horne–Shimony–Holt game. Alice and Bob input bits, separately, into their parts of the shared device. Each part of the device supplies an output. The game is won if a ⊕ b = x ⋅ y. The optimal winning probability in this game for a classical device is 75%. A quantum device can get up to approximately 86% by measuring the maximally entangled state $∣{\mathrm{\Phi }}^{+}⟩$ = $\left(∣00⟩+∣11⟩\right)\mathrm{∕}\sqrt{2}$ with the following measurements: Alice’s measurements x = 0 and x = 1 correspond to the Pauli operators σ_z and σ_x, respectively, and Bob’s measurements y = 0 and y = 1 to $\left({\sigma }_z+{\sigma }_x\right)\mathrm{∕}\sqrt{2}$ and $\left({\sigma }_z-{\sigma }_x\right)\mathrm{∕}\sqrt{2}$, respectively

Fig. 2

Secrecy for the Clauser–Horne–Shimony–Holt game vs. winning probability. The amount of secret randomness is quantified by the conditional von Neumann entropy $H\left(A∣E\right)$. As soon as the winning probability is above the classical threshold of 75% some secret randomness is produced. The analytical bound is stated as Eq. (2)

Fig. 3

An independent and identically distributed device vs. a general one. An independent and identically distributed (i.i.d.) device (left) is initialised in some (unknown) i.i.d. state σ^⊗n; each “small device” is described by one copy of the same bipartite state σ and all copies are measured in the same way. A general device (right) is described by a bipartite quantum state ρ; in contrast to the i.i.d. case, any further division into subsystems is unknown. During the protocol, the state is measured through a sequential process: Alice and Bob use the device in the first round of the protocol and only then proceed to the second round, and so on

Fig. 4

Sequential processes. Each map in the sequence ${\mathcal{M}}_i$ outputs O_i, which describes the information that should be kept secret, and S_i, describing some side information leaked by the map, together with a “memory” system R_i, which gets passed on to the next map ${\mathcal{M}}_{i+1}$. In each step, an additional classical value C_i is calculated from O_i and S_i

Fig. 5

Key rate in a DIQKD protocol. The plots show the key rate r as a function of a the quantum bit error rate Q and b the number of signals n. The completeness error, i.e., the probability that the protocol aborts when using an honest implementation of the device, e.g., due to statistical fluctuations, was chosen to be ${\epsilon }_{\mathrm{QKD}}^c=10^{-2}$. The soundness error, which quantifies the maximum tolerated deviation of the actual protocol from a hypothetical one where a perfectly random and completely secret key is produced for Alice and Bob, is taken to be ${\epsilon }_{\mathrm{QKD}}^s=10^{-5}$. Both of these values are considered to be realistic and relevant for actual applications. The rates are calculated using Eq. (35) which is derived in the Methods section

Fig. 6

The construction of the min-tradeoff function f_min. The plot shows the values of the min-tradeoff function on a slice $\tilde{p}\left(0\right)+\tilde{p}\left(1\right)=1-{\left(1-\gamma \right)}^{s_{\max }}$

Fig. 7

Entropy rate for entropy accumulation protocol. η_opt(ω_exp) for γ = 1, s_max = 1 and several choices of δ_est, n, ε_EA, and ε_s. We optimise the rates over all parameters which are not explicitly stated in the figure. The dashed line shows the optimal asymptotic (n → ∞) rate under the assumption that the devices are such that Alice, Bob, and Eve share an (unknown) i.i.d. state and n → ∞