Fidelity Bounds for Device-Independent Advantage Distillation

It is known that advantage distillation (that is, information reconciliation using two-way communication) improves noise tolerances for quantum key distribution (QKD) setups. Two-way communication is hence also of interest in the device-independent case, where noise tolerance bounds for one-way error correction are currently too low to be experimentally feasible. Existing security proofs for the device-independent repetition-code protocol (the most prominent form of advantage distillation) rely on fidelity-related security conditions, but previous bounds on the fidelity were not tight. We improve on those results by developing an algorithm that returns arbitrarily tight lower bounds on the fidelity. Our results give new insight on how strong the fidelity-related security conditions are, and could also be used to compute some lower bounds on one-way protocol keyrates. Finally, we conjecture a necessary security condition for the protocol studied in this work, that naturally complements the existing sufficient conditions.


I. INTRODUCTION
The ultimate goal of key distribution protocols is to generate secure keys between two parties, Alice and Bob. To this end, device-independent quantum key distribution (DIQKD) schemes aim to provide informationtheoretically secure keys by taking advantage of non-local correlations, which can be verified via Bell inequalities [1][2][3][4]. Critically, Bell violations rely only on the measurement statistics, Pr (ab|xy), where a (b) is Alice's (Bob's) measurement outcome and x (y) is Alice's (Bob's) measurement setting [5]. By basing security on Bell inequalities, DIQKD protocols do not require any knowledge of the bipartite state that Alice and Bob share, nor of the measurements both parties conduct, apart from the assumption that they act on separate Hilbert spaces [1,5]. (To guarantee security, it is still important to ensure that information about the device outputs themselves is not simply leaked to the adversary. Also, if the devices are reused, they must not access any registers retaining memory of 'private data', in order to avoid the memory attack of [6].) We consider all Hilbert spaces to be finitedimensional.
Although DIQKD allows for the creation of secret keys under very weak assumptions, there is a trade-off when it comes to noise tolerances [1,7]. Standard DIQKD protocols which apply one-way error-correction steps have fairly low noise robustness, and are therefore not currently experimentally feasible [1,3]. To improve noise tolerances, one may implement techniques such as noisy pre-preprocessing [8], basing the protocol on asymmetric CHSH inequalities [9,10], or applying advantage distillation [11]. In this work we focus solely on advantage distillation, which refers to using two-way communication for information reconciliation, in place of one-way error-correction.
In device-dependent QKD [7,[12][13][14][15][16][17], as well as clas- * thomas.hahn@weizmann.ac.il † yzetan@uwaterloo.ca sical key distillation scenarios [18,19], advantage distillation can perform better than standard one-way protocols in terms of noise tolerance. As for DIQKD, it has been shown that advantage distillation leads to an improvement of noise tolerance as well [11], but the results obtained in that work may not be optimal. Specifically, a sufficient condition was derived there for the security of advantage distillation against collective attacks, based on the fidelity between an appropriate pair of conditional states (see Theorem 1 below). However, the approach used in [11] to bound this fidelity is suboptimal, and hence the results were not tight.
Our main contribution in this work is to derive an algorithm based on semidefinite programs (SDPs) that yields arbitrarily tight lower bounds on the relevant fidelity quantity considered in [11]. We apply this algorithm to several DIQKD scenarios studied in that work, and compare the resulting bounds. Surprisingly, while we find improved noise tolerance for some scenarios, we do not have such improvements for the scenario that gave the best noise tolerances in [11], which relied on a more specialized security argument. An important consequence of this finding is that it serves as strong evidence that the general sufficient condition described in [11] is in fact not necessary in the DIQKD setting, in stark contrast to the device-dependent QKD protocols in [14,15], where it is both necessary and sufficient (when focusing on the repetition-code advantage distillation protocol; see below). In light of this fact, we describe an analogous condition that we conjecture to be necessary, and discuss possible directions for further progress.
We consider the following set-up for two parties, Alice and Bob [2,11]. The only key-generating measurements are A 0 and B 0 . We consider Eve to be restricted to collective attacks [20], where it is assumed that the measurements Alice and Bob may conduct, as well as the single-round tripartite state, ρ ABE , that Alice, Bob, and an adversary, Eve, share are independent and identical for each round. Since we are working in the device-independent setting, we consider Alice and Bob's measurements to be otherwise uncharacterized. For ease of applying the results from [11], we assume that they perform a symmetrization step, in which Alice and Bob publicly communicate a uniformly random bit and XOR it with their raw outputs (see [11] for details on when this step can be omitted). We use to denote the quantum bit error rate (QBER), i.e. the probability of obtaining different outcomes from measurements A 0 , B 0 .
We consider the repetition-code protocol for advantage distillation [13-15, 18, 19], which proceeds as follows. After gathering the raw output strings from their devices, Alice and Bob split the key-generating rounds into blocks of size n each, and from each block they will attempt to generate a single highly-correlated bit. For each block, Alice generates a secret, uniformly random bit, C, and adds it to her n bits, A 0 . She then sends this 'encoded' bitstring, M = A 0 ⊕(C, ..., C), as a message to Bob via an authenticated channel. He then tries to decode the message by adding his own bitstring, B 0 , to it. He accepts the block of n bits if and only if M ⊕ B 0 = (C , ..., C ). If accepted, he indicates this to Alice by sending her a bit D = 1 via an authenticated channel. Otherwise, he sends D = 0. Considering only the accepted blocks, this process has therefore reduced each block of n bitpairs to a single highly correlated bitpair, (C, C ). Alice and Bob then apply a one-way error correction procedure (from Alice to Bob) on the resulting bitpairs over asymptotically many rounds, followed by privacy amplification to produce a final secret key. This procedure can achieve a positive asymptotic keyrate if the bitpairs in the accepted blocks satisfy some conditions we shall now describe.
The protocol can be used to distill a secret key if [21] r := H(C|EM; where E is Eve's side-information across one block of n rounds and H is the von Neumann entropy [3,21]. The second entropy term, H(C|C ; D = 1), can easily be determined via the QBER [1,11]. In [11], Eve's conditional entropy H(C|EM; D = 1) was lower-bounded using inequalities that are not necessarily tight, leading to the following result based on the (root-)fidelity F(ρ, σ) := √ ρ √ σ 1 : where ρ E|a0b0 denotes Eve's conditional state (in a single round) after Alice and Bob use inputs A 0 and B 0 and obtain outcomes a 0 and b 0 .
Our goal will be to find a general method to certify the condition in Theorem 1. For later use, we also note that in the case where both parties have binary inputs and outputs, an alternative condition was derived [11] based on the trace distance d(ρ, σ) := (1/2) ρ − σ 1 : 1} and all measurements have binary outcomes, a secret key can be generated if

II. RESULTS
To find optimal bounds for Theorem 1, we need to minimize the fidelity for a given observed distribution. We show that this can be written as an SDP in Sec. II A, and use this to calculate noise tolerances for a range of repetition-code advantage distillation setups in Sec. II B. We conclude the Results section with a conjecture for a necessary condition that naturally complements the sufficient condition in [11].

A. SDP Formulation of Minimum Fidelity Condition
To see if Eve can minimize the fidelity such that (2) does not hold, we must first solve the following constrained optimization over all possible ρ ABE and possible measurements by Alice and Bob: where Pr(ab|xy) ρ denotes the combined outcome probability distribution that would be obtained from ρ ABE (and some measurements), and p represents the measurement distribution Alice and Bob actually observe. We observe that after Alice and Bob perform the keygenerating measurements, the resulting tripartite state is of the form a,b∈{0,1} where for brevity we use Pr(ab) to denote the probability of getting outcomes (a, b) when the key-generating measurements are performed, i.e. Pr(ab|00) ρ . To turn this optimization into an SDP, we first note that for any pair (ρ E|00 , ρ E|11 ), there exists a measurement Eve can perform that leaves the fidelity invariant [22]. Also, since this measurement is on Eve's system only, performing it does not change the value Pr(ab|xy) ρ in the constraint either. Therefore, given any feasible ρ ABE and measurements in the optimization, we can produce another feasible state and measurements with the same objective value but with Eve having performed the [22] measurement that leaves the fidelity between the original (ρ E|00 , ρ E|11 ) states invariant.
After performing this measurement, the state (5) becomes a,b∈{0,1} i Pr(ab|i) Pr(i) |abi abi| , where the index i represents the possible outcomes for Eve's measurement (we do not limit the number of such outcomes for now). For these states, the fidelity can be written (assuming the distribution is symmetrized) as Pr(00|i) Pr(11|i) Pr(00) Pr(i) . (7) As for the constraints, we note that this measurement by Eve commutes with Alice and Bob's measurements, hence we can write Pr(ab|xy) ρ = i Pr(i)p i , where p i denotes the Alice-Bob distribution conditioned on Eve getting outcome i. Note that p i is always a distribution realizable by quantum states and measurements, since conditioning on Eve getting outcome i produces a valid quantum state on Alice and Bob's systems. The solution to (4) is therefore equal to the output of the optimization problem inf where Q X ,Y represents the set of quantum realizable distributions, and P(I) is the set of probability distributions Pr(i) on Eve's (now classical) side-information. We note that the constraints can be relaxed to a convergent hierarchy of SDP conditions, following the approach in [23][24][25], but the objective function is not affine. To address this, we show in Sec. IV B that since the objective function is a convex sum of bounded concave functions, it can be approximated arbitrarily well using upper envelopes of convex polytopes. This will allow us to lowerbound this optimization using an SDP hierarchy, and do so without any knowledge about the dimension of Eve's system other than the assumption that all Hilbert spaces are finite-dimensional. Critically, SDPs have the important property that they yield certified lower bounds on the minimum value (via the dual value), so we can be certain that we truly have a lower bound on the optimization (4). Our approach is based on the SDP reduction in [26]; however, we give a more detailed description and convergence analysis for the situation where the optimization involves concave functions of more than one variable (which is required in our work but not necessarily in [26]).
We remark that in this work, we focus on the situation where the constraints in (8) involve the full list of output probabilities. However, our analysis generalizes straightforwardly to situations where the constraints only consist of one or more linear combinations of these probabilities (though it is still necessary to have an estimate of the Pr(00) term in the denominator of the objective function), which can slightly simplify the corresponding DIQKD protocols.

B. Results From SDP
With the exception of the 2-input scenario for both parties (where Theorem 2 can be applied instead of Theorem 1), previous bounds for the fidelity were calculated via the Fuchs-van de Graaf inequalities [11,27]. To compare this against our method, we consider the depolarizing noise model [28], i.e. where the observed statistics have the form where Pr target refers to some target distribution in the absence of noise. We consider three possible choices for the target distribution, and show our results for these scenarios in Fig. 1: (a) Both Alice and Bob have four possible measurement settings. The target distribution is generated by: Alice has two measurement settings, whereas Bob has three. The target distribution is generated by: (c) Both Alice and Bob have two possible measurement settings. The target distribution is generated by: Case (a) is meant to include the Mayers-Yao self-test [29] and measurements that maximize the CHSH value. Alternatively, it can be viewed as having both parties perform all four of the measurements from (c). The results of [11] were able to prove security of this advantage distillation protocol up to q ≈ 6.8% in this case. FIG. 1. Fidelity bounds as a function of depolarizing noise in several scenarios (described in main text), regarding the repetition-code protocol defined in Sec. I. The blue and black solid lines respectively represent the fidelity bounds derived via the previous approach (based on the Fuchs-van de Graaf inequality) and our new algorithm. It can be seen that the latter yields substantially better bounds. The dashed lines show the value of /(1 − ), so the points where they intersect the solid lines give the threshold values for which advantage distillation is possible according to the condition (2). For our approach, these thresholds are q ≈ 8.3%, q ≈ 7.0%, and q ≈ 6.7% (from top to bottom in the scenarios shown here).
We manage to improve the noise tolerance to q ≈ 8.3%, which represents an increase of 1.5%.
As for case (b), the measurements A 0 , A 1 , B 1 , B 2 maximize the CHSH value, and the key-generating measurement B 0 is chosen such that the QBER is zero in Pr target . Again, our approach allows us to improve the noise tolerance threshold from q ≈ 6.0% to q ≈ 7.0%.
The final case is a simple CHSH-maximizing setup, where both parties only have two measurements (this is similar to (b), but without the QBER-minimizing measurement for Bob). If we apply Theorem 1 for this case, our approach improves the threshold from q ≈ 3.6% to q ≈ 6.7%. Also, if we instead optimize the measurements for robustness against depolarizing noise, this threshold can be increased to q ≈ 7.6% (these optimized measurements correspond to measurements in the x-z plane at angles θ A0 = 0, θ A1 ≈ 4.50, θ B0 ≈ 3.61, and θ B1 ≈ 5.39 from the z-axis).
However, it is important to note that in case (c), Theorem 2 could be applied instead to yield a noise tolerance bound of q ≈ 7.7%, or q ≈ 9.1% with optimized measurements [11]. These values are higher than those obtained above by applying our approach to case (c) with Theorem 1. This gives strong evidence that the sufficient condition in Theorem 1 is not a necessary one, because our approach should yield threshold values close to the optimal ones that could be obtained based only on that sufficient condition. (In principle, there may still be a gap between the true fidelity values and the bounds we computed; however, we consider this somewhat unlikely -see Sec. IV C.) Furthermore, we remark that it also suggests that the states ρ E|00 , ρ E|11 that minimize the fidelity in this scenario cannot be pure. This is because in [11], the critical inequalites used in the proof of Theorem 1 are all saturated (in the large-n limit, at least) if those states are pure, indicating that the resulting sufficient condition should be basically 'tight' (i.e. a necessary condition) in this case. Since our results indicate that the sufficient condition is not a necessary one, this implies that the relevant states ρ E|00 , ρ E|11 cannot be pure.
Given the above observations, we now conjecture what might be a necessary condition for security of the repetition-code protocol, to serve as a counterpart to Theorem 1.

C. Conjectured Necessary Condition for Secret Key Distillation
While our result in this section can be stated in terms of the fidelity, we note that the reasoning holds for any distinguishability measure g(ρ, σ) that has the following properties: The first line states that it is symmetric, the second that it is multiplicative across tensor products, and the last two lines correspond to the Fuchs-van de Graaf inequality in the case of the fidelity. An example of another distinguishability measure that satisfies these properties is the pretty-good fidelity [30][31][32], defined as To keep our result more general, we shall first present it in terms of any such measure g, and discuss at the end of this section which choices yield better bounds. (In fact, we will only need (10)- (12) for this section. We list (13) as well because it can be used when studying sufficient conditions; see Sec. IV D.) For any such g, we shall show that under a particular assumption, the condition is necessary for the repetition-code protocol as described above to achieve positive asymptotic keyrate. (Note that this claim is restricted to the specific protocol description above; in particular, we require that after the initial blockwise 'distillation' procedure, only one-way error correction from Alice to Bob is performed, without any further processing such as another iteration of the blockwise 'distillation'.) Specifically, the assumption is that given some state and measurements compatible with the observed statistics, Eve can produce some other state and measurements (with the same measurement-outcome probability distribution) that have the same value of g(ρ E|00 , ρ E|11 ), but with ρ E|01 = ρ E|10 . This assumption seems reasonable because ρ E|01 = ρ E|10 describes a situation where Eve is unable to distinguish the cases where Alice and Bob's outcomes are 01 versus 10, i.e. in some sense this appears to be a 'suboptimal' attack by Eve. (It might seem that this could be trivially satisfied by having Eve erase her side-information conditioned on Alice and Bob obtaining different outcomes. However, for Eve to do so, she would need to know when Alice and Bob obtain different outcomes, and it is not clear that this is always possible for the states in Eve's optimal attacks in DIQKD scenarios. This property does hold for the QKD protocols studied in [14,15], and they use it as part of the proof that their condition is also necessary.) To prove that (14) is in fact necessary (given the stated assumption), we show that if it is not satisfied, then regardless of the choice of block size in the repetition-code protocol, in each block Eve can always produce a classical bit C such that This in turn implies (as noted in [15], using the results for binary symmetric channels in [18]) that the repetitioncode protocol as described above cannot achieve positive asymptotic keyrate. To prove that Eve can indeed do this, we first derive an 'intermediate' implication (we give the proof in Sec. IV D, based on the arguments in [11,14,15]): Proposition 3. Let g be a function satisfying (10)- (12). If Eve's side-information satisfies ρ E|01 = ρ E|10 and then for all n, Eve can use the information available to her (i.e. E, M, and D = 1) to construct a guess C for the bit C that satisfies We now observe that the following relations hold (the first by Fano's inequality, the second by a straightforward calculation using the fact that the bits C, C have uniform marginal distributions in the accepted blocks): where h 2 is the binary entropy function. With this we see that Eve can indeed produce a bit such that (15) holds, thereby concluding the proof.
If it could be shown that ρ E|01 = ρ E|10 is in fact always possible to achieve for Eve without compromising g(ρ E|00 , ρ E|11 ) or the post-measurement probability distribution, then (14) would genuinely be a necessary condition for security. It could then be used to find upper bounds for noise tolerance of the repetition-code protocol.
Regarding specific choices of the measure g, note that the pretty-good fidelity and the fidelity are related by F(ρ, σ) ≥ F pg (ρ, σ) ≥ F(ρ, σ) 2 [31], with the first inequality being saturated for commuting states and the second inequality for pure states. In particular, the F(ρ, σ) ≥ F pg (ρ, σ) side of the inequality implies that when aiming to find upper bounds on noise tolerance of this protocol using the condition (14), it is always better to consider pretty-good fidelity rather than fidelity (since all states satisfying the condition (14) with g = F pg also must satisfy it with g = F, but not vice versa). We leave for future work the question of whether there are other more useful choices for the measure g.

III. DISCUSSION
We discuss several consequences of our findings in this section. With regards to noise tolerances, our results show that by calculating bounds directly via the fidelity, a significant improvement can be achieved over the results based on Theorem 1 in [11]. This is especially important for the 3-input-scenario for Bob, as the previous advantage distillation bound falls well short of the bound for standard one-way error correction (even when only accounting for the QBER and CHSH value) [1,9,10]. As advantage distillation improves the key rate for device-dependent QKD [7,[12][13][14][15][16][17], it is expected to behave analogously for the device-independent setting. Our bound of q ≈ 7.0% lies within 0.15% of the noise threshold for one-way protocols using the CHSH inequality [1] and within 0.40% of those using asymmetric CHSH inequalities [9,10], thereby substantially reducing this gap; however, it still does not yield an overall improvement. Again, this suggests that the sufficient condition (2) is in fact not necessary.
This brings us to the question of finding a condition that is both necessary and sufficient for security (of the repetition-code protocol) in the DIQKD setting. Note that while one could view the results of [14,15] as stating that condition (2) is both necessary and sufficient in the device-dependent QKD scenarios studied there, there are some subtleties to consider. Namely, that condition could be rewritten in several ways that are equivalent in those QKD scenarios, but not necessarily in DIQKD. For instance, in those QKD scenarios the states ρ E|ab are all pure, which means that F(ρ E|00 , ρ E|11 ) 2 could be rewritten as 1 − d(ρ E|00 , ρ E|11 ) 2 ; however, this equivalence may not hold in the DIQKD setting, where those states might not be pure in general. Hence if we think in terms of trying to extend the necessary and sufficient condition in [14,15] to DIQKD, we would first need to address the question of finding the 'right' way to formulate that condition.
Indeed, our findings raise the question of whether attempting to determine security via F(ρ E|00 , ρ E|11 ) is the right approach at all, because of the following informal argument. First, assuming that the fidelity bounds we obtained were essentially tight, our results indicate that there are scenarios where condition (2) is violated but the repetition-code protocol is still secure (via Theorem 2 instead), implying that it is not a necessary condition. However, if it is not necessary, it is not immediately clear how one might improve upon it. In particular, it seems unlikely that our conjectured necessary condition (14) could also be sufficient -after all, for the device-dependent QKD protocols studied in [14,15], it is condition (2) rather than (14) that is both sufficient and necessary. Since a Fuchs-van de Graaf inequality was used to incorporate the fidelity into the security condition and this inequality is most likely the reason that (2) is not necessary, finding a new, completely device-independent approach might necessitate using different inequalities.
A speculative, but interesting, alternative approach could be to instead consider the (non-logarithmic) quantum Chernoff bound [33,34], This is because this measure yields asymptotically tight bounds on the distinguishability of the states ρ ⊗n and σ ⊗n [34], which we might be able to use. However, there is still some work that needs to be done before noise tolerances can be calculated via this method. For example, in contrast to the fidelity, it still not known whether there exists a measurement that preserves this distinguishability measure (this is the main reason we could construct an SDP for bounding the fidelity). Moreover, a security condition for the repetition-code protocol will in all likelihood require a measure of distinguishability between states that are not of the form ρ ⊗n and σ ⊗n , albeit with some similarities (see Sec. IV D). Hence one would need to investigate which aspects of the proof in [34] could be generalized to such states as well. We discuss this further in Sec. IV D. Similar to [1], one could conduct a qubit analysis in the hopes that this approach produces fidelity bounds that are 'strong enough'. We show in [35], however, that this is not the case. Moreover, we prove for maximal CHSH violation, i.e. S = 2 √ 2, that F(ρ E|00 , ρ E|11 ) = 1 must hold for qubit strategies. As can be seen in [35], this will no longer generally be the case in higher dimensions.
In principle, by combining the bounds we computed here with the security proof in [11], one could compute lower bounds on the keyrates under the I.I.D. assumption (both in the asymptotic limit and for finite sample sizes, by using the finite version of the quantum asymptotic equipartition property). However, some numerical estimates we performed indicate that the resulting values are very low, even in the asymptotic case. Informally, this is likely because the proof in [11] bounds the von Neumann entropy in terms of fidelity with an inequality that is suboptimal in this context, as previously discussed. However, in the case of device-dependent QKD, the keyrates of this protocol are more reasonable, so it is possible that with better proof techniques, the same may hold for DIQKD.
We conclude by mentioning that it should be possible to use our algorithm to obtain keyrate lower bounds for one-way communication protocols as well. This is because the keyrate in such protocols is given by [21] H and the main challenge in computing this value is finding lower bounds on H(A 0 |E) (again, the H(A 0 |B 0 ) term is straightforward to handle, e.g. by estimating the QBER).
Taking A 0 to be symmetrized as previously mentioned, we can apply the following inequality [36]: where the states ρ E|a0 refer to conditioning on the outcome A 0 only. Hence H(A 0 |E) can be bounded in terms of F(ρ E|0 , ρ E|1 ). It should be straightforward to adapt our algorithm to bound such a fidelity expression as well, in which case our approach would also be useful to compute keyrates for non-advantage distillation setups. We aim to investigate this in future work.

A. Fidelity For Post-Measurement Tripartite States
Proposition 4. The fidelity, F(ρ E|00 , ρ E|11 ), of a state of the form (6) is given by Proof. It is easily verified that: We note that Pr(00) = Pr(11) due to the symmetrization step. Since these states are diagonal in the same basis, we can directly compute the fidelity: = Tr ρ as claimed.

B. Approximating The Fidelity With Polytope Hyperplanes
Our goal in this section will be to find a lower bound on Pr(00|i) Pr(11|i) that can be written as a pointwise minimum of affine functions (of p i ). Note that this function depends only on Pr(00|i) and Pr(11|i). (We need to consider both Pr(00|i) and Pr(11|i) without assuming they are equal, as we cannot assume the distributions conditioned on i are still symmetrized. This is because Eve's measurement takes place after the symmetrization step, and does not have to respect the symmetry.) Hence for the purposes of this section, we shall focus on 2dimensional vectors x, with the implicit understanding that An affine function of such a vector x straightforwardly defines a corresponding affine function of p i , by considering the latter to depend only on the terms Pr(00|i) and Pr(11|i).
We begin the construction by defining an appropriate lattice of points: Definition 5. For each n ∈ N, let L n denote a uniformly spaced grid of (2 n + 1) · (2 n + 1) points in [0, 1] 2 , i.e.
(The above definition naturally generalizes to higherdimensional arrays.) Proposition 6. Let P n denote the convex hull of the union of the n th order lattice of f (x) := √ x 1 x 2 and the n th order lattice of g(x) := 0. Then P n is a convex polytope that lies on or beneath the graph of the function Proof.
Step 1: Show that the 2 · (2 n + 1) 2 lattice points lie on or beneath the graph of f (x).
The lattice points of f (x) automatically lie on the function graph as desired. Also, since f (x) is always nonnegative, the lattice points of g(x) also lie on or beneath the function graph.
Step 2: Show that the convex hull of the union of both lattices lies on or beneath the graph of f (x). All points in the convex hull are a convex sum of the lattice points. As f (x) is a concave function, such convex sums must lie on or beneath the graph of f (x) as well.
We can use P n to construct the desired lower bound on f (x), as follows. As we shall formally prove in Proposition 7, this process is basically constructing the upper envelope of P n (i.e. the function whose graph is the 'upper surface' of P n ; this is formally defined by (37) below).
We first transform P n to its facet representation [37], i.e. the description of the polytope by its facet-defining half-spaces. This gives us a set of inequalities described by parameters {(a j , b j , c j , d j )} j , such that (x 1 , x 2 , x 3 ) ∈ P n if and only if To only retrieve the facets that will be used to approximate f (x), i.e. the facets that describe the upper envelope of the polytope we constructed, keep only the facets for which c j > 0. Geometrically, this corresponds to facets such that the normal vector (directed outwards from the polytope) has a vertical component that points upwards.
In our case, this means we remove the facets −x 3 ≤ 0 (32) which correspond to a lower horizontal facet and two vertical facets, respectively. (For more general concave f , there would be more vertical facets to remove, but the subsequent analysis still holds as it is based only on the fact that we keep exactly the facets with c j > 0.) Let S denote the set of indices of the remaining facets. For each j ∈ S, we define a corresponding affine function, and use these to define a function (denoted f n ) that is meant to bound f (x): We verify that the above procedure indeed produces the upper envelope of P n : Proposition 7. For all n ∈ N and x ∈ [0, 1] 2 , f n as defined above satisfies Proof. We first remark that it is indeed valid to write the expression (37) as a maximum rather than a supremum, because by construction of P n , the feasible set in (37) is non-empty (for x ∈ [0, 1] 2 ) and compact.
To prove the desired equality, we start by considering a fixed x ∈ [0, 1] 2 , and arguing that the expression (37) is in fact equal to where the values a j , b j , c j , d j are from the facet inequalities (31). This is because P n is exactly the set of points which satisfy the facet inequalities (31) for all j, so the only difference between (37) and (38) is that the latter maximization has omitted the facet inequalities such that c j ≤ 0. Removing these inequalities does not change the maximum value, by the following argument. The inequalities with c j = 0 are independent of x 3 , so either they are satisfied for all x 3 or for no x 3 ; however, as previously noted the feasible set of (37) is non-empty (for x ∈ [0, 1] 2 ), so the former must be the case. This implies that removing them does not change the maximum value. As for the inequalities with c j < 0, notice that they are lower bounds on x 3 , which means that removing them also does not change the maximum value (as long as the original maximization (37) is feasible, which it indeed is as noted previously). Thus the expressions (37) and (38) are equal for any x ∈ [0, 1] 2 . It remains to show that the original definition (36) of f n is equal to (38) (when treating the latter as a function of x on the same domain). To do so, we show that they have the same subgraph. The subgraph of (36) is using the fact that c j > 0 for all j ∈ S. (To be precise, in those expressions x should be restricted to the function domain, but the argument at this step holds regardless of whether we take the domain to be [0, 1] 2 or R 2 .) The last line is the subgraph of (38), so indeed the functions are equal.
With the formula (37), we can prove some intuitive properties of f n , which will be useful in subsequent arguments: Proof. We showed in Proposition 6 that P n lies on or below the graph of f . Hence (42) follows immediately from the formula (37). As for the equality condition, we note that for all x ∈ L n we have that (x, f (x)) lies in P n (by construction). Hence (37) implies f n (x) ≥ f (x), which implies they must be equal since the reverse inequality (42) holds in general.
Proof. By increasing n by one, we don't remove any lattice points, but rather just add additional points by halving the intervals in both directions. Thus we have P n ⊆ P n+1 , which yields the desired inequality via (37).
We now show the sequence f n indeed converges uniformly to f , so it yields arbitrarily tight bounds. The main intuition is that f n forms a monotone sequence of uniformly continuous functions that have the same value as f on an increasingly fine grid.
Proposition 10. As n → ∞, f n converges uniformly to f . Proof. We note that three conditions must hold: The first statement just says that one can create an arbitrarily fine grid L n . The other two statements follow from the fact that continuous functions on compact sets are automatically uniformly continuous.
To show uniform convergence, we would need to prove that To prove this, consider any > 0, and choose n by the following procedure: set 1 < /2 and 2 < /2, and take some corresponding δ 1 , δ 2 according to (45)-(46). Then set δ < min(δ 1 , δ 2 ), and take a corresponding n ∈ N according to (44). This choice of n has the desired property: for all n ≥ n and for all x ∈ [0, 1] 2 , (44) ensures that there exists some y ∈ L n satisfying |x − y| < δ, hence where the first line follows from Propositions 8 and 9, while the third line follows from Proposition 8.

C. Creating An SDP Algorithm That Minimizes The Fidelity
Without loss of generality, we ignore the factor 1/ Pr(00) in the fidelity expression, as it is a positive constant (for a given distribution Pr(ab|xy)). We consider the functions f and f n defined in the previous section, but as previously discussed, we now view them as functions of p i (though with dependence only on the Pr(00|i), Pr(11|i) terms), i.e. so we have f (p i ) = Pr(00|i) Pr(11|i) and analogously for f n . Since f n is a lower bound on f , our optimization problem (after dropping the 1/ Pr(00) factor) is clearly lower bounded by the following: inf We can show that this lower bound converges uniformly to the original problem (8) as n → ∞, using our previous results about convergence of f n : Proposition 11. As n → ∞, the optimal value of (52) converges uniformly to that of (8) (rescaled by the constant factor of 1/ Pr(00)).
Proof. We denote the solutions to the original and approximate optimization problems by f (p) and f n (p), respectively. For all p ∈ Q X ,Y , for all n ∈ N, and for all 1 > 0, there exists a probability distribution Pr(i) and a set of quantum realizable probability distributions p i that satisfy the optimization constraints, such that i f n (p i ) Pr(i) − f n (p) < 1 . (53) As f n (p i ) converges uniformly to f (p i ), for all 2 > 0, there exists an n such that for all n ≥ n and all p i ∈ Q X ,Y , If one chooses 1 + 2 < , then as desired.
We now describe how to bound (52) using SDPs.
Proof. To reduce the sum to a bounded number of terms, we adopt the approach from [24,25]. Specifically, consider any feasible point of the optimization (52), i.e. some feasible values for p i and Pr(i). Following the previous section, let S denote the indices of the affine functions used to define f n . Partition the summation domain of i into subsets {R j } j∈S , such that i ∈ R j implies the minimum in the definition (36) of f n (p i ) is attained by the index j. In other words, i ∈ R j implies f n (p i ) = h j (p i ). (Geometrically speaking, we are partitioning the terms based on which facet of P n they lie on.) Let us definẽ Note that the choice of partition may not be unique, e.g. if the feasible point being considered has a p i term where the minimum in the definition (36) is attained by more than one j ∈ S. However, this nonuniqueness is not a problem; any partition with the specified property suffices. Also, some R j may be empty, but this is not a problem either; one should simply select an arbitrary distributionp j ∈ Q X ,Y instead of using (59) (since the denominator is zero if R j is empty). Then we can rewrite where in the third line we used the fact that h j is affine and {Pr(i)/P j } i forms a normalized probability distribution over i ∈ R j . Observe thatp j ∈ Q X ,Y (by convexity of Q X ,Y ), and thatP j is a valid probability distribution (over j ∈ S) since the sets R j partition the sum over i. Together with the expression (62), this implies that if we replace the original objective function with the value of the optimization will not increase, since every feasible point of the original optimization yields another feasible point with the same objective value but in the form (63). In other words, by rewriting the objective function in the form (63), we have essentially taken p i and Pr(i) to be thep j andP j we constructed above. Furthermore, since we constructed f n via (36), holds for all p i ∈ Q X ,Y . Thus (63) is a natural upper bound on our previous objective function in (52), so replacing the latter with the former will not decrease the optimal value either. In summary, we can replace the objective function with (63) without changing the optimal value, which is useful because it is the sum of a (known) finite number of terms; also, we no longer need to address the minimization in the definition of f n . However, since h i (p i ) Pr(i) is a product of affine functions of the optimization variables, (63) is still not an affine function. To deal with this, we consider subnormalized probability distributions, i.e. the terms in the distribution sum up to a value in [0, 1] instead of having to sum to 1 (here we mean summing over (a, b) for each choice of (x, y); also, we impose that all (x, y) have the same normalization factor). In our case, we scale the probability distributions p i by the scaling factor Pr(i), i.e. we define new variablesp i = Pr(i)p i . To verify that the objective function is affine in these new variables, we show that each term in the summation is affine. Writing h i (p i ) in the form a i +a i ·p i for some scalar a i and vector a i , we have where z is a vector, which contains only zeroes and ones, that specifies the terms summed over in (67) (this is possible since each Pr(ab|00i) Pr(i) term is equal to an element ofp i ; also, note that the choice to use the input pair xy = 00 at that step is arbitrary and any other pair would suffice). This is indeed affine (in fact linear) inp i . As for the constraints, observe that the first constraint is linear inp i . Also, as long as p is normalized, we can replace the second and third constraints by a single constraintp i ∈Q X ,Y , whereQ X ,Y denotes subnormalized distributions compatible with quantum theory (and with a common normalization factor for all input pairs (x, y)). This is because when p is normalized, the first constraint implicitly imposes a normalization condition on the variablesp i that subsumes the original third constraint. In summary, the optimal value of (52) is the same as where a i , a i , z are the values described above regarding (68). Finally, we use the fact that there exists a SDP hierarchy for the verification of subnormalized quantum probability distributionsQ X ,Y [23][24][25]. Hence, the entire constrained optimization can be lower-bounded by using this hierarchy of SDP relaxations to impose theQ X ,Y constraint, yielding a sequence of increasingly tight lower bounds on the optimization. Note that each level of the hierarchy yields a certified lower bound, i.e. our results are never an over-estimate of the true minimum of the optimization.
We close this section with some implementation remarks. For Fig. 1a, we used a 4 × 4 lattice to construct the bound f n , and NPA level 2. For Figs. 1b-1c, we used an 8 × 8 lattice and NPA level 3 (for the latter case, we found that NPA levels 2 and 4 also gave basically the same results). The SDP runtime was not too long in all cases, ranging from a few seconds to under 15 minutes (for each data point on the graphs), depending on the size of the scenarios.
In principle, there are two ways in which our bounds might not be tight: first, we have replaced f with f n ; second, the SDP hierarchy of [23] may not have converged to a sufficiently tight bound. We consider the latter to be less of an issue, because this hierarchy typically performs well in situations with few inputs and outputs (for instance in Fig. 1c, which was the main example supporting our reasoning that Theorem 1 may not be a necessary condition). As for the former, we performed some checks by noting that every feasible point of the optimization we solve (namely, (69) with the constraintp i ∈Q X ,Y relaxed to the SDP hierarchy) gives us a feasible point of the original optimization (8) (albeit with the constraint p i ∈ Q X ,Y relaxed to the SDP hierarchy). We found that for points near the thresholds shown in Figs. 1b-1c, the corresponding feasible values in that original optimization were within 0.0003 of the lower bounds we obtained, indicating that the bounds are almost tight. (For Fig. 1a we found a bigger gap of about 0.03 using a 6 × 6 lattice to find feasible points, but this is also not too large.) Note that by applying Carathéodory's theorem for convex hulls, we can argue the minimum value in the optimization (52) can always be attained by a distribution Pr(i) with at most d + 2 nonzero terms, where d is the dimension of p. This eventually implies that the minimum value in our final optimization (69) can be attained with at most d + 2 of the subnormalized distributionsp i being nonzero. In practice, d + 2 is often smaller than the number of affine bounds h i (i.e. |S|). Hence if the optimization (69) is too large to solve directly, an alternative approach in principle is to run it for every subset of S with size d+2, then take the smallest of the resulting values. This reduces the size of each individual optimization, but comes at the cost of having to run many more of them.
As another point regarding efficiency, note that our construction of f n involves a transformation to the facet representation of P n . While this can be quickly implemented when x is 2-dimensional, the transformation may be computationally demanding in high dimensions [37]. It would be interesting to know whether there are more efficiently computable alternatives.
A natural attempt would be to partition the domain of f into triangles (more generally, simplices) and construct an affine lower bound in each triangle, yielding a piecewise affine lower bound on f . One benefit of this approach is that it may be usable (though not necessarily straightforward) in some cases when f is not concave, whereas our current construction of f n relies heavily on concavity of f . However, it runs into the subtle issue that having f n be a pointwise minimum of affine functions is a stronger condition than simply requiring it to be piecewise affine; in particular, our analysis used the structure in the former. (Note that it is not useful to simply take the pointwise minimum of the affine bounds constructed this way -there can be very large gaps between f and the resulting bound.) Still, it may be possible to adapt our analysis to this case. To sketch a rough outline, we would again aim to partition the sum in (52) into finitely many subsets, but this time by which of the triangles each p i lies in. Transforming to a new feasible point as in (59) (here we would need to use the convexity of the triangles to argue that eachp j still lies within its defining triangle), we should be able to perform a similar analysis to reduce the objective to the form (63), but with the summation index ranging over the triangles in the domain instead. However, to proceed further we would need to constrain eachp j to remain within the corresponding triangle, appearing as additional constraints in (52). Since these constraints can be imposed as affine constraints, the final result should still be solvable using the SDP hierarchy.
Finally, we note that in [26], the authors do not convert their optimization to the form (69), but rather to a dual form via a somewhat different argument. A similar argument is possible in principle here (see [35]), but we choose to present our result in the form (69) since it seems most straightforward for implementation. We thank the authors of [26] for clarifications on these different approaches.

D. Proof of Proposition 3
Proof. After Alice and Bob conduct n key-generating measurements, the resulting classical-classical-quantum tripartite state is of the form a,b∈{0,1} n Pr (ab) |ab ab| ⊗ ρ E|ab .
Considering that Alice and Bob only take accepted blocks into account, i.e. D = 1, and Alice sends the message M = m, it is simple to construct the bipartite state ρ CE|M=m∧D=1 , which denotes the state that describes both the value of the bit C and Eve's corresponding sideinformation. As D = 1 implies that Alice's and Bob's measurement devices either output m or m = m ⊕ 1, the resulting state is given by where ω 0 = Pr (mm) ρ E|mm + Pr (mm) ρ E|mm Pr (mm) + Pr (mm) (72) denotes Eve's conditioned side-information [11]. Moreover, after symmetrization, we get Pr (mm) = Pr (mm) = (1− ) n 2 n and Pr (mm) = Pr (mm) = n 2 n , which further simplifies (72) and (73).
Eve's ability to correctly guess C therefore depends on the distinguishability of ω 0 and ω 1 . As C, and consequently ω i , is distributed uniformly, we may use the operational interpretation of the trace distance to derive Eve's optimal guessing probability. The optimal probability of guessing it incorrectly is thus given by We first consider Bob's guess.
We now consider Eve's guess. By using the reverse triangle inequality of the 1-norm, we can get a lower bound on d (ω 0 , ω 1 ) in terms of δ n : and substituting this into (74) yields where to get the second line we used the hypothesis ρ E|01 = ρ E|10 (which implies ρ E|mm = ρ E|mm ). The 'Fuchs-van de Graaf-type' inequality (12) then implies that Moreover, note that we have g ρ E|mm , ρ E|mm = g ρ E|00 , ρ E|11 n (by applying the I.I.D. assumption together with the multiplicative property (11), followed by the symmetry property (10)). Therefore a sufficient condition for (17) to hold is We conclude the proof by showing that for all n ∈ N, (16) is equivalent to (79). Note that the inequality (12) (together with the fact that d(ρ, σ) ≤ 1) implies that g(ρ, σ) is always non-negative. Hence for all n ∈ N the inequality (16) is equivalent to This inequality can be rewritten as The previous inequality is equivalent to and dividing both sides by 2 gives (79).
We note that the current gap between the suffi-cient and necessary conditions can be viewed as arising from the 'Fuchs-van de Graaf-type' inequalities (12) and (13). This is because the sufficient condition (Theorem 1) proof requires lower bounds on H(C|EM; D = 1), whereas the conjectured necessary condition needs upper bounds. As noted in the supplemental material for [11], the analysis we performed above also serves an alternative approach for proving Theorem 1 (the main proof in [11] instead used the inequality from [36] to lower-bound H(C|EM; D = 1)). The main idea is that H(C|EM; D = 1) can be lower bounded by the minentropy, which simply equals − log((1 − d (ω 0 , ω 1 ))/2). By performing an analysis similar to the above but using the inequality (13) instead of (12), we end up (after some asymptotic analysis) with a sufficient condition for (1) to hold, which turns out to be exactly the same as Theorem 1 (except that since the only properties of g required for this argument are (10)- (13), it would hold with any g satisfying those properties in place of the fidelity F). Note that no assumption is needed on d(ρ E|01 , ρ E|10 ) for this direction of the proof. From this perspective, it appears that the main contribution to the gap is the difference between the bounds (12) and (13), since other steps of the proof have comparatively small effects asymptotically. However, regarding possible choices of distinguishability measure g in this generalized version of Theorem 1, note that replacing the fidelity in the theorem statement with the pretty-good fidelity yields a worse result, due to the inequality F(ρ, σ) ≥ F pg (ρ, σ). (The opposite was true for the necessary condition, Proposition 3.) The question remains of whether there are choices for the measure g that yield better bounds for the sufficient condition.
Finally, we remark that the above analysis essentially centers around distinguishing ρ E|mm and ρ E|mm . Returning to our discussion of the quantum Chernoff bound, we observe that unless M = 0 or M = 1, these states are not of the form ρ ⊗n and σ ⊗n studied in the quantum Chernoff bound, though there are some structural similarities. (If M were restrained to M = 0 or M = 1, one may consider only M = 0, as M = 1 can be thought of as a relabeling of measurement outcomes.) Since M is not restricted to these cases in general, we would need to study whether these other structurally similar states could still be analyzed using the proof techniques for the quantum Chernoff bound.
As another perspective, note that the quantum Chernoff bound in fact satisfies almost all the properties (10)-(13) [31]. However, instead of the equality (11), it only satisfies the inequality g(ρ ⊗ ρ , σ ⊗ σ ) ≥ g(ρ, σ)g(ρ , σ ). Looking through the proofs described above for the necessary versus sufficient conditions, this means that only the proof of the latter generalizes directly if we choose g = Q. Unfortunately, Theorem 1 with the fidelity simply replaced by the quantum Chernoff bound is a worse result, because the quantities are related by F(ρ, σ) ≥ Q(ρ, σ) [33] (similar to the previous situation for pretty-good fidelity). Hence an argument that simply follows the proof structure sketched above with g = Q would not yield a better result than the the original Theorem 1 statement based on fidelity -to get better results using the quantum Chernoff bound, one would need a different proof structure.

DATA AVAILABILITY
The datasets produced in this work are available from the authors upon reasonable request.

CODE AVAILABILITY
The MATLAB code for this paper can be found at the following URL: https://github.com/Thomas0501/Fidelity-Optimization