# Limitations on Quantum Key Repeaters

###### Abstract

A major application of quantum communication is the distribution of entangled particles for use in quantum key distribution (QKD). Due to noise in the communication line, QKD is in practice limited to a distance of a few hundred kilometres, and can only be extended to longer distances by use of a quantum repeater, a device which performs entanglement distillation and quantum teleportation. The existence of noisy entangled states that are undistillable but nevertheless useful for QKD raises the question of the feasibility of a quantum key repeater, which would work beyond the limits of entanglement distillation, hence possibly tolerating higher noise levels than existing protocols. Here we exhibit fundamental limits on such a device in the form of bounds on the rate at which it may extract secure key. As a consequence, we give examples of states suitable for QKD but unsuitable for the most general quantum key repeater protocol.

When a signal is passed from a sender to a receiver, it inevitably degrades due to the noise present in any realistic communication channel (for example a cable or free space). The degradation of the signal is typically exponential in the length of the communication line. When the signal is classical, degradation can be counteracted by use of an amplifier that measures the degraded signal and, depending on a threshold, replaces it by a stronger signal. When the signal is quantum mechanical (for example encoded in non-orthogonal polarisations of a single photon), such an amplifier cannot work any more, since the measurement inevitably disturbs the signal fuchs-disturbance (), and, more generally, since quantum mechanical signals cannot be cloned no-cloning (). Sending a quantum signal, however, is the basis of quantum key distribution (QKD), a method to distribute a cryptographic key which can later be used for perfectly secure communication between sender and receiver BB84 (). The degradation of sent quantum signals therefore seems to place a fundamental limit on the distance at which secure communication is possible thereby severely limiting its applicability in the internet stucki2009high (); gisin-review (); scarani2009security ().

A way around this limitation is the use of entanglement-based quantum key distribution schemes EK91 (); BBM92 () in conjunction with a so-called quantum repeater repeatersPRL (); SSRG11 (). This amounts to distributing Einstein-Podolsky-Rosen (EPR) pairs between Alice and Charlie (an untrusted telecom provider) and between Bob and Charlie. Imperfections due to noise in the transmission are compensated by distillation, yielding perfect EPR pairs. Here denotes the distillable entanglement of the imperfect EPR pair, that is the optimal rate at which perfect EPR pairs can be distilled from imperfect ones. The EPR pairs between Charlie and Bob are then used to teleport the state of Charlie’s other particles to Bob. This process, known as entanglement swapping, results in EPR pairs between Alice and Bob ZZHE93 () (see Fig. 1). When Alice and Bob make appropriate measurements on these EPR pairs, they obtain a sequence of secret key bits, that is, an identical but random sequence of bits that is uncorrelated with the rest of the universe (including Charlie’s systems), enabling secure communication. The described scheme with one intermediate station effectively doubles the distance over which QKD can be carried out. This abstract view of the quantum repeater will be sufficient for our purpose. The full proposal of a quantum repeater in fact allows to efficiently extend the distance arbitrarily even if the local operations are subject to a limited amount of noise repeatersPRL (). The implementation of quantum repeaters is therefore one of the focal points of experimental quantum information science SSRG11 ().

Due to the tight connection between the distillation of EPR pairs and QKD quantum-privacy-amplification (); shor-preskill (), it came as a surprise that there are bound entangled states (that is entangled states with vanishing distillable entanglement) from which secret key can be obtained pptkey (). With the help of a quantum repeater as described above, however, the secret key contained in such states cannot be extended to larger distances, as the states do not allow for the distillation of EPR pairs. This raises the question of whether there may be other ways to extend the secret key to arbitrary distances than by entanglement distillation and swapping, other quantum key repeaters.

In this work, we introduce and formally define the concept of a quantum key repeater. We then study the associated quantum key repeater rate. It is always at least as large as the rate that can be obtained in a quantum repeater protocol and we raise the question whether it could be larger (and in particular non-zero for bound entangled states). Our main results consist of upper bounds on this quantity which we use to show that there are quantum states with extreme behaviour: state with a large key rate but with a negligible quantum key repeater rate. We thus demonstrate fundamental limitations on quantum key repeaters.

## Results

The Quantum Key Repeater Rate

We analyse the quantum key repeater rate at which a protocol — only using local operations and classical communication (LOCC) — is able to extract private bits between Alice and Bob from entangled states which each of them shares with Charlie (see Fig. 2). See Supplementary Note 1 for a formal definition of the key repeater rate. By a private bit we mean an entangled state containing a unit of privacy paralleling the EPR pair as a unit of entanglement pptkey (); keyhuge (). Mathematically, private bits are entangled states of the form

(1) |

where and are qubits that contain the key bits, corresponding to the rows and columns in the matrix. The AB subsystem is called the key part. A’ and B’ are each a -dimensional systems, forming the so-called shield part. is a -by- matrix with (see also Fig. 3). can also be presented in the form , where is some state, and is a controlled unitary acting on . This operation is called twisting. It is now easy to see that the bit that Alice and Bob obtain when they measure and in the computation basis is a key bit, that is, it is random and secure, that is product with a purification of held by the eavesdropper. The relation between and is given by .

Note that just as the definition of the distillable key DevetakWinter-hash (); pptkey (), the definition of the quantum key repeater rate is information-theoretic in nature. The role of Charlie here merits special attention. While he participates in the LOCC protocol like Alice and Bob do, he is not a “trusted party”; indeed, at the end of the protocol, Alice and Bob wish to obtain private bits, whose privacy is not compromised even if at that point Charlie passes all his remaining information to the eavesdropper. We also note that well-known techniques from quantum information theory post-selection (); privacyamplification () allow to conclude that the obtained rate of private bits can be made unconditionally secure BenOrUniversal (); unruh (); HHHLO:unco-pbit (). In the following we will describe our main results which demonstrate that the performance of quantum key repeaters beyond the use of entanglement distillation is severely limited.

Some private states cannot be swapped

Our first result takes as its starting point the observation that there are private bits that are almost indistinguishable from separable states by LOCC karol-PhD (). To see this, consider the state

(2) |

which is obtained from , when Alice and Bob measure the key part of their state in the computational basis. An example is given by the choice , where the are the entries in the quantum Fourier transform in dimension . For this choice of , is separable. The distinguishability under LOCC operations is measured in the norm , which is bounded by the distinguishability under global maps preserving the positivity under the partial transpose EW02 (). This can further be bounded by , which is easily calculated as . indicates the partial transpose, that is, the transpose of one of the systems smallkey ().

Suppose now that a quantum repeater protocol applied to two copies of the latter state, shared by Alice and Charlie and Bob and Charlie respectively, successfully outputs a private bit between Alice and Bob. This could be regarded as the privacy analogue to entanglement swapping. Then, if Alice and Bob joined their labs, they could distinguish this resulting state from a separable state, as separable states are well distinguishable from private states by a global measurement pptkey (). This implies an LOCC procedure for Alice & Bob (jointly) and Charlie to distinguish the initial private bits from separable states: first run the quantum key repeater protocol and then perform the measurement. This, however, is in contradiction to the property that the private state (and hence ) is almost indistinguishable from separable states under LOCC. In conclusion this shows that such private bits cannot be successfully extended to a private bit between Alice and Bob by any LOCC protocol acting on single copies (see Supplementary Note 2).

Bounding the Quantum Key Repeater Rate

Although intuitive, the above argument only bounds the repeated key obtained from a single copy of input states. The language of entanglement measures allows us to formulate this argument asymptotically as a rigorous distinguishability bound on the rate for general states and :

(3) |

where the right hand side is the regularised LOCC-restricted relative entropy distance to the closest separable state Piani2009-relent (): , where with the minimisation over separable states , the maximisation over LOCC implementable measurements and the relative entropy distance. The proof is given in Supplementary Note 3.

Arguably, it is difficult if not impossible to compute this expression. But noting that this bound is invariant under partial transposition of the system, we can easily upper bound the quantity for all known bound entangled states (these are the ones with positive partial transpose) in terms of the relative entropy of entanglement of the partially transposed state : . The relative entropy of entanglement is given by where the minimisation extends over separable states; the regularisation is analogous to the one above. If we restrict to forward communication from Charlie and , the squashed entanglement measure provides a bound: . The squashed entanglement is given as (one half times) the minimal conditional mutual information when minimising over all extensions of the state (we condition on the extending system). Using invariance under partial transposition directly on the hypothetical quantum key repeater protocol, we obtain for PPT states and :

(4) |

where is the key rate, that is, the rate at which secret key can be extracted from by LOCC. The same holds for . The proof can be found in Supplementary Note 4.

We will now give an example of a state for which the key rate is large, but the bounds, hence the quantum key repeater rate, are arbitrarily small. Guided by our intuition, we would like to consider the private bit from above whose partial transpose is close to a separable state. The state, however, is not PPT, as no private bit can be PPT pptkey (). Fortunately, it turns into a PPT state under mixing with a small amount of noise and we find while . This leads us to the main conclusion of our paper: there exist entangled quantum states that are useful for quantum key distribution at small distances but that are virtually useless for long-distance quantum key distribution (see Fig. 4).

Bounding the Entanglement of the Output

Finally, we present a different type of bound on the quantum key repeater rate based on the direct analysis of the entanglement of a concrete output state of a quantum repeater protocol:

(5) |

where denotes the entanglement cost of the state, the rate of EPR states needed to create many copies of the state. This bound, unlike the ones presented above, applies to all quantum states. In particular, it applies to certain states invariant under partial transposition which escape the techniques presented before. Note that in the case of PPT states, one may partially transpose the states appearing on the right hand side since is invariant under partial transposition. The proof of (5) is obtained by upper bounding the squashed entanglement of the output state of the protocol using a manipulation of entropies resulting in the right hand side of (5). The squashed entanglement in turn upper bounds the distillable key of the output state (which upper bounds the left hand side) Christandl-Schuch-Winter (). For a detailed proof see Supplementary Note 5. There, we also exhibit a private bit with a significant drop in the repeater rate when compared to the key rate. We further investigate the tightness of the bound (5) and, based on a random construction, show that the left hand side cannot be replaced by the entanglement cost of the output state.

## Discussion

The preceding results pose limitations on the entanglement of the output state of a quantum key repeater protocol. As such, they support the PPT-squared conjecture: Assume that Alice and Charlie share a PPT state and that Bob and Charlie share a PPT state; then the state of Alice and Bob, conditioned on any measurement by Charlie, is always separable pptsquare (); Dipl (); master-hansen (). Reaching even further, and consistent with our findings, we may speculate that perhaps the only “transitive” entanglement in quantum states, that is entanglement that survives a quantum key repeater, is the distillable entanglement. One may also wonder whether apart from (5) there are other inequalities between entanglement measures of the in- and output states. In the context of algebro-geometric measures, this question has been raised and relations for the concurrence have been found gour-assistance (); lee2011distribution (). Our work focuses on operational entanglement measures.

States from which more key than entanglement can be extracted have recently been demonstrated experimentally in a quantum optical setup dobekPRL (). These are exactly the private states discussed in Supplementary Note 2 ( is the SWAP operator) with shield dimension equal to two. As our results for these states only become effective for higher shield dimensions, we cannot conclude that the single copy key repeater drops when compared to the key contained in these states. This may be overcome by stronger theoretical bounds or experimental progress which increases the shield dimension; we expect both improvements to be achieved in the near future.

With this paper we initiate the study of long-distance quantum communication and cryptography beyond the use of entanglement distillation by the introduction of the concept of a quantum key repeater. Even though the reported results provide limitations rather than new possibilities, we hope that this work will lead to a rethinking of the currently used protocols resulting in procedures for long-distance quantum communication that are both more efficient and that can operate in noisier environments. In the following we will give a simple example of such a rethinking: Assume that Alice and Charlie share a private bit which is almost PPT and thus requires a large shield system (see Supplementary Note 6). The quantum repeater based on quantum teleportation would thus require Bob and Charlie to share a large amount of EPR pairs in order to teleport Charlie’s share of to Bob. Alice and Bob can then extract one bit of secret key by measuring the state. Inspired by the work of Smith and Yard SmithYard (), we show in Supplementary Note 6 that a single EPR pair and a particular state which is so noisy that it contains no (one-way) distillable entanglement are sufficient in order to obtain a large quantum key repeater rate (using only one-way communication from Alice and Charlie to Bob). We thus showed that there are situations in which significant amounts of distillable entanglement may be replaced by (one-way) undistillable states.

## References

## References

- (1) Fuchs, C. A. & Peres, A. Quantum-state disturbance versus information gain: Uncertainty relations for quantum information. Phys. Rev. A 53, 2038–2045 (1996).
- (2) Wootters, W. K. & Zurek, W. H. A single quantum cannot be cloned. Nature 299, 802–803 (1982).
- (3) Bennett, C. H. & Brassard, G. Quantum Cryptography: Public Key Distribution and Coin Tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, 175–179 (IEEE Computer Society Press, New York, Bangalore, India, December 1984, 1984).
- (4) Stucki, D. et al. High rate, long-distance quantum key distribution over 250 km of ultra low loss fibres. New J. Phys. 11, 075003 (2009).
- (5) Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002).
- (6) Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
- (7) Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661–663 (1991).
- (8) Bennett, C. H., Brassard, G. & Mermin, N. D. Quantum cryptography without Bell’s theorem. Phys. Rev. Lett. 68, 557–559 (1992).
- (9) Briegel, H.-J., Dür, W., Cirac, J. I. & Zoller, P. Quantum repeaters: The role of imperfect local operations in quantum communication. Phys. Rev. Lett. 81, 5932–5935 (1998).
- (10) Sangouard, N., Simon, C., De Riedmatten, H. & Gisin, N. Quantum repeaters based on atomic ensembles and linear optics. Rev. Mod. Phys. 83, 33–80 (2011).
- (11) Żukowski, M., Zeilinger, A., Horne, M. A. & Ekert, A. K. Event-ready-detectors, Bell experiment via entanglement swapping. Phys. Rev. Lett. 71, 4287–4290 (1993).
- (12) Deutsch, D. et al. Quantum Privacy Amplification and the Security of Quantum Cryptography over Noisy Channels. Phys. Rev. Lett. 77, 2818–2821 (1996).
- (13) Shor, P. W. & Preskill, J. Simple Proof of Security of the BB84 Quantum Key Distribution Protocol. Phys. Rev. Lett. 85, 441–444 (2000).
- (14) Horodecki, K., Horodecki, M., Horodecki, P. & Oppenheim, J. Secure key from bound entanglement. Phys. Rev. Lett. 94, 160502 (2005).
- (15) Horodecki, K., Horodecki, M., Horodecki, P. & Oppenheim, J. General paradigm for distiling classical key from quantum states. IEEE Trans. Inf. Theory 55, 1898–1929 (2009).
- (16) Devetak, I. & Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. Lond. A 461, 207–235 (2005).
- (17) Christandl, M., König, R. & Renner, R. Postselection Technique for Quantum Channels with Applications to Quantum Cryptography. Phys. Rev. Lett. 102, 020504 (2009).
- (18) Renner, R. & König, R. Universally Composable Privacy Amplification Against Quantum Adversaries. In Kilian, J. (ed.) Theory of Cryptography, vol. 3378 of Lecture Notes in Computer Science, 407–425 (Springer Berlin Heidelberg, 2005).
- (19) Ben-Or, M., Horodecki, M., Leung, D. W., Mayers, D. & Oppenheim, J. The Universal Composable Security of Quantum Key Distribution. In Kilian, J. (ed.) Theory of Cryptography, vol. 3378 of Lecture Notes in Computer Science, 386–406 (Springer Berlin Heidelberg, 2005).
- (20) Unruh, D. Simulatable security for quantum protocols. Preprint at http://arxiv.org/abs/quant-ph/0409125 (2004).
- (21) Horodecki, K., Horodecki, M., Horodecki, P., Leung, D. & Oppenheim, J. Quantum key distribution based on private states: unconditional security over untrusted channels with zero quantum capacity. IEEE Trans. Inf. Theory 54, 2604–2620 (2008).
- (22) Horodecki, K. General paradigm for distiling classical key from quantum states — On quantum entanglement and security. Ph.D. thesis, University of Warsaw (2008). Available at http://www.mimuw.edu.pl/wiadomosci/aktualnosci/doktoraty/pliki/karol_horodecki/doktorat-kh.pdf.
- (23) Eggeling, T. & Werner, R. F. Hiding classical data in multipartite quantum states. Phys. Rev. Lett. 89, 97905 (2002).
- (24) Horodecki, K., Pankowski, Ł., Horodecki, M. & Horodecki, P. Low dimensional bound entanglement with one-way distillable cryptographic key. IEEE Trans. Inf. Theory 54, 2621–2625 (2008).
- (25) Piani, M. Relative Entropy of Entanglement and Restricted Measurements. Phys. Rev. Lett. 103, 160504 (2009).
- (26) Christandl, M., Schuch, N. & Winter, A. Entanglement of the Antisymmetric State. Commun. Math. Phys. 311, 397–422 (2012).
- (27) Christandl, M. PPT square conjecture (problem G). In Banff International Research Station workshop: Operator structures in quantum information theory (2012). Available at https://www.birs.ca/workshops/2012/12w5084/report12w5084.pdf.
- (28) Bäuml, S. On bound key and the use of bound entanglement. Diploma thesis, Ludwig Maximilians Universität München, Munich, Germany (2010). Available at http://www.maths.bris.ac.uk/~masmgb/Diploma_thesis.pdf.
- (29) Hansen, A. Swapped Bound Entanglement. Master thesis, ETH Zurich (2013). Available at http://www.qit.ethz.ch/paperPDFs/Hansen-Masterarbeit.pdf.
- (30) Gour, G. Mixed-state entanglement of assistance and the generalized concurrence. Phys. Rev. A 72, 042318 (2005).
- (31) Lee, S., Kim, J. S. & Sanders, B. C. Distribution and dynamics of entanglement in high-dimensional quantum systems using convex-roof extended negativity. Phys. Lett. A 375, 411–414 (2011).
- (32) Dobek, K., Karpiński, M., Demkowicz-Dobrzański, R., Banaszek, K. & Horodecki, P. Experimental Extraction of Secure Correlations from a Noisy Private state. Phys. Rev. Lett. 106, 030501 (2011).
- (33) Smith, G. & Yard, J. Quantum communication with zero-capacity channels. Science 321, 1812–1815 (2008).

## Achknowledgements

Part of this work was done when the authors attended the program “Mathematical Challenges in Quantum Information”, Aug-Dec 2013, at the Isaac Newton Institute for Mathematical Sciences, Cambridge, whose hospitality is gratefully acknowledged. MC was with ETH Zurich and visiting the Centre for Quantum Information and Foundations, DAMTP, University of Cambridge, during part of this work. We thank Gláucia Murta for pointing out an error in an earlier version of the manuscript. KH thanks Michał and Paweł Horodecki and Jonathan Oppenheim for helpful discussions.

MC was supported by a DFF Sapere Aude grant, an ERC Starting Grant, the CHIST-ERA project “CQC”, an SNSF Professorship, the Swiss NCCR “QSIT”, and the Swiss SBFI in relation to COST action MP1006. KH acknowledges support by the ERC Advanced Grant “QOLAPS” and the National Science Centre project Maestro DEC-2011/02/A/ST2/00305. AW was supported by the Spanish MINECO, projects FIS2013-40627-P and FIS2008-01236 with the support of FEDER funds, the Generalitat de Catalunya CIRIT project 2014 SGR 966, the EC STREP “RAQUEL”, and the Philip Leverhulme Trust. AW and SB were supported by the ERC Advanced Grant “IRQUAT”.

## Supplementary Note 1

### Definitions

Here we first formally recall the definition of a private state, of the secret key rate and of the distillable entanglement. We will then introduce the distillation of secure key with an intermediate station and formally introduce the corresponding information theoretic rate of secure key. A private state can be constructed from a maximally entangled state by tensoring with some state and performing a so-called “twisting“ operation. A twisting operation is a controlled unitary of the form that spreads the entanglement over the enlarged Hilbert space. Formally

(6) | ||||

(7) |

where we emphasize that is the number of key bits, in contrast to some of the literature, where the subscript denotes the dimension of the key system. It has been shown that even if Eve is in possession of the entire purification of , Alice and Bob will still be able to obtain bits of perfect key by measuring the subsystem in the computational basis, while keeping the part away from Eve. As all the correlation the key has with the outside world is contained in , it is called the “shield part“, whereas is called the “key part“. For , is also called a “private bit“ or “p-bit“ which can alternatively be represented in the form

(8) |

where and are qubits that contain the key bits, corresponding to the rows and columns in the matrix. and are each -dimensional systems, called the shield. is a -by- matrix with . As the twisting operations can be non-local, not every private state can be obtained from a single rank maximally entangled state via LOCC. This shows that privacy is a truly different property of a quantum state than its distillable entanglement, motivating the introduction of a quantity known as “distillable key“ pptkey ()

(9) |

in analogy to the distillable entanglement

(10) |

With we mean . Clearly . As every rank -dimensional maximally entangled state is a private state, . In order to study the question of quantum key repeaters, we introduce the following quantity. For input states between Alice and Charlie and between Charlie and Bob we call

(11) |

the quantum key repeater rate of and with respect to arbitrary LOCC operations among Alice, Bob and Charlie. If we restrict the protocols to one-way communication from Charlie to Alice we write and if all communication is one-way from Charlie we write .

## Supplementary Note 2

### Trace Norm Bound

The distinguishability bound that we present below is based on the notion of distinguishing entangled states from separable states by means of restricted measurements (for example LOCC measurements). Let us briefly describe the derivation of the bound. Consider a state, , and suppose is highly indistinguishable by LOCC operations between and from some triseparable state . Examples of states with this property were given in karol-PhD (): the states are in fact identical private bits () and is of the form with identical and separable. One may think of them as states that hide entanglement.

Consider now any quantum key repeater protocol . Since is an LOCC operation (between and and ), its output when acting on has to be highly indistinguishable by arbitrary CPTP quantum operations from its output when acting on . But this means that and are close in trace norm. Since is separable this means that is close to separable and therefore contains almost no key (and is certainly no p-bit).

To show the above reasoning formally, we first recall the notion of maximal probability of discrimination between two states and , using some set of two-outcome POVMs restricted-measurements (); karol-PhD (). By definition we have:

(12) |

In what follows we will consider several sets of operations: LOCC, SEP, PPT and ALL. The set ALL is the set of all two-outcome POVMs. PPT consists only of elements that have a positive partial transpose and SEP contains only separable elements, whereas LOCC are those POVMs that can be implemented by an LOCC protocol. Note that .

###### Lemma 1

For any two states , two separable states and any ,

(13) |

where and are the outputs of the protocol.

Proof Since is LOCC, it is a tri-separable map, that is has its Kraus representation . In particular it is separable in the cut , which will be crucial in what follows. Moreover, upon input of any two separable states , the map outputs a state with separable. We now prove the following chain of (in)equalities and comment on them below:

(14) | ||||

(15) | ||||

(16) | ||||

(17) | ||||

(18) | ||||

(19) | ||||

(20) | ||||

(21) | ||||

(22) | ||||

(23) | ||||

(24) | ||||

(25) |

The first equality is the well known Helstrom formula for optimally distinguishing two quantum states. Subsequently, we simply insert the definitions step by step. Inequality (18) follows from the fact that is a tri-separable map. In the next inequality we use . Then we write this explicitly out and partially transpose all the systems. Then we drop the positivity constraint on the POVM elements and see that the remaining maximisation extends over all POVMs. Using Helstrom once again concludes the calculation.

The above lemma shows that the trace norm distance between the output states of any quantum key repeater protocol is upper bounded by the trace norm distance of the partially transposed input states of it. Combining this result with asymptotic continuity of relative entropy of entanglement gives the following theorem:

###### Theorem 2

Consider any two states , and separable states in such that and , Then, if satisfies , we have

(26) |

with . Here, is the quantum key repeater rate when the repeater is restricted to act on single copies only.

Proof Let us consider . By adding and subtracting either or , and by triangle inequality, we obtain

(27) |

By Lemma 1 and the asymptotic continuity of the relative entropy of entanglement DonaldH1999 () we find

(28) |

which, by separability of implies

(29) |

Since pptkey (); keyhuge () we have proven the claim.

### Example: p-bit with

Since the single copy quantum key repeater rate is upper bounded by the general quantum key repeater rate, the example from Supplementary Note 4 can also be used to illustrate the above theorem. We therefore choose to provide an example in this section, which, we believe, is not amenable to the bounds presented elsewhere in this paper.

We consider , where is the private state from pptkey (), shown to be entanglement hiding in karol-PhD (). It is defined by (8) for with the swap operator. Note, that for any private bit described by operator as in (8), we have (see proof of Theorem 6.5 of karol-PhD ()). Now, following karol-PhD (), as a state which is separable and highly indistinguishable from , we take dephased on the key part of Alice: . Then and where . Thus, , which for by Theorem 2 (with ) implies that

(30) |

Note that the right hand side of the above inequality vanishes with large . It cannot be exactly zero, though, because perfect p-bits always have some non-zero, albeit sometimes small, distillable entanglement AH-pditdist (). This means that , although being a private bit ( by definition), in fact with keyhuge (), cannot be extended by a single copy quantum key repeater for large enough .

## Supplementary Note 3

### Restricted Relative Entropy Bound

In this section we derive an asymptotic version of the distinguishability bound, that is, one that upper bounds . The quantity which upper bounds the quantum key repeater rate measures the distinguishability of the state to the next separable state in terms of the relative entropy distance of the probability distributions that can be obtained by LOCC.

Let be the set of POVMs which can be implemented with local operations and classical communication. We think of an element of this class as the corresponding CPTP map, that is instead of a POVM given by we consider the CPTP map . Note that is a probability distribution for a density operator. Our first bound on the quantum key repeater rate is given in terms of the following quantities:

(31) | ||||

(32) |

We denote by the regularised versions of the above quantities. Note that for trivial , the measures reduce to the measures defined in Piani2009-relent (). Sometimes, we omit the minimisation over separable states in which case we write .

Before we prove the bound we need an easy lemma that shows that (as defined by Piani Piani2009-relent ()) is normalised to (at least) on private states pptkey (); keyhuge () containing at least bits of pure privacy.

###### Lemma 3

For and separable we have

(33) |

Proof Recall that is of the form for the projector onto the maximally entangled state in dimension on systems and a controlled unitary with control and target . is arbitrary. We calculate:

(34) | ||||

(35) | ||||

(36) | ||||

(37) |

The first inequality holds due to monotonicity of . Note that is a state -close to . We also defined . The second inequality is again an application of monotonicity, this time with the measurement map given by the POVM . The last inequality follows from the proof of (keyhuge, , Lemma 7) which says that and , which follows from .

We now come to the main result of this section.

###### Theorem 4

The following inequalities hold for all states and :

(38) | ||||

(39) |

Proof We will start with proving the first bound. Fix . Then, there is an and a (in the following we will suppress if obvious from the context), such that and . For we have

(40) | |||

(41) | |||

(42) | |||

(43) |

The first inequality is true as . The first equality follows as the arguments have no system anymore (or equivalently a one-dimensional system ) and since in this case . In the last equality we have used the definition of and introduced . Noting that is separable (since and ) and that we have from Lemma 3:

(44) |

Combining the bounds, minimizing over and taking the limit gives

(45) |

Since and was arbitrary we have proven the first claim.

The second claim follows by slight modification: restrict to be in and note that and that for trivial system . Then will turn into and into .

### Properties of the Restricted Relative Entropy Measure

In this section we present two properties of the distinguishability measure, its invariance under partial transposition of the system and its LOCC monotonicity. The former provides us with a slightly weaker version of the relative entropy of entanglement bound in Theorem 13.

###### Lemma 5

For all states and ,

(46) | ||||

(47) |

Proof It is sufficient to observe that the sets of measurements which we denote by LOCC as a placeholder for either or and the set of separable states are invariant under taking partial transpose of systems (or ):

(48) | ||||

(49) | ||||

(50) |

By the monotonicity of the relative entropy, we can upper bound by the relative entropy of entanglement and, using the invariance of under partial transpose of the system (Lemma 5), obtain

###### Corollary 6

The following inequality holds for all PPT states and :

(51) |

and thereby almost recover the relative entropy bound from Theorem 13.
This lets us also conclude that , which can similarly be upper bounded by , can be made strictly smaller than : simply take the states from Proposition 14. The observation that may be strictly smaller than was first made by Matthias Christandl and Robert Pisarczyk in order to answer a question posed in LiWinter ().

We conclude with proving the monotonicity of the bound.

###### Lemma 7

Let and . Then,

(52) |

and

(53) |

where and . Similar statements hold for and exchanged.

Proof We prove the statements for the case.