Numerical approach for unstructured quantum key distribution

Quantum key distribution (QKD) allows for communication with security guaranteed by quantum theory. The main theoretical problem in QKD is to calculate the secret key rate for a given protocol. Analytical formulas are known for protocols with symmetries, since symmetry simplifies the analysis. However, experimental imperfections break symmetries, hence the effect of imperfections on key rates is difficult to estimate. Furthermore, it is an interesting question whether (intentionally) asymmetric protocols could outperform symmetric ones. Here we develop a robust numerical approach for calculating the key rate for arbitrary discrete-variable QKD protocols. Ultimately this will allow researchers to study ‘unstructured' protocols, that is, those that lack symmetry. Our approach relies on transforming the key rate calculation to the dual optimization problem, which markedly reduces the number of parameters and hence the calculation time. We illustrate our method by investigating some unstructured protocols for which the key rate was previously unknown.

Quantum key distribution (QKD) will play an important role in quantum-safe cryptography, i.e., cryptography that addresses the emerging threat of quantum computers [1].Since its original proposal [2,3], QKD has developed dramatically over the past three decades [4,5], both in theory and implementation.Indeed, QKD is now a commercial technology, with the prospect of global QKD networks on the horizon [6,7].
The main theoretical problem in QKD is to calculate how much secret key can be distributed by a given protocol.A crucial practical issue is that the QKD protocols that are easiest to implement with existing optical technology do not necessarily coincide with the protocols that are easiest to analyze theoretically [4].Currently, calculating the secret key output of a protocol is typically extremely technical, and hence only performed by skilled experts.Furthermore, each new protocol idea requires a new calculation, tailored to that protocol.Ultimately the technical nature of these calculations combined with the lack of universal tools limits the pace at which new QKD protocols can be discovered and analyzed.Here, we address this problem by developing a robust, user-friendly framework for calculating the secret key output, with the hope of bringing such calculations "to the masses".
The secret key output is typically quantified by the key rate, which refers to the number of bits of secret key established divided by the number of distributed quantum systems.Operationally this corresponds to the question of how much privacy amplification Alice and Bob must apply to transform their raw key into the final secure key.Analytical simplifications of the key rate calculation can be made for some special protocols that have a high degree of symmetry [8].Examples of such symmetric protocols, where the signal states have a group-theoretic structure, include the BB84 [3] and six-state protocols [9].Indeed the key rate is known for these protocols.However, in practice, lack of symmetry is the rule rather * Electronic address: pcoles@uwaterloo.cathan the exception.That is, even if experimentalists try to implement a symmetric protocol, experimental imperfections tend to break symmetries [10].Furthermore, it is sometimes desirable due to optical hardware issues to implement asymmetric protocols, e.g., as in Ref. [11].
We refer to general QKD protocols involving signal states or measurement choices that lack symmetry as "unstructured" protocols.Some recent work has made progress in bounding the key rate for special kinds of unstructured protocols, such as four-state protocols in Ref. [12,13] and qubit protocols in Ref. [14].Still, there is no general method for computing tight bounds on the key rate for arbitrary unstructured protocols.Yet, these are the protocols that are most relevant to experimental implementations.
This motivates our present work, in which we develop an efficient, numerical approach to calculating key rates.Our ultimate aim is to develop a computer program, where Alice and Bob input a description of their protocol (e.g., their signal states, measurement devices, sifting procedure, and key map) and their experimental observations, and the computer outputs the key rate for their protocol.This program would allow for any protocol, including those that lack structure.
At the technical level, the key rate problem is an optimization problem, since one must minimize the wellknown entropic formula for the key rate [15] over all states ρ AB that satisfy Alice's and Bob's experimental data.The main challenge here is that this optimization problem is unreliable and inefficient.In this work, we give a novel insight that transforming to the dual problem (e.g., see [16]) resolves these issues, hence paving the way for automated key rate calculations.
Specifically, the unreliable (or unphysical) aspect of the primal problem is that it is a minimization, hence the output will in general be an upper bound on the key rate.But one is typically more interested in reliable lower bounds, i.e., physically achievable key rates.Transforming to the dual problem allows one to formulate the problem as a maximization, and hence approach the key rate from below.Therefore, every number outputted from our computer program represents an achievable asymptotic key rate, even if the computer did not reach the global maximum.
The inefficient aspect of the primal problem is that the number of parameters grows as d 2  A d 2 B for a state ρ AB with d A = dim(H A ) and d B = dim(H B ).For example, if d A = d B = 10, the number of parameters that one would have to optimize over is 10000.In contrast, in the dual problem, the number of parameters is equal to the number of experimental constraints that Alice and Bob choose to impose.For example, in the generalization of the BB84 protocol to arbitrary dimensions [17,18], Alice and Bob typically consider two constraints, their error rates in the two mutually-unbiased bases (MUBs).So, for this protocol, we have reduced the number of parameters to something that is constant in dimension.We therefore believe that our approach (of solving the dual problem) is ideally suited to efficiently calculate key rates in high dimensions.
We have written a MATLAB program to implement our key rate calculations.To illustrate the validity of our program, we show (see Fig. 1) that it exactly reproduces the known theoretical dependence of the key rate on error rate, for both the BB84 and six-state protocols.
But ultimately the strength of our approach is its ability to handle unstructured protocols.We demonstrate this by investigating some unstructured protocols for which the key rates were not previously known.For example, we study a general class of protocols where Alice and Bob measure n MUBs, with 2 n d+1, in dimension d.Also, we investigate the B92 protocol [19], which involves two signal states whose inner product is arbitrary.Our key rates are higher than known analytical lower bounds [20,21] for B92.Finally, we argue that our approach typically gives dramatically higher key rates than those obtained from an analytical approach based on the entropic uncertainty relation [22,23].
We focus on asymptotic key rates in this work.Nevertheless, the optimization problem that we solve is also at the heart of finite-key analysis, e.g., see Refs.[24,25].We therefore hope to extend our approach to the finitekey scenario in future efforts.We remark that finite-size effects generally reduce the key rate below its asymptotic value.
In what follows we first present our main result: a reformulation of the key rate optimization problem in such a way that it is easily computable.We then outline our general framework for treating a broad range of protocols.Finally we illustrate our approach with various examples.

Setup of the problem.
Consider a general entanglement-based (EB) QKD protocol involving finitedimensional quantum systems A and B that are respectively received by Alice and Bob.Note that prepare-andmeasure QKD protocols can be recast as EB protocols,  1: Key rate for two well-known QKD protocols.Here we compare our numerics (from Theorem 1) with the theoretical curves.The results of our numerical optimization for the BB84 and six-state protocols are respectively shown as red and blue dots.The known theoretical curves for these protocols are also shown as black dashed lines.The dots should be viewed as reliable lower bounds on the key rate, but in this case they happen to be perfectly tight, coinciding with the theoretical curves.
as discussed below.For simplicity of presentation, we consider protocols where Alice's raw key is derived from a measurement on her system, possibly after some postselection corresponding to a public announcement with a binary outcome, "pass" or "fail".However, our approach can easily be extended to more general protocols.
Let Z A (Z B ) denote the measurement that Alice (Bob) performs on system A (B) in order to derive the raw key.Suppose they use one-way direct reconciliation for the classical post-processing and that their error correction is optimal (i.e., leaks out the minimum number of bits), then the asymptotic key rate is given by the Devetak-Winter formula [15]: In ( 1), H(X|Y Here, ρ ABE is the tripartite density operator shared by Alice, Bob, and Eve (and it may be the state after some post-selection procedure, see our general framework below).Also, {Z j A } and {Z k B } are the sets of positive operator valued measure (POVM) elements associated with Alice's and Bob's key-generating measurements.In what follows we refer to {Z j A } as the key-map POVM.
In the previous paragraph and in what follows, we assume that the state shared by Alice, Bob, and Eve has an i.i.d.(independent, identically distributed) structure, and hence it makes sense to discuss the state ρ ABE associated with a single round of quantum communication.To avoid confusion, we emphasize that our approach is "unstructured" in the sense of lacking structure for a given round of quantum communication, but we do impose the i.i.d.structure that relates one round to the other rounds.This i.i.d.structure corresponds to Eve doing a so-called collective attack.However, the security of our derived asymptotic key rate also holds against the most general attacks (coherent attacks) if one imposes that the protocol involves a random permutation of the rounds (a symmetrization step) such that the de Finetti theorem [26,27] or the postselection technique [28] applies.
Typically Alice's and Bob's shared density operator ρ AB is unknown to them.A standard part of QKD protocols is for Alice and Bob to gather data through local measurements, and in a procedure known as parameter estimation, they use this data to constrain the form of ρ AB .The measurements used for this purpose can, in general, be described by bounded Hermitian operators Γ i , with the set of such operators denoted by Γ = {Γ i }.
From their data, Alice and Bob determine the average value of each of these measurements: and this gives a set of experimental constraints: We denote the set of density operators that are consistent with these constraints as: where P AB denotes the set of positive semidefinite operators on H AB , and an additional constraint 1 1 = 1 is assumed to be added to the set C to enforce normalization.
Because Alice and Bob typically do not perform full tomography on the state, C includes many density operators, and hence the term H(Z A |E) in ( 1) is unknown.To evaluate the key rate, Alice and Bob must consider the most pessimistic of scenarios where H(Z A |E) takes on its smallest possible value that is consistent with their data.This is a constrained optimization problem, given by where Eve's system E can be assumed to purify ρ AB since it gives Eve the most information.Here the number of parameters in the optimization is (d A d B ) 2 , corresponding to the number of parameters in a positive semidefinite operator on H AB .We refer to (7) as the primal problem.
Main result.Our main result is a reformulation of the optimization problem in (7).
Theorem 1: The solution of the minimization problem in (7) is lower bounded by the following maximization problem: where and In ( 9), the optimization is over all vectors λ = {λ i }, where the λ i are arbitrary real numbers and the cardinality of λ is equal to that of Γ.Also, M denotes the supremum norm of M , which is the maximum eigenvalue of M when M is positive semidefinite, as in (9).
The proof of Theorem 1 is given in the Methods section.It relies on the duality of convex optimization problems, as well as some entropic identities that allow us to simplify the dual problem.Note that the term H(Z A |Z B ) in ( 8) is pulled outside of the optimization since Alice and Bob can compute it directly from their data.
The cardinalities of the sets λ and Γ are the same.This means that the number of parameters λ i that one must optimize over, to solve (9), is equal to the number of experimental constraints that Alice and Bob have.(More precisely this is the number of independent constraints, since one can eliminate constraints that carry redundant information).This has the potential to be significantly less than the number of parameters in the primal problem.Indeed we demonstrate below that (9) can be easily solved using MATLAB on a personal computer for a variety of interesting QKD protocols.
Formulating constraints.For a given protocol, how does one decide which constraints to include in the set C? Consider the following remarks.First, adding in more constraints will never decrease the key rate obtained from our optimization.This follows since adding a new constraint gives an additional λ i to maximize over, while setting this new λ i to zero recovers the old problem.Second, coarse-graining constraints, i.e., merging two constraints Γ i = γ i and Γ j = γ j into a single constraint Γ i + Γ j = γ i + γ j , will never increase the key rate obtained from our optimization.This follows since merging two constraints means that two λ i 's are merged into a single λ i , thus restricting the optimization.Hence, to obtain the highest key rates, one should input all of one's refined knowledge that is available into our optimization.On the other hand, coarse-graining reduces the number of constraints and thus may help to simplify the optimization problem, possibly at the cost of a reduced key rate.
One's refined knowledge is captured as follows.In a general EB protocol, Alice measures a POVM (whose elements may be non-commuting, e.g., if she randomly measures one of two MUBs), which we denote as Γ A = {Γ A,i }.Likewise Bob's corresponding POVM is Γ B = {Γ B,i }.Hence, through public discussion, Alice and Bob obtain knowledge of expectation values of the form These constraints form the set C in (5).We remark that it is common in the QKD field to express correlations in terms of average error rates rather than in terms of the joint probability distribution in (11).This is an example of the coarse-graining that we mentioned above.For simplicity of presentation, we will do this sort of coarsegraining for some protocols that we investigate below, although (11) represents our general framework for constructing C.
Framework for prepare-and-measure.While our approach is stated in the EB scenario, let us note how it applies to prepare-and-measure (PM) protocols.Consider a PM protocol involving a set of N signal states {|φ j }, which Alice sends with probabilities {p j }.It is well-known that PM protocols can be recast as EB protocols using the source-replacement scheme (see, e.g., [4,8,29]).Namely, one forms the entangled state: One imagines that Alice keeps system A, while system A is sent over an insecure quantum channel E to Bob, resulting in The numerical optimization approach described above can then be applied to the state ρ AB in (13).However, in addition to the constraints obtained from Alice's and Bob's measurement results, we must add in further constraints to account for the special form of ρ AB .In particular, note that the partial trace over B gives The form of ρ A , which is closely related to Gram matrix, depends on the inner products between the signal states, which (we assume) Alice knows.Suppose {Ω i } is a set of tomographically complete observables on system A, then one can add in the calculated expectation values {ω i } of these observables into the set of constraints.That is, add to the set C in ( 5).This will capture Alice's knowledge of her reduced density operator.
Framework for decoy states.In decoy-state QKD [30], which aims to combat photon-number splitting attacks, Alice prepares coherent states of various intensities and then randomizes their phases before sending them to Bob.Our framework can handle decoy states simply by allowing for additional signal states to be added to the set {|φ j } in (12).For example, to treat decoy protocols with partial phase randomization [31], one can consider signal states that are bipartite (on the signal mode S and the reference mode R) of the form where α j is the amplitude of the coherent state associated with the j-th intensity setting, θ k is the k-th phase used in phase randomization, and φ l is the phase Alice uses to encode her information (e.g., for generating key).Decoy protocols with complete phase randomization are also treatable in our framework, namely, by adding in a signal state for each photon-number basis state (up to a cut-off), and treating multi-photon signals as orthogonal states (so-called "tagged states") since Eve can perfectly distinguish them.
Framework for MDI QKD.A special kind of PM protocol is measurement-device-independent (MDI) QKD [32].In MDI QKD, Alice prepares states {|φ j } with probabilities {p j } and sends them to Charlie, and Bob does the same procedure as Alice (see Fig. 2).Charlie typically does a Bell-basis measurement, however the security proof does not assume this particular form of measurement.Charlie announces the outcome of his measurement, which we denote by the classical register M .Our framework for treating MDI QKD considers the tripartite state ρ ABM , where A and B respectively are Alice's and Bob's systems in the sourcereplacement scheme, playing the same role as system A in (12) (see Supplementary Note 1 for elaboration).For our numerics, we impose the constraint that the marginal ρ AB = ρ A ⊗ ρ B is fixed (since Eve cannot access A and B), with ρ A and ρ B given by the form in (14).We enforce this constraint using the same approach as used in (15) to fix ρ A for PM protocols.The only other constraints we impose are the usual correlation constraints, i.e., a description of the joint probability distribution for the standard bases on A, B, and M , of the form Framework for post-selection and announcements.In general, a QKD protocol may involve postselection.As an example, if Alice sends photons to Bob over a lossy channel, then they may post-select on rounds in which Bob detects a photon.As noted above, for simplicity we consider protocols where the post-selection involves a binary announcement, and Alice and Bob keep (discard) rounds when "pass" ("fail") is announced.Let G be the completely-positive (CP) linear map corresponding to the post-selection.The action of given by a single Kraus operator G, corresponding to the "pass" announcement.
The key rate formula (1) should be applied to the postselected state: ρAB = G(ρ AB )/p pass (18) where p pass = Tr(G(ρ AB )) is the probability for passing the post-selection filter.We remark that since G is given by a single Kraus operator, it maps pure states to pure states, and hence taking Eve's system to purify the postselected state ρAB is equivalent to taking it to purify ρ AB .Hence applying the key rate formula to ρAB does not give Eve access to any more than she already has, and hence does not introduce any looseness into our bound.Future extension of our work to more general maps G will need to carefully account for how Eve's system is affected by G, so as not to lose key rate from this proof technique.
The only issue is that Alice's and Bob's experimental constraints C in (5) are still in terms of state ρ AB .
To solve for the key rate, one must transform these constraints into constraints on ρAB .For the special case where G has an inverse G −1 that is also CP, one can simply insert the identity channel Using cyclic permutation under the trace, we transform (5) into a set of constraints on ρAB , where the Γi = (G −1 ) † (Γ i ) are Hermitian operators, with (G −1 ) † being the adjoint of G −1 , and γi = γ i /p pass .Note that p pass is determined experimentally and hence the γi are known to Alice and Bob.More generally, we provide a method for obtaining C for arbitrary G, as described in Supplementary Note 2.
We remark that public announcements can be treated with a simple extension of our post-selection framework.While our framework directly applies to announcements with only two outcomes corresponding to "pass" or "fail" (as discussed above), more general announcements can be treated by adding classical registers that store the announcement outcomes.Our treatment of MDI QKD is an example of this approach (see Fig. 2 and Supplementary Note 1).Additional examples that could be treated in this way are protocols with two-way classical communication [33] such as advantage distillation.
Outline of examples.We now illustrate our numerical approach for lower bounding the key rate by considering some well-known protocols.First, we consider the BB84 and six-state protocols (Fig. 1), MDI QKD with BB84 states (Fig. 2), and the generalized BB84 protocol involving two MUBs in any dimension (Fig. 3).In each case, the dependence of the key rate on error rate is known, and we show that our numerical approach exactly reproduces these theoretical dependences.After considering these structured protocols, we move on to using our numerical optimization for its intended purpose: studying The inset shows the basic idea of MDI QKD: Alice and Bob each prepare a signal state and send it to an untrusted node, which performs an (untrusted) Bell-basis measurement and announces the outcome.Our numerics (circular dots) essentially reproduce the known theoretical dependence of the key rate on the error rate (dashed curve), which is the same expression as that given in (20).See Supplementary Note 1 for elaboration.
unstructured protocols.The fact that our bound is tight for the structured protocols mentioned above gives reason to suspect that we will get strong bounds in the unstructured case.We investigate below a protocol involving n MUBs, a protocol involving bases with arbitrary angle between them, and the B92 protocol.
Example: BB84.Consider an entanglement-based version of the BB84 protocol [3], where Alice and Bob each receive a qubit and measure either in the For all protocols that we discuss, we assume perfect sifting efficiency, which can be accomplished asymptotically via asymmetric basis choice [34].Let us suppose that Alice and Bob each use their Z basis in order to generate key.For simplicity, suppose they observe that their error rates in the Z and X bases are identical and equal to Q, then it is known (see, e.g., [4]) that the key rate is given by where is the binary entropy.
To reproduce this result using our numerics, we write the optimization problem as follows: where the error operators are defined as Equations ( 21)-( 24) highlight the fact that, as far as the optimization in ( 9) is concerned, a QKD protocol is defined by the POVM elements used for generating the key and the experimental constraints used for "parameter estimation" (and also the post-selection map G, but this is trivial for the ideal BB84 protocol.).Once these things are specified, the protocol is defined and the key rate is determined.Numerically solving the problem defined in ( 21)-( 24) for several values of Q leads to the red dots in Fig. 1, which agree perfectly with the theory curve.
Example: Six state.Now consider an entanglementbased version of the six-state protocol, where Alice and Bob each measure one of three MUBs (X, Y , or Z) on their qubit.Suppose that Alice and Bob observe that their error rates in all three bases are identical, where with (Our definition of E Y reflects the fact that the standard Bell state is correlated in Z and X but anti-correlated in Y .)To reproduce the known key rate [9,21], we write the optimization problem as: where E XY := (E X + E Y )/2 quantifies the average error for X and Y .Note that the constraint E XY = Q is obtained by coarse-graining the individual error rates.In theory, one can get a stronger bound on the key rate by splitting up this constraint into E X = Q and E Y = Q.However, our numerics show that this does not improve the key rate, and the constraints in ( 29)-( 31) are enough to reproduce the theory curve.Indeed, numerically solving the problem in ( 28)-( 31) leads to the blue dots in Fig. 1, which agree with the theory curve.
Example: Two MUBs in higher dimensions.A distinct advantage of our approach of solving (9) instead of the primal problem ( 7) is that we can easily perform the optimization in higher dimensions, where the number of parameters in (7) would be quite large.To illustrate this, we consider a generalization of BB84 to arbitrary dimension, where Alice and Bob measure generalized versions of the X and Z bases.This protocol has been implemented, e.g., in Ref. [18] using orbital angular momentum.Taking Z as the standard basis {|j }, Alice's X basis can be taken as the Fourier transform {F |j }, where is the Fourier matrix, with ω = e 2πi/d , and for simplicity we choose Alice's and Bob's dimension to be equal: where F * denotes the conjugate of F in the standard basis.
Suppose that Alice and Bob observe that their error rates in Z and X are identical.The theoretical key rates [8,17] for the cases d = 6, 8, 10 are shown as dashed curves in Fig. 3, while our numerics are shown as circular dots.Clearly there is perfect agreement with the theory.
For our numerics we employ the same constraints as used for BB84 in ( 21)- (24), but generalized to higher d.We again emphasize that the calculation of Θ here is very efficient and can easily handle higher dimension.This is because the number of parameters one is optimizing over is independent of dimension -equal to the number of constraints, which in this case is 3.This is in sharp contrast to the primal problem in (7), where the number of parameters is d 4 , which would be 10000 for d = 10.
Example: n MUBs.A simple generalization of the above protocols is to consider a set of n MUBs in dimension d.For example, in prime power dimensions there exist explicit constructions for sets of n MUBs with 2 n d + 1 [35].Consider a protocol where we fix the set of n MUBs, and in each round, Alice and Bob each measure their d dimensional system in one basis chosen from this set.For general n the symmetry group is not known for this protocol [8], so one can consider it an unstructured protocol.Indeed, only for the special cases n = 2 and n = d + 1 do we have analytical formulas for the key rate [8].Nevertheless it is straightforward to apply our numerics to this protocol for any n.Our results are shown in Fig. 4 for d = 5.To obtain these curves The key rate is plotted for various n ∈ {2, 3, 4, 5, 6} and for dA = dB = 5.This is an unstructured protocol, since for intermediate values of n the symmetry group and hence the key rate is unknown.However, our numerics provides the dependence of key rate on error rate for any n, as shown.
The inset shows the error tolerance -the smallest error rate that makes the key rate vanish -as a function of n.Note that the largest jump in the error tolerance occurs from n = 2 to n = 3.
we only need three constraints, which are analogous to ( 29)- (31), but generalized such that E XY is replaced by the average error rate in all n − 1 bases, excluding the basis used for key generation (the Z basis).Interestingly, Fig. 4 shows that just adding one basis, going from n = 2 to n = 3, gives a large jump in the key rate, whereas there are diminishing returns as one adds more bases.This can be seen in the inset of Fig. 4, which plots the error tolerance (i.e., the value of Q for which the key rate goes to zero) as a function of n.We have seen similar behavior for other d besides d = 5.After completion of this work, an analytical formula for n = 3 was discovered [36], and we have verified that it agrees perfectly with our numerics.
In Supplementary Note 3, we analytically prove the following.
Proposition 2: Our numerical results are perfectly tight for the protocols discussed in Figs. 1, 3, and 4. That is, for these protocols, our optimization exactly reproduces the primal optimization (7).
Note that this observation implies that key rate for protocols involving n MUBs (as in Fig. 4) is now known; namely it is given by our numerical optimization.
Example: Arbitrary angle between bases.While MUBs are a special case, our approach can handle arbitrary angles between the different measurements or signal states.For example, we consider a simple qubit protocol [37] where Alice and Bob each measure either the Z or W basis, where W is rotated by an angle θ away from Here Z is the standard basis and the W basis is rotated by an angle θ away from the X basis.The key rate versus θ is shown with the error rate set to Q = 0.01.Our numerics give a hierarchy of four lower bounds on the key rate, corresponding to adding in additional constraints from ( 33)- (37).All of our bounds are tighter than the bound obtained from the entropic uncertainty principle.The plot indicates that the uncertainty principle gives a dramatically pessimistic key rate, much lower than the true key rate of the protocol.
the ideal X basis.This protocol provides the opportunity to compare our numerical approach to an analytical approach based on the entropic uncertainty principle, introduced in Refs.[22,23].This is the state-of-the-art method for lower bounding the key rate.So for comparison, Fig. 5 plots the bound obtained from the entropic uncertainty principle for bases Z and W .We apply our numerical approach with the constraints: where σ Z and σ W are the Pauli operators associated with the Z and W bases. Fig. 5 plots a hierarchy of lower bounds obtained from gradually adding in more of the constraints in ( 33)- (37).As the plot shows, we already beat the entropic uncertainty principle with only the first two constraints.Furthermore, adding in all these constraints gives a dramatically higher bound, showing the uncertainty principle gives highly pessimistic key rates for this protocol.From an experimental perspective, Fig. 5 is reassuring, in that small variations in θ away from the ideal BB84 protocol (θ = 0) have essentially no effect on the key rate.Fig. 5 also highlights the fact that our approach allows us to systematically study the effect on the key rate of Alice and Bob using more or less of their data.In this example, we see that it is useful to keep data that one will usually discard in the sifting step of the protocol.
Example: B92.Next we consider the B92 protocol [19], which is a simple, practical, unstructured protocol.It nicely illustrates our framework because it is inherently a prepare-and-measure protocol and it involves post-selection.In the protocol, Alice sends one of two non-orthogonal states {|φ 0 , |φ 1 } to Bob.Since the Bloch-sphere angle θ between the two states is arbitrary, with φ 0 |φ 1 = cos(θ/2), the protocol is unstructured.Bob randomly (with equal probability) measures either in basis B 0 = {|φ 0 , |φ 0 } or basis B 1 = {|φ 1 , |φ 1 }, where φ 0 |φ 0 = φ 1 |φ 1 = 0.If Bob gets outcome |φ 0 or |φ 1 , then he publicly announces "pass", and he assigns a bit value of 1 or 0, respectively, to his key.Otherwise, Bob announces "fail" and they discard the round.A detailed description of the constraints we employed for B92 can be found in Supplementary Note 4. Our numerical results are shown in Fig. 6.Fig. 6 shows that the optimal angle for maximizing key rate depends on the depolarizing noise p, although small deviations ±5 • from the optimal angle do not affect the key rate much.
Our results give higher key rates for B92 than Refs.
[20] and [21], which respectively predicted positive key rates for p 0.034 and p 0.048, while we predict it for p 0.053.On the other hand, Ref. [38] directly solved the primal problem (7) for B92 by brute-force numerics, and achieves positive key rate for p 0.065.We have verified that the gap between our results and those of Ref. [38] is due to the looseness of our usage of the Golden-Thompson inequality (see Eq. ( 60) in the Methods section).However, Ref. [38] only showed a plot for p 0.046, noting that the numerical optimization for the primal problem did not converge for smaller p values.This highlights a benefit of going to the dual prob-lem, in that we have no trouble with obtaining the full dependence on p.

DISCUSSION
In conclusion, we address one of the main outstanding problems in QKD theory: how to calculate key rates for arbitrary protocols.Our main result is a numerical method for lower-bounding key rates that is both efficient and reliable.It is reliable in the sense that, by reformulating the problem as a maximization, every solution that one's computer outputs is an achievable key rate.It is efficient in the sense that we have reduced the number of parameters in the optimization problem from B down to the number of experimental constraints, which in some cases is independent of dimension.
The motivation for our work is two-fold.First, experimental imperfections tend to break symmetries, so theoretical techniques that exploit symmetries do not apply.Hence there is no general method currently available for calculating the effect of imperfections on the key rate.Second, it is interesting to ask whether protocols that are intentionally designed to lack symmetry might outperform the well-known symmetric protocols.Such a question cannot be posed without a method for calculating key rates for unstructured protocols.Just to give an example where the key rate is currently unknown, we plan to apply our approach to protocols where a small, discrete set of coherent states are the signal states and information is encoded in the phase [39].
We envision that our method could be a standard tool for QKD researchers.In future work we hope to extend our approach to the finite-key scenario.Indeed, the optimization problem we solve is closely related to one appearing in finite-key analysis [24].

METHODS
Outline.Here we prove our main result, Theorem 1.Our proof relies on several technical tools.First is the notion of the duality of optimization, i.e., transforming the primal problem to its dual problem.Second, we employ several entropic identities to simplify the dual problem.Third, we use a recent, important result from Ref. [40] that solves a relative entropy optimization problem.
For readability, we prove Theorem 1 here for the special case where the key-map POVM Z A = {Z j A } is a projective measurement, i.e., where the Z j A are projectors (of arbitrary rank).We postpone the proof for arbitrary POVMs to Supplementary Note 5.
The primal problem.First we rewrite (7) as: noting that the second term in (38), H(Z A |Z B ), will be determined experimentally and hence can be pulled out of the optimization.We remark that, simply for illustration purposes we used Fano's inequality to upper-bound H(Z A |Z B ) in our figures; however, in practice H(Z A |Z B ) would be directly calculated from the data.Since we only need to optimize the first term, we redefine the primal problem as and note that we can take E to be a purifying system of ρ AB , since that gives Eve the most information.Next we use a result for tripartite pure states ρ ABE = |ψ ψ| ABE from Refs.[41,42] that relates the conditional entropy to the relative entropy: where the relative entropy is defined by We remark that the joint convexity of the relative entropy implies that the right-hand side of ( 40) is a convex function of ρ AB .(See [43] for an alternative proof of convexity.)Because of this, and the fact that the constraints in ( 5) are linear functions of ρ AB , ( 39) is a convex optimization problem [16].
It is interesting to point out the connection to coherence [44].For some set of orthogonal projectors Π = {Π j } that decompose the identity, j Π j = 1 1, the coherence (sometimes called relative entropy of coherence) of state ρ is defined as [44]: Rewriting the primal problem in terms of coherence gives Hence we make the connection that calculating the secret key rate is related to optimizing the coherence.This observation is important since the coherence is a continuous function of ρ (see Supplementary Note 6).This allows us to argue in Supplementary Note 6 that our optimization problem satisfies the strong duality criterion [16], which means that the solution of the dual problem is precisely equal to that of primal problem.
The dual problem.Now we transform to the dual problem.Due to a pesky factor of ln(2), it is useful to rescale the primal problem as follows: where, henceforth, we generally use the notation M := M ln(2), for any quantity M .The dual problem [16] of ( 44) is given by the following unconstrained optimization: where P is the set of positive semidefinite operators: Here the Lagrangian is given by where the λ = {λ i } are Lagrange multipliers.Strong duality implies that In what follows, we go through several steps to simplify the dual problem.It helps to first state the following lemma.
Lemma 3: [42,45] For any ρ and Π = {Π j }, the coherence can be rewritten as where D is the set of density operators.Hence we have where we define the quantum channel Z A whose action on an operator O is given by Next, we interchange the two minimizations in ( 45) where Ref. [40] solved a relative entropy optimization problem, a special case of which is our problem: From [40], the unique solution of (54) is Inserting (55) into (53) gives the optimal value: In summary the dual problem becomes with A lower bound.We can obtain a simple lower bound on η( λ) as follows.The Golden-Thompson inequality states that Applying this inequality gives: where R( λ) = exp −1 1− λ• Γ was defined in (10).Next, note that Hence, we arrive at our final result where the right-hand side is denoted as Θ in Theorem 1.
SUPPLEMENTARY NOTE 1: MDI QKD In the Results section, we outlined our framework for handling MDI QKD protocols.Here we elaborate on this framework, and we also give more details on the example calculation shown in Fig. 2.

Framework for MDI QKD (continued)
Our framework considers the tripartite state ρ ABM , where A and B are respectively the systems held by Alice and Bob in the source-replacement scheme, and M is the classical register that stores the outcome of the measurement performed by the untrusted node.Let us elaborate on the origin of ρ ABM .Recall that, in the source-replacement scheme, Alice prepares a bipartite entangled state of the form and in the MDI scenario, Bob prepares a similar state Hence, the initial state (prior to the action of Eve) is For notational convenience, it is helpful to permute the order of the subsystems, as follows where F is the quantum channel that switches the ordering of subsystems A and B. Now note that Eve only has access to A B and not AB.Likewise the untrusted node performs a measurement only on A B , while A and B remain respectively in Alice's and Bob's laboratories.We combine the action of Eve together with the action of the untrusted measurement, and model it as a single quantum channel E that maps A B → M , where M is a classical register.That is, we obtain the state where I AB is the identity channel on AB.We apply our numerical approach to the state ρ ABM in Supplementary Eq. ( 69).The beauty of the MDI protocol is that we do not need to consider the process of how we arrived at the state ρ ABM , i.e., we do not need to discuss the details of the channel E. We only need to specify the experimental constraints on ρ ABM , which we stated in the Results section (although we repeat them here for convenience), In addition, we also enforce constraints that fix the form of the marginal ρ AB , which has the form One could also add constraints that enforce that M is a classical system.However, we choose not to do this for the following reason.The worst-case scenario, i.e., the scenario that gives Eve the most information, corresponds to M being classical, and hence the key rate is not improved by enforcing the classicality of M .We state this in the following lemma.
Lemma 4: Let {|m } be the standard basis for system M , and let M be the quantum channel that diagonalizes (i.e., decoheres) system M in this basis.That is, M(O) = m |m m|O|m m| for any operator O. Consider a set of constraints C on ρ ABM and let C denote the set of density operators ρ ABM that satisfy C. Suppose that the constraints C do not preclude M from being decohered in the standard basis, i.e., if ρ ABM ∈ C, then (I AB ⊗ M)(ρ ABM ) ∈ C. Define the set In other words, C M ⊆ C is the set of states in C that are diagonal in the standard basis on M .Then, Eve's ignorance about Alice's key is the same regardless of whether we impose that M is decohered in the standard basis, i.e., min Proof.For notational simplicity we drop the subscript A from Z A in what follows.Since C M ⊆ C, then we obviously have so we just need to show the inequality in the opposite direction.In particular we will show that for each state in C there is a corresponding state in C M where Eve's ignorance is lower.Let ρ ABM ∈ C, then Let E and Ẽ be purifying systems for ρ ABM and ρABM , respectively.Then the states are pure states.Here, V is an isometry that maps A → ZZ A, defined by where the set {Z j A } forms a POVM (Alice's key-map POVM).Let us take a moment to clarify the meaning of the conditional entropy H(Z|E).Note that, by convention, when we casually refer to H(Z|E) for the state ρ ABM E , we precisely mean the conditional von Neumann entropy of the state σ ZZ ABM E , which we denote H(Z|E) σ .Typically one refers to σ ZZ ABM E as the post-measurement state associated with a given (pre-measurement) state ρ ABM E .Likewise H(Z| Ẽ) for the state ρABM Ẽ actually refers to the conditional von Neumann entropy of σZZ ABM Ẽ denoted by H(Z| Ẽ) σ .
The duality [46] of the von Neumann entropy says that H(A|B) τ = −H(A|C) τ for any tripartite pure state τ ABC .Applying this duality relation to the pure state σ ZZ ABM E gives where the inequality is due to the data-processing inequality, i.e., acting with channel M on M can never reduce the entropy.Hence we have shown that Eve's ignorance for the state ρABM Ẽ is not larger than her ignorance for the state ρ ABM E , which is the desired result.
Example: MDI QKD with BB84 states Here we elaborate on how we obtain the data in Fig. 2. To obtain this data, we consider the most common MDI protocol, where Alice and Bob each prepare and send the BB84 signal states {|0 , |1 , |+ , |− } with probabilities p z /2 and (1 − p z )/2 respectively for the Zand X-basis states.For simplicity we consider a protocol that does not do sifting and distills key out of both the Zand X-bases.This corresponds to choosing the key map as Key-map POVM: where Alice's source-replacement state from Eq. ( 12) is To obtain large key rates we employ biased basis choices [34], i.e., p z = 1 − with 0 < 1.As noted above, we impose the correlation constraints in Supplementary Eq. (70) as well as constraints that fix the form of the marginals ρ A and ρ B , Supplementary Eq. (71).It is encouraging that our numerics reproduce the known theoretical curve [32], as shown in Fig. 2. trace constraints Tr(ρ AB Ω n ) = ω n for each n.Then the primal problem is: where To apply our standard optimization algorithm, we need to optimize over a set of all positive semidefinite operators in a Hilbert space.Since G is a CP map, G(P AB ) ⊆ G(H AB ) + , where G(H AB ) + is the set of positive semidefinite operators in G(H AB ).The inclusion need not be with equality, so we have the inequality: where C is the set of ρAB ∈ G(H AB ) + such that Tr(ρ AB Ω n ) = ω n for each n, or equivalently, the set of ρAB ∈ PAB such that Tr(ρ AB Ω n ) = ω n for each n and Tr(ρ AB Λ ) = 0 for each .With the reformulation of the optimization problem in Supplementary Eq. ( 92), we have (at the expense of introducing an inequality) recast the optimization with post-selection into the usual form treated in the Methods section.However, note that when G has an inverse G −1 that is CP, Supplementary Eq. ( 92) is satisfied with equality.This follows from the fact that G(P AB ) = G(H AB ) + in this case.This special case was discussed in the Results section.Furthermore, we note that the B92 protocol (see Supplementary Note 4) involves a post-selection map that has a CP inverse.So for that protocol, the step in Supplementary Eq. ( 92) does not introduce any looseness.

SUPPLEMENTARY NOTE 3: TIGHTNESS FOR PROTOCOLS WITH MUBS
Here we analytically prove Prop. 2. This states that our numerical approach is perfectly tight for the entanglementbased protocols involving MUBs discussed in the main text.
First we note that the only potential source of looseness in our bound is our usage in Eq. (60) of the Golden-Thompson (GT) inequality Eq. (59).The question, then, is under what conditions is Eq.(60) saturated.

A general lemma
We begin by stating a general lemma, which gives a sufficient set of criteria that guarantee our method is tight.Note that these sufficient criteria might not be necessary for tightness.
Lemma 5: The GT inequality invoked in Eq. (60) is saturated, and hence our method tight, for a QKD protocol satisfying the following two conditions: Proof.In general, the GT inequality Eq. (59) is satisfied with equality if and only if the two operators commute.In our case, the saturation of the GT inequality is equivalent to the vanishing of the following commutator where Q( λ) := −1 1 − λ • Γ, and where σ * AB is a maximal eigenvector of i.e., an eigenvector of T whose eigenvalue is the largest.In general σ * AB is not uniquely defined if the maximal eigenvalue is degenerate.However, this issue does not affect the proof below.This is because, for tightness, we only need the GT inequality to be saturated for one particular σ * AB , i.e., one particular σ AB that achieves the optimization in Eq. (63).
As Z A (σ * AB ) is positive semidefinite, it can be shown that the vanishing of Supplementary Eq. ( 93), and thus the saturation of the GT inequality, is equivalent to the vanishing of This follows from the fact that ln Z A (σ * AB ) and Z A (σ * AB ) = exp(ln Z A (σ * AB )) are diagonal in the same basis.Now suppose that conditions (a) and (b) are satisfied.It follows from (a) that the measurement operators {Γ i } can be simultaneously diagonalized in an orthonormal eigenbasis {|e k }.The operators Q( λ) and R( λ) = exp(Q( λ)) are also diagonal in such a basis.
From condition (b), we note that Z A maps an eigenstate |e k e k | to a linear combination of |e e | terms.Let the coefficients of that combination be b k and let the eigenvalues of R( λ) be a k .Then T is also diagonalizable in the {|e k } eigenbasis since Since σ * AB is a maximal eigenvector of T , and T is diagonal in the {|e k } basis, then let us choose σ * AB = |e m e m | to correspond to a state |e m from this basis.While T may have more than one eigenbasis, we remark that we have the freedom to choose σ * AB from the {|e k } basis, since (as noted above) we only need the GT inequality to be saturated for a particular choice of σ * AB .We find that Supplementary Eq. (95) vanishes: and thus the GT inequality is saturated if conditions (a) and (b) are satisfied.

Specific protocols
We now show that conditions (a) and (b) in Supplementary Lemma 5 are satisfied for the protocols involving MUBs in the main text.
First we define some notation.The generalized Pauli operators in dimension d are with ω = e 2πi/d .From these operators one can construct the Bell basis states {|φ q,r }, i.e., a set of d 2 orthonormal states of the form where Our proof of tightness will proceed by showing that the Γ i operators of interest are all diagonal in the Bell basis (Supplementary Eq. ( 100)), and furthermore that the Bell basis satisfies condition (b) in Supplementary Lemma 5. Let us first show the latter, since it will be used repeatedly below.
Lemma 6: The Bell basis {|φ q,r } satisfies condition (b) in Supplementary Lemma 5.That is, φ ,m |Z A (|φ q,r φ q,r |)|φ ,m = 0, ∀( , m) = ( , m ) and ∀(q, r) . (102) Proof.In all the protocols under consideration, is taken to be the standard basis on system A. Hence we can rewrite the action of the channel Z A on some operator O as for some operator O, where T is the transpose in the standard basis.Hence we have Finally, using the definition in Supplementary Eq. (100), we have Clearly Supplementary Eq. ( 112) is diagonal in the Bell basis, proving the desired result.
Therefore, in the specific protocols considered below, we only need to show that the {Γ i } operators are diagonal in the Bell basis, to prove tightness of our method.
where Supplementary Eq. (120) used the relation Clearly the final expression for C X is diagonal in the Bell basis.This proves that our numerical approach is tight for the protocol discussed in Fig. 3 of the main text.

Six-state protocol
The six-state protocol (see Fig. 1) is a qubit protocol involving the operators {Γ i } = {1 1, E Z , E X + E Y }.We already showed that E Z and E X are diagonal in the Bell basis, so we just need to do the same for E Y .Note that we can write E Y = ( 1 (124) Hence our method is tight for the six-state protocol.
n MUBs The protocol considered in Fig. 4 involved n MUBs in d = 5.These MUBs were chosen based on a construction in Ref. [35].Namely, in prime dimension, the eigenvectors of the operators σ Z , σ X , σ X σ Z , ..., σ X σ d−1 Z (125) form a set of d + 1 MUBs.In Fig. 4, we considered a subset of size n of the MUBs in Supplementary Eq. (125).
The measurement operators are: where E XZ k denotes the error operator for the basis associated with σ X σ k Z .We already showed above that E Z and E X are diagonal in the Bell basis, so it remains to show this for E XZ , ..., E XZ n−2 .Again let us use the notation where H k is the Hadamard (unitary) matrix that rotates the standard basis to the eigenbasis of σ X σ k Z , and H * k denotes its conjugate in the standard basis.
Consider the case where d is an odd prime.Note that the only even prime is d = 2 which we already covered above.We restrict to odd primes here, since the following construction applies to them where s j := (d − j)(d + j − 1)/2.Proceeding similarly to Supplementary Eq. ( 116), we write which is diagonal in the Bell basis.In Supplementary Eq. ( 133), we used and noted that the phase factor ω −kr(r+1)/2 disappears when multiplied by its conjugate.

FIG. 2 :
FIG.2: Key rate for MDI QKD with the BB84 signal states.The inset shows the basic idea of MDI QKD: Alice and Bob each prepare a signal state and send it to an untrusted node, which performs an (untrusted) Bell-basis measurement and announces the outcome.Our numerics (circular dots) essentially reproduce the known theoretical dependence of the key rate on the error rate (dashed curve), which is the same expression as that given in(20).See Supplementary Note 1 for elaboration.

FIG. 3 :
FIG.3: Higher dimensional analog of BB84, using two MUBs.This plot shows the theoretical key rate as solid curves, and the result of our numerical optimization as circular dots, for dA = dB = d, with d = 6 (blue), d = 8 (red), and d = 10 (black).Again, the dots should be viewed as reliable lower bounds, but in this case they are perfectly tight.

FIG. 4 :
FIG. 4: Protocol where Alice and Bob each use n MUBs.The key rate is plotted for various n ∈ {2, 3, 4, 5, 6} and for dA = dB = 5.This is an unstructured protocol, since for intermediate values of n the symmetry group and hence the key rate is unknown.However, our numerics provides the dependence of key rate on error rate for any n, as shown.The inset shows the error tolerance -the smallest error rate that makes the key rate vanish -as a function of n.Note that the largest jump in the error tolerance occurs from n = 2 to n = 3.

FIG. 5 :
FIG.5: Protocol where Alice and Bob each measure Z or W .Here Z is the standard basis and the W basis is rotated by an angle θ away from the X basis.The key rate versus θ is shown with the error rate set to Q = 0.01.Our numerics give a hierarchy of four lower bounds on the key rate, corresponding to adding in additional constraints from (33)-(37).All of our bounds are tighter than the bound obtained from the entropic uncertainty principle.The plot indicates that the uncertainty principle gives a dramatically pessimistic key rate, much lower than the true key rate of the protocol.

FIG. 6 :
FIG.6:The B92 protocol.The key rate (in bits per photon sent by Ailce) is plotted versus the Bloch-sphere angle between the two signal states.Curves are shown for various values of the depolarizing probability p.
b) e |Z A (|e k e k |)|e = 0 for = and ∀k in a common eigenbasis {|e k } of all {Γ i }.