Characterising the correlations of prepare-and-measure quantum networks

Prepare-and-measure (P&M) quantum networks are the basic building blocks of quantum communication and cryptography. These networks crucially rely on non-orthogonal quantum encodings to distribute quantum correlations, thus enabling superior communication rates and information-theoretic security. Here, we present a computational toolbox that can efficiently characterise the set of input–output probability distributions for any discrete-variable P&M quantum network, assuming only the inner-product information of the quantum encodings. Our toolbox is thus highly versatile and can be used to analyse a wide range of quantum network protocols, including those that employ infinite-dimensional quantum code states. To demonstrate the feasibility and efficacy of our toolbox, we use it to solve open problems in multipartite quantum distributed computing and quantum cryptography. Taken together, these findings suggest that our method may have implications for quantum network information theory and the development of new quantum technologies.


Introduction.
Quantum correlations [1][2][3] (namely, entanglement, nonlocality, steering correlations, etc) are essential resources in quantum information processing.In short, they are the reason why we see such unique advantages in quantum communication, cryptography, computing, and imaging.The general observation is that the stronger these correlations are, the more powerful quantum information becomes.This is especially the case for quantum communication [4] and quantum cryptography [5], where stronger entanglement means higher quantum fidelity and stronger information security.For this reason, the characterisation of quantum correlations is an integral step in many quantum information protocols and a central research topic in quantum information science.
In this work, we are interested in characterising the correlations of prepare-and-measure (P&M) quantum networks.These are the basic building blocks of quantum communication and quantum cryptography.The central task of a P&M quantum network is to send a classical message z over a quantum network to a group of receivers.This message could be anything, e.g., a secret key, elements of a database, or a signed certificate-it depends on the function of the protocol.Quantum encoding is done by preparing a quantum signal in one of the n predefined pure states, {|ψ z } n z=1 (determined by the input z), and decoding is accomplished by making a measurement (sampled from a finite set of decoding settings) on the output quantum signal.For a generic P&M quantum network with k spatially separated receivers, we write p(a 1 a 2 . . .a m |x 1 x 2 . . .x k , z) to denote the probability of obtaining outcomes a 1 a 2 . . .a k given decoding functions x 1 x 2 . . .x k and message z.We further use p to denote the entire list of input-output probability distributions.
Our broad goal is to reveal the fundamental limits of P&M quantum networks without restrictions on the network and local decoding strategies.In particular, we are interested in identifying the set of quantum-realisable correlations p (henceforth called the quantum set) using only the knowledge of the quantum encoding scheme {|ψ z } z as the constraining factor.This type of approach is extremely useful for analysing the performance of quantum communication and quantum cryptography.For instance, one can use the quantum set to derive lower bounds on the quantum network's error probabilities [6][7][8].These bounds essentially tell us what the quantum encoding {|ψ z } z could achieve in practice, be it for quantum cryptography, communication, or distributed computing purposes, as we shall show later.
Also, from the perspective of quantum information theory, this approach draws a direct connection between the distinguishability of quantum states and quantum correlations.More concretely, we first note that if the quantum encoding {|ψ z } z is completely orthogonal, i.e., ψ z |ψ z = δ zz , then p is generally 'unconstrained'.That is, such encodings are classical states and hence can be arbitrarily copied-as such, there are no physical principles that constrain what the input-output probability distribution could be (except for the usual normalisation requirements).The interesting part comes when the encoding {|ψ z } z is non-orthogonal.In this case, there are two unique consequences.Firstly, it is generally impossible for every receiver to learn the same information about z.This is due to the fact that one cannot clone non-orthogonal states [9], and consequently, there is a global trade-off between the amount of accessible information that each receiver can receive [10,11].Secondly, no receiver can completely learn z even if he or she has received |ψ z with perfect fidelity.This is because non-orthogonal states are fundamentally indistinguishable: there is no measurement that can discriminate them with perfect reliability [12].Consequently, probability assignments like p(a = z|x) = 1 are forbidden.
Results.To tackle the above characterisation problem, we propose a general computational method that is able to approximate (from the outside) the quantum set of any P&M quantum network.The approximation is based on a hierarchy of semidefinite relaxations, which is a generalisation and novel application of earlier research in quantum nonlocality [2,[15][16][17][18][19][20].A key feature of our method is that it is semi-device-independent (SDI) [21][22][23][24][25][26][27].That is, the analysis provided is independent of how the network and measurements are implemented (as required above).The method only requires that the quantum encoding {|ψ z } z is characterised in terms of its Gram matrix, i.e., ψ z |ψ z = λ zz , which in practice can be easily obtained by taking the inner products of the quantum code states (i.e., using their specifications).
The main advantage with this approach is that the dimension of the encoding system is no longer necessary in the analysis: using the Gram matrix information alone is enough to characterise the quantum set.In this sense, our approach is more practical than the standard SDI approach, which assumes the dimension of the quantum encoding system [21][22][23][24]; notice that physical dimension is generally difficult to fix in practice as actual systems have multiple degrees of freedom.We remark that alternative SDI approaches based on bounded energy constraints [26] and the transmission of non-orthogonal binary states [27] have also been proposed.These have similar advantages as our approach, but present analyses using these approaches are so far limited to binary code states.It remains to be seen if these can be readily generalised to multiple code states, schemes which are often used in quantum technologies.In the following, we show that our method can be used to efficiently analyse any practical quantum communication protocol [28], including those that use multiple infinite-dimensional code states.
To keep our presentation concise, we restrict the discussion to two-receiver P&M quantum networks (see Figure 1); extension to larger networks is straightforward.Consider a prepare-and-measure quantum task, where random code states are sent across a network to two independent receivers, called Alice and Bob, for measurement.For simplicity, we divide the task into two phases: a distribution phase and a measurement phase.In the first phase, a classical random source z is encoded into a quantum system |ψ z and distributed to Alice and Bob via an untrusted quantum network.For this type of transmission, it is useful to work in the purification picture, where state transformations are given by unitary evolutions [29].That is, by working in a higherdimensional Hilbert space, we may see the transmission as an isometric evolution that takes |ψ z to some pure output state |φ z , which is now shared between the re-ceivers and the network environment (the purification system).The key advantage of this picture is that while the dimension and possibly other properties of |ψ z may change after the transmission, the inner-product information of {|φ z } z remains the same: φ z |φ z = ψ z |ψ z .Importantly, this means that our initial knowledge about ψ z |ψ z = λ zz is preserved in the transformed states.
In the measurement phase, Alice and Bob perform independent and random measurements on |φ z to gain information about z.Since there are only two receivers here, we revert back to the usual convention and denote Alice's and Bob's measurements by x and y and their corresponding measurement outcomes by a and b, respectively.Then, using the quantum Born rule, we have that the probability of observing outcomes a, b given measurements x, y and |φ z is where {E a x } and {E b y } are projective measurements satisfying the following properties: and (iv ) [E a x , E b y ] = 0. We note that there is no loss of generality in assuming projective measurements here.Indeed, we can always lift any measurement to a projective one by working in a higher-dimensional Hilbert space; in our case this is possible since the dimension of the network is not fixed.The last property reflects the fact that Alice's and Bob's measurements are separable and hence the application of one has no effect on the outcome of the other.
Our characterisation problem is thus the following: Given an n × n Hermitian positive-semidefinite matrix λ, what is the corresponding quantum set p? We denote this set by Q(λ).In principle, solving this problem would require optimising over all possible quantum states and measurements in equation ( 1) subject to the constraints φ z |φ z = λ zz .However, this task is computationally intractable: the dimension of the network is not fixed and thus could be infinite.To overcome this obstacle, we take inspiration from the characterisation techniques [16][17][18][19][20] developed in Bell nonlocality research [2,15], which is a special case of our problem.Recall that in a Bell experiment, local random measurements are made on a fixed source |φ instead of a varying source |φ z .Notably, it was shown in refs [19,20] that the set of quantum probabilities derived from Bell experiments can be approximated via a hierarchy of membership tests.There, the basic idea is to bound the quantum set using a sequence of weaker (but tractable) characterisation tasks, which nevertheless still represent very well the original problem.
In this work, we show that a similar characterisation technique can also be devised for the general problem.More specifically, we give a general procedure for deriving (tractable) necessary conditions for any discrete-variable P&M quantum network.To start with, consider a quantum probability distribution p(ab|xy, z which expresses the probability of z transiting to outcomes a, b given measurement inputs x, y.In the quantum setting, the set of conditional probabilities are given by p(ab|xy, z) = φz|E a x E b y |φz , with the constraint that φz|φ z = λ zz is fixed.Our consideration hence assumes three conditions: (1) the set of code states are pure states, (2) the Gram matrix of these states is known, and (3) the receivers are independent of each other (they do not share any quantum resources, although classical randomness is allowed).
where φ z |φ z = λ zz , and with {E a x , E b y } a,x,b,y satisfying properties (i )-(iv ).Let S = {S 1 , . . ., S m } be a finite set of m operators, where each element is a linear combination of products of {E a x , E b y } a,x,b,y .Then define G to be the nm × nm block matrix Here we denote by {|e z } n z=1 the standard orthonormal basis of C n and by G zz (i,j) the ij-entry of the matrix G zz .By construction, the matrix G is Hermitian and positivesemidefinite (PSD) [30].Furthermore, properties (i )-(iv ) of the measurement operators and the inner-product constraints φ z |φ z = λ zz translate to linear conditions on the entries of G. To see this, we note that if the set S contains operators {E a x } a,x and {E b y } b,y , then it can be easily verified that G satisfies Therefore, for any discretely modulated P&M quantum network, it is always possible to define a PSD matrix that captures the original quantum model (1) in terms of constraints that are linear in its entries.Importantly, the existence of such a matrix provides us with a powerful means to check if a given p is of quantum origin.More specifically, we can use semidefinite programming (SDP) techniques [31] to verify if p is in the set of compatible PSD matrices: if p is not a member, we conclude that it is not quantum realisable.However, successful membership does not necessarily mean p is of quantum origin.This is due to the fact that our characterisation method is a semidefinite relaxation [32] of the original problem and hence can only provide an outer-approximation of Q(λ).
However, by introducing additional linear constraints via a hierarchical procedure, it is possible to gain a tighter characterisation of Q(λ).In particular, we could use the hierarchy proposed in refs.[19,20] to build a series of increasingly stringent membership tests, where the associated Gram matrix G grows bigger in each step and more constraints are generated.More precisely, we define a sequence of hierarchical sets , where S k is defined inductively as the set of all operator sequences constructed from E a x , E b y satisfying S k ⊆ S k+1 .This corresponds to a sequence of Gram matrices, G 1 , G 2 , . . .with increasing size and constraints.Since the Gram matrix G k of a particular kth step is at least as informative as a smaller sized Gram matrix G k , we conclude that the approximated set Q(λ) k is a subset of Q(λ) k .Therefore, moving up the hierarchy gives a tighter approximation of the quantum set: . .. In Appendix A, we prove that this hierarchy is in fact sufficient: it converges to the quantum set, lim k→∞ Q(λ) k = Q(λ).Nevertheless, in the applications below, we see that lowlevel approximations are already enough to achieve very tight bounds.
Applications.Our method can be applied to any quantum communication task that employs the prepare-andmeasure scheme.To illustrate this point, we provide two examples of application: (1) distributed quantum random access coding (QRAC) [33,34] and (2) quantum key distribution (QKD) [35,36].
In the first, we consider a distributed computing task where two random bits z 0 z 1 are encoded into a quantum state |ψ z0z1 and sent to Alice and Bob for selective decoding.For the decoding part, Alice and Bob are each given a random position bit and their goal is to guess the input bit that is associated with the position bit.For example, if Alice receives x = 1, she has to guess the value of z 1 via measurement on her share of |ψ z0z1 .This task can be seen as a type of distributed quantum database, where network users can choose to learn any entry of the database; this includes the case whereby multiple users can choose to learn the same entry.To this end, we quantify the network's ability to distribute information by Alice's and Bob's guessing probabilities, which we denote by p(a = z x ) and p(b = z y ), respectively.
At this point, it is useful to recall that if |ψ z0z1 is a two-level quantum system (i.e., a qubit), then the best encoding strategy (in the case of the standard twoparty QRAC) is to use the so-called conjugate coding scheme [37]: √ 2 /2 ≈ 0.853 [33,34], which is optimal for qubit code states.Interestingly, using our method, we find that similar bounds can be established using only the Gram matrix information of the code states.In particular, we consider a set of code states {|ψ 00 , |ψ 11 , |ψ 10 , |ψ 01 }, whose Gram matrix is fixed to that of {|+ , |− , |+i , |−i }, and ask what is Alice's optimal guessing probability given Bob's guessing probability is fixed.Our method predicts the following quantum boundary: (2p(a = z x ) − 1) 2 + (2p(b = z y ) − 1) 2 ≤ 1/2, which is drawn in Figure 2. The semidefinite program for this optimisation is provided in Appendix B.
Three remarks are in order here.Firstly, we see that the boundary (obtained from Q(λ) 1 ) gives the same upper bound as ref.[33] when one of the receivers is restricted to random guessing.This can be seen as the case in which one party receives |ψ z0z1 with perfect fidelity and the other party receives a dummy state.Secondly, the boundary specifies a non-trivial trade-off function between Alice's and Bob's guessing probabilities, which is independent of their measurement strategies.This implies that the bound is absolute and cannot be improved upon with better measurement strategies, even if Alice and Bob are allowed to use shared randomness.Thirdly, although our method can only provide an outerapproximation of the quantum set, it turns out that the first level of the hierarchy is already tight.More specifically, there is a concrete example which saturates the boundary predicted by Q(λ) 1 ; see Figure 2 for more details.This example is given by the optimal asymmetric qubit cloning machine [38], which optimally splits the qubit information between multiple parties (according to some predefined ratio); this is indeed a natural choice as the goal of the network is to preserve as much quantum information as possible for each party while splitting it.
In the second application, we prove the security of coherent-state QKD.Here, one of the receivers (Alice) is the eavesdropper (renamed to Eve) and her goal is to eavesdrop on the quantum channel connecting the transmitter and the other receiver (Bob).For concreteness, For the decoding, we assume that Alice and Bob perform the optimal QRAC qubit measurements: we first consider a phase encoded coherent-state QKD protocol [39], which uses the encoding scheme |ψ z0z1 : Correspondingly on Bob's side, we have that he uses measurement y = 0 for key recovery and measurement y = 1 for estimating the channel noise; we write ε 0 and ε 1 to denote the error probabilities observed in the key basis and the test basis, respectively.In this case, the sifting rate of the protocol tends to 1 (in the limit of infinite keys) when the probability of choosing the key basis goes to 1 [35].
In Appendix C, we show that the expected secret key rate (per signal sent) is where ε ph is the so-called phase error rate of the key basis [41], p det is the probability of detection, and h 2 (•) is the binary entropy function.The quantity of interest here is ε ph , which is maximised assuming fixed system FIG.3. Phase encoded coherent-state QKD We compare our secret key rate against the one given in ref. [40].For the key rate simulation, we assume a detector dark count rate of p dc = 10 −7 and an intrinsic optical error rate of 2%.For a given channel loss 1 − η, the probability of detecting a signal is p det = 1 − (1 − p dc ) 2 exp(−2ηµ) and the error probability is ε = (p dc + (1 − exp (−2µη))0.02)/pdet .Using these, we maximise the expected secret key rate (2).More precisely, we perform two optimisations.First, for a given µ we maximise the phase error rate over Q(λ) 2 subject to the above constraints.This gives us a lower bound on the achievable secret key rate.Then, we optimise the secret key rate over µ.This gives us an estimate of the optimal secret key rate.Comparing to the secret key rate of ref. [40] (red line), we see that our method predicts a higher secret key rate (blue line) for any loss point.For further comparison, we also plotted the collective beam-splitting attack bound [42] (the top curve: black dashed line), which serves as an upper-bound on the achievable secret key rate; note that this bound is not tight and it assumes zero errors.
parameters (e.g., µ, ε 0 and ε 1 ).More specifically, we use the second level of the hierarchy S 2 and maximise ε ph over the set of compatible probabilities in Q(λ) 2 .The outcome of the numerical optimisation is shown in Figure 3 along with the simulation parameters.To benchmark our results against the best known security analysis for the protocol, we also plot the security bound of ref [40] using the same constraints.From the figure, it is evident that our secret key rates are always higher than the ones given by ref. [40].Importantly, this shows that our method significantly improves the security and feasibility of practical QKD, despite making only a few assumptions about the implementation.For completeness, we note that refs.[43,44] have also recently proposed a new security proof technique based on semidefinite programming (but using a completely different approach).In the case of the current protocol, their simulation outcomes are similar to ours, however their method additionally requires that Bob's measurements are fully characterised and an optical squashing model exists for the measurements [45].
To demonstrate the ability of our method to handle non-standard QKD protocols, we consider the security of a modified coherent-one-way (COW) QKD pro- Here, we use δ = 0.01.On the receiver side, we assume that the beamsplitter in the measurement scheme of ref. [48] has a ratio of 51/49 instead of the ideal 50/50.Using these component models and assuming that each detector has a dark count rate of p dc = 10 −7 , we run the optimisation as per the previous QKD application and obtain four sets of data points using the original COW QKD encoding and a new encoding strategy where the test sequence is optimised.For each of these, we compute the secret key rates with and without errors.
tocol [46,47] and the last sequence is a test state used to estimate Eve's information about the secret bit.For Bob's measurements, we use the active switching measurement scheme proposed in ref. [48] instead of the original passive switching scheme [46].In this setup, Bob employs an optical switch to send the incoming states either into the data line or the monitoring line: the former measures the arrival time of the incoming states while the latter measures the coherence (the interference visibility) between two adjacent states.The advantage of this scheme is that it yields higher detection probabilities than the passive scheme.Another major modification is that only the coherence of the test sequence |α |α is measured.More specifically, the variant protocol does not measure the coherence between adjacent encodings (e.g., in cases like |0 |α ; |α |0 or |α |α ; |α |0 ) like in the original protocol.This modification is largely motivated by earlier research which showed that knowing the coherence information between adjacent encodings does not significantly improve the security of the protocol [48].Importantly, in discarding these events, we have two benefits.Firstly, the security analysis is greatly simplified, i.e., we only need to analyse a single encoding instead of a sequence of en-codings, which can be unwieldy.Secondly, this opens up the possibility to explore scenarios whereby the mean photon number of the test sequence |α |α is optimised.More concretely, we can now adjust the mean photon number of the test sequence to maximise the secret key rate.In the following, we will use |β |β to represent the optimised test sequence.
Using the same approach as before (i.e., equation ( 2)), we compute the secret key rate of the variant protocol using a realistic error model that assumes an imperfect intensity modulator (on the transmitter side) and an imbalanced beam-splitter on the receiver side; see the description of Figure 4 for more details.We first simulate the expected secret key rates of the protocol using the original COW QKD test sequence |β = α |β = α with errors (red curve) and without errors (yellow curve).Both of these curves show that secret keys can only be distributed in the low loss regime (i.e., less than 4 dB loss; or equivalently 20 km of optical fibre length).Comparing to the collective beam-splitting attack curve [42] (black dashed curve), we observe that the original COW QKD encoding may be sub-optimal.To investigate this possibility, we use the flexibility of our method and further optimise |β |β over a discrete set of ratios β/α to search for the best test sequence for a given loss point.We find that the improvement is highly significant.In the case with zero errors, the optimal ratio is β = α/2 and the tolerable loss is extended to more than 35 dB, which spells a ≥ 30 dB improvement over the original COW QKD encoding.The secret key rates (green curve) are also significantly higher and are close to the collective beam-splitting attack bound (in the low loss regime).In the case with errors, we also see similar improvements.More concretely, the optimised variant protocol is now able to distribute secret keys up to about 21 dB loss with errors, which translates to a fibre distance of about 110 km.In conclusion, our findings strongly indicate that it is much more secure to vary the mean photon number of the test sequence.
Outlook.Taken together, our findings thus provide a powerful method to analyse the quantum set of any discretely modulated P&M quantum network, independently of how the network and decoding measurements are implemented.From the perspective of quantum information theory, the toolbox can help to reveal the fundamental limits of quantum communication and to analyse the performance of any quantum coding scheme.On the application side, the toolbox can be used to analyse the performance of quantum network protocols and the security of quantum cryptography, as evidenced by the three examples given above.Concerning the latter, it would be interesting to investigate how the toolbox could be utilised to solve the other open problems in quantum cryptography.For example, the security of round-robin differential phase-shift QKD [49] or continuous variable QKD protocols with discrete modulations [50].
where the quantum code states and measurements are assumed to be randomly chosen (this can be easily generalised to an arbitrary distribution).To characterise the quantum behaviour of the protocol, we maximise Alice's guessing probability given that Bob's guessing probability is set to some fixed value τ ∈ (A1) However, as mentioned in the main text, this optimisation problem is computationally intractable.To this end, we consider instead the SDP relaxation of (A1) corresponding to the set of operators S 1 = {I, A 0 0 , A 1 0 , A 0 1 , A 1 1 , B 0 0 , B 1 0 , B 0 1 , B 1 1 }.Using the label z = (z 0 , z 1 ) ∈ {0, 1} 2 as a classifier, we can partition any feasible solution G to the SDP into 16 blocks {G zz } zz , each having size 9 × 9. We index the rows and columns of G zz by 0, 1, . . ., 8. The reader may refer to the following exposition of G zz for reference: As explained in the main text, the matrix G = n z,z G zz ⊗ |e z e z |, where z = (z 0 , z 1 ) ∈ {0, 1} 2 , is Hermitian PSD and furthermore, its entries satisfy certain linear relations corresponding to the algebraic constraints of the measurement operators and the Gram matrix of the code states.More specifically, we have that:

and |ψ 11 =
|−i √ µ , where µ is the mean photon number of the coherent state.To maximise the sifting efficiency of the protocol, we use {| √ µ , |− √ µ } for key generation and {|i √ µ , |−i √ µ } for testing the security of the channel.

FIG. 4 .
FIG.4.Time encoded coherent-state QKD For this simulation, we consider an error model that is based on imperfect intensity modulation and imperfect mixing of coherent states.On the transmitter's side, we assume that the intensity modulator used to perform the on-off keying has finite extinction ratio, i.e., states are prepared as | √ 1 − δα and | √ δα instead of |α and |0 .Here, we use δ = 0.01.On the receiver side, we assume that the beamsplitter in the measurement scheme of ref.[48] has a ratio of 51/49 instead of the ideal 50/50.Using these component models and assuming that each detector has a dark count rate of p dc = 10 −7 , we run the optimisation as per the previous QKD application and obtain four sets of data points using the original COW QKD encoding and a new encoding strategy where the test sequence is optimised.For each of these, we compute the secret key rates with and without errors.