Fig. 4: Relation between three protocols.
From: Finite-size security of continuous-variable quantum key distribution with digital signal processing

The actual protocol and the estimation protocol are related through the entanglement-sharing protocol. After the entanglement-sharing protocol, Alice and Bob are left with the observed data \(({\hat{N}}^{{\rm{suc}}},{\hat{N}}^{{\rm{fail}}},{\hat{N}}^{{\rm{test}}},{\hat{N}}^{{\rm{trash}}},\hat{F},{\hat{Q}}_{-})\) and \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits. If Alice and Bob ignore \({\hat{Q}}_{-}\) and measure their qubits in the Z basis to determine their \({\hat{N}}^{{\rm{suc}}}\)-bit sifted keys, the procedure becomes equivalent to the actual protocol. On the other hand, if Alice and Bob measure their \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits in the X basis, they can count the number \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) of phase errors; we call this procedure the estimation protocol. If we can find a reliable upper bound U on \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) in the estimation protocol, that bound constrains the state of the \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits after the entanglement-sharing protocol, which in turn limits the amount of information leaked about the sifted keys in the actual protocol. The security proof is thus reduced to finding such an upper bound U in the estimation protocol, expressed as a function of the variables that are commonly available in the three protocols.