Finite-Size Security for Discrete-Modulated Continuous-Variable Quantum Key Distribution Protocols

Discrete-Modulated (DM) Continuous-Variable Quantum Key Distribution (CV-QKD) protocols are promising candidates for commercial implementations of quantum communication networks due to their experimental simplicity. While tight security analyses in the asymptotic limit exist, proofs in the finite-size regime are still subject to active research. We present a composable finite-size security proof against independently and identically distributed collective attacks for a general DM CV-QKD protocol. We introduce a new energy testing theorem to bound the effective dimension of Bob's system and rigorously prove security within Renner's epsilon-security framework and address the issue of acceptance sets in protocols and their security proof. We want to highlight, that our method also allows for nonunique acceptance statistics, which is necessary in practise. Finally, we extend and apply a numerical security proof technique to calculate tight lower bounds on the secure key rate. To demonstrate our method, we apply it to a quadrature phase-shift keying protocol, both for untrusted, ideal and trusted nonideal detectors. The results show that our security proof method yields secure finite-size key rates under experimentally viable conditions up to at least 72km transmission distance.


I. INTRODUCTION
Quantum key distribution (QKD) [1,2] enables two remote parties to establish an information-theoretically secure key, even in the presence of an eavesdropper, which is known to be impossible by classical means. The generated key can then be used in cryptographic routines like the one-time pad. Comprehensive reviews about QKD can be found in [3][4][5]. Depending on the used detection technology, we distinguish between discrete-variable (DV) protocols like the famous BB84 [1] and protocols with continuous-variables (CVs) [6]. While the first class relies on rather expensive components like single-photon detectors, the latter ones make use of state-of-the-art communication infrastructure and employ much cheaper photodiodes to perform homodyne or heterodyne measurements. In contrast to CV QKD being easier to implement compared to DV QKD, proofs of security for CV-QKD are often more difficult to establish as the physical systems are described by infinite dimensional Hilbert spaces. Based on the modulation type, CV-QKD can be further subdivided into protocols with Gaussian modulation (GM) [7][8][9][10] and discrete modulation (DM) [11][12][13]. While Gaussian-modulated protocols have been examined extensively [4,[14][15][16], for a practically useful security analysis, one has to take the influence of finite constellations into account [17]. Furthermore, from a technical perspective, GM-protocols put high requirements on * florian.kanitschar@outlook.com the classical error correction routine and on the modulation device.
Discrete modulation schemes for continuous-variable quantum key distribution (CV-QKD) enjoy implementation simplicity and compatibility with the existing telecommunication infrastructures. These features make them attractive to be deployed in future quantumsecured networks. While early security proofs for DM CV-QKD protocols were restricted to idealised cases [11,13] and have been lagging behind proofs for Gaussianmodulated protocols, significant progress has been made in the asymptotic regime recently [18][19][20][21]. Although these analyses serve as an important first step toward a full security proof against general attacks in the finitesize regime, there remain challenging gaps to fill in order to complete the proof. A recent work [22] provides a finite-key analysis of the binary modulation protocol. This security proof uses the phase error rate approach that is commonly used in discrete-variable QKD security proofs, which seems to be challenging to extend beyond binary modulation. Unfortunately, due to the limitation of the binary modulation scheme, the key rate obtained is rather limited even for short distances and large block sizes [23,24]. One expects that much better performance can be obtained for higher constellation modulation schemes. Of particular interest is the quadrature phase-shift keying (QPSK) scheme. Very recently, a security proof against collective independently and identically distributed (i.i.d.) attacks for a discrete-modulated CV-QKD protocol was published [25]. However, the secure finite-size key rates there converge against the asymptotic arXiv:2301.08686v2 [quant-ph] 12 Oct 2023 key rates in [20], which -in contrast to Refs. [19,21] are known to be loose for quaternary modulation.
In this work, we present a finite-size security analysis for discrete-modulated CV-QKD protocols under the assumption of i.i.d. collective attacks. Although this does not represent the most general type of attacks, it is believed that key rates against collective i.i.d. attacks can be related to key rates against general attacks [26][27][28], hence are optimal up to de-Finetti reduction terms. However, as DM CV-QKD protocols are described in infinite dimensional Hilbert spaces and lack the universal rotation symmetry of CV protocols with Gaussian modulation, these techniques cannot be applied directly. We emphasize that our proof method is very general and does apply to general discrete modulation patterns. For illustration purposes, we demonstrate our proof method for a four-state quadrature phase-shift keying protocol and calculate secure key rates using the security proof framework of Refs. [29,30].
While there already exists an extension of this numerical security proof framework to the finite-size regime [31] for finite-dimensional spaces, we extend and generalise this to infinite dimensional Hilbert spaces, as required to treat CV-QKD protocols. In our work, we focus on heterodyne detection and examine only reverse reconciliation, which is known to perform better than direct reconciliation for long transmission distances. We want to emphasise that our proof method is not restricted to these cases and can be adapted to include homodyne measurements as well as direct reconciliation. Our approach does not assume a priori a finite maximum photon-number but employs a rigorous treatment of infinite dimensions. While the work in Ref. [25] exploits the finite detection range of realistic detectors but assumes perfect detection efficiency, our approach also takes nonunit detection efficiencies into account and allows trusted detection. Even though a direct comparison of the obtained key rates is difficult, we observe that our finite-size key rates converge to the asymptotic key rates given in Ref. [21], while the finite-size key rates in Ref. [25], based on a Gaussian extremality argument, converge to the asymptotic key rates in Ref. [20], which for quaternary modulation are known to be loose and clearly lower than the key rates in Ref. [21]. This leads to clearly higher key rates and significantly higher maximum transmission distances for our proof.
This paper is structured as follows. In Section II, we describe the general DM CV-QKD protocol. In Section III, we introduce the notation for our paper (Section III A), discuss briefly Renner's ϵ-security framework (Section III B) and the dimension reduction method (Section III C). In Section IV we first outline the idea of our security proof (Section IV A), and then state our energy testing theorem (Section IV C) as well as our acceptance test theorem (Section IV D). Finally, we present our security proof in Section IV E. In Section V, we summarise the numerical method we are going to use to calculate a lower bound on our key rate expression from the previ-ous section and state the minimisation problem we have to solve. Furthermore, we include a brief explanation of the trusted, nonideal detector model. We present numerical key rates in Section VI, both for untrusted, ideal and trusted nonideal detectors. For ease of comparison to previous work, we present most of our findings in the setting of a 'unique acceptance set' as previous works often do. However, as acceptance sets define on which observations the protocol does not abort, they are important to evaluate the expected secure key rates of protocols (see Section III B). Thus, in Section VI D 3), we also provide plots of the key rate for a nonunique acceptance set. Finally, in Section VII, we summarise our results and give an outlook.

II. PROTOCOL DESCRIPTION
In what follows, we describe the discrete-modulated CV-QKD protocol we consider in the present work, where N St ∈ N denotes the number of distinct signal states used in the protocol and Greek letters put in bra-ket notation refer to coherent states. We present the prepare-andmeasure version of the protocol. Note that thanks to the source-replacement scheme [32,33] this is equivalent to the entanglement-based version of the protocol and we are free to switch between both versions in case this eases the security analysis.
1 State preparation-Alice prepares one out of N St possible coherent states |α⟩ with α ∈ {α 0 , ..., α N St −1 } in her lab with equal probability and sends it to Bob using the quantum channel. Alice associates every state with a symbol and keeps track of what she sent in a private register.
2 Measurement-Bob receives the signal and performs a heterodyne measurement to determine the quadratures of the received signal. This can be described by a positive operator-valued measure (POVM), for example, {E γ = 1 π |γ⟩⟨γ| : γ ∈ C}. After applying this POVM, Bob holds a complex number y k ∈ C that is stored in his private register.
Steps 1 and 2 are repeated N times.
3 Energy test-After completing the state preparation and measurement phases, Bob performs an energy test on k T < < N rounds by using the measurement results related to these rounds. If for most of the tested signals, the heterodyne detection gave small measurement results (see Eq. 5) , the test passes. This means that most of the weight of the transmitted signals lies within a finite-dimensional Hilbert space, except with some small probability ϵ ET . Otherwise, Alice and Bob abort the protocol. For details about the energy test, we refer to Section IV C.
4 Acceptance test -If the energy test was successful, Bob discloses the data from the rounds he used for the energy test via the classical channel. This information is used by Alice and Bob to determine statistical estimators for their observables. If they lie within the acceptance set, Alice and Bob proceed, otherwise, they abort the protocol.
5 Key map-Bob performs a reverse reconciliation key map on the remaining n := N − k T rounds to determine the raw key stringz. For this purpose, Bob's measurement outcomes are discretised to an element in the set {0, ..., N St −1, ⊥}, where symbols mapped to ⊥ are discarded. By choosing a key map that discards results in certain regions of the phase space, Bob can perform postselection as described in [19].
6 Error correction-Alice and Bob publicly communicate over the classical channel to reconcile their raw keysx andz. After the error correction phase, Alice and Bob share a common string except with a small probability ϵ EC .
7 Privacy amplification-Finally, they apply a two-universal hash function to their common string. Except with small probability ϵ PA , in the end, Alice and Bob hold a secret key.
We note that step 4 is often called parameter estimation. However, we want to emphasise that in the finite-size regime we can never estimate any properties of the 'real' density matrix, but only determine some statistical quantities based on our observations. First, we define a so-called acceptance-set, which can be imagined as a list of accepted observations. Based on our measurement results, we partition the set of all density matrices into two disjoint sets. The first one contains density matrices that lead to accepted statistics with probability less than ϵ AT , i.e., the protocol aborts with high probability for those states. The second set is the complement of the first one and in what follows, we can restrict our security considerations to states lying in the latter set, called the 'relevant set'. Based on this construction, we restrict our analysis to states that are ϵ-secure with ϵ < ϵ AT . For a more detailed discussion of the idea of acceptance sets, we refer the reader to [31,Section II.B], where this notion is discussed for discrete-variable QKD.
While we present our security proof approach for an arbitrary number N St of signal states, we demonstrate our numerical results for a quadrature phase-shift keying protocol with N St = 4, where all four states are arranged equidistant on a circle with radius |α|, α k ∈ {|α|, i|α|, −|α|, −i|α|}, where i denotes the complex unit. In this case, the key map in step 5 of the protocol description looks as followsz where ∆ r ≥ 0 is the radial postselection parameter and arg(z) denotes the polar angle between the vector representing z and the positive q axis.

III. BACKGROUND
In this section, we set the stage for our security analysis by giving the necessary background. We summarise the notation used (Section III A), briefly discuss attack types and ϵ-security (Section III B) and summarise the proof method of dimension reduction (Section III C).

A. Notation
We start by clarifying the mathematical terminology and notation.

Miscellaneous notation
In the present work, by H we denote a separable Hilbert space, where we do not make any assumptions about the dimension. In particular, H can be infinite dimensional. If we want to explicitly refer to a finitedimensional Hilbert space, we add a superscript H n , where n refers to the highest number state that is still part of the Hilbert space. Since number states start with the vacuum state |0⟩, H n contains a maximum of n + 1 linearly independent vectors; hence, the dimension of H n is n + 1. We use natural units in the whole manuscript, hence the quadrature operators readq := 1 √ 2 (â † +â) and p := i √ 2 (â † −â), whereâ andâ † are the bosonic ladder operators defined by their action on number states a † |n⟩ = √ n + 1|n + 1⟩ andâ|n⟩ = √ n|n − 1⟩. Then, the commutation relation between the quadratures q-and p reads [q,p] = 1i. Another important operator will be the displacement operatorD(β) := exp βâ † − β * â . We denote displaced quantities by writing the displacement into the subscript. For example, displaced number states (with displacement β) will be denoted by |n β ⟩ :=D(β) |n⟩.

Distance measures
The trace distance and purified distance are two common distance measures used in this work to quantify the distance between two quantum states. The trace distance is given by ∆(ρ, σ) := 1 2 ||ρ − σ|| 1 while the purified distance is defined as P(ρ, σ) : is the generalised fidelity. Here, Π is the projector onto H and F (ρ, σ) := Tr √ ρσ √ ρ 2 is the traditional fidelity.

Smooth min-entropy
Besides the von Neumann entropy, the (smooth) minentropy is an important information measure in QKD security analyses and is used to quantify the uncertainty of an observer on a quantum state. Therefore, in the present subsection, we briefly define and introduce this quantity. For separable Hilbert spaces H A , H B as well as ρ AB ∈ D(H A ⊗ H B ), σ B ∈ D(H B ) we define the minentropy of ρ AB relative to σ B by The min-entropy of ρ AB given H B is then Based on the nonsmoothed version, we introduce the smooth min-entropy of ρ AB relative to σ B with, B ϵ (ρ) denoting the ϵ-ball around ρ. Depending on the distance measure used for smoothing, the ϵ-ball reads Finally, the smooth min-entropy of ρ AB given H B reads In the remaining text, we are going to indicate the used smoothing ball in the subscript, so H ϵ min(TD) for trace distance smoothing and H ϵ min(PD) for purified distance smoothing.
B. Composable security and the ϵ-security framework In this section, we summarize the idea of composable security, Renner's ϵ-security framework, and ϵ−completeness [35,36]. Usually, we analyse the security of cryptographic tasks that will be combined with other cryptographic routines to form a large cryptographic protocol. Therefore, we demand so-called composable security of cryptographic routines, which means that the security of a combination of those routines can be given solely relying on the security of its subprotocols. The definition of composable security compares an ideal secure protocol with the real protocol and asks if an adversary is able to distinguish between both protocols when given access to the outputs of both protocols but not Alice's and Bob's private data. Formally, for QKD this means that the adversary is given two quantum states, where the first one is the output of the ideal protocol and the second one the output of the real protocol. Here, S is the set of possible keys, S A and S B are Alice's and Bob's keys, respectively, and ρ E denotes Eve's state.
Since we cannot expect any protocol to be perfectly secure, we aim to limit the adversary's advantage when distinguishing between the ideal and the real protocol by some small number ϵ > 0. The formal security condition then reads So, the adversary's advantage when distinguishing between the ideal and the real protocol is smaller or equal to 1 2 + ϵ. Taking a closer look at this difference, we observe that we formalise how much the realistic state differs from a situation where Alice and Bob share exactly the same key and Eve is fully decoupled from their system. By applying a triangle inequality in the security definition, these conditions can be considered separately as ϵ cor -correctness and ϵ sec -secrecy (see, for example, [37,Theorem 4.1]). The ϵ cor -correctness condition, Pr [s A ̸ = s B ] ≤ ϵ cor , describes the situation where the protocol does not abort and Alice and Bob do not share the same key, chosen according to the distribution defined by ρ S A S B . The ϵ sec -secrecy condition can be writ- and captures the situation, where the protocol does not abort and the shared key is not private, i.e., known to Eve. A more detailed discussion of composability and ϵ-security can be found in Ref. [37].
Completeness Lastly, we remark that ϵ−security alone does not imply that a protocol is practical. This is easy to see. Consider a protocol that aborts unless it observes a specific set of statistics q ⋆ ∈ R m for some m ∈ N, which we later refer to as 'unique acceptance.' Then, in general, one would expect even if one were sampling from the distribution q ⋆ , the probability of observing q ⋆ would be small for a finite number of samples. Therefore, the probability of aborting the protocol will be high. It would follow that even if one could generate a great deal of key conditioned on nonaborting, the protocol is not very useful because it might almost always abort. The definition of completeness captures this notion.
where Honest means the honest implementation of the protocol, which is defined by the expected behaviour of the devices and the communication channel. That is, it is ν c QKD −complete only if when Eve 'does nothing', the protocol accepts except with probability ν c QKD .

C. Dimension reduction method
Proving the security of CV-QKD protocols involves dealing with optimisation problems over infinite dimensional Hilbert spaces. However, numerical methods for key rate calculation can only be applied to finitedimensional problems. Assuming an artificial heuristically argued cutoff is not rigorous enough for a finite-size security analysis. The dimension reduction method [21] connects an infinite dimensional convex optimisation problem to a finite-dimensional problem. In more detail, under some reasonable requirements for the objective function, the dimension reduction method tightly lower-bounds the infinite dimensional convex optimisation problem by a finite-dimensional convex optimisation problem and some penalty term. In what follows, we state the main theorem ([21, Theorem 1]) where we used the improved correction term from Refs. [38,39]. We refer the reader to the original paper for further details.
Theorem 2 (Dimension Reduction). Let H be a separable Hilbert space and Π the projection onto some finite-dimensional subspace H fin of H as well as Π ⊥ the projection onto (H fin ) ⊥ . Let ρ ∞ ∈ D ≤ (H) and ρ fin ∈ D ≤ (H fin ). If f : D ≤ (H) → R is uniformly close to decreasing under projection, that is and w ≤ Tr ρΠ ⊥ , then Here, |Z| denotes the dimension of the key map and h(·) is the binary entropy.
Note that the weight w depends on the dimension of the chosen finite-dimensional Hilbert space, so the correction term ∆(w) depends on the chosen subspace H fin . Consequently, we aim to choose a subspace such that the weight can be expected as small as possible. Based on a model for fibre-based implementations of QKD protocols, it was shown in [21] that it is advantageous to project onto a subspace spanned by displaced Fock states |n γ ⟩ = D(γ)|n⟩. Then, for the ith state the projection acting on Bob's Hilbert space reads Π := nc n=0 |n βi ⟩⟨n βi |, where is a list of complex numbers, chosen as √ ηα i .

IV. SECURITY PROOF APPROACH
In contrast to discrete-variable QKD and Gaussianmodulated CV-QKD, the security of discrete-modulated CV-QKD protocols has so far mainly been analysed in the asymptotic limit. Many useful symmetry properties, simplifications and tricks for protocols with Gaussian modulation that help to handle infinite dimensions there do not apply to discrete-modulated protocols, so we cannot expect security proofs to have a similar structure. Instead we to apply the numerical security proof framework introduced in Refs. [29,30] to obtain lower bounds on the secure key rate. Before we can do so, we need to find an expression for a lower bound on the secure key rate in the finite-size regime and argue the security of the underlying protocol.
In contrast to the asymptotic case, in finite-size analyses, the expectation values of our observables are not known with certainty. Hence, we need to define an acceptance set and consider in our security analysis only states that are more than ϵ-likely to produce a compatible observation. Therefore, we need to perform a statistical test. Unfortunately, most of the standard (wellscaled) concentration inequalities only apply for bounded observables, while, for example, the photon-number operator is unbounded for infinite dimensional Hilbert spaces. This is a serious issue, since the standard dimension reduction method, which one might want to use to reduce the dimension of the problem, cannot be applied directly as we need to know the (finite) expectation values of our (unbounded) observables to even formulate the finite-dimensional lower bound of the original optimisation. Besides that, we expect additional correction terms that are suppressed in the limit of infinitely many rounds but may become relevant for a finite number of signals.
Finally, from the perspective of a security proof, we note that many statements in Renner's thesis [36] assume finite-dimensional Hilbert spaces; therefore we need to carefully analyse which statements in the ϵ-security framework we want to use can be extended to infinite dimensional Hilbert spaces. Having listed the difficulties of a DM CV-QKD security proof, we provide a high-level outline of our proof in the following section.
A. High-level outline of the security proof Before we discuss the intricacies of our security proof, let us present the big picture of our approach. In our proof, we consider i.i.d. collective attacks. This means that Eve prepares a fresh ancilla state to interact with each round of the protocol in an identical manner and then stores them in a quantum memory. Once Alice and Bob have finally executed their protocol, she measures her quantum memory, encompassing all the ancillae, collectively. In particular, this means that there are no correlations between different rounds, enabling us to treat each round equally.
Since Alice's quantum signals went through the quantum channel, which is under Eve's control, we do not know a priori if there is a maximum photon-number in the states Bob receives. Moreover, since the worstcase scenario occurs when Eve possesses a purification of Bob's states, her purifying system is also infinite dimensional. Consequently, we require a security proof that encompasses infinite dimensional systems.
Within Renner's finite-size framework [36], the leftover hashing lemma tells us that if Alice and Bob apply a randomly chosen hash function from the family of twouniversal hash functions, the output is secure as long as it is smaller than Eve's uncertainty about Alice's and Bob's initial key strings. However, Renner's initial work assumes finite-dimensional Hilbert spaces, so we cannot apply his results directly. To resolve this, we use the leftover hashing lemma against infinite dimensional side information ( [40,Proposition 21]) to derive our entropic condition on the key length (Lemma 9 in Appendix C). It remains to take the effect of classical communication during the error correction phase into account. Thanks to Lemma 13 in Appendix C we can separate Eve's information leakage from information reconciliation and from other sources, and convert the effect of the information reconciliation term into a leakage term, even if one one of the conditioning systems (Eve's purifying system) is still infinite dimensional. We then use various properties of the smooth min-entropy to simplify the expression, giving an upper bound on the secure key rate. Following the methodology of Furrer et al. [41], we establish the asymptotic equipartition property (AEP) from Renner's thesis [36] and extended it to infinite dimensional quantum side information (Corollary 20 in Appendix D) [42].
We aim to apply a generalized version of the numerical security proof framework introduced in Refs. [29,30].
Hence, we have to represent the relevant occurring quantum systems on a computer and solve optimization problems. We cannot represent infinite dimensional states or spaces on a computer. In particular, there is a maximum practical dimension that can be represented numerically, which means that the numerical dimension of the problem cannot grow with the block size. To make our security proof rigorous, we do not want to simply assume a cutoff dimension. Thus, we design a method that guarantees that the analysed quantum states have high weight in a low-dimensional (thus, in particular, finitedimensional) subspace. In more detail, within the framework of our acceptance analysis, we develop an energy test (Theorem 3 below) that rigorously bounds the effective dimension. If the test passes, except with some small probability ϵ ET , most of the weight of the states sent lies within the chosen cutoff space H nc . The remaining errors due to cutting off at some finite-dimension are handled by the dimension reduction method [21] (Theorem 2), which allows us to translate the infinite dimensional optimization problem into a finite-dimensional semidefinite program.
It remains to discuss how the acceptance set is defined. The acceptance analysis guarantees that the state generated by Eve's attack either results in a secure key via the specified protocol or generates statistics such that the protocol aborts except with small probability. Now, recall that the security proof has to be done in infinite dimensions and that the dimension reduction method relates a well-defined infinite dimensional optimization problem with a finite-dimensional one. Thus, the acceptance set has to be defined on the infinite dimensional states. Unfortunately, the convergence of the sample mean to the true mean of unbounded random variables is only limited by Chebyshev's inequality, which gives slow convergence, and hence low key rates. Hence, using unbounded observables would be impractical. To enforce our observables to be bounded, we introduce a "soft detection limit," i.e., we coarse grain the measurement results, which allows us to bound our modified observables. We then can use Hoeffding's inequality to perform a statistical test, the acceptance test (Theorem 4 below), and obtain bounds on the expectations. Mathematically, we distinguish between two scenarios for both tests. Either the test fails, meaning that with high probability the observed statistical quantity does not correspond to a state in our acceptance set, or the test passes. Hence, after performing both the energy test and the acceptance test, we know that the actual state is ϵ ET + ϵ AT close to the set we consider in our security analysis.
Finally, we obtain a semidefinite program that we solve with an extension of the numerical framework presented in [29,30].

B. Bounding observables
As we we argued in the previous section, it is crucial for the security proof that the observables are bounded. To achieve this, inspired by real detectors, we modify our detector model such that detectors have a finite detection range, i.e., possible measurement outcomes are confined in a finite region M, for example, q, p ∈ M = [−M, M ] of the phase space. We note that this parameter M does not have to be exactly the physical limit of the real detector (e.g., the value corresponding to the maximal output of the analog-to-digital converter (ADC) ) as we simply introduce a 'soft detection limit' that only has to be smaller than the physical detection limit. This method takes results q and p with values larger (smaller) than M (−M ) and simply sets them to M (−M ). We want to highlight that this means that we do not need to model the exact physical process happening when strong laser pulses enter the detector, as long as we set M small enough. Effectively, we introduce an additional postselection region for measurement results with absolute value larger than M , which is already included in our postprocessing framework (see Ref. [19]). For the time being, it suffices to know that this allows us to bound every observableX by some x(M ) < ∞ and we postpone the detailed derivation for the observables occurring in the protocol we used to illustrate our security proof to later.

C. Energy Test
One of the first steps in our protocol is to perform an energy test. The goal of performing an energy test is to make a probabilistic statement about the maximum energy of a set of states by testing a subset of the total number of signals. Before we come to our version, we briefly discuss issues with existing energy tests [26,43,44] that prevented us from applying one of those.
The energy test presented in Ref. [26] makes use of the permutation invariance of the individual rounds in many QKD protocols. There, the authors performed testing on some subset of the signals and states that, except with some small probability, most of the remaining rounds live in finite-dimensional Hilbert spaces. However, since there remain some possibly infinite dimensional rounds, we cannot apply this energy test. In contrast, the energy test in Ref. [43] examines a small subset of all rounds, resulting in a statistical statement about the dimension of all remaining rounds and does not leave back any possibly infinite dimensional systems. However, this test requires a very strong phase-space rotation symmetry that our protocol does not satisfy. The approach in Ref. [44] adds a beam splitter to the experimental setup and therefore performs testing on some small fraction of every signal. However, as this comes with additional components such as a beam splitter and a second heterodyne measurement setup, it is experimentally less favourable. Thus, we developed our own energy test that does not require additional hardware and does not assume any particular phase-space symmetry.
As outlined in the protocol description, after transmitting N rounds of signals, Alice and Bob perform an energy test on k T < < N modes, i.e. they perform a heterodyne measurement to determine the quadratures of the chosen rounds. As we show in Appendix A, this can be used for the following statement.
Theorem 3 (Noise robust energy test). Consider signal states of the form ρ ⊗N , and let k T ∈ N, k T < < N , be the number of signals sacrificed for testing and l T ∈ N be the number of rounds that may not satisfy the testing condition. Denote by (Y 1 , ..., Y k T ) the absolute values of the results of the test measurement. Pick a weight w ∈ [0, 1], a photon cutoff number n c and a testing pa- is the upper incomplete gamma function, as well as Q y := 1 − y y and Finally, let Π ⊥ be the projector onto the complement of the photon cutoff space H nc . Then, as long as l T k T < w r for all ρ such that Tr Π ⊥ ρ ≥ w, where D(·||·) is the Kullback-Leibler divergence.

Proof. See Appendix A.
In other words, the energy test tells us that for all ρ that satisfy Tr Π ⊥ ρ ≥ w the energy test will fail except with probability ϵ ET .
Note that the theorem only tells us something in the case in which the energy test passes. If the energy test fails, we abort the whole protocol and therefore it is (trivially) secure. Furthermore, as Alice's lab is assumed to be inaccessible to Eve, the test needs to be performed only by Bob.

D. Acceptance test
After passing the energy test, working in a finitedimensional Hilbert space allows us to specify the relevant set for our observables. This is the set we restrict our security analysis to (see our discussion in Section II), based on statistical bounds for the observed values of our observables. This statistical test replaces the parameter estimation step in asymptotic security analyses. In particular, for any given set of observed statistics, the protocol must either abort or accept. To be secure, the acceptance set is a set of states such that any state not in the set could only have generated any of the accepted statistics with probability less than ϵ AT . The following theorem establishes such a set of states.
Theorem 4 (Acceptance Test). Let Θ be the set of Bob's observables. Let r ∈ R |Θ| and t ∈ R |Θ| ≥0 , where |Θ| denotes the cardinality of Θ. Define the set of accepted statistics as and the corresponding acceptance set as where r X is the Xth element of the vector r and likewise for t X . For every X ∈ Θ, let where x := ∥X∥ ∞ and m X is the number of tests for the observable X. If ρ ̸ ∈ S AT , then the probability of accepting the statistics generated by the i.i.d. measurements of ρ ⊗n is bounded above by ϵ AT . That is, the complement of S AT are all ϵ AT -filtered.
Proof. First, using Hölder's inequality, for the observable X, we obtain therefore, E(X) = Tr [ρX] ≤ x. This implies that our measurement results with respect to the observable X lie within the interval [−x, x] (or [0, x] in case X is positive semidefinite). Hence, we can apply Hoeffding's inequality [45] which states that where X is the average of the observations, i.e. the empirical mean. For positive semidefinite X, we replace 2x in the denominator of the exponent by x. Then, we obtain the µ X given in the theorem statement from basic algebra.
Next we show that if |Θ| = 1 with a unique element X then S AT only has ϵ AT −filtered states in its complement. For this case, we denote the set S AT X . Let v X ∈ R be the empirical mean of this unique observable, e.g. v X := X for X ∈ Θ. Then we have by Hoeffding's inequality that except with probability ϵ X AT , v X − Tr ρ X < µ X , where ρ is the state from which we are i.i.d. sampling. Now we show every state not in S AT X is ϵ AT −filtered. Let σ ̸ ∈ S AT X . Then, which follows from the definition of S AT X and the definition of the accepted statistics (6). Now note the implication which follows from the triangle inequality: Therefore, combining these points, Thus, we have shown in the one-parameter case, the set S AT X only has ϵ X AT −filtered states in its complement. All that is left to do is to lift from the one-parameter case to the many-parameter case. We want to do this without using a union bound. To do this, we first set the ϵ-parameter to be the same for every observable, i.e. ∀X, X ′ ∈ Θ : ϵ X AT = ϵ X ′ AT =: ϵ AT . Then we note that S AT = ∩ X∈Θ S AT X . It is known that if one takes the intersection of sets each of which only has ϵ−filtered states in the complement, then the intersection also only contains ϵ−filtered states in the complement ([31, Theorem 5]). Thus, as we established the filtering property for the single observable case, and S AT is the intersection of single observable cases, we know that if σ ̸ ∈ S AT , then σ is ϵ AT −filtered. This is what we wanted to establish, so this completes the proof.
Before moving forward, we note that the reason we need the vector t ∈ R Θ ≥0 is not for security, but rather for the completeness of the protocol. Indeed, if t = 0 then we would filter all states that do not result in statistics r except with probability ϵ AT . This has often been the case considered in previous works implicitly and we call this setting the unique acceptance set following terminology from Ref. [31]. However, we note that the probability of obtaining the statistics r is in general close to zero, so the protocol defined via a unique acceptance set aborts almost all of the time. For this reason a good key length in the unique acceptance setting is in some sense not useful. Thus, we use t to draw a "box" of accepted statistics around some ideal statistics r. This will of course decrease the key rate, but it will increase the completeness, thereby making the protocol practical. Indeed, we can show the following. Proposition 5. Let r be defined via r X := Tr [σX] where σ is the state after the honest implementation of the channel. Let l T , k T be the same as in Theorem 3, and let V 1 be defined as in the proof of Theorem 3.
EC is a parameter of the chosen error correcting code and where m X is the number of tests of observable X.

Proof. See Appendix F.
We note that if t X = 0 for any X, then the protocol is always 1-complete by these bounds, which we do not want.
To summarise, the above theorem tells us that states whose expected values deviate too far from r in terms of µ X and t X , and hence are not part of the acceptance set S AT , will only be accepted by our testing procedure with very low probability. Thus, at the cost of introducing a small probability of error ϵ AT , the remaining security analysis focuses on states in S AT . Additionally, via smart choices of parameter t, the theorem allows us to tune the success probability of the protocol.

E. Finite-size security proof
After having finished all preparations, we now establish the security proof of the present CV-QKD protocol against i.i.d. collective attacks. We state our main result, the security statement against i.i.d. collective attacks, in the following theorem and prove it afterwards.
Proof. According to our assumption, after completing N rounds of the quantum phase in the present QKD protocol, Alice and Bob share the state ρ ⊗N AB ∈ D((H A ⊗ H B ) ⊗N ). Alice and Bob choose randomly k T of those rounds for testing, where they first perform the energy test, followed by the acceptance test. Recall the notion of ϵ-securely filtered states; an input state σ is called ϵsecurely filtered if the probability that the corresponding statistical test does not abort on σ is less than ϵ. This allows us to define Analogously, as a subset of all states that have not been filtered by the energy test, we define the set of states that have not been filtered by the acceptance test with probability greater than 1 − ϵ AT S E&A := σ ∈ S ET : This set combines the results of Theorem 3 and Theorem 4. In what follows, when we refer to 'passing the testing' we mean that both tests pass successfully.
Because of the nature of statistical testing, in our security analysis we never know the actual state Bob receives, but only decide to proceed or abort the protocol, based on if the received state lies within a predefined set. Therefore, we split the security argument into two cases: Denote by Ω the event that Alice's and Bob's testing succeeds, i.e., the tests pass. Note that if we write a state conditioned on an event we do not imply that this state was renormalised.
To ease notation, we define the map E QKD := E key • E AT • E ET , representing the action of the QKD protocol, where E ET and E AT denote the quantum channels representing the energy test and the acceptance test and E key is the map denoting the classical postprocessing.
Let ρ ABE = σ ⊗N be an arbitrary i.i.d. input state and ρ S A S B E ′ := E QKD (ρ ABE ). Here E ′ denotes Eve's register E including all information she gathered from the classical communication between Alice and Bob. This state can either pass or fail the testing. Note that the protocol is trivially secure if the testing procedure aborts the protocol. For the difference between ρ S A S B E ′ and a uniformly distributed key that is fully decoupled from Eve, we obtain where, for the second inequality, we inserted the definition of ϵ EC . The last term can be simplified further, taking into account that the input was assumed to be i.i.d. and therefore the two cases 1.) the test passes and the input is in set S E&A and 2.) the test passes and the input is not in S E&A are mutually exclusive. We obtain where A := {σ ⊗n : σ ∈ S E&A } and, following the argument in the proof of [46, Theorem 3.2.5], we dropped the register S B since we condition on S A = S B , which means that the ideal output and the conditioned output have perfectly correlated classical registers, and hence contain redundant information. The second term in the maximum is upper bounded by where the first inequality uses the fact that the distinguishability given that Alice and Bob accept the testing is upper bounded by the probability of passing the test, and, for the second inequality we used Theorem 3 and Theorem 4 which define the set S E&A . It remains to upper bound the first term in the maximum, which refers to the case where σ ∈ S E&A and describes the fact that Alice's and Bob's shared key is only partially secret. This problem is addressed by performing privacy amplification, which is characterised by the leftover hashing lemma [36, Lemma 5.6.1]. We use the version that applies to infinite dimensional side information (Lemma 9). In Lemma 9, we set ϵ sec = ϵPA 2 + 2ϵ ′ and ϵ ′ =ε 2 . Then, for any input σ ⊗n with σ ∈ S E&A , the output will satisfy as long as we choose Register C denotes the information reconciliation transcript. Therefore, putting things together, we obtain Lemma 13 in Appendix C extends a statement in [36, Lemma 6.4.1] to infinite dimensional side information and allows us to remove the classical register C containing the transcript of the information reconciliation procedure from the smooth min-entropy at the cost of leak EC bits, While this completes our finite-size analysis, we want to optimise over finite-dimensional (in more detail: lowdimensional) states. Our energy test (Theorem 3) guarantees that any state that is not ϵ ET -filtered has at most weight w outside the cutoff space (defined by parameter n c in the energy test), and hence satisfies Tr [ρΠ nc ] = 1 − w. Using Theorem 2, we can relate the values of our objective function on inputs from an infinite dimensional Hilbert space to its values on projections onto a finite-dimensional subspace H nc by taking an additional weight-dependent correction term ∆(w) (see Eq. (4))into account. Hence, we arrive at Finally, we divide both sides by N , the total number of signals sent, and obtain where we defined δ EC leak := leakEC N (see Section V D). Hence, the key we obtain is ϵ sec = max 1 2 ϵ PA +ε, ϵ ET + ϵ ATsecret and ϵ cor = ϵ EC -correct, so ϵ := ϵ sec + ϵ cor -secure, which finishes the proof.

V. NUMERICAL SECURITY PROOF METHOD
Having derived the secure key rate formula and having transformed it into a finite-dimensional optimisation problem, it remains to calculate lower bounds on the secure key rate numerically. It turns out that the optimisation problem in Eq. (14) is a semidefinite program with convex, nonlinear objective function f : Since we are interested in finding a reliable lower bound on the secure key rate, it does not suffice to find an approximate solution to this minimisation problem. Therefore, we apply the numerical method developed in Refs. [29,30], which we are going to summarise briefly in what follows.

A. Idea of the numerical method
The idea of the numerical method is to split the problem into two steps. In the first step, the nonlinear problem is solved approximately, for example by an iterative first-order algorithm like the Frank-Wolfe algorithm [47]. We end up with an approximate solution ρ Step 1 on the minimisation problem. This is, however, not a reliable lower bound on the secure key rate. Therefore, we apply step 2, which helps us to transform this suboptimal solution into a reliable lower bound, using a linearisation and SDP-duality theory. We calculate ∇f (ρ Step 1 ), the gradient of our objective function at the approximate minimum from step 1, and use a relaxation theorem to formulate an expanded, linearised semidefinite program. This can be seen as lower bounding the (convex) objective function by a hyperplane, tangent at ρ Step 1 . To take numerical imprecisions into account, the feasible set is enlarged by some small ϵ num . Then the dual of this expanded SDP is solved numerically. Because of results from duality theory in semidefinite programming, every feasible point of this dual SDP is a lower bound on the initial optimisation problem. Consequently, we obtain a reliable lower bound on the optimisation problem in Eq. (14), and hence a reliable lower bound on the secure key rate.

B. Infinite dimensional, asymptotic optimisation
In this section, we summarise the details of the formulation of the used numerical method for a DM-CV QKD protocol in the asymptotic limit for infinite dimensional Hilbert spaces, following Refs. [19,21]. Even though we treat a more general case, this will be helpful to us to understand the formulation of the optimisation problem in the finite-size regime.
As outlined in the protocol description, in the prepareand-measure picture, Alice chooses one out of N St coherent states Ψ i ∈ {α 0 , ..., α NSt−1 } with probability p i and sends it to Bob. This can be modelled as Alice preparing the pure state where Alice keeps register A and sends register A ′ to Bob via the quantum channel E A ′ →B , which is under Eve's control. We denote the joint state of Alice, Bob and Eve by ρ ABE . As Eve cannot access Alice's lab in the source replacement scheme, P&M schemes are subject to the constraint ρ A := We model the postprocessing steps and the key map conducted by Alice and Bob as quantum channel Φ that stores the resulting key in the classical register Z, where R z B is the so-called region operator, describing the key map on Bob's side (see Figure 1), In the asymptotic limit, the secure key rate is given by the Devetak-Winter formula [48]. Taking realistic error correction into account, this leads to the following expression where S ∞ denotes the feasible set of the optimisation to find secure key rates in the asymptotic limit. In what follows, we provide details about this set. For ease of notation, we denote the objective function by f (ρ). The set S ∞ is defined by constraints due to Bob's measurements as well as by additional requirements on the quantum state shared between Alice and Bob. As outlined above, we assume Alice's lab is inaccessible to Eve so that her share of the state cannot change during the key-generation process. Next, we take Bob's measurements into account. We generically denote Bob's measurement operators byΓ j and the corresponding expected values by γ j , where j ∈ {1, ..., N meas } with N meas being the number of different measurement operators Bob applies. Additionally, as we optimise over a set  Sketch of the key map in phase space in (a) the standard setting for the ideal protocol, and (b) the modified setting with confined measurement (see Section V F and the discussion in Appendix B 3). The symbol ⊥ denotes results that are discarded while the shaded areas illustrate which points in phase space are associated with which symbol.
of valid density matrices, we require the trace to be equal to one and demand positive semidefiniteness. Then, the generic structure of the optimisation problem reads where j runs from 1 to the number of constraints we introduce. Hence, S ∞ reads where, to ease the notation, we included the constraint Tr [ρ] = 1 into our set of measurement-induced constraints, by definingΓ 0 := 1 and the corresponding expected value by γ 0 := 1. Consequently, we redefine the index set for j as {0, ..., N meas }.
As outlined in the protocol description, Bob performs a heterodyne measurement so that he has access to the moments of the received signals. We follow the approach in [21] to use the photon-number operatorn and its squaren 2 as Bob's observables and then express our constraints in the displaced number basis since these combinations turned out to give good estimation of the weight when we applied the dimension reduction method. Therefore, Γ j ∈ {1, |i⟩⟨i| ⊗n βi , |i⟩⟨i| ⊗n 2 βi } and γ j ∈ {1, ⟨n βi ⟩, ⟨n 2 βi ⟩} for i ∈ {0, ..., N St − 1}. As f is a convex function and the feasible set S ∞ is convex, we have a convex optimisation problem, which can be solved using the numerical security proof framework in Refs. [29,30].

C. Finite-size optimisation problem
Note that the objective function of the optimisation in the asymptotic limit (19) is the same as for the finite-size problem (14), while the feasible sets differ. Furthermore, there are additional correction terms for the finite-size version of the key rate formula. However, as these terms are constant with respect to the performed optimisation, they do not influence the structure of the SDP.
In the finite-size regime, we do not know the expected values of our observables with certainty. As outlined in the protocol description, we fix some small ϵ AT > 0 and a testing ratio r test ∈ (0, 1) such that k := r test ·N and perform testing on k randomly selected rounds. According to Theorem 4, we obtain bounds µ j which define our acceptance set. Therefore, our actual optimisation problem reads It is shown in Appendix E that finally, after applying the dimension reduction method, and various steps to bring the SDP to a more favourable form, we obtain the following (primal) optimisation problem where j ∈ {0, ..., N St − 1} and a j and b j denote the j-th entry of the vectors ⃗ a and ⃗ b, respectively. It remains to solve this SDP numerically to obtain lower bounds on the secure key rate. In the present work, we use the technique introduced in [30], where secure key rates are obtained via the two-step process described in Section V A. For the reader's convenience, we derive the corresponding dual problem in Appendix E.

D. Error correction
In this subsection, we briefly explain the informationreconciliation leakage term. In the case one is able to carry out the information reconciliation procedure in the Slepian-Wolf limit [49], the EC leakage term reads Here, X and Y represent Alice's and Bob's key strings. Since we cannot expect to perform error correction in the optimal limit, we assume only a fraction 0 < β ≤ 1 of the mutual information between Alice's and Bob's key strings can be used. Hence, I(X : Y ) in the formula above is replaced by βI(X : Y ). Therefore, Finally, the total leakage term is the sum of the correction term we just derived and the verification term. We obtain [31] leak EC ≤ n δ β EC + log 2 2 ϵ EC .
As the present protocol allows postselection, not all signals might be used for signal generation. Hence, not all signals have to undergo the information reconciliation procedure. Therefore, we replace leak EC → p pass leak EC , where p pass is the probability that a round passes the postselection routine.

E. Trusted, nonideal detector approach
So far, it has been assumed that Bob's detectors are ideal (i.e., 100% detection efficiency and no electronic noise) and we therefore dedicated all noise to Eve. In real-world implementations, detectors are noisy and have detection efficiency smaller than one. The trusted, nonideal detector model introduced in Ref. [50] enables us to include realistic detectors in our key rate calculations and allows us to trust those parts of the noise that come from Bob's detection devices. This assumption is reasonable since Bob's detectors are located in his lab, and hence assumed to be inaccessible to Eve.
The idea of the model is to introduce an additional beam splitter in front of every perfect homodyne detector that measure either the q or p quadrature. The transmission is chosen to be equal to the detector efficiencies η q and η p . At the second input port of both of those beam splitters, the signal is mixed with a thermal state with mean photon-numbersn i = ν el,i 2(1−ηi) for i ∈ {q, p}. Therefore, the output signals experience electronic noise ν el, q and ν el, p , respectively. Finally, two ideal homodyne detectors are used to perform the measurement. For more details regarding the trusted, nonideal detector we refer the reader to Ref. [50]. A sketch of the trusted detector scheme can be found in [50, Figure 2].

F. Bounding the detection range
As outlined in Section IV B, we ensure fast convergence of our acceptance test by constraining the observables to the detection range of the heterodyne detector. In line with the discussion in Ref. [21], in the ideal (nonrestricted) detector model, operatorsX can be represented asX where fX (ζ) is some scalar-valued function and 1 π |ζ⟩⟨ζ| is the POVM corresponding to an ideal heterodyne measurement. Its noisy counterpart reads where G ζ is the nonideal trusted detector POVM derived in Ref. [50]. In order to restrict the measurement results to the interval M = [−M, M ] 2 , we need to modify function fX . This involves partitioning the phase space into distinct regions and replacing f X (ζ) with g X (ζ).
Function gX (ζ) takes into consideration the finite detection range that has been proposed, where ζ x denotes the real part of ζ, while ζ y denotes the imaginary part of ζ. In the current protocol, we perform measurements ofn andn 2 in the displaced number basis. We derive expressions for the observations of [n] ′ b and [n 2 ] ′ b , which are the bounded and noisy equivalents ofn andn 2 , in Appendix B.
With our observables now being bounded, we can readily observe that we obtain xn = M 2 − 1 2 and xn2 = M 4 − 1 2 M 2 for the constants involved in Theorem 4.

A. Quadrature phase-shift keying protocol
To provide numerical key rates, we restrict our proof for general discrete-modulated CV-QKD protocols to the special case of N St = 4 signal states arranged on a circle in the phase space, a so-called quadrature phase-shift keying protocol. Therefore, in every round, Alice prepares one of the states {|α⟩, |iα⟩, | − α⟩, | − iα⟩} with equal probability, where α ∈ R is arbitrary but fixed. Bob then performs heterodyne detection on the states he receives. While our security proof works for both direct-and reverse reconciliation, we proceed with reverse reconciliation that is known to outperform direct reconciliation for CV-QKD protocols in the long-distance regime. Therefore, Bob performs the key map and assigns symbols to his measurement results, depending on which area of phase space the measurement outcomes lie. This includes the option of performing postselection to increase the key rate. For more details regarding the protocol, we refer the reader to [19,Protocol 2]. Since our description of the numerical method in Section V A was general, the expressions there apply to the present special case if we choose N St = 4.

B. Choice of the weight
In our security proof, the weight w = Tr ρΠ ⊥ plays a twofold role. On the one hand, it appears as a parameter in the energy test, while on the other hand, it determines the size of the correction term ∆(w) arising from the dimension reduction method. While the asymptotic dimension reduction method gives a bound on the weight via another semidefinite program, in our case w is chosen freely during the energy test. This means that, in principle, one could choose the weight arbitrarily small, resulting in a negligible correction term without corrupting our security statement (possibly resulting in a large ϵ ET ). However, since the energy test only makes a statement in the case when the test passes and aborts otherwise (in which case it is trivially secure), this comes at the cost of a high failure rate of the energy test, hence ultimately a low average key rate. Therefore, the choice of the weight w is a balancing act between aiming for a low correction term and making the energy test pass with high probability. In order to assure that, we required that the energy test passes with high probability in the honest implementation, i.e., when Eve is passive. Therefore, we modelled the quantum channel connecting Alice and Bob as a noisy and lossy Gaussian channel with excess noise ξ and transmittance η and calculated the expected weight w exp outside the cutoff space. Then, one possible choice for the weight is w ≥ w exp . We want to highlight that this was a choice motivated by practicality and is not a requirement of the security proof. Alternatively, we may fix ϵ ET and just solve the expression for ϵ ET obtained from the energy testing theorem (Theorem 3) for w to obtain w ϵ . In practice, we introduce a minimal weight w min and choose the weight w := max{w exp , w ϵ , w min } to make sure it is both compatible with the chosen ϵ ET and large enough such that the energy test passes with high probability on the honest implementation.

C. Details about the implementation
Before we come to our numerical results, we briefly discuss our choice of parameters and some technical details. To demonstrate the performance of the chosen 8  quadrature phase-shift keying protocol under our finitesize security proof, we simulate the expectation values (see Eqs. (20) and optimisation problems derived thereof) obtained from an experiment by modelling Alice's coherent states passing a noisy and lossy Gaussian channel with excess noise ξ and channel transmittance η. The excess noise is understood as preparation noise on Alice's side so that it is taken to be fixed at the input of the channel. Hence, Bob experiences the effective noise ηξ. Note that we measure the noise in the shot noise units. Within the whole work, our transmittance model as a function of the transmission distance L is η = 10 −0.02L . This corresponds to a transmission of −0.2 dB/km that is a common value for optical fibres at the telecom wavelength. While the total number of transmitted signals N , as well as the testing ratio k T N varies, we fix l T /k T (see Theorem 3) to be 10 −8 and M = 5. Furthermore, we fix the ϵ parameters to be ϵ EC = 1 5 × 10 −10 , ϵ PA = 1 5 × 10 −10 , ϵ = 7 10 × 10 −10 , ϵ AT = 7 10 × 10 −10 and ϵ ET = 1 10 × 10 −10 such that the total security parameter (see Theorem 6) is ϵ = 10 −10 . We emphasise that our security proof is independent of the choice of parameters and that those values are chosen for demonstration purposes only.
We applied the numerical framework in [29,30] to find a lower bound on the minimisation problem in Eq. (21), where the coding was carried out in Matlab ® , version R2020a. The semidefinite programs were modelled using CVX [51,52], where we used the MOSEK solver (version 9.1.9) [53] to solve the semidefinite programs.

D. Simulation Results
We present plots of the obtained secure key rates for various parameter choices. If not mentioned otherwise, Secure key rates over transmission distance L for different total number of signals N . We optimised the coherent state amplitude α and the radial postselection parameter ∆r and fixed testing ratio rtest = 10%. All curves correspond to ideal, untrusted detectors.
we fix the preparation noise ξ = 0.01 and in all plots, we assume that an error correction code with efficiency β = 0.95 is used, which is achievable with the latest lowdensity parity-check codes. We note that it is not entirely clear if constant β is also achievable for wide ranges of SNR. However, our security proof method is independent of the particular β and for illustration purposes we fixed it to 0.95, in accordance with common values used in the literature. If we do not state a particular value for the amplitude α and the postselection parameter ∆ r , the corresponding curves have been obtained after optimising over α and ∆ r via a coarse grained search. We chose the cutoff space dimension n c = 20, which turned out to be a sound compromise between numerical feasibility (calculation time) and impact on the obtained key rates (see the role of the cutoff number in the security proof in Section IV).
In the first two subsections, we present plots in the unique-acceptance scenario (see Section IV D), which is standard in the literature and allows for comparison. We start by discussing our results for untrusted, ideal detectors (so η d = 1 and ν el = 0), which is followed by results for trusted, nonideal detectors (η d < 1 and ν el > 0). However, as elaborated on after Theorem 4, in the unique-acceptance scenario, practical protocols will abort with probability close to 1. Therefore, in the final section, we briefly discuss the nonuniequ-acceptance scenario and present key rates for this practical and realistic case.

Untrusted, ideal detectors
In what follows, we present our results for untrusted, ideal detectors. The key rates shown are measured in bits per channel use and the plotted asymptotic key rate curves were generated with the method described in Ref. [21]. Figure 2 shows the obtained secure key rates over the total number of signals sent N . We fixed the transmission distance to be 10 km, the coherent state amplitude α = 0.85 and the radial postselection parameter ∆ r = 0.45, while we varied the testing ratios (TR). As one can see, we obtain secure key rates for N ≥ 5×10 8 for r test = 40%. Furthermore, our secure key rates approach the asymptotic limit from Ref. [21] for N → ∞ and low testing ratios. This shows that our analysis is tight in the asymptotic limit. We note that we had to adapt the asymptotic key rate curve in Figure 2 compared to Ref. [21] because of different weights, and hence different correction terms ∆(w). The reason behind this is as follows. The weight in the asymptotic regime without testing is determined by solving an additional SDP, and is hence fundamentally different than in our analysis including an energy test (see also the discussion in Section VI B). Our statistical approach allows us to work with smaller weights, and hence smaller correction terms. In order to make the key rate curves comparable, one therefore has to readjust the asymptotic curves in Ref. [21] by the weight correction.
Next, we consider the performance of our secure key rates as a function of the transmission distance for a different number of total rounds N in Figure 3. We fix the testing ratio to r test = 10%. Again, we note that for the asymptotic key rates, we do not effectively sacrifice signals for testing. Hence the asymptotic key rates are conceptionally different to the finite-size key rates in the plot and would correspond to finite-size key rates with a testing ratio equal to 0%. This explains the tiny difference in key rates between the asymptotic reference curve and the finite-size key rates for low transmission distances.
Our observations from Figure 2 indicate that it is unlikely positive key rates are obtained for N smaller than N = 5 × 10 8 at L = 10 km. Therefore we start our investigation at N = 10 9 in Figure 3, where we have hope to surpass L = 10 km significantly and go up to N = 10 12 , which is the largest N we assume is achievable in experiments with state-of-the-art lasers and heterodyne detectors in a practical amount of time. Note that we optimised over the coherent state amplitude α and the postselection parameter ∆ r via coarse grained search. We observe positive key rates up to 22 km for N = 10 9 , up to 38.5 km for N = 10 10 , up to 56 km for N = 10 11 and up to 70 km for N = 10 12 .
It remains to discuss how much we can improve our results by varying the testing ratio r test . In Figure 4, we fix N = 10 12 , optimise over α and ∆ r via a coarse grained search and examine the impact of testing ratios between 5% and 60%. As expected, it turns out that for low transmission distances, low testing ratios are advantageous, while the maximal achievable transmission distance can be improved significantly by increasing the  fraction of signals used for testing. This is because for high transmission distances the expectation values in our constraints become small, and hence (for the same testing as for lower distances) their uncertainties become relatively large. Higher testing counteracts this effect and increases the secure key rates. Sacrificing 60% of the signals for testing increases the maximal achievable transmission distance from 66 km (for 5% testing) to 77 km.

Trusted, nonideal detectors
Next, we present our results for the case of trusted, nonideal detectors. For demonstration purposes we choose η d = 0.72 and ν el = 0.04, and emphasise that our analysis is not restricted to this choice. We fix the excess noise again to ξ = 0.01. Note that this means that the curves for trusted, nonideal detectors have a higher total noise level compared to the curves for untrusted, ideal detectors in the previous section. Again, we add asymptotic key rate curves, derived following the method presented in Ref. [21], for comparison. Like in the untrusted, nonideal case, our key rates are tight, i.e. for low testing ratio r test and a high number of rounds N , the obtained finite-size key rates converge to the asymptotic limit.
We examine the performance of our security proof for different total numbers of rounds, while we fix the testing ratio at 10% and optimise over the coherent state amplitude α and the radial postselection parameter ∆ r via a coarse grained search. The resulting key rate curves can be seen in Figure 5. We see that, as expected, the secure key rates are lower than for the untrusted, ideal detector, but the maximal achievable transmission distances decrease only moderately compared to the untrusted detector with the same excess noise level. We observe pos- itive key rates up to 22 km (compared to 24 km for untrusted, ideal detectors), for N = 10 9 signals, we obtain non-negative key rates up to 39 km (compared to 41 km) for N = 10 10 , up to 55 km (compared to 58 km) for N = 10 11 , and up to 67 km (compared to 71 km) for N = 10 12 f. In Figure 6, we plot the obtained secure key rates as a function of the transmission distance L for different testing ratios, while we fix N = 10 12 and optimise over the coherent state amplitude α and the radial postselection parameter ∆ r . As expected the obtained secure key rates are lower than those for the untrusted, ideal detector.
However, for an excess noise level of ξ = 0.01, it turns out that the maximal achievable transmission distances do not differ significantly in the trusted detector scenario. For example, when the testing rate is 60% of the signals, the maximal achievable transmission distance for the trusted, nonideal detector is 72 km while in the untrusted, ideal detector case we obtained 77 km. For a testing ratio of 5%, the maximal achievable transmission distance differs by only 3 km. The achieved secure key rates in the nonideal detector case are merely lower. Therefore, even for realistic detectors, our method yields practically relevant secure finite-size key rates. We note that this moderate performance difference between key rates using ideal, untrusted detectors and noisy, trusted detectors has already been observed for the asymptotic case in [38,Section 5.3]. The reason behind this is that Bob's noisy observables can be related to his ideal observables by linear combinations. Hence, effectively, the feasible set remains unchanged, while only the objective function changes due to different POVM elements for the noisy, nonideal heterodyne detector. The error correction cost, however, is slightly higher, which explains the ob-  served drop in the secure key rate.

Nonunique acceptance
While it is common in the literature to discuss secure key rates in the unique-acceptance (UA) scenario (where t in Theorem 4 is set to zero), we want to emphasize that the acceptance test of such protocols basically always fails, even in the absence of eavesdroppers. Consequently, although these protocols can achieve high key rates when successful, the expected key rate per key generation round is generally low in practice. Therefore, we turn our attention to the more practical scenario of nonunique acceptance (nonUA), where t > 0. Our goal is to investigate the relationship between secure key rate and acceptance probability, which leads to a more useful presentation of secure key rates in practical settings.
Therefore, recall the following results from Section IV D to gain insights into how the choice of t influences the secure key rate and the acceptance probability. According to Eq. (7) the acceptance set grows larger when we choose t > 0. Consequently, the optimization performed when solving the key rate finding problem is carried out over a larger set, resulting in lower secure key rates compared to the unique-acceptance scenario. However, Proposition 5 provides bounds on the failure probability of the energy test, acceptance test, and the entire QKD protocol (through the union bound). Intuitively, as the sample size increases, we can choose a smaller t. Hence, for illustration purposes, we set t X = t F µ X for different values of t F ≥ 0, as this yields where Θ denotes the set of observables used in the protocol and X ∈ Θ. We want to highlight that this is only a choice and might not be optimal. Further optimizations are left for future work. Furthermore, for the second expression in Proposition 5, we use D (P l T +1 ||Q σ ) ≥ D(P l T +1 ||Q w r ) and obtain where l T , k T , w and r are from Theorem 3. While this bound is sufficient for illustration purposes, we want to note that it is quite loose and we leave tighter bounds for future work.
To summarize, we have observed that different choices of t simultaneously impact the acceptance set, and hence the secure key rate, and the acceptance probability. Consequently, in the nonunique acceptance scenario, direct comparisons of the secure key rate for different t values do not provide meaningful insights, as the expected secure key rate (weighted by the success probability) can vary significantly. Therefore, in this subsection, we introduce a slight modification in how we present our results. Instead of plotting the secure finite-size key rate in bits per channel use, denoted as ℓ N , which we obtained from our security proof and have used thus far, we now plot the expected secure key rate per channel use (1 − ν c QKD ) × ℓ N on the y-axis. Thereby, the acceptance probability is calculated assuming that the adversary behaves honestly. We believe that this revised representation of secure key rates better captures the practical relevance, describing the usable and accessible secure key rate in implementations of the investigated protocol. Our intention is to encourage the community to adopt similar reporting methods in future work.
We are now prepared to present and discuss the key rate plots for the nonunique acceptance scenario. Similar to previous sections, we set ϵ EC = 1 5 × 10 −10 and keep M = 5 fixed. In what follows, we mainly use the more natural quantity p succ := 1 − ν c QKD , which is the 'success probability on honest runs' of the analysed protocol. First, we examine the impact of different parameters, specifically t F (and consequently different acceptance probabilities), on the expected secure key rate. To maintain consistency with Figure 2, we set L = 10km, α = 0.85, ∆ r = 0.45, and r test = 2.5%. We investigate three values of t F , namely 0.760, 0.832, 1.110, which correspond to success probabilities exceeding 50%, 75%, and 99%, respectively. For comparison, we plot the unweighted unique acceptance (t F = 0) key rates, along with the asymptotic secure key rate provided in Figure  2. Notably, as N grows large, the expected secure key rates for t F = 1.110, corresponding to a protocol success probability of 99%, closely resemble the nonunique acceptance key rates and the asymptotic secure key rate. This observation underscores the tightness of our key rates even in the nonunique acceptance case. Next, we analyze the impact of the nonunique acceptance scenario on the achievable transmission distance. We set N = 10 12 and r test = 10% and optimize over α as well as the postselection parameter ∆ r . We consider four values of t F , specifically t F ∈ 0.760, 0.832, 1.110, 1.270, which correspond to success probabilities exceeding 50%, 75%, 99%, and 99.9% respectively. Additionally, we plot the unique acceptance key rates (t F = 0) and the asymptotic secure key rates from Figure 3 for comparison.
We observe that the expected secure key rates for short to medium transmission distances are close to the unique acceptance key rate, particularly for t F = 1.110 and t F = 1.270. While the expected secure key rates for low to medium transmission distances are close to the unique acceptance key rate, in particular for t F = 1.110 and t F = 1.270, the achievable transmission distances drop slightly to 61km for t F = 1.270, 62km for t F = 1.110, 63km for t F = 0.832 and 64.5km for t F = 0.714, from 70km in the unique acceptance case. This demonstrates that, at the expense of lower expected secure key rates, it is possible to increase the maximum achievable transmission distance towards those of the unique acceptance key rate. We expect that a tighter bound on Pr[AT Aborts|Honest] would close this small remaining gap, allowing for smaller values of t F with equal success probabilities, as our current bound overestimates the protocol failure probability. This, in turn, would result in higher key rates and increased achievable transmission distances. Secure nonunique acceptance key rates over transmission distance L for untrusted, ideal detectors. We fixed N = 10 12 and the testing ratio rtest = 10% and optimised the coherent state amplitude α as well as the postselection parameter ∆r. As explained in the main text, for nonunique acceptance curves (tF ∈ 0.760, 0.832, 1.110, 1.270) we plot the expected secure key rate (1 − ν c QKD ) × ℓ N , while we report secure key rates for unique acceptance curves (tF = 0 and asymptotic). Thus, dotted curves refer to the left, while the dash-dot and the solid curves refer to the right y-axis.

VII. CONCLUSION
In our work, we established a composable security proof against i.i.d. collective attacks in the finite-size regime. We tackled the problem of infinite dimensions by introducing a new energy test (Theorem 3) to bound the weight outside a finite-dimensional subspace and applying the dimension reduction method [21] to take the influence of the weight correction term into account. Furthermore, we argued that in the finite-size regime acceptance testing is the suitable statistical treatment, rather than parameter estimation, known from asymptotic security analyses. We rigorously extended the epsilon security proof method of Ref. [36] to handle infinite dimensional side information and finally extend the numerical security proof framework in Refs. [29,30] to obtain tight lower bounds on the finite-size key rates for a general DM CV-QKD protocol. Furthermore, our security analysis is capable of taking detector imperfections and limitations into account and offers the opportunity to trust Bob's detection devices.
For illustration, we apply our security proof method to a four-state phase-shift keying protocol and calculate the achievable secure key rates in various scenarios. However, we emphasise that our approach is not limited to four signal states or phase-shift keying modulation but applies to general discrete modulation patterns. We show that under experimentally viable conditions one can obtain positive finite-size key rates up to at least 73 km transmission distance for moderate to low noise. Through a comprehensive and detailed analysis of the success probability in an honest implementation, we are able to provide a clear and thorough examination of DM CV-QKD protocols. This enables us to report expected secure key rates, rather than solely focusing on achievable secure key rates in cases where the protocol does not abort. Additionally, it allows us to discuss the three crucial aspects of DM CV-QKD protocols, namely security, key rate, and success probability, together in a coherent manner.
Let us take this opportunity to discuss an alternative composable finite-size security proof for DM CV-QKD protocols against i.i.d. collective attacks given in Ref. [25]. The authors of that work used a proof method based on the extremality of Gaussian states and developed an interesting way to leverage the finite detection range of realistic detectors to bound the dimension of the problem. While our work also considers the finite detection range of realistic detectors, we want to highlight that the weight, and hence the bound for the cutoff space comes from the energy test and does not directly rely on the detection limit. This gives us additional flexibility and allows us to achieve small weights and a smaller impact of the detection limit on the secure key rate. However, despite this shared aspect, the security argument is very different, making a direct comparison of the obtained key rates is not straightforward. It was already shown in Ref. [19] that the asymptotic key rates obtained using the framework of Refs. [29,30] yield significantly better lower bounds than those in Ref. [18] which is another numerical approach employing Gaussian extremality. Lupo and Ouyang [25] compared their QPSK key rates with the analytical key rates given in Ref. [20], which are known not be tight for four signal states (and known to be lower than the key rates by Ref. [19]). As our key rates converge for large block sizes against the asymptotic key rates given by [19], one can nevertheless conclude that our method achieves clearly higher secure key rates than the recently published finite-size security analysis in Ref. [25]. Additionally, our work also takes the success probability of the examined protocol into account, allowing to report practically relevant expected secure key rates. However, a direct comparison of both methods to achieve bounded operators, and hence finite dimensional problems, using the same security proof framework and similar assumptions on the detectors and taking the success probabilities of the different statistical testing procedure into account would be interesting in the future.
While we prove security against i.i.d. collective attacks, which are assumed to be optimal up to de Finetti correction terms that are massive in the small block length limit, a rigorous security proof against general attacks remains an open question. One issue is that known energy tests on almost i.i.d. states do not bound the weight outside a cutoff space in a way that is useful to apply our numerical method. Furthermore, we require a chain rule for smooth min-entropies to remove an infinite dimensional register, which is not straightforward. This is even a technical issue that applies to the work of Ren-ner and Cirac [26]. However, assuming a photon-number cutoff, our method is able to handle coherent attacks as well, applying methods developed in Ref. [31]. Therefore, a rigorous general attack security analysis for general DM CV-QKD protocols needs to solve multiple open problems; hence, a generalisation to coherent attacks is left for future work.
(see, for example [54, p. 37]), it can be seen that V 1 = n∈N Γ(n+1,βtest) Γ(n+1,0) |n⟩⟨n|. Therefore, comparing the coefficients of V 1 and W 1 and recalling that, for fixed first argument, the incomplete gamma function is monotonically decreasing in its second argument, we conclude that ⟨n|W 1 |n⟩ ≤ 1 ≤ Γ(nc+1,0) Γ(nc+1,βtest) ⟨n|V 1 |n⟩ ∀n ∈ N. Hence, we find that To ease notation, we define r ideal (n c , β test ) := Γ(nc+1,0) Γ(nc+1,βtest) . The operator W 0 is the projector onto the cutoff space H nc and W 1 projects onto the orthogonal complement of the cutoff space. Therefore, To ease notation, we use the short notation r := r ideal . As it will turn out in the end, we actually do not need to distinguish between two different r for ideal and nonideal detectors.
For our analysis, we consider an arbitrary density matrix ρ, whose weight outside a cutoff space of dimension n c can be either larger or smaller than some chosen real number w ∈ [0, 1], 1) ρ is such that Tr [ρW 1 ] < w; 2) ρ is such that Tr [ρW 1 ] ≥ w.
In the first case, the energy test accepts on a state which lies indeed with the acceptance set of the energy test. In that case, we can proceed with our security analysis. In the second case, the energy test accepts on a state that does not lie within the acceptance set of the energy test. We now need to make sure that this happens only with small probability ϵ ET .
Note that for fixed ρ Born's rule induces a probability distribution in the probability space over outcomes; hence, the i.i.d. testing of it induces a probability distribution over the sequences. The fundamental error, denoted ϵ ET, fund , in the i.i.d. setting for our test strategy is the maximum probability of obtaining a sequence that passes the test even though the expected weight for the prototype ρ is greater than or equal to w. We denote this probability for a fixed prototype as Pr [|{Y i : Y i ≤ β T }| ≤ l T | ρ]. The maximum probability is then obtained by maximising this probability over all such prototypical ρ. Therefore, we derive the upper bound ϵ ET, fund := max While the first line defines ϵ ET, fund , for the second line we recall that according to our testing strategy, we only have to deal with ρ with expected weight larger than or equal to w, which allows us to rewrite the first line by including this condition into the set we maximise over. Density matrices ρ with expected weight smaller than w are not relevant in this part of our analysis. Finally, for the inequality in the last step, recall from the first part of the proof, that W 1 ≤ rV 1 ; hence, Now let ⃗ f k T ∈ {0, 1} k T be a vector containing '0' if V 0 was realised and '1' if V 1 was realised, i.e., for each of the test rounds we write '0' if the measurement result of the heterodyne measurement was within a circle of radius β T in the phase-space and '1' otherwise and define f k T be the type induced by ⃗ f k T . Furthermore, defineQ w r := 1 − y y : y ∈ w r , 1 and P j : Then, the set we are maximising over reads We observe that which is given by the product of the size of the corresponding type class and its probability where |T (P j )| denotes the size of type class P j and by Q k T ρ we denote the product distribution Q k T ρ := Π k T j=0 Q ρ . Next, we use two theorems from Ref. [55]. The first one, Theorem 11.1.2 of [55], tells us that, for n i.i.d. random variables X 1 , ..., X n drawn according to Q(x), the probability of a certain n-sequence ⃗ x only depends on its type P ⃗ x , Q n (⃗ x) = 2 −n(H(P ⃗ x )+D(P ⃗ x ||Q)) . The second one, Theorem 11.1.3 of [55], gives an upper bound for the size of a type class of type P ∈ P n (so a type with denominator n), |T (P )| ≤ 2 nH(P ) . Applying both to Eq. (A4) yields where D is the Kullback-Leibler divergence. Collecting what we found so far, we arrive at We assume that l T k T < w r ; hence, Q w r := 1 − w r w r will always be the closest to each of the P j among all y ∈ w r , 1 . Furthermore, choosing j = l T minimises the relative entropy between P j and Q w r , ∀j ≤ l T ∀y ∈ w r , 1 : D(P j ||Q ρ ) ≥ D(P j ||Q w r ) ≥ D(P l T ||Q w r ).
Therefore, we conclude that This completes the proof.
It remains to prove the energy testing theorem for trusted, nonideal detectors. The second part of the proof follows the arguments of the proof for ideal detectors. However, the measurement operator for trusted, nonideal detectors differs from the measurement operator V 1 for the ideal detector. Therefore it remains to show that the measurement operator for the trusted, nonideal case dominates W 1 as well (possibly with another constant r(n c , β test ).
Proof. According to [50] the POVM elements for the trusted, nonideal heterodyne measurement with efficiency η d and electronic noise ν el are given by where n d : . Therefore, the modified measurement operator isṼ 1 := y 2 ≥β 2 test G y dµ y . We use [56,Eq. (6.13) and (6.14)] to express G y in the number basis. For simplification, we define C n,m := , and obtain for n ≤ m is the generalised Laguerre polynomial of degree k and with parameter α [57]. Note that we substituted y 2 → z for the fifth equality and that we used the definition of the Laguerre polynomials to obtain the last line. Inserting C n,n and simplifying the obtained expression yields Note that the quotient Γ(j+1,aβtest) is monotonically increasing in j, therefore ∀j ≥ n c : Γ(nc+1,aβtest) .
Hence, U ≤Ṽ 1 . Based on the structure of W 1 , we observe Γ(nc+1,aβtest) and combining our operator relations, we obtain The rest of the proof is identical to the ideal case.
whereM := M √ η d c , c 2 := 1 +n = 1 + 1−η d +ν el η d = 1+ν el η d and γ := α − β √ η d . We observe that when M is chosen to be sufficiently large, the neglected terms become extremely small, often (depending on the particular choice of M ) even below the level of machine precision. It is important to highlight that the numerical method we employ to obtain accurate lower bounds on the secure key rate [29,30] accounts for small violations of constraints and finite-precision errors in the representation of operators, which may have a magnitude of ϵ ′ . Therefore, as long as we ensure that the neglected terms remain below this threshold, the resulting lower bounds remain reliable. For more details about handling numerical imprecisions in the used security proof framework, we refer to [30,Section 3.3]. This shows that the effect of restricting our measurement to only a finite detection range has negligible impact on our implementation. Furthermore, notice that forM → ∞ : i.e., as expected, we recover the results for the unbounded (noisy, nonideal) measurement from [21]. By the uniqueness of the Q-function, we obtain then where and, again, the restricted operators converge to the unrestricted operators given in [21] forM → ∞.

Energy test
After having clarified our observables, we can proceed with the energy test. Therefore, let us review the purpose of the energy test. When performing the energy test, we take some fraction of all rounds and check if q 2 + p 2 is smaller or larger than some arbitrary but fixed value β 2 test . As long as we choose β test ≤ M , this binary measurement is not affected by the finite detection range (note that we do not need to know the exact value but only need to know if it is smaller than our testing parameter) as can be seen from the definition of the measurement operator V 1 , here for the ideal heterodyne measurement POVM, but the same applies if we replace 1 π |α⟩⟨α| by G α . Comparing to Eq. (23) in the ideal case or to Eq. (24) for the nonideal detector, we see that f V1 = 1. As a result, the integral remains the same even for the bounded operator. Summing up, the energy test remains completely unaffected by this modification, providing we select a value for M that is not smaller than β test .

Modified key map
As we only want to use unambiguous measurement results, we restrict our key regions to the area between the postselection circle in the middle of the phase space and the detection-range bound at M . For z = 0 and z = 2, we obtain and for z = 1 and z = 3, we obtain We note that this integral cannot be computed analytically anymore which increases the computation time extensively. One possible solution is to slightly modify the key map by discarding not only results lying outside M = [−M, M ] 2 but outside a circle with radius M . Then the region operators read which can be calculated analytically. Although we increase the region corresponding to ⊥, as the removed areas are close to the corners of [−M, M ] 2 we do not expect a significant impact on the key rate, while speeding up the calculation considerably. Thus, we modify the key map accordingly for our simulations.

Appendix C: Technical lemmas
In this section, we present technical lemmas we use in the security proof to generalise existing finite-dimensional statements to their infinite dimensional counterparts.
Since E is a CPTNI map, we can find a Kraus representation where D is the diagonal form and U the corresponding transformation, we obtain Note that we definedK i := K i U and observe This implies that for the purified distance smoothing ball, if or, for the trace distance smoothing ball, if the obtained key is ϵ sec -secure.
Proof. We start the proof with [40,Proposition 21] for the case |K| = 2 ℓ since we are interested in bit-strings. Then, Proposition 21 states that for X, K, two sets of finite cardinality with |K| = 2 ℓ ≤ |X|, {F, P F }, a family of two-universal {X, K}-hash functions, holds. Here E F denotes the expectation with respect to P F , T f is the map applying the hash function and π K = 1 |K| s∈K |s⟩⟨s|. Note that K denotes the alphabet the hash function map into and that Ref. [40] uses the purified distance in the smooth min-entropy definition.
First, we rewrite the left-hand side We replace the left-hand side of the original statement with what we just derived and divide by two to obtain a statement in trace distance and obtain Let ϵ PA := 2(ϵ sec − 2ϵ ′ ) > 0. Then, we derive where F ∈ F. This gives us the statement in purified distance smoothing. By Proposition 7, we yield the proposed statement in trace distance smoothing. where the proof for the infinite dimensional case is identical to the proof given there. The third line is obtained by the strong subadditivity property of the smooth min-entropy (Lemma 11) and the last inequality comes from the fact that E ′ ↔ (X, E ′ ) ↔ C forms a Markov-chain since C is computed by Alice and Bob as a function of XY . Finally, since log 2 (|C|) stands for the number of all possible information-reconciliation transcripts, we may replace it with the actual leakage leak EC giving the number of bits needed to implement the used information-reconciliation scheme.
Appendix D: Generalisation of the asymptotic equipartition property In this appendix, we generalise the asymptotic equipartition property [36, Corollary 3.3.7] to infinite dimensions. The proof there requires an ordering on the eigenvalues as well as the Birkhoff-von Neumann theorem, so it needs some care to generalise the AEP statement to infinite dimensions. We note that the fully quantum asymptotic equipartition property was extended to infinite dimensions in Refs. [41,60,62,63]. However, as noted in Ref. [31] this version is harder to apply numerically. The basic idea of our proof relies on the fact that the infinite dimensional min-entropy can be converged via projections [41]. Before we come to the actual proof, it requires some preparations.
We start by extending the definition of the max-relative entropy to infinite dimensions.
Definition 14 (infinite dimensional max-relative entropy). Let H A be a Hilbert space, and let P, Q ∈ Pos(H A ).
Next, we prove that D max is a Rényi divergence just as in finite dimensions. (2) Dominance: For P, Q, Q ′ ∈ Pos(H A ) and Q ≤ Q ′ , we have D max (P ||Q) ≥ D max (P ||Q ′ ).
Proof. We prove the two points separately.
≥ Using the definition of the max-relative entropy yields aP ≤ 2 λ bQ, which implies that P ≤ 2 λ b a Q. According to the definition, λ * is the infimum of all µ such that P ≤ 2 µ Q, hence 2 λ * ≤ 2 λ b a . Taking the logarithm and rearranging yields λ ≥ λ * + log 2 (a) − log 2 (b), which concludes the first direction.
Defining H min (ρ AB ||σ B ) = −D max (ρ AB ||1 A ⊗ σ B ) gives us the following corollary.  Note that this coincides with the definition given in the main text (Section III A). Next, we want to generalise [41, Lemma 2]. Therefore, we introduce sequences of projectors {Π k } k∈N onto finite-dimensional subspaces U ⊆ H of the relevant Hilbert space H, that converge to the identity 1 H with respect to || · || 1 . Then we define a sequence of non-normalised projected states asρ k := Π kρ Π k . For a more detailed description, we refer the reader to [41,Section II]. We note that the following could be trivially further generalised to a continuity claim for the smoothed max-relative entropy.
Lemma 18. Let ρ B ∈ D(H A ⊗ H B ) and let {ρ k AB } ∞ k=1 a sequence of normalised projected states converging to ρ AB in the || · || 1 -norm. Let σ B ∈ D(H B ) and {σ k B } ∞ k=1 be a sequence of normalised projected states that converge to σ B . For any fixed t ∈ (0, 1) there exists k 0 ∈ N such that ∀k ≥ k 0 we have Proof. For fixed σ the statement can be established by showing ∀k ≥ k 0 : B tϵ TD ρ k AB ⊆ B ϵ TD (ρ AB ), where the proof is then identical to the proof of [41, Lemma 2]. Therefore, we take this result as established, so ∃k 0 such that ∀k ≥ k 0 : H ϵ min(TD) (ρ AB ||σ) ≥ H ϵ min(TD) (ρ k AB ||σ). Putting things together, we showed Thanks to Eq. (D1) we know already that there exists such a k 0 to bound H ϵ min(TD) (ρ k AB ||σ). This completes the proof.
In the next Lemma, we extend Renner's AEP [36,Theorem 3.3.6] to infinite dimensional side information. Note that we cannot generalise register A to infinite dimensions, as the correction term is a function of the dimension of this register. However, this generalisation is not required for QKD anyways. where δ = 2 log 2 rank(ρ A ) + Tr ρ 2 In terms of purified distance, we replace ϵ → √ ϵ.
Proof. We follow the proof of [41,Proposition 8]. Let Π k A , Π k B be sequences of projectors such that ∀k ′ ≥ k : Π k A ≤ Π k ′ A that converges to the identity in the weak operator topology and similarly for the projectors in B. Then, the n-fold projectors Π k A ⊗n , Π k B ⊗n satisfy these conditions as well.
Finally, taking the limit t → 1 completes the proof.
We obtain the final result of this section, the generalised Asymptotic Equipartition Property, as a corollary.
Corollary 20 (Asymptotic Equipartition Property). Let H X and H E be separable Hilbert spaces, where H X is finite-dimensional. Let ρ XE be a classical-quantum state. Then, for smoothing in terms of trace distance where δ(ϵ) := 2 log 2 (rank(ρ X ) + 3) log 2 (2/ϵ) n . For smoothing in terms of purified distance every ϵ needs to be replaced by √ ϵ.
We obtain min f (ρ) subject to The numerical method in [30] lower bounds the minimum of the objective function as follows. Let ρ * minimise f over the feasible set S. Then, we have Therefore, in what follows, we consider this linearised problem. The feasible set is given by the constraints in Eq. (E1). Furthermore, for ease of notation, we denote all measurement operators by the labelΛ and call the right-hand sides of the constraints related to measurements and the trace-condition λ j to obtain a more abstract form of our optimisation problem. Then, the problem reads min ⟨∇f (ρ), σ⟩ subject to Note that K 1 denotes the cone where K * 1 denotes the dual cone of K 1 and ⟨·, ·⟩ H1 and ⟨·, ·⟩ H2 are the inner products on the Hilbert spaces H 1 and H 2 , where the optimisation problems are set. In our case, we have K * 1 = K 1 and the first inner product is the Hilbert-Schmidt inner product over the Hilbert space of bounded linear operators and the second inner product is the inner product induced by the component-wise inner products of Hilbert spaces of the constituents of Y . H 1 , H 2 and N are known, while X is the primal optimisation variable, while Y is the optimisation variable in the dual problem.
Finally, we apply the relaxation in [30] to take numerical imprecisions into account. This adds ϵ num to the vector ⃗ v as well as to 2 √ w. Therefore, as claimed, we finally obtain the dual.

Appendix F: Completeness
Proof of Proposition 5. First, we show why the completeness may be decomposed into multiple epsilon terms. This has also been explained in other work [65]. By definition of completeness of a QKD protocol (Definition 1), where we have used that energy test, acceptance test, and error correction are the steps in the protocol which might abort and then applied the union bound. We take Honest to mean the input at the step conditioned on the previous inputs passing on the honest input. We take the honest input to be the state σ ⊗n := (E Honest (ρ)) ⊗n , where ρ is the state the devices effectively prepare and E Honest is the assumed memoryless noisy channel when there is no eavesdropper. We can then take each of these conditional probabilities and define a notion of ϵ−completeness for these subprotocols in the same manner as for the whole protocol (Definition 1). The completeness of error correction is a choice of error correcting code, so we leave this as an input parameter of the protocol, ϵ c EC . Thus we are only interested in bounding the other two probabilities.