Security Proof Against Collective Attacks for an Experimentally Feasible Semiquantum Key Distribution Protocol

Semiquantum key distribution (SQKD) allows two parties (Alice and Bob) to create a shared secret key, even if one of these parties (say, Alice) is classical. However, most SQKD protocols suffer from severe practical security problems when implemented using photons. The recently developed "Mirror protocol" [Boyer, Katz, Liss, and Mor, Phys. Rev. A 96, 062335 (2017)] is an experimentally feasible SQKD protocol overcoming those drawbacks. The Mirror protocol was proven robust (namely, it was proven secure against a limited class of attacks including all noiseless attacks), but its security in case some noise is allowed (natural or due to eavesdropping) has not been proved yet. Here we prove security of the Mirror protocol against a wide class of quantum attacks (the "collective attacks"), and we evaluate the allowed noise threshold and the resulting key rate.


I. INTRODUCTION
Quantum key distribution (QKD) protocols [2] make it possible for two parties, Alice and Bob, to generate a secret shared key. This key is information-theoretically secure against any possible attack that can be applied by an all-powerful adversary Eve limited only by the laws of physics.
SQKD protocols use the notion of "classical operations" performed by a "classical party". However, in the 15 years since the publication of the original paper introducing SQKD protocols [3], we noticed that the term "classical party" sometimes causes confusion: in other hybrid quantum-classical protocols described in the literature (e.g., [16], [17]), the term "classical operations" is reserved for operations performed on classical bits, and it is implicitly or explicitly assumed that all classical parties have no access to quantum states (e.g., qubits) and cannot perform any operation on them. On the other hand, classical parties in SQKD protocols can perform limited operations on quantum states.
To avoid this confusion, we introduce here the notion of CloQ (Classical Operations on Quantum Data). CloQ protocols involve at least one classical party (or CloQ party) who is restricted to using the four classical operations 1-4 described below for interacting with a quantum channel. CloQ protocols have been shown to exhibit highly interesting theoretical properties; currently, their most well understood application is SQKD (see [18] for a recent review), but CloQ protocols have also been devised to solve other cryptographic problems, including secret sharing [19], [20], [21], secure direct communication [22], [23], [24], [25], identity verification [26], [27], and private state comparison [28]. CloQ protocols may even be devised in the future for quantum verification by defining a CloQ variant of QPIP (quantum prover interactive proofs) [29], which could allow a CloQ party to verify quantum computations performed by a fully quantum center (or prover). Possible generalizations of this idea include verification protocols for a CloQ verifier and a computationally unbounded prover (a known concept in complexity theory), as well as blind verification protocols where the quantum prover is oblivious to the computations it performs at the CloQ verifier's request.
The classical party in a CloQ protocol is restricted to limited classical operations but is capable of performing these operations on a quantum communication channel. Such protocols rely on a two-way quantum channel, which makes security analyses difficult (similarly to other two-way QKD protocols; see, e.g., [30], [31], [32], [33]), especially in practical and experimental settings allowing a quantum state to travel from one party to the classical party and back to the original sender. The classical party is restricted to using the following classical operations (see, e.g., [3], [4]):
1) Preparing a qubit in one of the computational basis states: $|0\rangle$ or $|1\rangle$.
2) Measuring a qubit in the computational basis $\{|0\rangle, |1\rangle\}$.
3) Ignoring the qubit, letting it pass through their lab back to the sender undisturbed.
4) Permuting incoming qubits and returning them to the sender in a new order, but otherwise undisturbed.
CloQ protocols, and in particular SQKD protocols, are fascinating from a theoretical point of view because they attempt to find out "how quantum" a protocol must be to gain an advantage over a classical protocol: for example, it is impossible to perform secure key distribution using only classical communication (unless we make computational assumptions), but SQKD protocols show that one classical party and one quantum party can achieve information-theoretically secure key distribution.
While the importance of SQKD protocols is clear from a theoretical standpoint, their practical importance is more subtle. Since the practical implementation of fully-quantum QKD (e.g., BB84) is a well studied problem with numerous high-speed implementations, the reader may rightly wonder at the practical importance of studying SQKD protocols. However, there are several advantages to this study from a practical perspective. First, semi-quantum communication is a practical technology, as some experimental proofs of concept have been demonstrated [34], [35], [36]. Second, while these experimental proofs of concept required hardware similar to their fully-quantum counterparts, the ability to perform CloQ operations may become cheaper as technology advances, so it is important to study alternative implementation methodologies now. Third, several semi-quantum protocols rely on imbalanced user capabilities: for example, the fully quantum user can invest in higher quality equipment, while the classical user can rely on cheaper devices (e.g., measurement devices with lower efficiency), leading to interesting use-case scenarios. Fourth, the security proof methodologies developed for practical SQKD protocols can be translated to other QKD protocols with potential new insights and countermeasure strategies; for example, proof techniques developed for practical SQKD can demonstrate how to compensate for imperfect or imbalanced hardware capabilities or partial device failures. Last but not least, if one wants to hide from some of the users the fact that quantum cryptography is used, the true description of the classical operations 1-4 can indeed hide any hint from such an oblivious party; after all, also when using classical data one can either check if the bit is 0/1 or choose to avoid checking it.
Taken together, not only is the study of SQKD protocols (and CloQ protocols in general) important from a theoretical standpoint, but it can also have highly interesting practical implications.
However, while the capabilities of SQKD protocols in the ideal (perfect-qubit) scenario are now fairly well understood, and while in principle such protocols could allow simpler devices, the security and performance of SQKD protocols under practical attacks are yet to be verified. In fact, as pointed out by [37], [38], many existing SQKD protocols are experimentally infeasible: it is not known how to implement them in a secure way. Specifically, many SQKD protocols use the SIFT classical operation, which requires the classical user to first measure the incoming quantum state in the computational basis $\{|0\rangle, |1\rangle\}$ and then resend the measured state back to the quantum user; the experimental implementations of this operation are vulnerable to some "tagging attacks" described by [37], [38], [1]. For solving this problem, an experimentally feasible SQKD protocol named the "Mirror protocol" was introduced by [1]; see also [39], which analyzed a simplified variant and attacks on it.
Most SQKD protocols have been proven robust: namely [3], if Eve obtains some secret information, she must cause some errors that may be noticed by Alice and Bob; equivalently, a protocol is "robust" if any attack that induces no errors must give Eve no information. In particular, the Mirror protocol was proven robust by [1]. Proving robustness is a step towards proving security; proving full security of SQKD protocols is difficult because these protocols are usually two-way: for example, Bob sends a quantum state to Alice, and Alice performs a specific classical operation and sends the resulting quantum state back to Bob. A few SQKD protocols also have a security analysis [40], [41], [42], [43] which is usually applicable to an ideal qubit-based description, but not to the more realistic photon-based description. So far, the Mirror protocol has not been proven secure.
In this paper we prove security of the Mirror protocol against collective attacks. The class of the collective attacks [44], [45], [46] is an important and powerful subclass of possible attacks; the class of the general attacks (also known as the joint attacks; see, e.g., [47], [48], [49], [50]) includes all theoretical attacks allowed by quantum physics. Security against collective attacks is conjectured (and, in some security notions, proved [51], [52], [53]) to imply security against general attacks. However, some existing security proofs of SQKD protocols against general attacks may in fact be limited to collective attacks, because they use de Finetti's theorem and similar techniques (see [51], [52]) that can directly be applied only to entanglement-based protocols. In particular, to use these techniques, one usually requires some reduction from the two-way protocol to an entanglement-based protocol. Such reduction techniques are known for certain classes of two-way protocols [33], [54], but it is not known how to perform these reductions for all two-way protocols. In particular, the method of [33] only applies if the protocol exhibits a certain symmetry property which no semi-quantum protocol can have, while the method of [54] is currently only applicable to mediated semi-quantum protocols in the ideal qubit scenario. In particular, these previous techniques do not apply to the Mirror protocol we consider in this work. Therefore, in this paper we restrict our analysis to collective attacks.
This paper proves security of the Mirror protocol under a large class of collective attacks, which include the ability of Eve to inject multiple photons into the classical user's lab, but not into the quantum user's lab (attacks of the latter kind are left for future analysis, but we briefly discuss them in the beginning of Section III). In addition, we limit our analysis to two-mode quantum communication, leaving more complicated attacks for future research. We assume Alice's and Bob's devices precisely implement the needed operations (most notably, Alice's classical operations described in Eqs. (1)-(4)), and without loss of generality, we assume an all-powerful Eve controlling all errors and losses in the quantum channel.
We derive an information-theoretic proof of security against these attacks and simulate the performance of the protocol in a variety of realistic scenarios, including lossy quantum channels, compared to the BB84 protocol. Ultimately, our paper shows that SQKD protocols hold the potential to be secure and feasible in practice, and not just "secure in ideal conditions". The methods and techniques we present in this work may also be applicable to security proofs of other SQKD protocols or even other two-way QKD protocols where users are limited in some manner in their quantum capabilities.

II. THE MIRROR PROTOCOL
This section is partially based on [39].
For describing the Mirror protocol, we assume a photonic implementation consisting of two modes: the mode of the qubit state $|0\rangle$ and the mode of the qubit state $|1\rangle$ (below we call them "the $|0\rangle$ mode" and "the $|1\rangle$ mode", respectively). For example, the $|0\rangle$ mode and the $|1\rangle$ mode can represent two different polarizations or two different time bins. As elaborated in [1], the Mirror protocol can intuitively be described in terms of photon pulses that correspond to two distinct time bins, which means that the classical party (Alice) can only perform operations on the two distinct time bins (corresponding to the computational basis $\{|0\rangle, |1\rangle\}$) and not on their superpositions (corresponding, for example, to the Hadamard basis $\{|+\rangle, |-\rangle\}$).

A. THE SINGLE-PHOTON CASE
We use the Fock space notations: if there is exactly one photon, the Fock state $|0,1\rangle$ represents one photon in the $|0\rangle$ mode, and the Fock state $|1,0\rangle$ represents one photon in the $|1\rangle$ mode (and, thus, our Hilbert space is the qubit space $\mathrm{Span}\{|0,1\rangle, |1,0\rangle\}$). We can extend the qubit space to a 3-dimensional Hilbert space by adding the Fock "vacuum state" $|0,0\rangle$, which represents an absence of photons. Similarly . Then, Alice prepares an ancillary state in the initial vacuum state $|0,0\rangle_{A_{\mathrm{anc}}}$ and chooses at random one of the following four classical operations (defined on any Fock state she may possibly get, due to Eve's single-photon attacks possible in this case):
• $I$ (CTRL) Reflect all photons towards Bob, without measuring any photon. The mathematical description is:
• $S_1$ (SWAP-10) Reflect all photons in the $|0\rangle$ mode towards Bob, and measure all photons in the $|1\rangle$ mode. The mathematical description is:
• $S_0$ (SWAP-01) Reflect all photons in the $|1\rangle$ mode towards Bob, and measure all photons in the $|0\rangle$ mode. The mathematical description is:
• $S$ (SWAP-ALL) Measure all photons, without reflecting any photon towards Bob. The mathematical description is:
We note that in the above mathematical description, Alice measures her ancillary state $|\cdot\rangle_{A_{\mathrm{anc}}}$ in the computational basis $\{|0\rangle, |1\rangle\}$ and sends back to Bob the $|\cdot\rangle_B$ state.
The states sent from Alice to Bob (without any error, loss, or eavesdropping) and their interpretations, depending on Alice's random choice of a classical operation and on whether Alice detected a photon or not, are detailed in Table 1.

B. THE MULTI-PHOTON CASE
Most generally, we need to describe Alice's operation on a general state, because Eve can attack the state sent from Bob to Alice. The Fock state $|m_1, m_0\rangle$ represents $m_1$ indistinguishable photons in the $|1\rangle$ mode and $m_0$ indistinguishable photons in the $|0\rangle$ mode. More details about the Fock space notations are given in [1]; using these mathematical notations is vital for describing and analyzing all practical attacks on a QKD protocol (see [55] for details and examples).
The mathematical description of the Mirror protocol in this multi-photon case remains identical to its description in Subsection II-A. However, in this case, Alice's classical operations are defined on any general Fock state, because Eve's attack can include any multi-photon pulse.

C. BOB'S FINAL MEASUREMENTS AND CLASSICAL POST-PROCESSING
In both cases described in Subsections II-A and II-B, Bob finally measures the incoming state in a random basis (either the computational basis $\{|0\rangle, |1\rangle\}$ or the Hadamard basis $\{|+\rangle, |-\rangle\}$). We assume here, as is true in most experimental setups, that Alice and Bob use detectors and not counters: namely, their detectors cannot count the number of incoming photons. Therefore, when a detector clicks, Alice and Bob cannot know whether it detected a single-photon pulse (a single photon in its measured mode) or a multi-photon pulse (more than one photon in its measured mode).
After completing all rounds, Alice and Bob perform classical post-processing: Alice sends over the classical channel her operation choices (CTRL, SWAP-x, or SWAP-ALL; she keeps x ∈ {01, 10} in secret); Bob sends over the classical channel his basis choices; and both of them reveal all rounds where they got a loss, and all measurement results each of them got in all testing rounds (CTRL, SWAP-ALL, and a random subset of the SWAP-x rounds, for which Alice also reveals her values of x ∈ {01, 10}) and in all mismatched rounds (such as rounds in which Alice used SWAP-10 and Bob used the Hadamard basis).
In the non-testing rounds, as detailed in Table 1, Alice and Bob share the raw key bit 0 if Alice uses SWAP-10 and detects no photon while Bob measures in the computational basis and detects a photon (or photons) in the $|0\rangle$ mode; similarly, they share the raw key bit 1 if Alice uses SWAP-01 and detects no photon while Bob measures in the computational basis and detects a photon (or photons) in the $|1\rangle$ mode. Now, Alice and Bob have enough information for computing all the probabilities they need for finding the key rate (that are detailed later, in Table 2), so they compute all these probabilities and deduce the final key rate according to the algorithm in Subsection III-G. If the final key rate is negative, they abort the protocol; otherwise, they perform error correction and privacy amplification in the standard way for QKD protocols. At the end of the protocol, Alice and Bob hold an identical final key that is completely secure against any eavesdropper.
A full description of the Mirror protocol and a proof of its robustness are both available in [1]. An illustration of the Mirror protocol is available as Fig. 1.
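The sketch below is an added example, not code from the paper: it applies Alice's four classical operations to single Fock components with threshold detectors, and labels computational-basis rounds with the sifting rule of Subsection II-C and the event names used later in Table 2. The function names, the tuple encoding and the `returned` argument (the component reaching Bob after Eve acts on the return channel) are assumptions; superpositions and Bob's Hadamard measurements are not modeled.

```python
from collections import Counter

# Added illustration (not from the paper). A Fock component |m1, m0> is the
# tuple (m1, m0): m1 photons in the |1> mode, m0 photons in the |0> mode.
VACUUM = (0, 0)
ROUND_KIND = {"CTRL": "test", "SWAP-10": "raw key",
              "SWAP-01": "raw key", "SWAP-ALL": "SWAP-ALL"}


def alice_operation(op, state):
    """Return (measured_by_alice, reflected_to_bob) for one Fock component."""
    m1, m0 = state
    if op == "CTRL":       # reflect everything, measure nothing
        return VACUUM, (m1, m0)
    if op == "SWAP-10":    # reflect the |0> mode, measure the |1> mode
        return (m1, 0), (0, m0)
    if op == "SWAP-01":    # reflect the |1> mode, measure the |0> mode
        return (0, m0), (m1, 0)
    if op == "SWAP-ALL":   # measure everything, reflect nothing
        return (m1, m0), VACUUM
    raise ValueError(f"unknown operation: {op}")


def clicks(state):
    """Threshold detectors: which modes fired, never how many photons."""
    m1, m0 = state
    return m1 > 0, m0 > 0  # (click in |1> mode, click in |0> mode)


def round_type(op, bob_basis):
    """Classify a round by Alice's operation and Bob's basis."""
    matched = "Hadamard" if op == "CTRL" else "computational"
    kind = ROUND_KIND[op]
    return kind if bob_basis == matched else "mismatched " + kind


def classify(op, injected, returned=None):
    """Label one round in which Bob measures in the computational basis.

    injected: component Eve sends to Alice on the forward channel.
    returned: component reaching Bob after Eve's return-channel attack
              (hypothetical parameter); None means Alice's output is untouched.
    """
    measured, reflected = alice_operation(op, injected)
    a1, a0 = clicks(measured)
    b1, b0 = clicks(reflected if returned is None else returned)
    bob_single = b1 != b0          # exactly one of Bob's detectors fired
    if op == "SWAP-ALL":
        if a1 and a0:
            return "double"        # Alice's "double-click" event
        if not (a1 or a0) and bob_single:
            return "create:0" if b0 else "create:1"
        return "other"
    if op == "CTRL":
        if bob_single:
            return "CTRL:0" if b0 else "CTRL:1"
        return "other"
    # SWAP-10 / SWAP-01: a raw key bit needs silence at Alice, a click at Bob
    if a1 or a0:
        return "alice-click"
    if not (b1 or b0):
        return "loss"
    if not bob_single:
        return "other"             # both of Bob's detectors fired: discarded here
    alice_bit = 0 if op == "SWAP-10" else 1
    bob_bit = 0 if b0 else 1
    return f"key:{alice_bit},{bob_bit}"


# Constructed sample rounds: (Alice's operation, injected, returned)
SAMPLE_ROUNDS = [
    ("SWAP-10", (0, 1), None),     # honest round, raw key bit 0
    ("SWAP-01", (1, 0), None),     # honest round, raw key bit 1
    ("SWAP-10", (1, 0), None),     # Alice's detector absorbs the photon
    ("SWAP-01", (1, 0), (0, 1)),   # photon moved to the other mode: bit error
    ("SWAP-10", (0, 2), (0, 1)),   # multi-photon injection, unseen by Alice
    ("SWAP-ALL", (1, 1), None),    # multi-photon injection exposed by SWAP-ALL
    ("SWAP-ALL", (0, 0), (0, 1)),  # photon created on the way back to Bob
    ("SWAP-10", (0, 0), None),     # loss
]


def tally(rounds):
    """Count outcome labels, the raw data behind the observable frequencies."""
    return Counter(classify(*r) for r in rounds)


if __name__ == "__main__":
    for label, count in sorted(tally(SAMPLE_ROUNDS).items()):
        print(label, count)
```

The fifth and sixth sample rounds show why SWAP-ALL rounds are tested: an injected multi-photon pulse can pass a SWAP-10 round silently, but it produces double-clicks whenever both modes are occupied and Alice measures everything.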

III. SECURITY PROOF OF THE MIRROR PROTOCOL AGAINST COLLECTIVE ATTACKS
We now prove security of the Mirror protocol. For our security proof, we assume that the adversary Eve is restricted to collective attacks, namely, that Eve attacks each round in an independent and identical manner, but she is allowed to postpone the measurement of her private quantum ancilla until any future point in time. Beyond this, we will also assume in our security analysis that Eve is allowed to inject any signal into the forward channel (linking quantum Bob to classical Alice); in the reverse channel, she is free to perform any quantum unitary probe, but we will assume that the number of photons returning to Bob is at most one. That is, Eve is allowed to inject multiple photons into the channel going to Alice, but on the way back, only a single photon or no photons at all will be returned to Bob. This assumption means that Eve may need to remove photons on the way from Alice to Bob, if she sent multiple photons towards Alice; in Subsection III-A we explain how Eve can perform this attack.
The above assumption (that at most one photon is sent towards Bob) is made to simplify the analysis of the return channel. We point out that according to [1], the Mirror protocol is completely robust even without this assumption; namely, it is proved robust against all multi-photon attacks and all kinds of losses and dark counts. However, full security analysis of the multi-photon case, including both losses and dark counts, is very difficult even in the simplest one-way standard QKD, and even more so in any standard two-way QKD protocol such as "Plug & Play" [30], "Ping Pong" [31], and LM05 [32] (see also [33]). Furthermore, this case has not been analyzed in security proofs of many other SQKD protocols (e.g., [40], [41], [42], [43]). Therefore, we do not aim to solve this major issue here in the specific case of the Mirror protocol: extending the full security proof to this most general case is left for future research.
Our main result in this section is a lower bound on the von Neumann entropy $S(A|E)$ of the protocol. This allows us to determine a lower bound on the key rate of the protocol using the Devetak-Winter key rate equation [56]. Our main key rate result is summarized in the following theorem (which uses notations defined in Table 2):

Theorem 1. Assuming the attack model discussed above, consider the observable statistics and their respective notations listed in Table 2. Then, the key rate of the protocol is lower-bounded by: where: subject to the following constraint:

Table 1.

| Alice's classical operation | Did Alice detect a photon? | State sent from Alice to Bob | Round type | Raw key bit |
|---|---|---|---|---|
| | | | "test" | none |
| SWAP-10 | no (happens with probability $\frac{1}{2}$) | $\|0,1\rangle_B$ | "raw key" | 0 |
| SWAP-10 | yes (happens with probability $\frac{1}{2}$) | $\|0,0\rangle_B$ | "raw key" | none |
| SWAP-01 | no (happens with probability $\frac{1}{2}$) | $\|1,0\rangle_B$ | "raw key" | 1 |
| SWAP-01 | yes (happens with probability $\frac{1}{2}$) | $\|0,0\rangle_B$ | "raw key" | none |
| SWAP-ALL | yes (happens with certainty) | $\|0,0\rangle_B$ | "SWAP-ALL" | none |

Table 2.

| Notation | Definition | Round type in which this occurs |
|---|---|---|
| | Probability that Alice and Bob get raw key bits 0, 0, respectively | "raw key" |
| | Probability that Alice and Bob get raw key bits 0, 1, respectively | "raw key" |
| | Probability that Alice and Bob get raw key bits 1, 0, respectively | "raw key" |
| | Probability that Alice and Bob get raw key bits 1, 1, respectively | "raw key" |
| $M$ | Probability that both Alice and Bob get raw key bits | "raw key" |
| $p_{0,+}$ | Probability that Alice gets raw key bit 0, and Bob observes $\|+\rangle$ | "raw key" (with mismatched bases) |
| $p_{1,+}$ | Probability that Alice gets raw key bit 1, and Bob observes $\|+\rangle$ | "raw key" (with mismatched bases) |
| $p_{+,+}$ | Probability that Bob observes $\|+\rangle$ | "test" |
| $p_{\mathrm{CTRL}:0}$ | Probability that Bob observes $\|0,1\rangle$ | "test" (with mismatched bases) |
| $p_{\mathrm{CTRL}:1}$ | Probability that Bob observes $\|1,0\rangle$ | "test" (with mismatched bases) |
| $p_{\mathrm{double}}$ | Probability that Alice observes a "double-click" event ($\|1,1\rangle$) | "SWAP-ALL" |
| $p_{\mathrm{create}:0}$ | Probability that Alice observes $\|0,0\rangle$, and Bob observes $\|0,1\rangle$ | "SWAP-ALL" |
| $p_{\mathrm{create}:1}$ | Probability that Alice observes $\|0,0\rangle$, and Bob observes $\|1,0\rangle$ | "SWAP-ALL" |

We prove Theorem 1 in several steps. First, in Subsection III-A we describe Eve's most general attacks that are allowed under our attack model assumptions. Following this, in Subsection III-C we present the final quantum state $\rho_{ABE}$ shared by Alice, Bob, and Eve at the end of each round of the protocol, conditioning on a raw-key bit being generated during that round. To complete the proof, we must find a lower bound on the conditional von Neumann entropy $S(A|E)$ corresponding to $\rho_{ABE}$. For this, in Subsections III-B-III-E we show how Alice and Bob can use observable probabilities from all types of rounds (see Table 4) to compute inner products and norms of quantum states appearing in $\rho_{ABE}$. Then, in Subsection III-F we use a theorem from [57] to compute the von Neumann entropy of $\rho_{ABE}$ as a function of our computed inner products.
Finally, in Subsection III-F we combine all results from Subsections III-B-III-E to find lower bounds on the required inner products as functions of the observable probabilities from Table 4, which completes the proof of Theorem 1.

A. EVE'S ATTACKS
a: Eve's first attack
We first analyze the forward-channel attack, namely, the attack on the way from Bob to Alice. Here, we note that it is to Eve's advantage to simply discard the signal coming from Bob (which should be the same each round and carries no information at this point) and inject a signal of her own, possibly consisting of multiple photons and entangled with her private quantum ancilla.
Specifically, in each round, Bob sends to Alice the same quantum state: . At this point, Eve performs her first attack: she replaces Bob's original state by her own state. Since Bob never prepares alternative initial states, Eve dropping the signal and replacing it with one of her own is the most general strategy she could perform in the collective attack scenario. Without loss of generality, Eve's state is of the form: Then, Eve sends subsystem $B$ to Alice and keeps subsystem $E$ as her own ancillary state. Note that as we are dealing with a two-way quantum communication channel, Eve has two opportunities to attack the quantum signal each round. The above equation represents the state after her first attack; however, following Alice's encoding operation, Eve will have a second opportunity to attack. Unlike many one-way protocols, we cannot reduce this to an entanglement-based protocol whereby Eve simply prepares a state and sends part to Alice and part to Bob: although some reductions for two-way (S)QKD protocols to equivalent entanglement-based protocols are known [58], [59], those results cannot be applied to this mirror-based protocol and so we cannot employ them. Thus we must analyze Eve's attack in two stages, which makes the analysis somewhat more complicated.
b: Eve's second attack
Then, Alice performs her classical operation (CTRL, SWAP-10, SWAP-01, or SWAP-ALL) and sends the resulting state back to Bob. Now, Eve performs her second attack, described as the unitary operator $U_R$. As explained above, for the second attack we make the simplifying assumption that Eve always sends at most one photon; namely, she sends a superposition of $|0,1\rangle_B$, $|1,0\rangle_B$, and $|0,0\rangle_B$ with her corresponding ancillary states $|g^{0,1}_{m_1,m_0}\rangle_E$, $|g^{1,0}_{m_1,m_0}\rangle_E$, and $|g^{0,0}_{m_1,m_0}\rangle_E$. We emphasize that this simplifying assumption applies only to the second attack, and not to the first attack.
Thus, Eve's second attack is of the form: However, in our security proof we use terms of the following simplified notations: where we denote |g j,k m1,m0 E |f j,k m1,m0,m1,m0 E . We note that the operation of U R on states |m 1 , m 0 B |e m1,m0 E where m 1 = m 1 or m 0 = m 0 will not appear in our security proof, because these states do not give us meaningful statistics 2 and thus do not contribute to the probabilities in Table 4. We also note that since Eve is all-powerful, she will have no trouble performing any unitary operation, even if it includes a complicated operation for reducing the number of photons.
In both attacks, subsystem B is sent to a legitimate user, while subsystem E is kept as Eve's ancilla.

B. ANALYZING ALL TYPES OF ROUNDS
In Table 3 we classify all rounds into six types that Alice and Bob need to analyze. The rounds are classified according to Alice's random choice of a classical operation and Bob's random choice of a measurement basis.

Table 3.

| Round Type | Alice's Operation | Bob's Basis |
|---|---|---|
| "raw key" | SWAP-x | computational |
| mismatched "raw key" | SWAP-x | Hadamard |
| "test" | CTRL | Hadamard |
| mismatched "test" | CTRL | computational |
| "SWAP-ALL" | SWAP-ALL | computational |
| mismatched "SWAP-ALL" | SWAP-ALL | Hadamard |

Notice the use of basis-mismatched rounds. Technically, we could have used only the "standard" (basis-matching) rounds for completing the security proof, by using the Cauchy-Schwarz inequality for finding worst-case bounds. However, using the technique of analyzing "mismatched measurements" [60], [61], we can derive a significantly improved formula for the final key rate.

Footnote 2: States of the form $U_R |0, m_0\rangle_B |e_{m_1,m_0}\rangle_E$ and $U_R |m_1, 0\rangle_B |e_{m_1,m_0}\rangle_E$ may appear in "raw key" rounds analyzed in Subsection III-C, but we analyze only rounds which contribute to the raw key, where Alice detects no photon; namely, $m_1 = 0$ or $m_0 = 0$, respectively. In addition, states of the form $U_R |0, 0\rangle_B |e_{m_1,m_0}\rangle_E$ may appear in "SWAP-ALL" rounds analyzed in Subsection III-E, but we analyze only "double-clicks" of Alice (where Eve's attack $U_R$ is irrelevant, although we use it algebraically to prove Lemma 2) and "creation" events (where Alice detects no photon, so $m_1 = m_0 = 0$).
Alice and Bob have to find relevant statistics for each type of round and compute all probabilities listed in Table 4. In Subsections III-C-III-E we relate these probabilities to the quantum states appearing in our security proof, and in Subsection III-F we derive the resulting final key rate formula.
Then, Alice chooses her classical operation, as detailed below.

C. "RAW KEY" ROUNDS: ALICE CHOOSES THE SWAP-X OPERATION
In "raw key" rounds, Alice chooses either SWAP-10 or SWAP-01 (each with probability $\frac{1}{2}$), that are defined in Eqs. (2)-(3). Then, the non-normalized state of the joint system, conditioning on Alice detecting no photon, is: where we define: We note that $|0\rangle_A$ and $|1\rangle_A$ denote the raw key bit of Alice: Alice deduces it from her own choice of SWAP-10 (which corresponds to $|0\rangle_A$) or SWAP-01 (which corresponds to $|1\rangle_A$), as explained in Table 1. After Eve's second attack (namely, after Eve applies the $U_R$ operator defined in Eq. (9)), the joint non-normalized state becomes: To simplify notation, we define the following states in subsystem $E$: so Eq. (12) becomes:

1) Standard "Raw Key" Rounds: Bob Chooses the Computational Basis
Now, Bob measures his subsystem in the computational basis $\{|0\rangle, |1\rangle\}$, and his raw key bit is simply his measurement result ("0" or "1"). Conditioning on Bob detecting a photon (namely, measuring $|0,1\rangle_B$ or $|1,0\rangle_B$), the final normalized state of the joint system after Bob's measurement is: where $M$ is a normalization term, which is computed below. Eq. (15) confirms that, as written in Table 4:

$$\langle E_0|E_0\rangle_E = \Pr(\text{Alice gets raw key bit 0, and Bob gets raw key bit 0}), \qquad (16)$$

$$\langle E_1|E_1\rangle_E = \Pr(\text{Alice gets raw key bit 0, and Bob gets raw key bit 1}), \qquad (17)$$

$$\langle E_2|E_2\rangle_E = \Pr(\text{Alice gets raw key bit 1, and Bob gets raw key bit 0}),$$

In addition, we can compute the normalization term $M$: = Pr(both Alice and Bob get raw key bits) = Pr(Alice observes no photon, and Bob observes a photon).

Table 4. All the probabilities Alice and Bob need to compute, and the formulas relating them to quantum states in our security proof. All formulas are proved in Subsections III-C-III-E.

| Probability | Round | Definition | Formula |
|---|---|---|---|
| $\langle E_0\|E_0\rangle_E$ | "raw key" | Alice and Bob get raw key bits 0, 0, respectively | |
| $\langle E_1\|E_1\rangle_E$ | "raw key" | Alice and Bob get raw key bits 0, 1, respectively | |
| $\langle E_2\|E_2\rangle_E$ | "raw key" | Alice and Bob get raw key bits 1, 0, respectively | |
| $\langle E_3\|E_3\rangle_E$ | "raw key" | Alice and Bob get raw key bits 1, 1, respectively | |
| $M$ | "raw key" | both Alice and Bob get raw key bits | |
| | | Alice gets raw key bit 0, and Bob observes $\|+\rangle$ | |
| | | Alice gets raw key bit 1, and Bob observes $\|+\rangle$ | |
| | "SWAP-ALL" | Alice observes $\|0,0\rangle$, and Bob observes $\|0,1\rangle$ | $= 2\langle g_0\|g_0\rangle_E$ |
| $p_{\mathrm{create}:1}$ | "SWAP-ALL" | Alice observes $\|0,0\rangle$, and Bob observes $\|1,0\rangle$ | $= 2\langle g_1\|g_1\rangle_E$ |
Notice that all these probabilities are observable quantities: Alice and Bob estimate $\langle E_0|E_0\rangle_E$, $\langle E_1|E_1\rangle_E$, $\langle E_2|E_2\rangle_E$, $\langle E_3|E_3\rangle_E$, and $M$ during the classical post-processing stage by testing a random subset of raw key bits. . We get: where the remainders of the above terms (the "$\cdots$") are irrelevant to our discussion. We denote by $p_{0,+}$ the probability that Alice gets the raw key bit 0 and Bob observes $|+\rangle_B$ (see Table 4). Similarly, we denote by $p_{1,+}$ the probability that Alice gets the raw key bit 1 and Bob observes $|+\rangle_B$. These probabilities are: Therefore, we find:

2) Mismatched "Test" Rounds: Bob Chooses the Computational Basis
In this case, we denote by $p_{\mathrm{CTRL}:0}$ the probability of Bob observing $|0,1\rangle_B$ (see Table 4). From Eq. (24), we find (similarly to the computation of $p_{+,+}$): Similarly, denoting by $p_{\mathrm{CTRL}:1}$ the probability of Bob observing $|1,0\rangle_B$, we find:

E. "SWAP-ALL" ROUNDS: ALICE CHOOSES THE SWAP-ALL OPERATION, AND BOB CHOOSES THE COMPUTATIONAL BASIS
1) The Probability of a "Double-Click" Event: Used for Upper-Bounding $\langle h_0|h_0\rangle_E$ and $\langle h_1|h_1\rangle_E$
In "SWAP-ALL" rounds, Eve sends to Alice the initial state $|\psi_0\rangle = \sum_{m_1 \ge 0,\, m_0 \ge 0} |m_1, m_0\rangle_B |e_{m_1,m_0}\rangle_E$ described in Eq. (7), and Alice chooses the SWAP-ALL operation defined in Eq. (4), which essentially means that Alice measures subsystem $B$ and sends a vacuum state towards Bob. Let us denote by $p_{\mathrm{double}}$ the probability that Alice observes a "double-click" event (detecting a photon in both modes $|0\rangle$ and $|1\rangle$); namely, that she measures a state $|m_1, m_0\rangle_{A_{\mathrm{anc}}}$ where $m_1, m_0 \ge 1$ (see Table 4). This probability is easily found to be: We can thus prove the following Lemma: Proof. Let us define the non-normalized state $|\zeta\rangle$ as: (We use the state $|\zeta\rangle$ only for this algebraic proof; it does not appear in the protocol.) Clearly: $\langle e_{m_1,m_0}|e_{m_1,m_0}\rangle_E = \frac{1}{2} p_{\mathrm{double}}$.
2) The Probability of a "Creation" Event: Used for Computing $\langle g_0|g_0\rangle_E$ and $\langle g_1|g_1\rangle_E$
Let $p_{\mathrm{create}:0}$ denote the probability that Alice observes $|0,0\rangle_{A_{\mathrm{anc}}}$ (namely, a vacuum state) and Bob observes $|0,1\rangle_B$ (see Table 4). In this event, Eve "creates" (on the way from Alice to Bob) a photon in the $|0\rangle$ mode that should not have existed. (See [39] for examples of such attacks.) Similarly, let $p_{\mathrm{create}:1}$ denote the probability that Alice observes $|0,0\rangle_{A_{\mathrm{anc}}}$ and Bob observes $|1,0\rangle_B$.
After Eve sends the initial state $|\psi_0\rangle = \sum_{m_1 \ge 0,\, m_0 \ge 0} |m_1, m_0\rangle_B |e_{m_1,m_0}\rangle_E$ described in Eq. (7), and after Alice applies the SWAP-ALL operation defined in Eq. (4), the resulting state is: For computing the probabilities $p_{\mathrm{create}:0}$ and $p_{\mathrm{create}:1}$, we need to analyze the term where Alice observes $|0,0\rangle_{A_{\mathrm{anc}}}$; namely, the term $|0,0\rangle_{A_{\mathrm{anc}}} |0,0\rangle_B |e_{0,0}\rangle_E$. Now, Eve's second attack applies the unitary operator $U_R$ (described in Eq. (9)) to this non-normalized term, which gives the following final result: Since $p_{\mathrm{create}:0}$ is the probability that Alice observes $|0,0\rangle_{A_{\mathrm{anc}}}$ and Bob observes $|0,1\rangle_B$ (and similarly for $p_{\mathrm{create}:1}$), we get, according to the definitions of $|g_0\rangle_E$, $|g_1\rangle_E$ in Eq. (27):

F. DERIVING THE FINAL KEY RATE
We recall that the final normalized state of the joint system after Bob's measurement, in standard "raw key" rounds where raw key bits are generated, is, according to Eq. (15):

Theorem 1 from [57] allows us to mathematically compute a bound on the conditional von Neumann entropy S(A|E) of $\rho_{ABE}$, as follows:

where:

Thus, to complete our proof of security, we only need bounds on the quantities $\langle E_0|E_3\rangle_E$ and $\langle E_1|E_2\rangle_E$; all the other parameters in the above expressions ($\langle E_0|E_0\rangle_E$, and $M$) are observable probabilities that appear in Table 4 and can be directly computed by Alice and Bob.

Lemma 3. The following constraint on Eve's quantum states holds:

Proof. We expand Eq. (26) and substitute Eqs. (22)-(23) and (28)-(29) (all appearing in Table 4) to find:

From this, we easily find (substituting Eq. (20), which appears in Table 4):

The Cauchy-Schwarz inequality, Lemma 2, and Eqs. (30)-(31) (all appearing in Table 4) complete the proof.
Taken together, the above proof derives a lower bound on S(A|E) for a raw-key generation round, and this bound is based only on observable statistics from Table 4. The Devetak-Winter key rate equation [56] (which says that the key rate of a QKD protocol under collective attacks is the difference S(A|E) − H(A|B)) then completes our proof of Theorem 1.
To actually evaluate our bound on S(A|E), we will simply $\langle E_1|E_2\rangle_E$, subject to the three following constraints:

Note that we evaluate the minimum because we assume the worst-case scenario, namely, that Eve chooses her attack so as to minimize S(A|E) (and, thus, minimize the key rate r).
In practice, we can minimize over a single parameter (say, $\langle E_1|E_2\rangle_E$), and take the other one ($\langle E_0|E_3\rangle_E$) as the right-hand side of Eq. (42), minus the free parameter $\langle E_1|E_2\rangle_E$ (but not less than 0). This will give us the minimum, because for any given value of $\langle E_1|E_2\rangle_E$, it is beneficial for Eve to have the smallest possible (non-negative) value of $\langle E_0|E_3\rangle_E$. For our evaluations, we performed this minimization by simply discretizing the search space and evaluating our bound on the entropy at all points in the space for computing the minimum. We also confirmed these results using Mathematica's NMinimize function.
3) Compute H(A|B) using the observed parameters:

where:

4) Find the final key rate expression, using the Devetak-Winter key rate formula [56]:

This process is summarized in Algorithm 1.
Algorithm 1: Compute a Lower Bound for rate = S(A|E) − H(A|B).
Input: All observable probabilities listed in Table 4.
Output: Lower bound on the key rate of the protocol.
1 Initialize the variable lowestAE ← ∞.
2 Compute all probabilities listed in Table 4
If this determined bound is lower than the existing value of lowestAE, save it in lowestAE.
7 end
8 Compute H(A|B) using Eq. (45), and put the result in variable AB.
9 return the difference value lowestAE − AB

IV. EXAMPLES
The key rate bounds we found in Section III work in a wide range of scenarios, and they can be evaluated for all the possible values of all probabilities in Table 4. We would now like to evaluate our bounds for two concrete scenarios that are easily comparable with attacks on other QKD and SQKD protocols.

A. FIRST SCENARIO: SINGLE-PHOTON ATTACKS WITHOUT LOSSES
In the first scenario, let us assume that Bob has a perfect qubit source (no multi-photon pulses) and there are no photon losses. Furthermore, let us assume that Eve does not perform a multi-qubit attack at all (not even in her first attack). In this scenario, the only free parameters are the noises $Q_Z$, $Q_X$ in the channel: $Q_Z$ is the probability that a $|0,1\rangle_B$ state is flipped into $|1,0\rangle_B$ (and vice versa) in "raw key" rounds, and $Q_X$ is the probability that a $|+\rangle_B$ state is flipped into $|-\rangle_B$ in "test" rounds.
We consider the following noise model:
• In the "raw key" rounds, we consider that both the forward channel (from Bob to Alice) and the reverse channel (from Alice to Bob) are depolarizing channels with error $Q_Z$, as follows:
• In the "test" rounds, we consider that the whole channel (from Bob to Alice and back to Bob; notice that Alice does nothing in such rounds) is a depolarizing channel with error $Q_X$, as follows:

Here, in the forward attack, Eve always replaces Bob's original state $|0,1\rangle_{x,B} = \frac{|0,1\rangle_B + |1,0\rangle_B}{\sqrt{2}}$ by the following state (a special case of Eq. (7)):

with $\langle e_{0,1}|e_{0,1}\rangle_E = \langle e_{1,0}|e_{1,0}\rangle_E = \frac{1}{2}$.

B. SECOND SCENARIO: SINGLE-PHOTON ATTACKS WITH LOSSES
In the second scenario, our noise model remains identical to the first scenario, except for two modifications:
• In the forward channel (from Bob to Alice), a loss occurs with probability $p_F$; if it does not occur, the original noise model is applied.
• In the reverse channel (from Alice to Bob), a loss occurs with probability $p_R$; if it does not occur, the original noise model is applied.

We assume, in particular, that a loss is final: if a loss occurs in the forward channel, no photon will ever be observed in this round by either Alice or Bob.

C. EVALUATION RESULTS
In Table 5 we evaluate all probabilities in both scenarios.
a: First scenario (single-photon attacks without losses)

Substituting the probabilities from Table 5 in Eqs. (42)-(44), we find the three constraints to be:

As explained in Subsection III-G, we numerically find the minimal value of the key rate expression r = S(A|E) − H(A|B) for various values of $Q_{Z,X}$ by using the lower bound on S(A|E) presented in Eq. (41), which is evaluated under the three above constraints on the values of $\langle E_0|E_3\rangle_E$ and $\langle E_1|E_2\rangle_E$. This numerical optimization yields the graph shown in Fig. 2, presenting two cases:
• In the dependent noise model, where the error rates $Q_X$ and $Q_Z$ are identical (namely, $Q_X = Q_Z$), we recover the asymptotic BB84 noise tolerance of 11%.
• In the independent noise model, where the two-way channel is modeled as two independent depolarizing channels (namely, $Q_X = 2Q_Z(1 - Q_Z)$), the maximal (asymptotic) noise tolerance is 7.9%.

Interestingly, both values agree with the values found in [57] for the original "QKD with Classical Bob" SQKD protocol [3].
In both scenarios, because the Mirror protocol is two-way, we compare it to two copies of BB84 performed from Alice to Bob; this is a common comparison for two-way protocols (see, for example, [33]). The key rate of two copies of BB84 is $2(1 - 2H_2(p))$, namely, twice the original key rate of BB84.

Substituting the probabilities from Table 5 in Eqs. (42)-(44), we find the three constraints to be:

The numerical analysis for this scenario is similar to the previous one. However, here we must also model the loss rates, so we consider a fiber channel with loss rates $p_{F,R} = 1 - 10^{-\alpha\ell}$ (where $\alpha$ is the loss coefficient, and $\ell$ is measured in kilometers). We consider two examples of fiber lengths: $\ell$ = 10km and $\ell$ = 50km. Results are presented in Fig. 3.

[Table caption fragment: "Table 4 for both examples (both scenarios)." Columns: Probability; Single-Photon without Losses; Single-Photon with Losses.]

[Fig. 3 caption] A graph of the final key rate versus the noise level of the Mirror protocol in the second scenario (single-photon attacks with losses), compared to two copies of BB84, for two possible lengths of fiber channels ($\ell$ = 10km and $\ell$ = 50km) and $\alpha$ = 0.2 dB/km. Note that this figure presents the effective key rate computed by the expression r = S(A|E) − H(A|B), which scales with the probability of a raw key bit being generated. Also note that the key rate of BB84 at 50km coincides with that of the Mirror protocol at 10km, so both are plotted as the same (solid) line.

These evaluations lead to several observations, most notably the observation that the Mirror protocol is more sensitive to loss than BB84 even in the single photon case: increasing the fiber length from $\ell$ = 10km to $\ell$ = 50km causes a significant drop in key rate. We also note that the key rate of the Mirror protocol at only 10km coincides with that of BB84 at 50km. This seems to indicate, not surprisingly, that BB84 outperforms the Mirror protocol under loss. There are many reasons for this. First, note that each photon in Mirror travels twice the distance compared to BB84: while we are comparing Mirror with two copies of BB84, these copies are treated independently and, thus, for a single bit to be produced from these two copies, it is sufficient for one of the photons to survive transmission without being lost (over a fiber of length $\ell$). On the other hand, in the Mirror protocol, the photon must travel through both channels without loss (a total fiber length of $2\ell$) for a single bit to be produced from a round. Second, in Mirror Eve has two opportunities to attack, which gives her a bigger attack strategy space for any given loss level. Finally, our security analysis against loss may not be as tight as our analysis against noise (where, as seen in Fig. 2, the Mirror protocol performs similarly to BB84 under a lossless but noisy channel). This is, to our knowledge, the first security proof for the Mirror protocol against loss, and future improvements may exist.
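The BB84 baseline used in the comparisons above can be checked numerically under the two noise models of the first scenario. The following is an added example, not code from the paper: it evaluates only the two-copy BB84 rate (the Mirror bound of Eq. (41) is not reproduced), the function names are this example's own, and the asymmetric rate $1 - H_2(Q_Z) - H_2(Q_X)$ is an assumption that reduces to the text's $1 - 2H_2(p)$ when $Q_Z = Q_X = p$.

```python
import math

def h2(p):
    """Binary Shannon entropy H2(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def qx_dependent(qz):
    # Dependent noise model from the text: Q_X = Q_Z.
    return qz

def qx_independent(qz):
    # Independent noise model from the text: Q_X = 2 Q_Z (1 - Q_Z),
    # i.e. exactly one of the two passes through the channel flips the state.
    return 2 * qz * (1 - qz)

def bb84_rate(qz, qx):
    # Assumption: standard asymptotic BB84 rate 1 - H2(Q_Z) - H2(Q_X),
    # which equals the text's 1 - 2 H2(p) when Q_Z = Q_X = p.
    return 1 - h2(qz) - h2(qx)

def two_copy_rate(qz, model):
    # Two independent copies of BB84, the baseline for two-way protocols.
    return 2 * bb84_rate(qz, model(qz))

def noise_tolerance(model, steps=5000, q_max=0.5):
    """Largest Q_Z with a positive rate: discretized scan, then bisection."""
    lo = 0.0
    for i in range(1, steps + 1):
        q = q_max * i / steps
        if two_copy_rate(q, model) <= 0:
            hi = q
            break
        lo = q
    else:
        return q_max  # rate stayed positive over the whole grid
    for _ in range(60):
        mid = (lo + hi) / 2
        if two_copy_rate(mid, model) > 0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for name, model in (("dependent", qx_dependent), ("independent", qx_independent)):
        print(f"{name:12s} noise tolerance: {noise_tolerance(model):.4f}")
```

Under these assumptions the BB84 baseline crosses zero near $Q_Z = 0.110$ in the dependent model and near $Q_Z = 0.079$ in the independent model.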

V. SUMMARY
We have proved security of the Mirror protocol against collective attacks, including attacks where the adversary Eve sends multiple photons towards the classical user (Alice). Our analysis shows that the asymptotic noise tolerance of the Mirror protocol is comparable, in the single-photon scenario, to the "QKD with Classical Bob" protocol [3], [57] and even to the BB84 protocol. Moreover, we have suggested a general framework for analyzing multi-photon attacks; this framework may be useful for other QKD and SQKD protocols, too.
We conclude the Mirror protocol is theoretically secure against collective attacks, and we suspect similar security results can be achieved for general attacks. Extensions of our results, such as security against general attacks, security against multi-photon attacks on both channels, and evaluation of our key rate formula in the multi-photon case, are left for future research. Our extension to multi-photon attacks also suggests the intriguing possibility of analyzing SQKD protocols employing decoy states and similar counter-measures against practical attacks.
Our results show that SQKD protocols can potentially be implemented in a secure way, overcoming the practical attacks suggested by [37], [38]. They therefore hold the potential to transform the SQKD protocols, making them not only theoretically fascinating, but also practically secure.