Simple and practical DIQKD security analysis via BB84-type uncertainty relations and Pauli correlation constraints

According to the entropy accumulation theorem, proving the unconditional security of a device-independent quantum key distribution protocol reduces to deriving tradeoff functions, i.e., bounds on the single-round von Neumann entropy of the raw key as a function of Bell linear functionals, conditioned on an eavesdropper's quantum side information. In this work, we describe how the conditional entropy can be bounded in the 2-input/2-output setting, where the analysis can be reduced to qubit systems, by combining entropy bounds for variants of the well-known BB84 protocol with quantum constraints on qubit operators on the bipartite system shared by Alice and Bob. The approach gives analytic bounds on the entropy, or semi-analytic ones in reasonable computation time, which are typically close to optimal. We illustrate the approach on a variant of the device-independent CHSH QKD protocol where both bases are used to generate the key as well as on a more refined analysis of the original single-basis variant with respect to losses. We obtain in particular a detection efficiency threshold slightly below 80.26%, within reach of current experimental capabilities.


Introduction
Based on Bell's theorem [1,2], device-independent quantum key distribution (DIQKD) aims to allow cryptographic keys to be generated and proved secure based on minimal assumptions about the quantum devices [3]. Following its proposal fifteen years ago, realizing a working DIQKD protocol has long presented a significant challenge both to theorists, due to the mathematical difficulty of devising practical and rigorous security proofs, and to experimental researchers, due to the difficulty of distributing entangled quantum systems with low noise and high detection rates over long distances. Recent advances paved the way to three successful proof-of-principle experiments demonstrating the feasibility of this technology [4][5][6]. However, there is still a long way from these proof-of-principle experiments to practical DIQKD implementations, with the necessity to improve the distance and the rate at which the keys are distributed.
Michele Masini: michele.masini@ulb.be
Stefano Pironio: stefano.pironio@ulb.be
Erik Woodhead: erik.woodhead@ulb.be
One major theoretical advance introduced a few years ago is the entropy accumulation theorem [7], and the related technique of quantum probability estimation [8], which reduces proving the unconditional security of a generic DIQKD protocol in the finitekey regime to the problem of obtaining a lower bound (called a min-tradeoff function in [7]) on the conditional von Neumann entropy H(K A |E) of Alice's raw key variable K A conditioned on an eavesdropper's possible quantum side information E, as a function of the expected value of a Bell expression. For instance the security of the simplest DIQKD protocol based on the CHSH inequality follows from the following lower bound on the conditional von Neumann entropy of Alice's measurement outcome A 1 where φ(x) = h 1 2 + 1 2 x , h(x) is the binary entropy, and S = A 1 B 1 + A 1 B 2 + A 2 B 1 − A 2 B 2 is the expected value of the CHSH Bell expression [3].
The basic CHSH protocol based on the above lower bound is, however, not optimal in a number of respects. There has thus been in the last few years a search for ways to bound the conditional entropy for more general DIQKD protocols, either focusing on the 2-input/2-output setting [9][10][11], or finding numerical methods to tackle the problem in a more general way [12,13]. Despite these efforts, bounding the entropy can be a numerically intensive problem, with one recent approach [11] notably requiring thousands of processor core-hours of computing time to numerically bound the average entropy for a two-basis variant [10] of the CHSH-based DIQKD protocol. This has significant drawbacks, reducing confidence in the results (as they are harder for others to reproduce), increasing the difficulty of optimizing over parameters in simulations, and generally increasing the time and computing resources necessary just to calculate a key rate.
In this work, we present a new and versatile approach to bound the conditional entropy in the 2-input/2-output device-independent setting that is conceptually and technically relatively simple. It is a generalization of the approach in [14] that was used to derive an analytical bound on the conditional entropy for a family of asymmetric CHSH inequalities. As we explain here, the main conceptual steps of this security analysis are not specific to the protocol considered in [14] but can actually be easily adapted to other 2-input/2-output device-independent protocols.
The starting point is, as usual in the 2-input/2-output scenario, to use Jordan's lemma to reduce the analysis to convex combinations of qubit strategies. From there, our approach is based on three steps. First, as in a standard qubit QKD protocol like BB84, we bound the conditional entropy of Alice's key-generating measurement, say, A_1 through an uncertainty relation involving the correlations ⟨Ā_1 ⊗ B⟩ between an orthogonal measurement Ā_1 on Alice's subsystem and a binary observable B on Bob's system. In a device-independent setting, though, and contrarily to, e.g., BB84, we cannot have direct access to the correlations ⟨Ā_1 ⊗ B⟩ as we cannot assume that Alice's measurement devices perform measurements in two orthogonal bases A_1, Ā_1. The second step is then to establish a device-independent qubit constraint on ⟨Ā_1 ⊗ B⟩ which is based on correlations between Alice and Bob that are actually observed in the protocol, e.g., the CHSH expectation value or some other Bell expression. Combining the first and second steps, we obtain a bound on the conditional entropy which is device-independent, apart from the assumption that Alice and Bob are measuring qubits. The third step then involves a convexity analysis: either the resulting bound happens to be convex or, if this is not the case, we convexify it. In this way, we get a lower bound that is valid for convex combinations of qubit strategies, and thus, by Jordan's lemma, for arbitrary, dimension-free strategies.
We illustrate this new approach in detail on two variants of the CHSH-based DIQKD protocol: the two-basis variant [10] and a new variant that incorporates, in addition to the CHSH value, information about the bias in the key generating measurement A 1 . This last feature is particularly relevant for photonic implementations of DIQKD where no-click outcomes ∅ are mapped to a given key bit value, say ∅ → +1, resulting in highly biased outcomes. The bounds that we obtain are optimal or close to optimal and significantly simpler technically and less computationally demanding than other approaches. We show in particular that a qubit DIQKD protocol can tolerate detector efficiencies as low as 80.26%.
We first provide in Section 2 a high-level description of our approach to bounding the conditional entropy in 2-input/2-output scenarios and then illustrate it in detail on the two-basis variant of the CHSH DIQKD protocol in Section 3.1 and on the variant optimized for losses in Section 3.2.

Description of our approach
We start by specifying the class of problems that we aim to solve. We consider a tripartite setup involving a state ρ_ABE shared among Alice, Bob, and the eavesdropper Eve. We assume that Alice can measure one of two ±1-valued observables A_1 or A_2 on her system, and similarly Bob can measure one of two ±1-valued observables B_1 or B_2. We refer to the tuple Q ≡ (ρ_ABE, A_1, A_2, B_1, B_2) as a strategy.
A strategy Q can be seen as describing a single round of a multi-round DIQKD protocol. The measurements by Alice and Bob serve two purposes: generating some random variable K A on Alice's side (which will constitute Alice's copy of the raw key in the DIQKD protocol) and establishing some correlations between Alice and Bob (which will be estimated in a parameter estimation step of the DIQKD protocol). Any strategy Q implies some tradeoff between how random K A is to Eve and how correlated Alice's and Bob's measurement outcomes are. This tradeoff can be formalized as follows.
Eve's information on the raw key K_A. Let us assume that Alice uses the following general procedure to generate a random key value K_A: she first selects a measurement choice X = 1, 2 according to a probability distribution µ_X, she measures the corresponding observable A_1 or A_2, she gets the classical output A = ±1, and finally she applies to A a (possibly stochastic) map $_x : {±1} → K_A to obtain a value K_A in some finite alphabet K_A. A measure of how random K_A is to Eve, given knowledge of the measurement choice X, is the conditional von Neumann entropy H(K_A|XE), where H(ρ) = −Tr[ρ log₂(ρ)] is the von Neumann entropy, evaluated on the classical-quantum state ρ_{K_A XE} describing the correlations between K_A, X, and E. In this expression, the reduced states of Eve are determined by the transition probabilities p_x(k|a) of the map $_x.
In this paper, we will often be interested in the case where K_A is simply obtained as the outcome of one of Alice's measurements, e.g., A_1 (i.e., there is no random input choice X and no classical preprocessing). By a slight abuse of notation, we write A_1 both for the random variable denoting the measurement outcome of A_1 and for the measurement A_1 itself. We thus write in such cases K_A = A_1 and H(K_A|XE) = H(A_1|E). We will also consider noisy preprocessing [15,16], where Alice's raw key bit K_A is again the outcome of the measurement A_1, but with probability q she flips it and with probability 1 − q she keeps it as it is. We write K_A = A_1^q for the corresponding random variable and thus H(K_A|XE) = H(A_1^q|E) for the conditional entropy. Finally, the last case we will consider is one where K_A is obtained by choosing the observables A_1 and A_2 with probabilities p and p̄ = 1 − p, respectively, and applying noisy preprocessing with flip probability q to the measurement output. We then write K_A = A_X^q and H(K_A|XE) = H(A_X^q|XE).

Alice-Bob correlations. In a device-independent setting, the correlations between Alice and Bob can be characterized through Bell linear functionals, which are linear functions of 1-body and 2-body correlators.
In the 2-input/2-output scenario, 1-body and 2-body correlators can all be written in the common form ⟨A_x ⊗ B_y⟩, with the convention that A_0 = B_0 = 1 denotes the identity. A Bell linear functional S is then specified by 9 real coefficients {S_xy} (x, y = 0, 1, 2) and its value on a given set of correlators {⟨A_x ⊗ B_y⟩} is given by S = Σ_{x,y} S_xy ⟨A_x ⊗ B_y⟩. We refer to S as a Bell expectation. In the following, we will particularly be interested in the CHSH functional S = ⟨A_1 ⊗ B_1⟩ + ⟨A_1 ⊗ B_2⟩ + ⟨A_2 ⊗ B_1⟩ − ⟨A_2 ⊗ B_2⟩.

Tradeoff between Eve's information on the raw key and Alice-Bob correlations. Assume that a procedure for generating a raw key value (as specified by a measurement probability distribution µ_X and preprocessing maps $_x) and a series of m ≥ 1 Bell expectation values S = (S_1, …, S_m) are fixed. Our objective is to establish a lower bound of the form

H(K_A|XE) ≥ f(S_1, …, S_m)   (8)

that is device-independent, in the sense that it is satisfied by every quantum strategy Q. For technical reasons, we require f to be a convex function of its arguments.
Relation to the security of DIQKD protocols. In a typical DIQKD protocol, Alice's and Bob's devices are successively used for n rounds. Some of the rounds are used to generate raw key values K_A on Alice's side and K_B on Bob's side. Some of the rounds are used to gather statistical data to decide, based on whether one or several Bell statistics are above some thresholds, if the protocol should be aborted or if it can proceed. In the latter case, error correction and privacy amplification are applied to the final raw key string. Following the application of the entropy accumulation theorem [7], the security of such a generic multi-round protocol can be reduced to deriving a tradeoff bound (8), which can be understood as characterizing the behavior of a single round in expectation. In particular, a tradeoff bound allows one to compute the key rate in the finite-key regime and in the asymptotic one, where it simply reduces to the Devetak-Winter formula [17]

r = H(K_A|XE) − H(K_A|K_B),

where H(K_A|K_B) is the conditional Shannon entropy of the classical random variables K_A and K_B.
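As a sketch of how a tradeoff bound feeds into the asymptotic rate, the following combines the CHSH entropy bound with the Devetak-Winter formula under a simple white-noise model; the model (CHSH value S = 2√2·v and error rate Q = (1 − v)/2 between Alice's key measurement and an aligned key measurement on Bob's side) and the function names are our own illustrative assumptions:

```python
from math import log2, sqrt

def h(x):
    """Binary entropy."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1 - x) * log2(1 - x)

def devetak_winter_rate(v):
    """Asymptotic one-way rate r = H(A_1|E) - H(A_1|K_B) for the basic CHSH
    protocol under white noise with visibility v. Assumed noise model (ours):
    CHSH value S = 2*sqrt(2)*v and error rate Q = (1 - v)/2 between Alice's
    key measurement and an aligned key measurement on Bob's side."""
    S = 2.0 * sqrt(2.0) * v
    H_A1_E = 1.0 - h(0.5 + 0.5 * sqrt(max(S * S / 4.0 - 1.0, 0.0)))
    H_A1_KB = h((1.0 - v) / 2.0)
    return H_A1_E - H_A1_KB
```

At perfect visibility the rate reaches one bit per round; below a threshold visibility the rate turns negative and no key can be extracted by this one-way procedure.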

Reduction to qubits
The lower bounds (8) we aim to derive must be proven valid for any quantum strategy Q = (ρ_ABE, A_1, A_2, B_1, B_2), defined a priori on Hilbert spaces of arbitrary dimension. However, because the strategies we consider involve only two binary measurements for Alice and for Bob, it is well known that it is sufficient, thanks to Jordan's lemma, to consider pure qubit strategies [18]. More specifically, suppose that we have derived a lower bound H(K_A|XE) ≥ f(S) that is valid for any strategy Q = (|Ψ⟩_ABE, A_1, A_2, B_1, B_2) where i) Alice's and Bob's systems are two-dimensional, ii) |Ψ⟩_ABE is a pure state, iii) A_1, A_2, B_1, B_2 are non-degenerate qubit Pauli observables constrained to the Z-X plane of the Bloch sphere, and iv) the function f is convex. Then this lower bound is valid for arbitrary strategies. For details, see for instance [14].
Note that the "2-input/2-output" restriction, which allows us to make this qubit simplification, only applies to Alice's measurements and to those measurements of Bob that are involved in the definition of the Bell functionals S, as these are the only measurements involved in the relation (8). The raw key generation procedure on Bob's side leading to the raw key value K_B can, however, involve further measurement choices with more outputs; see the examples in Section 3. (Note also that if f defines a bound on H(K_A|XE) that is tight, it must necessarily be convex, by concavity of the conditional entropy and because any convex mixture of two strategies defines a valid strategy.)
We now assume the above simplification and present our approach to deriving tradeoff bounds, which follows three technical steps described in the next three subsections.

BB84-type uncertainty relations
The first non-trivial step in our approach is device-dependent and consists in deriving a qubit uncertainty relation akin to those used in the analysis of the standard entanglement-based BB84 protocol and variants of it. Let us illustrate this on several examples. Consider first the simple situation where Alice's raw key bit K_A = A_1 is simply obtained as the outcome of the measurement A_1, i.e., there is no random input choice X and no classical preprocessing. We then have the following bound.

Entropy bound 1 (BB84).

H(A_1|E) ≥ 1 − φ(|⟨Ā_1 ⊗ B⟩|),   (10)

where Ā_1 is a Pauli observable orthogonal to A_1 on the Bloch sphere and B is any given ±1-valued observable on Bob's subsystem.
This bound is simply a reexpression of the one-sided device-independent entropy bound H(Z|E) ≥ 1 − φ(|⟨X ⊗ B⟩|) for the BB84 protocol [19], which relates the information Eve has about the outcome of a Z measurement to how strongly Bob is correlated with the complementary X measurement. The bound (10) directly follows from the fact that A_1 and Ā_1 are orthogonal Pauli operators, which we can identify with the Z and X operators.
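The identification can be checked numerically; the sketch below (our own illustration, using numpy) evaluates the right-hand side 1 − φ(|⟨X ⊗ B⟩|) on the maximally entangled state for different choices of Bob's observable B:

```python
import numpy as np

# Pauli operators and the maximally entangled state |phi+> = (|00> + |11>)/sqrt(2)
Z = np.array([[1.0, 0.0], [0.0, -1.0]])
X = np.array([[0.0, 1.0], [1.0, 0.0]])
phi_plus = np.array([1.0, 0.0, 0.0, 1.0]) / np.sqrt(2)

def h(x):
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * np.log2(x) - (1 - x) * np.log2(1 - x)

def phi(x):
    return h(0.5 + 0.5 * x)

def bb84_bound(psi, B):
    """Right-hand side 1 - phi(|<X (x) B>|) of the BB84-type bound,
    identifying A_1 and A_1bar with Z and X."""
    corr = float(psi @ np.kron(X, B) @ psi)
    return 1.0 - phi(abs(corr))
```

For |φ⁺⟩ and B = X the correlator equals 1 and the bound certifies a full bit of entropy; for B = Z the correlator vanishes and the bound becomes trivial.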
As a second example, let us add noisy preprocessing [15,16] to the raw key procedure: Alice's raw key bit K_A = A_1^q is again the outcome of the measurement A_1, but with probability q she flips it and with probability 1 − q she keeps it as it is.
Entropy bound 2 (BB84 bound with noisy preprocessing).

H(A_1^q|E) ≥ f_q(|⟨Ā_1 ⊗ B⟩|),   (11)

where

f_q(x) = 1 + φ(√((1 − 2q)² + 4q(1 − q)x²)) − φ(x),   (12)

and Ā_1 is a Pauli observable orthogonal to A_1 on the Bloch sphere and B is any given ±1-valued observable on Bob's subsystem.
This again follows by identifying A_1 and Ā_1 with the Z and X operators and reusing a one-sided device-independent bound known for BB84 with noisy preprocessing [14,20].
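Assuming the noisy-preprocessing function f_q(x) = 1 + φ(√((1 − 2q)² + 4q(1 − q)x²)) − φ(x) of [14,20] (our transcription of the bound), its limiting behavior can be sanity-checked numerically:

```python
from math import log2, sqrt

def h(x):
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * log2(x) - (1 - x) * log2(1 - x)

def phi(x):
    return h(0.5 + 0.5 * x)

def f_q(x, q):
    """Noisy-preprocessing BB84 entropy bound (our transcription from [14, 20]):
    reduces to 1 - phi(x) at q = 0 and to the trivial value 1 at q = 1/2."""
    return 1.0 + phi(sqrt((1 - 2 * q) ** 2 + 4 * q * (1 - q) * x * x)) - phi(x)
```

At q = 0 the function reproduces entropy bound 1, and at q = 1/2 the key bit is uniformly random and independent of Eve, so the bound evaluates to 1 for every x.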
The two above bounds were used in [14] to analyze the security of a family of CHSH-based DIQKD protocols. More generally, though, it is also possible to obtain other bounds, such as the two below, which we will apply to other variants of CHSH-based DIQKD protocols in Section 3.

Entropy bound 3 (BB84 with noisy preprocessing and bias).

H(A_1^q|E) ≥ g_q(|⟨A_1⟩|, |⟨Ā_1 ⊗ B⟩|),   (13)

where g_q is the function derived explicitly in Appendix A, Ā_1 is a Pauli observable orthogonal to A_1 on the Bloch sphere, and B is any given ±1-valued observable on Bob's subsystem.
This bound is a refinement of bound 2, as it depends not only on ⟨Ā_1 ⊗ B⟩, but also on the value of the 1-body correlator ⟨A_1⟩, which measures how much Alice's raw output is biased.
Our last example is one where Alice's raw key bit K_A = A_X^q is obtained by choosing the observables A_1 and A_2 with probabilities p and p̄ = 1 − p, respectively, and applying noisy preprocessing with flip probability q to the measurement output. The conditional entropy is then H(A_X^q|XE) = p H(A_1^q|E) + p̄ H(A_2^q|E), and one has the following bound.

Entropy bound 4 (two-basis BB84 with noisy preprocessing).

H(A_X^q|XE) ≥ f_q(√(p⟨Ā_1 ⊗ B⟩² + p̄⟨Ā_2 ⊗ B̄⟩²)),   (17)

where Ā_1, Ā_2 are Pauli observables orthogonal to A_1, A_2 on the Bloch sphere and B, B̄ are any given ±1-valued observables on Bob's subsystem.
The above bounds are essentially similar to those used in the analysis of standard entanglement-based QKD. They are valid for arbitrary entangled states |Ψ⟩_ABE where Alice's and Bob's systems are two-dimensional, and they are expressed in terms of correlators ⟨Ā ⊗ B⟩ between Alice and Bob that involve (contrarily to the device-independent case) specific, fixed observables, such as Ā_1 on Alice's side. As such they can be derived using existing techniques.
We remark that all of these bounds can be derived from bound 3, which we derive in detail in Appendix A. In particular, bound 2 is a special case of bound 3 evaluated with ⟨A_1⟩ = 0 (footnote 4), while bound 1 is obtained by further setting q = 0. Bound 4 follows from bounding both contributions to the average entropy separately using bound 2, and then using that the function f_q(√x) is convex (see [14] for a proof of this property).
Importantly, we also show in Appendix A that all the above bounds satisfy a type of monotonicity property. We say that a bound H(K_A|XE) ≥ f(x) is monotone if H(K_A|XE) ≥ f(x⁻) holds for all x⁻ ≤ x, and similarly in the multivariate case for each variable independently. Note that this monotonicity property is weaker than monotonicity of the function f itself: if the function f is monotonically increasing then the bound H(K_A|XE) ≥ f(x) is monotone, but the converse does not necessarily hold.

Monotonicity property. The entropy bounds (10), (11), (13), and (17) are monotone in this sense. The monotonicity of the bound (13) is established in Appendix A, from which the monotonicity of the other bounds follows (footnote 5). This property will be important in Section 2.3, as it allows replacing in the entropy bounds the correlators on which they depend on the right-hand side by a lower bound on these correlators, and in Section 2.4, where it allows the systematic computation of a convex envelope based on a discrete set of points.

Pauli correlation constraints
The bounds on the conditional entropy H(K_A|XE) that we have given in the previous subsection are expressed in terms of correlators involving observables which are not necessarily accessible through the devices, e.g., the correlator ⟨Ā_1 ⊗ B⟩ involving the observable Ā_1. The second step of our approach consists in deriving a constraint on these correlators in terms of correlators involving only the observables A_1, A_2, B_1, B_2 actually measured by the devices.

Footnote 4: The resulting bound holds independently of the actual value of ⟨A_1⟩ thanks to the monotonicity property discussed below: if we make in bound 3 the replacement |⟨A_1⟩| → 0, we obtain a bound that remains valid.
Footnote 5: In the case of bounds (10), (11), (17), it also follows from the stronger property that the function f_q(x) is monotonically increasing in x, as shown in Appendix B of [14].
For instance, it is a straightforward exercise, see [14], to show the following bound.

Correlation bound 1 (CHSH). There exists a ±1-valued qubit observable B on Bob's subsystem such that

|⟨Ā_1 ⊗ B⟩| ≥ √(S²/4 − 1),   (19)

where S is the CHSH expectation value.
More generally, one can also consider a family of asymmetric versions of the CHSH statistic for which the following bounds are shown in [14].
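The CHSH correlation bound can also be sanity-checked by brute force on random qubit strategies; the following sketch (our own numerical check, not a proof) samples real two-qubit pure states and Z-X plane measurements and verifies that the best B in the Z-X plane achieves |⟨Ā_1 ⊗ B⟩| ≥ √(S²/4 − 1):

```python
import numpy as np

Z = np.array([[1.0, 0.0], [0.0, -1.0]])
X = np.array([[0.0, 1.0], [1.0, 0.0]])

def obs(theta):
    """A +-1-valued qubit observable in the Z-X plane of the Bloch sphere."""
    return np.cos(theta) * Z + np.sin(theta) * X

def check_correlation_bound(n_trials=200, seed=0):
    """Sample random real two-qubit pure states and Z-X plane measurements,
    and check max_B |<A1bar (x) B>| >= sqrt(max(S^2/4 - 1, 0))."""
    rng = np.random.default_rng(seed)
    for _ in range(n_trials):
        psi = rng.normal(size=4)
        psi /= np.linalg.norm(psi)
        ev = lambda M, N: float(psi @ np.kron(M, N) @ psi)
        tA1, tA2, tB1, tB2 = rng.uniform(0.0, 2.0 * np.pi, size=4)
        A1, A2, B1, B2 = obs(tA1), obs(tA2), obs(tB1), obs(tB2)
        S = ev(A1, B1) + ev(A1, B2) + ev(A2, B1) - ev(A2, B2)
        A1bar = obs(tA1 + np.pi / 2.0)  # Pauli observable orthogonal to A1
        # best correlator over observables B in the Z-X plane:
        best = np.hypot(ev(A1bar, Z), ev(A1bar, X))
        if best + 1e-9 < np.sqrt(max(S * S / 4.0 - 1.0, 0.0)):
            return False
    return True
```

Restricting B to the Z-X plane loses nothing here: for real states, correlators with the Y operator vanish, so the maximum over all qubit observables B is attained in that plane.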

Correlation bound 2 (asymmetric CHSH). Let S_α = α(⟨A_1 ⊗ B_1⟩ + ⟨A_1 ⊗ B_2⟩) + ⟨A_2 ⊗ B_1⟩ − ⟨A_2 ⊗ B_2⟩ denote the asymmetric CHSH expression. Then there exists a ±1-valued qubit observable B on Bob's subsystem satisfying the bounds (20) derived in [14].

The correlation bounds (19) and (20) can be derived analytically. More generically, though, one can derive numerical lower bounds on polynomial functions of arbitrary qubit correlators, such as ⟨Ā_1 ⊗ B⟩ or ⟨Ā_2 ⊗ B⟩, in terms of Bell functionals involving only the accessible correlators ⟨A_x ⊗ B_y⟩ (x, y = 0, 1, 2), using the Lasserre hierarchy of semidefinite programming relaxations for polynomial optimization [21,22]. This can be done by parameterizing explicitly all qubit operators in the Z-X plane.
We illustrate this general idea on the specific problem of deriving a lower bound for the expression appearing on the right-hand side of (17) in terms of the CHSH expectation value S. We first recall that we can use any ±1-valued observables B and B̄ in (17). Taking these to be observables of the form cos(ϕ)Z + sin(ϕ)X in the Z-X plane, and then choosing the angles ϕ_B and ϕ_B̄ that maximize (23), we obtain an explicit expression for the right-hand side of (17). We then choose Alice's basis such that (27) holds, with the complementary operators Ā_1 and Ā_2 depending on some unknown angle ϕ_A. Using these in the above expression we obtain, explicitly, (30), where we denote the expectation values of products of Pauli operators by E_xx = ⟨X ⊗ X⟩, and similarly for E_xz, E_zx, and E_zz. We wish to constrain (30) for a given value of the CHSH expectation value S which, in the choice of basis made above, after maximizing over (non-degenerate) ±1-valued observables B_1 and B_2 in the Z-X plane, gives the constraint (32) relating the unknown angle ϕ_A and the Pauli correlations E_xx, E_xz, E_zx, and E_zz appearing in (30).
To complete the problem, we finally remark that E_xx, E_xz, E_zx, and E_zz can be interpreted as expectations of products of the Z and X Pauli operators for some underlying state only if they satisfy the compatibility constraints (33)-(35), as shown in Section 4.3 of [14].
To get a valid lower bound on (40), it is thus sufficient to minimize the left-hand side of (30) given the constraints (32)-(35). The problem can be simplified by introducing new variables: using the trigonometric identity cos²(ϕ_A/2) + sin²(ϕ_A/2) = 1 and the fact that we can drop the absolute values from (32) without substantially changing the problem, we arrive at the following.

Correlation bound 3 (two-basis).
There exist ±1-valued qubit operators B and B̄ acting on Bob's subsystem such that

p⟨Ā_1 ⊗ B⟩² + p̄⟨Ā_2 ⊗ B̄⟩² ≥ E_p(S)²,   (40)

where E_p(S)² is the solution to the minimization problem (41) in the five variables λ, µ, c, s, ∆ ∈ R.
As the above is a polynomial optimization problem, it can be reduced to a sequence of semidefinite programs using the Lasserre hierarchy [21,22]. Importantly, every SDP relaxation at a given order in the hierarchy provides a valid lower bound on the optimization problem and consequently a valid lower bound of the form (40). At level 3 of the Lasserre hierarchy, the problem takes less than a second to solve and appears to already give the optimal solution.
In the case p = 1/2, the above problem can actually be solved analytically, as shown in Appendix B; the result in that case is Eq. (43). Eq. (43) can be rearranged into a root-finding problem for a degree-4 polynomial in x and can thus be solved analytically, though the solution is quite lengthy and we do not report it explicitly here.

Convexity and fully device-independent bounds
Combining the above correlation bounds and the entropy bounds of the previous section, one obtains bounds on the conditional entropy that are device independent modulo the qubit reduction. For instance, using the CHSH correlation bound (19) in the BB84 entropy bound (10), where the substitution of (19) in (10) is possible thanks to the monotonicity property of the BB84 entropy bound, we recover the CHSH entropy bound given in the introduction and originally derived in [3].
Using (20) in the BB84 bound with noisy preprocessing (11), one obtains the more general qubit bound derived in [14]. But other combinations are also possible, such as the following two original ones, which we consider in more detail in Section 3.
The first, which gives a bound on the entropy in terms of ⟨A_1⟩ in addition to CHSH, is simply obtained by combining (19) and (13), yielding the bound (47). For the second, let Ẽ_p(S)² denote any lower bound on E_p(S)² obtained by solving, analytically or numerically, the polynomial optimization problem (41) or any of its relaxations in the Lasserre hierarchy. Using such a bound in (17), we obtain the bound (48).

Convexity analysis
Regardless of the combination used, the result is a bound on the conditional entropy valid for two-qubit systems, which can only be extended to give a fully device-independent bound, valid in arbitrary dimension, if it is convex. The third and final step thus consists of a convexity analysis.
If we obtain a qubit bound on the conditional entropy with a reasonably simple analytic expression, then it may be feasible to study its properties directly. Either we simply prove it is convex, as can be done for (45) and, as was done in [14], for (46) with |α| ≥ 1; or we analytically establish that it is not convex and determine its convex envelope, as was done in [14] for (46) with |α| < 1.
More generally, however, the qubit bound may be obtained numerically or it may be analytic but of a form that does not easily lend itself to an analytic convexity analysis, as is the case for the bounds (47) and (48). In such cases, we need a way of constructing a convex lower bound on whatever qubit bound we obtain.

Convex lower bounds through linear programming
A simple solution that we can use, provided our entropy bounds satisfy the monotonicity property introduced in Subsection 2.2, is based on a discretization of the qubit bound, similar to the approach used in [10]. In the following, let us generically write the bound valid for two-qubit systems as

H(K_A|XE) ≥ f(S),   (49)

where f : D → R is a function of one or more Bell expectation values S = (S_1, S_2, …, S_n) ∈ D that we either know analytically or can compute numerically on its domain D.
Let us introduce a covering K = {K} of the domain D by polytopes {K}, such that every S ∈ D is contained in at least one of the polytopes K. In practice, we would typically use a grid partition in terms of hyperrectangles where each point (outside of vertices and shared edges) is contained in only one hyperrectangle K (but this is not strictly necessary for the method to work).
Let us suppose, furthermore, that for every K we have a way of identifying a value f[K] that we can use as a lower qubit bound on the conditional entropy valid for the entire polytope, i.e., such that

H(K_A|XE) ≥ f[K] for every S ∈ K.   (50)

We can then define a discretized qubit bound H(K_A|XE) ≥ f_K(S), where f_K is defined as f_K(S) = min{f[K] : K ∈ K, S ∈ K}, the minimization being taken over all polytopes K that contain S. This, in particular, associates unique values f_K(S_j) to the vertices S_j of the polytopes. The convex envelope of the discretized function f_K, finally, is readily given by the solution to the following linear programming problem:

maximize α · S + β subject to α · S_j + β ≤ f_K(S_j) for all j,

where the S_j are the combined vertices of all the polytopes K in K. We thus obtain a bound on the conditional entropy that is convex and extends to the fully device-independent setting.

We have not explained, however, how one can identify in (50) the lower-bound values f[K] for each polytope K, which is crucial to define a discretized qubit bound. This can be done if the bound (49) is monotone in |S| = (|S_1|, |S_2|, …, |S_n|), i.e., if the bound still holds when we replace in (49) any of the n Bell expectation values S_i by a value s_i that is smaller in absolute value, |s_i| ≤ |S_i|. This is in particular the case for all the bounds (45)-(48) presented above, since they are obtained by combining the monotone entropy bounds of Subsection 2.2 with the monotonically increasing correlation bounds of Subsection 2.3. Using this monotonicity property, we can now simply divide the domain D into hyperrectangles K and use as the lower-bound value f[K] for each hyperrectangle K the value of the qubit bound evaluated at the corner that is closest to the origin.
Finally, in the special case that we are working with a qubit entropy bound H(K_A|XE) ≥ f(S) of a single variable S, we remark that one can avoid the linear program and compute f_K(S) very rapidly, essentially by eliminating the redundant vertices and interpolating between the remaining ones, as illustrated in Figure 1. This can be done in time linear in the number of vertices [23,24]. We in particular applied this technique to the two-basis bound (48) to compute the key-rate bounds obtained in Section 3.1 below.
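For a single-variable bound, the interpolation step amounts to computing the lower convex hull of the discretized points; a minimal sketch (monotone-chain style, our own implementation) is:

```python
def convex_envelope_1d(xs, ys):
    """Lower convex hull of the discretized bound values (xs sorted ascending).
    The piecewise-linear interpolation of the returned vertices is the convex
    envelope of the points (xs[i], ys[i])."""
    hull = []
    for p in zip(xs, ys):
        # drop the last hull vertex while it lies on or above the segment
        # joining the second-to-last vertex to the new point p
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            if (y2 - y1) * (p[0] - x1) >= (p[1] - y1) * (x2 - x1):
                hull.pop()
            else:
                break
        hull.append(p)
    return hull
```

A single left-to-right pass suffices, so the cost is linear in the number of vertices, matching the complexity quoted above.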

Certifying an affine tradeoff bound
While we can always use the above approach when we have a qubit entropy bound satisfying the monotonicity property, it is not always necessary to solve the linear programming problem to obtain a valid convex lower bound on the conditional entropy. An alternative approach, which would ultimately lend itself to more direct use in the entropy accumulation theorem, is to certify a linear or affine lower bound on the entropy.
Here, let us suppose we believe that the conditional entropy respects an affine lower bound

H(K_A|XE) ≥ β + α · S,   (55)

that we wish to certify up to some precision ε. Such a bound may be obtained, for example, by computing at a particular point the tangent of a function f̃(S) that we believe to be the convex hull of a known qubit bound f(S). As above, we introduce a covering K = {K} of the domain D with polytopes K and assume for every K a lower bound f[K] on the conditional entropy, as defined in (50). We also define

α[K] ≡ max_{S ∈ Vert(K)} α · S,   (56)

where Vert(K) are the vertices of K. To check that (55) holds up to precision ε, we then only need to verify that

β + α[K] ≤ f[K] + ε   (57)

holds for all polytopes K in the covering K, which is now a finite problem. Alternatively, we can compute the maximal value over K of β + α[K] − f[K] to determine the best possible precision ε we can achieve given our covering choice.

An important difference with the linear programming approach above is that we do not necessarily have to decide on a covering K in advance. In fact, this is often very wasteful as, to obtain a good bound with a small tolerance, we would typically find we need a fine discretization of the domain only close to where the bound coincides with its tangent. Finding a suitable discretization can then be done naturally, and in practice often very rapidly, by starting by testing (57) for the polytopes K in an initially coarse covering (which could consist of just one polytope containing the entire domain) and then, for each K for which the test fails, subdividing K into smaller polytopes and recursively applying the test to each of those (see illustration in Figure 2).
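The recursive test is easy to sketch in one dimension for a monotone single-variable bound, where f[K] is the bound evaluated at the left endpoint of each interval (the corner closest to the origin) and the maximum of α·S over the interval is α·hi for α ≥ 0; we illustrate it here on the convex CHSH bound, with all names and the subdivision strategy our own:

```python
from math import log2, sqrt

def h(x):
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * log2(x) - (1 - x) * log2(1 - x)

def f(S):
    """Monotone qubit bound used for illustration: 1 - phi(sqrt(S^2/4 - 1))."""
    return 1.0 - h(0.5 + 0.5 * sqrt(max(S * S / 4.0 - 1.0, 0.0)))

def certify(alpha, beta, lo, hi, eps, depth=0):
    """Certify f(S) >= alpha*S + beta - eps on [lo, hi] by recursive subdivision:
    f(lo) lower-bounds f on the whole interval (monotonicity), while alpha*hi
    upper-bounds alpha*S there (alpha >= 0)."""
    if beta + alpha * hi <= f(lo) + eps:
        return True                      # the finite test holds on this interval
    if beta + alpha * lo - f(lo) > eps or depth > 50:
        return False                     # explicit violation at S = lo (or giving up)
    mid = (lo + hi) / 2.0
    return (certify(alpha, beta, lo, mid, eps, depth + 1)
            and certify(alpha, beta, mid, hi, eps, depth + 1))
```

A tangent line of f is certified with a small ε, the subdivision refining automatically only near the tangency point, while shifting the same line upwards by more than ε is rejected.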
Application to the bound (47) including the bias ⟨A_1⟩. We used this recursive certification method, coupled with a guess on the optimal linear tradeoff functions, for the qubit bound (47), which depends on the two variables ⟨A_1⟩ and S. The function g̃_q(⟨A_1⟩, S) ≡ g_q(|⟨A_1⟩|, √(S²/4 − 1)) defining this bound is not convex, as its Hessian matrix is not positive semidefinite everywhere. It appears, though, to be convex in each of the parameters ⟨A_1⟩ and S individually, and more generally in any direction passing through the positive orthant in the plane ⟨A_1⟩-S. This implies that the convex envelope of g̃_q(⟨A_1⟩, S) can be constructed by considering convex combinations of at most two points in the plane, instead of three points as would follow from Carathéodory's theorem. Indeed, any non-trivial convex combination of three points in the plane ⟨A_1⟩-S would have at least two of those points joined by a segment aligned in a direction of the positive orthant. But since the function is convex in that direction, one can advantageously replace the two points by a mixture of those.

[Figure 2 caption: The point (⟨A_1⟩, S) = (0.5, 2.2) (green point). From this, we can compute a candidate affine function (55) that optimally certifies the entropy of the point (0.5, 2.2). Setting a value for ε, we then run a recursive algorithm to find a rectangle covering, depicted in the figure, that certifies the candidate affine function. We chose a value ε = 0.025 such that the resultant covering is coarse enough that it can be visualized, but much smaller values, e.g., ε ≈ 10⁻⁸ or less, can readily be used.]
Furthermore, if we are interested in computing a valid entropy bound for a point with ⟨A_1⟩ positive, it is sufficient to consider convex combinations in the domain D ⊂ [0, 1] × [2, 2√2] of the plane ⟨A_1⟩-S, i.e., points with negative values of ⟨A_1⟩ can be neglected. To see this, consider a convex combination in which a point (⟨A_1⟩, S) with ⟨A_1⟩ < 0 appears with weight t, yielding a corresponding value for the entropy function that is a valid lower bound for H(A_1^q|E). Replace now this convex combination by the (valid) convex combination in which that point is substituted by (⟨A_1⟩/(1−t), S). The corresponding value for the entropy function is still a valid lower bound for H(A_1^q|E), because of the monotonicity property of the bound and the fact that ⟨A_1⟩/(1−t) ≤ ⟨A_1⟩ (since ⟨A_1⟩ < 0). Finally, we numerically observed that the convex envelope of g̃_q(⟨A_1⟩, S) in the domain [0, 1] × [2, 2√2] was always obtained by taking a convex decomposition of two particular points: the point (1, 2) and a point on the line from (1, 2) to (⟨A_1⟩, S). This observation gives a conjecture for the convex envelope of the qubit bound (47), from which candidate linear tradeoff functions of the form (55) can readily be computed as tangents to this envelope. We can then attempt to certify that such candidates are indeed proper tradeoff functions through a rectangle covering and the recursive procedure described above, as illustrated in Figure 2. We can in principle perform such certification to arbitrary precision ε, though, in practice, we may be limited by the number of rectangles required to reach a very small ε and by the limited precision of hardware floating-point arithmetic on typical computers. The key rates and results presented in Section 3.2 have been computed using this procedure. From our results, it appears that our conjecture on the convex envelope of g̃_q(⟨A_1⟩, S) is correct, as we are always able to certify the resultant linear tradeoff functions up to a precision of the order of ε ≈ 10⁻⁶ or better.

Applications
Here, we apply our method to bound the asymptotic one-way key rate, given by the Devetak-Winter rate for DIQKD, in two situations of interest: white noise, where we assume that Alice and Bob share an attenuated version, depending on some visibility v, of the ideal maximally-entangled state; and limited detection efficiency, where we assume that Alice's and Bob's devices return one of the expected outcomes ±1 with a probability η less than one.
The qubit bound (45) (which is already convex) was used in [3] to compute the key rate of the standard CHSH DIQKD protocol and the convexification of (46) was used in [14] to generalize the analysis in terms of the asymmetric CHSH expressions S α and incorporating noisy preprocessing. We will now illustrate the use of the two other qubit bounds (47) and (48) given in the preceding section, in subsections 3.2 and 3.1, respectively.
In [14], the asymmetric CHSH expressions were chosen for parameter estimation because they retain the same symmetries as the version of the DIQKD protocol where only one of Alice's measurements, A 1 , is used to generate the key and they can be used to derive the optimal one-way key rate for that protocol with respect to white noise. There is no analogous connection between the asymmetric CHSH expressions and losses and, in fact, the lowest threshold, η ≈ 82.57%, on the global detection efficiency reported in [14] was obtained using CHSH (the special case of S α with α = 1).
In the following, we reanalyze these correlation models using different setups. Since [14] already provides an optimal analysis for white noise using one measurement basis for key generation and with noisy preprocessing, the only remaining way to improve the noise robustness is to use a different protocol. For white noise, we therefore apply our approach to a variant of the protocol based on CHSH, proposed recently in [10], in which both of Alice's measurements A₁ and A₂ are used to generate the key. For losses, by contrast, as remarked in [14], the analysis performed there was likely not optimal: the treatment of losses introduces biases in the probabilities of Alice's and Bob's measurement outcomes, while the analytic bound on the entropy used there was optimized for the case where Alice's outcomes are obtained equiprobably. For losses, therefore, we concentrate on bounding the key rate using the expectation value ⟨A₁⟩ of Alice's key-generation measurement in addition to the Bell violation.

White noise analysis for the two-basis protocol
In the two-basis protocol of [10], Alice and Bob ideally share a maximally-entangled state |φ⁺⟩ and have devices that ideally perform two measurements for Alice and four measurements for Bob. This ideal realization is designed so that the measurements A₁, A₂, B₁, and B₂ yield a maximal violation of the CHSH Bell inequality, while Bob's measurements B₃ and B₄ yield outcomes that are perfectly correlated with Alice's when she measures, respectively, A₁ and A₂. In the protocol, Alice and Bob use the rounds where Bob measures B₁ or B₂ to estimate CHSH; they use a small fraction of the rounds where Bob measures B₃ or B₄ to estimate how correlated the outcomes are with A₁ and A₂, and use the results of the remaining rounds, where Alice and Bob measured A₁ and B₃ or A₂ and B₄, as their raw key. We also assume in the following that Alice flips her outcomes in the key-generation rounds (i.e., applies noisy preprocessing) with some probability q.
Let us suppose that Alice uses the measurements A₁ and A₂ with probabilities p and p̄ = 1 − p and that Bob uses the measurements B₃ and B₄ with the same relative probabilities. Then, out of the rounds not used for parameter estimation, the asymptotic key rate, taking into account the effect of sifting⁶, is r = p² r₁₃ + p̄² r₂₄ = (p² + p̄²)(p′ r₁₃ + p̄′ r₂₄), where r₁₃ = H(A₁^q|E) − H(A₁^q|B₃) and r₂₄ = H(A₂^q|E) − H(A₂^q|B₄) are the Devetak-Winter rates of the two key-generation basis pairs, and we introduced p′ = p²/(p² + p̄²) and p̄′ = 1 − p′ in the second line. Here, H(A₁^q|B₃) and H(A₂^q|B₄) depend only on the correlations between Alice's and Bob's measurement outcomes, which they know from parameter estimation. Assuming Alice and Bob perform the ideal measurements on an attenuated state (63), the entropies of Alice's outcomes conditioned on Bob's are determined by the channel error rate δ, which is related to the visibility v in (63) by v = 1 − 2δ, while the CHSH expectation value is S = 2√2(1 − 2δ). Bounding the key rate thus amounts to establishing a lower bound on the weighted average conditional entropy p′ H(A₁^q|E) + p̄′ H(A₂^q|E) depending on the CHSH violation. A valid qubit bound in terms of the CHSH expectation value S is given by (48), from which a valid, fully device-independent, convex lower bound can be obtained using the techniques discussed in Section 2.4.2.
⁶ In particular, the key rate is attenuated by the probability p² + p̄² that Alice and Bob use matching bases. It has been pointed out in [11] that this can be avoided, but this requires the parties to either possess quantum memories or to use a very long preshared key to coordinate the measurement choices.
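As a small numerical sanity check of the sifting factors above, the following Python sketch combines the per-basis rates r₁₃ and r₂₄ into the sifted rate r = (p² + p̄²)(p′ r₁₃ + p̄′ r₂₄); the function name is ours, not from the paper's published code.

```python
def sifted_rate(p, r13, r24):
    """Asymptotic key rate after sifting, when Alice and Bob choose
    their two key-generation bases with probabilities p and 1 - p."""
    pbar = 1.0 - p
    match = p**2 + pbar**2       # probability of matching bases
    pp = p**2 / match            # conditional weight p' of the (A1, B3) pair
    return match * (pp * r13 + (1.0 - pp) * r24)
```

For p = 1/2 the bases match half the time and the two per-basis rates are weighted equally, so the sifted rate is their average divided by two; for p = 1 only the (A₁, B₃) pair survives and the rate is r₁₃ with no sifting loss.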
We can thus express the bound we obtain on the key rate, via CHSH, in terms of δ using our approach as in Eq. (73), where f̃_q(S) is the convex lower bound we obtain for the entropy, evaluated at S = 2√2(1 − 2δ). We remark here that we could, in principle, bound the average entropy in terms of any correlation Bell inequality. We use only the CHSH expectation value here both for simplicity and because, in the most interesting case where the bases are used equiprobably (i.e., p = 1/2), we can infer from the symmetries of the protocol that CHSH is already the optimal measure of nonlocality for white noise (see Appendix C for details).
The key rates we obtain using our approach for p = 0.5 and p = 0.75 are illustrated, and compared with the known analytic bounds for p = 1, both without noisy preprocessing (i.e., q = 0) and with the optimal amount of noisy preprocessing applied, in Figures 3 and 4. The threshold noise rates up to which we obtain a positive key rate are reported for different values of q in Table 1. For q = 0 and q close to 1/2, the results essentially provide a rigorous confirmation of the thresholds of 8.36% and 9.24% that it was anticipated could be obtained in the conclusion of [14]. For 1/2 < p < 1, similar to [10], we did not see any improvement to the key rate; the highest rate appeared to always be obtained with either p = 1 or p = 1/2, depending on the value of S. However, as it may not be realistic to guarantee that the measurements are used exactly equiprobably in a real implementation, it is important to be able to bound the entropy for values of p that deviate a little from 0.5. The key rate is in fact very robust against such deviations, as can be seen by comparing the results for p = 0.5 and p = 0.75 in Figures 3 and 4.
The best threshold of 9.24%, obtained for q close to 1/2 using our method, is close to the best threshold of 9.33% recently reported in [11] and obtained for q = 0.3, although the method we have used allows the key rate to be bounded much more rapidly⁷. Without noisy preprocessing, the threshold of 8.36% we obtain is slightly better than the threshold of around 8.24% found in [10] and the same as the threshold that would be obtained using the "conjectured alternative proof" (after taking the convex envelope of the result) proposed in section I.H of the supplementary information to the same paper⁸.
⁷ Ref. [11] reports requiring ∼5000 processor-core hours to obtain a numerical bound on the average conditional entropy. For comparison, using our method we could generate a plot of the conditional entropy with 500 points in a minute or two on a regular laptop using the Lasserre hierarchy, or almost instantaneously using the analytic method for p = 1/2 described in Appendix B.
Table 1: Threshold error rates (%) obtained for different probabilities p of measuring A₁, after sifting of non-matching bases.
⁸ That approach bounds the key rate using a lower bound on the conditional entropy in terms of the fidelity of Eve's marginal states. This is very closely related to the BB84 bound [25] and, in fact, all of the lower bounds we derive on the correlation terms |⟨Āₓ ⊗ B⟩| appearing in the BB84 bounds we use are also (typically tight) lower bounds on the fidelity of Eve's marginals following the qubit reduction.
We provide an indication of how close the key-rate bound we obtain in the case p = 1/2 is to being optimal by comparing with a specific strategy, described in Appendix D, which was already identified in [14] as a likely candidate for the optimal collective attack for q = 0. This attack yields the value (74) for the average entropy, where f_q(x) is defined in Eq. (12).
The results of numerical tests done without noisy preprocessing in [14] and [26] strongly suggest that (74) actually gives the optimal bound on the average entropy for q = 0. Additional tests we did for this work did not find a counterexample for q = 0. But even without a proof of optimality, as (74) is obtained from a known collective attack, it gives an upper bound on the one-way asymptotic key rate with noisy preprocessing. A comparison of the key rates, optimized over q, using our numerical lower bound (already given in Figure 4) and using (74) is given in Figure 5 and shows the two to be very close. The threshold error rate obtained using (74) ranges from δ ≈ 8.4447% for q = 0 up to δ ≈ 9.4756% for q → 1/2, and is compared with the threshold obtained using our numerical method in Figure 6.
Figure 6: Thresholds for the channel error rate as a function of the noisy preprocessing probability, computed using the conjectured optimal attack and our lower bound on the conditional entropy.

More refined loss analysis exploiting bias
Here, we consider a setup where the main imperfection is that Alice's and Bob's devices have a detection efficiency that is less than perfect: in each protocol round, each of their devices outputs one of the regular outcomes ±1 with probability η and outputs nothing, i.e., a "nondetection" outcome ∅, with probability 1 − η. In order to use our approach, which strictly applies to protocols in which the measurements in the Bell test have binary outcomes, we map nondetection events resulting from the measurements A₁, A₂, B₁, and B₂ used to perform the Bell test to +1.
In this case we consider the usual, single-basis, version of the DIQKD protocol, but with different states and measurements. Similar to the Eberhard scheme [27], we suppose that Alice and Bob (ideally) share a partially-entangled two-qubit state cos(θ)|00⟩ + sin(θ)|11⟩ and that they (ideally) perform, respectively, the two and three measurements Aₓ = cos(ϕ_{A,x})Z + sin(ϕ_{A,x})X, x = 1, 2, and B_y = cos(ϕ_{B,y})Z + sin(ϕ_{B,y})X, y = 1, 2, 3, (79) determined by angles ϕ_{A,x} and ϕ_{B,y} that we will optimize over, together with θ, when bounding the key rate⁹. Alice and Bob use the measurements A₁, A₂, B₁, and B₂ to estimate the CHSH expectation value and use A₁ and B₃ to generate the key.
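To make the loss model concrete, the following Python/NumPy sketch evaluates the CHSH value for a partially-entangled state cos(θ)|00⟩ + sin(θ)|11⟩ and measurements cos(ϕ)Z + sin(ϕ)X when each side maps its nondetections (probability 1 − η) to +1. The function names are ours; the only modelling step is that mapping ∅ to +1 with independent detections replaces each local observable O by the effective observable ηO + (1 − η)𝟙. With maximal entanglement, the standard CHSH angles, and η = 1, the sketch recovers S = 2√2.

```python
import numpy as np

Z = np.diag([1.0, -1.0])
X = np.array([[0.0, 1.0], [1.0, 0.0]])
I2 = np.eye(2)

def obs(phi):
    """Qubit observable cos(phi) Z + sin(phi) X."""
    return np.cos(phi) * Z + np.sin(phi) * X

def psi(theta):
    """Partially-entangled state cos(theta)|00> + sin(theta)|11>."""
    ket0, ket1 = np.array([1.0, 0.0]), np.array([0.0, 1.0])
    return np.cos(theta) * np.kron(ket0, ket0) + np.sin(theta) * np.kron(ket1, ket1)

def corr(state, OA, OB, eta):
    """<A x B> with nondetections (prob. 1 - eta per side) mapped to +1:
    each local observable O becomes eta*O + (1 - eta)*Id."""
    EA = eta * OA + (1.0 - eta) * I2
    EB = eta * OB + (1.0 - eta) * I2
    return state @ np.kron(EA, EB) @ state

def chsh(theta, phiA, phiB, eta):
    """CHSH value S = E(1,1) + E(1,2) + E(2,1) - E(2,2) with losses."""
    s = psi(theta)
    E = lambda x, y: corr(s, obs(phiA[x]), obs(phiB[y]), eta)
    return E(0, 0) + E(0, 1) + E(1, 0) - E(1, 1)
```

The bias of Alice's key-generation measurement after the +1 mapping is obtained the same way: ⟨A₁⟩ = η⟨ψ|A₁ ⊗ 𝟙|ψ⟩ + (1 − η), which is nonzero even for unbiased qubit measurements whenever η < 1.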
As we are only considering the usual single-basis version of the protocol, the asymptotic key rate is r = H(A₁^q|E) − H(A₁^q|B₃), where the Shannon entropy of Alice's outcome conditioned on Bob's, H(A₁^q|B₃), depends on the joint probability p(a, b) that Alice obtains the outcome a ∈ {+1, −1} from measuring A₁, after mapping nondetection events to +1 and flipping the result with probability q, and Bob obtains the outcome b ∈ {+1, −1, ∅} from measuring B₃, possibly obtaining the loss outcome ∅ with probability 1 − η.
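The error-correction term H(A₁^q|B₃) can be evaluated directly from the joint distribution p(a, b), keeping Bob's nondetection ∅ as a third symbol, via H(A|B) = H(A, B) − H(B). A minimal Python helper (the dict representation of p(a, b) is our choice, not the paper's):

```python
from math import log2

def cond_entropy(p_joint):
    """H(A|B) = H(A,B) - H(B) for a joint distribution given as a
    dict {(a, b): probability}; b may include a no-click symbol."""
    h_joint = -sum(p * log2(p) for p in p_joint.values() if p > 0)
    p_b = {}
    for (a, b), p in p_joint.items():
        p_b[b] = p_b.get(b, 0.0) + p   # marginal of Bob's outcome
    h_b = -sum(p * log2(p) for p in p_b.values() if p > 0)
    return h_joint - h_b
```

For perfectly correlated outcomes, p(+1, +1) = p(−1, −1) = 1/2, the conditional entropy vanishes; for uncorrelated uniform outcomes it equals one bit.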
To bound the key rate we need to bound H(A₁^q|E). As mentioned above, mapping nondetection events deterministically to +1 and deliberately using a partially-entangled state bias Alice's and Bob's measurements toward giving one of the outcomes more frequently than the other. We can exploit this by taking into account the expectation value ⟨A₁⟩ of Alice's key-generation measurement, in addition to the CHSH expectation value S, to derive a better lower bound on the entropy.
The expectation value ⟨A₁⟩ can be taken into account using the qubit bound (47) and the convexification procedure discussed at the end of Section 2.4.3 and illustrated in Figure 2. Using this approach, we optimized the key rate numerically over the angles ϕ_{A,x}, ϕ_{B,y}, and θ. The optimized key rates, both assuming no noise and assuming a white-noise error rate of δ = 0.5%, are shown for q = 0 and for optimized q in Figure 7.
As one can see in the figure, the highest key rate is very small over a significant range of global detection efficiencies close to the threshold, as it is obtained for values of q close to 1/2 and very weakly entangled states. Due to this, the threshold detector efficiency above which a positive key rate can be certified is very sensitive and, for example, significantly worsened by the addition of even a small amount of depolarizing noise. To illustrate this, we plot the threshold global detection efficiency as a function of the error rate δ in Figure 8, where a comparison is provided with the earlier results of [14] using the analytic entropy bound for the asymmetric CHSH expressions. Table 2 gives the thresholds on the detection efficiency that we find using our approach for different values of q, assuming no additional noise. We include in the table both the thresholds for which we can certify a positive key rate and the ones obtained using our conjecture regarding the convex envelope of the qubit bound. The small discrepancy between the two values, particularly for larger values of q, is due to the difficulty of numerically certifying the key rate accurately when the key rate becomes very small (the key rate for the last column of Table 2 is of order 10⁻¹²). Indeed, certifying the entropy to very high precision using a discretized qubit bound requires a very dense covering, which at some point becomes too time-consuming computationally.
This issue, however, only affects the certification of extremely small asymptotic key rates, such as the long tail observed in Figure 7, which are probably too low to be of practical value and likely to be dwarfed by the difference made by even small amounts of noise or by corrections due to finite-key effects. To illustrate this, in Table 3 we report the detection efficiency thresholds in the presence of a channel noise rate of δ = 0.5%. In this case, the thresholds using the conjectured convex envelope and those that can be properly certified are the same up to the precision to which we report the results. Finally, we remark that the qubit bound (47) is tight in ⟨A₁⟩ and S for all q, as there is an explicit attack, described in Appendix E, that saturates it. Our conjecture regarding the convex envelope of the qubit bound therefore represents a valid attack yielding upper bounds on the key rate (as it corresponds to an explicit mixture of two-qubit strategies). Consequently, the certified bounds that we report in Table 3 are, up to the precision we use, optimal in terms of ⟨A₁⟩ and S, and the second line of Table 2 corresponds to the minimal detection thresholds one can hope to attain using only information about ⟨A₁⟩ and S.

Discussion
Building on [14], we have introduced a flexible approach for deriving practical and fully device-independent bounds on the key rate for DIQKD in the 2-input/2-output setting. We have applied it to the two-basis variant of the CHSH DIQKD protocol as well as to a more optimized analysis of the single-basis variant when the main anticipated experimental imperfection is losses. In contrast to [14], we used numerical methods to solve part of the problem in both cases and obtained optimal or close-to-optimal bounds on the conditional entropy in very little computation time. The results may be used to derive bounds on the key rate in the asymptotic limit or in the finite-key regime via the entropy accumulation theorem. They may also be useful as a point of comparison for different numerical approaches used to bound the conditional entropy in the device-independent setting.
When considering losses, we found that the global detection efficiency threshold can be brought below 80.26%. This is notably below the detection efficiency of 87.49% attained in the recent experimental demonstration of device-independent quantum key distribution based on a photonic setup [6]. As we remarked in the previous section, however, our threshold is attained using a very weakly entangled state and increases significantly if any realistic amount of noise is added to the model we studied. (Separately, a finite-key analysis would likely have the same effect.) While we were writing this manuscript, a promising new numerical method to bound the conditional entropy in general DI scenarios was proposed [13]. Our detection threshold, derived using only the expectation value ⟨A₁⟩ of Alice's key-generation measurement in addition to CHSH, is slightly lower than the threshold of 80.5% reported in [13] using full statistics. This is not a limitation of the method of [13], but rather a matter of suboptimal state and measurement implementation parameters being used in that work. Indeed, running their method on the correlations achieving the threshold of 80.2593% in Table 2, the authors of [13] confirmed to us that they also find a positive key rate [28] (though, again, using full statistics instead of only ⟨A₁⟩ and S). This illustrates the interest of having complementary methods. While [13] can in principle be used to tackle very general problems, our method, specializing in the 2-input/2-output scenario, allows us to rapidly explore the parameter space to find a good implementation. Moreover, there exist scenarios in which our analysis can provide slightly better bounds than the numerical method, as one can observe from [13, Figure 6b].
A recent result [29] obtained lower bounds on the key rate in the finite-size case without the use of the entropy accumulation theorem in the 2-input/2-output scenario. It might be interesting to investigate whether our results, involving different parameters to bound the conditional von Neumann entropy, can be used in combination with their technique.
Finally, although we discussed in detail two specific examples illustrating our approach to bounding the conditional von Neumann entropy, we point out that other bounds can be derived. For instance, we could combine the BB84-type bound (13) using bias with the correlation bound (20) in terms of the asymmetric CHSH expectations. As suggested by Figure 8, this should slightly improve the analysis presented here (at least for larger amounts of noise δ). One could also, much more generally, use numerical techniques [30] to derive more stringent device-dependent bounds on the conditional von Neumann entropy and combine them with correlation bounds involving full statistics obtained through relaxations of the Lasserre hierarchy. Our method can also in principle be applied to the n-partite setting, e.g., to derive entropy bounds based on Mermin-type Bell inequalities [31,32].
The code used to obtain the numerical results in this paper is available on GitHub [33].

A Derivation of BB84 bound with bias
The BB84 entropy bound (13) is a generalization of the two bounds (10) and (11), which give the special cases of (13) with ⟨A₁⟩ = 0, and with both ⟨A₁⟩ = 0 and no noisy preprocessing (q = 0), respectively. It can be derived, in a way that also confirms the monotonicity property, essentially by modifying the symmetrization step in the derivation done in section 4.2 of [14]. We do this in detail here.
As in the derivation of [14], we suppose that Alice, Bob, and Eve share a pure tripartite state |Ψ⟩ = |0⟩|ψ₀⟩ + |1⟩|ψ₁⟩, where |0⟩ and |1⟩ are the eigenstates of A₁, which we identify here with Z, and |ψ₀⟩ and |ψ₁⟩ are arbitrary (and not necessarily orthogonal) states shared by Bob and Eve, normalized so that ⟨ψ₀|ψ₀⟩ + ⟨ψ₁|ψ₁⟩ = 1.
After Alice measures A₁ = Z and flips the outcome with probability q, the correlations between Alice and Eve are described by a classical-quantum state, which we rewrite in terms of (unnormalized) states. This state can be obtained as the marginal of an extended one, where |χ_=⟩, |χ_≠⟩ ∈ H_B ⊗ H_E ⊗ H_{E′} ⊗ H_F ⊗ H_{F′} are unnormalized pure states, with |χ_=⟩ = √p̄ |ψ₀⟩|φ₀⟩|00⟩ + √p |ψ₁⟩|φ₁⟩|11⟩, (93) in which the states |φ₀⟩ and |φ₁⟩ are defined in terms of a Hermitian unitary operator B (thus satisfying B² = 𝟙_B) acting on H_B and a phase ϕ chosen such that ⟨ψ₀|ψ₁⟩ is real and nonnegative, and are normalized states chosen to have some nonnegative real overlap ⟨φ₀|φ₁⟩ = λ_X ∈ [0, 1].