Chain rules for conditional entropies in quantum cryptography: limitations and improvements
Pith reviewed 2026-06-29 06:27 UTC · model grok-4.3
The pith
A hoped-for tightening of the chain rule for conditional entropies fails in the device-independent setting, though an intermediate new rule holds and slightly improves the Rényi EAT.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
A natural tightening of the chain rule of Dupuis et al. cannot hold in the device-independent setting. An intermediate new chain rule is nevertheless provable and, when inserted into the framework of Arqand et al., produces a slightly tighter Rényi EAT in certain contexts. The work also supplies a self-contained unification of existing chain rules.
What carries the argument
Chain rule relating the conditional entropy of a structured non-i.i.d. process to a sum of per-round entropy contributions.
If this is right
- The natural tightening cannot be used to obtain finite-round i.i.d. reductions in device-independent protocols.
- The intermediate chain rule still permits a modest improvement to the Rényi EAT.
- Existing DI security proofs can be compared inside a single unified framework.
- Current approaches to DI proofs face a structural limitation not present in the trusted-device case.
Where Pith is reading between the lines
- Device-independent protocols may need entirely different techniques for tight finite-round security bounds.
- The intermediate rule could be tested for further tightening when additional structure, such as specific measurement assumptions, is imposed.
- The limitation may affect other entropy measures or accumulation theorems beyond the Rényi case.
Load-bearing premise
That the device-independent setting permits the same style of finite-round i.i.d. reduction via chain-rule tightening that was achieved for trusted devices.
What would settle it
An explicit counter-example protocol or numerical instance in which the proposed natural tightening produces a contradiction with known device-independent bounds.
Figures
read the original abstract
Security proofs in quantum cryptography rely on conditional entropies. In a many-round protocol, their estimation is a challenging task; one must account for the most general attacks by an eavesdropper, including those that are not independently and identically distributed (i.i.d.) across all rounds. Chain rules address this problem by relating the conditional entropy of a structured, but non-i.i.d. process to a sum of entropy contributions from each round. They are a key ingredient in entropy accumulation theorems (EATs), which provide a versatile security proof framework for many protocols in quantum cryptography. Recently, chain rules in the setting of trusted devices have lead to tight i.i.d. reductions at a finite number of rounds, and whether analogous results can be recovered in the device-independent (DI) setting has not been addressed. Surprisingly, we show that a natural tightening of the chain rule of Dupuis et al. [Commun. Math. Phys. 379, 867-913, (2020)] that would answer this question affirmatively cannot hold, highlighting a limitation of the current DI security proof approach. Nonetheless, we show that an intermediate improvement is possible by proving a new chain rule in this setting. Following the framework of Arqand et al. [Phys. Rev. X 15, 041013 (2025)], we use our chain rule to provide a slightly tighter version of the R\'enyi EAT in certain contexts. In addition, we provide a self-contained framework that unifies existing chain rules and compares their applications, framing our results in a broader context.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proves that a natural tightening of the Dupuis et al. chain rule cannot hold in the device-independent setting (via counterexample), establishes an intermediate new chain rule, applies it within the Arqand et al. framework to obtain a modestly tighter Rényi EAT in certain contexts, and supplies a self-contained unifying framework that compares existing chain rules and their applications to entropy accumulation theorems.
Significance. If the counterexample and derivations hold, the work usefully delineates the limits of i.i.d.-style finite-round reductions when moving from trusted-device to DI settings and supplies a concrete, albeit incremental, improvement to the Rényi EAT. The unifying framework is a secondary but genuine service to the community working on EAT-based security proofs.
minor comments (2)
- The abstract and introduction refer to 'certain contexts' for the tighter Rényi EAT without an explicit statement of the precise regime (e.g., number of rounds, dimension, or noise level) where the improvement is non-vacuous; a short clarifying sentence or footnote would help readers assess applicability.
- Notation for the new chain rule (presumably introduced in §3 or §4) should be cross-referenced to the Dupuis et al. and Arqand et al. statements so that the 'intermediate' character is immediately visible in a single display equation.
Simulated Author's Rebuttal
We thank the referee for their positive summary, significance assessment, and recommendation of minor revision. The report accurately captures the manuscript's contributions: the no-go result on tightening the Dupuis et al. chain rule in the device-independent setting, the new intermediate chain rule, its application to a modestly improved Rényi EAT via the Arqand et al. framework, and the unifying comparison of existing chain rules. No specific major comments were raised in the report.
Circularity Check
No significant circularity
full rationale
This is a mathematical proof paper establishing an impossibility result via explicit counterexample for a natural tightening of the Dupuis et al. chain rule in the DI setting, followed by a constructive derivation of an intermediate chain rule within the existing EAT framework of Arqand et al. Both the impossibility and the new rule are derived from explicit constructions and standard quantum information definitions rather than any fitted parameters, self-referential definitions, or load-bearing self-citations. The cited prior works (Dupuis et al. 2020, Arqand et al. 2025) are external and the derivations do not reduce to renaming or smuggling ansatzes. The central claims remain independent of the paper's own inputs.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Quantumcryptography:Publickeydistribution andcointossing,
arXiv:2502.02563. [BB84] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distri- bution and coin tossing. In Proceedings of IEEE International Conference on Com- puters, Systems, and Signal Processing, pages 175–179. IEEE, New York, 1984.doi: 10.1016/j.tcs.2014.05.025. [BBM92] Charles H. Bennett, Gilles Brassard, and N. David Merm...
-
[2]
Quantum And Relativistic Protocols For Secure Multi-Party Computation
doi:10.1088/1367-2630/acf393. [BV04] Stephen Boyd and Lieven Vandenberghe. Convex Optimization. Cambridge University Press, 2004. [CG04] Daniel Collins and Nicolas Gisin. A relevant two qubit bell inequality inequivalent to the chsh inequality.Journal of Physics A: Mathematical and General, 37(5):1775, 2004. doi:10.1088/0305-4470/37/5/021. [CHSH69] John F...
work page internal anchor Pith review Pith/arXiv arXiv doi:10.1088/1367-2630/acf393 2004
-
[3]
Security of Quantum Key Distribution
doi:10.1364/AOP.361502. [PAM+10] S. Pironio, A. Acin, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe. Random numbers certified by Bell’s theorem.Nature, 464:1021–1024, 2010.doi:10.1038/nature09008. [Ren05] Renato Renner. Security of Quantum Key Distribution. PhD thesis, Swiss Fe...
work page internal anchor Pith review Pith/arXiv arXiv doi:10.1364/aop.361502 2010
-
[4]
[TNA+26] Devashish Tupkary, Shlok Nahar, Amir Arqand, Ernest Y
doi:10.1109/TIT.2009.2032797. [TNA+26] Devashish Tupkary, Shlok Nahar, Amir Arqand, Ernest Y. Z. Tan, and Norbert Lütken- haus. A rigorous and complete security proof of decoy-state BB84 quantum key distri- bution, 2026. arXiv:2601.18035. 34 [Tom16] Marco Tomamichel. Quantum Information Processing with Finite Resources. Springer International Publishing, ...
-
[5]
doi:10.1103/PhysRevLett.134.090201. A Additional notation Recall that for a classical systemC with a finite alphabetC, the set of probability distributions on C is denoted by∆(C). The n-fold cartesian product ofC is denoted Cn, and we define the frequency distribution freq(cn) ∈ ∆(C) induced by a stringcn ∈ C n by freq(cn)(c) := k : ck = c n , ∀c ∈ C . Ve...
-
[6]
Lemma C.8: a closed form expression forsupqB ∈∆(B) H f α(AC|BE)ρ|σ
-
[7]
Lemma C.9: an expression forH f α(AC|BE)ρ|σ as a shifted Rényi divergence
-
[8]
Lemma C.10: continuity ofH f α(AC|BE)ρ|σ in ρ
-
[9]
Lemma C.11: data processing inequality forsupqB ∈∆(B) H f α(AC|BE)ρ|σ
-
[10]
Lemma C.12: concavity ofsupqB ∈∆(B) H f α(AC|BE)M(ω)|σ in f
-
[11]
Lemma C.8 (Closed form expression)
Lemma C.13: convexity ofsupqB ∈∆(B) H f α(AC|BE)M(ω)|σ in ω. Lemma C.8 (Closed form expression). Let ρACBE = P c,b pCB(c, b)|cb⟩ ⟨cb|CB ⊗ ρ|c,b AE be a cq-state where B and C are classical, andC takes values in a finite alphabetC. Then for any vectorf ∈ R|C| and any α ∈ (1, ∞) the following equality is true: sup qB ∈∆(B) H f α(AC|BE)ρ|σ = α 1 − α log X b ...
-
[12]
Each Ci takes values in{0, 1}d ∪ {⊥} for a positive integerd
-
[13]
Each Bi is of the form TiBi where Ti is a classical bit and eachBi is isomorphic to a single register B that takes values in a finite alphabetB
-
[14]
Each Ai is classical and is isomorphic to a single registerA that takes values in a finite alphabet A
-
[15]
There exists aγ ∈ [0, 1], distributions pgen B , p test B ∈ ∆(B), a deterministic functionf : A × B → {0, 1}d and for everyi, a collection of CP mapsMa|b i : Ri−1 → Ri satisfyingP a tr[Ma|b i (ω)] = 1 for all input statesω and all b ∈ B, such that Mi = (1 − γ)|0⟩ ⟨0|Ti ⊗ Mgen i + γ |1⟩ ⟨1|Ti ⊗ Mtest i , (84) where Mgen i = X a∈A,b∈B pgen B (b)|a⟩ ⟨a|Ai ⊗ ...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.