Quantum key distribution with non-ideal heterodyne detection: composable security of discrete-modulation continuous-variable protocols

Continuous-variable quantum key distribution exploits coherent measurements of the electromagnetic field, i.e., homodyne or heterodyne detection. The most advanced security proofs developed so far relied on idealised mathematical models for such measurements, which assume that the measurement outcomes are continuous and unbounded variables. As physical measurement devices have finite range and precision, these mathematical models only serve as an approximation. It is expected that, under suitable conditions, the predictions obtained using these simplified models are in good agreement with the actual experimental implementations. However, a quantitative analysis of the error introduced by this approximation, and of its impact on composable security, have been lacking so far. Here we present a theory to rigorously account for the experimental limitations of realistic heterodyne detection. We focus on collective attacks, and present security proofs for the asymptotic and finite-size regimes, the latter within the framework of composable security. In doing this, we establish for the first time the composable security of discrete-modulation continuous-variable quantum key distribution in the finite-size regime. Tight bounds on the key rates are obtained through semi-definite programming and do not rely on a truncation of the Hilbert space.


I. INTRODUCTION
Quantum key distribution (QKD) is the art of exploiting quantum optics to distribute a secret key between distant authenticated users. Such a secret key can then be used as a one-time pad to achieve unconditionally secure communication. First introduced in the 80's by Bennett and Brassard [1], QKD is now at the forefront of quantum science and technology. By encoding information into the quantum electromagnetic field, QKD enables provably secure communication through an insecure communication channel, a task known to be impossible in classical physics. This contrasts with standard and post-quantum cryptography, which are based on computational assumptions and do not guarantee long-term security. In fact, future advancements in theoretical computer science or computational power (including quantum computing) may jeopardize the security of these schemes.
To travel the route from fundamental physics to future technologies, we need to account for the trade-off between the rate of key generation of the protocol, its security, and the feasibility and robustness to experimental imperfection. The highest standards of security and robustness are those of device-independent QKD, but are achieved at the cost of a reduced key rate. Here we focus on continuous-variable (CV) QKD, within the device-dependent approach, which allows for feasible implementations with much higher key rates. Our goal is to improve the robustness of CV QKD to experimental imperfections and practical limitations. For a recent review of device-independent QKD and CV QKD we refer to Ref. [2].
CV QKD denotes a family of protocols where information is carried by the phase and quadrature of the quantum electromagnetic field. A variety of protocols exist that differ in how the quadratures encode this information [3][4][5][6][7]. However, when it comes to decoding, all CV QKD protocols exploit coherent measurements of the field, i.e., either homodyne or heterodyne detection [8]. The strategic importance of CV QKD indeed relies on this choice of measurement, as homodyne and heterodyne detection are mature, scalable, and noise-resilient technologies. This is in contrast with discrete-variable architectures, that require bulky, high-efficiency, and lownoise single-photon detectors [9].
When modeling a CV QKD protocol, it is customary to describe its measurement outcomes as continuous and unbounded variables. In these models, homodyne detection measures one quadrature of the field, and heterodyne detection provides a joint measurement of both quadrature and phase [8]. These simplified models are powerful mathematical tools due to their continuous symmetry. Two fundamental theoretical results rely on this symmetry: the optimality of Gaussian attacks [10][11][12] and the Gaussian de Finetti reduction [13]. However, this symmetry is not exact and is broken by real-world physical devices. In fact, in actual experimental implementations, homodyne and heterodyne detection yield digital outcomes and have a finite range [14,15]. While it is expected that, in some limit, the idealised measurement models describe actual physical devices well, up to now a quantitative analysis of this approximation was lacking. In particular, it was not known how to quantify the impact of these non-idealities on the secret key rate.
In this work we finally fill this important conceptual gap and present a theory to quantify the secret key rates obtained in actual QKD protocols that exploit actual measurement devices. Up to now, only a handful of results were available in this direction. Furrer et al. considered digitalised homodyne for a protocol based on distribution of entangled states [6], and Matsuura et al. considered a binary encoding using coherent states, homodyne detection, and a test phase exploiting heterodyne [7]. However, in both cases the key rates do not converge to the asymptotic bounds obtained in Refs. [13,[16][17][18], which are believed to be optimal for ideal detection. In contrast, our results converge to these optimal bounds when the non-idealities are sufficiently small.
We focus on discrete-modulation (DM) protocols, where the sender prepares coherent states whose amplitudes are sampled from a discrete ensemble. We establish the security against collective attacks in both the asymptotic and non-asymptotic regime, the latter within the framework of composable security [19]. This contrasts with previous works on DM CV QKD [16][17][18]20], which only considered the asymptotic limit of infinite channel uses. Our composable security proof allows us to quantify the security of QKD in the practical scenario where the number of signal exchanges is finite, and QKD is used a sub-routine of an overarching cryptography protocol. Although collective attacks are not the most general attacks, they are known to be optimal, up to some finitesize corrections, through de Finetti reduction [13,21,22] While we focus on heterodyne detection, the same approach may be as well applied, with some modifications, to homodyne detection.

II. STRUCTURE OF THE PAPER AND SUMMARY OF RESULTS
We introduce DM CV QKD with non-ideal heterodyne detection in Section III and review its asymptotic security in Section IV. We discuss using a data-driven approach to approximate infinite-dimensional states with ones with finite-dimensional support in Section V, and in Section VI calculate corresponding corrections to our secret key rate by using a continuity argument.
We bound the secret key rates in three different settings with increasing complexity, where in each setting we find the optimal values using linear semi-definite programming. In the first setting (Section VII), the semidefinite programs are still over infinite dimensional quantum states, and knowledge of their optimal values would allow one to determine the secret key rate in the asymptotic limit. In the second setting (Section VIII), we map the infinite dimensional semi-definite programs of Section VII into finite-dimensional ones, the latter of which can be solved numerically without truncating the Hilbert space. This gives us a way to exactly numerically evaluate the secret key rate in the asymptotic limit. In the third setting (Section IX), within a composable security Encoding Composable Heterodyne Key rate Ref. [13] CM Ideal Exact Ref. [17] DM Ideal Approx. Ref. [18] DM Ideal Approx. Ref. [20] DM Ideal Exact Ref. [16] DM Ideal Exact This work DM Realistic Exact . These examples suggest that, in the limit of vanishing nonidealities in heterodyne measurement and growing number of channel uses, the secret key rate of DM CV QKD approaches the highest rate possible. Conclusions and potential future developments are discussed in Section XI. Table I compares our results with previous works that also presented security analysis of CV QKD protocols. We only consider works that obtained a tight estimation of the key rate. The encoding of classical information in quantum signals may happen through either a continuous modulation (CM) or a discrete modulation (DM). In this work we consider DM, which reflects what is actually done in experiments. We obtain our security proof within the framework of composable security, which is the gold standard in cryptography; composable security permits a quantitative assessment of the security of QKD, including when the QKD protocol is a subroutine of an overarching communication protocol. We consider a realistic model of actual heterodyne detection, instead of the ideal model used in previous works. Our numerical calculation of the lower bound on the secret key rate is exact, as we do not need to impose an arbitrary cutoff of the Hilbert space.

III. THE MODEL
We consider one-way QKD where one user (conventionally called Alice) prepares quantum states and sends them to the other user (called Bob), who measures them by heterodyne detection. The transmission is through an insecure quantum channel that may be controlled by an adversary (called Eve). This general scheme defines a prepare & measure (PM) protocol. In this work we focus on DM CV QKD protocols where, on each channel use, Alice prepares a coherent state |α whose amplitude is sampled from an M -ary set, {α x } x=0,...,M−1 with probabilities P x . This defines Alice's M -ary random variable X. An example is quadrature phase shift keying (QPSK), obtained for M = 4 and setting α x = αi x , P x = 1/4.
In order to prove the security of these protocols, we need to consider a different, though formally equivalent, scenario where a bipartite quantum state ρ AB is distributed to Alice and Bob, of which Eve holds a purification. This kind of setting defines an entanglement-based (EB) protocol. It is sufficient to prove the security of the EB protocol, from which the security of the PM protocol follows. In the EB protocol, the state ρ is a two-mode state, where a, a † and b, b † are the annihilation and creation operators for Alice and Bob, respectively. The EB representation of DM CV QKD protocols is discussed in detail in Ref. [16]. In this work we focus on collective attacks, which are identified by the assumption that, over n uses of the quantum channel, the state factorises and has the form ρ ⊗n AB . In the following, we indicate as ρ B = Tr A (ρ AB ) the reduced state on Bob side. To make the notation lighter, we will sometimes drop the subscripts AB or B when the the meaning is clear from the context.
On the receiver's side, Bob measures by applying heterodyne detection. Ideally, heterodyne detection is a joint measurement of the field's quadrature (q) and phase (p), whose output can be described as a complex variable β = (q + ip)/ √ 2. Ideal heterodyne detection, applied on a state ρ, would yield a continuous and unbounded output, with probability density 1 π β|ρ|β , where |β is the coherent state of amplitude β. In contrast, actual experimental realisations of heterodyne detection have measurement outcomes that are confined to a finite region in phase space, β ∈ R(R), and hence have finite range. Here we assume that the region R(R) is defined by the condition q, p ∈ [−R, R], for some R > 0. Furthermore, the measurement outputs are digital, such that each quadrature takes d values, with each value corresponding to a unique log d-bit string. This is obtained by binning the values of q ∈ [−R, R] into d non-overlapping intervals. For simplicity, we consider intervals of equal size, for j = 1, . . . , d. The output j is then associated to the event q ∈ I j , which, in turn, we identify by the central value The same digitisation, when applied to both q and p, yields a description of actual heterodyne detection as a measurement with d 2 possible outputs. This defines Bob's variable Y , which is a discrete random variable and assumes d 2 values. These discrete values can be conveniently labeled using the central points of each interval, i.e., If Bob obtains the average state ρ B , then the probability of measuring β jk is where the complex interval I jk is defined in such a way that β ∈ I jk if and only if q ∈ I j and p ∈ I k , and d 2 β = 1 2 dqdp. Finally, there is a non-zero probability of an inconclusive measurement, when the amplitude lies outside the measurement range.

IV. ASYMPTOTIC SECURITY OF CV QKD
In the limit that n → ∞, the secret key rate (i.e., the number of secret bits that can be distilled per transmission of the signal) is given by the Devetak-Winter formula [23]: where I(X; Y ) is the mutual information between Alice and Bob, and χ(Y ; E) ρ is the Holevo information (quantum mutual information) between Bob and Eve (here we assume reverse reconciliation on Bob's data, which is optimal for long-distance communication). The factor ξ ∈ (0, 1) accounts for the sub-unit efficiency of error correction. While I(X; Y ) only depends on X and Y , χ(Y ; E) ρ also depends on the quantum information held by Eve, which in general cannot be estimated directly. Fortunately, the property of extremality of Gaussian states [11,12] allows us to write the upper bound where f χ is a known function of the covariance matrix (CM) elements (see Appendix A) In conclusion, estimating the CM suffices to obtain a universal upper bound on the Holevo information, which holds for collective attacks in the limit of n → ∞. The asymptotic key rate is thus bounded as Since f χ is an increasing function of γ A and γ B , and a decreasing function of γ AB [24], estimating upper bounds on γ A , γ B and a lower bound on γ AB suffices to bound the asymptotic key rate. In practical realisations of CV QKD, where the parameter γ A is known by definition of the protocol, one only needs to bound γ B and γ AB .

V. PHOTON-NUMBER CUTOFF
The technical difficulties in the analysis of CV QKD are due to the fact that the quantum information carriers reside in a Hilbert space with infinite dimensions. To overcome this issue we need to impose a cutoff in the Hilbert space. As we do not want to impose such a cutoff in an arbitrary way, we follow a data-driven approach. Define the following operators on Bob's side: and where |n is the Fock state with n photons. Renner and Cirac noted that [22] From the experimental data, Bob can estimate the probability P 0 (R) as in Eq. (5). Note that from which we obtain This shows that the probability that Bob receives more than 2R 2 photons is no larger than 2P 0 (R). The gentle measurement lemma [25] then yields where is a normalised state with finite-dimensional support, and is the projector onto the subspace with up to N = ⌊R 2 ⌋ photons, and · 1 is the trace norm. In conclusion, though ρ is generic, an experimental estimation of the probability P 0 (R) allows us to determine the proximity of ρ to a state with finite-dimensional support.

VI. CONTINUITY OF THE HOLEVO INFORMATION
In the EB representation, the two-mode state ρ AB is measured, on Bob's side, by heterodyne detection. In general, ρ AB resides in a Hilbert space with infinite dimensions. However, as discussed above, it is close in trace norm to the state τ AB in Eq. (18). Note that τ AB has support in a space with M × ⌊R 2 + 1⌋ dimensions.
The Holevo information is a continuous functional of the state. By applying the continuity bound of Shirokov we obtain [26] where (in this paper we put log ≡ log 2 , and ln denotes the natural logarithm) This implies that, by paying a small penalty in the key rate, we can replace ρ with the finite-dimensional state τ . We thereby obtain the following bound on the asymptotic key rate, By comparing with Eq. (11), we note that this bound depends on the CM of τ . However, τ is only a mathematical tool and does not describe the state that is prepared and measured in the experimental realisation of the protocol. The only state that is physically accessible is ρ. Below we show how we can estimate the CM of τ by measuring ρ by heterodyne detection. In particular, our goal is to find an upper bound on γ B (τ ) and a lower bound on γ AB (τ ).

VII. SEMI-DEFINITE PROGRAMMING
In the EB representation, Alice prepares the two-mode state Alice keeps the mode A and sends A ′ to Bob. The vectors |ψ x are mutually orthogonal and span an M -dimensional subspace of Alice's mode A. Note that Alice's reduced state is The equivalence with the PM protocol is obtained by noticing that a projective measurement of A ′ in the basis {|ψ x } x=0,...,M−1 prepares the mode A in the coherent state |α x with probability P x . A good choice for the vectors |ψ x 's is presented in Ref. [16].
Our goal is to bound the key rate using the data collected by Alice and Bob, where Bob's measurement is modeled as realistic heterodyne detection with finite range and precision. We follow the seminal ideas of Refs. [17,18] and achieve this by semi-definite programming (SDP). As an example, we apply linear SDP, as done in Ref. [17], to bound the CM of the state τ , but we remark that our theory can also apply to non-linear SDP as in Ref. [18].
Let ρ B (x) be the state received by Bob given that Alice sent |α x . Alice and Bob can experimentally estimate the probability mass distribution which can be used as a constraint in the SDP that we later formulate. We can also consider linear combinations of the parameters P jk|x , which obviously are also experimentally accessible. Here we consider the quantities (where¯denotes complex conjugation) which are the expectation values of the variance and the covariance between Alice's and Bob's variables. Note that v = Tr(Vρ) and c = Tr(Cρ) are the expectation values of the operators Similarly, from Eq. (5), the quantity 1 − P 0 (R) = Tr(Uρ) is the expectation value of the operator Denote asγ B (τ ) the optimal value of the semi-definite program Taking into account normalisation, we obtain the upper bound on γ B (τ ), Similarly, consider the optimal valueγ AB (τ ) of the semi-definite program from which we obtain the lower bound Note that the projector Π appears in the objective functions but not in the constraints. For this reason, we cannot simply replace ρ with τ , and the optimal values of the semi-definite programs remain defined in an infinite dimensional Hilbert space. However, when numerically solving these semi-definite programs, we find solutions of the form Πρ B Π and (I ⊗ Π)ρ AB (I ⊗ Π). This suggests that the presence of the projector operator Π in the objective function suffices to make the problem effectively finite-dimensional (see the Appendix D for further detail). To numerically evaluate the optimal values of these semi-definite programs, we derive the corresponding dual programs, which are more efficient to evaluate, and detail this in Appendix D.

VIII. FINITE-DIMENSIONAL SDP
In this section we obtain from (31) and (33) two semidefinite programs that are defined in a finite-dimensional Hilbert space. We do this by replacing the constraints appearing in (31) and (33) with weaker constraints. This represents no loss of generality, as our goal is to obtain an upper bound on γ B (τ ) and a lower bound on γ AB (τ ). We express the new semi-definite programs in terms of the normalised state τ AB , defined in Eq. (18), which has support in the finite-dimensional subspace containing no more than N = ⌊R 2 ⌋ photons.
First consider the semi-definite program in (31). Note that, since V is positive semi-definite, we have Therefore, the condition Tr(Vρ B ) ≤ v implies Tr(VΠρ B Π) ≤ v. Taking into account the fact that the trace of Πρ B Π is larger than 1 − 2P 0 (R) (from Eq. (16)), we obtain the following constraint: Also note that the constraint Tr(Uρ B ) ≥ 1 − P 0 (R) can be rewritten as Tr((I − U)ρ B ) ≤ P 0 (R). As I − U is positive semi-definite, this constraint can be replaced with Tr((I − U)Πρ B Π) ≤ P 0 (R). Applying the same argument as above, we obtain the constraint which in turn implies Putting all this together, (31) can be replaced with the finite-dimensional semi-definite problem: , , Consider now (33). Note that the operator C is bounded, where O ∞ = sup ψ | ψ|O|ψ | ψ|ψ denotes the operator norm. This observation allows us to express the constraint in terms of the state τ AB instead of ρ AB by introducing a small error, where the first inequality follows from the general property that |Tr(OO ′ )| ≤ O ∞ O ′ 1 , for any pair of Hermitian operators O, O ′ .
In conclusion, we replace (33) with the finitedimensional semi-definite problem: , , IX. NON-ASYMPTOTIC REGIME Entropic uncertainty relations are often used to establish the security of QKD in the non-asymptotic regime [27]. In particular, they have been applied successfully in CV QKD by Furrer et al. [6]. Unfortunately, this elegant method does not yield a tight bound on the key rate for CV QKD. Quoting Leverrier [13]: "This [CV QKD] protocol can be analyzed thanks to an entropic uncertainty relation, but [...] this approach does not recover the secret key rate corresponding to Gaussian attacks in the asymptotic limit of large n, even though these attacks are expected to be optimal." In the same paper, Leverrier showed that the Asymptotic Equipartition Property (AEP) [28] is better suited for CV QKD as it converges to the secret key rate corresponding to Gaussian attacks in the asymptotic limit.
As we show below, the theory developed in the previous sections can be extended to the non-asymptotic regime where a finite number n of signals is exchanged between Alice and Bob. To achieve this goal, we need to make two main modifications to our theoretical analysis.
The first modification accounts for the finite-size correction to the entropic functions appearing in the asymptotic rate in Eq. (22). These corrections can be computed using the AEP [28]: where the additive term ∆ can be bounded as [29] ∆(d, ǫ s ) ≤ 4(1 + log d) log (2/ǫ 2 s ) , and ǫ s is the entropy smoothing parameter. Furthermore, Eq. (48) also includes a term due to privacy amplification, characterised by the hashing parameter ǫ h . The corresponding key is secure up to probability ǫ = ǫ s + ǫ h (see Ref. [28] for more details). Invoking the AEP is not sufficient to analyse the nonasymptotic regime. In order to achieve composable security in the non-asymptotic regime, we also need to provide confidence intervals for the channel parameters that are not known exactly but obtained through parameter estimation. Our second modification to our theory takes this into account, and we discuss this further below. Providing confidence intervals for parameter estimation is a difficult problem in CV QKD because the variables measured in ideal homodyne or heterodyne detection are unbounded. This problem was solved by Leverrier [13] by exploiting a continuous symmetry of heterodyne detection for CV QKD protocol with Gaussianmodulation. Unfortunately, discrete modulation occurs on a finite range and does not have a continuous symmetry. Hence, Leverrier's approach cannot by applied to any CV protocol with discrete modulation. In our work, since we consider non-ideal heterodyne detection (which is bounded), we are able to compute confidence intervals for all the relevant parameters of the communication channel. Therefore, although the AEP can be applied to previous asymptotic security proofs (e.g. Refs. [16][17][18]20]), our work is the first one to allow for a composable analysis of parameter estimation for CV QKD protocol with discrete modulation.

A. Parameter estimation: confidence intervals
The second modification arises because the parameters v, c, and P 0 (R), which enter the semi-definite programs, need to be estimated from experimental data. In the nonasymptotic regime, these estimates are subject to statistical errors due to finite-size fluctuations. To account for this, we need to compute confidence intervals for these quantities for any finite n. It is sufficient to consider onesided confidence intervals, as the parameters enter the semi-definite programs in constraints expressed through inequalities. Following the approach of Ref. [24], we assume that parameter estimation is performed after error correction. This allows Alice and Bob to use all their raw keys for both parameter estimation and key extraction.
First consider the variance parameter v. Given n signal transmissions, Bob obtains from his measurements a string of quadrature and phase values, q B 1 , q B 2 , . . . , q B n and p B 1 , p B 2 , . . . , p B n . His best estimate for In the scenario of collective attacks, this is the sum of n i.i.d. variables, with each variable taking values in the interval [0, R 2 ]. We can then obtain a confidence interval for v using the additive Chernoff bound. For any δ v > 0, where D(a b) = a ln a b + (1 − a) ln 1−a 1−b is the relative entropy. Note that, for p < 1/2, we have which yields To obtain a confidence interval for the covariance parameter c we apply the Hoeffding bound. Let us denote as q A 1 , q A 2 , . . . , q A n and p A 1 , p A 2 , . . . , p A n the raw data collected by Alice. The best estimate for c iŝ Finally, consider the estimation of P 0 (R). This parameter is estimated by counting the number of times that a measurement output falls outside of the allowed range R(R). Bob can locally estimate this with the help of the auxiliary variables S i , where S i = 0 if the ith signal falls inside the range, and S i = 1 otherwise. Therefore, Bob's best estimate for P 0 (R) iŝ This is the average of independent Bernoulli trials and therefore follows the Binomial distribution. A confidence interval can be obtained from the additive Chernoff bound: Applying the bound in Eq. (52) we obtain We will require that the probabilities ǫ v , ǫ c , ǫ P are much smaller than 1, of the order of 10 −10 .
In summary, we have obtained that the following bounds,v hold true with almost unit probability (larger than 1 − ǫ PE , where ǫ PE = ǫ v + ǫ c + ǫ P follows from an application of the union bound). For simplicity we put ǫ v = ǫ c = ǫ P = ǫ PE /3. By inverting Eq. (56), we obtain From Eqs. (54) and (60) we obtain the following conditions for δ v and δ P : To estimate these quantities we apply the inequalities (61), (63): Finally, solving for δ v and δ P we obtain In conclusion, the non-asymptotic secret key rates are obtain using the formula in Eq. (48), where the parameter γ B (τ ) and γ AB (τ ) are obtained by solving the semidefinite programs (40), (47) with the replacements and δ v , δ c , δ P bounded as in Eqs. (64), (69), (70). The key rate obtained in this way is secure up to probability not larger than ǫ ′ = ǫ s + ǫ h + ǫ PE . FIG. 1: Asymptotic secret key rates versus channel loss for QPSK encoding, for collective attacks in the limit of n → ∞. The channel parameters are |α| = 0.5, u = 0.001, and ξ = 0.97. The solid lines show the theoretical rate expected for ideal heterodyne detection, from Ref. [16]. For non-ideal heterodyne, the key rate is computed for d = 16 and R = 6 (squares) and R = 7 (circles). Top figure: the key rate is obtained by truncating and solving the infinite-dimensional semi-definite programs (31) and (33). Bottom figure: the key rate is obtained by solving the finite-dimensional semidefinite programs (40) and (47).

X. QPSK: SECRET KEY RATES
Our theoretical analysis applies to any DM protocol. As a concrete example, we describe the application of our theory to QPSK encoding, where α x = αi x and P x = 1/4, for x = 0, 1, 2, 3. To align with the symmetry of our model of realistic heterodyne detection, we set α = |α|e iπ/4 . We have From this we obtain and For the sake of presentation, we assume a Gaussian channel from Alice to Bob, characterised by the loss factor η ∈ [0, 1] and the excess noise variance u ≥ 0. Given that a, a † are the canonical annihilation and creation operators on Alice's input mode, and b, b † on Bob's output mode, a Gaussian channel (in the Heisenberg picture) is a map of the form where e, e † are the canonical operators associated to an auxiliary vacuum mode, and w is a Gaussian random variable with zero mean and variance u. Assuming this form for the channel from Alice to Bob, we can explicitly compute the expected asymptotic values of the constraint parameters v, c, and P 0 (R), and then solve the semidefinite programs to estimate the CM elements γ B (τ ), γ AB (τ ). (More details are discussed in Appendix E.) The computed secret key rates (measured in bits per channel use, i.e., per mode) are shown in Figs. 1-2 versus the loss η, expressed in decibels. The other parameters of the protocol are fixed as |α| = 0.5, and u = 0.001. Figure 1(top) is obtained by solving the semi-definite programs (31) and (33), which are defined in an infinitedimensional Hilbert space. To find a solution, we truncate the Hilbert space. The figure shows that, as expected, by increasing R, and for d large enough, the secret key rate converges towards the value expected for ideal heterodyne detection (which has been recently computed in Ref. [16]). Our theory allows us to rigorously compute the deviation from this ideal rate. Figure 1(bottom) is obtained by solving semi-definite programs (40) and (47), which are defined in a finitedimensional Hilbert space. In this case, a solution can be found without arbitrary truncation of the Hilbert space. Compared with Fig. 1(top), we note that the secret key rate is reduced, especially if the value of R is not large enough. This is due to the term proportional to C ∞ introduced in constraints of the semi-definite programs to account for the projections into the finite-dimensional space (therefore, an improved key rate can be obtained with a better bound for C ∞ ). However, already for R = 7 the difference with the solution of the infinitedimensional problem is relatively small. Figure 2 is obtained by solving finite-dimensional semidefinite programs and including the finite-size corrections in the constraints, as discussed in Section IX. For the sake of illustration, the calculations have been done by The error parameters are ǫ h = ǫ s = ǫ PE = 10 −10 . The figure shows that a non-zero secret key rate is obtained when the block size is about n = 10 10 or larger. The dominant finite-size corrections are due to δ v and δ c . This means that an improved key rate could be obtained by using tighter confidence intervals for the estimation of these parameters. This, in turn, would allow us to reduce the block-size without compromising composable security.

XI. CONCLUSIONS
In CV QKD information is decoded by a coherent measurement of the quantum electromagnetic field, i.e., homodyne or heterodyne. These are mature technologies and represent the strategic advantage of CV QKD over discrete-variable architectures. This applies to both continuous [3,4,13,24] and discrete modulation protocols [5, 16-18, 20, 30, 31]. Ideal homodyne and heterodyne detection, which are measurements of the quadratures of the field, possess a continuous symmetry that plays a central role in our theoretical understanding of CV QKD. However, this symmetry is broken in real homodyne and heterodyne dectection that are implemented in actual experiments [14,15]. While it is expected that, in practice, these measurements are well approximated by their idealised models in some regimes, a quantitative assessment of the error introduced by this approximation, and of its impact on the secret key rate, has so far been elusive. Here we have filled this gap and presented a theory to quantify the security of CV QKD with real, imperfect, heterodyne detection. Within this theory we have established the composable security of DM CV QKD in the non-asymptotic regime. To the best of our knowledge this is the first result obtained in this direction, as previous works only considered asymptotic, non-composable security [16][17][18]20]. Extension to most general attacks, which in principle can be obtained through a de Finetti reduction, remains an open problem.
In this paper, we have extended the approach of Ref. [17], in which one first estimates the covariance matrix of the quadratures, and then obtain a bound on the key rate using the property of extremality of Gaussian states. However, our theory can also be applied to the method of Refs. [18,20], in which one uses the measured data to bound the key rate directly through nonlinear semi-definite programming. We have focused on a particular kind of non-ideality in detection, but our approach can be applied to other non-idealities in both detection and in state preparation. Examples of these nonidealities include non-linearities in the analog-to-digital converter [32] and noise in the state preparation [16]. In principle, accounting for experimental imperfections in the security analysis mitigates the threat from sidechannel attacks. Our approach may also be extended to measurement-device-independent QKD [29,33,34], which protects against unknown side-channel attacks on the detectors. The results presented here are not only conceptually important, but will also enable secure, practical, and reliable DM CV QKD. In fact, to obtain reliable bounds on the secret key rates, the practitioner of CV QKD needs to carefully assess, in a composable way, finite-size effects as well as the impact of non-idealities in the measurement devices, including but not limited to, the effects of finite range and precision considered in this work. Consider a two-mode state ρ AB shared between Alice and Bob. We denote a, a † , and b, b † the annihilation and creation operators on Alice's and Bob's mode, respectively. Their local quadrature and phase operators are . The symmetrically ordered CM γ ′ (ρ) of the two-mode state ρ is defined as where Σ(x, y) := (xy + yx)/2. The CM can be written in a block form as where A, B, C are 2×2 matrices. We denote as ν + and ν − the symplectic eigenvalues of γ ′ (ρ). When Bob measures his mode by ideal heterodyne detection, the conditional state of Alice has CM We denote ν 0 as the symplectic eigenvalue of γ(ρ A|B ). The property of extremality of Gaussian states yields the following bound on the Holevo information: where and for any x > 0 the function g is defined as and g(x) := 0 if x = 0. It is possible to show [24] that the function F χ increases if we replace γ ′ (ρ) with the matrix γ(ρ) where ∆ := (q A q B − p A p B )/2. From this we obtain the bound Note that Obviously, F χ (γ(ρ)) is a function of γ A (ρ), γ B (ρ), γ AB (ρ). We therefore define Appendix B: QPSK: EB representation In the PM representation, Alice prepares the state |α x with probability P x = 1/4, for α x = αe ixπ/2 and x = 0, 1, 2, 3, where we put α = |α|e iπ/4 . The average state prepared by Alice is We can expand this state in the number basis. Its (n, n ′ ) entry is α nᾱn ′ √ n!n ′ ! 1 + e (n−n ′ )π/2 1 + e (n−n ′ )π . (B4) That is, ρ nn ′ A ′ = 0 unless n − n ′ is a multiple of 4, in which case, As this state is invariant under rotation of π/2 in phase space, the eigenvectors have the form, for y = 0, 1, 2, 3, |φ y = n≥0 c y,n |y + 4n . (B6) we obtain λ y c y,n = e −|α| 2 /2 α y+4n (y + 4n)! (B8) By imposing normalisation, we find |φ y = e −|α| 2 /2 λ y n≥0 α y+4n (y + 4n)! |y + 4n , where λ y = e −|α| 2 n≥0 |α| 2(y+4n) (y + 4n)! . Explicitly, We define the purification of the state ρ A ′ through its Schmidt decomposition, where |φ y = e −|α| 2 /2 λ y n≥0ᾱ y+4n (y + 4n)! |y + 4n .
It is easy to check that which we can invert to obtain We can then write where we have defined We now express the operators that appear in our semidefinite programs in the basis {|ψ x ⊗ |n } x=0,...,3;n=0,...,∞ , where |n 's are the number states of Bob's side, satisfying b † b|n = n|n .
The operator ρ B is a density matrix of one bosonic mode.
(C3) Therefore, The operator V is Note that by symmetry, V nn ′ = 0 unless n−n ′ is multiple of 4. Also by symmetry, V is a real matrix in the Fock basis. Similarly, we have with The covariance operator in the objective function reads To compute this, first note that from which we obtain Finally, the operator C has components The operator can thus be written as Note that, by symmetry, [B] nn ′ = 0 for n − n ′ even. Also by symmetry, the entries of C are all real.
In the main body of the paper we have formulated the following optimisation problems maximize ρ ≥ 0 and minimize ρ ≥ 0 where A, X = Tr(A † X) denotes the Hilbert Schmidt inner product. To derive the corresponding dual programs which will be more numerically efficient to evaluate, we revisit duality theory for SDP with mixed constraints. Given any semidefinite program of the form where C, A i and B j are Hermitian matrices, the Lagrangian is given by where y i ≥ 0, z i ∈ R. By linearity of inner products, we can rewrite the Lagrangian as The Lagrange dual is then given by The Lagrange dual of (D1) is thus given by minimize y 1 , y 2 ≥ 0, z ∈ R y 1 v − y 2 (1 − P 0 (R)) + z subject to − 1 2 Π(b † b + bb † )Π + y 1 V − y 2 U + zI ≥ 0.
(D7) Strong duality in this case holds because the inequality constraints can be strictly feasible, and the Slater constraint qualification holds.
(D8) where κ(y, z) = −y 1 C + y 2 V − y 3 U + y 4 I + h,k z h,k Z h,k , (D9) φ(z) = h≥k z h,k Re(σ h,k ) + h<k z h,k Im(σ h,k ) , (D10) and Z h,k = E h,k ⊗ I B when h ≥ k and Z h,k = F k,h ⊗ I B when h < k, with To solve numerically these optimisation problems we need to impose a cutoff to Bob's Hilbert space, and work within a finite dimensional space of dimensions dim, containing no more than (dim − 1) photons on Bob's side. The value of dim can be arbitrarily large, as long as it is larger than N + 1, where N = ⌊2R 2 ⌋ is determined by the rank of the projector Π. However, our numerical results suggest that it is sufficient to put dim = N + 1. As an example, Fig. 3 shows the optimal values for QPSK encoding, and for the optimisation problems (D7) and (D8), as a function of dim.
As a concrete example, we apply our theory to QPSK encoding, where α x = αi x and P x = 1/4, for x = 0, 1, 2, 3. To align with the symmetry of our model of realistic heterodyne detection, we set α = |α|e iπ/4 . We simulate a Gaussian channel from Alice to Bob, characterised by the loss factor η ∈ [0, 1] and the excess noise variance u ≥ 0.
First, we compute the expected value for the mutual information, where H(Y ) is the entropy of Bob's measurement outcome, and H(Y |X) is the conditional entropy for given input state prepared by Alice. If Alice prepares the coherent state |α x , with α x = (q x + ip x )/ √ 2, then the state ρ B (x) received by Bob is described by the Wigner function W x (q, p), where W x (q, p) = 1 π(2u + 1) e − (q− √ η qx ) 2 +(p− √ η px ) 2 2(u+1/2) .

(E2)
From this, we obtain the probability density of measuring β = (q + ip)/ √ 2 by ideal heterodyne detection, and, in turn, the probability of measuring β ∈ I jk , P jk|x = 1 π β∈I jk d 2 β β|ρ B (x)|β = P j|x P k|x , (E4) where P j|x = 1 2 erf (2 + d − 2j)R + d √ η q x d 2(u + 1) For QPSK encoding, the conditional mutual information then reads (log in base 2) The probability distribution of Y is obtained by averaging over X, P jk = 1 4 3 x=0 P jk|x , and the entropy of Y is Similarly, we compute the expected values for the estimated parameters v and c. We obtain