Generalised Entropy Accumulation

Abstract

Consider a sequential process in which each step outputs a system $A_i$ and updates a side information register E. We prove that if this process satisfies a natural “non-signalling” condition between past outputs and future side information, the min-entropy of the outputs $A_1,\cdots ,A_n$ conditioned on the side information E at the end of the process can be bounded from below by a sum of von Neumann entropies associated with the individual steps. This is a generalisation of the entropy accumulation theorem (EAT) (Dupuis et al. in Commun Math Phys 379: 867–913, 2020), which deals with a more restrictive model of side information: there, past side information cannot be updated in subsequent rounds, and newly generated side information has to satisfy a Markov condition. Due to its more general model of side-information, our generalised EAT can be applied more easily and to a broader range of cryptographic protocols. As examples, we give the first multi-round security proof for blind randomness expansion and a simplified analysis of the E91 QKD protocol. The proof of our generalised EAT relies on a new variant of Uhlmann’s theorem and new chain rules for the Rényi divergence and entropy, which might be of independent interest.

Introduction

Suppose that Alice and Eve share a quantum state ${\rho }_{A^{n}E}$. From her systems $A^n:=A_1\cdots A_n$, Alice would like to extract bits that look uniformly random to Eve, except with some small failure probability $\epsilon$ [1]. The number of such random bits that Alice can extract is given by the smooth min-entropy $H_{\text{min}}^{\epsilon }{(A^n|E)}_{\rho }$ [2]. This quantity plays a central role in quantum cryptography: for example, the main task in security proofs of quantum key distribution (QKD) protocols is usually finding a lower bound for the smooth min-entropy.

Unfortunately, for many cryptographic protocols deriving such a bound is challenging. Intuitively, the reason is the following: the state ${\rho }_{A^{n}E}$ is usually created as the output of a multi-round protocol, where each round produces one of Alice’s systems $A_i$ and allows Eve to execute some attack to gain information about $A_1,\cdots ,A_i$. These attacks can depend on each other, i.e., Eve may use what she learnt in round $i-1$ to plan her attack in round i. This non-i.i.d. nature of the attacks makes it hard to find a lower bound on $H_{\text{min}}^{\epsilon }{(A^n|E)}_{\rho }$ that holds for any possible attack that Eve can execute. In contrast, it is typically much easier to compute a conditional von Neumann entropy associated with a single-round of the protocol, where the non-i.i.d. nature of Eve’s attack plays no role. Therefore, it is desirable to relate the smooth min-entropy of the output of the multi-round protocol to the von Neumann entropies associated with the individual rounds.

From an information-theoretic point of view, this question can be phrased as follows: can the smooth min-entropy $H_{\text{min}}^{\epsilon }{(A^n|E)}_{\rho }$ be bounded from below in terms of von Neumann entropies $H{(A_i|E_i)}_{{\rho }_{A_i{E}_i}^i}$ for some (yet to be determined) systems $E_i$ and states ${\rho }_{A_i{E}_i}^i$ related to $\rho$? While for general states ${\rho }_{A^{n}E}$ no useful lower bound can be found, previous works have established such bounds under additional assumptions on the state ${\rho }_{A^{n}E}$.

The first bound of this form was proven via the asymptotic equipartition property (AEP) [3]. It assumes that the system E is n-partite (i.e., we replace E by $E^n=E_1\cdots E_n$) and that the state ${\rho }_{A^n{E}^n}={\rho }_{A_1{E}_1}\otimes \cdots \otimes {\rho }_{A_n{E}_n}$ is a product of identical states. Then, the AEP shows that1

$$\begin{array}{c}\hfill H_{min}^{\epsilon }{(A^n|E^n)}_{\rho }\ge \sum _{i=1}^{n}H{(A_i|E_i)}_{\rho }-O(\sqrt{n}).\end{array}$$

For applications in cryptography, the assumption that $\rho$ is an i.i.d. product state is usually too strong: it corresponds to the (unrealistic) assumption that Eve executes the same independent attack in each round, a so-called collective attack.

The entropy accumulation theorem (EAT) [1] is a generalisation of the AEP which requires far weaker assumptions on the state ${\rho }_{A^{n}E}$. Specifically, the EAT considers states that result from a sequential process that starts with a state ${\rho }_{R_0{E}^{\prime }}^0$ and in every step outputs a system $A_i$ and a piece of side information $I_i$. The system $E^{\prime }$ is not acted upon during the process. The full side information at the end of this process is $E=I_1\cdots I_n{E}^{\prime }$. We can represent such a process by the following diagram, where ${\mathcal{M}}_i$ are quantum channels. The EAT requires an additional condition on the side information: the new side information $I_i$ generated in round i must be independent from the past outputs $A^{i-1}$ conditioned on the existing side information $I^{i-1}{E}^{\prime }$. Mathematically, this is captured by the condition that the systems $A^{i-1}\leftrightarrow I^{i-1}{E}^{\prime }\leftrightarrow I_i$ form a Markov chain for any initial state ${\rho }_{R_0{E}^{\prime }}^0$. With this Markov condition, the EAT states that2

$$\begin{array}{c}\hfill H_{min}^{\epsilon }{(A^n|I^n{E}^{\prime })}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}^{\prime }}^0)}\ge \sum _{i=1}^n\underset{\omega }{inf}H{(A_i|I_i\tilde{E})}_{{\mathcal{M}}_i(\omega )}-O(\sqrt{n}),\end{array}$$ 1.1

where $\tilde{E}$ is a purifying system isomorphic to $R_{i-1}$ and the infimum is taken over all states $\omega$ on systems $R_{i-1}\tilde{E}$.3

Let us discuss the model of side information used by the EAT in more detail. The EAT considers side information consisting of two parts: the initial side information $E^{\prime }$ (which is not acted upon during the process) and the outputs $I^n=I_1\cdots I_n$. This splitting of side information into a “static” part $E^{\prime }$ and a part $I^n$ which is generated in each step of the process is particularly suited to device-independent cryptography: there, Eve prepares a device in an initial state ${\rho }_{R_0{E}^{\prime }}^0$, where $R_0$ is the device’s internal memory and $E^{\prime }$ is Eve’s initial side information from preparing the device. Then, Alice (and Bob, though we only consider Alice’s system here) executes a multi-round protocol with this device, where each round leaks some additional piece of information $I_i$ to Eve, so that Eve’s side information at the end of the protocol is $I^n{E}^{\prime }$. Indeed, the EAT has been used to establish tight security proofs in the device-independent setting, see e.g., [4, 5].

The Markov condition in the EAT captures the following intuition: if we want to find a bound on $H_{min}^{\epsilon }(A^n|I^n{E}^{\prime })$ in terms of single-round quantities, it is required that side information about $A_i$ is itself output in step i, as otherwise we cannot hope to estimate the contribution to the total entropy from step i. To illustrate what could happen without such a condition, consider a case where $A_i$ is classical and no side information is output in the first $n-1$ rounds, but the side information $I_n$ in the last round contains a copy of the systems $A^n$ (which can be passed along during the process in the systems $R_i$). Then, clearly $H_{min}^{\epsilon }(A^n|I^n{E}^{\prime })=0$, but for the first $n-1$ rounds, each single-round entropy bound that only considers the systems $A_i$ and $I_i$ can be positive.

Main result In this work, we further relax the assumptions on how the final state ${\rho }_{A^{n}E}$ is generated. Specifically, we consider sequential processes as in the EAT, but with a fully general model of side information, i.e., the side information can be updated in each step in the process. Diagrammatically, such a process can be represented as follows:

Our generalised EAT then states the following.

Theorem 1.1

Consider quantum channels ${\mathcal{M}}_i:R_{i-1}{E}_{i-1}\to A_i{R}_i{E}_i$ that satisfy the following “non-signalling” condition (discussed in detail below): for each ${\mathcal{M}}_i$, there must exist a quantum channel ${\mathcal{R}}_i:E_{i-1}\to E_i$ such that

$$\begin{array}{c}\hfill {\text{Tr}}_{A_i{R}_i}\circ {\mathcal{M}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}.\end{array}$$ 1.2

Then, the min-entropy of the outputs $A^n$ conditioned on the final side information $E_n$ can be bounded as

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0}^0)}\ge \sum _{i=1}^n\underset{\omega }{inf}H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}-O(\sqrt{n}),\end{array}$$ 1.3

where ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$ is a purifying system for the input to ${\mathcal{M}}_i$ and the infimum is taken over all states $\omega$ on systems $R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}$.4

We give a formal statement and proof in Sect. 4 and also show that, similarly to the EAT, statistics collected during the process can be used to restrict the minimization over $\omega$ (see Theorem 4.3 for the formal statement). By a simple duality argument, Eq. (1.3) also implies an upper bound on the smooth max-entropy $H_{\text{max}}$, which we explain in Appendix A. This generalises a similar result from [1], although in [1] one could not make use of duality due to the Markov condition and instead had to prove the statement about $H_{\text{max}}$ separately, again highlighting that our generalised EAT is easier to work with.

The intuition behind the non-signalling condition in our generalised EAT is similar to the Markov condition in the original EAT: by the same reasoning as for the Markov condition, since the lower bound is made up of terms of the form $H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}$, it is required that side information about $A_i$ that is present in the final system $E_n$ is already present in $E_i$. This means that side information about $A_i$ should not be passed on via the R-systems and later be included in the E-systems. The non-signalling condition captures this requirement: it demands that if one only considers the marginal of the new side information $E_i$ (without the new output $A_i$), it must be possible to generate this state from the past side information $E_{i-1}$ alone, without access to the system $R_{i-1}$. This means that any side information that $E_i$ contains about the past outputs $A_1\cdots A_{i-1}$ must have essentially already been present in $E_{i-1}$ and could not have been stored in $R_{i-1}$.

The name “non-signalling condition” is due to the fact that Eq. (1.2) is a natural generalisation of the standard non-signalling conditions in non-local games: if we view the systems $R_{i-1}$ and $R_i{A}_i$ as the inputs and outputs on “Alice’s side” of ${\mathcal{M}}_i$, and $E_{i-1}$ and $E_i$ as the inputs and outputs on “Eve’s side”, then Eq. (1.2) states that the marginal of the output on Eve’s side cannot depend on the input on Alice’s side. This is exactly the non-signalling condition in non-local games, except that here the inputs and outputs are allowed to be fully quantum.

To understand the relation between the Markov and non-signalling conditions, it is instructive to consider the setting of the original EAT as a special case of our generalised EAT. In the original EAT, the full side information available after step i is $E^{\prime }{I}^i$, and past side information is not updated during the process. For our generalised EAT, we therefore set $E_i=E^{\prime }{I}^i$ and consider maps ${\mathcal{M}}_i={\mathcal{M}}_i^{\prime }\otimes {\text{id}}_{E_{i-1}}$, where ${\mathcal{M}}_i^{\prime }:R_{i-1}\to A_i{I}_i{R}_i$ is the map used in the original EAT. We need to check that with this choice of systems and maps, the Markov condition of the original EAT implies the non-signalling condition of our generalised EAT. The Markov condition requires that for any state input ${\omega }_{A^{i-1}{I}^{i-1}{R}_{i-1}{E}^{\prime }}^{i-1}$, the output state ${\omega }_{A^i{I}^i{R}_i{E}^{\prime }}^i={\mathcal{M}}_i({\omega }^{i-1})$ satisfies $A^{i-1}\leftrightarrow I^{i-1}{E}^{\prime }\leftrightarrow I_i$.5 It is then a standard result on quantum Markov chains [6] that there must exist a quantum channel ${\mathcal{R}}_i:I^{i-1}{E}^{\prime }\to I^i{E}^{\prime }$ such that ${\omega }_{I^i{E}^{\prime }}^i={\mathcal{R}}_i({\omega }_{I^{i-1}{E}^{\prime }}^{i-1})$. Remembering that we defined $E_i=E^{\prime }{I}^i$ (so that ${\mathcal{R}}_i:E_{i-1}\to E_i$) and adding the systems $A^{i-1}$ (on which both ${\mathcal{M}}_i$ and ${\mathcal{R}}_i$ act as identity), we find that ${\mathcal{M}}_i$ satisfies the non-signalling condition:

$$\begin{array}{c}\hfill {\text{Tr}}_{A_i{R}_i}\circ {\mathcal{M}}_i({\omega }_{A^{i-1}{R}_{i-1}{E}_{i-1}}^{i-1})={\omega }_{A^{i-1}{E}_i}^i={\mathcal{R}}_i({\omega }_{A^{i-1}{E}_{i-1}}^{i-1})={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}({\omega }_{A^{i-1}{R}_{i-1}{E}_{i-1}}^{i-1}).\end{array}$$

Then, noting that all conditioning systems on which ${\mathcal{M}}_i$ acts as the identity map can collectively be replaced by a single purifying system isomorphic to the input, we see that we recover the original EAT (Eq. (1.1)) from our generalised EAT (Eq. (1.3)).

We emphasise that while the original EAT with the Markov condition can be recovered as a special case, our model of side information and the non-signalling condition are much more general than the original EAT; arguably, for a sequential process they are the most natural and general way of expressing the notion that future side information should not contain new information about past outputs, which appears to be necessary for an EAT-like result. To demonstrate the greater generality of our result, in Sect. 5 we use it to give the first multi-round proof for blind randomness expansion, a task to which the original EAT could not be applied, and a more direct proof of the E91 QKD protocol than was possible with the original EAT. Our generalised EAT can also be used to prove security of a much larger class of QKD protocols than the original EAT. Interestingly, for (device-dependent) QKD protocols, no “hidden system” R is needed and therefore the non-signalling condition is trivially satisfied, i.e., the advantage of our generalised EAT for QKD security proofs stems entirely from the more general model of side information, not from replacing the Markov condition by the non-signalling condition; see Sect. 5.2 for an informal comparison of how the original and generalised EAT can be applied to QKD, and [7] for a detailed treatment of the application of our generalised EAT to QKD, including protocols to which the original EAT could not be applied.

Proof sketch. The generalised EAT involves both the min-entropy, which can be viewed as a “worst-case entropy”, and the von Neumann entropy, which can be viewed as an “average case entropy”. These two entropies are special cases of a more general family of entropies called Rényi entropies, which are denoted by $H_{\alpha }$ for a parameter $\alpha >1$ (see Sect. 2.2 for a formal definition).6 The min-entropy can be obtained from the Rényi entropy by taking $\alpha \to \infty$, whereas the von Neumann entropy corresponds to the limit $\alpha \to 1$. Hence, the Rényi entropies interpolate between the min-entropy and the von Neumann entropy, and they will play a crucial role in our proof.

The key technical ingredient for our generalised EAT is a new chain rule for Rényi entropies (Theorem 3.6 in the main text).

Lemma 1.2

Let $\alpha \in (1,2)$, ${\rho }_{\mathit{ARE}}$ a quantum state, and $\mathcal{M}:RE\to A^{\prime }{R}^{\prime }{E}^{\prime }$ a quantum channel which satisfies the non-signalling condition in Eq. (1.2), i.e. there exists a channel $\mathcal{R}:E\to E^{\prime }$ such that ${\text{Tr}}_{A^{\prime }{R}^{\prime }}\circ \mathcal{M}=\mathcal{R}\circ {\text{Tr}}_R$. Then

$$\begin{array}{c}\hfill H_{\alpha }{(A{A}^{\prime }|E^{\prime })}_{\mathcal{M}(\rho )}\ge H_{\alpha }{(A|E)}_{\rho }+\underset{{\omega }_{RE\tilde{E}}}{inf}{H}_{\frac{1}{2-\alpha }}{(A^{\prime }|E^{\prime }\tilde{E})}_{\mathcal{M}(\omega )}\end{array}$$ 1.4

for a purifying system $\tilde{E}\equiv RE$, where the infinimum is over all quantum states $\omega$ on systems $RE\tilde{E}$.

We first describe how this chain rule implies our generalised EAT, following the same idea as in [1, 8]. For this, recall that our goal is to find a lower bound on $H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0}^0)}$ for a sequence of maps satisfying the non-signalling condition ${\text{Tr}}_{A_i{R}_i}\circ {\mathcal{M}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$. As a first step, we use a known relation between the smooth min-entropy and the Rényi entropy [3], which (up to a small penalty term depending on $\epsilon$ and $\alpha$) reduces the problem to lower-bounding

$$\begin{array}{c}\hfill H_{\alpha }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0}^0)}=H_{\alpha }{(A_n{A}^{n-1}|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0}^0)}.\end{array}$$

To this, we can apply Lemma 1.2 by choosing $A=A^{n-1}$, $A^{\prime }=A_n$, $E=E_{n-1}$, $E^{\prime }=E_n$, $R=R_{n-1}$, $R^{\prime }=R_n$, and $\rho ={\mathcal{M}}_{n-1}\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0}^0)$. Then, since the map ${\mathcal{M}}_n$ satisfies the non-signalling condition, Lemma 1.2 implies that

$$\begin{array}{cc}\hfill H_{\alpha }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}& \ge H_{\alpha }{(A_1^{n-1}|E_{n-1})}_{{\mathcal{M}}_{n-1}\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\hfill \\ \hfill & +\underset{\omega \in \text{S}(R_{n-1}{E}_{n-1}{\tilde{E}}_{n-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_n|E_n{\tilde{E}}_{n-1})}_{{\mathcal{M}}_n(\omega )}.\hfill \end{array}$$

We can now repeat this argument for the term $H_{\alpha }{(A_1^{n-1}|E_{n-1})}_{{\mathcal{M}}_{n-1}\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}$. After n applications of Lemma 1.2, we find that

$$\begin{array}{cc}\hfill H_{\alpha }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}& \ge \sum _{i=1}^n\underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}.\hfill \end{array}$$

To conclude, we use a continuity bound from [8] to relate $H_{\frac{1}{2-\alpha }}{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}$ to $H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}$. It can be shown that for a suitable choice of $\alpha$, the penalty terms we incur by switching from the min-entropy to the Rényi entropy and then to the von Neumann entropy scale as $O(\sqrt{n})$. Therefore, we obtain Eq. (1.3). We also provide a version that allows for “testing” (which is crucial for application in quantum cryptography and explained in detail in Sect. 4.2) and features explicit second-order terms similar to those in [8].

We now turn our attention to the proof of Lemma 1.2. For this, we need to introduce the (sandwiched) Rényi divergence of order $\alpha$ between two (possibly unnormalised) quantum states $\rho$ and $\sigma$, denoted by $D_{\alpha }\left(\rho ,,\Vert ,,\sigma \right)$. We refer to Sect. 2.2 for a formal definition; for this overview, it suffices to know that $D_{\alpha }\left(\rho ,,\Vert ,,\sigma \right)$ is a measure of how different $\rho$ is from $\sigma$, and that the conditional Rényi entropy is related to the Rényi divergence by

$$\begin{array}{c}\hfill H_{\alpha }{(A|B)}_{\rho }=-D_{\alpha }\left({\rho }_{\mathit{AB}},,\Vert ,,{\mathbb{1}}_A,\otimes ,{\rho }_B\right).\end{array}$$

Our starting point for proving Lemma 1.2 is the following chain rule for the Rényi divergence from [9]:

$$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{M},(,\rho ,),,\Vert ,,\mathcal{F},(,\sigma ,)\right)\le D_{\alpha }\left({\rho }_{\mathit{ARE}},,\Vert ,,{\sigma }_{\mathit{ARE}}\right)+\underset{n\to \infty }{lim}\frac{1}{n}\underset{{\omega }_{R^n{E}^n{\tilde{E}}^n}}{sup}{D}_{\alpha }\left({\mathcal{M}}^{\otimes n},(\omega ),,\Vert ,,{\mathcal{F}}^{\otimes n},(\omega )\right),\end{array}$$ 1.5

where $\mathcal{M}$ and $\mathcal{F}$ are (not necessarily trace preserving) quantum channels from RE to $A^{\prime }{R}^{\prime }{E}^{\prime }$, and $\rho$ and $\sigma$ are any quantum states on ARE. The optimization is over all quantum states $\omega$ on n copies of the systems $RE\tilde{E}$ (with $\tilde{E}\equiv RE$ as before).

Making a suitable choice of $\mathcal{F}$ (which depends on $\mathcal{M}$) and $\sigma$ (which depends on $\rho$), one can turn Eq. (1.5) into the following chain rule for the conditional Rényi entropy:

$$\begin{array}{c}\hfill H_{\alpha }{(A{A}^{\prime }|E^{\prime })}_{\mathcal{M}(\rho )}\ge H_{\alpha }{(A|RE)}_{\rho }+\underset{n\to \infty }{lim}\frac{1}{n}\underset{{\omega }_{R^n{E}^n{\tilde{E}}^n}}{inf}{H}_{\alpha }{({(A^{\prime })}^n|{(E^{\prime })}^n{\tilde{E}}^n)}_{{\mathcal{M}}^{\otimes n}(\omega )}.\end{array}$$ 1.6

This chain rule resembles Lemma 1.2, but is significantly weaker and cannot be used to prove a useful entropy accumulation theorem. The reason for this is twofold:

• (i)Equation (1.6) provides a lower bound in terms of $H_{\alpha }(A|RE)$, not $H_{\alpha }(A|E)$. The additional conditioning on the R-system can drastically lower the entropy: for example, in a device-independent scenario, R would describe the internal memory of the device. Then, Alice’s output A contains no entropy when conditioned on the internal memory of the device that produced the output, i.e. $H_{\alpha }(A|RE)=0$. On the other hand, Alice’s output conditioned only on Eve’s side information E may be quite large (and can usually be certified by playing a non-local game), i.e. $H_{\alpha }(A|E)>0$.
• (ii)Equation (1.6) contains the regularised quantity ${lim}_{n\to \infty }\frac{1}{n}{inf}_{{\omega }_{R^n{E}^n{\tilde{E}}^n}}{H}_{\alpha }{({(A^{\prime })}^n|{(E^{\prime })}^n{\tilde{E}}^n)}_{{\mathcal{M}}^{\otimes n}(\omega )}$. Due to the limit $n\to \infty$, this quantity cannot be computed numerically and therefore the bound in Eq. (1.6) cannot be evaluated for concrete examples.

We now describe how we overcome each of these issues in turn.

• (i)
  We prove a new variant of Uhlmann’s theorem [10], a foundational result in quantum information theory. The original version of Uhlmann’s theorem deals with the case of $\alpha =1/2$; we show that for $\alpha >1$, a similar result holds, but an additional regularisation is required. Concretely, we prove that for any states ${\rho }_{\mathit{ARE}}$ and ${\sigma }_{\mathit{AE}}$:

  $$\begin{array}{c}\hfill \underset{k\to \infty }{lim}\frac{1}{k}\underset{\begin{array}{c}{\widehat{\sigma }}_{A^k{R}^k{E}^k}\\ \text{s.t.}{\widehat{\sigma }}_{A^k{E}^k}={\sigma }_{\mathit{AE}}^{\otimes k}\end{array}}{inf}{D}_{\alpha }\left({\rho }_{\mathit{ARE}}^{\otimes k},,\Vert ,,{\widehat{\sigma }}_{A^k{R}^k{E}^k}\right)=D_{\alpha }\left({\rho }_{\mathit{AE}},,\Vert ,,{\sigma }_{\mathit{AE}}\right).\end{array}$$ 1.7

  The proof of this result relies heavily on the spectral pinching technique [11, 12] and we refer to Lemma 3.3 for details as well as a non-asymptotic statement with explicit error bounds. We make use of this extended Uhlmann’s theorem as follows: for the case we are interested in, the map $\mathcal{F}$ in Eq. (1.5) satisfies a non-signalling condition. We can show that this condition implies that for any state ${\widehat{\sigma }}_{A^k{R}^k{E}^k}\text{s.t.}{\widehat{\sigma }}_{A^k{E}^k}={\sigma }_{\mathit{AE}}^{\otimes k}$:

  $$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{M},(,\rho ,),,\Vert ,,\mathcal{F},(,\sigma ,)\right)=\frac{1}{k}{D}_{\alpha }\left({\mathcal{M}}^{\otimes k},({\rho }_{\mathit{ARE}}^{\otimes k}),,\Vert ,,{\mathcal{F}}^{\otimes k},({\widehat{\sigma }}_{A^k{R}^k{E}^k})\right).\end{array}$$

  Applying Eq. (1.5) to the r.h.s. of this equality results in a bound that contains $D_{\alpha }\left({\rho }_{\mathit{ARE}}^{\otimes k},,\Vert ,,{\widehat{\sigma }}_{A^k{R}^k{E}^k}\right)$. We can now minimise over all states ${\widehat{\sigma }}_{A^k{R}^k{E}^k}\text{s.t.}{\widehat{\sigma }}_{A^k{E}^k}={\sigma }_{\mathit{AE}}^{\otimes k}$ and take the limit $k\to \infty$. Then, Eq. (1.7) allows us to drop the R-system. Therefore, under the non-signalling condition on $\mathcal{F}$, we obtain the following improved chain rule for the sandwiched Rènyi divergence, which might be of independent interest:

  $$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{M},(,\rho ,),,\Vert ,,\mathcal{F},(,\sigma ,)\right)\le D_{\alpha }\left({\rho }_{\mathit{AE}},,\Vert ,,{\sigma }_{\mathit{AE}}\right)+\underset{n\to \infty }{lim}\frac{1}{n}\underset{{\omega }_{R^n{E}^n{\tilde{E}}^n}}{sup}{D}_{\alpha }\left({\mathcal{M}}^{\otimes n},(\omega ),,\Vert ,,{\mathcal{F}}^{\otimes n},(\omega )\right).\end{array}$$

  Using this chain rule, we can show that Eq. (1.6) still holds if $H_{\alpha }(A|RE)$ is replaced by $H_{\alpha }(A|E)$.
• (ii)
  To remove the need for a regularisation in Eq. (1.6), we show that due to the permutation-invariance of ${\mathcal{M}}^{\otimes n}$ and ${\mathcal{F}}^{\otimes n}$, for $\alpha >1$ and $n\to \infty$ one can replace the optimization over ${\omega }_{R^n{E}^n{\tilde{E}}^n}$ with a fixed input state, namely the projector onto the symmetric subspace of $R^n{E}^n{\tilde{E}}^n$. For this replacement, one incurs a small loss in $\alpha$, replacing it by $\frac{1}{2-\alpha }$ (which is only slightly larger than $\alpha$ in the typical regime where $\alpha$ is close to 1). The projector onto the symmetric subspace has a known representation as a mixture of tensor product states [13]. Combining these two steps, we show that the optimization over ${\omega }_{R^n{E}^n{\tilde{E}}^n}$ can be restricted to tensor product states, which means that the regularisation in Eq. (1.6) can be removed (see Sect. 3.2 for details):

  $$\begin{array}{c}\hfill \underset{n\to \infty }{lim}\frac{1}{n}\underset{{\omega }_{R^n{E}^n{\tilde{E}}^n}}{inf}{H}_{\alpha }{({(A^{\prime })}^n|{(E^{\prime })}^n{\tilde{E}}^n)}_{{\mathcal{M}}^{\otimes n}(\omega )}\ge \underset{{\omega }_{RE\tilde{E}}}{inf}{H}_{\frac{1}{2-\alpha }}{(A^{\prime }|E^{\prime }\tilde{E})}_{\mathcal{M}(\omega )}.\end{array}$$

Combining these results yields Lemma 1.2 and, as a result, our generalised EAT.

Sample application: blind randomness expansion. The main advantage of the generalised EAT over previous results is its broader applicability. For example, as demonstrated in [7], the generalised EAT can be used to prove the security of prepare-and-measure QKD protocols, which is of immediate practical relevance, and can also simplify the analysis of entanglement-based QKD protocols as discussed in Sect. 5.2. Here, we focus on the application of our generalised EAT to mistrustful device-independent (DI) cryptography. In mistrustful DI cryptography, multiple parties each use a quantum device to execute a protocol with one another. Each party trusts neither its quantum device nor the other parties in the protocol. Hence, from the point of view of one party, say Alice, all the remaining parties in the protocol are collectively treated as an adversary Eve, who may also have prepared Alice’s untrusted device.

While the original EAT could be used to analyse DI protocols in which the parties trust each other, e.g. DIQKD [14], the setting of mistrustful DI cryptography is significantly harder to analyse because the adversary Eve actively participates in the protocol and may update her side information during the protocol in arbitrary ways. Analysing such protocols requires the more general model of side information we deal with in this paper. As a concrete example for mistrustful DI cryptography, we consider blind randomness expansion, a primitive introduced in [15]. Previous work [15, 16] could only analyse blind randomness expansion under the i.i.d. assumption. Here, we give the first proof that blind randomness expansion is possible for general adversaries. The proof is a straightforward application of our generalised EAT and briefly sketched below; we refer to Sect. 5.1 for a detailed treatment.

In blind randomness expansion, Alice receives an untrusted quantum device from the adversary Eve. Alice then plays a non-local game, e.g. the CHSH game, with this device and Eve, and wants to extract certified randomness from her outputs of the non-local game, i.e. we need to show that Alice’s outputs contain a certain amount of min-entropy conditioned on Eve’s side information. Concretely, in each round of the protocol Alice samples inputs x and y for the non-local game, inputs x into her device to receive outcome a, and sends y to Eve to receive outcome b; Alice then checks whether (x, y, a, b) satisfies the winning condition of the non-local game. For comparison, recall that in standard DI randomness expansion [17–21], Alice receives two devices from Eve and uses them to play the non-local game. This means that in standard DI randomness expansion, Eve never learns any of the inputs and outputs of the game. In contrast, in blind randomness expansion Eve learns one of the inputs, y, and is free to choose one of the outputs, b, herself. Hence, Eve can choose the output b based on past side information and update her side information in each round of the protocol using the values of y and b.

To analyse such a protocol, we use the setting of Theorem 1.1, with $A_i$ representing the output of Alice’s device D from the non-local game in the i-th round, $R_i$ the internal memory of D after the i-th round, and $E_i$ Eve’s side information after the i-th round, which can be generated arbitrarily from entanglement shared between Eve and D at the start of the protocol and information Eve gathered during the first i rounds of the protocol. The map ${\mathcal{M}}_i$ describes one round of the protocol, and because Alice’s device and Eve cannot communicate during the protocol it is easy to show that the non-signalling condition from Theorem 1.1 is satisfied. Therefore, we can apply Theorem 1.1 to lower-bound Alice’s conditional min-entropy $H_{\text{min}}(A^n|E_n)$ in terms of the single-round quantities ${inf}_{\omega }H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}$.7 This single-round quantity corresponds to the i.i.d. scenario, i.e. the generalised EAT has reduced the problem of showing blind randomness expansion against general adversaries to the (much simpler) problem of showing it against i.i.d. adversaries. The quantity ${inf}_{\omega }H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}$ can be computed using a general numerical technique [22], and for certain classes of non-local games it may also be possible to find an analytical lower bound using ideas from [15, 16]. Inserting the single-round bound, we obtain a lower bound on $H_{\text{min}}(A^n|E_n)$ that scales linearly with n, showing that blind randomness expansion is possible against general adversaries. We also note that as explained in [15], this result immediately implies that unbounded randomness expansion is possible with only three devices, whereas previous works required four devices [21, 23, 24].

Future work In this work, we have developed a new information-theoretic tool, the generalised EAT. The generalised EAT deals with a more general model of side information than previous techniques and is therefore more broadly and easily applicable. In particular, our generalised EAT can be used to analyse mistrustful DI cryptography. We have demonstrated this by giving the first proof of blind randomness expansion against general adversaries. We expect that the generalised EAT could similarly be used for other protocols such as two-party cryptography in the noisy storage model [25] or certified deletion [16, 26, 27]. In addition to mistrustful DI cryptography, our result can also be used to give new proofs for device-dependent QKD, as demonstrated in Sect. 5.2 and [7], and is applicable to proving the security of commercial quantum random number generators, which typically have correlations between rounds due to experimental imperfections [28].

Beyond cryptography, the generalised EAT is useful whenever one is interested in bounding the min-entropy of a large system that can be decomposed in a sequential way. Such problems are abundant in physics. For example, the dynamics of an open quantum system can be described in terms of interactions that take place sequentially with different parts of the system’s environment [29]. In quantum thermodynamics, such a description is commonly employed to model the thermalisation of a system that is brought in contact with a thermal bath. For a lack of techniques, the entropy flow during a thermalisation process of this type is usually quantified in terms of von Neumann entropy rather than the operationally more relevant smooth min- and max-entropies [30]. The generalised EAT may be used to remedy this situation. A similar situation arises in quantum gravity, where smooth entropies play a role in the study of black holes [31].

In a different direction, one can also try to further improve the generalised EAT itself. Compared to the original EAT [1], our generalised EAT features a more general model of side information and a weaker condition on the relation between different rounds, replacing the Markov condition of [1] with our weaker non-signalling condition in Eq. (1.2). It is natural to ask whether a further step in this direction is possible: while the model of side information we consider is fully general, it may be possible to replace the non-signalling condition with a weaker requirement. We have argued above that our non-signalling condition appears to be the most general way of stating the requirement that future side information does not reveal information about past outputs, which seems necessary for an EAT-like theorem.8 It would be interesting to formalise this intuition and see whether our theorem is provably “tight” in terms of the conditions placed on the sequential process. Furthermore, it might be possible to improve the way the statistical condition in Theorem 4.3 is dealt with in the proof, e.g. using ideas from [33, 34].

Finally, one could attempt to extend entropy accumulation from conditional entropies to relative entropies. Such a relative entropy accumulation theorem (REAT) would be the following statement: for two sequences of channels $\{{\mathcal{E}}_1,\cdots ,{\mathcal{E}}_n\}$ and $\{{\mathcal{F}}_1,\cdots ,{\mathcal{F}}_n\}$ (where ${\mathcal{F}}_i$ need not necessarily be trace-preserving), and $\epsilon >0$,

$$\begin{array}{c}\hfill D_{\text{max}}^{\epsilon }\left({\mathcal{E}}_n,\circ ,\cdots ,\circ ,{\mathcal{E}}_1,,\Vert ,,{\mathcal{F}}_n,\circ ,\cdots ,\circ ,{\mathcal{F}}_1\right)\stackrel{?}{\le }\sum _{i=1}^n{D}^{\text{reg}}\left({\mathcal{E}}_i,,\Vert ,,{\mathcal{F}}_i\right)+O(\sqrt{n}).\end{array}$$

Here, $D_{\text{max}}^{\epsilon }$ is the $\epsilon$-smooth max-relative entropy [11] and we used the (regularised) channel divergences defined in Definition 2.5. The key technical challenge in proving this result is to show that the regularised channel divergence $D_{\alpha }^{\text{reg}}\left({\mathcal{E}}_i,,\Vert ,,{\mathcal{F}}_i\right)$ is continuous in $\alpha$ at $\alpha =1$, which is an important technical open question. If one had such a continuity statement and the maps ${\mathcal{F}}_i$ additionally satisfied a non-signalling condition (which is not required for the statement above), one could also use our Theorem 3.1 to derive a more general REAT, which would imply our generalised EAT.

Preliminaries

Notation

Throughout this paper, we restrict ourselves to finite-dimensional Hilbert spaces. The set of positive semidefinite operators on a quantum system A (with associated Hilbert space ${\mathcal{H}}_A$) is denoted by $\text{Pos}(A)$. The set of quantum states is given by $\text{S}(A)=\{\rho \in \text{Pos}(A)|\text{Tr}\left[\rho \right]=1\}$. The set of completely positive maps from linear operators on A to linear operators on $A^{\prime }$ is denoted by $\text{CP}(A,A^{\prime })$. If such a map is additionally trace preserving, we call it a quantum channel and denote the set of such maps by $\text{CPTP}(A,A^{\prime })$. The identity channel on system A is denoted as ${\text{id}}_A$. The spectral norm is denoted by ${∥·∥}_{\infty }$.

A cq-state is a quantum state $\rho \in \text{S}(XA)$ on a classical system X (with alphabet $\mathcal{X}$) and a quantum system A, i.e. a state that can be written as

$$\begin{array}{c}\hfill {\rho }_{\mathit{XA}}=\sum _{x\in \mathcal{X}}|x⟩⟨x|\otimes {\rho }_{A,x}\end{array}$$

for subnormalised ${\rho }_{A,x}\in \text{Pos}(A)$. For $\mathrm{\Omega }\subset \mathcal{X}$, we define the conditional state

$$\begin{array}{c}\hfill {\rho }_{XA|\mathrm{\Omega }}=\frac{1}{{\text{Pr}}_{\rho }\left[\mathrm{\Omega }\right]}\sum _{x\in \mathrm{\Omega }}|x⟩⟨x|\otimes {\rho }_{A,x},\text{where}{\text{Pr}}_{\rho }\left[\mathrm{\Omega }\right]:=\sum _{x\in \mathrm{\Omega }}\text{Tr}\left[{\rho }_{A,x}\right].\end{array}$$

If $\mathrm{\Omega }=\{x\}$, we also write ${\rho }_{XA|x}$ for ${\rho }_{XA|\mathrm{\Omega }}$.

Rényi divergence and entropy

We will make extensive use of the sandwiched Rényi divergence [35, 36] and quantities associated with it, namely Rényi entropies and channel divergences. We recall the relevant definitions here.

Definition 2.1

(Rényi divergence). For $\rho \in \text{S}(A)$, $\sigma \in \text{Pos}(A)$, and $\alpha \in [1/2,1)\cup (1,\infty )$ the (sandwiched) Rényi divergence is defined as

$$\begin{array}{c}\hfill D_{\alpha }\left(\rho ,,\Vert ,,\sigma \right):=\frac{1}{\alpha -1}log\text{Tr}\left[(,{\sigma }^{\frac{1-\alpha }{2\alpha }},\rho ,{\sigma }^{\frac{1-\alpha }{2\alpha }},{)}^{\alpha }\right]\end{array}$$

for $\text{supp}(\rho )\subseteq \text{supp}(\sigma )$, and $+\infty$ otherwise.

From the Rényi divergence, one can define the conditional Rényi entropies as follows (see [11] for more details).

Definition 2.2

(Conditional Rényi entropy). For a bipartite state ${\rho }_{\mathit{AB}}\in \text{S}(AB)$ and $\alpha \in [1/2,1)\cup (1,\infty )$, we define the following two conditional Rényi entropies:

From the definition it is clear that . Importantly, a relation for the other direction also holds.

Lemma 2.3

([11, Corollary 5.3]). For ${\rho }_{\mathit{AB}}\in \text{S}(AB)$ and $\alpha \in (1,2)$:

In the limit $\alpha \to 1$ the sandwiched Rényi divergence converges to the relative entropy:

$$\begin{array}{c}\hfill \underset{\alpha \to 1}{lim}{D}_{\alpha }\left(\rho ,,\Vert ,,\sigma \right)=D(\rho \Vert \sigma )=\text{Tr}\left[\rho ,(,log,\rho ,-,log,\sigma ,)\right].\end{array}$$

Accordingly, the conditional Rényi entropy converges to the conditional von Neumann entropy:

$$\begin{array}{c}\hfill \underset{\alpha \to 1}{lim}{H}_{\alpha }{(A|B)}_{\rho }=H{(A|B)}_{\rho }=H{(AB)}_{\rho }-H{(B)}_{\rho }=-\text{Tr}\left[{\rho }_{\mathit{AB}},log,{\rho }_{\mathit{AB}}\right]+\text{Tr}\left[{\rho }_B,log,{\rho }_B\right].\end{array}$$

Conversely, in the limit $\alpha \to \infty$, the Rényi entropy converges to the min-entropy. We will make use of a smoothed version of the min-entropy, which is defined as follows [2].

Definition 2.4

(Smoothed min-entropy). For ${\rho }_{\mathit{AB}}\in \text{S}(AB)$ and $\epsilon \in [0,1]$, the $\epsilon$-smoothed min-entropy of A conditioned on B is

$$\begin{array}{c}\hfill H_{min}^{\epsilon }{(A|B)}_{\rho }=-log\underset{{\tilde{\rho }}_{\mathit{AB}}\in {\mathcal{B}}_{\epsilon }({\rho }_{\mathit{AB}})}{inf}\underset{{\sigma }_B\in \text{S}(B)}{inf}{∥{\sigma }_B^{-\frac{1}{2}},{\tilde{\rho }}_{\mathit{AB}},{\sigma }_B^{-\frac{1}{2}}∥}_{\infty },\end{array}$$

where ${∥·∥}_{\infty }$ denotes the spectral norm and ${\mathcal{B}}_{\epsilon }({\rho }_{\mathit{AB}})$ is the $\epsilon$-ball around ${\rho }_{\mathit{AB}}$ in term of the purified distance [11].

Finally, we can extend the definition of the Rényi divergence from states to channels. The resulting quantity, the channel divergence (and its regularised version), will play an important role in the rest of the manuscript.

Definition 2.5

(Channel divergence). For $\mathcal{E}\in \text{CPTP}(A,A^{\prime })$, $\mathcal{F}\in \text{CP}(A,A^{\prime })$, and $\alpha \in [1/2,1)\cup (1,\infty )$, the (stabilised) channel divergence9 is defined as

$$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)=\underset{\omega \in \text{S}(A\tilde{A})}{sup}{D}_{\alpha }\left(\mathcal{E},(,\omega ,),,\Vert ,,\mathcal{F},(,\omega ,)\right),\end{array}$$ 2.1

where without loss of generality $\tilde{A}\equiv A$. The regularised channel divergence is defined as

$$\begin{array}{c}\hfill D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right):=\underset{n\to \infty }{lim}\frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n},,\Vert ,,{\mathcal{F}}^{\otimes n}\right)=\underset{n}{sup}\frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n},,\Vert ,,{\mathcal{F}}^{\otimes n}\right).\end{array}$$

We note that the channel divergence is in general not additive under the tensor product [37, Proposition 3.1], so the regularised channel divergence can be strictly larger that the non-regularised one, i.e., $D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)>D_{\alpha }\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)$. The regularised channel divergence, however, does satisfy an additivity property:

$$\begin{array}{cc}& D_{\alpha }^{\text{reg}}\left({\mathcal{E}}^{\otimes k},,\Vert ,,{\mathcal{F}}^{\otimes k}\right)\hfill \\ \hfill & =\underset{n\to \infty }{lim}\frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes kn},,\Vert ,,{\mathcal{F}}^{\otimes kn}\right)=k\underset{n\to \infty }{lim}\frac{1}{n^{\prime }}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n^{\prime }},,\Vert ,,{\mathcal{F}}^{\otimes n^{\prime }}\right)=k{D}_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right),\hfill \end{array}$$ 2.2

where we switched to the index $n^{\prime }=kn$ for the second equality.

Spectral pinching

A key technical tool in our proof will be the use of spectral pinching maps [38], which are defined as follows (see [12, Chapter 3] for a more detailed introduction).

Definition 2.6

(Spectral pinching map). Let $\rho \in \text{Pos}(A)$ with spectral decomposition $\rho ={\sum }_{\lambda }\lambda P_{\lambda }$, where $\lambda \in \text{Spec}(\rho )\subset {\mathbb{R}}_{\ge 0}$ are the distinct eigenvalues of $\rho$ and $P_{\lambda }$ are mutually orthogonal projectors. The (spectral) pinching map ${\mathcal{P}}_{\rho }\in \text{CPTP}(A,A)$ associated with $\rho$ is given by

$$\begin{array}{c}\hfill {\mathcal{P}}_{\rho }(\omega ):=\sum _{\lambda \in \text{Spec}(\rho )}{P}_{\lambda }\omega P_{\lambda }.\end{array}$$

We will need a few basic properties of pinching maps.

Lemma 2.7

(Properties of pinching maps). For any $\rho ,\sigma \in \text{Pos}(A)$, the following properties hold:

• (i)Invariance: ${\mathcal{P}}_{\rho }(\rho )=\rho$ .
• (ii)Commutation of pinched state: $[\sigma ,{\mathcal{P}}_{\sigma }(\rho )]=0$ .
• (iii)Pinching inequality: ${\mathcal{P}}_{\sigma }(\rho )\ge \frac{1}{|\text{Spec}(\sigma )|}\rho$ .
• (iv)Commutation of pinching maps: if $[\rho ,\sigma ]=0$, then ${\mathcal{P}}_{\rho }\circ {\mathcal{P}}_{\sigma }={\mathcal{P}}_{\sigma }\circ {\mathcal{P}}_{\rho }$ .
• (v)Partial trace: ${\text{Tr}}_B\left[{\mathcal{P}}_{{\rho }_A\otimes {\mathbb{1}}_B},({\omega }_{\mathit{AB}})\right]={\mathcal{P}}_{{\rho }_A}({\omega }_A)\forall {\omega }_{\mathit{AB}}\in \text{Pos}(AB)$.

Proof

Properties (i)–(iii) follow from the definition and [3, Chapter 2.6.3] or [12, Lemma 3.5].

For the fourth statement, note that since $[\rho ,\sigma ]=0$, there exists a joint orthonormal eigenbasis $\{|x_i⟩\}$ of $\rho$ and $\sigma$. Let $P_{\lambda }$ be the projector onto the eigenspace of $\rho$ with eigenvalue $\lambda$, and $Q_{\mu }$ the projector onto the eigenspace of $\sigma$ with eigenvalue $\mu$. We can expand

$$\begin{array}{c}\hfill P_{\lambda }=\sum _{i\text{s.t.}\rho |x_i⟩=\lambda |x_i⟩}|x_i⟩⟨x_i|\text{and}{Q}_{\mu }=\sum _{j\text{s.t.}\sigma |x_j⟩=\mu |x_j⟩}|x_j⟩⟨x_j|.\end{array}$$

Since $\{|x_i⟩\}$ is a family of orthonormal vectors,

$$\begin{array}{c}\hfill P_{\lambda }{Q}_{\mu }=\sum _{\begin{array}{c}i\text{s.t.}\rho |x_i⟩=\lambda |x_i⟩\\ \text{and}\sigma |x_i⟩=\mu |x_i⟩\end{array}}|x_i⟩⟨x_i|=Q_{\mu }{P}_{\lambda },\end{array}$$

which implies commutation of the pinching maps.

For the fifth statement, note that if we write $\rho ={\sum }_{\lambda }\lambda P_{\lambda }$ with eigenprojectors $P_{\lambda }$, then the set of eigenprojectors of ${\rho }_A\otimes {\mathbb{1}}_B$ is simply $\{P_{\lambda }\otimes {\mathbb{1}}_B\}$. Hence,

$$\begin{array}{cc}\hfill {\text{Tr}}_B\left[{\mathcal{P}}_{{\rho }_A\otimes {\mathbb{1}}_B},({\omega }_{\mathit{AB}})\right]& =\sum _{\lambda }{\text{Tr}}_B\left[P_{\lambda },\otimes ,{\mathbb{1}}_B,{\omega }_{\mathit{AB}},P_{\lambda },\otimes ,{\mathbb{1}}_B\right]\hfill \\ \hfill & =\sum _{\lambda }{P}_{\lambda }{\text{Tr}}_B\left[{\omega }_{\mathit{AB}}\right]P_{\lambda }={\mathcal{P}}_{{\rho }_A}({\omega }_A).\hfill \end{array}$$

$\square$

It is often useful to use the pinching map associated with tensor power states, i.e., ${\mathcal{P}}_{{\rho }^{\otimes n}}$. This is because for $\rho \in \text{Pos}(A)$, the factor $|\text{Spec}({\rho }^{\otimes n})|$ from the pinching inequality (see Lemma 2.7) only scales polynomially in n (see e.g. [12, Remark 3.9]):

$$\begin{array}{c}\hfill |\text{Spec}({\rho }^{\otimes n})|\le {(n+1)}^{dim(A)-1}.\end{array}$$ 2.3

In fact, we can show a similar property for all permutation-invariant states, not just tensor product states.

Lemma 2.8

Let $\rho \in \text{Pos}(A^{\otimes n})$ be permutation invariant and denote $d=dim(A)$. Then

$$\begin{array}{c}\hfill |\text{Spec}(\rho )|\le {(n+d)}^{d(d+1)/2}.\end{array}$$

Proof

By Schur-Weyl duality and Schur’s lemma (see e.g. [39, Lemma 0.8 and Theorem 1.10]), since $\rho$ is permutation-invariant, we have

$$\begin{array}{c}\hfill \rho \cong \underset{\lambda \in {\mathcal{I}}_{d,n}}{⨁}\rho {(\lambda )}_{Q_{\lambda }}\otimes {\mathbb{1}}_{P_{\lambda }},\end{array}$$

where $\cong$ denotes equality up to unitary conjugation (which leaves the spectrum invariant), ${\mathcal{I}}_{d,n}$ is the set of Young diagrams with n boxes and at most d rows, $Q_{\lambda }$ and $P_{\lambda }$ are systems whose details need not concern us, and $\rho (\lambda )\in \text{Pos}(Q_{\lambda })$. From this it is clear that

$$\begin{array}{c}\hfill |\text{Spec}(\rho )|\le \sum _{\lambda \in {\mathcal{I}}_{d,n}}|\text{Spec}(\rho (\lambda ))|\le \sum _{\lambda \in {\mathcal{I}}_{d,n}}dim(Q_{\lambda }).\end{array}$$

It is known that $|{\mathcal{I}}_{d,n}{|\le (n+1)}^d$ and $dim(Q_{\lambda })\le {(n+d)}^{d(d-1)/2}$ (see e.g. [40, Section 6.2]). Hence

$$\begin{array}{c}\hfill |\text{Spec}(\rho )|\le {(n+1)}^d{(n+d)}^{d(d-1)/2}\le {(n+d)}^{d(d+1)/2}.\end{array}$$

$\square$

Corollary 2.9

Let $\rho ,\sigma \in \text{Pos}(A)$ and $d=dim(A)$. Then

$$\begin{array}{c}\hfill |\text{Spec}\left({\mathcal{P}}_{{\rho }^{\otimes n}},({\sigma }^{\otimes n})\right){|\le (n+d)}^{d(d+1)/2}.\end{array}$$

Proof

Note that ${\mathcal{P}}_{{\rho }^{\otimes n}}({\sigma }^{\otimes n})$ is itself not a product state because the eigenprojectors of ${\rho }^{\otimes n}$ do not have a product form. However, since every eigenspace of ${\rho }^{\otimes n}$ is permutation-invariant, ${\mathcal{P}}_{{\rho }^{\otimes n}}({\sigma }^{\otimes n})$ is permutation-invariant, too, so we can apply Lemma 2.8. $\square$

Strengthened Chain Rules

One of the crucial properties of entropies are chain rules, which allow us to relate entropies of large composite systems to sums of entropies of the individual subsystems. In this section, we prove two new such chain rules, one for the Rényi divergence (Theorem 3.1, which is a generalisation of [9, Corollary 5.1]) and one for the conditional entropy (Theorem 3.6). The chain rule from Theorem 3.6 is the key ingredient for our generalised EAT, to which we will turn our attention in Sect. 4. Theorem 3.6 plays a similar role for our generalised EAT as [1, Corollary 3.5] does for the original EAT, but while the latter requires a Markov condition, the former does not. As a result, our generalised EAT based on Theorem 3.6 also avoids the Markov condition.

The outline of this section is as follows: we first prove a generalised chain rule for the Rényi divergence (Theorem 3.1). This chain rule contains a regularised channel divergence. As the next step, we show that in the special case of conditional entropies, we can drop the regularisation (Sect. 3.2). This allows us to derive a chain rule for conditional entropies from the chain rule for channels (Sect. 3.3).

Strengthened chain rule for Rényi divergence

The main result of this section is the following chain rule for the Rényi divergence.

Theorem 3.1

Let $\alpha >1$, $\rho \in \text{S}(AR)$, $\sigma \in \text{Pos}(AR)$, $\mathcal{E}\in \text{CPTP}(AR,B)$, and $\mathcal{F}\in \text{CP}(AR,B)$. Suppose that there exists $\mathcal{R}\in \text{CP}(A,B)$ such that $\mathcal{F}=\mathcal{R}\circ {\text{Tr}}_R$. Then

$$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{E},({\rho }_{\mathit{AR}}),,\Vert ,,\mathcal{F},({\sigma }_{\mathit{AR}})\right)\le D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)+D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right).\end{array}$$ 3.1

This is a stronger version of an existing chain rule due to [9], which we will use in our proof of Theorem 3.1:

Lemma 3.2

([9, Corollary 5.1]). Let $\alpha >1$, $\rho \in \text{S}(A)$, $\sigma \in \text{Pos}(A)$, $\mathcal{E}\in \text{CPTP}(A,B)$, and $\mathcal{F}\in \text{CP}(A,B)$. Then

$$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{E},(,\rho ,),,\Vert ,,\mathcal{F},(,\sigma ,)\right)\le D_{\alpha }\left(\rho ,,\Vert ,,\sigma \right)+D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right).\end{array}$$ 3.2

The difference between Theorem 3.1 and Lemma 3.2 is that on the r.h.s. of Eq. (3.1), we only have the divergence $D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)$ between the two reduced states on system A. In contrast, if we used Eq. (3.2) with systems AR, then we would get the divergence $D_{\alpha }\left({\rho }_{\mathit{AR}},,\Vert ,,{\sigma }_{\mathit{AR}}\right)$ between the full states. In particular, the weaker Lemma 3.2 can easily be recovered from Theorem 3.1 by taking the system R to be trivial, in which case the condition $\mathcal{F}=\mathcal{R}\circ {\text{Tr}}_R$ becomes trivial, too.

While the difference between Theorem 3.1 and Lemma 3.2 may look minor at first sight, the two chain rules can give considerably different results: in general, the data processing inequality ensures that $D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)\le D_{\alpha }\left({\rho }_{\mathit{AR}},,\Vert ,,{\sigma }_{\mathit{AR}}\right)$, but the gap between the two quantities can be significant, i.e., there exist states for which $D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)\ll D_{\alpha }\left({\rho }_{\mathit{AR}},,\Vert ,,{\sigma }_{\mathit{AR}}\right)$. In such cases, Theorem 3.1 yields a significantly tighter bound. This turns out to be crucial if we want to apply this chain rule repeatedly to get an EAT.

We also note that the statement of Theorem 3.1 is known to be correct also for $\alpha =1$ [37, Theorem 3.5]. However, this requires a separate proof and does not follow from Theorem 3.1 as it is currently not known whether the function $\alpha \mapsto D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)$ is continuous in the limit $\alpha \searrow 1$.10

We now turn to the proof of Theorem 3.1. The key question for the proof is the following: given states ${\rho }_{\mathit{AR}}$ and ${\sigma }_A$, does there exist an extension ${\sigma }_{\mathit{AR}}$ of ${\sigma }_A$ such that $D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)=D_{\alpha }\left({\rho }_{\mathit{AR}},,\Vert ,,{\sigma }_{\mathit{AR}}\right)$? For the special case of $\alpha =1/2$, an affirmative answer is given by Uhlmann’s theorem [10] (see also [11, Corollary 3.14]). This also holds for $\alpha =\infty$, but not in general for $\alpha \ge 1$ as discussed in Sect. B. The following lemma shows that a similar property still holds for $\alpha >1$ on a regularised level.

Lemma 3.3

Consider quantum systems A and R with $d=dim(A)$. For $n\in \mathbb{N}$, we define $A^n=A_1\cdots A_n$, where $A_i$ are copies of the system A, and likewise $R^n=R_1\cdots R_n$. Then for $\rho \in \text{S}(AR)$, $\sigma \in \text{Pos}(A)$, and $\alpha >1$ we have

$$\begin{array}{cc}& D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)\le \underset{{\widehat{\sigma }}_{A^n{R}^n}\text{s.t.}{\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}}{inf}\frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\hfill \\ \hfill & \le D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)+\frac{\alpha }{\alpha -1}\frac{d(d+1)log(n+d)}{n}.\hfill \end{array}$$

Proof

The inequality

$$\begin{array}{c}\hfill D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)\le \underset{{\widehat{\sigma }}_{A^n{R}^n}\text{s.t.}{\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}}{inf}\frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\end{array}$$

follows directly from the data processing inequality for taking the partial trace over $R^n$, and additivity of $D_{\alpha }$ under tensor product [11].

For the other direction, we consider n-fold tensor copies of ${\rho }_{\mathit{AR}}$ and ${\sigma }_A$, which we denote by ${\rho }_{A^n{R}^n}={\rho }_{A_1{R}_1}\otimes \cdots \otimes {\rho }_{A_n{R}_n}$ and ${\sigma }_{A^n}={\sigma }_{A_1}\otimes \cdots \otimes {\sigma }_{A_n}$. We define the following two pinched states

$$\begin{array}{c}\hfill {\rho }_{A^n{R}^n}^{\prime }={\mathcal{P}}_{{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}}({\rho }_{A^n{R}^n})\text{and}{\widehat{\rho }}_{A^n{R}^n}={\mathcal{P}}_{{\rho }_n^{\prime }\otimes {\mathbb{1}}_{R^n}}({\rho }_{A^n{R}^n}^{\prime }).\end{array}$$ 3.3

By definition of ${\widehat{\rho }}_{A^n{R}^n}$ and using the pinching inequality (see Lemma 2.7(iii)) twice, we have

$$\begin{array}{c}\hfill {\rho }_{A^n{R}^n}\le |\text{Spec}({\sigma }_{A^n})||\text{Spec}({\rho }_n^{\prime })|{\widehat{\rho }}_{A^n{R}^n}.\end{array}$$

Using the operator monotonicity of the sandwiched Rényi divergence in the first argument [11] we find for any state ${\widehat{\sigma }}_{A^n{R}^n}$

$$\begin{array}{c}\hfill \frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\le \frac{1}{n}{D}_{\alpha }\left({\widehat{\rho }}_{A^n{R}^n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)+\frac{1}{n}\frac{\alpha }{\alpha -1}\eta (n),\end{array}$$ 3.4

with the error term

$$\begin{array}{c}\hfill \eta (n)=log|\text{Spec}({\sigma }_{A^n})|+log|\text{Spec}({\rho }_n^{\prime })|.\end{array}$$

To prove the lemma, we now need to bound the error term $\eta (n)$ and construct a specific choice for ${\widehat{\sigma }}_{A^n{R}^n}$ for which ${\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}$ and $\frac{1}{n}{D}_{\alpha }\left({\widehat{\rho }}_{A^n{R}^n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\le D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)$. We first bound $\eta (n)$. Since ${\sigma }_{A^n}={\sigma }_A^{\otimes n}$, we have from Eq. (2.3) that $|\text{Spec}({\sigma }_{A^n})|\le {(n+1)}^{d-1}$, where $d=dim(A)$. To bound $|\text{Spec}({\rho }_n^{\prime })|$, we note that by Eq. (3.3) and Lemma 2.7(v)

$$\begin{array}{c}\hfill {\rho }_n^{\prime }={\text{Tr}}_{R^n}\left[{\mathcal{P}}_{{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}},({\rho }_{A^n{R}^n})\right]={\mathcal{P}}_{{\sigma }_{A^n}}({\rho }_{A^n})={\mathcal{P}}_{{\sigma }_A^{\otimes n}}({\rho }_A^{\otimes n}).\end{array}$$ 3.5

We can therefore use Lemma 2.9 to obtain $|\text{Spec}({\rho }_n^{\prime })|\le {(n+d)}^{d(d+1)/2}$. Hence,

$$\begin{array}{c}\hfill \eta (n)\le d(d+1)log(n+d).\end{array}$$ 3.6

It thus remains to construct ${\widehat{\sigma }}_{A^n{R}^n}$ satisfying the properties mentioned above. To do so we first establish a number of commutation statements.

• (i)
  From Lemma 2.7(ii) we have that $[{\widehat{\rho }}_{A^n{R}^n},{\rho }_n^{\prime }\otimes {\mathbb{1}}_{R^n}]=0$. Recalling the definition of ${\rho }^{\prime }$ from Eq. (3.3), we get

  $$\begin{array}{c}\hfill {\widehat{\rho }}_{A^n}={\text{Tr}}_{R^n}\left[{\mathcal{P}}_{{\rho }_n^{\prime }\otimes {\mathbb{1}}_{R^n}},({\rho }_{A^n{R}^n}^{\prime })\right]={\mathcal{P}}_{{\rho }_n^{\prime }}({\rho }_n^{\prime })={\rho }_n^{\prime },\end{array}$$ 3.7

  where the final step uses Lemma 2.7(i). As a result we find

  $$\begin{array}{c}\hfill [{\widehat{\rho }}_{A^n{R}^n},{\widehat{\rho }}_{A^n}\otimes {\mathbb{1}}_{R^n}]=0.\end{array}$$ 3.8
• (ii)
  From Lemma 2.7(ii) we have that $[{\rho }_{A^n{R}^n}^{\prime },{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}]=0$. Taking the partial trace over $R^n$, this implies $[{\rho }_n^{\prime },{\sigma }_{A^n}]=0$, so by Lemma 2.7(iv) and Eq. (3.3)

  $$\begin{array}{c}\hfill {\widehat{\rho }}_{A^n{R}^n}={\mathcal{P}}_{{\rho }_n^{\prime }\otimes {\mathbb{1}}_{R^n}}\left({\mathcal{P}}_{{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}},({\rho }_{A^n{R}^n})\right)={\mathcal{P}}_{{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}}\left({\mathcal{P}}_{{\rho }_n^{\prime }\otimes {\mathbb{1}}_{R^n}},({\rho }_{A^n{R}^n})\right).\end{array}$$

  Therefore, by Lemma 2.7(ii),

  $$\begin{array}{c}\hfill [{\widehat{\rho }}_{A^n{R}^n},{\sigma }_{A^n}\otimes {\mathbb{1}}_{R^n}]=0.\end{array}$$ 3.9
• (iii)
  Taking the partial trace over $R^n$ in Eq. (3.9), we get

  $$\begin{array}{c}\hfill [{\widehat{\rho }}_{A^n},{\sigma }_{A^n}]=0.\end{array}$$ 3.10

Having established these commutation relations, we define $\mathcal{T}\in \text{CPTP}(A^n,A^n{R}^n)$ by11

$$\begin{array}{c}\hfill \mathcal{T}({\omega }_{A^n})={\widehat{\rho }}_{A^n{R}^n}^{1/2}{\widehat{\rho }}_{A^n}^{-1/2}{\omega }_{A^n}{\widehat{\rho }}_{A^n}^{-1/2}{\widehat{\rho }}_{A^n{R}^n}^{1/2}.\end{array}$$

By construction,

$$\begin{array}{c}\hfill \mathcal{T}({\widehat{\rho }}_{A^n})={\widehat{\rho }}_{A^n{R}^n}.\end{array}$$ 3.11

We define

$$\begin{array}{c}\hfill {\widehat{\sigma }}_{A^n{R}^n}=\mathcal{T}({\sigma }_{A^n}).\end{array}$$ 3.12

To see that this is a valid choice of $\widehat{\sigma }$, i.e., that ${\widehat{\sigma }}_{A^n}={\sigma }_{A^n}={\sigma }_A^{\otimes n}$, we use Eqs. (3.8), (3.9) and (3.10) to find

$$\begin{array}{c}\hfill {\widehat{\sigma }}_{A^n}={\text{Tr}}_{R^n}\left[{\widehat{\rho }}_{A^n{R}^n}^{1/2},{\widehat{\rho }}_{A^n}^{-1/2},{\sigma }_{A^n},{\widehat{\rho }}_{A^n}^{-1/2},{\widehat{\rho }}_{A^n{R}^n}^{1/2}\right]={\text{Tr}}_{R^n}\left[{\widehat{\rho }}_{A^n{R}^n},{\widehat{\rho }}_{A^n}^{-1},{\sigma }_{A^n}\right]={\sigma }_{A^n}.\end{array}$$

Using Eqs. (3.11) and (3.12) followed by the data processing inequality [11], we obtain

$$\begin{array}{c}\hfill \frac{1}{n}{D}_{\alpha }\left({\widehat{\rho }}_{A^n{R}^n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)=\frac{1}{n}{D}_{\alpha }\left(\mathcal{T},({\widehat{\rho }}_{A^n}),,\Vert ,,\mathcal{T},({\sigma }_{A^n})\right)\le \frac{1}{n}{D}_{\alpha }\left({\widehat{\rho }}_{A^n},,\Vert ,,{\sigma }_{A^n}\right).\end{array}$$ 3.13

By Eqs. (3.7) and (3.3) we have ${\widehat{\rho }}_{A^n}={\rho }_n^{\prime }={\mathcal{P}}_{{\sigma }_{A^n}}({\rho }_{A^n})$. Therefore, continuing from Eq. (3.13) and using ${\sigma }_{A^n}={\mathcal{P}}_{{\sigma }_{A^n}}({\sigma }_{A^n})$ followed by the data processing inequality gives

$$\begin{array}{c}\hfill \frac{1}{n}{D}_{\alpha }\left({\widehat{\rho }}_{A^n{R}^n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\le \frac{1}{n}{D}_{\alpha }\left({\rho }_{A^n},,\Vert ,,{\sigma }_{A^n}\right)=\frac{1}{n}{D}_{\alpha }\left({\rho }_A^{\otimes n},,\Vert ,,{\sigma }_A^{\otimes n}\right)=D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right).\end{array}$$

Inserting this and our error bound from Eq. (3.6) into Eq. (3.4) proves the desired statement. $\square$

With this, we can now prove Theorem 3.1.

Proof of Theorem 3.1

Because $D_{\alpha }$ is additive under tensor products, for any $n\in \mathbb{N}$ we have

$$\begin{array}{cc}\hfill D_{\alpha }\left(\mathcal{E},({\rho }_{\mathit{AR}}),,\Vert ,,\mathcal{F},({\sigma }_{\mathit{AR}})\right)& =\frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n},({\rho }_{\mathit{AR}}^{\otimes n}),,\Vert ,,{\mathcal{F}}^{\otimes n},({\sigma }_{\mathit{AR}}^{\otimes n})\right)\hfill \\ \hfill & =\underset{{\widehat{\sigma }}_{A^n{R}^n}\text{s.t.}{\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}}{inf}\frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n},({\rho }_{\mathit{AR}}^{\otimes n}),,\Vert ,,{\mathcal{F}}^{\otimes n},({\widehat{\sigma }}_{A^n{R}^n})\right),\hfill \end{array}$$ 3.14

where the second equality holds because $\mathcal{F}=\mathcal{R}\circ {\text{Tr}}_R$, so ${\mathcal{F}}^{\otimes n}({\sigma }_{\mathit{AR}}^{\otimes n})={\mathcal{F}}^{\otimes n}({\widehat{\sigma }}_{A^n{R}^n})$ for any ${\widehat{\sigma }}_{A^n{R}^n}$ that satisfies ${\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}$. From the chain rule in Lemma 3.2 we get that for any ${\widehat{\sigma }}_{A^n{R}^n}$:

$$\begin{array}{cc}\hfill \frac{1}{n}{D}_{\alpha }\left({\mathcal{E}}^{\otimes n},({\rho }_{\mathit{AR}}^{\otimes n}),,\Vert ,,{\mathcal{F}}^{\otimes n},({\widehat{\sigma }}_{A^n{R}^n})\right)& \le \frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)+\frac{1}{n}{D}_{\alpha }^{\text{reg}}\left({\mathcal{E}}^{\otimes n},,\Vert ,,{\mathcal{F}}^{\otimes n}\right)\hfill \\ \hfill & =\frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)+D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right),\hfill \end{array}$$

where for the second line we used additivity of the regularised channel divergence (see Eq. (2.2)). Combining this with Eq. (3.14), we get

$$\begin{array}{c}\hfill D_{\alpha }\left(\mathcal{E},({\rho }_{\mathit{AR}}),,\Vert ,,\mathcal{F},({\sigma }_{\mathit{AR}})\right)\le \underset{{\widehat{\sigma }}_{A^n{R}^n}\text{s.t.}{\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}}{inf}\frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)+D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right).\end{array}$$ 3.15

Finally, using Lemma 3.3 and the fact that $d:=dim(A)$ and $\alpha >1$ are constants independent of n, we have

$$\begin{array}{cc}& \underset{n\to \infty }{lim}\underset{{\widehat{\sigma }}_{A^n{R}^n}\text{s.t.}{\widehat{\sigma }}_{A^n}={\sigma }_A^{\otimes n}}{inf}\frac{1}{n}{D}_{\alpha }\left({\rho }_{\mathit{AR}}^{\otimes n},,\Vert ,,{\widehat{\sigma }}_{A^n{R}^n}\right)\hfill \\ \hfill & \le D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right)+\underset{n\to \infty }{lim}\frac{\alpha }{\alpha -1}\frac{d(d+1)log(n+d)}{n}\hfill \\ \hfill & =D_{\alpha }\left({\rho }_A,,\Vert ,,{\sigma }_A\right).\hfill \end{array}$$

Therefore, taking $n\to \infty$ in Eq. (3.15) and inserting this yields the theorem statement.$\square$

Removing the regularisation

The chain rule presented in Theorem 3.1 contains a regularised channel divergence term, which cannot be computed easily and whose behaviour as $\alpha \searrow 1$ is not understood. In this section we show that in the specific case relevant for entropy accumulation, this regularisation can be removed. From this, we then derive a chain rule for Rényi entropies in Theorem 3.6.

Definition 3.4

(Replacer map). The replacer map ${\mathcal{S}}_A\in \text{CP}(A,A)$ is defined by its action on an arbitrary state ${\omega }_{\mathit{AR}}$:

$$\begin{array}{c}\hfill {\mathcal{S}}_A({\omega }_{\mathit{AR}})={\mathbb{1}}_A\otimes {\omega }_R.\end{array}$$

Note that as usual, when we write ${\mathcal{S}}_A({\omega }_{\mathit{AR}})$, we include an implicit tensoring with the identity channel, i.e. ${\mathcal{S}}_A({\omega }_{\mathit{AR}})=({\mathcal{S}}_A\otimes {\text{id}}_R)({\omega }_{\mathit{AR}})$.

Lemma 3.5

Let $\alpha \in (1,2)$, $\mathcal{E}\in \text{CPTP}(AR,A^{\prime }{R}^{\prime })$, and $\mathcal{F}={\mathcal{S}}_{A^{\prime }}\circ \mathcal{E}$, where ${\mathcal{S}}_{A^{\prime }}$ is the replacer map. Then we have

$$\begin{array}{c}\hfill D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)\le D_{\frac{1}{2-\alpha }}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right).\end{array}$$

Proof

Due to the choice of $\mathcal{F}$, we have that for any state ${\psi }^n\in \text{S}(A^n{R}^n{\tilde{R}}^n)$ (with $\tilde{R}\equiv AR$):

$$\begin{array}{c}\hfill D_{\alpha }\left({\mathcal{E}}^{\otimes n},({\psi }^n),,\Vert ,,{\mathcal{F}}^{\otimes n},({\psi }^n)\right)=-H_{\alpha }{\left({(A^{\prime })}^n,|,{(R^{\prime })}^n,{\tilde{R}}^n\right)}_{{\mathcal{E}}^{\otimes n}({\psi }^n)}.\end{array}$$

From [41, Proposition II.4] and [2, Lemma 4.2.2] we know that for every n, there exists a symmetric pure state $|{\widehat{\psi }}^n⟩\in {\text{Sym}}^n(AR\tilde{R})$ such that

$$\begin{array}{c}\hfill D_{\alpha }\left({\mathcal{E}}^{\otimes n},,\Vert ,,{\mathcal{F}}^{\otimes n}\right)=D_{\alpha }\left({\mathcal{E}}^{\otimes n},({\widehat{\psi }}^n),,\Vert ,,{\mathcal{F}}^{\otimes n},({\widehat{\psi }}^n)\right)=-H_{\alpha }{\left({(A^{\prime })}^n,|,{(R^{\prime })}^n,{\tilde{R}}^n\right)}_{{\mathcal{E}}^{\otimes n}({\psi }^n)},\end{array}$$

where ${\widehat{\psi }}^n=|{\widehat{\psi }}^n⟩⟨{\widehat{\psi }}^n|$ and the supremum in the definition of the channel divergence is achieved because the conditional entropy is continuous in the state. Let $d=dim(AR\tilde{R})$ and $g_{n,d}=dim({\text{Sym}}^n(AR\tilde{R}))\le {(n+1)}^{d^2-1}$. We define the state

$$\begin{array}{c}\hfill {\tau }_{A^n{R}^n{\tilde{R}}^n}^n=\int \mu ({\sigma }_{AR\tilde{R}}){\sigma }_{AR\tilde{R}}^{\otimes n},\end{array}$$ 3.16

where $\mu$ is the Haar measure on pure states. We now claim that in the limit $n\to \infty$, we can essentially replace the optimizer ${\widehat{\psi }}_{A^n{R}^n{\tilde{R}}^n}^n$ by the state ${\tau }_{A^n{R}^n{\tilde{R}}^n}^n$ in Eq. (3.16). More precisely, we claim that

$$\begin{array}{c}\hfill \underset{n\to \infty }{lim}\frac{1}{n}{H}_{\alpha }{({(A^{\prime })}^n|{(R^{\prime })}^n{\tilde{R}}^n)}_{{\mathcal{E}}^{\otimes n}({\widehat{\psi }}^n)}\ge \underset{n\to \infty }{lim}\frac{1}{n}{H}_{\frac{1}{2-\alpha }}{({(A^{\prime })}^n|{(R^{\prime })}^n{\tilde{R}}^n)}_{{\mathcal{E}}^{\otimes n}({\tau }^n)}.\end{array}$$ 3.17

To show this, we first use Lemma 2.3 to get

It is know that ${\tau }_{A^n{R}^n{\tilde{R}}^n}^n$ is the maximally mixed state on ${\text{Sym}}^n(AR\tilde{R})$ (see e.g. [13]). Therefore,

$$\begin{array}{c}\hfill {\rho }_{A^n{R}^n{\tilde{R}}^n}^n:=\frac{g_{n,d}{\tau }^n-{\widehat{\psi }}^n}{g_{n,d}-1}\end{array}$$

is a valid quantum state (i.e. positive and normalised). Hence, we can write

$$\begin{array}{c}\hfill {\tau }^n=\left(1,-,\frac{1}{g_{n,d}}\right){\rho }^n+\frac{1}{g_{n,d}}{\widehat{\psi }}^n.\end{array}$$

Using [1, Lemma B.5], it follows that

Since $\frac{log(g_{n,d})}{n}\le (d^2-1)\frac{logn}{n}$ vanishes as $n\to \infty$, taking the limit and using proves Eq. (3.17).

Having established Eq. (3.17), we can now conclude the proof of the lemma as follows

$$\begin{array}{cc}\hfill D_{\alpha }^{\text{reg}}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right)& =-\underset{n\to \infty }{lim}\frac{1}{n}{H}_{\alpha }{({(A^{\prime })}^n|{(R^{\prime })}^n{\tilde{R}}^n)}_{{\mathcal{E}}^{\otimes n}({\widehat{\psi }}^n)}\hfill \\ \hfill & \le -\underset{n\to \infty }{lim}\frac{1}{n}{H}_{\frac{1}{2-\alpha }}{({(A^{\prime })}^n|{(R^{\prime })}^n{\tilde{R}}^n)}_{{\mathcal{E}}^{\otimes n}({\tau }^n)}\hfill \\ \hfill & =\underset{n\to \infty }{lim}\frac{1}{n}{D}_{\frac{1}{2-\alpha }}\left({\mathcal{E}}^{\otimes n},(,\int ,\mu ,({\sigma }_{AR\tilde{R}}),{\sigma }_{AR\tilde{R}}^{\otimes n},),,\Vert ,,{\mathcal{F}}^{\otimes n},(,\int ,\mu ,({\sigma }_{AR\tilde{R}}),{\sigma }_{AR\tilde{R}}^{\otimes n},)\right)\hfill \\ \hfill & \le \underset{n\to \infty }{lim}\underset{{\sigma }_{AR\tilde{R}}\in \text{S}(AR\tilde{R})}{sup}\frac{1}{n}{D}_{\frac{1}{2-\alpha }}\left({\mathcal{E}}^{\otimes n},\left({\sigma }_{AR\tilde{R}}^{\otimes n}\right),,\Vert ,,{\mathcal{F}}^{\otimes n},\left({\sigma }_{AR\tilde{R}}^{\otimes n}\right)\right)\hfill \\ \hfill & =D_{\frac{1}{2-\alpha }}\left(\mathcal{E},,\Vert ,,\mathcal{F}\right),\hfill \end{array}$$

where we used joint quasi-convexity [11, Proposition 4.17] in the fourth line and additivity under tensor products in the last line. $\square$

Strengthened chain rule for conditional Rényi entropy

We next combine Theorem 3.1 with Lemma 3.5 to derive a new chain rule for the conditional Rényi entropy which then allows us to prove the generalised EAT in Sect. 4.

Lemma 3.6

Let $\alpha \in (1,2)$, $\rho \in \text{S}(ARE)$, and $\mathcal{M}\in \text{CPTP}(RE,A^{\prime }{R}^{\prime }{E}^{\prime })$ such that there exists $\mathcal{R}\in \text{CPTP}(E,E^{\prime })$ such that ${\text{Tr}}_{A^{\prime }{R}^{\prime }}\circ \mathcal{M}=\mathcal{R}\circ {\text{Tr}}_R$. Then

$$\begin{array}{c}\hfill H_{\alpha }{(A{A}^{\prime }|E^{\prime })}_{\mathcal{M}(\rho )}\ge H_{\alpha }{(A|E)}_{\rho }+\underset{\omega \in \text{S}(RE\tilde{E})}{inf}{H}_{\frac{1}{2-\alpha }}{(A^{\prime }|E^{\prime }\tilde{E})}_{\mathcal{M}(\omega )}\end{array}$$ 3.18

for a purifying system $\tilde{E}\equiv RE$.

Proof

We define the following maps12

$$\begin{array}{ccc}\hfill \mathcal{N}& ={\mathcal{S}}_{A^{\prime }}\circ \mathcal{M}\hfill & \hfill \in \text{CP}(RE,A^{\prime }{R}^{\prime }{E}^{\prime }),\\ \hfill \tilde{\mathcal{M}}& ={\text{id}}_A\otimes {\text{Tr}}_{R^{\prime }}\circ \mathcal{M}\hfill & \hfill \in \text{CPTP}(ARE,A{A}^{\prime }{E}^{\prime }),\\ \hfill \tilde{\mathcal{N}}& ={\mathcal{S}}_{A^{\prime }}\circ \tilde{\mathcal{M}}\hfill & \hfill \in \text{CP}(ARE,A{A}^{\prime }{E}^{\prime }).\end{array}$$

Note that in Eq. (3.18), we can replace $\mathcal{M}$ by $\tilde{\mathcal{M}}$, as the system $R^{\prime }$ does not appear in Eq. (3.18). With ${\sigma }_{\mathit{ARE}}={\mathbb{1}}_A\otimes {\rho }_{\mathit{RE}}$ and $\tilde{\mathcal{N}}={\mathcal{S}}_{A^{\prime }}\circ \tilde{\mathcal{M}}$, we can write

$$\begin{array}{c}\hfill -H_{\alpha }{(A{A}^{\prime }|E^{\prime })}_{\mathcal{M}(\rho )}=D_{\alpha }\left(\tilde{\mathcal{M}},({\rho }_{\mathit{ARE}}),,\Vert ,,\tilde{\mathcal{N}},({\sigma }_{\mathit{ARE}})\right).\end{array}$$

We now claim that there exists a map $\tilde{\mathcal{R}}\in \text{CP}(AE,A{A}^{\prime }E)$ such that $\tilde{\mathcal{N}}=\tilde{\mathcal{R}}\circ {\text{Tr}}_R$. To see this, observe that by assumption, ${\text{Tr}}_{A^{\prime }}\circ \tilde{\mathcal{M}}={\text{id}}_A\otimes \mathcal{R}\circ {\text{Tr}}_R$ for some $\mathcal{R}\in \text{CP}(E,E^{\prime })$. Then, we can define $\tilde{\mathcal{R}}\in \text{CP}(AE,A{A}^{\prime }E)$ by its action on an arbitrary state ${\omega }_{\mathit{AE}}$:

$$\begin{array}{c}\hfill \tilde{\mathcal{R}}({\omega }_{\mathit{AE}}):={\mathbb{1}}_{A^{\prime }}\otimes ({\text{id}}_A\otimes \mathcal{R})({\omega }_{\mathit{AE}})={\mathbb{1}}_{A^{\prime }}\otimes {\text{Tr}}_{A^{\prime }}\circ \tilde{\mathcal{M}}({\omega }_{\mathit{ARE}})=\tilde{\mathcal{N}}({\omega }_{\mathit{ARE}})\end{array}$$

for any extension ${\omega }_{\mathit{ARE}}$ of ${\omega }_{\mathit{AE}}$. Therefore, we can apply Theorem 3.1 to find

$$\begin{array}{c}\hfill D_{\alpha }\left(\tilde{\mathcal{M}},({\rho }_{\mathit{ARE}}),,\Vert ,,\tilde{\mathcal{N}},({\sigma }_{\mathit{ARE}})\right)\le D_{\alpha }\left({\rho }_{\mathit{AE}},,\Vert ,,{\sigma }_{\mathit{AE}}\right)+D_{\alpha }^{\text{reg}}\left(\tilde{\mathcal{M}},,\Vert ,,\tilde{\mathcal{N}}\right).\end{array}$$

By definition of $\sigma$, we have $D_{\alpha }\left({\rho }_{\mathit{AE}},,\Vert ,,{\sigma }_{\mathit{AE}}\right)=-H_{\alpha }{(A|E)}_{\rho }$. Since the channel divergence is stabilised (see Footnote 9), tensoring with ${\text{id}}_A$ has no effect, i.e.,

$$\begin{array}{c}\hfill D_{\alpha }^{\text{reg}}\left(\tilde{\mathcal{M}},,\Vert ,,\tilde{\mathcal{N}}\right)=D_{\alpha }^{\text{reg}}\left({\text{Tr}}_{R^{\prime }},\circ ,\mathcal{M},,\Vert ,,{\text{Tr}}_{R^{\prime }},\circ ,\mathcal{N}\right)=D_{\alpha }^{\text{reg}}\left({\text{Tr}}_{R^{\prime }},\circ ,\mathcal{M},,\Vert ,,{\mathcal{S}}_{A^{\prime }},\circ ,{\text{Tr}}_{R^{\prime }},\circ ,\mathcal{M}\right).\end{array}$$

To this, we can apply Lemma 3.5 and obtain

$$\begin{array}{c}\hfill D_{\alpha }^{\text{reg}}\left(\tilde{\mathcal{M}},,\Vert ,,\tilde{\mathcal{N}}\right)\le D_{\frac{1}{2-\alpha }}\left({\text{Tr}}_{R^{\prime }},\circ ,\mathcal{M},,\Vert ,,{\mathcal{S}}_{A^{\prime }},\circ ,{\text{Tr}}_{R^{\prime }},\circ ,\mathcal{M}\right)=-\underset{\omega \in \text{S}(RE\tilde{E})}{inf}{H}_{\frac{1}{2-\alpha }}{(A^{\prime }|E^{\prime }\tilde{E})}_{\mathcal{M}(\omega )}\end{array}$$

with $\tilde{E}\equiv RE$. Combining all the steps yields the desired statement. $\square$

Generalised Entropy Accumulation

We are finally ready to state and prove the main result of this work which is a generalisation of the EAT proven in [1]. We first state a simple version of this theorem, which follows readily from the chain rule Theorem 3.6 and captures the essential feature of entropy accumulation: the min-entropy of a state ${\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1(\rho )$ produced by applying a sequence of n channels can be lower-bounded by a sum of entropy contributions of each channel ${\mathcal{M}}_i$. However, for practical applications, it is desirable not to consider the state ${\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1(\rho )$, but rather that state conditioned on some classical event, for example “success” in a key distribution protocol – a concept called “testing”. Analogously to [1], we present an EAT adapted to that setting in Sect. 4.2.

Generalised EAT

Theorem 4.1

(Generalised EAT). Consider a sequence of channels ${\mathcal{M}}_i\in$ $\text{CPTP}(R_{i-1}{E}_{i-1},A_i{R}_i{E}_i)$ such that for all $i\in \{1,\cdots ,n\}$, there exists ${\mathcal{R}}_i\in \text{CPTP}(E_{i-1},E_i)$ such that ${\text{Tr}}_{A_i{R}_i}\circ {\mathcal{M}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$. Then for any $\epsilon \in (0,1)$ and any ${\rho }_{R_0{E}_0}\in \text{S}(R_0{E}_0)$

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\ge \sum _{i=1}^n\underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}-O(\sqrt{n})\end{array}$$

for a purifying system ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$. For a statement with explicit constants, see Eq. (4.1) in the proof.

Proof

By [1, Lemma B.10], we have for $\alpha \in (1,2)$

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\ge H_{\alpha }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}-\frac{g(\epsilon )}{\alpha -1}\end{array}$$

with $g(\epsilon )=log(1-\sqrt{1-{\epsilon }^2})$. From Theorem 3.6, we have

$$\begin{array}{cc}& H_{\alpha }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\hfill \\ \hfill & \ge H_{\alpha }{(A_1^{n-1}|E_{n-1})}_{{\mathcal{M}}_{n-1}\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\hfill \\ \hfill & +\underset{\omega \in \text{S}(R_{n-1}{E}_{n-1}{\tilde{E}}_{n-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_n|E_n{\tilde{E}}_{n-1})}_{{\mathcal{M}}_n(\omega )}.\hfill \end{array}$$

Repeating this step $n-1$ times, we get

$$\begin{array}{cc}\hfill H_{\alpha }{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}& \ge H_{\alpha }{(A_1|E_1)}_{{\mathcal{M}}_1({\rho }_{R_0{E}_0})}\hfill \\ \hfill & +\sum _{i=2}^n\underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}\hfill \\ \hfill & \ge \sum _{i=1}^n\underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )},\hfill \end{array}$$

where the final step uses the monotonicity of the Rényi divergence in $\alpha$ [11, Corollary 4.3]. From [1, Lemma B.9] we have for each $i\in \{1,\cdots ,n\}$ and $\alpha$ sufficiently close to 1,

$$\begin{array}{cc}& \underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}{H}_{\frac{1}{2-\alpha }}{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}\hfill \\ \hfill & \ge \underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}-\frac{\alpha -1}{2-\alpha }{log}^2(1+2dim(A_i)).\hfill \end{array}$$

Setting $d_A={max}_{i}dim(A_i)$ and combining the previous steps, we obtain

$$\begin{array}{cc}& H_{\text{min}}{(A_1^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})}\hfill \\ \hfill & \ge \sum _{i=1}^n\underset{{\omega }_i\in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{inf}H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i({\omega }_i)}-n\frac{\alpha -1}{2-\alpha }{log}^2(1+2d_A)-\frac{g(\epsilon )}{\alpha -1}.\hfill \\ \hfill \end{array}$$ 4.1

Using $\alpha =1+O(1/\sqrt{n})$ yields the result. $\square$

Generalised EAT with testing

In this section, we will extend Theorem 4.1 to include the possibility of “testing”, i.e., of computing the min-entropy of a cq-state conditioned on some classical event. This analysis is almost identical to that of [8]; we give the full proof for completeness, but will appeal to [8] for specific tight bounds. The resulting EAT (Theorem 4.3) has (almost) the same tight bounds as the result in [8], but replaces the Markov condition with the more general non-signalling condition. Hence, relaxing the Markov condition does not result in a significant loss in parameters (including second-order terms).

Consider a sequence of channels ${\mathcal{M}}_i\in \text{CPTP}(R_{i-1}{E}_{i-1},C_i{A}_i{R}_i{E}_i)$ for $i\in \{1,\cdots ,n\}$, where $C_i$ are classical systems with common alphabet $\mathcal{C}$. We require that these channels ${\mathcal{M}}_i$ satisfy the following condition: defining ${\mathcal{M}}_i^{\prime }={\text{Tr}}_{C_i}\circ {\mathcal{M}}_i$, there exist channels ${\mathcal{T}}_i\in \text{CPTP}(A_i{E}_i,C_i{A}_i{E}_i)$ and $\mathcal{T}\in \text{CPTP}(A^n{E}_n,C^n{A}^n{E}_n)$ such that ${\mathcal{M}}_i={\mathcal{T}}_i\circ {\mathcal{M}}_i^{\prime }$ and ${\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1=\mathcal{T}\circ {\mathcal{M}}_n^{\prime }\circ \cdots \circ {\mathcal{M}}_1^{\prime }$, where ${\mathcal{T}}_i$ and $\mathcal{T}$ have the form

$$\begin{array}{c}\hfill {\mathcal{T}}_i({\omega }_{A_i{E}_i})=\sum _{y\in {\mathcal{Y}}_i,z\in {\mathcal{Z}}_i}({\mathrm{\Pi }}_{A_i}^{(y)}\otimes {\mathrm{\Pi }}_{E_i}^{(z)}){\omega }_{A_i{E}_i}({\mathrm{\Pi }}_{A_i}^{(y)}\otimes {\mathrm{\Pi }}_{E_i}^{(z)})\otimes |r_i(y,z)⟩⟨r_i(y,z){|}_{C_i}\\ \hfill \mathcal{T}({\omega }_{A^n{E}_n})=\sum _{y\in \mathcal{Y},z\in \mathcal{Z}}({\mathrm{\Pi }}_{A^n}^{(y)}\otimes {\mathrm{\Pi }}_{E_n}^{(z)}){\omega }_{A^n{E}_n}({\mathrm{\Pi }}_{A^n}^{(y)}\otimes {\mathrm{\Pi }}_{E_n}^{(z)})\otimes |r(y,z)⟩⟨r(y,z){|}_{C^n},\end{array}$$ 4.2

where ${\{{\mathrm{\Pi }}_{A_i}^{(y)}\}}_y$ and ${\{{\mathrm{\Pi }}_{E_i}^{(z)}\}}_z$ are families of mutually orthogonal projectors on $A_i$ and $E_i$, and $r_i:{\mathcal{Y}}_i\times {\mathcal{Z}}_i\to \mathcal{C}$ is a deterministic function Similarly, ${\{{\mathrm{\Pi }}_{A^n}^{(y)}\}}_y$ and ${\{{\mathrm{\Pi }}_{E_n}^{(z)}\}}_z$ are families of mutually orthogonal projectors on $A^n$ and $E_n$, and $r:\mathcal{Y}\times \mathcal{Z}\to \mathcal{C}$ is a deterministic function. (Note that even though we use the same symbol for both, in principle there does not have to be any relationship between the single-round projectors ${\mathrm{\Pi }}_{A_i}$ and the projector ${\mathrm{\Pi }}_{A^n}$ (and likewise for ${\mathrm{\Pi }}_{E_i}$ and ${\mathrm{\Pi }}_{E_n}$), although in practice the latter will usually be the tensor product of the former.) Intuitively, this condition says that for each round, the classical statistics can be reconstructed “in a projective way” from the systems $A_i$ and $E_i$ in that round, and furthermore the full statistics information $C^n$ can be reconstructed in a projective way from the systems $A^n$ and $E_n$ at the end of the process. The latter condition is not implied by the former because future rounds may modify the $E_i$-system in such a way that $C_i$ can no longer be reconstructed from the side information $E_n$ at the end of the protocol. To rule this out, we need to specify the latter condition separately. In particular, this requirement is always satisfied if the statistics $C_i$ are computed from classical information contained in $A_i$ and $E_i$ and this classical information is not deleted from $E_i$ in future rounds. This is the scenario in all applications that we are aware of, but we state Eq. (4.2) more generally to allow for the possibility of protocols where the statistics are constructed in a more general way.

Let $\mathbb{P}$ be the set of probability distributions on the alphabet $\mathcal{C}$ of $C_i$, and let ${\tilde{E}}_{i-1}$ be a system isomorphic to $R_{i-1}{E}_{i-1}$. For any $q\in \mathbb{P}$ we define the set of states

$$\begin{array}{c}\hfill {\mathrm{\Sigma }}_i(q)=\{{\nu }_{C_i{A}_i{R}_i{E}_i{\tilde{E}}_{i-1}}={\mathcal{M}}_i({\omega }_{R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}})|\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})\text{and}{\nu }_{C_i}=q\},\end{array}$$ 4.3

where ${\nu }_{C_i}$ denotes the probability distribution over $\mathcal{C}$ with the probabilities given by $\text{Pr}\left[c\right]=⟨c|{\nu }_{C_i}|c⟩$. In other words, ${\mathrm{\Sigma }}_i(q)$ is the set of states that can be produced at the output of the channel ${\mathcal{M}}_i$ and whose reduced state on $C_i$ is equal to the probability distribution q.

Definition 4.2

A function $f:\mathbb{P}\to \mathbb{R}$ is called a min-tradeoff function for $\{{\mathcal{M}}_i\}$ if it satisfies

$$\begin{array}{c}\hfill f(q)\le \underset{\nu \in {\mathrm{\Sigma }}_i(q)}{min}H{(A_i|E_i{\tilde{E}}_{i-1})}_{\nu }\forall i=1,\cdots ,n.\end{array}$$

Note that if ${\mathrm{\Sigma }}_i(q)=\mathrm{\varnothing }$, then f(q) can be chosen arbitrarily.

Our result will depend on some simple properties of the tradeoff function, namely the maximum and minimum of f, the minimum of f over valid distributions, and the maximum variance of f:

$$\begin{array}{cc}\hfill \mathsf{Max}(f)& :=\underset{q\in \mathbb{P}}{max}f(q),\hfill \\ \hfill \mathsf{Min}(f)& :=\underset{q\in \mathbb{P}}{min}f(q),\hfill \\ \hfill {\mathsf{Min}}_{\mathrm{\Sigma }}(f)& :=\underset{q:\mathrm{\Sigma }(q)\ne \mathrm{\varnothing }}{min}f(q),\hfill \\ \hfill \mathsf{Var}(f)& :=\underset{q:\mathrm{\Sigma }(q)\ne \mathrm{\varnothing }}{max}\sum _{x\in \mathcal{C}}q(x)f{({\delta }_x)}^2-{\left(\sum _{x\in \mathcal{C}},q,(x),f,({\delta }_x)\right)}^2,\hfill \end{array}$$

where $\mathrm{\Sigma }(q)={\bigcup }_i{\mathrm{\Sigma }}_i(q)$ and ${\delta }_x$ is the distribution with all the weight on element x. We write $\mathsf{freq}(C^n)$ for the distribution on $\mathcal{C}$ defined by $\mathsf{freq}(C^n)(c)=\frac{|\{i\in \{1,\cdots ,n\}:C_i=c\}|}{n}$. We also recall that in this context, an event $\mathrm{\Omega }$ is defined by a subset of ${\mathcal{C}}^n$, and for a state ${\rho }_{C^n{A}^n{E}_n{R}_n}$ we write ${\text{Pr}}_{\rho }\left[\mathrm{\Omega }\right]={\sum }_{c^n\in \mathrm{\Omega }}\text{Tr}\left[{\rho }_{A_1^n{E}_n{R}_n,c^n}\right]$ for the probability of the event $\mathrm{\Omega }$ and

$$\begin{array}{c}\hfill {\rho }_{C^n{A}^n{E}_n{R}_n|\mathrm{\Omega }}=\frac{1}{{\text{Pr}}_{\rho }\left[\mathrm{\Omega }\right]}\sum _{c^n\in \mathrm{\Omega }}|c^n⟩⟨c^n{|}_{C^n}\otimes {\rho }_{A^n{E}_n{R}_n,c^n}\end{array}$$

for the state conditioned on $\mathrm{\Omega }$.

Theorem 4.3

Consider a sequence of channels ${\mathcal{M}}_i\in \text{CPTP}(R_{i-1}{E}_{i-1},C_i{A}_i{R}_i{E}_i)$ for $i\in \{1,\cdots ,n\}$, where $C_i$ are classical systems with common alphabet $\mathcal{C}$ and the sequence $\{{\mathcal{M}}_i\}$ satisfies Eq. (4.2) and the non-signalling condition: for each ${\mathcal{M}}_i$, there exists ${\mathcal{R}}_i\in \text{CPTP}(E_{i-1},E_i)$ such that ${\text{Tr}}_{A_i{R}_i{C}_i}\circ {\mathcal{M}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$. Let $\epsilon \in (0,1)$, $\alpha \in (1,3/2)$, $\mathrm{\Omega }\subset {\mathcal{C}}^n$, ${\rho }_{R_0{E}_0}\in \text{S}(R_0{E}_0)$, and f be an affine13 min-tradeoff function with $h={min}_{c^n\in \mathrm{\Omega }}f(\mathsf{freq}(c^n))$. Then,

$$\begin{array}{cc}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1{({\rho }_{R_0{E}_0})}_{|\mathrm{\Omega }}}& \ge nh-n\frac{\alpha -1}{2-\alpha }\frac{ln(2)}{2}{V}^2-\frac{g(\epsilon )+\alpha log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right])}{\alpha -1}\hfill \\ \hfill & -n{\left(\frac{\alpha -1}{2-\alpha }\right)}^2{K}^{\prime }(\alpha ),\hfill \end{array}$$ 4.4

where $\text{Pr}\left[\mathrm{\Omega }\right]$ is the probability of observing event $\mathrm{\Omega }$, and

$$\begin{array}{cc}\hfill g(\epsilon )& =-log(1-\sqrt{1-{\epsilon }^2}),\hfill \\ \hfill V& =log(2d_A^2+1)+\sqrt{2+\mathsf{Var}(f)},\hfill \\ \hfill K^{\prime }(\alpha )& =\frac{{(2-\alpha )}^3}{6{(3-2\alpha )}^{3}ln2}{2}^{\frac{\alpha -1}{2-\alpha }(2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f))}{ln}^3\left(2^{2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f)},+,e^2\right),\hfill \end{array}$$

with $d_A={max}_{i}dim(A_i)$.

Remark 4.4

The parameter in $\alpha$ in Theorem 4.3 can be optimized for specific problems, which leads to tighter bounds. Alternatively, it is possible to make a generic choice for $\alpha$ to recover a theorem that looks much more like Theorem 4.1, which is done in Corollary 4.6. We also remark that even tighter second order terms have been derived in [42]. To keep our theorem statement and proofs simpler, we do not carry out this additional optimization explicitly, but note that this can be done in complete analogy to [42].

To prove Theorem 4.3, we will need the following lemma (which is already implicit in [1, Claim 4.6], but we give a simplified proof here).

Lemma 4.5

Consider a quantum state $\rho \in \text{S}(CADE)$ that has the form

$$\begin{array}{c}\hfill {\rho }_{\mathit{CADE}}=\sum _{c\in \mathrm{\Omega }}|c⟩⟨c|\otimes {\rho }_{AE,c}\otimes {\rho }_{D|c},\end{array}$$

where $\mathrm{\Omega }\subset \mathcal{C}$ is a subset of the alphabet $\mathcal{C}$ of the classical system C, and for each c, ${\rho }_{AE,c}\in \text{Pos}(AE)$ is subnormalised and ${\rho }_{D|c}\in \text{S}(D)$ is a quantum state. Then for $\alpha >1$,

Proof

Let ${\sigma }_E\in \text{S}(E)$ such that

Then

$$\begin{array}{c}\hfill {\left({\sigma }_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{\mathit{CADE}},{\sigma }_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }=\sum _{c\in \mathrm{\Omega }}|c⟩⟨c|\otimes {\left({\sigma }_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{AE,c},{\sigma }_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }\otimes {\rho }_{D|c}^{\alpha }.\end{array}$$

Hence,

$$\begin{array}{cc}\hfill \text{Tr}\left[{\left({\sigma }_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{\mathit{CADE}},{\sigma }_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }\right]& =\sum _{c\in \mathrm{\Omega }}\text{Tr}\left[{\left({\sigma }_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{AE,c},{\sigma }_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }\right]\text{Tr}\left[{\rho }_{D|c}^{\alpha }\right]\hfill \\ \hfill & \le \underset{{\tilde{\sigma }}_E\in \text{S}(E)}{sup}\text{Tr}\left[\sum _{c\in \mathrm{\Omega }},|c⟩⟨c|,\otimes ,{\left({\tilde{\sigma }}_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{AE,c},{\tilde{\sigma }}_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }\right]\hfill \\ \hfill & \times \underset{c\in \mathrm{\Omega }}{max}\text{Tr}\left[{\rho }_{D|c}^{\alpha }\right]\hfill \\ \hfill & =\underset{{\tilde{\sigma }}_E\in \text{S}(E)}{sup}\text{Tr}\left[{\left({\tilde{\sigma }}_E^{\frac{1-\alpha }{2\alpha }},{\rho }_{\mathit{CAE}},{\tilde{\sigma }}_E^{\frac{1-\alpha }{2\alpha }}\right)}^{\alpha }\right]\underset{c\in \mathrm{\Omega }}{max}\text{Tr}\left[{\rho }_{D|c}^{\alpha }\right]\hfill \end{array}$$

Recalling the definitions of $D_{\alpha }$ (Definition 2.1) and (Definition 2.2), we see that the lemma follows by taking the logarithm and multiplying by $\frac{1}{\alpha -1}$. $\square$

Proof of Theorem 4.3

As in the proof of Theorem 4.1, we first use [1, Lemma B.10] to get

4.5

for $\alpha \in (1,2]$ and $g(\epsilon )=log(1-\sqrt{1-{\epsilon }^2})$. We therefore need to find a lower bound for

4.6

where the equality holds because of Eq. (4.2) and [1, Lemma B.7].

Before proceeding with the formal proof, let us explain the main difficulty compared to Theorem 4.1. The state for which we need to compute the entropy in Eq. (4.6) is conditioned on the event $\mathrm{\Omega }\subset {\mathcal{C}}^n$. This is a global event, in the sense that it depends on the classical outputs $C_1,\cdots ,C_n$ of all rounds. We essentially seek a lower bound that involves ${min}_{\nu \in {\mathrm{\Sigma }}_i(\mathsf{freq}(c^n))}{H}_{\alpha }{(A_i|E_i)}_{\nu }$ for some $c^n\in \mathrm{\Omega }$, i.e., for every round we only want to minimize over output states of the channel ${\mathcal{M}}_i$ whose distribution on $C_i$ matches the frequency distribution $\mathsf{freq}(c^n)$ of the n rounds we observed. This means that we must use the global conditioning on $\mathrm{\Omega }$ to argue that in each round, we can restrict our attention to states whose outcome distribution matches the (worst-case) frequency distribution associated with $\mathrm{\Omega }$. The chain rule Theorem 3.1 does not directly allow us to do this as the r.h.s. of Eq. (3.18) always minimizes over all possible input states.

To circumvent this, we follow a strategy that was introduced in [1] and optimized in [8] (see also [16, 21, 43] for related ideas and [44] for follow-up work). For every i, we introduce a quantum system $D_i$ with $dim(D_i)=\lceil 2^{\mathsf{Max}(f)-\mathsf{Min}(f)}\rceil$ and define ${\mathcal{D}}_i\in \text{CPTP}(C_i,C_i{D}_i)$ by

$$\begin{array}{c}\hfill {\mathcal{D}}_i({\omega }_{C_i})=\sum _{c\in \mathcal{C}}⟨c|{\omega }_{C_i}|c⟩·|c⟩⟨c|\otimes {\tau }_{D_i|c}.\end{array}$$

For every $c\in \mathcal{C}$, the state ${\tau }_{D_i|c}\in \text{S}(D)$ is defined as the mixture between a uniform distribution on $\{1,\cdots ,\lfloor 2^{\mathsf{Max}(f)-f({\delta }_c)}\rfloor \}$ and a uniform distribution on $\{1,\cdots ,\lceil 2^{\mathsf{Max}(f)-f({\delta }_c)}\rceil \}$ that satisfies

$$\begin{array}{c}\hfill H{(D_i)}_{{\tau }_{D_i|c}}=\mathsf{Max}(f)-f({\delta }_c),\end{array}$$

where ${\delta }_x$ stands for the distribution with all the weight on element x. This is clearly possible if $dim(D_i)=\lceil 2^{\mathsf{Max}(f)-\mathsf{Min}(f)}\rceil$.

We define ${\overline{\mathcal{M}}}_i={\mathcal{D}}_i\circ {\mathcal{M}}_i$ and denote

$$\begin{array}{c}\hfill {\rho }_{C^n{A}^n{R}_n{E}_n}^n={\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }_{R_0{E}_0})\text{and}{\overline{\rho }}_{C^n{A}^n{D}^n{R}_n{E}_n}^n={\overline{\mathcal{M}}}_n\circ \cdots \circ {\overline{\mathcal{M}}}_1({\rho }_{R_0{E}_0}).\end{array}$$

The state ${\overline{\rho }}_{|\mathrm{\Omega }}^n$ has the right form for us to apply Lemma 4.5 and get

4.7

where

$$\begin{array}{c}\hfill {\overline{\rho }}_{D^n|c^n}^n={\tau }_{D_1|c_1}\otimes \cdots \otimes {\tau }_{D_n|c_n}.\end{array}$$

We treat each term in Eq. (4.7) in turn.

• (i)
  For the term on the l.h.s., it is easy to see that ${\overline{\rho }}_{C^n{A}^n{R}_n{E}_n|\mathrm{\Omega }}^n={\rho }_{C^n{A}^n{R}_n{E}_n|\mathrm{\Omega }}^n$, so

  4.8
• (ii)
  For the first term on the r.h.s., we compute

  $$\begin{array}{cc}\hfill H_{\alpha }{(D^n)}_{{\overline{\rho }}_{D^n|c^n}^n}=\sum _i{H}_{\alpha }{(D_i)}_{{\tau }_{D_i|c_i}}\le \sum _{i}H{(D_i)}_{{\tau }_{D_i|c_i}}& =n\mathsf{Max}(f)-\sum _{i}f({\delta }_{c_i})\hfill \\ \hfill & =n\mathsf{Max}(f)-nf(\mathsf{freq}(c^n)),\hfill \end{array}$$ 4.9

  where the last equality holds because f is affine.
• (iii)
  For the second term on the r.h.s., we first use [1, Lemma B.5] to remove the conditioning on the event $\mathrm{\Omega }$, and then use that removing the classical system $C^n$ and switching from to $H_{\alpha }$ can only decrease the entropy:

  

  where we used ${\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right]={\text{Pr}}_{{\overline{\rho }}^n}\left[\mathrm{\Omega }\right]$. Now noting that ${\text{Tr}}_{D_i}\circ {\overline{\mathcal{M}}}_i={\mathcal{M}}_i$, we see that the non-signalling condition ${\text{Tr}}_{A_i{R}_i{C}_i}\circ {\mathcal{M}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$ on ${\mathcal{M}}_i$ implies the non-signalling condition ${\text{Tr}}_{A_i{R}_i{C}_i{D}_i}\circ {\overline{\mathcal{M}}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$ on ${\overline{\mathcal{M}}}_i$. We can therefore apply the chain rule in Theorem 3.6 to find

  $$\begin{array}{c}\hfill H_{\alpha }{(A^n{D}^n|E_n)}_{{\overline{\rho }}^n}\ge \sum _{i=1}^n\underset{{\omega }_{i-1}\in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1})}{min}{H}_{\beta }{(A_i{D}_i|E_i{\tilde{E}}_{i-1})}_{{\overline{\mathcal{M}}}_i({\omega }_{i-1})},\end{array}$$

  where we introduced the shorthand $\beta :=\frac{1}{2-\alpha }$ and the purifying system ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$. Noting that for $\alpha \in (1,3/2)$ we have $\beta \in (1,2)$, we can now use [8, Corollary IV.2] to obtain

  $$\begin{array}{cc}& H_{\beta }{(A_i{D}_i|E_i{\tilde{E}}_{i-1})}_{{\overline{\mathcal{M}}}_i({\omega }_{i-1})}\hfill \\ \hfill & \ge H{(A_i{D}_i|E_i{\tilde{E}}_{i-1})}_{{\overline{\mathcal{M}}}_i({\omega }_{i-1})}-(\beta -1)\frac{ln(2)}{2}{V}^2-{(\beta -1)}^{2}K(\beta ),\hfill \end{array}$$

  where $V^2$ and $K(\beta )$ are quantities from [8, Proposition V.3] that satisfy

  $$\begin{array}{cc}\hfill K(\beta )& \le \frac{1}{6{(2-\beta )}^{3}ln2}\hfill \\ \hfill & 2^{(\beta -1)(2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f))}{ln}^3\left(2^{2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f)},+,e^2\right),\hfill \\ \hfill V^2& ={\left(log,(2d_A^2+1),+,\sqrt{2+\mathsf{Var}(f)}\right)}^2,\hfill \end{array}$$

  where $d_A={max}_{i}dim(A_i)$. Note that the above expressions derived in [8, Proposition V.3] also hold in our case due to the first part of Eq. (4.2). Furthermore, as in the proof of [8, Proposition V.3], we have

  $$\begin{array}{c}\hfill H{(A_i{D}_i|E_i{\tilde{E}}_{i-1})}_{{\overline{\mathcal{M}}}_i({\omega }_{i-1})}\ge \mathsf{Max}(f).\end{array}$$

  Therefore, the second term on the r.h.s. of Eq. (4.7) is bounded by

  4.10

Combining our results for each of the three terms (i.e. Eqs. (4.8), (4.9) and (4.10)) and recalling $h={min}_{x^n\in \mathrm{\Omega }}f(\mathsf{freq}(x^n))$, Eq. (4.7) becomes

Inserting this into Eqs. (4.5) and (4.6), and defining $K^{\prime }(\alpha )=K(\beta )=K(\frac{1}{2-\alpha })$ we obtain

$$\begin{array}{cc}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1{({\rho }_{R_0{E}_0})}_{|\mathrm{\Omega }}}& \ge nh-n(\beta -1)\frac{ln(2)}{2}{V}^2-\frac{g(\epsilon )+\alpha log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right])}{\alpha -1}\hfill \\ \hfill & -n{(\beta -1)}^{2}K(\beta )\hfill \end{array}$$ 4.11

as desired. $\square$

Corollary 4.6

For the setting given in Theorem 4.3 we have

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1{({\rho }_{R_0{E}_0})}_{|\mathrm{\Omega }}}\ge nh-c_1\sqrt{n}-c_0,\end{array}$$

where the quantities $c_1$ and $c_0$ are given by

$$\begin{array}{cc}\hfill c_1& =\sqrt{\frac{2ln(2)V^2}{\eta }(g(\epsilon )+(2-\eta )log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right]))},\hfill \\ \hfill c_0& =\frac{(2-\eta ){\eta }^{2}log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right])+{\eta }^{2}g(\epsilon )}{3{(ln2)}^2{V}^2{(2\eta -1)}^3}\hfill \\ \hfill & 2^{\frac{1-\eta }{\eta }(2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f))}{ln}^3\left(2^{2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f)},+,e^2\right)\hfill \end{array}$$

with

$$\begin{array}{cc}\hfill \eta & =\frac{2ln(2)}{1+2ln(2)},g(\epsilon )=log(1-\sqrt{1-{\epsilon }^2}),V=log(2d_A^2+1)+\sqrt{2+\mathsf{Var}(f)}.\hfill \end{array}$$

Proof

We first note that for any $\mathrm{\Omega }$ with non-zero probability, $h\le log{d}_A$. Therefore, if $n\le {\left(\frac{c_1}{2log{d}_A}\right)}^2$, it is easy to check that $nh-c_1\sqrt{n}\le -nlog{d}_A$, so the statement of Corollary 4.6 becomes trivial. We may therefore assume that $n\ge {(\frac{c_1}{2log{d}_A})}^2$.

As in the proof of Theorem 4.3, we define $\beta =\frac{1}{2-\alpha }$. The first part of the proof works for any $\alpha \in (1,2-\eta )$ for $\eta =\frac{2ln(2)}{1+2ln(2)}\approx 0.58$; later we will make a specific choice of $\alpha$ in this interval. Then, $\beta -1=\frac{1}{2-\alpha }-1\le \frac{\alpha -1}{\eta }$ and $\beta \in (1,1/\eta )$. Therefore, using $K(\beta )$ as defined in the proof of Theorem 4.3 and noting that in the interval $\beta \in (1,1/\eta )\subset (1,2)$ this quantity is monotonically increasing in $\beta$, we have

$$\begin{array}{cc}& K(\beta )\le K:=\hfill \\ \hfill & \frac{{\eta }^3}{6{(2\eta -1)}^{3}ln2}{2}^{\frac{1-\eta }{\eta }(2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f))}{ln}^3\left(2^{2log{d}_A+\mathsf{Max}(f)-{\mathsf{Min}}_{\mathrm{\Sigma }}(f)},+,e^2\right),\hfill \end{array}$$

Hence, we can simplify the statement of Theorem 4.3 to

$$\begin{array}{cc}& H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1{({\rho }_{R_0{E}_0})}_{|\mathrm{\Omega }}}\hfill \\ \hfill & \ge nh-n(\alpha -1)\frac{ln(2)}{2\eta }{V}^2-\frac{g(\epsilon )+(2-\eta )·log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right])}{\alpha -1}-n{(\alpha -1)}^2\frac{K}{{\eta }^2}.\hfill \\ \hfill \end{array}$$ 4.12

We now choose $\alpha >1$ as a function of n and $\epsilon$ so that the terms proportional to $\alpha -1$ and $\frac{1}{\alpha -1}$ match:

$$\begin{array}{c}\hfill \alpha =1+\sqrt{\frac{2\eta }{nln(2)V^2}(g(\epsilon )+(2-\eta )log(1/{\text{Pr}}_{{\rho }^n}\left[\mathrm{\Omega }\right]))}.\end{array}$$

Inserting this choice of $\alpha$ into Eq. (4.12) and combining terms yields the constants in Corollary 4.6. The final step is to show that this choice of $\alpha$ indeed satisfies $\alpha \le 2-\eta$ for $n\ge {(\frac{c_1}{2log{d}_A})}^2$. For this, we note that for $n\ge {(\frac{c_1}{2log{d}_A})}^2$, we have

$$\begin{array}{c}\hfill \alpha =1+\frac{\eta }{ln(2)V^2}\frac{c_1}{\sqrt{n}}\le 1+\frac{2\eta log{d}_A}{ln(2)V^2}.\end{array}$$

We can now use that $V^2\ge {\left(log,(,2,d_A^2,)\right)}^2\ge 4log{d}_A$ since $d_A\ge 2$, so

$$\begin{array}{c}\hfill \alpha \le 1+\frac{2\eta log{d}_A}{ln(2)V^2}\le 1+\frac{\eta }{2ln(2)}=2-\eta ,\end{array}$$

where the last inequality holds because $\eta =\frac{2ln(2)}{1+2ln(2)}$. $\square$

In many applications, e.g. randomness expansion or QKD, a round can either be a “data generation round” (e.g. to generate bits of randomness or key) or a “test round” (e.g. to test whether a device used in the protocol behaves as intended). More formally, in this case the maps ${\mathcal{M}}_i\in \text{CPTP}(R_{i-1}{E}_{i-1},C_i{A}_i{R}_i{E}_i)$ can be written as

$$\begin{array}{c}\hfill {\mathcal{M}}_i=\gamma {\mathcal{M}}_{i,R_{i-1}{E}_{i-1}\to C_i{A}_i{R}_i{E}_i}^{\text{test}}+(1-\gamma ){\mathcal{M}}_{i,R_{i-1}{E}_{i-1}\to A_i{R}_i{E}_i}^{\text{data}}\otimes {|\perp ⟩⟨\perp |}_{C_i},\end{array}$$ 4.13

where the output of ${\mathcal{M}}_i^{\text{test}}$ on system $C_i$ is from some alphabet ${\mathcal{C}}^{\prime }$ that does not include $\perp$, so the alphabet of system $C_i$ is $\mathcal{C}={\mathcal{C}}^{\prime }\cup \{\perp \}$. The parameter $\gamma$ is called the testing probability, and for efficient protocols we usually want $\gamma$ to be as small as possible.

For maps of the form in Eq. (4.13), there is a general way of constructing a min-tradeoff function for the map ${\mathcal{M}}_i$ based only on the statistics generated by the map ${\mathcal{M}}_i^{\text{test}}$. This was shown in [8] and we reproduce their result (adapted to our notation) here for the reader’s convenience.

Lemma 4.7

([8, Lemma V.5]). Let ${\mathcal{M}}_i\in \text{CPTP}(R_{i-1}{E}_{i-1},C_i{A}_i{R}_i{E}_i)$ be channels satisfying the same conditions as in Theorem 4.3 that can furthermore be decomposed as in Eq. (4.13). Suppose that an affine function $g:\mathbb{P}({\mathcal{C}}^{\prime })\to \mathbb{R}$ satisfies for any $q^{\prime }\in \mathbb{P}({\mathcal{C}}^{\prime })$ and any $i=1,\cdots ,n$

$$\begin{array}{c}\hfill g(q^{\prime })\le \underset{\omega \in \text{S}(R_{i-1}{E}_{i-i}{\tilde{E}}_{i-1})}{min}\{H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}:{\left({\mathcal{M}}_i^{\text{test}},(\omega )\right)}_{C_i}=q^{\prime }\}\end{array}$$ 4.14

where ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$ is a purifying system. Then, the affine function $f:\mathbb{P}(\mathcal{C})\to \mathbb{R}$ defined by

$$\begin{array}{cc}\hfill f({\delta }_x)& =\mathsf{Max}(g)+\frac{1}{\gamma }(g({\delta }_x)-\mathsf{Max}(g))\forall x\in {\mathcal{C}}^{\prime }\hfill \\ \hfill f({\delta }_{\perp })& =\mathsf{Max}(g)\hfill \end{array}$$

is a min-tradeoff function for $\{{\mathcal{M}}_i\}$. Moreover,

$$\begin{array}{cc}\hfill \mathsf{Max}(f)& =\mathsf{Max}(g)\hfill \\ \hfill \mathsf{Min}(f)& =\left(1,-,\frac{1}{\gamma }\right)\mathsf{Max}(g)+\frac{1}{\gamma }\mathsf{Min}(g)\hfill \\ \hfill {\mathsf{Min}}_{\mathrm{\Sigma }}(f)& \ge \mathsf{Min}(g)\hfill \\ \hfill \mathsf{Var}(f)& \le \frac{1}{\gamma }(\mathsf{Max}(g)-\mathsf{Min}(g){)}^2.\hfill \end{array}$$

Sample Applications

To demonstrate the utility of our generalised EAT, we provide two sample applications. Firstly, in Sect. 5.1 we prove security of blind randomness expansion against general attacks. The notion of blind randomness was defined in [15] and has potential applications in mistrustful cryptography (see [15, 16] for a detailed motivation). Until now, no security proof against general attacks was known. In particular, the original EAT is not applicable because its model of side information is too restrictive. With our generalised EAT, we can show that security against general attacks follows straightforwardly from a single-round security statement.

Secondly, in Sect. 5.2 we give a simplified security proof for the E91 QKD protocol [45], which was also treated with the original EAT [1]. This example is meant to help those familiar with the original EAT understand the difference between that result and our generalised EAT. In particular, this application highlights the utility of our more general model of side information: in our proof, the non-signalling condition is satisfied trivially and the advantage over the original EAT stems purely from being able to update the side information register $E_i$. We point out that while here we focus on the E91 protocol to allow an easy comparison with the original EAT, our generalised EAT can be used for a large class of QKD protocols for which the original EAT was not applicable at all. A comprehensive treatment of this is given in [7].

Blind randomness expansion

We start by recalling the idea of standard (non-blind) device-independent randomness expansion [17–21]. Alice would like to generate a uniformly random bit string using devices $D_1$ and $D_2$ prepared by an adversary Eve. To this end, in her local lab (which Eve cannot access) she isolates the devices from one another and plays multiple round of a non-local game with them, e.g. the CHSH game. On a subset of the rounds of the game, she checks whether the CHSH condition is satisfied. If this is the case on a sufficiently high proportion of rounds, she can conclude that the devices’ outputs on the remaining rounds must contain a certain amount of entropy, conditioned on the input to the devices and any quantum side information that Eve might have kept from preparing the devices. Using a quantum-proof randomness extractor, Alice can then produce a uniformly random string.

Blind randomness expansion [15, 16] is a significant strengthening of the above idea. Here, Alice only receives one device $D_1$, which she again places in her local lab isolated from the outside world. Now, Alice plays a non-local game with her device $D_1$ and the adversary Eve: she samples questions for a non-local game as before, inputs one of the questions to $D_1$, and sends the other question to Eve. $D_1$ and Eve both provide an output. Alice then proceeds as in standard randomness expansion, checking whether the winning condition of the non-local game is satisfied on a subset of rounds and concluding that the output of her device $D_1$ must contain a certain amount of entropy conditioned on the adversary’s side information.

For the purpose of applying the EAT, the crucial difference between the two notions of randomness expansion is the following: in standard randomness expansion, the adversary’s quantum side information is not acted upon during the protocol, and additional side information (the inputs to the devices, which we also condition on) are generated independently in a round-by-round manner. This allows a relatively straightforward application of the standard EAT [4]. In contrast, in blind randomness expansion, the adversary’s quantum side information gets updated in every round of the protocol and is not generated independently in a round-by-round fashion. This does not fit in the framework of the standard EAT, which requires the side information to be generated round-by-round subject to a Markov condition. As a result, [15, 16] were not able to prove a general multi-round blind randomness expansion result.

In the rest of this section, we will show that our generalised EAT is capable of treating multi-round blind randomness expansion, using a protocol similar to [14, Protocol 3.1]. A formal description of the protocol is given in Protocol 1.

The following proposition shows a lower bound on on the amount of randomness Alice can extract from this protocol, as specified by the min-entropy. For this, we assume a lower-bound on the single-round von Neumann entropy. Such a single-round bound can be found numerically using a generic method as explained after the proof of Lemma 5.1.

Proposition 5.1

Suppose Alice executes Protocol 1 with a device D that cannot communicate with Eve. We denote by $R_i$ and $E_i^{\prime }$ the (arbitrary) quantum systems of the device D and the adversary Eve after the i-th round, respectively. Eve’s full side-information after the i-th round is $E_i:=T^i{X}^i{Y}^i{B}^i{E}_i^{\prime }$. A single round of the protocol can be described by a quantum channel ${\mathcal{N}}_i\in \text{CPTP}(R_{i-1}{E}_{i-1},C_i{A}_i{R}_i{E}_i)$. We also define ${\mathcal{N}}_i^{\text{test}}$ to be the same as ${\mathcal{N}}_i$, except that ${\mathcal{N}}_i^{\text{test}}$ always picks $T_i=1$. Let ${\rho }_{A^n{C}^n{R}_n{E}_n}$ be the state at the end of the protocol and $\mathrm{\Omega }$ the event that Alice does not abort.

Let $g:\mathbb{P}(\{0,1\})\to \mathbb{R}$ be an affine function satisfying the conditions

$$\begin{array}{c}\hfill g(p)\le \underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}):{\mathcal{N}}_i^{\text{test}}{(\omega )}_{C_i}=p}{inf}H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{N}}_i(\omega )},\mathsf{Max}(g)=g({\delta }_1),\end{array}$$ 5.1

where ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$ is a purifying system. Then, for any ${\epsilon }_a,{\epsilon }_s\in (0,1)$, either $\text{Pr}\left[\mathrm{\Omega }\right]\le {\epsilon }_a$ or

$$\begin{array}{c}\hfill H_{\text{min}}^s{(A^n|E_n)}_{{\rho }_{|\mathrm{\Omega }}}\ge nh-c_1\sqrt{n}-c_0\end{array}$$

for $c_1,c_0\ge 0$ independent of n and

$$\begin{array}{cc}\hfill h& =\underset{p^{\prime }\in \mathbb{P}(\{0,1\}):p^{\prime }(0)\le 1-{\omega }_{\text{exp}}+\delta }{min}g(p^{\prime }),\hfill \end{array}$$

where ${\omega }_{\text{exp}}$ is the expected winning probability and $\delta$ the error tolerance from Protocol 1. If we treat ${\epsilon }_s,{\epsilon }_a,dim(A_i),\delta ,\mathsf{Max}(g),$ and $\mathsf{Min}(g)$ as constants, then $c_1=O(1/\sqrt{\gamma })$ and $c_0=O(1)$.

Furthermore, if there exists a quantum strategy that wins the game G with probability ${\omega }_{\text{exp}}$, there is an honest behaviour of D and Eve for which $\text{Pr}\left[\mathrm{\Omega }\right]\ge 1-exp(-\frac{{\delta }^2}{1-{\omega }_{\text{exp}}+\delta }\gamma n)$.

Remark 5.2

The condition on g(p) in Eq. (5.1) is formulated in terms of the entropy

$$\begin{array}{c}\hfill H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{N}}_i(\omega )}=H{(A_i|T^i{X}^i{Y}^i{B}^i{E}_i^{\prime }{\tilde{E}}_{i-1})}_{{\mathcal{N}}_i(\omega )}\end{array}$$

with ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}$. However, the map ${\mathcal{N}}_i$ corresponding to the i-th round does not act on the systems $T^{i-1}{X}^{i-1}{Y}^{i-1}{B}^{i-1}$. Therefore, we can view these systems as part of the purifying system. Since the infimum in Eq. (5.1) already includes a purifying ${\tilde{E}}_{i-1}$, we can drop these additional systems and without loss of generality choose ${\tilde{E}}_{i-1}$ to be isomorphic to those input systems on which ${\mathcal{N}}_i$ acts non-trivially, i.e. ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}^{\prime }$. This means that we can replace the upper bound on g in Eq. (5.1) by the equivalent condition

$$\begin{array}{c}\hfill g(p)\le \underset{\omega \in \text{S}(R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}):{\mathcal{N}}_i^{\text{test}}{(\omega )}_{C_i}=p}{inf}H{(A_i|B_i{X}_i{Y}_i{T}_i{E}_i^{\prime }{\tilde{E}}_{i-1})}_{{\mathcal{N}}_i(\omega )}\end{array}$$ 5.2

with ${\tilde{E}}_{i-1}\equiv R_{i-1}{E}_{i-1}^{\prime }$. For the proof of Lemma 5.1 we will use Eq. (5.1) since it more closely matches the notation of Theorem 4.3, but intuitively, Eq. (5.2) is more natural as it only involves quantities related to the i-th round of the protocol.

Proof of Lemma 5.1

To show the min-entropy lower bound, we will make use of Corollary 4.6. For this, we first check that the maps ${\mathcal{N}}_i$ satisfy the required conditions. Since $C_i$ is a deterministic function of the (classical) variables $X_i,Y_i,A_i,$ and $B_i$, it is clear that Eq. (4.2) is satisfied. For the non-signalling condition, we define the map ${\mathcal{R}}_i\in \text{CPTP}(E_{i-1},E_i)$ as follows: ${\mathcal{R}}_i$ samples $T_i,X_i$ and $Y_i$ as Alice does in Step 5.1 of Protocol 1. $\mathcal{R}$ then performs Eve’s actions in the protocol (which only act on $Y_i$ and $E_{i-1}^{\prime }$, which is part of $E_{i-1}$). It is clear that the distribution on $X_i$ and $Y_i$ produced by ${\mathcal{R}}_i$ is the same as for ${\mathcal{N}}_i$. By the assumption that D and Eve cannot communicate, the marginal of the output of ${\mathcal{N}}_i$ on Eve’s side must be independent of the device’s system $R_{i-1}$. Hence, ${\text{Tr}}_{A_i{R}_i{C}_i}\circ {\mathcal{N}}_i={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$.

To construct a min-tradeoff function, we note that we can split ${\mathcal{N}}_i=\gamma {\mathcal{N}}_i^{\text{test}}+(1-\gamma ){\mathcal{N}}_i^{\text{data}}$, with ${\mathcal{N}}_i^{\text{test}}$ always picking $T_i=1$ and ${\mathcal{N}}_i^{\text{data}}$ always picking $T_i=0$. Then, we get from Lemma 4.7 and the condition $\mathsf{Max}(g)=g({\delta }_1)$ that the affine function f defined by

$$\begin{array}{c}\hfill f({\delta }_0)=g({\delta }_1)+\frac{1}{\gamma }(g({\delta }_0)-g({\delta }_1)),f({\delta }_1)=f({\delta }_{\perp })=g({\delta }_1)\end{array}$$

is an affine min-tradeoff function for $\{{\mathcal{N}}_i\}$.

Viewing the event $\mathrm{\Omega }$ as a subset of the range ${\{0,1\}}^n$ of the random variable $C^n$ and comparing with the abort condition in Protocol 1, we see that $c^n\in \mathrm{\Omega }$ implies $\mathsf{freq}(c^n)(0)\le (1-{\omega }_{\text{exp}}+\delta )\gamma$. Therefore, for $c^n\in \mathrm{\Omega }$ and denoting $p=\mathsf{freq}(c^n)$,

$$\begin{array}{c}\hfill f(\mathsf{freq}(c^n))=p(0)f({\delta }_0)+(1-p(0))f({\delta }_1)=\frac{p(0)}{\gamma }g({\delta }_0)+\left(1,-,\frac{p(0)}{\gamma }\right)g({\delta }_1)\ge h,\end{array}$$

where the last inequality holds because g is affine and the distribution $p^{\prime }(0)=p(0)/\gamma ,p^{\prime }(1)=1-p(0)/\gamma$ satisfies $p^{\prime }(0)\le 1-{\omega }_{\text{exp}}+\delta$. The proposition now follows directly from Corollary 4.6 and the scaling of $c_1$ and $c_0$ is easily obtained from the expressions in Corollary 4.6.

To show that an honest strategy succeeds in the protocol with high probability, we define a random variable $F_i$ by $F_i=1$ if $C_i=0$, and $F_i=0$ otherwise. If D and Eve execute the quantum strategy that wins the game G with probability ${\omega }_{\text{exp}}$ in each round, then $\mathbb{E}[F_i]=(1-{\omega }_{\text{exp}})\gamma$. Using the abort condition in the protocol, we then find

$$\begin{array}{cc}\hfill \text{Pr}\left[\text{abort}\right]& =\text{Pr}\left[\sum _{i=1}^n,F_i,>,(1-{\omega }_{\text{exp}}+\delta ),·,\gamma ,n\right]\hfill \\ \hfill & =\text{Pr}\left[\sum _{i=1}^n,F_i,>,\left(1,+,\frac{\delta }{1-{\omega }_{\text{exp}}}\right),·,\mathbb{E},[,\sum _{i=1}^n,F_i,]\right]\hfill \\ \hfill & \le e^{-\frac{{\delta }^2}{1-{\omega }_{\text{exp}}+\delta }\gamma n},\hfill \end{array}$$

where in the last line we used a Chernoff bound. $\square$

To make use of Lemma 5.1, we need to construct a function g(p) that satisfies the condition in Eq. (5.1). For this, we will use the equivalent condition Eq. (5.2). A general way of obtaining such a bound automatically is using the recent numerical method [22].14 Specifically, using the assumption that Alice’s lab is isolated, the maps ${\mathcal{N}}_i$ describing a single round of the protocol take the form described in Fig. 1.

Fig. 1.

Circuit diagram of $\mathcal{N}:R_{i-1}{E}_{i-1}^{\prime }\to A_i{R}_i{T}_i{X}_i{Y}_i{B}_i{E}_i^{\prime }$. For every round of the protocol, a circuit of this form is applied, where $\mathcal{A}$ and $\mathcal{B}$ are the (arbitrary) channels applied by Alice’s device and Eve, respectively. As in the protocol, $T_i$ is a bit equal to 1 with probability $\gamma$, and $X_i$ and $Y_i$ are generated according to q whenever $T_i=1$, and are fixed to $x^{\ast },y^{\ast }$ otherwise. We did not include the register $C_i$ in the figure as it is a deterministic function of $T_i{X}_i{Y}_i{A}_i{B}_i$

The method of [22] allows one to obtain lower bounds on the infimum of

$$\begin{array}{c}\hfill H{(A_i|B_i{X}_i{Y}_i{T}_i{E}_i^{\prime }{\tilde{E}}_{i-1})}_{{\mathcal{N}}_i({\omega }_{R_{i-1}{E}_{i-1}^{\prime }{\tilde{E}}_{i-1}})}\end{array}$$

over all input states ${\omega }_{R_{i-1}{E}_{i-1}^{\prime }{\tilde{E}}_{i-1}}$ and for any map ${\mathcal{N}}_i$ of the form depicted in Fig. 1. Importantly, for any ${\mathcal{N}}_i$ we may also restrict the infimum to states $\omega$ that are consistent with the observed statistics, i.e., ${\mathcal{N}}^{\text{test}}{(\omega )}_{C_i}=p$ for some distribution p on $C_i$, using the notation of Lemma 5.1. Using this numerical method for the CHSH game, we obtain the values shown in Fig. 2. From this, one can also construct an explicit affine min-tradeoff function g(p) in an automatic way using the same method as in [46]. As our focus is on illustrating the use of the generalised EAT, not the single-round bound, we do not carry out these steps in detail here.

Fig. 2.

Lower bound on the conditional entropy $H{(A_i|B_i{X}_i{Y}_i{T}_i{E}_i^{\prime })}_{{\rho }_{|T_i=0}}$ for any state generated as in Fig. 1 and such that on test rounds the obtained winning probability for the CHSH game is $\omega$. This lower bound was obtained by using the method from [22]. For each input $y\in \mathcal{Y}$, the channel ${\mathcal{B}}_y$ is modelled as ${\mathcal{B}}_y(\omega )={\sum }_b{\mathrm{\Pi }}_y^{(b)}\omega {\mathrm{\Pi }}_y^{(b)}$, where ${\{{\mathrm{\Pi }}_y^{(b)}\}}_{b\in \mathcal{B}}$ are orthogonal projectors summing to the identity, and similarly for the map $\mathcal{A}$. It is simple to see that this is without loss of generality

Combining this single-round bound and Lemma 5.1, one obtains that for Protocol 1 instantiated with the CHSH game, ${\omega }_{\text{exp}}$ sufficiently close to the maximal winning probability of $\frac{1}{2}+\frac{1}{2\sqrt{2}}$, and $\gamma =\mathrm{\Theta }(\frac{logn}{n})$, one can extract $\mathrm{\Omega }(n)$ bits of uniform randomness from $A_1\cdots A_n$ while using only $\text{polylog}(n)$ bits of randomness to run the protocol. In other words, Protocol 1 achieves exponential blind randomness expansion with the CHSH game.

E91 quantum key distribution protocol

The E91 protocol is one of the simplest entanglement-based QKD protocols [45, 47]. This protocol was already treated using the original EAT in [1]. Here, we do not give a formal security definition and proof, only an informal comparison of how the original EAT and our generalised EAT can be applied to this problem; the remainder of the security proof is then exactly as in [1]. For a detailed treatment of the application of our generalised EAT to QKD, see [7]. To facilitate the comparison with [1], in this section we label systems the same as in [1] even though this differs from the system labels used earlier in this paper. The protocol we are considering is described explicitly in Protocol 2. It is the same as in [1] except for minor modifications to simplify the notation.

We consider the systems $B_i,{\overline{B}}_i,A_i,{\overline{A}}_i,Q_i,{\overline{Q}}_i$ as in Protocol 2 and additionally define the system $X_i$ storing the statistical information used in the parameter estimation step:

$$\begin{array}{c}\hfill X_i=\left\{\begin{array}{cc}{A}_i\oplus {\overline{A}}_i\hfill & \text{if}{B}_i={\overline{B}}_i=1,\hfill \\ \perp \hfill & \text{otherwise.}\hfill \end{array}\right)\end{array}$$

Denoting by E the side information gathered by Eve during the distribution step, we can follow the same steps as for [1, Equation (57)] to show that the security of Protocol 2 follows from a lower bound on

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}.\end{array}$$ 5.3

Here, ${\rho }_{|\mathrm{\Omega }}$ is the state at the end of the protocol conditioned on acceptance.

We first sketch how the original EAT (whose setup was described in Sect. 1) is applied to this problem in [1]. One cannot bound $H_{\text{min}}^{\epsilon }{(A^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}$ directly using the EAT because a condition similar to Eq. (4.2) has to be satisfied. Therefore, one modifies the systems ${\overline{A}}_i$ from Protocol 2 by setting ${\overline{A}}_i=\perp$ if $B_i={\overline{B}}_i=0$ and then applies the EAT to find a lower bound on

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n{\overline{A}}^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}.\end{array}$$ 5.4

For this, a round of Protocol 2 is viewed as a map ${\mathcal{M}}_i:Q_i^n{\overline{Q}}_i^n\to Q_{i+1}^n{\overline{Q}}_{i+1}^n{A}_i{\overline{A}}_i{B}_i{\overline{B}}_i{X}_i$, which chooses $B_i{\overline{B}}_i$ as in Protocol 2, applies Alice and Bob’s (trusted) measurements on systems $Q_i{\overline{Q}}_i$ to generate $A_i{\overline{A}}_i$, and generates $X_i$ as described before. To apply the EAT, $R_{i-1}:=Q_i^n{\overline{Q}}_i^n$ takes the role of the “hidden sytem”, and $A_i{\overline{A}}_i$ and $B_i{\overline{B}}_i$ are the output and side information of the i-th round, respectively. It is easy to see that with this choice of systems, the Markov condition of the EAT is satisfied, so, using a min-tradeoff function derived from an entropic uncertainty relation [48], one can find a lower bound on Eq. (5.4).

However, adding the system ${\overline{A}}_i$ in this manner has the following disadvantage: to relate the lower bound on $H_{\text{min}}^{\epsilon }{(A^n{\overline{A}}^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}$ to the desired lower bound on $H_{\text{min}}^{\epsilon }{(A^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}$ one needs to use a chain rule for min-entropies, incurring a penalty term of the form $H_{\text{max}}^{\epsilon }{({\overline{A}}^n|A^n{B}^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}$. This penalty term is relatively easy to bound for the case of the E91 protocol, but can cause problems in general.15

We now turn our attention to proving Eq. (5.3) using our generalised EAT. For this, we first observe that

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|B^n{\overline{B}}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}}\ge H_{\text{min}}^{\epsilon }{(A^n|B^n{\overline{B}}^n{X}^{n}E)}_{{\rho }_{|\mathrm{\Omega }}},\end{array}$$

so it suffices to find a lower bound on the r.h.s. This step is similar to adding the ${\overline{A}}_i$ systems in Eq. (5.4) in that its purpose is to satisfy Eq. (4.2). However, it has the advantage that here, $X^n$ can be added to the conditioning system and therefore lowers the entropy, not raises it like going from Eqs. (5.3) to (5.4). The same step is not possible in the original EAT due to the restrictive Markov condition.

Using the same system names as before, we define $E_i:=Q_{i+1}^n{\overline{Q}}_{i+1}^n{B}^i{\overline{B}}^i{X}^{i}E$.16 Then, analogously to the original EAT, we can describe a single round of Protocol 2 by a map ${\mathcal{M}}_i:E_{i-1}\to A_i{E}_i{X}_i$. (Compared to the map ${\mathcal{M}}_i$ we described above for the original EAT, we have traced out ${\overline{A}}_i$, added a copy of $X_i$, and added identity maps on the other additional systems in $E_{i-1}$.) Denoting by ${\rho }_{Q^n{\overline{Q}}^{n}E}^0$ the joint state of Alice and Bob’s systems $Q^n{\overline{Q}}^n$ before measurement and the information E that Eve gathered during the distribution step, the state at the end of the protocol is $\rho ={\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }^0)$. To apply Corollary 4.6 to find a lower bound on

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1{({\rho }^0)}_{|\mathrm{\Omega }}},\end{array}$$

we first observe that the condition in Eq. (4.2) is satisfied because the system $X^n$ is part of $E_n$, and the non-signalling condition is trivially satisfied because there is no $R_i$-system. A min-tradeoff function can be constructed in exactly the same way as in [1, Claim 5.2] by noting that all systems in $E_i$ on which ${\mathcal{M}}_i$ does not act can be viewed as part of the purifying system.

This comparison highlights the advantage of the more general model of side information in our generalised EAT: for the original EAT, one has to first bound $H_{\text{min}}^{\epsilon }(A^n{\overline{A}}^n|B^n{\overline{B}}^{n}E)$ (rather than $H_{\text{min}}^{\epsilon }(A^n|B^n{\overline{B}}^{n}E)$) in order to be able to satisfy the Markov condition, and then perform a separate step to remove the ${\overline{A}}^n$ system. In our case, the non-signalling condition, the analogue of the Markov condition, is trivially satisfied because we need no $R_i$-system. This is because we can add the quantum systems $Q^n{\overline{Q}}^n$ to the side information register $E_0$ at the start and then, since we allow side information to be updated and Alice and Bob act on $Q_i{\overline{Q}}_i$ using trusted measurement devices, we can remove the systems $Q_i{\overline{Q}}_i$ one by one during the rounds of the protocol.

Dual Statement for Smooth Max-Entropy

In the main text we have focused on deriving a lower bound on the smooth min-entropy. Here, we show that this also implies an upper bound on the smooth max-entropy by applying a simple duality relation between min- and max-entropy. A similar upper bound was also derived in [1]. However, that bound is subject to a Markov condition and cannot be derived by a simple duality argument since the “dual version” of the Markov condition is unwieldy. We show that the bound from [1] follows as a special case of our more general bound even without any Markov conditions or other non-signalling constraints. For simplicity, we restrict ourselves to an asymptotic statement without “testing”, i.e. we derive an $H_{\text{max}}^{\epsilon }$-version of Theorem 4.1. By applying the same duality relation to the more involved statement in Theorem 4.3, one can also obtain an $H_{\text{max}}^{\epsilon }$-bound with explicit constants and testing.

Recall that for ${\rho }_{\mathit{AB}}\in \text{S}(AB)$ and $\epsilon \in [0,1]$, the $\epsilon$-smoothed max-entropy of A conditioned on B is defined as

$$\begin{array}{c}\hfill H_{max}^{\epsilon }{(A|B)}_{\rho }=log\underset{{\tilde{\rho }}_{\mathit{AB}}\in {\mathcal{B}}_{\epsilon }({\rho }_{\mathit{AB}})}{inf}\underset{{\sigma }_B\in \text{S}(B)}{sup}{∥{\tilde{\rho }}_{\mathit{AB}}^{\frac{1}{2}},{\sigma }_B^{\frac{1}{2}}∥}_1^2,\end{array}$$

where ${∥·∥}_1$ denotes the trace norm and ${\mathcal{B}}_{\epsilon }({\rho }_{\mathit{AB}})$ is the $\epsilon$-ball around ${\rho }_{\mathit{AB}}$ in terms of the purified distance [11]. The smooth min- and max-entropy satisfy the following duality relation [11, Proposition 6.2]: for a pure quantum state ${\psi }_{\mathit{ABC}}$,

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A|B)}_{\psi }=-H_{\text{max}}^{\epsilon }{(A|C)}_{\psi }.\end{array}$$

For the setting of Theorem 4.1, let $V_i:R_{i-1}{E}_{i-1}\to A_i{R}_i{E}_i{F}_i$ be the Stinespring dilation of the map ${\mathcal{M}}_i$, and let $|{\rho }^0{⟩}_{R_0{E}_0{F}_0}$ be a purification of the input state ${\rho }_{R_0{E}_0}^0$. Then, $V_n\cdots V_1|{\rho }^0⟩$ is a purification of ${\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }^0)$, so by the duality of the smooth min- and max-entropy,

$$\begin{array}{c}\hfill H_{\text{min}}^{\epsilon }{(A^n|E_n)}_{{\mathcal{M}}_n\circ \cdots \circ {\mathcal{M}}_1({\rho }^0)}=-H_{\text{max}}^{\epsilon }{(A^n|F^n{R}_n)}_{V_n\cdots V_1|{\rho }^0⟩}.\end{array}$$

Furthermore, by concavity of the conditional entropy the infimum in Theorem 4.1 can be restricted to pure states ${|\omega ⟩}_{R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}}$, so $V_i|\omega ⟩$ is a purification of ${\mathcal{M}}_i(\omega )$. Then, by the duality relation for von Neumann entropies,

$$\begin{array}{c}\hfill H{(A_i|E_i{\tilde{E}}_{i-1})}_{{\mathcal{M}}_i(\omega )}=-H{(A_i|R_i{F}_i)}_{V_i|\omega ⟩}.\end{array}$$

Therefore, we obtain the following dual statement to Theorem 4.1:

$$\begin{array}{c}\hfill H_{\text{max}}^{\epsilon }{(A^n|F^n{R}_n)}_{V_n\cdots V_1|{\rho }^0⟩}\le \sum _{i=1}^n\underset{|\omega ⟩}{max}H{(A_i|R_i{F}_i)}_{V_i|\omega ⟩}+O(\sqrt{n}),\end{array}$$ A.1

where the maximisation is over pure states on $R_{i-1}{E}_{i-1}{\tilde{E}}_{i-1}$. This holds for any sequence of isometries $V_i$ for which the maps ${\mathcal{M}}_{V_i}:R_{i-1}{E}_{i-1}\to A_i{R}_i{E}_i$ given by ${\mathcal{M}}_{V_i}(\rho )={\text{Tr}}_{F_i}\left[V_i,\rho ,V_i^{†}\right]$ satisfy the non-signalling condition of Theorem 4.1: for each i, there must exist a map ${\mathcal{R}}_i\in \text{CPTP}(E_{i-1},E_i)$ such that ${\text{Tr}}_{A_i{R}_i}\circ {\mathcal{M}}_{V_i}={\mathcal{R}}_i\circ {\text{Tr}}_{R_{i-1}}$.

To gain some intuition for the above statement, consider a setting where an information source generates systems $A_1,\cdots ,A_n$ and $F_1,\cdots ,F_n$ by applying isometries $V_i:S_{i-1}\to A_i{F}_i{S}_i$ to some pure intial state $|{\rho }^0{⟩}_{S_0}$. We might be interested in compressing the information in $A^n$ in such a way that given $F^n$, one can reconstruct $A^n$ except with some small failure probability $\epsilon$. Then, the amount of storage needed for the compressed information is given by $H_{\text{max}}^{\epsilon }(A^n|F^n)$. To apply Eq. (A.1), for $i<n$ we split the systems $S_i$ into $R_i{E}_i$ in such a way that the channel ${\mathcal{M}}_{V_i}$ defined above satisfies the non-signalling condition, and set $E_n=S_n$ (so that $R_n$ is trivial). Then Eq. (A.1) gives an upper bound on $H_{\text{max}}^{\epsilon }(A^n|F^n)$. Note that this bound depends on how we split the systems $S_i=R_i{E}_i$: the non-signalling condition can always be trivially satisfied by choosing $R_i$ to be trivial, but Eq. (A.1) tells us that if we can describe the source in such a way that $E_i$ is relatively small and $R_i$ is relatively large while still satisfying the non-signalling condition, we obtain a tighter bound on the amount of required storage.

From Eq. (A.1) we can also recover the max-entropy version of the original EAT, but without requiring a Markov condition. To facilitate the comparison with [1], we first re-state their theorem with their choice of system labels, but add a bar to every system label to avoid confusion with our notation from before. The max-entropy statement in [1] considers a sequence of channels ${\overline{\mathcal{M}}}_i:{\overline{R}}_{i-1}\to {\overline{A}}_i{\overline{B}}_i{\overline{R}}_i$ and asserts that under a Markov condition, for any initial state ${\rho }_{{\overline{R}}_0\overline{E}}$ with a purifying system $\overline{E}\equiv {\overline{R}}_0$:

$$\begin{array}{c}\hfill H_{\text{max}}^{\epsilon }{({\overline{A}}^n|{\overline{B}}^n\overline{E})}_{{\overline{\mathcal{M}}}_n\circ \cdots \circ {\overline{\mathcal{M}}}_1({\rho }_{{\overline{R}}_0\overline{E}})}\le \sum _{i=1}^n\underset{\omega \in \text{S}({\overline{R}}_{i-1}\overline{R})}{max}H{({\overline{A}}_i|{\overline{B}}_i\overline{R})}_{{\overline{\mathcal{M}}}_i(\omega )}+O(\sqrt{n}),\end{array}$$ A.2

where $\overline{R}\equiv {\overline{R}}_{i-1}$. We want to recover this statement from Eq. (A.1) without any Markov condition. For this, we consider the Stinepring dilations ${\overline{V}}_i:{\overline{R}}_{i-1}\to {\overline{R}}_i{\overline{A}}_i{\overline{B}}_i{\overline{F}}_i$ of ${\overline{\mathcal{M}}}_i$. We make the following choice of systems:

$$\begin{array}{c}\hfill R_i={\overline{B}}^i\overline{E},A_i={\overline{A}}_i,E_i={\overline{R}}_i{\overline{F}}_i,\end{array}$$

and choose $F_i$ to be trivial. By tensoring with the identity, we can then extend ${\overline{V}}_i$ to an isometry $V_i:R_{i-1}{E}_{i-1}\to A_i{R}_i{E}_i$. Then, the maps ${\mathcal{M}}_{V_i}$ satisfy the non-signalling condition since $V_i$ acts as identity on $R_{i-1}$. Therefore, remembering that $R_n={\overline{B}}^n\overline{E}$ and $F^n$ is trivial, we see that Eq. (A.1) implies Eq. (A.2). Note that our derivation did not require any conditions on the channels ${\overline{\mathcal{M}}}_i$ we started with, i.e. we have shown Eq. (A.2) holds for any sequence of channels ${\overline{\mathcal{M}}}_i$, not just channels satisfying a Markov or non-signalling condition.

Uhlmann Property for the Rényi Divergence

We establish that for the max-divergence (where $\alpha \to \infty$), Uhlmann’s theorem holds.

Proposition B.1

Let ${\sigma }_A\in \text{S}(A)$ and ${\rho }_{\mathit{AR}}\in \text{S}(AR)$. Then we have

$$\begin{array}{c}\hfill D_{max}({\rho }_A\Vert {\sigma }_A)=\underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}{D}_{max}({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}}).\end{array}$$ B.1

In addition, if ${\rho }_{\mathit{AR}},{\rho }_A\otimes {\text{id}}_R$ and ${\sigma }_A\otimes {\text{id}}_R$ all commute, then for any $\alpha \in [\frac{1}{2},\infty )$, we have

$$\begin{array}{c}\hfill D_{\alpha }({\rho }_A\Vert {\sigma }_A)=\underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}{D}_{\alpha }({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}}).\end{array}$$ B.2

Proof

We start with Eq. (B.1). The inequality $\le$ is a direct consequence of the data-processing inequality for $D_{max}$. For the inequality $\ge$, we use semidefinite programming duality, see e.g., [50]. Observe that we can write $2^{D_{max}({\rho }_A\Vert {\sigma }_A)}$ as the following semidefinite program

$$\begin{array}{c}\hfill \underset{{\tau }_A\in \text{Pos}(A),\lambda \in \mathbb{R}}{min}\{\text{Tr}\left[{\tau }_A\right]\text{subject to}{\rho }_A\le {\tau }_A\text{and}{\tau }_A=\lambda {\sigma }_A\}.\end{array}$$

Using semidefinite programming duality, this is also equal to

$$\begin{array}{c}\hfill \underset{X_A\in \text{Pos}(A),Y_A\in \text{Herm}(A)}{max}\{\text{Tr}\left[X_A,{\rho }_A\right]\text{subject to}{\text{id}}_A+Y_A=X_A\text{and}\text{Tr}\left[Y_A,{\sigma }_A\right]=0\}.\end{array}$$ B.3

We can also write a semidefinite program for ${inf}_{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{2}^{D_{max}({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}})}$. We introduce the variable ${\theta }_{\mathit{AR}}=\lambda {\widehat{\sigma }}_{\mathit{AR}}$ and get

$$\begin{array}{c}\hfill \underset{\theta \in \text{Pos}(A\otimes R),\lambda \in \mathbb{R}}{min}\{\text{Tr}\left[{\theta }_{\mathit{AR}}\right]\text{subject to}{\rho }_{\mathit{AR}}\le {\theta }_{\mathit{AR}}\text{and}{\theta }_A=\lambda {\sigma }_A\}.\end{array}$$

Again, by semidefinite programming duality, we get that it is equal to

$$\begin{array}{cc}& \underset{X_{\mathit{AR}}\in \text{Pos}(A\otimes R),Y_A\in \text{Herm}(A)}{max}\{\text{Tr}\left[X_{\mathit{AR}},{\rho }_{\mathit{AR}}\right]\text{subject to}({\text{id}}_A+Y_A)\otimes {\text{id}}_R\hfill \\ \hfill & =X_{\mathit{AR}}\text{and}\text{Tr}\left[Y_A,{\sigma }_A\right]=0\}.\hfill \end{array}$$ B.4

Eliminating the variable $X_{\mathit{AR}}$, we can write this last program as

$$\begin{array}{c}\hfill \underset{Y_A\in \text{Herm}(A)}{max}\{\text{Tr}\left[({\text{id}}_A+Y_A),{\rho }_A\right]\text{subject to}{\text{id}}_A+Y_A\in \text{Pos}(A)\text{and}\text{Tr}\left[Y_A,{\sigma }_A\right]=0\},\end{array}$$

which is the same as Eq. (B.3). This proves Eq. (B.1). Equation (B.2) follows immediately by choosing ${\widehat{\sigma }}_{\mathit{AR}}={\sigma }_A{\rho }_A^{-1}{\rho }_{\mathit{AR}}$ and using the commutation conditions. $\square$

However, for $\alpha \ge 1$ and arbitrary ${\sigma }_A\in \text{S}(A)$, ${\rho }_{\mathit{AE}}\in \text{S}(AE)$, the Uhlmann property given by Eq. (B.2) does not hold. A concrete example is ${\rho }_{\mathit{AR}}={|\psi ⟩⟨\psi |}_{\mathit{AR}}$ with

$$\begin{array}{c}\hfill {|\psi ⟩}_{\mathit{AR}}=\sqrt{\frac{1}{4}}{|00⟩}_{\mathit{AR}}+\sqrt{\frac{3}{4}}{|11⟩}_{\mathit{AR}}\end{array}$$

and ${\sigma }_A=\frac{1}{3}|+⟩⟨+|+\frac{2}{3}|-⟩⟨-|$. In this case, $D_2({\rho }_A\Vert {\sigma }_A)<0.476$ whereas

$$\begin{array}{c}\hfill \underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}{D}_2({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}})\ge \underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}D({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}})>0.48.\end{array}$$

This computation was performed by numerically solving the semidefinite programs via CVXQUAD [51]. Putting everything together shows that Eq. (B.2) does not hold for $\alpha \in \{1,2\}$:

$$\begin{array}{c}\hfill D({\rho }_A\Vert {\sigma }_A)\le D_2({\rho }_A\Vert {\sigma }_A)<\underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}D({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}})\le \underset{{\widehat{\sigma }}_{\mathit{AR}}:{\widehat{\sigma }}_A={\sigma }_A}{inf}{D}_2({\rho }_{\mathit{AR}}\Vert {\widehat{\sigma }}_{\mathit{AR}}).\end{array}$$

Funding

Open access funding provided by Swiss Federal Institute of Technology Zurich. TM and RR acknowledge support from the National Centres of Competence in Research (NCCRs) QSIT (funded by the Swiss National Science Foundation under grant number 51NF40-185902) and SwissMAP, the Air Force Office of Scientific Research (AFOSR) via project No. FA9550-19-1-0202, the SNSF project No. 200021_188541 and the QuantERA project eDICT. OF acknowledges funding from the European Research Council (ERC Grant AlgoQIP, Agreement No. 851716), from the European Union’s Horizon 2020 QuantERA II Programme (VERIqTAS, Agreement No 101017733) and from a government grant managed by the Agence Nationale de la Recherche under the Plan France 2030 with the reference ANR-22-PETQ-0009. Part of this work was carried out when DS was with the Institute for Theoretical Physics at ETH Zurich.

Data Availability

No experimental data has been generated as part of this project. The introduction of this work has been published as an extended abstract in the proceedings of FOCS 2022 [49].

Declarations

Conflict of interest

The authors have no Conflict of interest to declare.