Symmetries in protocols

In this section we show that the density operator ρopt_AB corresponding to the optimal attack lies in a “symmetrized” set ¯Γ, instead of Γ. If ρopt_AB lies in ¯Γ, we call the optimal attack a symmetric optimal attack. The symmetric states in the set ¯Γ are easily characterized using representation theory and Schur’s lemma shown in Sec. 2.4.

4.2.1

Symmetries of signal states and measurements

Let G be a group with a unitary representation_{Ug; g ∈ G} on the Hilbert space H of the signal states S =_{|ϕxi}x of a protocol. The group is said to be the symmetry group of the signal states, if S is G-invariant, namely, if for all_|ϕxi ∈ S, the transformed states

|ϕg(x)i := Ug|ϕxi (4.1)

are again in the set S for all g_{∈ G and all |ϕ}xi ∈ S. Here the index g(x) denotes the index of the state Ug|ϕxi.

If the set of signal states of a protocol is G-invariant, the POVM elements Fx

A and the reduced state ρA appearing the source-replacement scheme in Eqs. (3.3) and (3.4) also have certain symmetry properties.

Lemma 3 If the initial probability distribution p(x) is uniform (p(x) = 1/_{|S| for all x)} and the set of signal states is G-invariant, then the POVM MA ={FAx}x and the reduced state ρA are G∗-invariant, namely

U_g∗Fx

AUgT = F

g(x)

A ∈ MA, (4.2)

U_g∗ρAUgT = ρA, (4.3)

for all g _{∈ G. The symbols ∗ and T denote the complex conjugate and the transpose with} respect to the fixed Schmidt basis _B.

We prove Lemma3in Appendix A.3. Note that, with our particular definition of_{∗ and T} with respect to the Schmidt basis, the operators U_g∗ and U_gT are well-defined.

In the following, we only consider protocols in which Bob’s POVM MB = {FBy}y is equipped with the G-invariance

UgFByU †

g = F

g(y)

B ∈ MB. (4.4)

4.2.2

Coarse-grained parameter estimation

In many cases, the parameter estimation is based on a set of coarse-grained or averaged quantities, instead of the more detailed distribution p(x, y). Often there is only one coarse- grained quantity, Q, for example, the quantum bit error rate (QBER) averaged over all signal states.

The coarse-grained quantity Q is defined as a linear function of the probability distri- bution p(x, y) with the invariance property

Q[_{{p(x, y)}] = Q[{p}g(x, y)}] ∀g ∈ G. (4.5) In this expression, the distribution

pg(x, y) = tr{F g(x)

A ⊗ F

g(y)

B ρAB} (4.6)

is generated by relabelling the POVM elements F_Ax_{⊗ FB}y by F_Ag(x)_{⊗ FB}g(y).

In a coarse-grained parameter estimation scenario, the set of states that are compatible with Q and ρA is given by Γave. This new set is a superset of the previously defined set Γ, because for each ρAB ∈ Γ, an entire equivalence class of states {Ug[ρAB] : g∈ G} of the form

Ug[ρAB] = Ug∗⊗ UgρABUgT ⊗ U †

g, (4.7)

are found in Γave. These states are (i) compatible with Q, because of the invariance property of Q, and (ii) have a reduced state trB{Ug[ρAB]} = ρA because of the G∗-invariance of ρA. Furthermore, for all ρAB ∈ Γ, the set Γave contains all symmetrized states

TG [ρAB]≡ ¯ρAB = 1 |G| X g∈G ρ(Ug) AB , (4.8)

because of the linearity of Q. In this definition_{|G| is the number of group elements in G.} The map _TG is commonly known as the twirling map in the literature. The symmetrized

states form a subset ¯Γ of the set Γave. The subset ¯Γ is obtained by applying the twirling map to all density operators ρAB in Γave.

The symmetrized states have some nice properties: they commute with all tensor prod- ucts U_g∗ _{⊗ U}g,

 ¯ρAB, Ug∗⊗ Ug = 0 ∀g ∈ G. (4.9) Furthermore, a purification of ¯ρAB can be chosen to satisfy the invariance

U_g∗_{⊗ U}g⊗ Ug⊗ Ug∗|Ψi = |Ψi ∀g ∈ G. (4.10) The existence of this particular choice of the purification has been proven in Ref. [25] for permutation groups, but the same proof holds for arbitrary groups as well.

In the coarse-grained parameter estimation scenario, the optimization of the key rate is changed. Since the set Γaveis a superset of Γ, we can safely evaluate the key rate ¯r(E(ρAB)) over the enlarged set without running the risk of underestimating Eve. Therefore, we can bound the key rate by

rmin= inf ρAB∈Γ ¯ r(_E(ρAB))≥ inf ρAB∈Γave ¯ r(_E(ρAB)). (4.11)

4.2.3

Symmetric optimal attack

We show here that for any state ρAB ∈ Γave, the key rate is bounded by

r( ¯ρAB)≤ r(ρAB). (4.12)

Proof. Recall that the key rate is defined as the difference r( ¯ρAB) = I(ρAB, MAB) − χ(ρAB, MA). Since the POVMs MA and MB are G∗- and G-invariant (see Eqs. (4.2) and (4.4)), we apply Lemma 2to I and χ, which shows that all states in the equivalence class {Ug[ρAB] : g ∈ G} in Γave yield equivalent key rates

r(_Ug[ρAB]) = r(ρAB) (4.13)

Moreover, because the reduced state ρA of each state in Γave is invariant by definition, the a priori probability distribution p(x) = trA{FAxρA} is fixed throughout the entire set Γave. Using the theorems about the convexity and concavity of I and χ (Theorems 7and 8), it

follows that the key rate of the symmetrized state ¯ρAB is bounded by r( ¯ρAB) = I( ¯ρAB, MAB)− χ(¯ρAB, MA) (4.14) ≤ 1 |G| X g I(_Ug[ρAB], MAB)− χ(Ug[ρAB], MA) (4.15) = 1 |G| X g r(_Ug[ρAB]). (4.16)

We can now use the equivalence property in Eq. (4.13) to show that 1

|G| X

g

r(_Ug[ρAB]) = r(ρAB). (4.17)

This last equation together with Eq. (4.16) implies the desired result. _ If there is a postselection step in a protocol, we need to extend the equivalence property in Eq. (4.13) and the convexity property in Eq. (4.16) to the key rate ¯r(_E(ρAB)), namely,

¯ r(_E(ρAB)) = ¯r(E(Ug[ρAB])), (4.18) ¯ r(_E(¯ρAB))≤ 1 |G| X g ¯ r(_E(Ug[ρAB])). (4.19)

These properties do not necessarily hold in general. For example, under certain postselec- tion strategies, the restriction on p(x) that is needed in Theorem 7 may be violated. We will later analyze a family of protocols with a special postselection where the convexity and equivalence properties of key rate ¯r(_E(ρAB)) always holds.

However, if Eqs. (4.19) and (4.18) hold, then for any state ρAB ∈ Γave, the key rate is bounded by

r(_E(ρAB))≥ r(E(¯ρAB)). (4.20)

This implies that the optimization can be carried out over the symmetric set ¯Γ inf ρAB∈Γave ¯ r(_E(ρAB))≥ inf ¯ ρAB∈ ¯Γ ¯ r(_E(¯ρAB)). (4.21)

Therefore, we can continue the estimation of the key rate in Eq. (4.11) and restrict the search for the optimal attack to a search over the set ¯Γ:

rmin ≥ inf ¯ ρAB∈ ¯Γ

¯

r(_E(¯ρAB)). (4.22)

In Fig. 4.1 we represent the transition from Γ to ¯Γ schematically. The symmetrized states ¯

ρAB can be characterized using representation theory, as shown for two examples in Sec.

Weak convexity of r

Γ

Γ_ave

¯Γ

Figure 4.1: By only using coarse-grained quantities Q for parameter estimation, the set Γ is replaced by a bigger set Γave. Using the weak convexity of the key rate, the optimal attack can be chosen from a symmetrized set ¯Γ.