Numerical Calculations of Finite Key Rate for General Quantum Key Distribution Protocols

Finite key analysis of quantum key distribution (QKD) is an important tool for any QKD implementation. While much work has been done on the framework of finite key analysis, the application to individual protocols often relies on the specific protocol being simple or highly symmetric as well as represented in small finite-dimensional Hilbert spaces. In this work, we extend our pre-existing reliable, efficient, tight, and generic numerical method for calculating the asymptotic key rate of device-dependent QKD protocols in finite-dimensional Hilbert spaces to the finite key regime using the security analysis framework of Renner. We explain how this extension preserves the reliability, efficiency, and tightness of the asymptotic method. We then explore examples which illustrate both the generality of our method as well as the importance of parameter estimation and data processing within the framework.


I. INTRODUCTION
As large scale quantum computers become an actuality, we need to change our cryptographic infrastructure to be safe against attacks which involve adversaries who have such computers at their disposal [1]. One of the cryptographic tools for this change in infrastructure is quantum key distribution (QKD), the security of which will not be threatened by future technological or algorithmic developments [2][3][4][5]. See Ref. [6] for a review of QKD and Refs. [7,8] for recent progress.
A main task of the security analysis is to calculate the secret key rates that can be securely achieved with a given protocol. In analyzing QKD protocols, security proofs are often done first in the asymptotic regime, that is, in the limit of an infinite number of quantum signals being exchanged between a sender and a receiver (traditionally known as Alice and Bob). However, in any realistic implementation of a QKD protocol, Alice and Bob can only have a finite amount of data for characterizing their channel and for performing classical post-processing. It is of practical relevance to prove composable security in the finite regime [9] so that the key generated by QKD with properly evaluated security parameters can be used safely in other cryptographic applications, such as encryption using a one-time pad. Toward this goal, several protocols [10][11][12][13] have been proved to be secure in the finite regime using the ε-security framework expounded in [9,11].
However, analytical methods for calculating the secret key rates are highly technical in both the asymptotic and finite regimes, and they are often restricted to certain protocols with symmetry. To aid the study of more QKD protocols (especially those without symmetry) and also to study side-channel imperfections of protocols, numerical methods [14][15][16][17] based on convex optimization, and specifically semidefinite programming (SDP), have been developed. In particular, the numerical methods in Ref. [15] provide tight and reliable key rates for general finite-dimensional QKD protocols. Nevertheless, all these methods are currently restricted to the asymptotic regime. Thus, it is important to extend numerical methods to the finite regime in order to preserve their advantages.
In this work, we extend the numerical asymptotic key rate calculation method of Ref. [15] to the finite regime. For the finite key analysis, we adopt Renner's framework [9]. Our method retains the advantages of the previous numerical method [15]; that is, it provides a reliable lower bound on the key rate for general finite-dimensional QKD, and the key rate is tight within the framework of [9]. Unlike other works [12,18,19], our method does not make an approximation that leads to a loose bound in the parameter estimation subprotocol for certain cases. Specifically, our method remains tight when the positive operator-valued measure (POVM) used in the protocol has more than two outcomes. This makes our solver applicable to general QKD protocols. Furthermore, we show that, without changing the security parameter of the parameter estimation step, one can decrease the set of states over which one must minimize the key rate in many practical cases. We implement this improvement to the analysis of parameter estimation in our numerical method. Our numerical method can also calculate the finite key rate for protocols that accept a set of observed statistics in the parameter estimation subprotocol. This presents an opportunity that is commonly overlooked, though it is of practical relevance for actual implementations. In summary, we improve the analysis of the parameter estimation subprotocol in finite key analysis and present a reliable, generic numerical method for calculating the finite key rate of QKD protocols represented in finite-dimensional Hilbert spaces.
This paper is organized as follows. In Sec. II, we review background related to finite key analysis, including a review of the finite key analysis framework from Ref. [9]. We then discuss our extension of the numerical method from Ref. [15] to the finite regime in Sec. III. To exemplify the key ideas in our finite key analysis, we apply our method to analyze different variations of the Bennett-Brassard 1984 (BB84) [20] protocol, including the single-photon prepare-and-measure [20], measurement-device-independent (MDI) [21], and discrete-phase-randomized [22] variants in Sec. IV. Finally, we make concluding remarks in Sec. V. We leave technical details to the appendices, including the derivations of the numerical method and certain improved terms in the bound on the key length.

II. BACKGROUND

We start by reviewing the ε-security framework of QKD [9]. QKD is a cryptographic protocol for secret key distribution in which Alice and Bob establish a shared secret key by generating a pair of keys S_A and S_B such that the keys agree (correctness) and are completely unknown to an eavesdropper (secrecy). Neither of these properties can be achieved perfectly, so we instead speak of a QKD protocol which is ε = ε_cor + ε_sec-secure, as it is ε_cor-correct and ε_sec-secret, where the ε's quantify the amount by which the protocol deviates from the ideal property. A QKD protocol is ε-secure if a distinguisher, which is given either the real or the ideal protocol as a black box to test, can guess correctly which protocol it was given with probability at most (1/2 + ε) [23,24]. Formally, a QKD protocol is ε-secure if (1/2)‖ρ_real − ρ_ideal‖₁ ≤ ε, where ‖A‖₁ ≡ Tr√(A†A) denotes the trace norm. The output secret key of an ε-secure QKD protocol has composable security under the abstract cryptography framework [23,24].
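The ε-security definition above can be illustrated numerically. The following sketch (assuming NumPy is available; the two states are toy stand-ins for the real and ideal protocol outputs, not taken from the paper) computes the trace distance (1/2)‖ρ − σ‖₁ between two density matrices, which bounds a distinguisher's advantage:

```python
import numpy as np

def trace_distance(rho, sigma):
    """Trace distance (1/2)||rho - sigma||_1 for Hermitian matrices,
    computed from the eigenvalues of the (Hermitian) difference."""
    eigs = np.linalg.eigvalsh(rho - sigma)
    return 0.5 * float(np.sum(np.abs(eigs)))

# Toy qubit example: a deterministic key bit vs. a uniformly random one.
rho_real = np.array([[1.0, 0.0], [0.0, 0.0]])   # deterministic key bit
rho_ideal = 0.5 * np.eye(2)                     # uniformly random key bit

eps = trace_distance(rho_real, rho_ideal)       # = 0.5 for this pair
p_guess = 0.5 + 0.5 * eps                       # optimal (Helstrom) guessing probability
```

Here the distinguisher can tell the two apart with probability 0.75, matching the (1/2 + ε) bound.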
In an entanglement-based QKD protocol, Alice (or Eve) constructs an entangled state ρ_AB. Alice and Bob then measure their respective halves of ρ_AB. In the case that Alice prepares the state, we refer to the half of the state sent from Alice to Bob as a signal. We note that the entanglement-based description of QKD we use in this section is without loss of generality, as prepare-and-measure protocols are equivalent via the source-replacement scheme [25,26], as will be reviewed in Section III.
When Alice sends signals to Bob, the eavesdropper, traditionally known as Eve, has the chance to perform her attack. There are two classes of attacks generally considered in security analysis: collective and coherent. In both cases one assumes Eve has an unbounded quantum memory, so she can store all her systems indefinitely.
Collective attacks assume Eve uses a new ancillary system to interact with each signal sent by Alice as it is sent across the channel, after which she can measure her ancillary systems collectively whenever she chooses (even after Alice and Bob have completed their protocol). Coherent attacks assume Eve interacts with all of the signals as one large state, after which she can measure whenever she pleases. As Eve interacts with all of the signals as one large state, the signals may be entangled in some arbitrary manner. As coherent attacks are the most general form of attack permitted by quantum mechanics, one ultimately needs to prove security against coherent attacks. With the security and attack models in mind, we can consider which subprotocols of a QKD protocol contribute to its overall ε-security. To aid our discussion, we now describe the steps in a general QKD protocol. Following Fig. 1, without loss of generality, the general QKD protocol can be described as follows:

7. Privacy Amplification: Alice and Bob produce their final keys by using a two-universal hash function on the key map result x (Theorem 5.5.1 of [9]). Privacy amplification ends with Alice and Bob having keys S_A and S_B, respectively.
The subprotocols which contribute to the security parameter ε are parameter estimation, error correction, and privacy amplification. There is also one more source of uncertainty based on how much one 'smooths' the min-entropy, ε. Therefore, using the standard security proof [9,10], we wind up with an ε = ε_PE + ε + ε_EC + ε_PA-secure protocol which is ε_EC-correct and (ε_PA + ε_PE + ε)-secret. Each term may be viewed in the following manner:

1. ε_PE is the probability that the parameter estimation protocol does not abort even though the state which Alice and Bob tested m times is not included in the security analysis.
2. ε is the probability of Eve knowing the key because, for each state ρ_AB feasible according to parameter estimation, Alice and Bob a priori consider the min-entropy of the state ρ̄_AB that maximizes the min-entropy over the set of states ε-similar to ρ_AB.
3. ε_EC is the probability that Alice and Bob do not abort the protocol and yet obtain outputs that differ, i.e., x ≠ x′.
4. ε_PA is the probability that Alice and Bob do not abort the protocol and yet the key is known to Eve because the privacy amplification failed.
We note that each ε term bounds the probability of Eve knowing anything about the key, which one treats as if Eve learned everything about the key. While this interpretation of the bound may seem pessimistic, depending on the data being encrypted with the key, even one bit of the original message being known may be a security threat, and so this is the appropriate security notion [27,28].
With the protocol described and the ε-terms accounted for, we can define the calculation for determining the upper bound on the length of a secret key generated by an ε-secure QKD protocol. We begin by defining the set of density matrices over which one must minimize the key rate, given the choice that Q is a set of frequency distributions within some distance t from a preferred, fixed frequency distribution F̄:

S_μ = { σ ∈ D(H_A ⊗ H_B) : ∃ F ∈ Q such that ‖Φ_P(σ) − N(F)‖₁ ≤ μ },  Q = { F ∈ P(Σ) : ‖F − F̄‖₁ ≤ t },   (1)

where D(H_A ⊗ H_B) denotes the set of density matrices on the Hilbert space H_A ⊗ H_B. The map Φ_P(X) ≡ ∑_{j∈Σ} Tr(X Γ̃_j) |j⟩⟨j| maps density matrices to a register holding the corresponding probability distribution under the POVM {Γ̃_j}_{j∈Σ}. In other words, Φ_P : D(H_A ⊗ H_B) → P(Σ), where P(Σ) denotes the set of probability distributions over the finite set Σ, which we refer to as an alphabet. We refer to Φ_P as the probability map. The map N(X) = ∑_{x∈Σ, y∈Λ} p(y|x) ⟨x| X |x⟩ |y⟩⟨y| is a map N : P(Σ) → P(Λ) according to the conditional probability distribution p(y|x). This is the quantum channel representation of a classical-to-classical channel [29]. By the data processing inequality, one knows that processing data with a map like N can be viewed as throwing out some information. We therefore refer to N as a 'coarse-graining channel' within this work, as will be elaborated in the next subsection. The frequency distributions are denoted by F, F̄ ∈ P(Σ). Throughout this paper we denote POVM elements pertaining to frequency distributions we hold as being susceptible to statistical fluctuations with Γ̃, and observables pertaining to expectations or probabilities we hold certain with Γ. Furthermore, throughout the rest of the paper, when talking about ‖P − F‖₁ or ‖F − F̄‖₁, we will refer to these as the variational distance, as P, F, and F̄ are probability distributions. For this reason we refer to μ as the variation bound and t as the variation threshold.

With the notation in Eqn. 1 accounted for, we see that Q is represented by a set of frequency distributions that have variational distance from a preferred frequency distribution F̄ within the variation threshold t. The other inequality in Eqn. 1 limits the variational distance between the probability distribution induced by σ ∈ D(H_A ⊗ H_B) under the probability map Φ_P and the coarse-graining of some F ∈ Q. In other words, Eqn. 1 determines the set of σ for which, under the map Φ_P, there exists an F ∈ Q such that the distance between Φ_P(σ) and N(F) is at most the variation bound. An in-depth explanation of why this set is what one optimizes over is given in Section II B.
We note that the ‖F − F̄‖₁ ≤ t constraint in Eqn. 1 is a choice in formalizing the set of accepted distributions during parameter estimation, Q. While fundamentally Q may be any set, this threshold about some specific statistics F̄ is a practical choice without much loss of generality, as normally one would accept any probability distribution within some distance from an ideal probability distribution (such as perfectly correlated statistics, or low phase error).
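To make the membership condition concrete, the following sketch (toy qubit POVM, trivial coarse-graining, and all numbers chosen purely for illustration) checks whether a candidate state is certified by a given accepted distribution F:

```python
import numpy as np

# Toy fine-grained POVM on a qubit: Z-basis projectors (illustrative only).
povm = [np.diag([1.0, 0.0]), np.diag([0.0, 1.0])]

def probability_map(rho, povm):
    """Phi_P: density matrix -> outcome distribution under the POVM."""
    return np.array([np.trace(rho @ G).real for G in povm])

def variational_distance(p, q):
    """l1 distance between two probability distributions."""
    return float(np.abs(np.asarray(p) - np.asarray(q)).sum())

F_bar = np.array([0.5, 0.5])   # preferred, fixed distribution
F = np.array([0.52, 0.48])     # an accepted frequency distribution
t, mu = 0.05, 0.10             # variation threshold and variation bound
N = np.eye(2)                  # trivial coarse-graining channel (identity)

rho = np.diag([0.55, 0.45])    # candidate state sigma

in_Q = variational_distance(F, F_bar) <= t                           # ||F - F_bar||_1 <= t
close = variational_distance(probability_map(rho, povm), N @ F) <= mu
in_S_mu = in_Q and close       # rho is certified by this particular F
```

Here ‖F − F̄‖₁ = 0.04 ≤ t and ‖Φ_P(ρ) − N(F)‖₁ = 0.06 ≤ μ, so this state lies in the set for this choice of F.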
We can now present the key rate under the assumption of an independent and identically distributed (i.i.d.) collective attack. We will explain how to lift the collective attack analysis to coherent attacks in Section III E.
Adaptation of Theorem 6.5.1 of [9] for Collective Attacks: Assuming an i.i.d. collective attack, the QKD protocol is ε = ε_PE + ε + ε_EC + ε_PA-secure given that, when the protocol does not abort, the output key is of length ℓ given by the key length bound with the following definitions, where d is the size of the alphabet for Alice and Bob's output key. We note that the variation bound μ differs from the existing literature, as we are not using an entry-wise approximation but rather are bounding the entire variational distance, and previous statements of bounding the variational distance in general had a typo. Our δ(ε) term is smaller than in any other reported work that we know of, as we use the tightest bound in [9] together with the correction noted in Footnote 27 of [10]. We note that leak_εEC as defined is an upper bound on the amount of information leaked during the error-correction step, taking into account the inefficiency of the error correction for realistic block lengths using the parameter f_EC ≥ 1.
In an actual QKD experiment, the information leaked is an experimentally known parameter.We derive all terms which differ from other works in Appendix B.

B. Parameter Estimation
It is important to consider parameter estimation's role in the security proof in greater detail, as it is deceptively simple and is the primary focus of this work's examples. In this section we clarify its role, review how it has been used in previous works, and present a theorem which resolves a standing conceptual issue.
As stated in the previous section, in parameter estimation as presented in the Renner framework [9], Alice and Bob sacrifice m of the signals to get a sequence z = (z_1, z_2, ..., z_m) ∈ Σ^m. From this sequence Alice and Bob construct their frequency distribution F over Σ. If F is in a pre-agreed set of distributions Q, Alice and Bob continue the protocol. Otherwise, they abort.
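This accept/abort step can be sketched directly (pure Python; the sample data, alphabet, and threshold are illustrative, not from the paper):

```python
from collections import Counter

def frequency_distribution(z, alphabet):
    """Empirical frequency distribution F over the alphabet from m samples."""
    counts = Counter(z)
    m = len(z)
    return {s: counts.get(s, 0) / m for s in alphabet}

def accept(F, F_bar, t):
    """Accept iff F lies in Q = {F : ||F - F_bar||_1 <= t}."""
    dist = sum(abs(F[s] - F_bar[s]) for s in F_bar)
    return dist <= t

# Illustrative run: m = 10 test rounds with binary outcomes.
z = [0, 1, 0, 0, 1, 1, 0, 1, 0, 0]
F = frequency_distribution(z, alphabet=[0, 1])   # {0: 0.6, 1: 0.4}
ok = accept(F, F_bar={0: 0.5, 1: 0.5}, t=0.25)   # distance 0.2 <= 0.25
```

With these toy numbers the observed distribution is within the variation threshold, so the protocol continues.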
The ε_PE term in the security statement arises from disregarding any state that would lead to an accepted frequency distribution with probability at most ε_PE. Formally, one could say a state σ is ε_PE-filtered for a given set of measurements {Γ̃_j} by Alice and Bob and set of accepted distributions Q if Pr[Accept|σ] ≤ ε_PE. Here Pr[Accept|σ] is the probability that Alice and Bob accept a frequency distribution which is produced by sampling from σ with the POVM defined in the protocol. This disregarding is necessary, as otherwise Alice and Bob would always have to consider the maximally mixed state and would be unable to generate a key.
One may note that the security statement in parameter estimation is therefore about all statistics which Alice and Bob would accept, as can be formally seen in Eqn. 1. This has been obfuscated in many works on finite key analysis, where the security is always implicitly presented for a protocol in which only one frequency distribution is accepted. We refer to such a protocol as a protocol with unique acceptance, as there is a unique frequency distribution which Alice and Bob will accept. While rigorous, we believe the security analysis of protocols with unique acceptance is not the complete picture, as a protocol which only accepts a single frequency distribution will abort an impractically large fraction of the time.
However, there remains a further conceptual issue in parameter estimation. In parameter estimation's most straightforward implementation, Alice and Bob simply take the outcomes of their joint measurements for some subset of the N signals to get their sequence z and thus their frequency distribution F. We refer to the sequence z as fine-grained data, as it pertains to the most detailed information one can acquire via the measurements permitted by the protocol. However, Alice and Bob could also construct a variety of alternative distributions by coarse-graining the fine-grained distribution F over the alphabet Σ to a distribution F_C over a smaller alphabet Λ. Formally, coarse-graining is simply data processing of F using a conditional probability distribution p_{Λ|Σ}, which can be done with the coarse-graining channel N. Therefore one can construct the coarse-grained statistics F_C and the corresponding effective POVM {Γ̃_C_i}_{i∈Λ} for constructing the probability map using the conditional probability distribution p_{Λ|Σ} by the following two equations:

FIG. 2. Parameter Estimation Visualized: Here we consider parameter estimation for two coarse-grainings. For clarity we consider a protocol with unique acceptance which only accepts F̄. Each coarse-graining of F̄ has its own set S_μk which would correspond to Eqn. 1 for that given coarse-graining. One can see that the POVM and the variation bound μ_k determine the set S_μk. Furthermore, we now see visually how, by considering both coarse-grainings (S_εPE), one can decrease the set of density matrices optimized over for the same security parameter and therefore possibly increase the key rate.

Given the proof method for constructing the set in Eqn. 1, coarse-graining may lead to a better key rate than using just the fine-grained data, as will be shown in Section IV. This would imply that, within the proof method, throwing out information can make one more secure against Eve, which is counter-intuitive. However, in an actual protocol, even when Alice and Bob coarse-grain their statistics, they still have access to the fine-grained data. We would therefore expect that one can construct a set which considers the fine-grained data and the coarse-grained data and maintains the same security statement.² Such a set could only improve the key rate and would resolve the idea that throwing out information can help within this proof method. Here we prove such a set exists by taking the intersection of sets constructed via different coarse-grainings but with the same security promise under the assumption of i.i.d. collective attacks.

² We note that in [12] they considered fine-grained data and coarse-grained data by increasing the security term.

A generalization of this theorem for considering the intersection of any set of sets, {S_k}, such that ∀k the
set's complement, S̄_k, includes only states ξ such that Pr[Accept|ξ] ≤ ε_PE, is straightforward.
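The coarse-graining construction above can be sketched numerically. Here the fine-grained POVM, the state, and the "agree/disagree" coarse-graining are illustrative choices (not the paper's); the sketch checks that coarse-graining the statistics and measuring with the effective coarse-grained POVM give the same distribution:

```python
import numpy as np

# Fine-grained alphabet: four outcomes of a joint Z x Z measurement
# on two qubits (illustrative protocol data).
fine_povm = [np.diag([1.0 if i == k else 0.0 for i in range(4)]) for k in range(4)]

# Coarse-graining p(y|x): map four outcomes to {agree, disagree}.
# Row y, column x; each column sums to 1, so P is a valid classical channel.
P = np.array([[1.0, 0.0, 0.0, 1.0],    # "agree":    00 or 11
              [0.0, 1.0, 1.0, 0.0]])   # "disagree": 01 or 10

# Effective coarse-grained POVM: Gamma_C_y = sum_x p(y|x) Gamma_x.
coarse_povm = [sum(P[y, x] * fine_povm[x] for x in range(4)) for y in range(2)]

rho = np.diag([0.45, 0.05, 0.05, 0.45])            # toy test state
F_fine = np.array([np.trace(rho @ G).real for G in fine_povm])
F_coarse = P @ F_fine                               # coarse-grain the statistics

# Measuring with the effective POVM gives the same coarse distribution:
F_direct = np.array([np.trace(rho @ G).real for G in coarse_povm])
```

The effective elements still sum to the identity, so {Γ_C_y} is a valid POVM.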
Theorem 1 (Security with Multiple Coarse-Grainings). Fix ε_PE > 0. Let Ξ be a finite alphabet indexing the multiple coarse-grainings. For each k ∈ Ξ, let S_μk be the set of Eqn. 1 for the k-th coarse-graining, where F̄ ∈ P(Σ) is used to define the set of accepted statistics, Φ_{P_k} is the corresponding probability map, N_k(X) = ∑_{i,j} p_{Λ_k|Σ}(j|i) ⟨i| X |i⟩ |j⟩⟨j| is the corresponding coarse-graining channel, N̄ is a coarse-graining channel used so that one can abort on statistics that differ from the ones considered for the variation bounds μ_k, and μ_k is determined using Eqn. 4 so that, by Theorem 8, ∀σ ∉ S_μk, Pr[Accept|σ] ≤ ε_PE.

We know by the construction of the sets S_μk (Eqn. 4 and Theorem 8) that every state outside the intersection of the S_μk is ε_PE-filtered. With the preceding theorem, we can define the general set to optimize over:

S_εPE ≡ ∩_{k∈Ξ} S_μk,   (5)

where Ξ is an alphabet for indexing the number of coarse-grainings. Note that F̄ is fixed.
There are two important observations to be made. The first is that, for ρ ∈ S_εPE, one does not need a single F ∈ Q which satisfies all k variation bounds with respect to ρ, but rather a tuple (F_1, ..., F_|Ξ|) ∈ Q^×|Ξ| such that F_k satisfies the k-th variation bound with respect to ρ. This is a property of the proof method we have used, as we intersect the sets. An alternative proof method that only considers one F that satisfies all constraints at the same time remains an open problem. The second observation is that, to define S_εPE, each S_μk being intersected must be defined using a coarse-graining which acts on fine-grained statistics over the same alphabet Σ. Otherwise more testing would be necessary, which would relate to a different set and a different security claim. To visualize Eqn. 5, see Figure 2, which presents Eqn. 5 for a protocol with unique acceptance.

C. Asymptotic Analysis
Lastly, we review how the asymptotic analysis arises from finite key analysis, since the general numerical framework for finite key analysis is an extension of the asymptotic method. This can be seen as follows. Define the asymptotic key rate as R_∞ = lim_{N→∞} ℓ(N)/N. As the total number of signals sent, N, goes to infinity, the number of signals used for parameter estimation, m, will also grow (although an increasingly smaller fraction of the total signals sent will be consumed for parameter estimation). Given Eqn. 4, as the number of signals m increases to infinity, the variation bound μ will go to 0. The fundamental limit for n/N will be the probability that any signal can actually be used for key generation, which we refer to as p_pass. It is then clear that the asymptotic key rate is given by the corresponding limit, where Λ is an alphabet for indexing the constraints.
This statement is equivalent to the well-known Devetak-Winter bound [30], which in this case has been derived from the finite key analysis. Furthermore, as we will see in Section III E, the finite key analysis can be extended to take into account coherent attacks and still achieve this bound in the limit. We can therefore conclude that the asymptotic analysis pertains to coherent attacks. In the expression for asymptotic key rates, the {Γ_i} no longer need to form a POVM, but rather can be any observables in the span of the original POVM elements. This is the case as, in the asymptotic limit, there are no fluctuations, so one can calculate the expectation value of any observable from a linear combination of the probabilities determined by the POVM. Lastly, there exists a numerical method for calculating this key rate using semidefinite programming for general QKD protocols [14,15]. In what follows, we show how to extend this numerical method to the finite key regime so that we can then investigate examples to better understand parameter estimation.
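The claim that μ → 0 as m → ∞ can be illustrated numerically. The exact variation bound used in this paper differs from earlier literature, so the expression below is only an assumed, generic Renner-style form chosen to show the scaling; treat it as illustrative, not as the paper's bound:

```python
import math

def mu_illustrative(m, eps_PE, alphabet_size):
    """An assumed Renner-style variation bound, used only to illustrate
    that mu shrinks as the number of test signals m grows."""
    return math.sqrt((2.0 / m) * (math.log(1.0 / eps_PE)
                                  + alphabet_size * math.log(m + 1)))

# mu decreases toward 0 as m grows, recovering the asymptotic
# (mu = 0, exact-constraint) feasible set in the limit.
mus = [mu_illustrative(m, eps_PE=1e-10, alphabet_size=4)
       for m in (10**3, 10**5, 10**7)]
```

Any bound of this type is monotonically shrinking in m, which is all the asymptotic argument requires.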

III. NUMERICAL METHOD
To determine the key rate for an arbitrary device-dependent QKD protocol using a unified numerical method, it is important to be able to represent all protocols in the same manner. All QKD protocols can be formulated as entanglement-based protocols using the source-replacement scheme. This means that since our numerical framework can handle entanglement-based protocols, it can also handle prepare-and-measure protocols. First we review the source-replacement scheme. We then review the numerical method for asymptotic analysis under this representation. Lastly, we show how to extend the numerical analysis to the finite key regime.

A. Source-replacement Scheme
The source-replacement scheme is a formulation of a prepare-and-measure protocol in the language of entanglement-based protocols. It was first used in the analysis of BB84 [31] and Gaussian CV-QKD [32]. The general method for the equivalence was then expounded in [25,26]. By formulating the prepare-and-measure protocol in the language of entanglement-based protocols, the key rate of the entanglement-based protocol is also the key rate of the original prepare-and-measure protocol.
Imagine a prepare-and-measure protocol in which Alice sends the ensemble {p_x, |ϕ_x⟩}, where p_x is the a priori probability of sending the signal state |ϕ_x⟩. By the source-replacement scheme, it is equivalent for Alice to prepare the entangled state

|ψ⟩_AS = ∑_x √(p_x) |x⟩_A |ϕ_x⟩_S.

Alice first sends Bob's portion of the state, the signal space S, to Bob through a quantum channel E, leading to the resulting joint state

ρ_AB = (id_A ⊗ E)(|ψ⟩⟨ψ|_AS),

where id_A is the identity channel on the A space. After Alice performs a local projective measurement on the A space, she effectively sends |ϕ_x⟩ to Bob with probability p_x, just as in the prepare-and-measure scheme. Consequently, Bob receives the conditional state E(|ϕ_x⟩⟨ϕ_x|). Assume that in the original prepare-and-measure protocol Alice and Bob ended up with a joint probability distribution p(x, b), where b ∈ Σ and |Σ| is the number of POVM elements of Bob's POVM {Γ^B_b}_{b∈Σ}. It follows from the source-replacement scheme that asymptotically it is equivalent for us to constrain ρ_AB by

Tr[ρ_AB (|x⟩⟨x|_A ⊗ Γ^B_b)] = p(x, b)  ∀x, ∀b ∈ Σ,

when minimizing H(X|E) over the set S of compatible states.
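The source-replacement construction can be carried out explicitly for a small example. The sketch below (assuming NumPy; BB84 signal states are used as a standard illustrative ensemble) builds |ψ⟩_AS and checks that tracing out Alice's register recovers the average signal state ∑_x p_x |ϕ_x⟩⟨ϕ_x|:

```python
import numpy as np

# BB84 signal states |0>, |1>, |+>, |->, each sent with probability 1/4
# (a standard example; any ensemble {p_x, |phi_x>} works the same way).
ket0 = np.array([1.0, 0.0])
ket1 = np.array([0.0, 1.0])
phis = [ket0, ket1, (ket0 + ket1) / np.sqrt(2), (ket0 - ket1) / np.sqrt(2)]
p = [0.25] * 4

# Source replacement: |psi>_AS = sum_x sqrt(p_x) |x>_A |phi_x>_S.
dim_A, dim_S = len(phis), 2
psi = np.zeros(dim_A * dim_S)
for x, phi in enumerate(phis):
    ket_x = np.zeros(dim_A)
    ket_x[x] = 1.0
    psi += np.sqrt(p[x]) * np.kron(ket_x, phi)

rho_AS = np.outer(psi, psi)

# Partial trace over Alice's register: sum_x p_x |phi_x><phi_x| (= I/2 for BB84).
rho_S = np.einsum('ajak->jk', rho_AS.reshape(dim_A, dim_S, dim_A, dim_S))
```

For the BB84 ensemble the reduced signal state is the maximally mixed qubit, as expected.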

B. Asymptotic Numerics
To calculate secret key rates, we have to minimize H(X|E) subject to the given constraints on the underlying state. This is often difficult when there are not sufficient symmetries to simplify the problem. To address this issue, a two-step method to produce a tight, efficient, and reliable lower bound on H(X|E) was created [15]. In that work there are a few key ideas which will be of particular import in our extension to include finite-size effects. The first is that H(X|E) can be represented by the relative entropy, as X is classical information [33]. This is done using the following function:

f(ρ) ≡ D(G(ρ) ‖ Z(G(ρ))),

where D(·‖·) is the quantum relative entropy, G is a completely positive trace non-increasing map that describes the post-processing steps of the protocol, and Z is a quantum pinching channel which is related to obtaining the results of the key map (see Appendix A of [34] for further detail). By the joint convexity of quantum relative entropy, the function f(ρ) is convex in ρ and thus can be used as the objective function of a semidefinite program for our minimization of the conditional entropy. Therefore we define

α ≡ min_{ρ∈S} f(ρ).   (8)

However, as we want a lower bound that also holds if our numerical optimization routine returns before reaching the true mathematical minimum, we need to acquire the dual problem of the SDP so that we have a maximization problem. This guarantees the computer always returns an answer approaching the true minimum of the conditional entropy from below, so that we can always guarantee that our answer provides a reliable lower bound on the key rate. Unfortunately, the quantum relative entropy is a highly non-linear function, and so determining the dual of this problem is difficult in general. For this reason, we linearize the function about a given density matrix. We can then acquire the dual of the linearization of the original SDP, max_{y∈S*(σ)} γ · y, where γ is just the vector of the set of expectation values {γ_i}_{i∈Λ}.
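To make the objective function concrete, the following sketch evaluates f(ρ) = D(G(ρ) ‖ Z(G(ρ))) for a toy qubit, with the simplifying assumption that G is the identity map (in the actual method G encodes the protocol's post-processing) and Z is the pinching in the key (computational) basis:

```python
import numpy as np

def pinch_Z(rho):
    """Pinching channel in the key (computational) basis: keep the diagonal."""
    return np.diag(np.diag(rho))

def rel_entropy(rho, sigma):
    """Quantum relative entropy D(rho||sigma) in bits; sigma assumed full rank."""
    lam = np.linalg.eigvalsh(rho)
    term1 = sum(l * np.log2(l) for l in lam if l > 1e-12)   # Tr[rho log rho]
    w, V = np.linalg.eigh(sigma)
    log_sigma = V @ np.diag(np.log2(w)) @ V.conj().T
    return float(term1 - np.trace(rho @ log_sigma).real)

# f(rho) = D(G(rho)||Z(G(rho))) with G taken as the identity (illustrative).
plus = np.array([1.0, 1.0]) / np.sqrt(2)
rho = np.outer(plus, plus)               # |+><+|, key generated in the Z basis
f_rho = rel_entropy(rho, pinch_Z(rho))   # = 1 bit for this state
```

For |+⟩⟨+| the pinched state is maximally mixed, so f(ρ) evaluates to exactly 1 bit.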
Then the lower bound for any optimal or suboptimal attack σ can be calculated as

β(σ) ≡ f(σ) + min_{ρ∈S} Tr[(ρ − σ)ᵀ ∇f(σ)],   (10)

because it can be shown that α ≥ β(ρ) for all ρ ∈ S, so long as ∇f(ρ) exists (Theorem 1 of [15]). Here we have defined the gradient of f at a point ρ, represented in the standard basis {|k⟩}, as

[∇f(ρ)]_jk ≡ ∂f(σ)/∂σ_jk |_{σ=ρ},

with σ_jk ≡ ⟨j| σ |k⟩. Moreover, we can write the gradient of f(ρ) as

∇f(ρ)ᵀ = G†(log G(ρ)) − G†(log Z(G(ρ))).

Lastly, one can guarantee that ∇f(ρ) exists by perturbing the state sufficiently, mixing the output of G(ρ) with the maximally mixed state such that all eigenvalues are non-zero. The expression for β(σ) in Eqn. 10 gives a valid lower bound on the key rate for any σ, but the bound will be tighter the closer σ is to the true optimum. We thus use a near-optimal evaluation of the primal problem (Eqn. 8). This is referred to as Step 1 (see Algorithm 1). For further information on the specifics of this method, we refer to Appendix A and [15].
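The reliability of this linearization rests on a basic fact about convex functions: the tangent (first-order expansion) at any point is a global lower bound, and it is tight at the expansion point. A scalar sketch with the convex function x log₂ x (a stand-in for the matrix-valued objective, chosen only for illustration):

```python
import math

def f(x):
    """x*log2(x): convex on (0, 1], a scalar analogue of the objective."""
    return x * math.log2(x)

def f_prime(x):
    # d/dx [x log2 x] = log2(x) + 1/ln(2)
    return math.log2(x) + 1.0 / math.log(2)

sigma = 0.5   # expansion point (the "near-optimal attack" from Step 1)

def linearized_lower_bound(x):
    """Tangent at sigma: f(sigma) + f'(sigma)(x - sigma) <= f(x) for all x."""
    return f(sigma) + f_prime(sigma) * (x - sigma)

# The tangent never exceeds f, and agrees with f exactly at sigma.
gap_ok = all(linearized_lower_bound(x) <= f(x) + 1e-12
             for x in [0.01 * k for k in range(1, 101)])
tight_at_sigma = abs(linearized_lower_bound(sigma) - f(sigma)) < 1e-12
```

This is exactly why β(σ) is a valid lower bound for any σ, and why it tightens as σ approaches the true optimum.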

Tight, reliable, and efficient lower bound
We now extend the previous numerical framework to the finite regime and show rigorously that this extension preserves the advantages of the previous numerical method; that is, it provides tight, efficient, and reliable key rates. For clarity, we will begin by proving tightness in the case where there are no numerical errors and a single coarse-graining. Here tightness is defined as the property that if one acquires the optimal solution in Step 1 of the algorithm, then Step 2 will obtain the same answer. We then generalize to the case handling issues due to numerics and multiple POVMs in Appendix A.
The primary steps in extending our method to the finite key regime are changing the sets over which we optimize and changing how we perform Item 9 in Algorithm 1. In the case of prepare-and-measure protocols, we first modify S_μ as defined in Eqn. 1, as Alice knows her portion of the state ρ_A perfectly under the source-replacement scheme. Therefore, while parameter estimation is handled in the original definition, it must take into account Alice's certainty about ρ_A. Thus we define a variation of Eqn. 1 for prepare-and-measure protocols:

S_μ^PM = { ρ ∈ D(H_A ⊗ H_B) : ∃ F ∈ Q such that ‖Φ_P(ρ) − N(F)‖₁ ≤ μ, and Tr(ρΓ_i) = γ_i ∀i ∈ Λ },   (12)

where we use Λ for indexing the constraints which are certain. We note ρ is a density matrix by setting Γ_1 = 1_{H_A ⊗ H_B}, γ_1 = 1. Furthermore, the use of N and N̄ is so that one might abort on some set of coarse-grained or fine-grained data which differs from the data used in relation to the variation bound. We stress that as F̄ and N are fixed, N(F̄) is a fixed frequency distribution. From this we can define the primal problem of the linearized SDP. However, it is not obvious from this form that this is an SDP. The trick is to consider how to handle the trace norm. The trace norm of a square matrix A has a well-known semidefinite program [35]:

‖A‖₁ = min (1/2)(Tr Y + Tr Z)  subject to  [[Y, A], [A†, Z]] ⪰ 0,

where the minimization is over Hermitian matrices Y and Z. It is known that the trace norm SDP always achieves the optimal value in both the primal and the dual, a property known as strong duality. This is important, as we need our SDP to have strong duality for tightness (see Appendix A for more details). With this knowledge, we can express our SDP and take its dual, where f is the vector version of N(F̄) and −→N† is the action of the adjoint map N† on the diagonal entries of a matrix. It is sufficient to consider −→N† on the diagonal entries of a matrix because N† only acts on the diagonal entries of a matrix, and so it is easy to see that the −→N† map applied to the vector formed by the diagonal entries of a matrix gives the equivalent action as N† on the matrix.
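As a sanity check on the quantity the trace-norm SDP computes, the sketch below (assuming NumPy) verifies that ‖A‖₁ = Tr√(A†A) equals the sum of singular values, computed three equivalent ways:

```python
import numpy as np

def trace_norm(A):
    """||A||_1 = Tr sqrt(A^dagger A) = sum of singular values of A."""
    return float(np.linalg.svd(A, compute_uv=False).sum())

# For a Hermitian matrix the trace norm is also the sum of |eigenvalues|.
A = np.array([[0.5, 0.2], [0.2, -0.5]])
tn = trace_norm(A)
tn_eig = float(np.abs(np.linalg.eigvalsh(A)).sum())
# NumPy's nuclear norm computes the same quantity:
tn_nuc = float(np.linalg.norm(A, 'nuc'))
```

The SDP formulation above attains this same value at its optimum; in a solver one would use the block-matrix constraint directly rather than an SVD.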
One may note that the objective function of the finite key SDP is similar to the asymptotic case, but with reductions associated with the finite-size effects due to the variation bound μ and the threshold t, as the variables a, ā are non-negative. However, this is somewhat obfuscated when first presented in this general form. We therefore explain it in relation to the simplified SDP of a protocol with unique acceptance in the following section. We denote the set of tuples (a, ā, b, y, z, z̄) which satisfy the constraints as S*_μ(ρ) for a primal solution ρ, to mirror the asymptotic notation.
With the SDP for finite key analysis determined, it is crucial to prove that we have preserved the old properties: tightness, robustness to the perturbation used to make ∇f(ρ) exist, and reliability in the face of finite computational precision. As we have not changed the function f, all of the theorems pertaining to perturbing the channel to guarantee that ∇f(ρ) exists are unchanged from the asymptotic case, and we direct readers to Ref. [15] for those proofs. However, the proof of tightness is not identical to that in [15], and so we state this result here.
This guarantees that our numerical method obtains the optimal value when the solver works ideally.
Proof. See Appendix A.
Note this is not obvious, as α is the optimal value of the primal using the original function f(ρ), while β involves the dual of the linearization of f(ρ).
Lastly, we are concerned with the numerical precision of the computer, which cannot perfectly represent the POVM elements or statistics and may return an answer in the first step that slightly violates some constraint. In other words, the computer has not optimized over S_µ, but rather over some different set S̃_µ. Without handling this, our solver could be unreliable, i.e. it could allow the solution of step 1 to obtain a value greater than that of step 2 in some cases. To guarantee this does not happen, one must expand the set for the dual, S*_µ(σ), to a larger set S̃*_µ(σ). The proper method for doing this is to find the largest violation of the certainty constraints, which we denote by ζ′. Then one must allow every certainty constraint to vary within that distance, as was done in the asymptotic case: |Tr(ρΓ_i) − γ_i| ≤ ζ′. Furthermore, one expands µ to µ̃ = max(µ + nζ′, ‖Φ_P(ρ_f) − F‖₁ + nζ′), where n = |Λ| and ρ_f is the solution to the first step. We leave the proof of this statement to Appendix A. This then guarantees that the state considered in the first step is included. Therefore, we have an SDP for finite key analysis which is tight, efficient, and reliable for general QKD protocols.
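As a toy illustration of this reliability fix, the sketch below computes the largest certainty-constraint violation ζ′ of a hypothetical first-step solution and enlarges the variation bound by nζ′. The constraint values are invented for illustration, and for simplicity only the µ + nζ′ branch of the expansion is shown.

```python
import numpy as np

# Hypothetical first-step output and certainty constraints Tr[rho Gamma_i] = gamma_i.
rho_f = np.diag([0.5, 0.5]).astype(complex)
Gammas = [np.eye(2, dtype=complex), np.diag([1.0, 0.0]).astype(complex)]
gammas = [1.0, 0.5 + 3e-9]   # tiny violation, as an imperfect solver might produce

# Largest violation of the certainty constraints (zeta' in the text).
zeta = max(abs(np.trace(rho_f @ G).real - g) for G, g in zip(Gammas, gammas))

# Every certainty constraint is relaxed to |Tr(rho Gamma_i) - gamma_i| <= zeta,
# and the variation bound is enlarged accordingly (n = |Lambda|).
mu, n = 1e-3, len(Gammas)
mu_expanded = mu + n * zeta
```

After this expansion, the second step is guaranteed to optimize over a set containing the first-step state, so its value remains a valid bound.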

D. SDP for Protocol with Unique Acceptance
Many of our examples pertain to protocols with unique acceptance, both for clarity in relation to previous work and for clarity of ideas. As the problem simplifies in the case of unique acceptance, we derive the SDP for a QKD protocol with unique acceptance from the general version above. Most generally, a protocol with unique acceptance may be viewed as picking Ñ(F) to be the only distribution Alice and Bob accept on. Then the constraint pertaining to Q in Eqn. 12 vanishes, as the observed coarse-grained data must equal the accepted distribution. It follows that F could be allowed to vary over all F with the same coarse-graining. However, in previous works [10,11,18,19] this nuance is lost, as only one coarse-graining is considered, and so it is assumed F = Ñ(F). For consistency with the literature, we also make this assumption in defining a protocol with unique acceptance. We denote Ñ(F) by F^N to make clear that it is fixed rather than a variable. Using this notation, we can define the following set: where it must be the case that N coarse-grains data from the alphabet of F^N, as otherwise it would not be well-defined. From this definition we get the following primal problem: The dual of this problem is: where f is the vector version of N(F^N).
The SDP is nearly identical to the asymptotic case, as the first constraint of Eqn. 15 is in effect identical to the single constraint of Eqn. 9. Similarly, the objective function is nearly identical, though one can see that there is some reduction in the key rate associated with finite-size effects, represented by the variation bound µ, as the variable a is constrained to be non-negative. The constraint on z is simply the dual problem of the trace norm, simplified using the specific structure of our problem (see Appendix A for the derivation).

E. Coherent Attacks
As one important aspect of finite key analysis is the ability to analyze the key rate under coherent attacks, it is important to understand how the numerics can handle the coherent attack analysis. Extending the numerical approach in this work to coherent attacks using the Finite Quantum de Finetti Theorem [9] can be done by changing how one defines the variation bound µ and by adding some extra parameters, as we explain in Appendix C. However, the Finite Quantum de Finetti approach provides pessimistic key rates for realistic block sizes. An alternative method, which provides better but still pessimistic bounds on the key rate, is the post-selection technique [36]. This method effectively states that given ε-security for convex combinations of i.i.d. states σ^⊗N, which follows from the security against i.i.d. collective attacks, the protocol is ε′ = (N + 1)^(d_AB² + 1) ε-secure against coherent attacks, where d_AB is the dimension of the Hilbert space in which Alice and Bob's joint state lives. However, to use this method rigorously, one either requires the initial protocol to be permutation invariant, or must find a way to bound the portion of the protocol after parameter estimation by a permutation-invariant version, which introduces more ε terms (Section 3.4.3 of [37]). Another technique that handles coherent attacks is the Entropy Accumulation Theorem [38]. However, this method is not immediately applicable to our numerical method, since it requires a specific property of the protocol. We leave it as future work to investigate how to combine the entropy accumulation theorem with our numerical method. As such, the currently applicable coherent attack proof methods, the Finite Quantum de Finetti method and the post-selection technique, while implementable, are pessimistic, and we expect them to be improved to be significantly closer to the collective attack results we present in this work. Moreover, this uplift is independent of our work here, so we concentrate on collective attacks. In Appendix C we explain how to lift our results to coherent attacks using the Finite Quantum de Finetti method.
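To make the cost of the post-selection lift concrete, the sketch below evaluates the security parameter degradation in log scale. The exponent d_AB² + 1 is taken from the statement above, and the particular numbers (two qubits, 10¹² signals) are illustrative assumptions.

```python
import math

def log2_eps_coherent(eps, N, d_AB):
    # eps' = (N + 1)^(d_AB^2 + 1) * eps; work in log2 to avoid overflow
    # for realistic block sizes.
    return (d_AB**2 + 1) * math.log2(N + 1) + math.log2(eps)

# Illustrative numbers: d_AB = 4 (two qubits) and N = 10^12 signals.
lifted = log2_eps_coherent(1e-8, 10**12, 4)
```

For these numbers the degradation factor is (d_AB² + 1) log₂(N + 1) ≈ 678 bits, so ε must be taken dramatically smaller to retain a meaningful coherent-attack security level, which is why these lifts are pessimistic at realistic block sizes.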

IV. EXAMPLES
In this section we present variations of the BB84 protocol [20] to investigate the properties of finite key analysis as well as of our method. In doing so, we show that our method works for any protocol which can be represented in a finite-dimensional Hilbert space. This includes single-photon protocols, such as single-photon MDI protocols, and any optical implementation of a protocol which admits a squashing map [39][40][41]. Furthermore, we show the power and generality of our method in being able to consider multiple coarse-grainings where each frequency distribution can be of any length. This is in contrast to previous works [12,18,19], which could only handle multiple two-outcome probability distributions without adding looseness to their calculation of H_µ(X|E), as their bound on the variation bound µ loosened beyond two-outcome POVMs. Lastly, in addition to examples of protocols with unique acceptance, we also present an example where Q is not a single distribution, and discuss when using our method to calculate key rates of general protocols may be needed in the practical development of QKD hardware.
In all examples in this section, we let ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸, as we found no general asymmetric choice that consistently improved the key rate substantially. We note that our method works for significantly smaller ε values. The only limitation is numerical precision, which will not be a problem for any realistic ε given that the equations always depend on the logarithm of the ε term.
For completeness, we present the post-processing maps G for each protocol in Appendix D; they are not difficult to derive following the discussion in Appendix A of [34].

A. BB84 with Phase Error Parameter Estimation
As a simple case where the analytic answer is known, we consider the BB84 protocol where signals are sent in the Z-basis with probability p_z and the key map is only applied in the Z-basis, so that all other events are removed during generalized sifting [42]. In other words, the states |0⟩ and |1⟩ are each sent with probability p_z/2, and the states |+⟩ and |−⟩ are each sent with probability (1 − p_z)/2. We assume that Alice and Bob perform parameter estimation in which they only check the phase error e_x, using the POVM where Π_ex ≡ (1_A ⊗ 1_B − σ_X ⊗ σ_X)/2 and σ_X is the Pauli-X operator. An analytical finite-size key rate for a protocol with unique acceptance has been given for this scenario in [10]: where the remaining terms are as defined in Section II. The specific form of H_µ(X|E) follows from the fact that asymptotically the conditional entropy between the key and Eve for this protocol is of the form 1 − h(e_x), and so the worst-case scenario in the finite regime is that half of the variation bound µ increases the phase error. The error correction term H(X|Y) is the binary entropy of the quantum bit error rate e_z, because the number of bits that need to be corrected when the key map is done in the Z-basis is determined by the error rate in the Z-basis.
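The structure of this analytic rate can be sketched directly. In the code below, the worst-case phase error e_x + µ/2, the error correction cost f_EC h(e_z), and the logarithmic ε terms follow the description above, but the exact correction terms and prefactors are illustrative stand-ins rather than the precise expression of Ref. [10].

```python
import math

def h(p):
    # Binary entropy in bits.
    if p <= 0 or p >= 1:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate_sketch(N, pz, ex, ez, mu, f_EC=1.2, eps_PA=0.25e-8, eps_bar=0.25e-8):
    # Illustrative stand-in for the analytic finite key rate: the worst case
    # puts half of the variation bound mu on the phase error, error correction
    # costs f_EC * h(ez), and the epsilon terms enter only logarithmically.
    n = pz**2 * N                                   # signals kept for key generation
    rate = 1 - h(ex + mu / 2) - f_EC * h(ez)
    corrections = (2 * math.log2(1 / eps_PA) + 2 * math.log2(2 / eps_bar)) / n
    return max(0.0, (n / N) * (rate - corrections))
```

With µ → 0 and large N this recovers the asymptotic rate p_z² (1 − h(e_x) − f_EC h(e_z)), and any finite µ strictly lowers it.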
To show that our approach works, we compare it against the analytical curve in Fig. 3. Following [10], to determine the value of µ, we assume Alice and Bob sacrifice (1 − p_z)² N of the signals for parameter estimation. This is a good choice because as N goes to infinity, 1 − p_z can approach zero, and so one will need to spend a continuously smaller fraction on parameter estimation, which this a priori decision takes into account. Furthermore, in the simulation we assume that our observations yield error rates satisfying e_z = e_x, so that H(X|Y) = h(e_x). As can be seen in Fig. 3, for this protocol our solver produces a lower bound that matches the analytical result perfectly. Furthermore, in this example we let f_EC = 1.2, as this is a realistic model of the inefficiency of error correction in current experiments [10,11,43].

FIG. 3. Comparison with the analytical finite key rate, with ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸ so that ε = 10⁻⁸. The lines are the theory curves, and the dots are the corresponding solutions from our numerical method. We let e_z = e_x and p_z = 0.9. We assume here that the sample size is still larger than the block length of error correction, which gives f_EC = 1.20.

B. Rotated BB84 & POVM Choice
In this section we explore the effect of fine-grained versus coarse-grained data on the key rate, and the increased importance of this difference in the finite regime. Furthermore, we show the advantage of considering multiple coarse-grainings (Eqn. 5) rather than only one (Eqn. 1).
In the case of constraining the set of density matrices using a single frequency distribution F, there are two competing effects: the rate at which the variation bound µ goes to 0 and the value of the asymptotic key rate. As one can see from Eqn. 4, the number of POVM outcomes affects the size of the variation bound µ. This means that more coarse-grained data F_{C_k} has a variation bound µ_k that converges to 0 faster than that of the fine-grained data. It follows that, for a case such as the first example where an element of a coarse-grained probability distribution (e_x) determines the key rate (Eqn. 19), the coarse-grained data will lead to a key rate better than or equal to that of the fine-grained data for any number of signals.
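This competition can be made concrete with a concentration bound of the usual shape. The specific form below is an assumption standing in for Eqn. 4, but it captures the relevant dependence: the bound shrinks with the number m of parameter estimation rounds and grows with the number of POVM outcomes.

```python
import math

def mu_bound(m, num_outcomes, eps_PE):
    # Assumed concentration-bound shape (a stand-in for Eqn. 4), not the
    # paper's exact expression.
    return math.sqrt(2.0 / m) * math.sqrt(
        math.log(1.0 / eps_PE) + num_outcomes * math.log(m + 1)
    )

m, eps_PE = 10**6, 1e-8
mu_coarse = mu_bound(m, 2, eps_PE)   # two-outcome phase-error coarse-graining
mu_fine = mu_bound(m, 16, eps_PE)    # fine-grained joint BB84 statistics
```

For any m the coarse-grained bound is smaller, which is why coarse-graining can win at small block sizes even though the fine-grained data wins asymptotically.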
However, we know that if one applies a unitary rotation about the Y-axis of the Bloch sphere to each signal sent to Bob, then the fine-grained statistics will detect the rotation, thereby leaving the key rate unchanged. In contrast, the phase error coarse-grained statistics cannot determine the rotation, thereby decreasing the coarse-grained key rate. As the fine-grained key rate is asymptotically better than the coarse-grained key rate in the event of such a rotation, even with the coarse-grained variation bound converging to zero faster, the fine-grained key rate must be better than the coarse-grained key rate beyond some number of signals.
Independent of finite-size effects, the idea that some POVMs are robust to rotations has already been recognized in the literature through the invention of the 'reference frame independent' and '6-state 4-state' protocols [44,45]. The idea is that the information extracted by the POVM determines how robust the protocol is to differences in Alice and Bob's reference frames. This is because the signals sacrificed for the parameter estimation step allow them in effect to align the relevant reference frame [46]. For example, if we had rotated the states about the X-axis of the Bloch sphere, not even the fine-grained data of the BB84 protocol would help, but the six-state protocol, which is tomographically complete, would be robust to this. In this section we present an example of this misalignment in reference frames in BB84 to explore its relation to finite-size effects and the advantage of doing parameter estimation with multiple coarse-grainings.
We consider BB84 where we constrain with one or more of the following three conditional probability distributions, where for intelligibility we write the corresponding POVM rather than the conditional probability distribution: 1. The fine-grained joint POVM constructed by both Alice and Bob having the local POVM: This corresponds to applying the identity conditional probability distribution to the fine-grained statistics.
2. The phase error POVM defined in Eqn. 18. This corresponds to mapping the frequencies corresponding to Alice and Bob both using the X-basis POVM and getting different results to a single outcome, and all other fine-grained outcomes to a second.

3. The agreement POVM, which simply checks how often Alice and Bob agree: where Π_a = |a⟩⟨a| ⊗ |a⟩⟨a| and Π_else is the POVM element that completes the POVM. This corresponds to a conditional probability distribution that retains the statistics pertaining to Alice and Bob getting the same outcome and maps all other fine-grained outcomes to a single outcome.
To evaluate the resulting key rates, we need to work with simulated observations, as we do not work from actual experimental data. To simulate the observed statistics, we consider a simple noise model for a qubit channel. Alice sends half of the ideal state |Φ+⟩ through the channel. The channel is the composition of two channels. The first channel is the depolarizing channel with noise value q, defined as: The depolarizing channel induces a qubit error rate of q in the output state. The second channel is a unitary channel that rotates the state about the Y-axis of the Bloch sphere by an angle θ, Φ_U(X) = e^{iθσ_Y} X e^{−iθσ_Y}. Alice and Bob then perform measurements on the state (id_A ⊗ (Φ_U ∘ Φ_dp^q))(|Φ+⟩⟨Φ+|) using one of the POVMs previously described to generate the probabilities.
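This simulation is easy to reproduce. The following self-contained NumPy sketch implements the depolarizing-plus-rotation channel on Bob's half of |Φ+⟩ and evaluates the phase-error operator Π_ex = (1 − σ_X ⊗ σ_X)/2 of Eqn. 18 on the output state.

```python
import numpy as np

sx = np.array([[0, 1], [1, 0]], dtype=complex)
sy = np.array([[0, -1j], [1j, 0]], dtype=complex)
sz = np.diag([1.0, -1.0]).astype(complex)
I2 = np.eye(2, dtype=complex)

phi = np.zeros(4, dtype=complex)
phi[0] = phi[3] = 1 / np.sqrt(2)
rho = np.outer(phi, phi.conj())                      # |Phi+><Phi+|

def channel_on_B(rho, q, theta):
    # Depolarizing channel inducing qubit error rate q (Pauli form), on Bob's qubit.
    out = (1 - 3 * q / 2) * rho
    for P in (sx, sy, sz):
        K = np.kron(I2, P)
        out += (q / 2) * (K @ rho @ K.conj().T)
    # Rotation Phi_U(X) = e^{i theta sigma_Y} X e^{-i theta sigma_Y}.
    U = np.kron(I2, np.cos(theta) * I2 + 1j * np.sin(theta) * sy)
    return U @ out @ U.conj().T

Pi_ex = (np.eye(4, dtype=complex) - np.kron(sx, sx)) / 2   # Eqn. 18

e_x = np.trace(Pi_ex @ channel_on_B(rho, 0.01, 0.0)).real           # -> q = 0.01
e_x_rot = np.trace(Pi_ex @ channel_on_B(rho, 0.01, np.pi / 4)).real # -> 0.5
```

With no rotation the phase error equals q, while at θ = π/4 the phase-error statistic saturates at 1/2 even though the fine-grained data still identifies the channel as a rotated, weakly depolarized one.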
In Fig. 4 we plot the key rate for all three coarse-grainings individually, as well as the key rate when we consider both the phase-error statistics and the fine-grained statistics. Whenever m ≤ 10⁸, we construct a frequency distribution by randomly sampling the simulated probability distribution using a pseudo-random function and then calculate the key rate for the protocol with unique acceptance which accepts on that frequency distribution. To see how much the key rate fluctuates when sampling m times, depending on the frequency distribution Alice and Bob accept, we repeat the simulation 20 times to determine the average key rate and standard deviation of the protocol with unique acceptance, with all other parameters fixed. The standard deviation is represented by the error bars in Fig. 4. Furthermore, to make the comparison between the different POVMs fair, we optimize the choice of p_z at each point by maximizing the average key rate over p_z for that value of N. As in the previous example, we let m = (1 − p_z)² N and assume the key map is only done in the Z-basis. Lastly, the (observed) error correction cost for all four key rates is f_EC H(X|Y) = f_EC h(ē_z), where f_EC = 1.2 and ē_z is the bit error frequency determined by the fine-grained statistics in the key-generation basis Z.

Given Fig. 4, we now see how coarse-graining does better than fine-grained data in some regime, due to the coarse-grained variation bound µ_k converging to zero faster, but is ultimately worse as N increases because asymptotically the fine-grained data provides a better key rate. We also see that considering both frequency distributions improves the key rate for all N. This is because any density matrix satisfying both sets of constraints has a phase error lower than with just the fine-grained data, and the unitary is 'undone' to a greater degree than with just the phase-error coarse-grained data. For this reason, in the finite regime it is beneficial to always optimize over the fine-grained data as well as relevant coarse-grainings. The ability of our solver to do this regardless of the number of outcomes is one property which makes it truly general.

C. MDI-BB84 with Qubits
In this section we consider the simple extension to MDI-QKD protocols, which are designed to be immune to side-channel attacks on measurement devices [21]. Specifically, we consider MDI-BB84 with perfect single-photon sources, in which Alice and Bob both send BB84 states to an untrusted third party, Charlie, who performs Bell state measurements on the two signals. Charlie then announces on which signals his measurement was successful, as well as the outcome. Alice and Bob then sift on this subset and finally construct the key. The primary extension for finite key analysis is that in MDI-QKD there is a third party. This means that there is a joint probability distribution over three alphabets and a joint POVM over three parties. This is, however, an immediate extension, as parameter estimation can be defined for tripartite states, and the third party's output in MDI-QKD is a classical announcement and so does not affect Alice and Bob's fine-grained data.
To simulate data for the protocol, we apply the source-replacement scheme to both Alice and Bob's signal states, resulting in a state ρ_{ABA′B′}. In our calculation, we assume the setup uses linear optics, so Charlie can unambiguously discriminate only two of the Bell states, Ψ+ and Ψ−, where Ψ± ≡ (|01⟩ ± |10⟩)/√2. For simulating the statistics, we consider that the signal portions of the states, A′ and B′, each go through a separate depolarizing channel Φ_dp^q as they are sent to Charlie. Lastly, we assume Alice and Bob only do the key map in the Z-basis for simplicity. In Fig. 5 we consider MDI-BB84 with p_z = 0.5 for two depolarizing parameter values, to see the rate of convergence to the asymptotic key rate in a simple example.

FIG. 5. Here we see the MDI-BB84 protocol with unique acceptance converging to its asymptotic value as the number of signals is increased, for depolarizing channels with depolarizing parameter values q = 0.01 and q = 0.03. For all curves, the security is defined by ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸.

D. Discrete-phase-randomized BB84
We next apply our method to optical implementations of QKD protocols with weak coherent pulses. Since each state that Bob receives is an optical mode and is in principle manipulated by Eve, a full description of the POVM usually involves an infinite-dimensional Hilbert space (e.g. Fock space). This also means that the density operator ρ_AB in our optimization problem is infinite-dimensional, such that no numerical optimization algorithm can solve the problem directly. Fortunately, for many discrete-variable QKD protocols there exists a squashing model [39][40][41] that reduces the apparently infinite-dimensional representation to an effective finite-dimensional subspace representation. Here we present our finite key analysis for the discrete-phase-randomized BB84 protocol [22], which is based on phase encoding and has a squashing model [39].
We consider the following simple model for determining the statistics.

FIG. 6. Schematic for discrete-phase-randomized BB84. PM stands for phase modulator, PBS for polarizing beam splitter, BS for beam splitter, PR for polarization rotator; D1 and D2 are two threshold detectors.
As depicted in Fig. 6, the quantum part of the protocol is as follows: 1. Alice sends a two-mode state to Bob, where the first mode is the reference pulse and the second mode is the signal pulse. The global phase θ is chosen at random from the set {2πk/c : k = 0, …, c − 1}, where c is the number of different global phases. The key information is encoded in the relative phase φ_A, chosen from the Z-basis {0, π} or the X-basis {π/2, 3π/2}. 2. After receiving states from Alice, Bob may choose to measure in one of the two bases by applying a relative phase φ_B ∈ {0, π/2} to the reference pulse, where φ_B = 0 corresponds to the Z-basis and φ_B = π/2 to the X-basis. This results in either one, none, or both of Bob's detectors clicking. In the case where both detectors click, Bob assigns the result to either just detector 1 clicking or just detector 2 clicking.
We remark that the protocol with c = 1, in which case Alice does not randomize the global phase, is also studied in [47,48].
For our simulation, we consider a lossy channel parameterized by the single-photon transmittance η = 10^{−α_att L/10} for a distance L (in kilometers) between Alice and Bob. We also introduce channel noise parameterized by ζ, which describes the relative phase drift between the signal pulse and the reference pulse. In addition, the imperfection of Bob's detectors is taken into account by the dark count probability p_d and the detector efficiency η_d. To obtain simulated statistics, we choose η_d = 0.045, p_d = 8.5 × 10⁻⁷, and let the attenuation coefficient be α_att = 0.2 dB/km, from the experimental parameters reported in [49]. We also set ζ = 11°, which produces a misalignment error of 1% at 0 km distance, and let f_EC = 1.16 as was done in [48].
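These parameters translate into detection statistics as in the following sketch. The threshold-detector click model used here (a detection or a dark count) is a standard assumption for illustration, not the paper's exact simulation formula.

```python
import math

# Parameter values quoted above: dB/km, detector efficiency, dark count probability.
alpha_att, eta_d, p_d = 0.2, 0.045, 8.5e-7

def transmittance(L_km):
    # Single-photon transmittance eta = 10^(-alpha_att * L / 10).
    return 10 ** (-alpha_att * L_km / 10)

def click_prob(nu, L_km):
    # A coherent pulse of intensity nu fires the detector unless no photon is
    # detected and no dark count occurs (assumed model).
    mean_detected = nu * transmittance(L_km) * eta_d
    return 1 - (1 - p_d) * math.exp(-mean_detected)
```

At L = 100 km the transmittance is 10⁻², so for intensity ν ≈ 0.1 the detected mean photon number (about 4.5 × 10⁻⁵) exceeds the dark count probability by less than two orders of magnitude, consistent with dark counts being the primary error source at long distance.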
Under the squashing model and source-replacement scheme, the fine-grained statistics for this protocol are generated by a 20c-outcome joint POVM constructed from Alice and Bob's local POVMs, where Alice has 4c POVM elements, which are projectors onto her 4c possible signal states, and Bob has a 5-outcome POVM defined as: In other words, Bob's local POVM is the standard fine-grained local BB84 POVM (Eqn. 20 with p_z = 1/2) embedded in a three-dimensional space, plus a projector onto the third dimension, where the third dimension is the vacuum state and |vac⟩ denotes the basis of the third dimension.
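Bob's squashed POVM can be written out explicitly. The sketch below builds the five elements as described above (the fine-grained BB84 POVM with p_z = 1/2 embedded in the qubit subspace of a 3-dimensional space, plus a vacuum projector) and checks that they resolve the identity.

```python
import numpy as np

def embed(op2):
    # Embed a qubit operator into the qubit subspace of a 3-dimensional space.
    out = np.zeros((3, 3), dtype=complex)
    out[:2, :2] = op2
    return out

def proj(v):
    v = np.asarray(v, dtype=complex)
    return np.outer(v, v.conj())

z0, z1 = [1, 0], [0, 1]
xp = [1 / np.sqrt(2), 1 / np.sqrt(2)]
xm = [1 / np.sqrt(2), -1 / np.sqrt(2)]

# BB84 POVM with pz = 1/2: each basis is chosen with probability 1/2.
bob_povm = [embed(0.5 * proj(v)) for v in (z0, z1, xp, xm)]

vac = np.zeros((3, 3), dtype=complex)
vac[2, 2] = 1.0                     # projector onto the vacuum dimension
bob_povm.append(vac)
```

The four measurement elements sum to the identity on the qubit subspace, and the vacuum projector completes the POVM on the squashed three-dimensional space.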
We take L = 100 km and L = 20 km and consider both the c = 1 and c = 2 scenarios as examples to show that the method works for multiple discrete phases and loss regimes. In this model the dark counts are the primary source of error. In generating this plot, to improve the key rate when fewer signals are sent, we heuristically optimize the fraction of signals used for parameter estimation, which we denote g_PE ≡ m/N. The fraction is determined as follows: The first term of line 2 of each g_PE was determined by numerically finding for how many signals the key rate could be made positive for c = 1. The extra term was chosen so as to sacrifice a smaller fraction to parameter estimation as N grows, so that the key rate is improved. We notice that with our simulation parameters, at the L = 100 km distance considered in Fig. 7, a significant number of signals needs to be sent before the key rate becomes nonzero. The reason is that at L = 100 km, the probability of the outcomes that lead to key generation is quite low, on the order of 10⁻⁶ in the c = 1 case. It follows that if the variation bound µ is of an order greater than 10⁻⁶, there exists a probability distribution P such that ‖P − F‖₁ ≤ µ and P corresponds to a density matrix that lacks sufficient correlation for any key to be distilled. Therefore, one needs to sacrifice enough signals to parameter estimation that the variation bound µ is sufficiently small with respect to the portion of the frequency distribution relevant to key distillation.

E. Security of BB84 with Practical Acceptance Probability
FIG. 7. Key rate of discrete-phase-randomized BB84 with unique acceptance when not randomizing the global phase (c = 1) and when randomizing it over 2 choices (c = 2). Every point is for optimized coherent state intensity ν. For all curves, the security is defined by ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸. For this protocol we let f_EC = 1.16.

So far we have only presented protocols with unique acceptance. However, protocols with unique acceptance are impractical, as the probability that an experiment yields the exact frequency distribution of outcomes matching the acceptance criteria is usually very low. Thus one introduces a range of accepted statistics, where the key rate is now taken over the worst-case scenario among the accepted statistics. There is therefore a trade-off between how often one aborts and the length of the secret key generated when the protocol does not abort. In some cases, especially where the accepted statistics are based on only one observable, such as an error rate, and the key rate has some monotonic behaviour, it is easy to identify the worst-case acceptable statistics. In these cases one can relate the case of a set of accepted statistics back to the case of a single accepted statistic, namely the identified worst-case statistic. However, in cases where the observed statistics needed for determining the key rate of the protocol are more complex, it is often not as simple to identify the worst-case statistics. In these scenarios, our numerical method is a powerful tool for determining a tight lower bound on the secret key rate. Here we present an example of determining the secure key rate for single-photon BB84 in the practical setting where multiple frequency distributions are accepted by Alice and Bob, to show how our numerical approach may help.
We again return to the case where Alice and Bob perform BB84, where they choose some probability p_z to send signals in the Z-basis. We consider two sets of frequency distributions to accept, corresponding to whether their protocol has ideal behaviour or is suffering from misalignment due to the quantum channel. Following the notation in Eqn. 12, the first set, Q₁, is defined by letting Ñ(F) be the two-outcome frequency distribution of 'phase error' and 'no phase error' with no observed phase errors (e_x = 0). We refer to Q₁ as the phase set. The second set, Q₂, is defined by letting Ñ(F) = F, the fine-grained frequency distribution.

FIG. 8. (a) Key rate of the BB84 protocol for accepting statistics in Q₁, where either just the phase statistics or both the phase statistics and the fine-grained statistics are used to determine the key rate. We see that in this case the fine-grained data does not help for this protocol. (b) Key rate of the BB84 protocol for accepting observed statistics in Q₂, where either just the phase statistics or both the phase statistics and the fine-grained statistics are used to determine the key rate. We see that in this case the fine-grained data does help, and so an analytical key rate calculation is difficult. For both (a) and (b), each point is optimized over p_z, using the model from Section IV B to generate the fine-grained statistics.
We refer to Q₂ as the rotated set. In both cases, the variation threshold t is 2(1 − p_z)² ē_x, where ē_x is the maximum tolerated observed error from F. For this example we let ē_x = 0.02. The factor of (1 − p_z)² ensures the variation threshold stays the same as p_z is varied to optimize the key rate. Given the definition of the phase set Q₁, the key rate can be determined analytically, as one can replace e_x in Eqn. 19 by ē_x. Furthermore, as no data more fine-grained than the phase error is needed in this case, it is clear that multiple coarse-grainings will not further improve the key rate. These observations are verified numerically in Fig. 8a. However, in the case where the observed statistics are contained in Q₂ rather than Q₁, an analytical tight lower bound on the key rate is not a reasonable task, as the structure of the worst-case scenario is no longer simple. This is seen in Fig. 8b, where our numerical results show that multiple coarse-grainings help to obtain a tighter key rate when Q₂ is used. It follows that obtaining a tight key rate analytically would be difficult, as one needs to utilize both the fine-grained statistics and multiple coarse-grainings.
More generally, this tells us that the optimal choice of Q in certain implementations may be difficult to determine due to issues such as misalignment errors. In such cases, even in the honest implementation, the statistics one ought to accept are fine-grained data that, because of such complications, lack certain symmetries in Alice and Bob's results. This in turn limits one's a priori knowledge of what form the worst-case observed statistics will take. This is further aggravated by the trade-off between how often the protocol aborts and the length of the secret key when it does not abort. For these reasons, constructing a good choice of Q is a non-trivial task given common issues in implementing QKD protocols. As it is designed for generic protocols, our numerical method allows for further exploration of these difficulties, which cannot be explored analytically.

V. CONCLUSION
In the utilization of QKD protocols for our future quantum-safe infrastructure, it is crucial that we can analyze general QKD protocols' ability to generate composable secret keys in the finite regime. Much work has already been done on both the framework of finite key analysis [9,11,18] and its application to specific protocols using both theory and numerics [6,10,13,19,50]. However, there has not existed a tool which can determine the finite key rate for any QKD protocol representable in finite-dimensional Hilbert spaces. The contribution of this work is to construct such a tool, with the further properties that it always determines a secure secret key rate (reliability) and can in principle exactly determine the secret key rate under the security proof method presented in [9].
We note that the tightness property of our solver holds only up to the security proof method of [9], in which the smooth min-entropy is bounded by the conditional von Neumann entropy. However, it was shown in [18] that in some regimes bounding the smooth min-entropy by the min-entropy can improve the key rate. This method has also been implemented numerically for a subclass of protocols in [19]. Therefore, our claim of tightness is up to the assumption above, although it is easy to see that one can unify our general framework with the min-entropy calculation presented in [19] and recover the tightness property up to this alternative choice.
Beyond the construction of a generic numerical framework for finite key analysis, we note that Theorem 1 in this paper resolves an issue in this security framework for finite key analysis. If one were to define the security using only one set of statistics, then, as coarse-graining can be better than fine-grained data, there would exist cases in which Alice and Bob throwing out information is an advantage against Eve. This would be counter-intuitive. However, we see that the security definition actually allows Alice and Bob to keep both versions of the data, and thus the 'true' finite key rate can be seen as constraining over all possible coarse-grainings, which utilizes all possible data from the experiment. The rotated BB84 example exemplifies this idea.
Lastly, we note that this generic method requires that one consider probability distributions, but in CV-QKD one is often interested in a form of coarse-graining which leads to expectation values of observables rather than a probability distribution. One would hope there exists a proof method within the same security definitions which bounds the expectation values of these specific observables, even though they are not constructed by applying a conditional probability distribution to the initial fine-grained statistics.

Note added:
During the preparation of this manuscript, we noticed that a similar work [19] was posted on the preprint server. Our ideas were conceived independently, and we have presented many of our main results at a conference [51]. We point out that our work differs from Ref. [19] in how the parameter estimation step is handled, as our method handles any number of coarse-grainings of any length tightly, which is the crucial property for a general solver in the finite key regime.
We define A = {X ∈ Pos(X) | Ψ(X) = B} and B = {Y ∈ Herm(Y) | Ψ†(Y) ⪯ A}. These sets are referred to as the feasible sets of the primal problem and dual problem, respectively. By weak duality, for all semidefinite programs the optimal value of the primal problem, denoted by α, is always greater than or equal to the optimal value of the dual problem, denoted by β. If a semidefinite program has α = β, it is said to satisfy strong duality. A sufficient condition for strong duality of an SDP in the standard form presented here is Slater's condition. Theorem 3. (Slater's Condition) For a semidefinite program (Ψ, A, B), if A ≠ ∅ and there exists a Hermitian operator Y which strictly satisfies the dual problem, that is, Ψ†(Y) ≺ A, then α = β and the optimal value is attained in the primal problem.

Numerical Imprecision
We recall two sets of constraints defined in the main text. The set of constraints that are not subject to statistical fluctuation is denoted by {Γ_i | i ∈ Λ}, and we refer to these as certainty constraints. The constraints {Γ̃_j | j ∈ Σ} that are subject to statistical fluctuation are referred to as uncertainty constraints.
As noted in Sec. III, when one acquires a solution ρ_f after the first step in Algorithm 1, the answer may not truly be feasible; that is, ρ_f is not in the correct set S^µ, but rather in an enlarged set S̃^µ. This issue arises from the imprecise numerical representation of the POVMs as well as the imprecision of the numerical optimization solver, which lead to violations of constraints in the optimization problem. To resolve this issue, one needs to consider the larger set S̃^µ to guarantee that ρ_f is included. Reference [15] presents a method for the asymptotic case, in which one has to consider only violations pertaining to the certainty constraints {Γ_i}. In the finite key scenario, we also need to consider the uncertainty constraints {Γ̃_j}. To rigorously account for numerical imprecision, we now adapt the method of [15] to finite key analysis.
An imprecise solver may lead to a solution ρ_f which is not positive semidefinite or which does not satisfy these constraints. To handle the first issue, if the state ρ_f has negative eigenvalues, one first perturbs the state to ρ'_f ≡ ρ_f + |λ_min(ρ_f)| 1 so that ρ'_f has no negative eigenvalues. Then one checks the maximum violation of the certainty constraints by ρ'_f and defines ε_sol ≡ max_{i∈Λ} |Tr(ρ'_f Γ_i) − γ_i|. Imprecise representations can be seen as deviations from the true POVM elements and probabilities. One can therefore denote the imprecise representations as Γ̃_i = Γ_i + δΓ_i and γ̃_i = γ_i + δγ_i, where ‖δΓ_i‖_HS ≤ ε₁ and |δγ_i| ≤ ε₂ for all i ∈ Λ. Defining ε_rep ≡ ε₁ + ε₂, it is shown in Lemma 10 of Ref. [15] that |Tr(ρ Γ̃_i) − γ̃_i| ≤ ε_rep for all i ∈ Λ. One then defines ε' = max(ε_sol, ε_rep) and considers ρ subject to the constraints {|Tr(ρ Γ̃_i) − γ̃_i| ≤ ε'}.
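The repair step above can be sketched numerically as follows (assuming Python with NumPy; the state ρ_f, the constraint operators Γ_i, and all numerical values are illustrative placeholders, not from the paper):

```python
import numpy as np

# A "solver output" rho_f with a small negative eigenvalue, mimicking
# the imprecision of a numerical SDP solver (values are placeholders).
rho_f = np.diag([0.6, 0.3, 0.1 + 1e-9, -1e-9])

# Placeholder certainty constraints Tr(rho Gamma_i) = gamma_i,
# recorded before the repair step.
Gammas = [np.diag([1., 0., 0., 0.]), np.diag([0., 1., 0., 0.])]
gammas = [np.trace(rho_f @ G) for G in Gammas]

# Repair: shift by |lambda_min(rho_f)| * 1 so the state becomes PSD.
lam_min = np.min(np.linalg.eigvalsh(rho_f))
if lam_min < 0:
    rho_f = rho_f + abs(lam_min) * np.eye(4)

# eps_sol: the largest violation of the certainty constraints by the
# repaired state; the second-step feasible set is enlarged by this amount.
eps_sol = max(abs(np.trace(rho_f @ G) - g) for G, g in zip(Gammas, gammas))

assert np.min(np.linalg.eigvalsh(rho_f)) >= -1e-15  # PSD up to machine precision
assert eps_sol <= 1e-8                              # violation is tiny, as expected
```

The shift by |λ_min| is deliberately crude: it guarantees positivity at the cost of a small, quantifiable constraint violation, which is exactly what ε_sol records.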
These imprecisions may also lead to a violation of the variational distance constraint. Therefore, one should redefine µ for the second step so as to guarantee that ρ'_f is considered in the second step. Since the uncertainty constraints pertain to the variational distance, which takes the imprecisions as a whole, to properly enlarge µ to take the constraint violations into account, one can use the Cauchy-Schwarz inequality along with Lemma 10 of [15] to expand µ to µ' = max(µ + √n ε', ‖Φ_P(ρ'_f) − F‖₁ + √n ε'), where n = |Λ|.
Lastly, there is the possibility that the solver finds an optimal solution (σ, F) such that ‖N(F) − Ñ(F̃)‖₁ > t. In this case, one should expand t; thus define t' ≡ max(t, ‖N(F) − Ñ(F̃)‖₁). Then one defines S̃^{µ'}_{t'}, obtained from S^µ by relaxing the constraints with ε', t', and µ', to play the role of S^µ. Clearly, if ε' = 0, t' = t, and µ' = µ, one recovers the original set S^µ. This alternative set is used for deriving the dual problem of the second step in the following section. By optimizing over the set S̃^{µ'}_{t'}, we handle the numerical imprecision related to both certainty and uncertainty constraints.
A final remark is that when G(ρ) is singular, the derivative in Eqn. (11) may not exist. To tackle this issue, Ref. [15] introduces a small perturbation G_ε(ρ) ≡ (1 − ε)G(ρ) + ε 1/d, where d is the dimension of G(ρ), and ε ≥ 0 is chosen such that G_ε(ρ) is not singular. The derivative of f(ρ) is obtained by replacing G with G_ε in Eqn. (11).
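A minimal numerical sanity check of this perturbation (assuming Python with NumPy; the matrix G is an illustrative placeholder, and the mixing form (1 − ε)G + ε1/d is one plausible convention, possibly differing in detail from Ref. [15]):

```python
import numpy as np

d = 4
eps = 1e-9

# A singular (rank-deficient) PSD matrix standing in for G(rho);
# log G(rho), and hence the derivative of f(rho), is then ill-defined.
G = np.diag([0.5, 0.5, 0.0, 0.0])

# Mix in a small multiple of the maximally mixed operator so that
# the result is full rank and the matrix logarithm exists.
G_eps = (1 - eps) * G + eps * np.eye(d) / d

assert np.linalg.matrix_rank(G) == 2          # G is singular
assert np.min(np.linalg.eigvalsh(G_eps)) > 0  # G_eps is full rank
```

Since every eigenvalue of G_eps is at least ε/d, the perturbation gives an explicit lower bound on the spectrum, which is what makes the perturbed derivative well defined.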
Introducing dual variables a, ã, b⃗, K, L, K̃, and L̃, we then get the following dual problem, where W ≡ C^{|Σ|}. Let β₀(ρ) denote the optimal value of this dual problem. From Eqn. (A9), we observe that the off-diagonal entries of K, L, K̃, L̃, W₁, and W₂ are not important for this optimization problem: for any optimal solution of this problem, if K', L', K̃', L̃', W₁', and W₂' are the matrices obtained by taking only the diagonal parts of K*, L*, K̃*, L̃*, W₁*, and W₂*, respectively, then the matrix Y' = diag(a*, K', L', K̃', L̃', W₁', W₂') is also optimal, as it is feasible and achieves the same optimal value. Moreover, we may optimize over the difference L − K (L̃ − K̃) subject to the constraint −a1_W ⪯ L − K ⪯ a1_W (−ã1_W ⪯ L̃ − K̃ ⪯ ã1_W), as only the difference L − K (L̃ − K̃) matters in the optimization and its range, −a1 ⪯ L − K ⪯ a1 (−ã1 ⪯ L̃ − K̃ ⪯ ã1), is determined by the two constraints 0 ⪯ K ⪯ a1 and 0 ⪯ L ⪯ a1 (0 ⪯ K̃ ⪯ ã1 and 0 ⪯ L̃ ⪯ ã1). If we write γ⃗ as the vector whose i-th entry is γ_i and f⃗ = diag(F_N), the dual problem in Eqn. (A9) simplifies to Eqn. (A10), where N⃗† is defined such that diag(N†(Z)) = N⃗†(diag(Z)) for arbitrary Z ∈ L(C^{|Σ_C|}). We remark that when ε' = 0, we can replace y⃗₁ and y⃗₂ by y⃗ ≡ y⃗₁ − y⃗₂ subject to the constraint y⃗ ∈ R^{|Λ|}. When µ' = µ, t' = t, and ε' = 0, Eqn. (A10) reduces to Eqn. (15) in the main text after this replacement.

Reliability and Tightness
We now prove that the lower bound using the linearization is tight for the finite key SDP; that is, in the limit where the numerical imprecisions vanish, the program obtains the true answer. In this section we present the precise mathematical statement of tightness for the SDP in Eqn. (14) in Theorem 4, which accounts for the issues of numerical imprecision discussed in Sec. A 3. The extension to multiple coarse-grainings is then straightforward. This theorem is a finite-size version of Theorem 3 in Ref. [15]. In proving it, we adapt the proofs in Appendixes D and E of [15] as well as the technical lemmas in Appendixes A-C of [15].
As our optimization problem comes from a physical scenario, and we are only interested in the situation where the set S̃^{µ'}_{t'} is nonempty (otherwise we may trivially set the key rate to zero), we restrict our attention to this situation. Having shown the reliability of our numerical method, we now proceed to the tightness claim in Eqn. (A16). If ρ* is an optimal solution, an immediate consequence of Lemma 6 is that the following equation holds for any ρ ∈ S̃^{µ'}_{t'}. This completes the proof of Eqn. (A16) and Theorem 4.

Multiple Coarse-Grainings
We now show that it is easy to extend to the case where one considers multiple coarse-grainings. First, we define Σ_f as the alphabet indexing the fine-grained statistics of the experiment. Let k index the set of conditional probability distributions pertaining to coarse-grained data, {p_{Σ_k|Σ_f}}_k. Each conditional probability distribution induces a channel N_k which applies the coarse-graining to the statistics. Define the POVM pertaining to the k-th conditional probability distribution as {Γ̃_j^k}_{j∈Σ_k}, which induces a measurement channel Φ_{P_k}. In this case j is implicitly dependent on k, as different coarse-grainings construct probability distributions of different sizes. Then the primal problem may be written with Φ_{P_k}(X) ≡ Σ_{j∈Σ_k} Tr(X Γ̃_j^k) |j⟩⟨j| and N_k(X) = Σ_{x∈Σ_f, y∈Σ_k} p_{Σ_k|Σ_f}(y|x) |y⟩⟨x| X |x⟩⟨y|. We stress that F_k is indexed by k, given the set considered in Theorem 1.
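On classical data, the induced channel N_k is simply a stochastic matrix applied to the fine-grained probability vector. A minimal sketch (assuming Python with NumPy; the alphabets and the conditional distribution p_{Σ_k|Σ_f} are illustrative placeholders):

```python
import numpy as np

# Fine-grained statistics over Sigma_f = {0, 1, 2, 3}.
p_fine = np.array([0.4, 0.1, 0.3, 0.2])

# A conditional distribution p_{Sigma_k|Sigma_f}(y|x): here a
# deterministic coarse-graining merging {0,1} -> 0 and {2,3} -> 1.
# Rows are indexed by y in Sigma_k, columns by x in Sigma_f.
p_cond = np.array([[1., 1., 0., 0.],
                   [0., 0., 1., 1.]])

assert np.allclose(p_cond.sum(axis=0), 1)  # each column is a distribution

# The induced channel N_k maps fine-grained to coarse-grained statistics.
p_coarse = p_cond @ p_fine

assert np.allclose(p_coarse, [0.5, 0.5])
assert np.isclose(p_coarse.sum(), 1.0)     # coarse-graining preserves normalization
```

Different choices of p_cond (different k) yield probability vectors of different lengths, which is why the index j above implicitly depends on k.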
To convert this linearized primal problem into a semidefinite program, we effectively optimize k copies of Eqn. (A5) at the same time. This means we can write the equivalent form of Eqn. (A5): minimize ⟨∇f(ρ), σ⟩ subject to Tr(G_k) + Tr(H_k) ≤ µ_k for all k, where we have let t_k be indexed by k in case different coarse-grainings violate the set Q by different amounts.
To recast Eqn. (A23) into the form of the definition in Eqn. (A1), we can extend the definitions in Eqn. (A6) in a block-diagonal fashion using the matrix direct sum, ⊕, over k, with A = diag(∇f(ρ), 0). It is straightforward to write down the adjoint map of Ψ in this case. Finally, again because all of the k's are independent, the dual problem ultimately simplifies to a form in which µ⃗ is the vector whose k-th entry is µ_k. From these forms, it is clear that the strong duality and tightness proofs follow from the single-POVM case by indexing over the variable k and scaling appropriately.
⊕ is the direct sum. To make the expression of the Kraus operators concise, define the projectors Π_n = |n⟩⟨n| for n ∈ {0, 1, 2, 3}. Then, using that Alice performs the key map, along with the simplifications from Appendix A of [34], we have two Kraus operators which describe the action of G, where ⊕_c Π_n is well defined for all n, as Π_n ∈ H_4 and H_A ≅ ⊕_c H_4.
QKD Protocol in the Finite Regime

(1/2)‖ρ_{S_A S_B E} − π_{S_A S_B} ⊗ ρ_E‖₁ ≤ ε, where π_{S_A S_B} = Σ_{s∈S} (1/|S|) |s⟩⟨s| ⊗ |s⟩⟨s|, S is the set of secret keys the protocol could generate, and ‖·‖₁ is the trace norm defined as ‖A‖₁ = Tr√(A†A).
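This security criterion is straightforward to evaluate on small examples. The sketch below (assuming Python with NumPy; the one-bit key and the toy output state are placeholders, and Eve's register is traced out for brevity) computes the trace distance between a slightly imperfect key state and the ideal π_{S_A S_B}:

```python
import numpy as np

def trace_norm(A):
    # ||A||_1 = Tr sqrt(A^dagger A); for Hermitian A this equals
    # the sum of the absolute values of its eigenvalues.
    return np.sum(np.abs(np.linalg.eigvalsh(A)))

d = 2  # one-bit keys: S = {0, 1}

# Ideal output pi_{S_A S_B}: perfectly correlated, uniform keys.
pi = np.zeros((d * d, d * d))
for s in range(d):
    idx = s * d + s  # |s>|s> in the computational basis
    pi[idx, idx] = 1 / d

# A slightly imperfect "real" protocol output rho_{S_A S_B}.
rho = 0.99 * pi + 0.01 * np.eye(d * d) / (d * d)

dist = 0.5 * trace_norm(rho - pi)
assert abs(dist - 0.005) < 1e-12  # this toy output is 0.005-secure
```

Because the criterion is a trace distance, it is composable: a key that is ε-close to the ideal key state can be used in any later cryptographic application at a cost of at most ε in its security parameter.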

FIG. 3. Numerical key rate versus analytic key rate for BB84 for four error rates with ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸ so that ε = 10⁻⁸. The lines are the theory curves, and the dots are the corresponding solutions from our numerical method. We let e_z = e_x and p_z = 0.9. We assume here that the sample size is still larger than the block length of error correction, which gives f_EC = 1.20.

FIG. 4. We consider four different parameter estimation constraints for BB84 transmitted through a depolarizing channel with q = 0.02 when the signal states have been rotated by 12° about the Y-axis of the Bloch sphere. Each point has p_z numerically optimized for maximum key rate. The error bars come from computing the key rate for 20 trials of sampling the distribution whenever the number of signals used for parameter estimation was less than 10⁸ and taking the standard deviation. For all curves we let ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸.

FIG. 8. (a) Key rate of the BB84 protocol for accepting statistics in Q₁, where either just the phase statistics or both the phase statistics and the fine-grained statistics are used to determine the key rate. We see that in this case the fine-grained data does not help for this protocol. (b) Key rate of the BB84 protocol for accepting observed statistics in Q₂, where either just the phase statistics or both the phase statistics and the fine-grained statistics are used to determine the key rate. We see that in this case the fine-grained data does help for this protocol, and so an analytical key rate calculation is difficult. For both (a) and (b), p_z is optimized at each point and the security is defined by ε_PE = ε̄ = ε_EC = ε_PA = (1/4) × 10⁻⁸.

1. State Preparation and Transmission: Alice prepares an entangled quantum state ρ_AB and sends half of it to Bob. Alice does this N times.

2. Measurement and Data Partitioning: Alice and Bob measure each of the N entangled quantum states ρ_AB and store the data pertaining to each measurement. In view of future communication, they partition their respective data from each measurement, indexed by i, into private information, A_i, B_i, and public information, Ã_i, B̃_i, which they later announce publicly.

3. Parameter Estimation: Alice and Bob announce their fine-grained data about some random subset of the N signals of size m to construct the frequency distribution f(a, b). If f(a, b) is in a set of pre-agreed upon accepted statistics, Q, Alice and Bob proceed. Otherwise, they abort the protocol.

4. Announcements and General Sifting: Alice and Bob announce the public information that they prepared in Step 2 and throw out the results of some subset of the N − m signals based on this public information. The remaining private information forms their raw keys x̃ ∈ {0, ..., k_A − 1}^n and ỹ ∈ {0, ..., k_B − 1}^n, where k_A and k_B are the number of possible outcomes for Alice's and Bob's measurements, respectively.

5. Key Map: Alice computes the key map, a function of her private data as well as the public data of both parties, to obtain a key x ∈ {0, 1, ..., d − 1}^n, where d is the size of the key alphabet.

6. Error Correction: Alice and Bob publicly communicate to try to make ỹ and x agree, so that Bob obtains x ∈ {0, 1, ..., d − 1}^n.
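The parameter estimation step can be sketched numerically as follows (assuming Python with NumPy; the channel model, sample sizes, and the accept set Q are illustrative placeholders, not from the paper):

```python
import numpy as np

rng = np.random.default_rng(7)

# Toy simulation of the parameter estimation step.
N, m = 10000, 1000
a = rng.integers(0, 2, size=N)   # Alice's fine-grained outcomes
flip = rng.random(N) < 0.05      # ~5% of signals are disturbed in transit
b = np.where(flip, 1 - a, a)     # Bob's fine-grained outcomes

# Announce a random subset of size m and build the frequency distribution f(a, b).
test_idx = rng.choice(N, size=m, replace=False)
f = np.zeros((2, 2))
for i in test_idx:
    f[a[i], b[i]] += 1
f /= m

# Accept set Q: here, proceed only if the observed error frequency is at most 10%.
err = f[0, 1] + f[1, 0]
accept = err <= 0.10
```

In the protocol, Q is any pre-agreed set of accepted statistics; here it is reduced to a single threshold on the observed error frequency, and the remaining N − m signals would then be used for key generation.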