pith. sign in

arxiv: 2605.29787 · v1 · pith:IOPDO7NOnew · submitted 2026-05-28 · 🪐 quant-ph

Chain rules for conditional entropies in quantum cryptography: limitations and improvements

Pith reviewed 2026-06-29 06:27 UTC · model grok-4.3

classification 🪐 quant-ph
keywords chain rulesconditional entropiesdevice-independent protocolsentropy accumulation theoremRényi entropyquantum cryptographysecurity proofs
0
0 comments X

The pith

A hoped-for tightening of the chain rule for conditional entropies fails in the device-independent setting, though an intermediate new rule holds and slightly improves the Rényi EAT.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Security proofs for quantum cryptography use chain rules on conditional entropies to handle general eavesdropper attacks that are not i.i.d. across rounds. The paper shows that a natural tightening of the Dupuis et al. chain rule, which succeeded for trusted devices and enabled finite-round i.i.d. reductions, cannot hold when devices are untrusted. An intermediate improvement to the chain rule is nevertheless established. This yields a modestly tighter Rényi entropy accumulation theorem in some contexts and supplies a unified framework for comparing existing rules.

Core claim

A natural tightening of the chain rule of Dupuis et al. cannot hold in the device-independent setting. An intermediate new chain rule is nevertheless provable and, when inserted into the framework of Arqand et al., produces a slightly tighter Rényi EAT in certain contexts. The work also supplies a self-contained unification of existing chain rules.

What carries the argument

Chain rule relating the conditional entropy of a structured non-i.i.d. process to a sum of per-round entropy contributions.

If this is right

  • The natural tightening cannot be used to obtain finite-round i.i.d. reductions in device-independent protocols.
  • The intermediate chain rule still permits a modest improvement to the Rényi EAT.
  • Existing DI security proofs can be compared inside a single unified framework.
  • Current approaches to DI proofs face a structural limitation not present in the trusted-device case.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Device-independent protocols may need entirely different techniques for tight finite-round security bounds.
  • The intermediate rule could be tested for further tightening when additional structure, such as specific measurement assumptions, is imposed.
  • The limitation may affect other entropy measures or accumulation theorems beyond the Rényi case.

Load-bearing premise

That the device-independent setting permits the same style of finite-round i.i.d. reduction via chain-rule tightening that was achieved for trusted devices.

What would settle it

An explicit counter-example protocol or numerical instance in which the proposed natural tightening produces a contradiction with known device-independent bounds.

Figures

Figures reproduced from arXiv: 2605.29787 by Lewis Wooltorton, Omar Fawzi, Peter Brown.

Figure 1
Figure 1. Figure 1: Two steps of a general cryptographic protocol. The protocol accepts an input state [PITH_FULL_IMAGE:figures/full_fig_p006_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The setting considered in [DFR20], which is a special case of [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Two instances of a pair of non-signaling channels. Neither can be modeled by Markov [PITH_FULL_IMAGE:figures/full_fig_p012_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: (a) The i.i.d. channel structure considered in [ [PITH_FULL_IMAGE:figures/full_fig_p016_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: (a) The channel structure considered in the marginal constrained entropy accumulation [PITH_FULL_IMAGE:figures/full_fig_p017_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: (a) The non-signaling channel structure considered in [ [PITH_FULL_IMAGE:figures/full_fig_p018_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Relaxation of the non-signaling channel structure considered in [ [PITH_FULL_IMAGE:figures/full_fig_p021_7.png] view at source ↗
read the original abstract

Security proofs in quantum cryptography rely on conditional entropies. In a many-round protocol, their estimation is a challenging task; one must account for the most general attacks by an eavesdropper, including those that are not independently and identically distributed (i.i.d.) across all rounds. Chain rules address this problem by relating the conditional entropy of a structured, but non-i.i.d. process to a sum of entropy contributions from each round. They are a key ingredient in entropy accumulation theorems (EATs), which provide a versatile security proof framework for many protocols in quantum cryptography. Recently, chain rules in the setting of trusted devices have lead to tight i.i.d. reductions at a finite number of rounds, and whether analogous results can be recovered in the device-independent (DI) setting has not been addressed. Surprisingly, we show that a natural tightening of the chain rule of Dupuis et al. [Commun. Math. Phys. 379, 867-913, (2020)] that would answer this question affirmatively cannot hold, highlighting a limitation of the current DI security proof approach. Nonetheless, we show that an intermediate improvement is possible by proving a new chain rule in this setting. Following the framework of Arqand et al. [Phys. Rev. X 15, 041013 (2025)], we use our chain rule to provide a slightly tighter version of the R\'enyi EAT in certain contexts. In addition, we provide a self-contained framework that unifies existing chain rules and compares their applications, framing our results in a broader context.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript proves that a natural tightening of the Dupuis et al. chain rule cannot hold in the device-independent setting (via counterexample), establishes an intermediate new chain rule, applies it within the Arqand et al. framework to obtain a modestly tighter Rényi EAT in certain contexts, and supplies a self-contained unifying framework that compares existing chain rules and their applications to entropy accumulation theorems.

Significance. If the counterexample and derivations hold, the work usefully delineates the limits of i.i.d.-style finite-round reductions when moving from trusted-device to DI settings and supplies a concrete, albeit incremental, improvement to the Rényi EAT. The unifying framework is a secondary but genuine service to the community working on EAT-based security proofs.

minor comments (2)
  1. The abstract and introduction refer to 'certain contexts' for the tighter Rényi EAT without an explicit statement of the precise regime (e.g., number of rounds, dimension, or noise level) where the improvement is non-vacuous; a short clarifying sentence or footnote would help readers assess applicability.
  2. Notation for the new chain rule (presumably introduced in §3 or §4) should be cross-referenced to the Dupuis et al. and Arqand et al. statements so that the 'intermediate' character is immediately visible in a single display equation.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for their positive summary, significance assessment, and recommendation of minor revision. The report accurately captures the manuscript's contributions: the no-go result on tightening the Dupuis et al. chain rule in the device-independent setting, the new intermediate chain rule, its application to a modestly improved Rényi EAT via the Arqand et al. framework, and the unifying comparison of existing chain rules. No specific major comments were raised in the report.

Circularity Check

0 steps flagged

No significant circularity

full rationale

This is a mathematical proof paper establishing an impossibility result via explicit counterexample for a natural tightening of the Dupuis et al. chain rule in the DI setting, followed by a constructive derivation of an intermediate chain rule within the existing EAT framework of Arqand et al. Both the impossibility and the new rule are derived from explicit constructions and standard quantum information definitions rather than any fitted parameters, self-referential definitions, or load-bearing self-citations. The cited prior works (Dupuis et al. 2020, Arqand et al. 2025) are external and the derivations do not reduce to renaming or smuggling ansatzes. The central claims remain independent of the paper's own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is a pure mathematical proof paper in quantum information theory. No free parameters, invented entities, or ad-hoc axioms are indicated in the abstract; the work relies on standard axioms of quantum mechanics and information theory.

pith-pipeline@v0.9.1-grok · 5820 in / 1135 out tokens · 21967 ms · 2026-06-29T06:27:25.713599+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

15 extracted references · 5 canonical work pages · 2 internal anchors

  1. [1]

    Quantumcryptography:Publickeydistribution andcointossing,

    arXiv:2502.02563. [BB84] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distri- bution and coin tossing. In Proceedings of IEEE International Conference on Com- puters, Systems, and Signal Processing, pages 175–179. IEEE, New York, 1984.doi: 10.1016/j.tcs.2014.05.025. [BBM92] Charles H. Bennett, Gilles Brassard, and N. David Merm...

  2. [2]

    Quantum And Relativistic Protocols For Secure Multi-Party Computation

    doi:10.1088/1367-2630/acf393. [BV04] Stephen Boyd and Lieven Vandenberghe. Convex Optimization. Cambridge University Press, 2004. [CG04] Daniel Collins and Nicolas Gisin. A relevant two qubit bell inequality inequivalent to the chsh inequality.Journal of Physics A: Mathematical and General, 37(5):1775, 2004. doi:10.1088/0305-4470/37/5/021. [CHSH69] John F...

  3. [3]

    Security of Quantum Key Distribution

    doi:10.1364/AOP.361502. [PAM+10] S. Pironio, A. Acin, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe. Random numbers certified by Bell’s theorem.Nature, 464:1021–1024, 2010.doi:10.1038/nature09008. [Ren05] Renato Renner. Security of Quantum Key Distribution. PhD thesis, Swiss Fe...

  4. [4]

    [TNA+26] Devashish Tupkary, Shlok Nahar, Amir Arqand, Ernest Y

    doi:10.1109/TIT.2009.2032797. [TNA+26] Devashish Tupkary, Shlok Nahar, Amir Arqand, Ernest Y. Z. Tan, and Norbert Lütken- haus. A rigorous and complete security proof of decoy-state BB84 quantum key distri- bution, 2026. arXiv:2601.18035. 34 [Tom16] Marco Tomamichel. Quantum Information Processing with Finite Resources. Springer International Publishing, ...

  5. [5]

    Rényi EAT

    doi:10.1103/PhysRevLett.134.090201. A Additional notation Recall that for a classical systemC with a finite alphabetC, the set of probability distributions on C is denoted by∆(C). The n-fold cartesian product ofC is denoted Cn, and we define the frequency distribution freq(cn) ∈ ∆(C) induced by a stringcn ∈ C n by freq(cn)(c) := k : ck = c n , ∀c ∈ C . Ve...

  6. [6]

    Lemma C.8: a closed form expression forsupqB ∈∆(B) H f α(AC|BE)ρ|σ

  7. [7]

    Lemma C.9: an expression forH f α(AC|BE)ρ|σ as a shifted Rényi divergence

  8. [8]

    Lemma C.10: continuity ofH f α(AC|BE)ρ|σ in ρ

  9. [9]

    Lemma C.11: data processing inequality forsupqB ∈∆(B) H f α(AC|BE)ρ|σ

  10. [10]

    Lemma C.12: concavity ofsupqB ∈∆(B) H f α(AC|BE)M(ω)|σ in f

  11. [11]

    Lemma C.8 (Closed form expression)

    Lemma C.13: convexity ofsupqB ∈∆(B) H f α(AC|BE)M(ω)|σ in ω. Lemma C.8 (Closed form expression). Let ρACBE = P c,b pCB(c, b)|cb⟩ ⟨cb|CB ⊗ ρ|c,b AE be a cq-state where B and C are classical, andC takes values in a finite alphabetC. Then for any vectorf ∈ R|C| and any α ∈ (1, ∞) the following equality is true: sup qB ∈∆(B) H f α(AC|BE)ρ|σ = α 1 − α log X b ...

  12. [12]

    Each Ci takes values in{0, 1}d ∪ {⊥} for a positive integerd

  13. [13]

    Each Bi is of the form TiBi where Ti is a classical bit and eachBi is isomorphic to a single register B that takes values in a finite alphabetB

  14. [14]

    Each Ai is classical and is isomorphic to a single registerA that takes values in a finite alphabet A

  15. [15]

    There exists aγ ∈ [0, 1], distributions pgen B , p test B ∈ ∆(B), a deterministic functionf : A × B → {0, 1}d and for everyi, a collection of CP mapsMa|b i : Ri−1 → Ri satisfyingP a tr[Ma|b i (ω)] = 1 for all input statesω and all b ∈ B, such that Mi = (1 − γ)|0⟩ ⟨0|Ti ⊗ Mgen i + γ |1⟩ ⟨1|Ti ⊗ Mtest i , (84) where Mgen i = X a∈A,b∈B pgen B (b)|a⟩ ⟨a|Ai ⊗ ...