Continuous-variable quantum cryptography with discrete alphabets: Composable security under collective Gaussian attacks

We consider continuous-variable quantum key distribution with discrete-alphabet encodings. In particular, we study protocols where information is encoded in the phase of displaced coherent (or thermal) states, even though the results can be directly extended to any protocol based on finite constellations of displaced Gaussian states. In this setting, we provide a composable security analysis in the finite-size regime assuming the realistic but restrictive hypothesis of collective Gaussian attacks. Under this assumption, we can efficiently estimate the parameters of the channel via maximum likelihood estimators and bound the corresponding error in the final secret key rate.

In this work, we provide a finite-size composable proof of the security of discrete-alphabet CV-QKD protocols, under the assumption of collective Gaussian attacks [39] (and, in particular, collective entangling cloner attacks [4,40], which result in a realistic thermal-loss channel between the remote parties). While the general arguments apply to any discrete alphabet, we focus on the case of phase-encoded coherent (or thermal) states, which are displaced in phase space to create regular constellations at a fixed distance from the vacuum state. Our techniques combine tools from Refs. [41-44].
The assumption of collective Gaussian attack is used for the purpose of parameter estimation, for which we follow the approach of Refs. [41,42]. The composable proof is then obtained by adapting the methods developed in Refs. [43,44] for protocols with Gaussian modulation. In particular, we adapt an expression developed for CV-MDI-QKD [44] to the case of one-way QKD protocols.
The manuscript is organized as follows. In Sec. II, we describe the discrete-alphabet (phase-encoded) QKD protocol, for which we discuss the asymptotic security analysis. In Sec. III, we discuss parameter estimation in the presence of finite-size effects and, in Sec. IV, we provide the key rate of the protocol in the composable security framework. Sec. V is for conclusions.

II. ASYMPTOTIC SECURITY OF A PHASE-ENCODED PROTOCOL
In a generic phase-encoded CV-QKD protocol with $N$ states, Alice randomly chooses between $N$ coherent states $\alpha \exp(i2k\pi N^{-1})$ with $\alpha \geq 0$ and $k = 1, \ldots, N-1$ (so that the classical label $k$ is chosen with probability $P_k = N^{-1}$). More generally, she prepares her mode $A$ in one of $N$ displaced thermal states $\rho_{A|k}$ with amplitudes $\alpha_k := \alpha \exp(i2k\pi N^{-1})$, each with a fixed mean number of photons $\bar{n}_{\text{th}}$. In terms of quadrature operators $\hat{x}_A := (\hat{q}_A, \hat{p}_A)^T$, Alice's conditional thermal state has mean value and covariance matrix (CM) $V_{A|k} = (\nu_{\text{th}} + 1)I$, where $\nu_{\text{th}} = 2\bar{n}_{\text{th}}$ and $I$ is the bidimensional identity matrix. The signal state $\rho_{A|k}$ travels through a Gaussian (thermal-loss) channel which is under the full control of Eve. This is described by transmissivity $\tau$ and injected thermal noise $\omega \geq 1$. This channel can always be dilated into an entangling cloner attack [39], where Eve has a two-mode squeezed-vacuum (TMSV) state $\rho_{Ee}$ with zero mean $\bar{x}_{Ee} = (0, 0, 0, 0)$ and CM In particular, mode $E$ is mixed with Alice's travelling mode $A$ in a beam splitter with transmissivity $\tau$ described by the symplectic matrix After the interaction, modes $E'$ and $e$ are kept in a quantum memory for an optimal final measurement that takes into consideration all the classical communication between the parties. For each use of the channel, Eve's and Bob's conditional output state $\rho_{BE'e|k}$ has mean and CM given by At the output, assume that Bob applies heterodyne measurement with outcome $(q_B, p_B)$ (the analysis can be easily adapted to the case of switching homodyne detections). Then, Eve's doubly-conditional state $\rho_{E'e|kq_Bp_B}$ has CM [46-48] while the probability of the outcome is given by with $\Omega := 2 + \tau\nu_{\text{th}} + (1 - \tau)(\omega - 1)$. Setting with $\beta \geq 0$ and $\theta \in [-\pi N^{-1}, \pi N^{-1}]$, we obtain Integrating over for $\beta$ and for $\theta$, we derive which can be calculated numerically. Here $l$ is Bob's estimator of Alice's encoding variable $k$.
Using Bayes' formula we may write and compute the residual entropy The mutual information between the variables $k$ and $l$ is given by In reverse reconciliation (RR), Eve's information on $l$ is bounded by the Holevo quantity where $\rho_{E'e} := \sum_l P_l \rho_{E'e|l}$ is non-Gaussian, and the conditional state $\rho_{E'e|l}$ is calculated by using the replacement of Eq. (8) in the Gaussian state $\rho_{E'e|kq_Bp_B}$ and averaging over the probability $P_{k\beta\theta|l}$, i.e., we have Thus, the asymptotic secret key rate in RR is given by where $\xi$ is the reconciliation efficiency. Note that some simplifications may be employed to compute the Holevo quantity of Eq. (14). Using the optimality of Gaussian states, we can replace $S(\rho_{E'e}) \leq S(\rho^G_{E'e})$, where $\rho^G_{E'e}$ is a Gaussian state with the same CM as $\rho_{E'e}$. Then, we could also use the concavity of the von Neumann entropy $S(\sum_x P_x \rho_x) \geq \sum_x P_x S(\rho_x)$, holding for any ensemble of states $\{P_x, \rho_x\}$. In this way, from Eq. (15), we see that we can bound the conditional entropic term as follows Because the CM of the Gaussian state $\rho_{E'e|\beta\theta lk}$ does not depend on the variables $\beta$, $\theta$, $l$, $k$ (while the mean value does), from Eq. (17) we then have $S(\rho_{E'e|l}) \geq S(\rho_{E'e|\beta\theta lk})$ and finally $\sum_l P_l S(\rho_{E'e|l}) \geq S(\rho_{E'e|\beta\theta lk})$. The entropy of $\rho_{E'e|\beta\theta lk}$ can be computed from the symplectic spectrum of its CM $V_{E'e|\beta\theta lkl}$. Also note that the CM $V_{E'e}$ of the average state $\rho_{E'e}$ can be computed from the statistical moments $\bar{x}_{E'e|\beta\theta kl}$ and $V_{E'e|\beta\theta lkl}$ (see Appendix A for more details).

III. CHANNEL PARAMETER ESTIMATION
The asymptotic rate in Eq. (16) is a function of Alice's encoding parameters, i.e., $\alpha$, $N$ and $\nu_{\text{th}}$, together with the channel parameters, i.e., $\tau$ and $\omega$, or equivalently $\tau$ and $\varepsilon$, where $\varepsilon := \tau^{-1}[(1 - \tau)(\omega - 1)]$ is the excess noise. In order to estimate the parameters of the channel, Alice and Bob sacrifice $m$ signal states (note that the parameter estimation can also be postponed until after the error correction stage, in which case the parties can use almost all their data for both parameter estimation and key generation). By communicating their outcomes for these $m$ signals, Alice and Bob can compute estimators for $\tau$ and $V_\varepsilon := \tau\varepsilon$ and the corresponding confidence intervals. They can then choose worst-case parameters to be used in the computation of the key rate in Eq. (16).
Therefore, assume that Alice reveals the encoding $k$ of $m$ signal states out of a block of $M = m + n$ signal states. For $m$ sufficiently large, we have that $m/N$ can be chosen to be an integer. Bob will have samples $B_{ki}$ for $i = 1, \ldots, m/N$ associated with a specific encoding $k$ of Alice. Because we assume heterodyne detection, the discussion of the $\hat{q}$ and $\hat{p}$ quadratures is symmetric. In the $\hat{q}$ quadrature, Bob's sampled q-quadratures $B_{ki}$ can be described by the following stochastic variable where $q_{\text{th}}$ is Alice's preparation noise with variance $\nu_{\text{th}} + 1$, $q_E$ is Eve's noise variable with variance $\omega$, and $q_h$ is the noise variance due to Bob's heterodyne measurement. The variable $q_{B_k}$ is Gaussian with mean and variance We can then create maximum likelihood estimators for the mean value and variance of $q_{B_k}$ starting from the samples $B_{ki}$. In fact, we may write The mean value and variance of the estimator $q_{B_k}$ are given by since $B_{ki}$ can be considered to be i.i.d. variables (in a collective Gaussian attack). Note that the estimator $q_{B_k}$ can be replaced by its expected value $E(q_{B_k})$ due to the fact that its variance in Eq. (24) vanishes for $m \gg 1$. Thus, we can write the variance estimator $V^{\text{no}}_k$ in Eq. (22) as The term inside the brackets follows a standard normal distribution with zero mean and unit variance. Therefore, the sum term follows a chi-squared distribution with mean equal to $m/N$ and variance $2m/N$. Consequently, for the mean and variance of the estimator $V^{\text{no}}_k$ we obtain Based on the estimator $q_{B_k}$ we can build an estimator for the transmissivity The estimator $q_{B_k}$ is the sample mean of $B_{ki}$ and as such follows a Gaussian distribution.
We can then express the above equation with the help of the chi-squared variable as follows This estimator of the transmissivity has mean and variance equal to Var (τ k ) := σ 2 k = 2V no N mα 2 cos 2 (2kπ/N ) Since there will be other estimators corresponding to the other values of Alice's encoding $k$, we can create an optimal linear combination of them with variance [42] So far, we have used only samples from the q-quadrature of Bob's outcomes. Similar relations will hold for the p-quadrature. Combining all the available q- and p-samples, the optimal linear estimator $\hat{\tau}$ of the transmissivity will have variance In fact, for large $m$, we can approximate all the $2N$ estimators $\hat{\tau}_k$ to have Gaussian distributions with the same mean and variance $\sigma_p^2 = \sigma_q^2$. As a result, the global estimator $\hat{\tau}$ is a Gaussian variable with the same mean and variance equal to $\sigma^2$. Now, assuming an error $\epsilon_{\text{CPE}} = 10^{-10}$ for channel parameter estimation (CPE), we have to consider a 6.5 standard deviation interval for $\tau$. This means that the worst-case value for the transmissivity is equal to Starting from $V^{\text{no}}_k$ we may also define an estimator for the excess noise. Solving Eq. (21) with respect to $V_\varepsilon$, we obtain Then the mean and variance of this estimator are given by The variance of the optimal linear combination $V_\varepsilon$ of all the estimators $V_{\varepsilon k}$ (also considering the p-quadrature) is given by Based on the assumption of large $m$, we approximate the distribution of each $V^{\text{no}}_k$ to be Gaussian. As a result, the distribution of $V_\varepsilon$ is Gaussian with the same mean and variance given by $s^2$ above. Assuming an error $\epsilon_{\text{CPE}} = 10^{-10}$, we obtain the 6.5 confidence intervals for $V_\varepsilon$. Therefore, the worst-case value is given by Using the worst-case values $\tau_{\epsilon_{\text{CPE}}}$ and $V^{\epsilon_{\text{CPE}}}_\varepsilon$, we can write a finite-size expression of the key rate $R = R(\tau, V_\varepsilon)$ of Eq. (16) which accounts for the imperfect parameter estimation and the reduced number of signals. This is given by replacing
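The estimation procedure of this section, sketched as an added example (not code from the paper) that uses only the q-quadrature. It assumes shot-noise units in which a coherent state of amplitude $\alpha_k$ has mean quadrature $2\alpha\cos(2k\pi/N)$ and Bob's heterodyne outcome has mean $\sqrt{\tau/2}$ times that value and variance $\Omega/2$; the estimator variances are the large-$m$ (delta-method) approximations under that model, and all function names and channel values are constructed for illustration.

```python
import math, random
from statistics import NormalDist, fmean

def confidence_factor(eps_cpe):
    """Two-sided Gaussian quantile w with P(|z| > w) = eps_cpe."""
    return -NormalDist().inv_cdf(eps_cpe / 2)

def simulate_bob(k, count, alpha, N, tau, v_eps, nu_th, rng):
    """Constructed data: Bob's heterodyne q outcomes for revealed symbol k."""
    mean = math.sqrt(tau / 2) * 2 * alpha * math.cos(2 * math.pi * k / N)
    v_no = (2 + tau * nu_th + v_eps) / 2  # Omega / 2 (assumed signal model)
    return [rng.gauss(mean, math.sqrt(v_no)) for _ in range(count)]

def worst_case_parameters(samples, alpha, N, nu_th=0.0, eps_cpe=1e-10):
    """samples[k]: Bob's q outcomes for symbol k, equal counts per symbol."""
    m = sum(len(s) for s in samples.values())
    w = confidence_factor(eps_cpe)
    tau_terms, v_nos = [], []
    for k, s in samples.items():
        q_hat = fmean(s)                              # ML estimator of the mean
        v_no = fmean([(x - q_hat) ** 2 for x in s])   # ML estimator of the variance
        v_nos.append(v_no)
        c = 2 * alpha * math.cos(2 * math.pi * k / N)
        if abs(c) > 1e-9:  # symbols with cos = 0 carry no information on tau
            tau_k = 2 * q_hat ** 2 / c ** 2
            var_k = 8 * tau_k * v_no / (len(s) * c ** 2)  # delta method
            tau_terms.append((tau_k, var_k))
    inv = sum(1 / v for _, v in tau_terms)
    tau_hat = sum(t / v for t, v in tau_terms) / inv  # inverse-variance weights
    sigma = math.sqrt(1 / inv)
    v_no_hat = fmean(v_nos)
    v_eps_hat = 2 * v_no_hat - tau_hat * nu_th - 2    # from V_no = Omega / 2
    s_dev = math.sqrt(8 * v_no_hat ** 2 / m + (nu_th * sigma) ** 2)
    return {"tau_hat": tau_hat, "sigma": sigma,
            "v_eps_hat": v_eps_hat, "s": s_dev,
            "tau_worst": tau_hat - w * sigma,         # pessimistic: lower tau
            "v_eps_worst": v_eps_hat + w * s_dev}     # pessimistic: higher noise

def demo(seed=7):
    rng = random.Random(seed)
    N, alpha, tau, v_eps = 4, 2.0, 0.5, 0.02  # constructed channel values
    samples = {k: simulate_bob(k, 100_000, alpha, N, tau, v_eps, 0.0, rng)
               for k in range(N)}
    return worst_case_parameters(samples, alpha, N)

if __name__ == "__main__":
    print(demo())
```

With $\epsilon_{\text{CPE}} = 10^{-10}$ the quantile evaluates to about 6.47, which is the 6.5 standard deviation interval quoted above.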

IV. COMPOSABLE SECURITY
Our approach for the composable security of the protocol is based on tools of Refs. [43,44]. Let us suppose that the block size is $M = n + m$, where $n$ signals are used for key generation and $m$ signals for parameter estimation. The total number of secret key bits that can be extracted from Bob's variable $l$ is given by where $H^{\epsilon_s}_{\min}(l|E'e)_{\rho^n_{E'e}}$ is the smooth min-entropy of Bob's variable $l$ conditioned on Eve's quantum systems $E'e$, which are described by the global state $\rho^n_{E'e}$ in Eve's hands after successful error correction (EC). The term $\text{leak}_{\text{EC}}(n, \epsilon_{\text{EC}})$ accounts for the bits that are lost during the reconciliation process. Parameter $\epsilon$ is related to the probability that the protocol is not secure, while $\epsilon_s$ is the smoothing parameter, and $\epsilon_{\text{EC}}$ is associated with the error in the EC routine.
Under a collective attack, Eve's state before EC can be considered to be a tensor product state $\rho^{\otimes n}_{E'e}$. However, this is no longer true after EC. In fact, if the EC routine is successful (with probability $p$), Eve's state undergoes the transformation where $\Pi_{\text{EC}}$ is a suitable projector. Assuming that the protocol is not aborted (with probability $1 - p$), it is then secure with probability $\epsilon/p$. Theorem 1 in Ref. [44] states that we can still bound the number of secret bits by computing the smooth min-entropy over the tensor product state $\rho^{\otimes n}_{E'e}$ (before EC), provided that we replace the smoothing parameter as $\epsilon_s \to \frac{2}{3}p\epsilon_s$ and we reduce the number of bits by $\log_2(p - \frac{2}{3}p\epsilon_s)$. Then, we can also use the conditional von Neumann entropy of $\rho_{E'e}$ instead of the conditional smooth min-entropy of $\rho^{\otimes n}_{E'e}$ to approximate the previous bound. This is based on the asymptotic equipartition property (AEP), stating that the conditional smooth min-entropy of $\rho^{\otimes n}_{E'e}$ is larger than or equal to $n$ times the conditional von Neumann entropy of $\rho_{E'e}$ minus a correction term $\sqrt{n}\Delta_{\text{AEP}}$ [49]. This term depends on the smoothing parameter $\epsilon_s$ and the number of phase-encoded signals $N$; it can be bounded by $\Delta_{\text{AEP}} \leq 4\left(\frac{1}{2}\log_2 N + 1\right)\log_2(2/\epsilon_s^2)$. (43) In turn, the conditional von Neumann entropy can be written in terms of the von Neumann entropy and the quantum mutual information, with further simplifications in the presence of a classical variable $l$. In fact, we have where $H(l)$ is the Shannon entropy and $\chi(E'e : l)$ is the Holevo bound. We can then make the following replacement in terms of the mutual information $I(k : l)$ and the reconciliation parameter $\xi \in (0, 1)$. Thanks to these manipulations, the expression of the asymptotic secret key rate $R = \xi I(k : l) - \chi(E'e : l)$ appears in the bound of Eq. (41). We explicitly have Finally, we replace with the worst-case value of the rate $R_{\epsilon_{\text{CPE}}}$ from Eq. (40), which comes from the fact that the channel parameters are estimated as in Sec. III with associated error $\epsilon_{\text{CPE}}$. Accounting for this and the ratio $n/M$ due to parameter estimation, we write the rate

V. CONCLUSION AND DISCUSSION
In this work, we have studied the finite-size composable security of a discrete-alphabet CV-QKD protocol under the assumption of collective Gaussian attacks. This assumption is realistic because the standard model of loss and noise in optical quantum communications is the memoryless thermal-loss channel, which is dilated into a collective entangling cloner attack, i.e., a specific type of collective Gaussian attack. Our analysis extends previous asymptotic analysis under collective attacks to the finite-size and composable regime, but simultaneously pays the price of being restricted to Gaussian attacks. Removing this assumption is the subject of future investigations.
Since our analysis applies not only to displaced coherent states but also to displaced thermal states, it can be useful for studying the security of phase-encoded protocols at frequencies lower than the optical. It is also worth stressing that our derivation, described for phase-encoded signals, can immediately be extended to any configuration or constellation of displaced Gaussian states (e.g., coherent, thermal or squeezed), besides the fact that it also applies to CV-QKD protocols based on the Gaussian modulation of the amplitudes of Gaussian states (e.g., coherent, thermal or squeezed). As a matter of fact, the formalism of Sec. IV does not change. This is heavily based on Ref. [43] and the following simplification [44], originally developed for CV-MDI-QKD, that we have suitably adapted to the case of one-way QKD protocols. The most crucial part is the finite-size rate $R_{\epsilon_{\text{CPE}}}$, which can always be estimated, under the assumption of collective Gaussian attacks, by using maximum likelihood estimators and their confidence intervals, i.e., adopting simple variations of the technique in Sec. III. In this way, the finite-size rate $R_{\epsilon_{\text{CPE}}}$ can always be expressed in terms of the asymptotic key rate $R$ of the specific protocol under consideration via the transformation in Eq. (40).
Let us assume that where $\rho_{A|k}$ are Gaussian states with CM $V_{A|k}$ and mean value $\bar{x}_{A|k}$, chosen with probability $P_k$. By using the linearity of the trace operation, the CM of the average state $\rho_A$ will be given by For the component $\rho_{A|k}$ we may write and replace in Eq. (A5), so that we find which expresses the CM of the average state $\rho_A$ in terms of the statistical moments of its components $\rho_{A|k}$.
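The relation described above, applied to Alice's phase constellation and combined with the Gaussian entropy bound of Sec. II, as an added example (not code from the paper). It uses the standard mixture formula $V = \sum_k P_k (V_k + \bar{x}_k \bar{x}_k^T) - \bar{x}\bar{x}^T$ and the single-mode entropy function of the symplectic eigenvalue, and it assumes shot-noise units in which a coherent state of amplitude $\alpha_k$ has mean quadratures $2\,\mathrm{Re}\,\alpha_k$ and $2\,\mathrm{Im}\,\alpha_k$; function names are illustrative.

```python
import math

def constellation_means(alpha, N):
    """Mean (q, p) of each symbol; assumes vacuum variance 1, so mean = 2*alpha_k."""
    return [(2 * alpha * math.cos(2 * math.pi * k / N),
             2 * alpha * math.sin(2 * math.pi * k / N)) for k in range(N)]

def average_state_cm(means, probs, cms):
    """CM of sum_k P_k rho_k: sum_k P_k (V_k + x_k x_k^T) - xbar xbar^T."""
    xbar = [sum(p * x[i] for p, x in zip(probs, means)) for i in range(2)]
    return [[sum(p * (V[i][j] + x[i] * x[j])
                 for p, x, V in zip(probs, means, cms)) - xbar[i] * xbar[j]
             for j in range(2)] for i in range(2)]

def h(nu):
    """Von Neumann entropy (bits) of a mode with symplectic eigenvalue nu >= 1."""
    if nu <= 1 + 1e-12:
        return 0.0  # pure state
    a, b = (nu + 1) / 2, (nu - 1) / 2
    return a * math.log2(a) - b * math.log2(b)

def gaussian_entropy_one_mode(cm):
    """For one mode the symplectic eigenvalue is sqrt(det V)."""
    det = cm[0][0] * cm[1][1] - cm[0][1] * cm[1][0]
    return h(math.sqrt(det))

def alice_entropy_bound(alpha, N, nu_th=0.0):
    """CM of Alice's average state and the Gaussian upper bound on its entropy."""
    means = constellation_means(alpha, N)
    cm_k = [[nu_th + 1, 0.0], [0.0, nu_th + 1]]  # V_{A|k} = (nu_th + 1) I
    cm = average_state_cm(means, [1 / N] * N, [cm_k] * N)
    return cm, gaussian_entropy_one_mode(cm)

if __name__ == "__main__":
    for N in (2, 4, 8):
        print(N, alice_entropy_bound(1.0, N))
```

For $N = 4$ and $\alpha = 1$ the average state has CM $3I$ and the bound is 2 bits, which is consistent with the $\log_2 N$ limit on the entropy of a mixture of four pure states.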