Tight Secure Key Rates for CV-QKD with 8PSK Modulation

We use a recent numerical security proof approach to calculate tight secure key rates in the presence of collective attacks for a continuous-variable (CV) eight-state phase-shift keying (8PSK) protocol with heterodyne detection in the asymptotic limit. The results are compared to achievable secure key rates of a QPSK protocol obtained with the same security proof technique. Furthermore, we investigate the influence of radial postselection on the secure key rate and examine a recently suggested strategy to reduce the computational requirements on the error-correction phase for four-state phase-shift-keying protocols. Based on our investigations, we suggest different strategies to reduce the raw key of 8PSK protocols significantly, only on the cost of a slightly lower secure key rate. This can be used to lower the computational effort of the error-correction phase, a known bottleneck in many practical implementations, considerably.


I. INTRODUCTION
Quantum key distribution (QKD) enables two remote parties to expand a short symmetric preshared secret key into a long secret key without any assumptions on the computational power of a potential adversary.Perhaps the most famous cryptographic protocol based on quantum mechanics, BB84, was published by Bennett and Brassard [1] in 1984 and is based on (discretely) polarized photons.Discrete-variable (DV) QKD protocols like BB84 rely on single-photon detectors that are rather expensive components.In contrast, continuous-variable (CV) QKD protocols are based on the field quadratures of light that are measured by homodyne or heterodyne detection using much cheaper photodiodes.Continuousvariable QKD goes back to Ralph in 1999 [2] and is based on discrete modulation.Postselection, i.e. selection of certain signals for further processing based on measurement results, can increase the secure key rate for continuous-variable QKD-protocols by reducing the information available to an adversary [3].Postselection areas for multiletter phase-shift keying (PSK) protocols in linear channels are discussed in [4].References [5][6][7] give comprehensive reviews of the entire field of quantum key distribution, implementations, and security proofs.
The process of finding a lower bound on the achievable secure key rate is called security proof.Analytical attempts to prove the security of a certain QKD protocol are usually very technical, introduce looseness in * florian.kanitschar@outlook.com the lower bounds and are often difficult to generalize.In contrast, numerical attempts are typically more flexible concerning changes in the protocol structure, but have only finite precision, and it cannot be expected that the optimization tasks involved achieve the optimum with arbitrary accuracy.In particular, for CV protocols, we have to approximate physical quantities living in infinitedimensional Hilbert spaces by finite-dimensional representatives to make the key-rate-finding problem computationally feasible.Finally, as the most interesting discrete modulated (DM) CV-QKD protocols involve four or more states, the numerical tasks are high-dimensional, hence computation time is crucial.
Several security proofs for DM CV-QKD protocols in the asymptotic limit are known.Analytical approaches are restricted to certain scenarios such as linear quantum channels [4,8], or a fixed number of signal states [9], [10].A general attempt [11] gives an analytical lower bound on the secure key rate of DM CV-QKD protocols with arbitrary modulation, but is loose for a low number of signal states and does not consider postselection.In contrast, numerical approaches [12][13][14][15] are more flexible, but suffer from high computational complexity and assume that it is sufficient to solve the key rate finding problem occurring by truncating the infinite Fock space.This so-called photon-number cutoff assumption was removed in [16].
While these security proofs are valid in the limit of infinitely long keys, establishing general security in the finite-size regime is an open problem.Recently, [17] proved the finite-size security of a QKD protocol with discrete encoding under the restriction of collective Gaussian attacks, while [18] introduced a general security proof of a special two-state DM CV-QKD protocol.

A. Contribution
In the present work, we adapt a numerical framework to calculate secure key rates of DM CV-QKD protocols under the assumption of collective attacks in the asymptotic limit [12,13] and use it to analyze and optimize different phase-shift keying protocols.We consider both the untrusted and trusted detector scenarios.We reduc the computation time and increase the accuracy of the calculated key rates by replacing numerical approximations for certain operators with analytical expressions.
We point out why it is not useful to consider more than eight PSK signal states for phase-shift keying modulation protocols using state-of-the-art postselection strategies.Backed by considerations about the bit error probability for heterodyne measurement outcomes, we introduce a simple postselection strategy for QPSK protocols (crossshaped postselection) and show that it clearly outperforms state-of-the-art radial [14] postselection in terms of the achievable secure key rate and performs comparably with radial and angular postselection.We show how postselection can be used to reduce the amount of raw key (i.e., data that must be error-corrected) significantly, tackling a well-known bottleneck in practical implementations, at the cost of only a much smaller decrease in the amount of secure key.We highlight how a smart choice of the postselection strategy can also reduce the gap in the key rate between QPSK and 8PSK modulation.

B. Organization
The remainder of this work is structured as follows.
In Section II we give a brief summary of the numerical security proof approach we use, including the changes necessary to consider trusted detectors.In Section III we introduce a general phase-shift keying protocol and motivate our particular choices for the number of signal states and the postselection strategies.This is followed by Section IV where we comment on details of the implementation.In the main part of the paper, Section V, we present and discuss our results for both untrusted and trusted detectors.We show that postselection is an important improvement to discretely modulated CV-QKD.Section VI concludes the paper.Detailed explanations, calculations and additional examinations are provided in the appendices.

C. Choice of Units
Throughout the paper, we use natural units, that is, the quadrature operators are defined by q := 1 √ 2 (â † + â) p := i √ 2 (â † − â), where â and â † are the bosonic ladder operators and the commutation relation between the qand p-quadrature operators has the form [q, p] = i.

II. THE SECURITY PROOF APPROACH
First, we give a brief overview of the numerical security proof approach against collective attacks in the asymptotic limit, following [13] and [14].Interested readers will find a more detailed discussion in Appendix C. The physical intuition of the key rate finding problem is the following: we search for the optimal attack, that is, the density matrix of Alice's and Bob's joint quantum state that (1) minimizes the achievable secure key rate while (2) matching expected values of experimentally accessible observables (e.g.quadrature amplitudes, photon numbers).The well-known Devetak-Winter formula [19] gives the secret key rate in the asymptotic limit.In the case of reverse reconciliation, it can be reformulated [13] in terms of the quantum relative entropy D(ρ||σ) := Tr [ρ (log 2 (ρ) − log 2 (σ))], a quantity measuring the distinguishability of two states ρ and σ, the sifting probability p pass , and the amount of information leakage per signal in the error-correction phase δ EC as follows Here, G is a completely positive, trace-nonincreasing map describing classical postprocessing steps, and Z is a pinching quantum channel required to 'read out' the results of the key map.We note that p pass is contained implicitly in the first term of the target function.A more detailed explanation is given in [14].The set S is the feasible set of the minimization, which is a subset of the set of density operators D(H AB ), where H AB = H A ⊗ H B , and is defined by a set of linear constraints, with Hermitian operators Γ i , real numbers γ i and some finite set I. In what follows, we denote the objective function of this minimization by f .Using Lindblad's theorem [20] and the linearity of G and Z, it can be shown that we face a convex minimization problem, with linear and semidefinite constraints, hence a semidefinite program (SDP).The present problem requires optimization over a subset of the set of all density operators, which is an infinite-dimensional vector space.In order to make the problem computationally feasible, we approximate it by a finite-dimensional vector space.While Bob's infinite-dimensional state space is spanned by the basis of Fock states {|n : n ∈ N}, following the photon-number cutoff assumption in [14], we approximate the infinite-dimensional state space by H Nc B := span{|n : 0 ≤ n ≤ N c }, where N c ∈ N is the cutoff number.In contrast to most of the minimization problems, for the present problem it is not sufficient to come close to the minimum as this would give us only an upper bound on the secure key rate.Therefore, the approach in [13] tackles the key rate finding problem in a two-step process.First, a numerical solving algorithm is applied to find an eavesdropping attack that is close to optimal.Then, in a second step, this upper bound of the secure key rate is converted into a lower bound, taking numerical imprecision into account.
To start the key generation process, Alice prepares |ψ x drawn from a set of N St states with probability p x and sends them to Bob, using the quantum channel.Thanks to the source-replacement scheme [21,22], equivalently the corresponding formulation in the entanglement-based scheme can be considered, where Alice prepares the bipartite state the register that is kept by Alice and the state labeled with A is sent to Bob.The quantum channel is modeled as a completely positive trace-preserving map E A →B .Hence, the bipartite state shared by Alice and Bob reads Bob performs heterodyne measurements, hence determines the first and second moments of q and p.These observations can be used to calculate the mean photon number n = 1 2 q2 + p2 − 1 and d = q2 − p2 to constrain the density matrix ρ AB .Furthermore, we know that Eve has no access to Alice's system and, hence, she cannot modify the states held by Alice.That can be expressed mathematically as Tr which is a matrix-valued constraint, where p x is the probability that the state |Ψ x is prepared, for x ∈ {0, ..., N St − 1}.Therefore, we have the following SDP: [14], where x ∈ {0, ..., N St − 1}.

A. Trusted, nonideal detector approach
Up to now, we have assumed that Bob performs measurements with an ideal, noiseless, heterodyne detector having unit detection efficiency.However, detectors used in QKD devices are not ideal, but are noisy and have an efficiency smaller than unity.These deviations from the ideal model can be included in the security analysis differently.
Firstly, in the most conservative scenario, we assume that Bob always uses an ideal detector and all nonideal detector properties occur on the transmission line (effectively increasing the transmission loss and excess noise) [23].This is easily done in theory as it does not need any change to the security proof.However, it leads to much lower key rates and maximal achievable distances compared with the next scenario.
Secondly, as the detector is located in Bob's lab, it may less conservatively be assumed that Eve cannot improve the detector's efficiency and cannot reduce or control its electronic noise.In [24], the numerical security proof method is extended to this second, so-called "trusted", detector scenario.We give a brief summary of the adaptations introduced there: A nonideal heterodyne detector is modeled by two homodyne detectors and a beam splitter, where each of the homodyne detectors has non-unit detector efficiency η q , η p and suffers from electronic noise ν q , ν p .Similar to the excess noise, the electronic noise is measured in shot noise units.The quantum optical model by Lodewyck [25] includes these quantities in the following way (see Figure 1).After the input signal is split into two parts at a 50 : 50 beam splitter (where it is mixed with the vacuum state) each part of the signal passes another beam splitter with transmissions η q and η p (hence, reflectances of 1 − η q and 1 − η p ), respectively.There, we mix each part of the split signal with a thermal state with mean photon number n q and n p .If we choose the mean photon numbers to be n i = νi 2(1−ηi) , i ∈ {q, p}, we relate each thermal state to the observed amount of electronic noise introduced by the corresponding detector.Finally, two ideal homodyne detectors measure the signals.

III. PHASE-SHIFT KEYING PROTOCOLS
We consider prepare-and-measure (P&M) phase-shift keying protocols, which are generalizations of 'Protocol 2' in [14] which is a QPSK protocol with radial (and angular) postselection.
Therefore, we consider two distant parties, the sender Alice and the receiver Bob, who want to establish a symmetric key.They are connected by an authenticated classical channel and a quantum channel.Eve, an adversary, can listen to the classical communication and manipulate and store signals that are exchanged via the quantum channel.In what follows, we denote the number of signal states by N St , and the raw key block size by N ∈ N.  phase is called state preparation.After preparing one of these states, Alice sends it to Bob using the quantum channel.
2) Once the state is transmitted to Bob, he performs a heterodyne measurement and obtains some complex number y n .This is called the measurement phase.
3) Alice and Bob agree via the classical channel to choose some random subset I Test ⊂ {n ∈ N : n ≤ N } and reveal the corresponding sent symbols x l and measurement results y l for l ∈ I Test to perform parameter estimation, that is, they determine the expected values of the first and second moments in Equation (3).The remaining rounds I Key := {n ∈ N : n ≤ N } \ I test will be used for key generation.For simplicity, assume that I Key contains the first m := |I Key | rounds that can be used for key generation (this can be assumed without loss of generality, as we always find some bijective map that reorders the set).After this step, Alice holds a key string X := (x 1 , ..., x m ).
4) In the simplest case, Bob applies a key map to obtain his key string Z = (z j ) j∈IKey .He maps each of his measurement outcomes y l for rounds l ∈ I Key to an element in a finite set {0, ..., N St − 1}. .

4*)
In a more sophisticated version of the protocol, Bob is allowed to additionally perform postselection, that is, he can discard certain rounds according to some rule.He applies a modified key map to obtain his key string Z = (z j ) j∈IKey .He adds an additional symbol ⊥ to his finite set {0, ..., N St −1, ⊥}, and maps discarded rounds to ⊥ while kept rounds are treated as described in 4).
5) After having sent and transmitted a block of symbols, Alice and Bob perform classical error correction.For example, as considered in the present paper, Bob may transmit information about his key string and Alice corrects her key string according to his information, which is called reverse reconciliation (since the information flow is the opposite direction to the quantum signals sent).The error correction routine used cannot be expected to work perfectly, but with an efficiency of 0 ≤ β ≤ 1.After finishing the error correction, Alice and Bob use almost universal hash functions to upper-bound the probability that the error correction phase has failed.They omit the key if the hash values do not coincide and restart the key generation process 6) Finally, Alice and Bob apply privacy amplification algorithms to reduce Eve's knowledge about their common information by omitting parts of their shared key, for example, by using seeded randomness extractor algorithms.
A. Practical choices for the number of signal states Recent works on protocols with phase-shift keying modulation [10,14,15,26,27] have focused on protocols with two, three or four signal states.Since there is no obvious upper limit on the number of signal states, we generalized an analytical security proof [8] for loss-only channels to an arbitrary number of signal states (for details, see Appendix A) to investigate the effect of varying N St .
For the key map in step 4) of the protocol, we divide the phase space into N St equally sized wedges and associate each wedge with an element in the set {0, ..., N St − 1}.
We examined the effect of different numbers of signal states and depict our findings in Figure 2. There, we plot the secure key rate as function of the distance for 4, 8, 16 and 32 signal states.For each distance, the coherent state amplitude α is optimized.Although our approach is not restricted to powers of 2, similarly to classical communication, only 2 NSt states can be mapped directly to N St bits; for other values the generation of binary keys is significantly more complicated.Furthermore, it turned out to be sufficient and practical to find the maximal number of signal states N St that still increase the secure key rate noticeable.Our results show that using eight PSK signal states increases the secure key rate considerably compared with the QPSK protocol for loss-only channels, while increasing the number of signal states further has no significant impact on the secure key rate.Additionally, for comparison, we added the secure key rate for protocols with Gaussian modulation [28][29][30][31].The gap in the secure key rate between PSK and Gaussian modulation can be explained by the additional amplitude modulation for Gaussian protocols.Hence, higher key rates than with discretely modulated CV protocols can be obtained with a combination of phase and amplitude modulation, for example, by adding signals on a second circle with a radius greater than |α|.

B. Phase shift keying with four or eight signal states and postselection
Since doubling the number of signal states quadruples the dimension of the problem (see Footnote [32] for a more detailed discussion), backed by our finding in the previous subsection, we focus on protocols with four and eight signal states (arranged on one circle with arbitrary but fixed radius |α|) with our numerical method, as we do not expect a significant improvement of the secure key rate for noisy channels as well.Constellations with additional amplitude modulation are left for future work.
In what follows, we motivate and discuss postselection for QPSK and 8PSK protocols and describe the key maps of the resulting protocols.

Motivation for the postselection strategies
It is well known that the bit error rate (BER) is a major source for key rate reduction in DM CV-QKD at higher distances.In Figure 3, we plot the contour lines of the bit error probability for a four-state protocol without noise.Since adding noise increases the probability of bit errors further, in reality, we expect even higher bit error rates near the axes.Based on this observation, it seems reasonable to discard certain measurement results before proceeding with the key-generation process on the remaining ones.This is known as postselection.Optimally, a postselection strategy which omits signals in regions bounded by lines similar to the contour lines in Figure 3 would be chosen.It would be subject to optimization to determine the exact parameters of the boundary.Unfortunately, for computational and numerical reasons, it is not possible to calculate secure key rates for postselection areas with this shape directly.Therefore, inspired by the bit error probability contour plot, we consider simplified postselection schemes which remove measurement results close to the axes.Technically, this is realized by adding an additional symbol (⊥) to the key map which is assigned whenever a signal lies within the discarded area.A more detailed explanation of the BER, its calculation and a discussion of numerical and computational reasons for working with simplified postselection strategies can be found in Appendix B.

Description of protocols with postselection
For protocols with postselection, we proceed with step 4*) of the protocol description above.Based on our considerations in the previous subsections, in the rest of the paper we focus on protocols with four or eight signal states (see Figure ?? for a sketch in phase space).As outlined above, choosing postselection regions bounded exactly by a contour line of the bit error probability is not feasible.Instead, we consider postselection strategies that discard signals close to the (symmetry) axes of the protocol.We consider the following three different postselection strategies: The corresponding areas associated with the logical symbols are illustrated in Figure 5.We note that initially we also examined angular postselection for 8PSK, but we did not observe an increase in the secure key rate.A more formal description of the postselection areas can be found in Appendix D 1. Setting ∆ r = ∆ a = 0 in a) or ∆ c = 0 in b) results in the same protocol QPSK without postselection (noPS).Likewise, setting in c) ∆ r = 0 results in the protocol 8PSK without postselection (8noPS).Furthermore, we note that, in contrast to [14], we rotated the signal states for QPSK protocols by π/4 in the p,qplane such that they are not located on the axes but on the diagonals.This is in accordance with the constellation of the signal states in classical QPSK schemes and makes it easier to consider cross-shaped postselection.As outlined in the protocol description, postselection can be introduced by modifying the key map.Mathematically, the key map is included in the postprocessing map G, which is part of the objective function of the present optimization problem (see Equation ( 3)).In the upcoming section, we give analytical expressions for the so-called region operators, which represent the key map within the frame of the present security proof method.For details about how exactly the region operators are used to calculate secure key rates, we refer to Appendix D.

C. Region operators for the untrusted detector
We start with the untrusted detector scenario for QPSK protocols.As Bob performs heterodyne measurement of the incident quantum states, the positive operator-valued measure (POVM) of an ideal, untrusted homodyne detector has the form {E γ = 1 π |γ γ| : γ ∈ C} [33].Then, the measurement operators, called region operators, corresponding to the symbol z = k, k ∈ {0, 1, 2, 3}, are defined by As we later approximate the infinite-dimensional problem by a problem living in a finite-dimensional Fock space, we express the region operators in the number basis, Then, once it comes to numerical treatment, we may replace the upper limit in the sums by the cutoff number N c (see Section II) .It remains to find expressions for the matrix elements n|R ra z |m in Equation ( 6) and n|R c z |m in Equation (7).We show in Appendix E that they can be calculated analytically and have the form where By a similar calculation with adapted angular integration, we obtain for the present 8PSK protocol where now z ∈ {0, ..., 7}.

D. Region operators for the trusted detector
In this section we give analytical expressions for the region operators in the trusted detector scenario.Since we mainly discuss only trusted detectors for QPSK protocols, we derive the operators only for protocols with four signal states.However, the radial and angular case can be generalized easily to N St states.
Similarly, for G y , the POVM corresponding to the trusted detector (see Equation (D7)), we need to express the region operators for the trusted noise scenario in the number basis, We show in Appendix F that the coefficients for the trusted noise scenario have the form where C n,m := We note that [24] derives an expression for nonrotated signal states (i.e., signal states lying on the axis) for the case with only radial postselection, relying on Taylor series expansion.In contrast, our result for the radial and angular-case is more general, as it additionally includes angular postselection.Furthermore, we give a direct expression that does not require Taylor series coefficients.Again, both results have been validated with numerical solutions of the relevant integrals with MATLAB™, version R2020a.Furthermore, for the sake of completeness, we give analytical expressions for the Fock-basis representation of the first-and second-moment observables FQ , FP , ŜQ , ŜP in Appendix F 3.
Not relying on numerical integration is not only significantly faster but also more accurate and eliminates integration errors, which have not been considered in the security analysis so far.
The main advantage of cross-shaped postselection over radial and angular postselection is its simplicity since it can be described by merely one parameter (∆ c ) while the radial and angular strategy requires two parameters (∆ r , ∆ a ).Therefore, the parameter space for optimizations for radial and angular postselection is twice as large as the parameter space for cross-shaped postselection.Furthermore, depending on just one parameter, makes it easier to grasp the influence of postselection on the raw key (see Section V B 2).

IV. DETAILS AND OPTIMIZATION OF THE IMPLEMENTATION
In this section, we comment briefly on the details and parameters of our implementation.The numerical method used is explained in Section II (and a more detailed explanation can be found in Appendix C).In Appendix D we derive analytical expressions for operators used to model the problem.We note that the usage of the analytical expressions instead of numerical solutions of the integrals is highly recommended, as (1) the time saving even for small systems is formidable, (2) the numerical precision is higher, and (3) the influence of errors due to numerical integration on the key rate has not yet been considered, representing a gap between the security proof and its numerical implementation.The coding is carried out in MATLAB™, version R2020a, and we used CVX [34,35] to model the linear SDPs that appear in step 1 and step 2 of the method and employed the MOSEK solver (Version 9.1.9)[36] as well as SDPT3 (Version 4.0) [37,38] to conduct the SDP optimization tasks.It turned out that the line search at the end of every (modified) Frank-Wolfe step, can be solved efficiently by bisection.
We found an initial value required to start the Frank-Wolfe algorithm in two different ways.The first method utilizes the SDP solver, where we formulate the problem exactly as in Equation ( 3) but replace the target function by f (ρ) = 1.Then, the SDP solver returns a density matrix that satisfies all constraints, hence lying in the feasible set S. The second method uses a model for a two-mode Gaussian channel (see [39]) with excess noise ξ and transmittance η to calculate a density matrix on Bob's side, given Alice's density matrix.The first method is faster, in particular for systems with cutoff numbers N c = 10 and larger.On the other hand, the second method is numerically more stable and yields density matrices with only positive eigenvalues, even for very 'exotic' parameter regimes (e.g., very low ξ, very high L), where solver imprecisions cause slightly negative eigenvalues for the first method.
Unless mentioned otherwise, we used the cutoff number N c = 12 for QPSK protocols and N c = 14 for 8PSK protocols, which turned out to be an ideal compromise between accuracy and computation speed for most of the reasonable parameter inputs.A more detailed discussion of that choice can be found in Appendix G. Therefore, all infinite-dimensional operators and quantities are replaced by their finite-dimensional representations in Fock spaces of size N c .For example, the upper limit of the sum appearing in the Fock representation of the region operators is replaced by N c .The maximal number of Frank-Wolfe steps for QPSK protocols is chosen between N FW = 30 and N FW = 150, and for 8PSK protocols between N FW = 30 and N FW = 200, depending on the system parameters applied.In general, N FW is chosen as small as possible under the condition that the bound obtained for the key rate does not improve significantly for higher values of N FW .We used FW = 10 −7 for the threshold of the Frank-Wolfe algorithm and ˜ = 10 −11 for the perturbation.
In the present work, we performed all calculations with the following model for the transmittance, η = 10 −0.02L .That is a transmittance of -0.2 dB or about 95.5% per kilometer, which is realistic for practical implementa- tions.Recall, that both the excess noise ξ and the electronic noise ν el are measured in shot noise units.Unless mentioned otherwise, we work with a reconciliation efficiency of β = 0.95.
Secure key rates in the present paper are obtained by optimizing over |α| and ∆ r , ∆ c or ∆ r and ∆ a respectively (depending on postselection strategy).In general, |α| is varied in steps of 0.05 in the interval |α| ∈ [0.4,1.2] for QPSK and in the interval |α| ∈ [0.7, 2.0] for 8PSK protocols.For given transmission distance, the interval can be narrowed down significantly (see discussion in Section V A).The postselection parameters are varied in steps of 0.025 in the intervals ∆ c ∈ [0, 0.45], ∆ r ∈ [0, 0.70] and ∆ a ∈ [0, 0.35], unless mentioned otherwise.
In Appendix A, we validate our implementation by comparing it with analytical results for loss-only channels.We observe that steps 1 and 2 (hence, the upper and lower bounds obtained on the secure key rate) are separated only by negligible gaps.Therefore, in the rest of the work we omit the curves for step 1 and plot only step 2, which is the relevant (lower) bound, for the sake of clarity.

V. RESULTS
Recall that throughout the paper we work with a reconciliation efficiency of β = 0.95, unless mentioned otherwise, and measure the excess noise ξ in shot noise units.

A. Optimal coherent state amplitude
Before we investigate the influence of postselection, we enquire about the influence of |α| on the secure key rate, as the optimal choice of the postselection parameter might heavily depend on the chosen |α|.In Figure 6 we investigate the optimal choice of the coherent state amplitude |α| for both QPSK and 8PSK protocols and an excess noise level of ξ = 0.01 and compare the results with the analytical prediction for ξ = 0 (see Appendix A for details).We note that, according to our observations, the optimal coherent state amplitudes for ξ = 0.02 do not differ significantly from those for ξ = 0.01.We examined transmission distances up to 180km for QPSK and up to 250km for 8PSK.Since in the latter case both the values of the analytical prediction and the results of our numerical investigation remain constant for transmission distances higher than 80km and 160km respectively, we omit the part of the plot exceeding 180km.As expected, the optimal coherent state amplitude for noisy channels is slightly lower than that for a loss-only channel.We observe that the optimal choice for the coherent state amplitude decreases with increasing transmission distance, hence with increasing losses.This is in accordance with our expectations, as for high channel losses, Eve can theoretically receive a much stronger signal than Bob (Eve is assumed to extract Alice's signal right after leaving her lab).Hence, the amplitude has to be small for high transmission distances to keep Eve's advantage as small as possible.
The QPSK-values for 20, 50, 80 and 100km match the values reported by [14] for a similar protocol with rotated signal states.For example, they report optimal values of about 0.78 for 20km and 0.66 for 80km while we obtained 0.80 and 0.65, respectively.Within the frame of the accuracy of our coarse-grained search with steps of ∆ |α| = 0.05 this coincides with our results.Furthermore, we observe that there are only minor differences between the optimal values found for different values of excess noise.Therefore, we can later limit the search for |α opt | to a restricted interval around the optimal coherent state amplitude, obtained from the noiseless case.

B. Postselection strategies in the untrusted detector scenario
In this section we present numerical results and findings for the so-called untrusted detector scenario in which Alice and Bob attribute any detector imperfection to the channel which is under Eve's control.Without loss of generality we assume in this section ideal detectors with efficiency η d = 1 and zero electronic noise.However, untrusted, nonideal detectors can easily be modeled by multiplying the channel transmission by the detector efficiency η d , and adding the detector noise to the channel noise.Therefore, for example, curves in key rate versus transmission distance plots will be shifted to the left for Secure key rates for the untrusted detector scenario without postselection (reference curve), as well as for radial, cross-shaped, and radial and angular postselection for ξ = 0.01.The noPS curve is equivalent to the results in [14].Furthermore, we plotted relative differences (right y axis) between the secure key rates obtained with different postselection strategies and secure key rates obtained without performing postselection.
nonideal detectors compared with ideal detectors.
1. Secure key rates for QPSK and 8PSK In this section, we examine optimal postselection strategies for QPSK and 8PSK protocols and compare their performance for transmission distances up to 200km.Our numerical examinations showed that the optimal coherent state amplitudes obtained without performing postselection (see Section V A) remain optimal or very close to optimal with nonzero postselection parameters.Therefore, all data points in this section represent key rates optimized over the coherent state amplitude α and the postselection parameter(s) corresponding to the chosen postselection strategy.The optimizations over the postselection parameters are carried out as finegrained searches in steps of 0.025.
We first examine four-state protocols.In Figure 7 we plot the calculated (lower bounds on the) secure key rate for three different postselection strategies (rPS, cPS, raPS).Recall that radial postselection (rPS) is the special case of radial and angular postselection (raPS) where ∆ a = 0. Therefore, the key rates obtained by radial postselection are always lower or equal to the key rates obtained by radial and angular postselection.However, since radial postselection is the best-known postselection strategy for QPSK protocols, we plot the curves for radial postselection separately to enable better comparison and to highlight the outperformance of radial and angular postselection and cross-shaped postselection over radial postselection.On the secondary (right) y axis, we plot the relative improvements of the examined postselection strategies compared with the secure key rates obtained without performing postselection (noPS).Note that the (black) noPS curve is equivalent to the secure key rates without postselection reported in [14] for the same four-state protocol with both signal states and key map rotated by π/4.It can be observed that performing radial postselection improves the secure key rate only slightly by about 10%, while radial and angular postselection performs similar to radial postselection up to distances of 60km.For longer transmission distances, radial and angular postselection shows a clear outperformance which increases with increasing distance, leading to a relative improvement of 88% at 170km for the radial and angular strategy compared with the no postselection scenario.For distances less than 60km the optimal angular postselection parameter ∆ a is zero, which explains why there is no improvement compared with radial postselection for short distances.Finally, the cross-shaped postselection strategy does not improve the secure key rates for distances up to 50km (as the optimal cross-shaped postselection parameter ∆ c = 0) and performs comparably to the radial and angular scheme for longer transmission distances.
Next we study how the picture changes when we increase the number of states from four to eight.In Figure 8, we compare the secure key rates obtained for the 8PSK protocol with those for the QPSK protocol for two different values of excess noise (ξ = 0.01 and ξ = 0.02) and without performing postselection.In Figure 8a we chose the reconciliation efficiency β to be 0.90, while in Figure 8b β is 0.95.The results for noisy channels confirm our observations for loss-only channels in Figure 2 as the secure key rates for the 8PSK protocol in all scenarios are clearly higher than those for the QPSK protocol.The relative improvement for ξ = 0.01 and β = 0.95 is between 60% and 95% (depending on the transmission distance) while for ξ = 0.01 and β = 0.90 the relative differences are between 45% and 70%.The advantage of 8PSK increases even more for higher values of excess noise, as the secure key rates for QPSK begin to drop steeply at 160km (for β = 0.95) and at 130km (for β = 0.90) while the secure key rates for the 8PSK protocol remain stable.Additionally, this results in longer achievable maximal transmission distances with the 8PSK protocol than with the QPSK protocol for those cases where the QPSK key rates drop.
Similar to the four-state protocol, the secure key rates for the 8PSK protocol can be improved further by applying additional postselection.For 8PSK protocols our considerations focus on the radial scheme.This is because we selectively examined the influence of additional angular postselection and did not observe a significant impact for eight signal states.Since the computational effort of our numerical method is already very high for the eight-state protocol, we therefore did not investigate angular postselection parameters ∆ a > 0 for all data points.In Figure 9, we plot the secure key rates obtained with radial postselection (8rPS) and without postselection (8noPS) for two different values of excess noise (ξ = 0.01 and ξ = 0.02) for fixed reconciliation efficiency of β = 0.95.The secondary y axis represents the relative difference between the secure key rates with and without postselection for fixed excess noise.We observe a moderate improvement in the medium to long singledigit percent range for short transmission distances and up to 28% for medium to long transmission distances (and ξ = 0.01).Furthermore, it is remarkable that the protocol with 8rPS is able to generate nonzero secure key rates for transmission distances up to at least 250km.
Finally, we summarize the results of our investigations in Figure 10, where we plot the best postselection strategy for four-state protocols, which is radial and angular postselection (raPS), and the best postselection strategy for eight-state protocols, which is radial postselection (8rPS).For reference, we also plot the curve representing the achievable secure key rate for the four-state protocol obtained without performing postselection.Note that, again, this curve corresponds to the results reported in [14] for a rotated version of the four-state protocol examined.Therefore, the relative differences plotted in Figure 10 display the improvements achieved in the present work.As described earlier, performing radial and angular postselection for the four-state protocol increases the secure key rate considerably, compared with not performing any postselection, where the advantage increases with increasing transmission distances, peaking at an outperformance of 88% for 170km and 180km.Recall that the cross-shaped postselection strategy performs comparably, in particular for medium to long transmission distances.However, for clarity, we plotted only the results for radial and angular postselection.The secure key rates for eight signal states with radial postselection are between 80% and 100% higher than those for four signal states without performing postselection.We observe that the relative advantage of 8PSK with radial postselection over QPSK without postselection remains approximately stable over the examined range for the transmission distance L, while the advantage of QPSK with radial and angular postselection over QPSK without postselection increases with L. For distances greater than 140km QPSK with radial and angular postselection (as well as QPSK with cross-shaped postselection) performs comparably to 8PSK with radial postselection.Thus, for high transmission distances, the advantage of a higher number of signal states can be compensated by a suitable postselection strategy.This is relevant both from a theoretical and an applied point of view: On the one hand, calculating the secure key rates for a higher number of signal states is computationally costly.On the other hand, preparing coherent states which differ in phase by a smaller angle with high accuracy is experimentally more challenging.Both tasks can be circumvented by introducing radial and angular (or cross-shaped) postselection to a four-state protocol which requires only minor software adaptations and can be implemented easily.

Dependency of the secure key rate on the probability of passing the postselection step
In step 5) of the protocol, Alice and Bob perform error correction to reconcile their raw keys and obtain keys which are identical.This task, in general, is complicated and computationally expensive and therefore often a bottleneck in many practical implementations.
To address this issue, we examine the influence of postselection on the fraction of the raw key which passes the postselection phase (i.e., the fraction of the raw key which has to be error-corrected).We begin with the QPSK protocol, where we fix the excess noise at ξ = 0.01 and the coherent state amplitude |α| = 0.70 and examine transmission distances of L = 50km and L = 100km.Note that, according to Figure 6, |α| = 0.70 is the optimal value for 50km and very close to the optimal choice for 100km.We compare radial postselection and crossshaped postselection since both strategies depend merely on one postselection parameter (in contrast to radial and angular postselection, which depends on ∆ r and ∆ a ).We varied the postselection parameters in the intervals ∆ r ∈ [0, 2] and ∆ c ∈ [0, 1.125] in steps of size 0.025 and plotted the secure key rate achieved against the probability of passing the postselection phase p pass .Note that 1 − p pass corresponds to the fraction of the raw key which is removed by the postselection procedure.In Figure 11  we plot our results for two different values of the reconciliation efficiency β ∈ {0.90, 0.95}.For L = 50km (see Figure 11a), we observe that the maximal secure key rate is achieved with radial postselection (which confirms our earlier results that for short distances rPS yields slightly higher key rates than cPS) at p pass = 0.75, while the cross-shaped postselection strategy increases monotonically, reaching its maximum at p pass = 1, that is, for the case without postselection (which, again, confirms our earlier results in Section V B 1 that the optimal choice at 50km is ∆ c = 0).For p pass 40% radial postselection yields slightly higher secure key rates than the cross-shaped scheme .
We discover the opposite for L = 100km (see Figure 11b), where the cross-shaped postselection strategy yields higher secure key rates than the radial scheme, which, again, is in accordance with our earlier results in Section V B 1. The cross-shaped strategy obtains its maximum at p pass ≈ 0.55, while the (much lower) maximum of the radial postselection scheme is obtained at p pass = 0.80.Note, that using the cross-shaped postselection strategy increases the secure key rates by about 35% although the raw key is reduced by almost 50% (i.e., the part of the raw key which has to be error-corrected is halved compared with the protocol without postselection)!This shows the clear advantage of the cross-shaped over the radial postselection scheme, where the raw key is only reduced by 20%, while the secure key rate increases by merely 10%.
Assume we aim to obtain the same secure key rate as without performing postselection (corresponding to p pass = 1) while removing as much raw key as possible.For L = 100km, performing radial postselection can remove about 53% of the raw key without decreasing the secure key rate while with cross-shaped postseletion 77% of the raw key can be removed such that merely 23% of the raw key need to be error corrected (see dashed lines in Figure 11b).
With the aim of reducing the data that has to be errorcorrected drastically, this idea can be taken even further.To reduce the raw key by, for example, 80% (or even more) the cross-shaped postselection scheme yields higher key rates than the radial scheme for both transmission distances examined, L = 50km and L = 100km.For 100km and cross-shaped postselection, the secure key rates obtained are even almost equal to those obtained without postselection, while the key rates for the radial scheme are clearly lower.Since, according to earlier examinations, the cross-shaped strategy remains superior for higher transmission distances, we expect similar results for all L ≥ 50km.This shows the clear advantage of cross-shaped postselection, in particular for medium to long transmission distances, and the potential application to reduce the data that has to be error-corrected.
For the 8PSK protocol and radial postselection, we investigated the secure key rates for L = 50km and |α| = 0.90 (which is the optimal choice for 50km) for four different values of excess noise ξ ∈ {0.01, 0.02, 0.03, 0.04} and two different values for the reconciliation efficiency β ∈ {0.90, 0.95}.In Figure 12 we plot the achievable secure key rates for β = 0.95 against the probability of passing the postselection for QPSK modulation (Figure 12a) and for 8PSK modulation (Figure 12b).Qualitatively similar curves are obtained for β = 0.90 (not shown).
We observe that the secure key rates obtained with 8PSK modulation are in all scenarios clearly higher than those for QPSK modulation, confirming our earlier results.For both modulation schemes, the maximal secure key rate is obtained at lower p pass for increasing excess noise, indicating that the advantage of postselection increases with increasing noise.The curves in Figure 12 again motivate various strategies to increase the achievable secure key rate maximally and/or reduce the secure   key rate significantly, similarly to our QPSK discussion.
We summarise the key rates, associated with various scenarios for both modulation schemes, both reconciliation efficiencies, and four different values of excess noise in Tables I -III.For β = 0.90 and ξ = 0.04 the secure key rates for QPSK modulation are zero, therefore the corresponding table entries are empty.

C. Postselection strategies in the trusted detector scenario
It is a well-known fact (and has been confirmed in the previous subsection; see, for example, Figs. 12b  and 8) that high noise levels negatively influence the secure key rate, as well as the maximum distance.If noise sources are assumed not to be under Eve's control ('trusted noise') we expect higher key rates for systems than for systems with the same overall noise level, where we cannot trust any noise.In this section we examine our three different postselection strategies in the trusted noise scenario with nonideal detectors for QPSK protocols.We expect a similar relation between QPSK and 8PSK results to that already seen in the previous section, hence we only investigate QPSK to avoid redundancies.To reduce the number of parameters in the presentation and to simplify the analytical results, we chose η q = η p =: η d = 0.72 and ν q = ν p =: ν el = 0.04 in our detector model (see also Footnote [40]) which correspond to early-stage data of an experimental CV-QKD system of the Austrian Institute of Technology.
The parameter |α| is optimized via coarse-grained search in steps of 0.05 and it turned out that the optimal value of the coherent state amplitude |α| in the untrusted detector scenario (cf. Figure 6) and in the trusted detector scenario is identical.In what follows, we fix the reconciliation efficiency β = 0.95 and examine two different levels of excess noise ξ ∈ {0.01, 0.02}.In Figure 13a (ξ = 0.01) and, Figure 13b (ξ = 0.02) we display the secure key rates obtained for all three postselection strategies and without postselection (noPS), as well as the relative differences to the key rates obtained without postselection (right y axis).For reference, we additionally added curves representing the secure key rates for untrusted detectors with the same overall noise level (so, ξ = 0.05 for Figure 13a and ξ = 0.06 for Figure 13b) and detector efficiency η d = 0.72.
Similarly to our examinations for untrusted detectors, we observe a clear outperformance of the cross-shaped and radial and angular scheme over no postselection and the radial postselection strategy.For ξ = 0.01 (see Figure 13a) the radial postselection strategy performs about 10% better than no postselection, while the cross-shaped and radial and angular scheme perform clearly better for distances greater than 80km, peaking at relative improvements of 72% and 79% respectively for a transmission distance of 180km.These advantages intensify for ξ = 0.02 (see Figure 13b), where cross-shaped and radial and angular postselection improve the secure key rates by factors of up to 7-9.
For both levels of excess noise, we observe a clear improvement in the secure key rate for trusted detectors over those for untrusted detectors with the same overall noise level, in particular, compared with the no postselection and radial postselection curves for untrusted detectors, where the key rate curves drop steeply already at short transmission distances.In contrast, the secure key rates for untrusted detectors with radial and angular postselection remain nonzero up to 150km.We observe that in the untrusted scenario, the optimal angular postselection parameter is nonzero for distances greater than 20km for ξ = 0.05 and greater than 15km for ξ = 0.06, compared with 80km (for ξ = 0.01 and ν el = 0.04) and 70km (for trusted detectors with ξ = 0.02 and ν el = 0.04).This can be seen in Figure 13, where the difference between the dotted blue line and the solid blue line decreases slightly between 20km and 80km (Figure 13a) and between 15km and 70km (Figure 13b).Higher untrusted noise requires postselection already at shorter transmission distances, as expected.It is remarkable that for an overall noise level of ξ = 0.06 the curve for the untrusted detector scenario with radial and angular postselection performs comparably to the trusted curve with radial postselection for transmission distances of 120-150km.Therefore, we conclude that in some scenarios radial and angular postselection for untrusted detectors yields key rates comparable with that for trusted detectors without or with radial postselection.Note that if we do not trust any noise, the security statement obtained is stronger.We expect similar results for cross-

FIG. 13.
Secure key rate versus transmission length L for different postselection schemes and with detector parameters η d = 0.72 and ν el = 0.04 and reconciliation efficiency β = 0.95.Dotted lines represent the key rates without trusting any noise, obtained with the same overall noise level (trusted plus untrusted noise) and the same total loss (for the same transmission distance) as the solid curves.We plotted relative (dot-dashed lines) differences between the trusted key rates obtained with radial postselection, cross-shaped postselection and radial and angular postselection, where the reference is the trusted secure key rate obtained without postselection, on the right y axis.
Although we conducted our analysis in the asymptotic limit, we are confident that our ideas apply as well to the finite-size regime.There are several techniques known to establish security against general attacks (providing security against collective attacks has been proven) [41][42][43].These methods have the potential to lift our analysis.However, since finite-size analysis against general attacks is not the focus of the present paper, more detailed in-vestigations are left for future work.

VI. CONCLUSIONS
In this work, we have adapted and improved the numerical security analysis of [14] and analyzed and optimized continuous-variable quantum key distribution (CV-QKD) protocols with phase-shift keying (PSK) modulation with and without postselection.We have shown that having more than eight signal states does not lead to a significant improvement in the secure key rate, and thus have concentrated on QPSK and 8PSK modulation.
Our examinations for untrusted ideal detectors (Section V B) have shown that for protocols with four signal states, both radial and angular postselection and crossshaped postselection increase the secure key rate considerably compared with not performing postselection and perform clearly better than radial postselection.For low noise levels (ξ = 0.01), using cross-shaped or radial and angular postselection, the secure key rates can be improved by up to 70-80%, while for medium noise (ξ = 0.02) the secure key rates can be enhanced by up to 800%.
The key rates for the 8PSK protocols without or with radial postselection, are always superior to the key rates for the QPSK protocol with the same postselection strategy.The improvement is about 80% for transmission distances up to 200km and low noise and up to 300% for medium to high noise levels, in particular, for longer transmission distances, where the QPSK key rates drop.However, radial and angular and cross-shaped postselection for QPSK perform comparably to 8PSK with radial postselection for long transmission distances, in particular for medium to high noise.This highlights that for certain scenarios, proper postselection, which is easy to implement, can have the same effect on the secure key rate as increasing the number of signal states, which is more challenging from an experimental point of view.
For trusted, nonideal detectors (Section V C) effects of postselection similar to those for untrusted detectors could be observed.Radial and angular postselection and cross-shaped postselection increase both the key rate and the maximal achievable transmission distance.We have compared the secure key rates in the trusted and untrusted detector noise scenarios with the same overall noise level.Secure key rates of protocols using radial and angular postselection and untrusted detectors are comparable to those without postselection but trusting the detectors.Therefore, postselection can achieve comparable secure key rates with weaker security assumptions.
Postselection can reduce the computational bottleneck in error correction for CV-QKD (Section V B 2) because it can be used to reduce the length of the raw key (i.e., the data that has to be error corrected).Within this context, we showed that cross-shaped postselection is superior to radial postselection and pointed out how postselection can be applied to practical problems.
Finally, we wish to highlight that postselection can be implemented easily both in new and existing QKD systems since it does not require additional hardware.Therefore, the aforementioned advantages can be utilized in any QKD system with PSK modulation.can be calculated directly.Inserting these values in the Devetak-Winter formula yields the secure key rate for lossonly channels.The maximal achievable secure key rate is then obtained by optimizing R ∞ over α while holding the transmission distance constant.
2. Analytical vs. numerical secure key rates We compared the theoretical model for a loss-only channel (ξ = 0) presented in the previous section to our numerical implementation for very low noise (ξ = 10 −5 ).We had to choose a low but non-zero ξ to guarantee numerical stability.We fixed the photon-cutoff number to be N c = 12 for the QPSK protocol and N c = 14 for the 8PSK protocol.While data points with low coherent state amplitude |α| could have been calculated with a lower cutoff number, states with high coherent state amplitudes demand higher cutoff numbers to obtain reliable and tight results for the secure key rate.This is plausible since states with high coherent state amplitude have a high average photon number, hence it requires more photon states to represent those states properly.A brief discussion about the choice of the photon-cutoff can be found in Section G.
We examined the achievable secure key rate for transmission distances between 0 and 180km by varying the coherent state amplitude in steps of ∆ |α| = 0.05.In Figure 14, we plot the obtained upper (step 1) and lower bounds (step 2) on the secure key rates for four different transmission distances.It can be observed that the gaps between the upper and lower bounds are very small, indicating tight key rates.Therefore, we may omit the curves for step 1 in the present paper and plot only step 2, which is the relevant (lower) bound, to improve lucidity.The maxima of the curves in Figure 14 represent the maximal achievable secure key rates and match perfectly with the predictions of the aforementioned analytical model.Note that the maximal secure key rate for L = 50km is about ten times higher than the maximal secure key rate for L = 100km, which meets the expectation for channel losses of 0.2dB/km.
In Figure 15a, we compare the optimal coherent state amplitude obtained by analytical calculations with those obtained by our numerical implementation.The analytical coherent state amplitude was found by fine-grained search over different |α| for fixed transmission distance L in steps of 0.005.We observe an excellent agreement for both four-and eight-state protocols.In Figure 15b, we compare the theoretical prediction for the secure key rate with our numerical lower bound.Again, we observe an excellent accordance between our results and the analytical prediction with only minor deviations of less than 1% (QPSK) and of less than 0.5% (8PSK) for all data points except those for the lowest and highest transmission distance displayed, where the deviations are slightly higher.This can be explained by small numerical instabilities for very low and very high transmission distances at low values of excess noise.We did not observe such effects for practical values of excess noise.Summing up, our numerical results are very satisfying and meet the predictions by the analytical model excellently.(b) Optimal analytical secure key rates for various modulation schemes and numerical lower bounds on the secure key rates for QPSK and 8PSK for transmission distances up to 180km.The displayed lower bounds on the secure key rates (step 2) were obtained by optimizing over |α|.The relative differences refer to the differences between numerical and analytical results for the same modulation scheme.
FIG. 15.Comparison between analytical prediction and numerical results for the secure key rate (almost) without noise and without performing postselection.The analytical curves were obtained by performing a fine-grained search in steps of ∆ |α| = 0.005 (red line) and the numerical results were obtained by numerical calculations and fine-grained search in steps of ∆ |α| = 0.02 (blue dots).The investigation shows that optimal coherent state amplitudes obtained by numerical calculation match perfectly with the analytical prediction and that the obtained secure key rates coincide with high accuracy.
by γ i .Then, the feasible set can be reformulated as where the first part represents the subspace fixed by the constraints, and the second part represents the free subspace.Finally, the present minimization problem (with objective function f ) in every Frank-Wolfe step reads [13] ω = arg min ω j∈J and the next iterate can be obtained by where λ ∈ [0, 1] can be found by a line-search to speed-up the algorithm (or set to 1 otherwise).For λ = 2 k+2 , it is known [45] that the Frank-Wolfe algorithm with target function k , where ρ * is the optimal solution and ρ k is the k-th iterate.As performing a line-search includes the case of λ = 2 k+2 , the Frank-Wolfe algorithm combined with a line-search is known to converge at least at that rate.For our application, we observed that the Frank-Wolfe algorithm with additional line-search converges considerably faster.As mentioned earlier, for our implementation we used the bisection method.

Obtaining a tight lower bound on the key rate
The second step aims to convert the upper bound, obtained in step 1, into a lower bound.We only state the basic idea, following [13], where step 2 is justified by a sequence of three theorems.
The basic idea of step 2 is to convert every upper bound on the secure key rate for a feasible ρ, obtained from step 1, into a lower bound on the secure key rate by linearisation and solving the dual problem of the occurring semidefinite program.Therefore, both step 1 and step 2 involve the evaluation of the gradient of f , which might not exist for every ρ (e.g., if G has not full rank).To address this issue, a perturbed map is introduced, where 0 < ˜ < 1 and Computational evaluations and differences between the exact constraints and their representation due to finite precision can introduce little numerical errors in the secure key rate calculations and therefore have to be taken into account for a reliable security proof.Let us denote the computer representation of variables with tildes, for example, Γi is the representation of Γ i .It is shown in [13] that if the constraints are satisfied up to some small number ∈ R, ∀i ∈ I : Tr Γi ρ − γi ≤ , the following statement holds.
The set S * (σ) is given by S for four-state protocols and for k ∈ {0, ..., 7} in the case of eight signal states.Here, the superscript labels the chosen postselection strategy, and the subscript labels the symbol we associate with the defined set.Note that the radial postselection-scenario is included in the radial and angular case by setting ∆ a = 0 and the no postselection scenario is included in both schemes by setting all postselection parameters to zero.Therefore, we do not need to define separate sets for the radial scheme and for no postselection.
For trusted detectors, we cannot use the POVM of ideal detectors any more.Hence, we have to replace E y in Equation (D2) by a POVM corresponding to the aforementioned detector model.In [24] the following POVM elements have been derived, where D is the displacement operator and ρ th (n) denotes a thermal state with mean photon number n.
Finally, the pinching channel Z is given by Hence, we have completely specified the objective function f (ρ).We refer to Section III D for our explicit analytical expressions for the region operators for untrusted ideal detectors, as well as to Section III C for our explicit analytical expressions for the region operators for trusted nonideal detectors for each of the proposed postselection strategies.The detailed derivations are given in Appendix E (untrusted) and Appendix F (trusted).Using these analytical expressions instead of calculating the matrix elements for the region operators numerically increases the accuracy of our results, speeds up the whole algorithm considerably and eliminates the (so-far not considered) influence of inaccuracies of numerical integration on the secure key rate.

Channel model
It remains to specify the right-hand sides of the constraints of the present optimization problem.Therefore, we simulate the quantum channel connecting Alice and Bob as a phase-invariant Gaussian channel with transmittance η and excess noise ξ, which is a common model for optical fibres.The right-hand sides of the constraints can be found similarly to [14], where the expectation values for QPSK states on the axes are calculated using Husimi-Q-functions.The rotation in the phase space that transforms the arrangement of the states on the axes to our 'QPSK-like' constellation does not lead to significant changes in that approach.Furthermore, this idea can be generalized easily to N St signal states.Recall that we measure the excess noise in multiples of the shot noise.The expectation values read q x = 2η (α x ), (D9) for x ∈ {0, ..., N St − 1}, where α x is a complex number associated with the coherent state Alice prepares.Note that n and d are related to the second-moment observables q2 and p2 .Therefore, the constraints for n x and d x can be replaced by expressions for q2 x and p2 x .For trusted detectors, the POVM, given in Equation (D7), is used to define first-and second-moment observables Appendix E: Fock state representation of region operators for the untrusted noise scenario Here, we present the explicit calculations leading to to the matrix representations of the region operators with respect to the Fock basis, as stated in Section D 1.Both for the calculation of the radial and angular and the cross-shaped postselection strategy, the projection of a coherent state with amplitude |α| and phase θ on a number state According to the definition of the incomplete gamma function, the integral in the last line is equal to Γ p+1 2 , k∆ 2 .

Radial&angular postselection
We start with the expression for the region operators given in Equation ( 4) and insert the definition of the sets A ra 0 , A ra 1 , A ra 2 and A ra 3 from (D4), e iθ(n−m) dθ.
The radial integral can be expressed by the incomplete gamma function Γ(x, a) using the integral given in Equation (E3).Similarly, the corresponding expression for the 8PSK radial and angular protocol can be obtained, where only the angular integral has to be adapted accordingly.
where we inserted the expression for G y from Equation (F1) in the last line.For the second equality we inserted the sum representation of the Laguerre polynomials (F2) and for the third equality we used the binomial theorem to express (x 2 + y 2 ) j as sum.Both the integrals over x and y are of the same form as discussed in Equation (E3), therefore we obtain For the second equality we inserted the sum representation of the Laguerre polynomials (F2) and for the third equality we used the binomial theorem twice; first, to express (x 2 + y 2 ) j as sum and second, to write (x − iy) m−n as a sum too.Again, the occurring integrals are of the form given in Equation (E3).Therefore, we obtain (F6) Similarly to the cross-shaped postselection in the untrusted scenario, we observe that the integral for m = n contains only even powers of x and y.Hence, this part is not affected by sign-changes in the boundaries of the occurring integrals.In contrast for n < m we have odd powers of x and y, so we expect additional powers of −1 in the expressions for n|R c, tr (F7)

First-and second-moment observables
For the sake of completeness, we give explicit number-basis representations of the first-and second-moment observables, defined in equations (D13-D16).We note that [24] gives explicit representations in the appendix, too, which again depend on the coefficients of some Taylor expansion.In contrast to, we give explicit expressions and solve the integrals similar to our calculations for the region operators in the preceding sections.In what follows, we give only expressions for n ≤ m, as all operators need to be Hermitian, hence k| Ô|l = l| Ô|k gives the missing matrix elements.
We start with FQ , whose matrix elements with respect to the number basis are given by

FIG. 1 .
FIG.1.Sketch of the realistic (nonideal) QKD experiment, where on Bob's side we depict the physical model of an imperfect, trusted, noisy heterodyne detector (for ideal detector, remove the blue and light-red beam splitter).We denote the local oscillator by LO and the random number generator in Alice's lab with RNG.

1)
Alice prepares for every n ≤ N one out of N St coherent states |Ψ n = |α|e i (2k+1)π N St corresponding to the symbol x n = k, where |α| > 0 (arbitrary but fixed) is the coherent state amplitude and k ∈ {0, ..., N St − 1}, according to some probability distribution (see Figure ??).In the present work, this is chosen to be the uniform distribution.This

FIG. 3 .
FIG. 3. Contour-plot of the expected bit error rate for heterodyne measurement without noise for the QPSK protocol for coherent state amplitude |α| = 0.8.
a) QPSK radial and angular Postselection (raPS): Fix some 0 ≤ ∆ r ∈ R and 0 ≤ ∆ a ∈ R and determine Bob's key string according to Figure 5a.Note that radial postselection (rPS) is the special case where we set ∆ a = 0. b) QPSK cross-shaped Postselection (cPS): Fix some 0 ≤ ∆ c ∈ R and determine Bob's key string according to Figure 5b.c) 8PSK radial Postselection (8rPS): Fix some 0 ≤ ∆ r ∈ R. Bob obtains his key string as shown in Figure 5c.

FIG. 4 .
FIG. 4. Key maps for QKSP protocols with (a) radial and angular postselection, (b) cross-shaped postselection and (c) radial postselection for the 8PSK protocol.Bob's measurement outcomes γ ∈ C that are in one of the blue-shaded areas are dropped (i.e., are assigned the symbol ⊥).The remaining outcomes are assigned bit values that are associated with the corresponding areas.∆r is the radial and ∆a is the angular postselection parameter, and ∆c denotes the parameter for the cross-shaped postselection strategy.
FIG. 5. Key maps for QPSK protocols with a) radial and angular postselection and b) cross-shaped postselection and c) for radial postselection for the 8PSK protocol.Bob's measurement outcomes γ ∈ C that are in one of the blue-shaded areas are dropped, i.e., are assigned to the symbol ⊥.The remaining outcomes are assigned to the bit-values that are associated with the corresponding areas.∆r is the radial-and ∆a is the angular postselection parameter and ∆c denotes the parameter for the cross-shaped postselection strategy.

2 FIG. 6 .
FIG.6.Optimal choice of the coherent state amplitude |α| for ξ > 0 obtained by coarse-grained search compared with predicted optimal choice of loss-only channel for QPSK and 8PSK protocol.As our results for ξ = 0.01 and ξ > 0.01 do not differ significantly, we plot only the data points for ξ = 0.01 to improve clarity.In what follows, we use these optimal values for |α|.
FIG. 7.Secure key rates for the untrusted detector scenario without postselection (reference curve), as well as for radial, cross-shaped, and radial and angular postselection for ξ = 0.01.The noPS curve is equivalent to the results in[14].Furthermore, we plotted relative differences (right y axis) between the secure key rates obtained with different postselection strategies and secure key rates obtained without performing postselection.

FIG. 8 .
FIG.8.Comparison of the secure key rates for the 8PSK and QPSK protocol without postselection for ξ = 0.01 and ξ = 0.02 and two different values for the reconciliation efficiency β ∈ {0.90, 0.95}.The (red) QPSK curves in (b) are equivalent to the results in[14].

FIG. 10 .
FIG.10.Comparison of the best postselection strategies for both modulation schemes for ξ = 0.01 and β = 0.95.Note that the (black) QPSK key rate curve without postselection is equivalent to the results in[14].

FIG. 12 .
FIG.12.Secure key rate versus the probability of passing the postselection phase ppass for radial postselection and four different values of excess noise and a fixed transmission distance of L = 50km.The underlying data are calculated by varying the postselection parameter ∆r in the interval [0, 2.15] with a step size of 0.025.The reconciliation efficiency is fixed to β = 0.95.

2 (
E1)    or, in Cartesian coordinates, |α|e iθ = x + iy,x + iy|n = e − x 2 +y 2 .This relation is obtained readily by expressing the coherent state in the number basis and applying the inner product with |n .Before we start with the calculation, we derive an integral that occurs multiple times in the following derivations.For p > 0 and k > 0 we have can be seen using the substitution z := kγ 2 e −z dz.

2 Γ 2 , a∆ 2 c
As the region operators have to be Hermitian, we do not need to calculate the matrix elements for n > m separately.Summing up, we found for R c, tr 0= n,m |n m| n|R cl + k+1 2 , a∆ 2 c Γ j − l + m−n−k+1

z 2 , a∆ 2 c
|m , z ∈ 1, 2, 3 compared with n|R c, tr 0 |m .By similar considerations as carried out in Section E 2, we obtainD(0) k,m,n = (−1) m−n−k , D(1) k,m,n = (−1) m−n D(2) k,m,n = (−1) k , D(3) k,m,n = 1,where D(z) m,n,k denotes the power of −1 that occurs in the expression for the region operator z.Note that we have already included the factor (−1) m−n−k , which occurs in the expression for all z.We define D (z) m,n,k := D(z) m,n,k i m−n−k and obtain for R c, tr z = n,m |n m| n|R c, tr z |m the representation with respect to the number basis n|R ck,m,n Γ l + k+1 2 , a∆ 2 c Γ j − l + m−n−k+1

TABLE I .
Maximal achievable secure key rate for QPSK and 8PSK protocols at L = 50km with radial postselection for four different values of excess noise and two values for the reconciliation efficiency.The values of ppass at which the maximal secure key rate is obtained are given in parenthesis.

TABLE III .
Relative change in the secure key rate when omitting 70% of the raw key compared with the secure key rate obtained without performing postselection for two different values of β, four different values of excess noise and L = 50km.