Homodyne Detection Quadrature Phase Shift Keying Continuous-Variable Quantum Key Distribution with High Excess Noise Tolerance

Discrete-modulated continuous-variable quantum key distribution with homodyne detection is widely recognized for its ease of implementation, efficiency with respect to error correction, and its compatibility with modern optical communication devices. However, recent studies report that homodyne detection tolerates excess noise poorly and reaches insufficient transmission distances, which seriously restricts the large-scale deployment of quantum secure communication networks. In this paper, we propose a homodyne detection protocol using the quadrature phase shift keying technique. By limiting information leakage, our proposed protocol enhances excess noise tolerance to a high level. Furthermore, we demonstrate that homodyne detection performs better than heterodyne detection in quaternary-modulated continuous-variable quantum key distribution under the untrusted detector noise scenario. The security is analyzed using the tight numerical method against collective attacks in the asymptotic regime. Our results imply that the current protocol is able to distribute keys over nearly intercity distances and thus paves the way for constructing low-cost quantum secure communication networks.


I. INTRODUCTION
In recent years, the rapid development of quantum computing [1,2] has signaled the coming quantum era, which threatens modern secure communications. For example, the most widely used public key cryptography, the Rivest-Shamir-Adleman cryptosystem [3], whose security relies on the complexity of factorizing a large number, can be cracked by the Shor algorithm [4] with quantum computers. Fortunately, the one-time pad algorithm [5] can ensure information-theoretically secure communication provided that two remote users share a large number of identical secret keys. Quantum key distribution (QKD) [6,7] is the only solution that enables two distant users to share secure keys against the most general attacks [8][9][10].
Since the first protocol was proposed by Bennett and Brassard in 1984 [6], a large number of discrete-variable quantum key distribution (DV-QKD) protocols, based on various discrete degrees of freedom of a single photon, have been developed, such as polarization [11][12][13] and time bin [14][15][16]. Many attempts have been made to realize the network deployment of DV-QKD [9,10,17,18]. Compared with DV-QKD, continuous-variable quantum key distribution (CV-QKD) [8,19] has the competitive advantages of lower-cost implementations and higher secret key rates over the metropolitan areas, and it has thus attracted widespread attention.
CV-QKD encodes keys on the quadratures of the quantized electromagnetic field by preparing and measuring coherent states [20][21][22] or squeezed states [23]. From an experimental perspective, CV-QKD based on Gaussian modulation has made remarkable achievements [24][25][26][27][28][29][30][31][32][33][34][35], such as the provision of security against all detection loopholes [33], integration of all optical components on chips [34], and record-breaking distance up to 200 km [35]. Because Gaussian modulation, which samples quadratures from Gaussian distribution, possesses U(n) symmetry, it has a relatively complete security analysis [36][37][38][39][40] based on the optimality of Gaussian attacks [41,42]. However, the continuous modulation of quadratures is not experimentally feasible [43]. Practical implementations sample from a discrete and finite distribution of coherent states to approximate the Gaussian distribution, resulting in an unclosed gap between security analysis and experimental implementation. Moreover, Gaussian modulation requires complex post-processing procedures mainly because of the low signal-to-noise ratio and complex data structure, which often consumes large amounts of computing resources [27,44]. Unlike Gaussian modulation, discrete modulation [45][46][47][48][49] can sample from a quite small set of coherent states with different phases and, thus, can perform an easier error correction. The security proof of discrete modulation carefully considers the effect of discrete distribution of prepared states. Although discrete modulation lacks U(n) symmetry, several effective numerical [50][51][52] and analytical methods [53,54] have emerged for security analysis, and robustness to collective attacks in the asymptotic regime has been verified. Recently, the security proof of a binary-modulated protocol has been proposed in the finite-key-size regime against general coherent attacks [55]. With security improvement and simplified implementations, discrete modulation becomes a trend of CV-QKD [9,10].
* hlyin@nju.edu.cn † zbchen@nju.edu.cn
In this paper, we present a quaternary-modulated protocol with homodyne detection. Unlike in previous quaternary-modulated protocols [50,51], we prepare each signal with the phase chosen from $\{\pi/4, 3\pi/4, 5\pi/4, 7\pi/4\}$, which can be implemented using classical quadrature phase shift keying (QPSK) technology. We require the sender to generate raw keys according to quadrature choices of the receiver. According to this interesting operation, our protocol shows good tolerance to excess noise and promises significantly longer transmission distances than the previous homodyne detection protocol [51]. In addition, the secret key rate of the proposed protocol is comparable to that of the well-performing heterodyne detection protocol [51]. Considering the imperfections of detectors, our protocol even performs better than the heterodyne detection protocol.
We introduce our protocol in Section II, with a description of a possible experimental setup. In Section III, the formula of the secret key rate is given against collective attacks in the asymptotic regime. In Section IV, we numerically simulate the performance of our proposed protocol, which demonstrates an increase in transmission distance and secret key rate. Further discussions are presented in Section V.

II. PROTOCOL DESCRIPTION
We illustrate our protocol in this section using the preparing and mapping method in Fig. 1  tions show that no secret keys can be generated, they abort the protocol. Otherwise, they proceed.
(4) Raw key generation.-Alice and Bob can obtain their raw keys using the remaining undisclosed rounds. Assuming that $M$ rounds remain, they number these rounds according to the order of sending. For the $k$th round, Alice labels the corresponding state $|\phi_k\rangle \in \{|\alpha e^{i\pi/4}\rangle, |\alpha e^{i3\pi/4}\rangle, \ldots\}$ as $a_k \in \{00, 10, 11, 01\}$. Then, the raw key bit $x_k$ is equal to the first bit of the label $a_k$ when the round is measured in $\hat{q}$, and it is equal to the second bit of $a_k$ when the round is measured in $\hat{p}$. Thus, she obtains her string $X' = (x_1, \ldots, x_k, \ldots, x_M)$. For the $k$th round, Bob maps the outcome greater than ∆ into the raw key bit $z_k = 0$ and the outcome smaller than −∆ into $z_k = 1$. The outcome with other values is mapped into $z_k = \perp$. Thus, he obtains his string $Z' = (z_1, \ldots, z_k, \ldots, z_M)$. ∆ is a non-negative parameter and related to post-selection. A protocol without post-selection can set ∆ = 0. If ∆ > 0, Bob communicates with Alice about positions of bits with value $\perp$ and they get rid of these positions from their strings $X'$ and $Z'$. Finally, they obtain their raw key strings $X$ and $Z$.
and Bob choose suitable methods to conduct error correction and privacy amplification. In the end, they generate secret keys.
A realistic experimental setup of our protocol is proposed in Fig. 2. The required components are displayed with unnecessary details omitted. To prevent security loopholes of the LO, we adopt the local LO scheme with secure phase compensation [30][31][32]. Alice randomly [32] sends reference pulses and signal pulses. Signal pulses are modulated using QPSK technology, and are used to generate keys. Setting the phase of signal pulses before QPSK as the reference phase, Alice prepares reference pulses that are brighter than signal pulses and contribute nothing to the generation of keys. Reference and signal pulses are transmitted to Bob's side through quantum channels. The polarization of any pulse received by Bob is corrected by the electrical polarization controller. Bob generates a local LO with the phase randomly chosen from $\{0, \pi/2\}$ using the phase modulator, which will be sent to the beam splitter together with signal pulses or reference pulses for interference. The photodetector with a subtractor reveals the interference outcomes, according to which Bob evaluates the exact phase difference between the reference phase and local LO. Then, Bob uses this phase information to conduct phase compensation [32]. Thereafter, Alice and Bob conduct postprocessing described by steps (3)-(5), and we do not show this part in the figure.
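Step (4) and its post-selection, simulated as an added example; this is not code from the paper. It assumes that labels are assigned to phases in the order both sets are listed, that quadratures are normalised to vacuum variance 1/2, and that the channel is Gaussian with outcome variance (1 + ηξ)/2; all function names are hypothetical.

```python
import math
import random

# Assumption: labels {00, 10, 11, 01} are assigned to phases
# {pi/4, 3pi/4, 5pi/4, 7pi/4} in the order both sets are listed.
PHASE_OF_LABEL = {
    "00": math.pi / 4,
    "10": 3 * math.pi / 4,
    "11": 5 * math.pi / 4,
    "01": 7 * math.pi / 4,
}


def transmittance(distance_km, a_db_per_km=0.2):
    """Channel transmittance eta = 10^(-a*L/10)."""
    return 10 ** (-a_db_per_km * distance_km / 10)


def outcome_sigma(eta, xi):
    """Std. dev. of Bob's outcome. Assumptions: vacuum variance 1/2 and
    excess noise xi (shot-noise units, at the channel input) scaled by eta."""
    return math.sqrt((1 + eta * xi) / 2)


def alice_bit(label, quadrature):
    """First bit of the label for a q round, second bit for a p round."""
    return int(label[0]) if quadrature == "q" else int(label[1])


def bob_symbol(outcome, delta):
    """0 above +delta, 1 below -delta, None (the symbol ⊥) otherwise."""
    if outcome > delta:
        return 0
    if outcome < -delta:
        return 1
    return None


def generate_raw_keys(rounds, alpha, eta, xi, delta, rng):
    """Simulate step (4): returns sifted strings X, Z and the kept fraction."""
    sigma = outcome_sigma(eta, xi)
    amplitude = math.sqrt(2 * eta) * alpha   # scale of <q>, <p> at Bob
    labels = list(PHASE_OF_LABEL)
    x_prime, z_prime = [], []
    for _ in range(rounds):
        label = rng.choice(labels)           # Alice's QPSK state
        quadrature = rng.choice("qp")        # Bob's LO phase 0 or pi/2
        theta = PHASE_OF_LABEL[label]
        mean = amplitude * (math.cos(theta) if quadrature == "q" else math.sin(theta))
        x_prime.append(alice_bit(label, quadrature))
        z_prime.append(bob_symbol(rng.gauss(mean, sigma), delta))
    # Bob announces the positions of ⊥; both sides drop them.
    kept = [(x, z) for x, z in zip(x_prime, z_prime) if z is not None]
    x_key = [x for x, _ in kept]
    z_key = [z for _, z in kept]
    return x_key, z_key, len(kept) / rounds


def bit_error_rate(x_key, z_key):
    """Fraction of sifted positions where Alice's and Bob's bits differ."""
    return sum(x != z for x, z in zip(x_key, z_key)) / len(x_key)


def analytic_rates(alpha, eta, xi, delta):
    """Closed-form sifting probability and bit error rate for the same model."""
    mu = math.sqrt(eta) * alpha              # |mean| = sqrt(2 eta)*alpha*cos(pi/4)
    scale = outcome_sigma(eta, xi) * math.sqrt(2)
    p_right = 0.5 * math.erfc((delta - mu) / scale)
    p_wrong = 0.5 * math.erfc((delta + mu) / scale)
    p_pass = p_right + p_wrong
    return p_pass, p_wrong / p_pass


if __name__ == "__main__":
    rng = random.Random(2022)                # constructed seed
    eta = transmittance(50)                  # 50 km of fibre
    for delta in (0.0, 0.5, 1.0):
        x_key, z_key, p_pass = generate_raw_keys(100_000, 0.66, eta, 0.04, delta, rng)
        print(delta, round(p_pass, 3), round(bit_error_rate(x_key, z_key), 3),
              analytic_rates(0.66, eta, 0.04, delta))
```

Under these assumptions, at 50 km with α = 0.66 and ξ = 0.04, raising ∆ from 0 to 1 lowers the raw bit error rate from about 0.38 to about 0.25 while keeping roughly 18% of the rounds.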

III. SECRET KEY RATE
To evaluate the secret key rate, we analyze the security of an equivalent entanglement-based protocol of our prepare-and-measure protocol. Then, we calculate the secret key rate against collective attacks in the asymptotic regime by applying the numerical method [51,52].

A. Entanglement-based protocol
An equivalent entanglement-based protocol of our prepare-and-measure protocol can be described below. Alice prepares an entangled state where the subscripts $A$ and $A'$ represent two entangled systems. $x$ represents one of four labels in {00, 10, 11, 01}, and $p_x = 0.25$ refers to the probability that the entangled state will collapse into the state labeled by $x$. $\{|x\rangle\}$ is the set of orthogonal bases in system $A$, which can be measured by a set of positive operator valued mea- , respectively. The system $A$ is kept by Alice and $A'$ is sent to Bob via a quantum channel. Thus, the final state is given by where $\mathcal{E}_{A' \to B}$ is a completely positive and trace-preserving mapping. This mapping includes the influence of the environment and attacks by Eve. Alice randomly projects the system $A$ to an eigenstate by $\{M_x\}$. Then, she can write down the corresponding label $x$ without performing any additional operations. Bob measures the system $B$ as in step (2) of our prepare-and-measure protocol and follows the remaining steps.

B. Key rate formula
Applying reverse reconciliation means that Alice corrects her string $X$ according to Bob's string $Z$, which implies that adversary Eve should derive Bob's string unscrupulously. In the case where Eve performs collective attacks in the asymptotic regime, the secret key rate formula [51,56] is given by where $p_{\mathrm{pass}}$ is the sifting probability of preserving a round in the post-selection step to generate a raw key. The conditional von Neumann entropy $H(Z|E)$ describes the uncertainty of the string $Z$ from Eve's perspective. Eve's maximal knowledge of Bob's string $Z$ leads to the minimum uncertainty of $Z$ under certain density matrix $\rho_{AB}$. To evaluate Eve's maximal knowledge when $\rho_{AB}$ is uncertain for Alice and Bob, we must find the minimum conditional entropy $H(Z|E)$ of all $\rho_{AB}$ that conform to constraints $S$. $\delta_{\mathrm{EC}}$ is the amount of information leakage of each round in the error correction step. Considering the reconciliation efficiency, the leakage is where $H(Z)$ is the total information of $Z$ related to the probability distribution of Bob's measurement outcomes. $I(X; Z)$ is the classical mutual information between two strings. $H(Z|X)$ is the conditional entropy describing the uncertainty of the string $Z$ conditioned on knowing the string $X$. The parameter $\beta$ represents the efficiency of error correction. Because Bob announces the measurement quadrature of each round, we can analyze the security of each quadrature separately. To this end, we rewrite the secret key rate formula as The coefficient $\frac{1}{2}$ indicates that one half of states are measured in $\hat{q}$ and one half in $\hat{p}$. The secret key rate comprises the secret key rate in $\hat{q}$ and the secret key rate in $\hat{p}$. Note that Eve manipulates the density matrix $\rho_{AB}$ before Bob measures it, and she thus has no knowledge of Bob's choice of quadrature at that time. We can move the summation sign into the minimization problem because $\rho_{AB}$ of different quadratures are shared.
According to Refs. [57,58], the conditional entropy terms in formula (5) with their coefficients can be reformulated as where $D(\rho\|\sigma) = \mathrm{Tr}(\rho \log_2 \rho) - \mathrm{Tr}(\rho \log_2 \sigma)$ is the quantum relative entropy, $\mathcal{G}_y$ describes the post-processing of different quadratures, and $\mathcal{Z}$ is a pinching quantum channel that reads out key information. The post-processing mapping $\mathcal{G}_y(\rho) = K_y \rho K_y^\dagger$ corresponds to the measurement $\hat{y} \in \{\hat{q}, \hat{p}\}$ and is given by Here $|b\rangle_R$ is the state of the key register $R$, which is determined by interval operators $\{I_y^b\}$. $I_y^b$ projects the system $B$ to one of two subspaces spanned by the eigenstates of operator $\hat{y}$ in terms of the mapping rule: Here $\mathcal{G}_y$ is in a simplified form introduced by Ref. [51]. Kraus operators $\{K_y\}$ describe the part of the measurement and announcement: Alice's operation is described by an identity matrix because Alice announces nothing and has no effect on the register $R$. Her measurement in the entanglement-based protocol can be moved after the announcement and never influences $K_y$. Bob would announce the choice of quadrature, and his measurement is represented by interval operators. When considering the security, we can discuss two quadratures separately, denoted by the parameter $y \in \{q, p\}$ in the above formulas.
Finally, the key rate formula reads

C. Numerical method
To realize the calculation of secret key rates, a photon-number cutoff assumption [51] is adopted. Based on this assumption, we can describe operators and density matrices in the photon-number representation with finite dimensions $N_c$. Because $\delta_{\mathrm{EC}}$ and $p_{\mathrm{pass}}$ are only concerned with the information held by Alice and Bob, the term $\sum_{y\in\{q,p\}} p^{y}_{\mathrm{pass}} \delta^{y}_{\mathrm{EC}}$ in the key rate formula (9) can be easily calculated according to general definitions [51]. We calculate the rest of the formula numerically. The rest is a minimization problem that can be described by The variable is the density matrix $\rho_{AB}$ subject to constraints $S$ [51]. The first four constraints come from the experimental outcomes, where $x$ belongs to {00, 10, 11, 01} and $\langle\hat{q}\rangle_x$, $\langle\hat{p}\rangle_x$, $\langle\hat{n}\rangle_x$, and $\langle\hat{d}\rangle_x$ are expectation values of operators when Bob measures states labeled by $x$. Homodyne detection directly outputs the outcomes of operators $\hat{q}$ and $\hat{p}$, while $\hat{n} = \frac{1}{2}(\hat{q}^2 + \hat{p}^2 - 1)$ and $\hat{d} = \hat{q}^2 - \hat{p}^2$ correspond to the second moments of $\hat{q}$ and $\hat{p}$. The next constraint about partial trace of system $B$ comes from the requirement of the completely positive and trace-preserving mapping, which implies that the quantum channel cannot influence the system $A$ of Alice. The last two constraints are natural requirements because $\rho_{AB}$ is a density matrix.
This minimization problem can be solved using many methods. We adopt one using a linearization method, given in Appendix A. Briefly speaking, the numerical method involves two steps. First, we approach the optimal value of the minimization problem (10) by at most N i iterations. Second, the dual problem of the minimization problem is considered to guarantee that the result is less than or equal to the optimal value.

IV. PERFORMANCE
Here, we investigate the performance of our protocol by performing numerical simulations. The simulation method is described in Appendix B, where we set the reconciliation efficiency β = 0.95.
To simulate the performance, we adopt the phase-invariant Gaussian channel model in the absence of Eve [51], which adds an effective excess noise to the input of the channel and transmits the input under the loss-only scenario. In this channel, the transmittance is $\eta = 10^{-aL/10}$ for distance $L$ with $a = 0.2$ dB/km, and the effective excess noise is $\xi = \frac{(\Delta q_{\mathrm{obs}})^2}{(\Delta q_{\mathrm{vac}})^2}$  the $\hat{q}$ quadrature. Both variances are in the natural unit. Because $\xi$ is normalized by $(\Delta q_{\mathrm{vac}})^2$, the excess noise is under the shot-noise unit without vacuum noise.
We first emphasize the significant performance improvement of our proposed protocol by comparing it with Protocol 1 in Ref. [51], which also prepares four types of coherent states and performs homodyne detection without post-selection.
As shown in Fig. 3, we investigate the excess noise tolerance at different distances. The excess noise tolerance is calculated by maximizing the excess noise ξ that enables the protocol to generate keys. The cutoff photon number $N_c$ is truncated at 12 with $N_i = 100$ iterations in the first step of the numerical method. The excess noise tolerance of our protocol is approximately double that of Protocol 1.
As shown in Fig. 4, we investigate the best secret key rates of our protocol for different levels of excess noise by optimizing the amplitude α of signal states in the interval [0.6, 1.1] with steps of 0.01. We also calculate the best secret key rates of Protocol 1 by optimizing the amplitude α of signal states in the interval [0.35, 0.6] with steps of 0.01. Different search ranges are used because the optimal range of α varies for different protocols. The cutoff photon number $N_c$ is 12 and the maximal iteration number $N_i$ of the first step in numerical method is 300. The solid lines show the performance of our proposed protocol, whereas the dashed lines show the performance of Protocol 1. When the excess noise is experimentally feasible, such as ξ = 0.02, our protocol enables the distribution of keys for around 200 km with meaningful $10^{-6}$ bit secret keys per pulse. Moreover, when Protocol 1 can hardly generate keys for ξ = 0.04, our protocol can still distribute secret keys over 50 km. In Fig. 5, we show that there is an improvement in the transmission distance for a small excess noise with $N_c = 12$ and $N_i = 300$. When the excess noise is sufficiently small, but still possible, our protocol has the potential to distribute secret keys over 350 km. The transmission distance and secret key rates are increased significantly, which makes our protocol applicable and useful in the quantum secure communication network.
We further compare our protocol with a well-performing quaternary-modulated heterodyne detection protocol called Protocol 2 in Ref. [51]. Owing to differences in the detection methods, the comparison is made under two scenarios: ideal detector scenario and untrusted detector noise scenario.
Under the ideal detector scenario, both excess noise and loss are from the channel. We set the detection (electronic) noise of detectors $\xi_{\mathrm{det}} = 0$ and the detection efficiency $\eta_{\mathrm{det}} = 1$. In Fig. 6, our protocol and Protocol 2 are simulated with parameters ξ = 0.04, $N_c = 12$ and $N_i = 300$. We search the best secret key rates of our protocol and Protocol 2 by optimizing the amplitude α of signal states in the interval [0.6, 1.1] with steps of 0.01. Protocol 2 can generate a higher secret key rate compared with our proposed protocol under the ideal detector scenario because heterodyne detection can accumulate twice as much raw key data as homodyne detection. We call the secret key rate of Protocol 2 $R_{\mathrm{het}}$ and the secret key rate of our protocol $R_{\mathrm{our}}$. Then, we use $R_{\mathrm{het}}/R_{\mathrm{our}} - 1$ to represent the proportion of the secret key rate difference $R_{\mathrm{het}} - R_{\mathrm{our}}$ in $R_{\mathrm{our}}$, as shown by the dashed line in Fig. 6. The secret key rate of Protocol 2 is no more than 20% higher than that of our proposed protocol within 30 km. The uncertainty relation limits the accuracy of measuring both quadratures simultaneously and increases the bit error rate of Protocol 2. Therefore, the improvement of the secret key rate by heterodyne detection is not significant. We also show the secret key rate of the Gaussian-modulated homodyne detection protocol in Fig. 6. The modulated variance in the Gaussian-modulated protocol is the parameter that has been optimized.
[Fig. 6 caption, partial: The difference between the secret key rates of this work and Protocol 2 is normalized by the secret key rate of this work, $R_{\mathrm{het}}/R_{\mathrm{our}} - 1$, and is shown with the y axis on the right.]
In Fig. 7, we regard the detector as a noisy and lossy device, and Eve can control the imperfection of the device, which is a more practical condition. We should note that the heterodyne detector often comprises two homodyne detectors and one 50:50 beam splitter that splits signal pulses. Therefore, two points of imperfection are considered under the untrusted detector noise scenario that we used here. First, the detection noise of a homodyne detector is $\xi_{\mathrm{hom}} = 0.002$, and the detection noise of a heterodyne detector is at least $\xi_{\mathrm{het}} = 2\xi_{\mathrm{hom}} = 0.004$. Second, the imperfection in the beam splitter usually causes an additional insertion loss of about 0.7 dB. By setting other excess noise as $\xi_{\mathrm{oth}} = 0.01$, the total excess noise of our protocol is $\xi = \xi_{\mathrm{oth}} + \frac{\xi_{\mathrm{hom}}}{\eta}$, and the total excess noise of Protocol 2 with heterodyne detection is $\xi = \xi_{\mathrm{oth}} + \frac{2\xi_{\mathrm{hom}}}{\eta \times 10^{-0.7/10}}$. The cutoff photon number $N_c$ is 12 with $N_i = 100$ iterations in the first step of the numerical method. Under this untrusted detector noise scenario, our protocol can perform better than the heterodyne detection protocol.
[Fig. 7 caption, partial: … [51]. The excess noise of our protocol is $\xi = \xi_{\mathrm{oth}} + \frac{\xi_{\mathrm{hom}}}{\eta}$, and the excess noise of the heterodyne protocol is $\xi = \xi_{\mathrm{oth}} + 2\xi_{\mathrm{hom}}$ …]
In Fig. 8, we compare the heterodyne protocol [48,51] under ideal, trusted, and untrusted detector noise scenarios with our protocol under ideal and untrusted detector noise scenarios. The data of the heterodyne protocol were reported by the authors of Ref. [48]. The imperfect detector has excess noise $\xi_{\mathrm{hom}} = 0.01$ and detection efficiency $\eta_d = 0.719$. The other excess noise is $\xi_{\mathrm{oth}} = 0.01$ and the cutoff photon number $N_c$ is 15. We simulate our proposed protocol using the same parameters. Thus, the total excess noise of our protocol under the untrusted detector noise scenario is $\xi = \xi_{\mathrm{oth}} + \frac{\xi_{\mathrm{hom}}}{\eta \times \eta_d}$. The iteration in the first step of the numerical method is $N_i = 100$. Our protocol is a little worse than the heterodyne protocol under the ideal scenario, but it is better under the untrusted detector noise scenario. The heterodyne protocol with trusted detector noise has a key rate that is comparable to the same protocol with the ideal detector, which may imply good performance when we also consider our protocol under the trusted detector noise scenario.
[Fig. 8 caption, partial: … [48] is the blue line in the middle. The data of the heterodyne protocol has been reported by the authors of Ref. [48]. The parameters are the same as those used in Fig. 3 in Ref. [48]. Specifically, the imperfect detector has excess noise $\xi_{\mathrm{hom}} = 0.01$ and detection efficiency $\eta_d = 0.719$. $\xi_{\mathrm{oth}} = 0.01$ is the excess noise and does not include detection noise. The total excess noise of our protocol under the untrusted detector noise scenario is $\xi = \xi_{\mathrm{oth}} + \xi_{\mathrm{hom}}$ …]
For the experiments, we show the optimal amplitudes that are searched for different transmission distances with parameters $N_c = 12$ and $N_i = 300$. As shown in Fig. 9, in the case of a long distance, the optimal amplitude decreases as the transmission distance increases, except for the case when there are some jitters, and a larger excess noise induces a lower optimal amplitude with little violation. The optimal amplitude for remote users is about 0.66. This conclusion also applies to the condition where $N_c = 12$ and $N_i = 100$.
The post-selection is a useful method to further increase the transmission distance and improve the secret key rate. In Fig. 10, we optimize the sifting parameter ∆ using the amplitude of signal states that have been optimized without post-selection. The cutoff photon number $N_c$ is truncated at 12 with $N_i = 100$ iterations. The available ∆ has steps of 0.01. At distances where secret key rates are zero without post-selection, we search the best post-selection parameter ∆ by setting the amplitude to 0.66. This choice is reasonable considering that the optimal amplitude for the long distance is around 0.66 on average, as depicted in Fig. 9. The post-selection is more important for the scenario with the higher excess noise. For ξ = 0.04, the secret key rates are improved, and the largest transmission distance is extended. For smaller excess noise ξ = 0.03, the improvement of post-selection is subtle. Over a long distance, there is no improvement in the secret key rates for ξ = 0.03. This is because as the excess noise increases, the overlap of outcome distributions obtained by measuring different kinds of signal states also increases, which causes higher bit error rates. The post-selection discards outcomes around zero because the overlap of outcome distributions most likely happens around zero. By post-selection, we discard many error bits, thus reducing the bit error rates. Protocols with heterodyne detection enjoy the same advantages of post-selection [59]. The optimal ∆ is larger under longer transmission distance. The sifting probability related to post-selection decreases to around 0.15 over the longest transmission distance for ξ = 0.04; the post-selection thus makes sense in our protocol. This operation can work well when the amplitude cannot be prepared optimally in the experiment.
Note that the curves in the above figures should have been smooth in theory. Although the secret key rate formula is a convex function with convex domain $\rho_{AB}$, it is difficult to unify the imprecision of $\rho_{AB}$ under different amplitudes and transmittances. The inaccuracy also accumulates along with steps of calculations, resulting in some calculation noise. Finally, as a numerical method, limited by the calculation accuracy of computers and the stability of the convex optimization algorithm, unstable points and unsmooth curves appear. The quality of the algorithm largely determines the secret key rates. When the ideal secret key rate is so small that it reaches the computational accuracy limit, numerical results sometimes show that no keys can be generated. Achieving improvements in the algorithm may help further enhance the transmission distance and stabilize the key rates. The calculation speed of the numerical method is often slow and is approximately 20 min per set of parameters. The speed largely depends on the number of iterations and the truncated photon number. Intriguingly, recent work [60] can utilize a neural network model to quickly predict the secure key rate of homodyne detection discrete-modulated CV-QKD with high accuracy.

V. DISCUSSION
Homodyne detection is the first adopted measurement method of CV-QKD with noticeable performance experimentally, and it provides excellent tolerance in terms of excess noise in Gaussian-modulated protocols. Our main goal is to inherit this mature technology and apply it to the discrete-modulated protocol. We propose a quaternary-modulated homodyne detection protocol with very high excess noise tolerance and long transmission distance that has never been reached by previous discrete-modulated homodyne detection protocols [51,61,62]. There is a quaternary-modulated heterodyne detection protocol [51] that shows high secret key rate and long transmission distance under large excess noise based on simulations. However, the heterodyne detector [63][64][65][66][67] is more sophisticated than the homodyne detector, and it introduces more noise and loss in experiments [68][69][70][71]. We show that our proposed protocol can offer a comparable performance with this heterodyne detection protocol under the ideal detector scenario. Our protocol can even perform better than this heterodyne detection protocol when considering the untrusted detector noise condition.
We determine why the previous quaternary-modulated homodyne detection protocol [51] cannot transmit over a long distance although it also sends four kinds of states. In particular, from a practical point of view, our protocol and the previous protocol both generate one bit per pulse by homodyne detection. Compared with Eq. (17) in Ref. [51], the mapping $K_y$ of our protocol in Eq. (7) is an identity matrix at Alice's end, which means that Alice remains silent in our protocol. This mathematical difference implies that additional announcements cause more information leakage.
In addition, the adoption of QPSK is required during the preparation. Note that QPSK is a mature method in classical communication, shifting the phase of states by $\{\pi/4, 3\pi/4, 5\pi/4, 7\pi/4\}$. Previous quaternary-modulated protocols [50,51] use states with phases $\{0, \pi/2, \pi, 3\pi/2\}$. The probability distribution of a state in quadrature $\hat{p}$ is symmetric about the origin if the state has phase 0 or $\pi$. Thus, states with phase 0 or $\pi$ cannot represent keys when Bob applies $\hat{p}$ measurement. Similarly, states with $\pi/2$ or $3\pi/2$ cannot represent keys when Bob applies $\hat{q}$. The additional $\pi/4$ phase shift in our protocol offers chances to generate keys in both quadratures, and Alice can thus announce nothing.
Eventually, owing to the tolerance of excess noise, the transmission distance is improved, which removes an obstacle to large-scale discrete-modulated CV-QKD networks. It is worth recalling that commercial instruments for QPSK have been updated to over 50 Gbps [72], which implies that the speed of preparation in our proposed protocol can also be increased to 50 Gbps. Our protocol will maximize the use of the mature homodyne detection technology to achieve long-distance key distribution. The experimental demonstration of our protocol is of great practical value for network security and information security. Moreover, we can consider the trusted detector noise model [48]. With a simpler preparation, our proposed protocol has a chance to exceed the transmission record of 202.81 km set by the Gaussian modulation protocol [35] with an ultralow-loss fiber and small excess noise parameters. The experimental schematic and the search of optimal amplitudes in the text provide instructions for the experimental implementation.
Further studies of our protocol's security are also desirable. Note that the photon-number cutoff assumption can be removed [73] in the heterodyne detection protocol, which inspires us to present a more rigorous security analysis of our protocol in future work. Moreover, we can focus on determining a suitable adjustment of security theory to deal with the finite-size effects. The security against coherent attacks is another interesting and important direction for discrete-modulated CV-QKD. The quantum de Finetti representation theorem [74] is a possible path to equalize the information leaked by coherent attacks and collective attacks.

ACKNOWLEDGMENTS
We thank Jie Lin for valuable discussions on the numerical method in Ref. [51] and providing data points from Ref. [48] for the comparison in Fig. 8
The minimization problem in Eq. (10) is a convex optimization problem with one unique solution. It can be described as follows.
The independent variable is the density matrix $\rho_{AB}$. The dimension number of Alice's system is 4, which is determined by the number of different states she prepared. $|x\rangle\langle x|_A$ with $x \in \{00, 10, 11, 01\}$ projects Alice's system into a one-dimensional subspace, which implies that Alice sends state $|\phi_x\rangle \in \{|\alpha e^{i\pi/4}\rangle, |\alpha e^{i3\pi/4}\rangle, \ldots\}$ to Bob. However, the state that Bob receives is infinite-dimensional. The photon-number cutoff assumption is proposed to cut off the dimension of Bob's system. According to the assumption, $\rho_{AB}$ can be represented by a finite-dimensional matrix in Fock representation. Thus, the numerical method can be applied. The operators $\hat{q}, \hat{p}, \hat{n}, \hat{d}$ correspond to the measurement on Bob's system. Considering the photon-number representation, they can be defined by the annihilation operator $\hat{a}$: To calculate them numerically, the matrix of $\hat{a}$ in photon-number representation is also cut off according to the photon-number cutoff assumption. We introduce notation $\langle\hat{q}\rangle_x, \langle\hat{p}\rangle_x, \langle\hat{n}\rangle_x, \langle\hat{d}\rangle_x$ to represent the expectation values of these operators. The relative entropy $D(\rho\|\sigma)$ is the dependent variable that we need to minimize. $\mathcal{G}(\rho) = K\rho K^\dagger$ is the map in post-processing with Kraus operator $K$.
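An added example (not the paper's code) that builds Bob's operators under the photon-number cutoff and evaluates the four constraint expectation values for each QPSK state after a loss-only channel. The definitions of the quadratures in terms of the annihilation operator, the label-to-phase assignment, and the omission of excess noise are assumptions of this example; all function names are hypothetical.

```python
import cmath
import math

# Assumed label-to-phase assignment (the order in which both sets are listed).
QPSK = {"00": math.pi / 4, "10": 3 * math.pi / 4,
        "11": 5 * math.pi / 4, "01": 7 * math.pi / 4}


def annihilation(dim):
    """Truncated annihilation operator: a|n> = sqrt(n)|n-1>, n = 0..dim-1."""
    a = [[0j] * dim for _ in range(dim)]
    for n in range(1, dim):
        a[n - 1][n] = complex(math.sqrt(n))
    return a


def dagger(m):
    """Conjugate transpose of a square matrix."""
    dim = len(m)
    return [[m[j][i].conjugate() for j in range(dim)] for i in range(dim)]


def matmul(x, y):
    dim = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(dim)) for j in range(dim)]
            for i in range(dim)]


def combine(cx, x, cy, y):
    """Entry-wise cx*x + cy*y."""
    dim = len(x)
    return [[cx * x[i][j] + cy * y[i][j] for j in range(dim)] for i in range(dim)]


def bob_operators(cutoff):
    """q, p, n, d as (cutoff+1)-dimensional matrices.
    Assumption: q = (a + a^dag)/sqrt(2), p = i(a^dag - a)/sqrt(2), the
    normalisation under which n = (q^2 + p^2 - 1)/2 is the photon number."""
    dim = cutoff + 1
    a = annihilation(dim)
    ad = dagger(a)
    r = 1 / math.sqrt(2)
    q = combine(r, a, r, ad)
    p = combine(-1j * r, a, 1j * r, ad)
    q2, p2 = matmul(q, q), matmul(p, p)
    eye = [[complex(i == j) for j in range(dim)] for i in range(dim)]
    n = combine(0.5, combine(1, q2, 1, p2), -0.5, eye)
    d = combine(1, q2, -1, p2)
    return {"q": q, "p": p, "n": n, "d": d}


def coherent_state(beta, cutoff):
    """Fock amplitudes c_n = exp(-|beta|^2/2) beta^n / sqrt(n!), n <= cutoff."""
    amps, term = [], cmath.exp(-abs(beta) ** 2 / 2)
    for n in range(cutoff + 1):
        amps.append(term)
        term = term * beta / math.sqrt(n + 1)
    return amps


def expectation(op, psi):
    """<psi|op|psi> for a Hermitian op (real part returned)."""
    dim = len(psi)
    return sum(psi[i].conjugate() * op[i][j] * psi[j]
               for i in range(dim) for j in range(dim)).real


def tail_weight(beta, cutoff, extra=60):
    """Photon-number probability above the cutoff, summed term by term."""
    x = abs(beta) ** 2
    term, total = math.exp(-x), 0.0
    for n in range(cutoff + extra + 1):
        if n > cutoff:
            total += term
        term *= x / (n + 1)
    return total


def constraint_values(alpha, eta, cutoff, phases):
    """Expectation values of q, p, n, d for each label, loss-only channel."""
    ops = bob_operators(cutoff)
    values = {}
    for label, theta in phases.items():
        beta = math.sqrt(eta) * alpha * cmath.exp(1j * theta)
        psi = coherent_state(beta, cutoff)
        values[label] = {name: expectation(op, psi) for name, op in ops.items()}
    return values


if __name__ == "__main__":
    for label, v in constraint_values(0.66, 0.1, 12, QPSK).items():
        print(label, {k: round(x, 6) for k, x in v.items()})
    print("tail weight, alpha=0.66, N_c=12:", tail_weight(0.66, 12))
    # Truncation artifact: the last diagonal entry of n is (N_c - 1)/2, not N_c,
    # which is harmless only while the tail weight is negligible.
    print(bob_operators(12)["n"][12][12].real)
```

For the π/4-shifted phases the expectation of the operator d vanishes for all four labels in this loss-only model, whereas a state with phase 0 gives 2ηα².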
To implement the convex optimization, a two-step numerical method is introduced [58] below.
For convenience, we use $f(\rho)$ to represent the function $D(G(\rho)\|Z[G(\rho)])$. The constraints can be described by a set $S$: where $H_+$ is the set of positive semidefinite operators. $\Gamma_i$ is the Hermitian operator and $\gamma_i$ is the corresponding expectation value. To fit this form, one should rewrite the fifth constraint in Eq. (10). Specifically, one needs to transform the partial trace on Bob into some Hermitian operators.
Using the linearization method, we can obtain where $\rho^*$ is the optimal density matrix (i.e., the solution of the minimization problem in Eq. (10)) and $\epsilon$ represents a perturbation parameter, by which the gradient of $f(\rho)$ can exist. Owing to the existence of $\epsilon$, the term is applied to correct the difference between $f(\rho)$ and $f_\epsilon(\rho)$ caused by perturbation. In our simulation, we set $\epsilon = 10^{-12}$ to decrease the value of $\zeta_\epsilon$. Using $\epsilon$, the dependent variable becomes The gradient of $f_\epsilon(\rho)$ is $d'$ is the dimension of the matrix $G(\rho)$, which is twice the dimension of density matrix $\rho$.
Using the linearization expressed in Eq. (A3), the optimization problem is transformed into a semi-definite program, such as the second or third term of the first or the second line, respectively, in Eq. (A3). Therefore, we only need to find $\Delta\rho$ or $\sigma = \rho + \Delta\rho$ that minimizes the related term. We take $\Delta\rho$ as an example, and the first step is to find a density matrix $\rho$ that is quite close to the optimal one. To accomplish this step, we perform the algorithm as follows:
1. Begin with any $\rho_0 \in S$ and set $i = 0$.
2. Compute $\min_{\rho+\Delta\rho \in S}[\mathrm{Tr}((\Delta\rho)^T \nabla f_\epsilon(\rho_i))]$.
3. If $\mathrm{Tr}((\Delta\rho)^T \nabla f_\epsilon(\rho_i))$ is sufficiently small, STOP.
4. Find $\lambda \in (0, 1)$ that minimizes $f_\epsilon(\rho_i + \lambda\Delta\rho)$.
5. Set $\rho_{i+1} = \rho_i + \lambda\Delta\rho$, $i \leftarrow i + 1$ and go to 2.
When solving the minimization problem in step 2 of the algorithm, we find that the results are often sensitive to the setting of $\rho_0$. Different convergence paths affect the convergence effect. In our simulation, we often choose the result of feasible verification under $S$ or the result that maximizes the minimal eigenvalue of $\rho$ under $S$ as the primal density matrix $\rho_0$. The iteration of steps 2-5 sometimes needs to be broken manually; otherwise, it may take a large amount of time to converge or even never stop. The largest iteration number in our simulation is 300 or 100. After 300 or 100 iterations, we choose $\rho_i$ with the smallest $\mathrm{Tr}((\Delta\rho)^T \nabla f_\epsilon(\rho_i))$ among all iterations as our result of the first step.
Reference [58] does not offer any method to deal with the minimization of $f_\epsilon(\rho_i + \lambda\Delta\rho)$ because its DV-QKD example is simple for calculation. However, it is not an easy task for CV-QKD. We provide our own method inspired by BinarySearch:
1. Set a starting point $\lambda_s = 0$, an ending point $\lambda_e = 1$, and a middle point $\lambda_m = 0.5$.
2. Calculate $f_\epsilon(\rho_i + \lambda\Delta\rho)$ in three points, and compare them.
3. If $\lambda_s$ is the smallest one, update the ending point by $\lambda_e = \lambda_m$ and the middle point by $\lambda_m = 0.5(\lambda_s + \lambda_e)$. Then, go to 2.
4. If $\lambda_e$ is the smallest one, update the starting point by $\lambda_s = \lambda_m$ and the middle point by $\lambda_m = 0.5(\lambda_s + \lambda_e)$. Then, go to 2.
5. If $\lambda_m$ is the smallest one, two temporary points are generated by $\lambda_1 = 0.5(\lambda_s + \lambda_m)$ and $\lambda_2 = 0.5(\lambda_m + \lambda_e)$.
6. Calculate $f_\epsilon(\rho_i + \lambda\Delta\rho)$ of two temporary points and compare them with $\lambda_m$.
7. If $\lambda_m$ is still the smallest one, set $\lambda_s = \lambda_1$ and $\lambda_e = \lambda_2$, and go to 2.
8. If $\lambda_1$ is the smallest one, set $\lambda_e = \lambda_m$ and $\lambda_m = \lambda_1$, and go to 2.
9. If $\lambda_2$ is the smallest one, set $\lambda_s = \lambda_m$ and $\lambda_m = \lambda_2$, and go to 2.
The calculation results of some points can be temporarily stored for the next iteration. The termination of the iteration is decided by the calculation accuracy of computers.
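The nine-step λ search above, written out as an added Python example (not the authors' MATLAB code from Ref. [77]). A classical relative entropy over constructed probability vectors stands in for $f_\epsilon(\rho_i + \lambda\Delta\rho)$, and the bracket-width tolerance `tol` is an assumed stopping rule in place of termination at machine accuracy.

```python
import math

def line_search(f, tol=1e-8, max_rounds=200):
    """Minimize a convex f(lam) on [0, 1] with the nine-step bracketing rule.

    Returns (best_lam, f(best_lam), number_of_f_evaluations)."""
    cache = {}

    def g(lam):  # store each evaluated point so later rounds can reuse it
        if lam not in cache:
            cache[lam] = f(lam)
        return cache[lam]

    ls, le, lm = 0.0, 1.0, 0.5                      # step 1
    for _ in range(max_rounds):
        if le - ls < tol:                           # assumed stopping rule
            break
        fs, fm, fe = g(ls), g(lm), g(le)            # step 2
        if fs <= fm and fs <= fe:                   # step 3: start is smallest
            le = lm
            lm = 0.5 * (ls + le)
        elif fe < fm:                               # step 4: end is smallest
            ls = lm
            lm = 0.5 * (ls + le)
        else:                                       # step 5: middle is smallest
            l1, l2 = 0.5 * (ls + lm), 0.5 * (lm + le)
            f1, f2 = g(l1), g(l2)                   # step 6
            if fm <= f1 and fm <= f2:               # step 7
                ls, le = l1, l2
            elif f1 < f2:                           # step 8
                le, lm = lm, l1
            else:                                   # step 9
                ls, lm = lm, l2
    best = min((ls, lm, le), key=g)
    return best, g(best), len(cache)

def relative_entropy(p, q):
    """Classical D(p||q) in bits; a diagonal-state stand-in for f_eps."""
    return sum(a * math.log2(a / b) for a, b in zip(p, q) if a > 0)

# Constructed sample data (not from the paper): rho_i and Delta-rho are
# replaced by a probability vector P0 and a direction DP; Q = P0 + 0.3*DP,
# so the objective along the line is minimized at lam = 0.3.
P0 = [0.7, 0.2, 0.1]
DP = [-0.6, 0.1, 0.5]
Q = [0.52, 0.23, 0.25]

def objective(lam):
    return relative_entropy([a + lam * d for a, d in zip(P0, DP)], Q)

if __name__ == "__main__":
    print(line_search(objective))
```

Every round halves the bracket and needs at most two new evaluations, because all other points come from the cache; each evaluation of the real objective is expensive, so this reuse matters.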
After the first step, we seemingly find an appropriate density matrix ρ. However, considering the imprecision of numerical calculations, we cannot guarantee that the solution of the first step is the optimal one. In fact, we find an upper bound of the solution. To protect the security of the generated keys, we use the dual problem in the second step.
One can transform the primal problem $\min_{\sigma \in S}[\mathrm{Tr}(\sigma^T \nabla f_\epsilon(\rho))]$ into the dual problem $\max_{y \in S^*(\rho)} \gamma \cdot y$. The variable $y$ obeys the constraints: In general, primal and dual problems satisfy the weak duality. The weak duality shows that the optimal value of the dual problem is always less than or equal to the optimal value of the primal problem. According to this principle, the final solution that we obtain from the dual problem must be a lower bound of the primal problem even if it is not optimal. The lower bound of the primal problem is also the lower bound of the secret key rates according to Eq. (A3).
In addition, we can consider the imprecision of the floating-point representations of $\{\Gamma_i\}$ and $\{\gamma_i\}$.
where $\{\Gamma_i\}$ and $\{\gamma_i\}$ are the approximate representations used in the calculation. Furthermore, the solution $\rho$ may not satisfy the constraints, especially the positive semidefinite constraint. Ref. [58] encourages one to transform $\rho$ into a positive semidefinite matrix $\rho'$ by subtracting a term $\lambda_{\min} I$ when the smallest eigenvalue $\lambda_{\min}$ of $\rho$ is negative. Then, we restrict the imprecision by After the first step, we extract the quantity $\epsilon' = \max(\epsilon_{\mathrm{rep}}, \epsilon_{\mathrm{sol}})$ from the output $\rho$. This quantity influences the second step. The dual problem solved in the second step is adjusted to $\max_{(y, z) \in S^*(\rho)}$ (A11)
The description above is about one quadrature. Because $f_q(\rho)$ for $\hat{q}$ and $f_p(\rho)$ for $\hat{p}$ are added linearly, we can replace $f_\epsilon(\rho)$ by $f_{q,\epsilon}(\rho) + f_{p,\epsilon}(\rho)$. Then, $\nabla f_\epsilon(\rho)$ in primal and dual problems is replaced by $\nabla f_{q,\epsilon}(\rho) + \nabla f_{p,\epsilon}(\rho)$. In addition, the perturbation compensation $\zeta_\epsilon$ is multiplied by 2.
Thus far, the lower bound of the minimization problem is solved numerically. Note that we solve primal and dual problems using the SDPT3 solver in the CVX 1.22 package on MATLAB R2020b. This package is for specifying and solving convex programs, and SDPT3 is a free solver [75,76]. The code of our protocol is uploaded to the open-source code website [77].

Appendix B: Simulation Methods
We simulate the experiment's statistical results by assuming a phase-invariant Gaussian channel, as in Ref. [51]. When Alice sends a coherent state $|\alpha\rangle$, Bob obtains a displaced thermal state centered at $\sqrt{\eta}\alpha$ with the variance $\frac{1}{2} + \frac{\eta\xi}{2}$ for each quadrature. The first term $\frac{1}{2}$ in the variance is the vacuum noise. Thus, $\rho_B^x$ can be given by with $\alpha_x \in \{\alpha e^{i\pi/4}, \alpha e^{i3\pi/4}, \alpha e^{i5\pi/4}, \alpha e^{i7\pi/4}\}$ and $V_A = \frac{\eta\xi}{2}$. $\xi$ is the excess noise and $\eta = 10^{-aL/10}$ is the transmittance with $a = 0.2$ dB/km over the distance $L$. Thus, the expectation values of measurement operators are $q_x = \sqrt{2\eta}\,\mathrm{Re}(\alpha_x)$, To simulate the error correction, the conditional probability between Alice's sending state and Bob's mapping result can be given by where $y \in \{q, p\}$. Then, we can find the sifting probability $p^y_{\mathrm{pass}} = \sum_x p_x (P_y(0|x) + P_y(1|x))$, and normalize the probability distribution after discarding bits $\perp$. The conditional entropy for each quadrature is thus calculated by $H(Z_y|X_y) = \sum_x p_x\, h\!\left(\frac{P_y(0|x)}{P_y(0|x) + P_y(1|x)}\right)$,