Tight finite-key analysis for generalized high-dimensional quantum key distribution

Due to its capability of tolerating high error rates and generating more key bits per trial, high-dimensional quantum key distribution attracts wide interest. Despite great progress in high-dimensional quantum key distribution, there are still some gaps between theory and experiment. One of these is that the security of the secret key heavily depends on the number of emitted signals. So far, the existing security proofs are only suitable for the case of an infinite or impractically large number of emitted signals. Here, by introducing the idea of "key classification" and developing relevant techniques based on the uncertainty relation for smooth entropies, we propose a tight finite-key analysis suitable for generalized high-dimensional quantum key distribution protocols. Benefiting from our theory, high-dimensional quantum key distribution protocols with finite resources become experimentally feasible.


INTRODUCTION
Quantum key distribution (QKD), considered the first application in quantum information science, can provide two distant parties, Alice and Bob, with a string of secret key bits by the laws of quantum mechanics. Because of this feature, it has been rapidly developed in both theory and experiment over the last three decades [1][2][3][4][5][6][7][8][9][10][11]. Most of the proposed QKD protocols are based on qubit systems, such as the well-known BB84 protocol [1]. QKD protocols using qubit systems are very mature both in theory and experiment, but in some scenarios their performance is limited by the dimensionality. For instance, each qubit can distribute at most 1 key bit. As the requirements on protocol performance increase, more and more novel protocols have been proposed. Some of them can tolerate a high error rate, such as the six-state protocol [12]; some of them carry more than one secret key bit per signal [13]. Some of these QKD protocols prepare quantum states in a Hilbert space of dimension larger than 2, while others may prepare and measure quantum states in 2 or more bases. That is the reason we call them high-dimensional (HD) QKD.
Since HD-QKD has various advantages, scholars have made a lot of efforts both in its security proofs and experimental techniques [13][14][15][16]. However, most existing security proofs [13,17,18] are only available under the assumption that we have infinite resources. In other words, the two parties Alice and Bob are required to exchange an arbitrarily large number of quantum signals N, which cannot be achieved by practical equipment. When we remove the infinite resources assumption, that is, when we consider the finite-key issue, several security proofs [17,19,20] have been proposed for some specific HD-QKD protocols. Frustratingly, the number of exchanged quantum signals N is usually too large to be realized. Thus, a more efficient method to reduce N to an acceptable level is an urgent need. Besides, the existing proof [21] for HD-QKD protocols is not general, e.g. Bob is assumed to make measurements along only two bases albeit the coding states are qudit systems.
* yinzq@ustc.edu.cn
Here, we propose an efficient method to tackle finite-key issues for generalized HD-QKD protocols, i.e. the dimension of the Hilbert space is arbitrary and Bob's measurement bases can be multiple. The proposed method covers the previous proof technique [21], which is only suitable for two measurement bases. The essence of our method is the idea of "key classification", which means classifying key bits into different types with different bit error patterns. Furthermore, applying the uncertainty relation [22] for smooth entropies [23] to each type and developing relevant theoretical techniques, we derive a tight bound on the secret key rate for HD-QKD in finite-key scenarios. Compared with previous methods, including the de Finetti theorem [24] and the post-selection technique [25], our method leads to a more optimistic bound. Through numerical simulations, we show that, for a variety of HD-QKD protocols, the number of exchanged quantum states N can be reduced dramatically thanks to the proposed theory.

RESULTS
Security definition. Before stating our new proof technique, let us review the security framework [5,26] that we are concerned with in this paper. A general QKD protocol is executed by two distant parties, Alice and Bob. Bob receives the signals from an insecure quantum channel. Then Alice and Bob output either a pair of bit strings $S_A$ and $S_B$, or a symbol ⊥ to indicate that the protocol aborts.
According to the definition of security, a QKD protocol has to satisfy three criteria called "correctness", "secrecy" and "robustness". Owing to the practical implementation, it is impossible to guarantee $S_A = S_B$. A QKD protocol is therefore $\varepsilon_{\rm cor}$-correct if it is $\varepsilon_{\rm cor}$-indistinguishable from a protocol with $S_A = S_B$. Similarly, a protocol is $\varepsilon_{\rm sec}$-secret, if where $U_A$ is the fully mixed state of Alice's system, $\rho_{AE}$ is the composed state of Alice and Eve, and $\|\cdot\|$ denotes the trace norm. Finally, a protocol is $\varepsilon_{\rm rob}$-robust if the probability that the protocol aborts is no bigger than $\varepsilon_{\rm rob}$. In this work, for simplicity, we just consider the correctness and secrecy of a QKD protocol. Thereby, we say a QKD protocol is $\varepsilon_{\rm tot}$-secure if it is both $\varepsilon_{\rm cor}$-correct and $\varepsilon_{\rm sec}$-secret, with $\varepsilon_{\rm cor} + \varepsilon_{\rm sec} \le \varepsilon_{\rm tot}$.
Based on this security definition, we are able to guarantee the security when we use our new technique in the HD-QKD protocols.
Protocol definition. In this work, we take (d+1)-basis QKD protocols, i.e. the generalization of the six-state protocol, as the examples to introduce our proof technique. Below, we first present some assumptions about the devices. On one side of the insecure quantum channel, Alice controls her devices to prepare d-level (d is a prime number in this work) quantum states, which we also call qudits. We recall that there are at most d + 1 mutually unbiased bases (MUBs) in the d-level Hilbert space. Then, Alice randomly chooses one of the MUBs and encodes the key bit into one of its orthogonal eigenvectors. After Bob receives the particle, he is able to randomly choose one MUB to perform a projective measurement. In order to clearly describe the protocols, we list some notations as follows.
First, we review the definition of "overlap". The overlap of any two measurements is defined as $c = \max_{y,z} \|\sqrt{M_y}\sqrt{N_z}\|_\infty^2$, where $\{M_y\}$ and $\{N_z\}$ are the elements of the positive operator valued measurements (POVMs) of the Y basis and Z basis, respectively. In this paper, we heavily rely on the fact that the overlap of any two POVMs of MUBs in the d-level Hilbert space is 1/d. Second, the prepared states are guaranteed to be d-level quantum states chosen from the d + 1 MUBs $X_{j,k} \in \{X_{0,1}, X_{1,0}, \cdots, X_{1,k}, \cdots, X_{1,d-1}\}$, where the notations are analogous to [17]. On the other side of the channel, Bob controls his devices to measure quantum states in these d + 1 bases. Thus, there exists an equivalent entanglement-based (EB) protocol according to the model described above.
Third, under the EB version of the protocol, Alice prepares two entangled quantum states and sends one of them to Bob in each trial. At measurement, we assume that Bob is able to delay all the measurements in the $X_{0,1}$-basis until parameter estimation is completed. This assumption doesn't affect the final key rate if the measurement statistics are the same as those of the actual devices. According to [27], the composed quantum states before measurements have the simple form $\rho^n_{AB} = \sum^{n}_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}} \mu_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}} \rho^n_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}}$. In this formula, the sum is taken over all $n_{00}, \cdots, n_{jk}, \cdots, n_{d-1,d-1}$ satisfying $\sum_{j,k=0}^{d-1} n_{jk} = n$, and $\mu_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}}$ are some non-negative coefficients. Moreover, there exists a unitary operation π on $H^n_{AB}$ which permutes the n subsystems, so that $\rho^n_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}}$ can be given by (3) In this expression, the generalized Bell basis states $|\Phi_{jk}\rangle = \sum_{s=0}^{d-1} \omega^{sk} |s, s+j\rangle$ ($j, k \in \{0, 1, \cdots, d-1\}$ and ω is the dth root of unity) [17] belong to the composed Hilbert space of Alice and Bob, denoted by $H_{AB}$.
Finally, in practical optical schemes, (d+1)-basis QKD protocols are often realized with weak coherent light rather than a single-photon source, which doesn't meet the assumption that Alice prepares d-level quantum states. Inspired by Lim et al.'s work [28], the finite-key analysis in this case can intuitively be solved by using decoy states [29][30][31][32].
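The overlap fact used above (c = 1/d for any two MUBs) can be checked numerically. The following is an added example, not code from the paper: it assumes the standard quadratic-phase construction of d + 1 MUBs for odd prime d, and its basis numbering is its own rather than the paper's $X_{j,k}$ labels.

```python
import cmath
import math
from itertools import combinations


def mub_bases(d):
    """Return d+1 orthonormal bases of C^d for an odd prime d.

    Basis 0 is the computational basis. Basis k+1 (k = 0..d-1) holds the
    vectors (1/sqrt(d)) * sum_s w^(k*s^2 + j*s) |s>, with w = exp(2*pi*i/d).
    The numbering is this example's own, not the paper's X_{j,k} labels.
    """
    if d < 3 or any(d % p == 0 for p in range(2, math.isqrt(d) + 1)):
        raise ValueError("this construction needs an odd prime d")
    norm = 1 / math.sqrt(d)

    def w(e):
        # Reduce the exponent mod d first to keep the phase accurate.
        return cmath.exp(2j * cmath.pi * (e % d) / d)

    bases = [[[complex(s == j) for s in range(d)] for j in range(d)]]
    for k in range(d):
        bases.append([[norm * w(k * s * s + j * s) for s in range(d)]
                      for j in range(d)])
    return bases


def inner(u, v):
    """Hermitian inner product <u|v>."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def overlap(basis_y, basis_z):
    """c = max_{y,z} |<y|z>|^2, the overlap for rank-one projectors."""
    return max(abs(inner(y, z)) ** 2 for y in basis_y for z in basis_z)


def is_orthonormal(basis, tol=1e-9):
    return all(abs(inner(u, v) - (i == j)) < tol
               for i, u in enumerate(basis) for j, v in enumerate(basis))


def worst_overlap_deviation(d):
    """Largest |c - 1/d| over all pairs of the d+1 bases."""
    bases = mub_bases(d)
    assert all(is_orthonormal(b) for b in bases)
    return max(abs(overlap(a, b) - 1 / d) for a, b in combinations(bases, 2))


def uncertainty_bound_bits(d, n):
    """log2(1/c) for n-fold product measurements, where c = 1/d**n."""
    return n * math.log2(d)


if __name__ == "__main__":
    for d in (3, 5, 17):
        print(d, worst_overlap_deviation(d), uncertainty_bound_bits(d, 1))
```

For rank-one projective measurements the operator-norm definition of c reduces to the largest squared inner product, which is what `overlap` computes.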
We now define a family of (d+1)-basis QKD protocols, $\Phi[n, m, l, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$, where n is the block size with respect to the sifted keys in the $X_{0,1}$-basis, m is the number of dits used for parameter estimation with regard to each basis, l is the secret key length, $\varepsilon_{\rm cor}$ is the required correctness, and $\mathrm{leak}_{\rm EC}$ is the information leakage in error correction. The protocol is asymmetric: specifically, the n sifted keys used for producing the final secret keys are measured in the $X_{0,1}$-basis, while the other (d + 1) * m dits used for parameter estimation are measured in all d + 1 bases. Therefore, the number of total sifted keys is defined as N = n + (d + 1) * m.
The protocol is described in Box 1.
Box 1: Protocol definition.
State Preparation: Alice and Bob repeat the first four steps of the protocol for $i = 1, \cdots, M$ until the condition in the Sifting step is met. Alice chooses a basis $X_i \in \{X_{0,1}, X_{1,0}, \cdots, X_{1,k}, \cdots, X_{1,d-1}\}$, where $X_{j,k}$ is chosen with probability $p_{j,k}$. Here we choose $p_{0,1} = f(n, m)$ and $p_{1,k} = (1 - p_{0,1})/d$, where the function $f(n, m)$ is chosen to minimize the number M of exchanged quantum states. Then, Alice chooses a random dit $r_i \in \{0, 1, \cdots, d-1\}$ and prepares the quantum state corresponding to $r_i$ in the basis $X_i$.
Distribution: Alice sends the quantum state over the insecure channel to Bob.
Measurement: Bob also chooses a basis $\tilde X_i \in \{X_{0,1}, X_{1,0}, \cdots, X_{1,k}, \cdots, X_{1,d-1}\}$ with probability $p_{j,k}$. After receiving the state, Bob measures it in the chosen basis and stores the outcome $\tilde r_i \in \{0, \cdots, d-1\}$.
Sifting: Alice and Bob broadcast their basis settings over an authenticated classical channel. We define the sets $\mathcal{X}_{0,1} := \{i : X_i = \tilde X_i = X_{0,1}\}$ and $\mathcal{X}_{1,k} := \{i : X_i = \tilde X_i = X_{1,k}\}$. The protocol repeats the first four steps unless $|\mathcal{X}_{0,1}| \ge n + m$ and $|\mathcal{X}_{1,k}| \ge m$ for each $k \in \{0, \cdots, d-1\}$.
Parameter estimation: Alice and Bob use n random dits from $\mathcal{X}_{0,1}$ to form the code dit strings $X^n_{0,1}$ and $\tilde X^n_{0,1}$, respectively. Then, for m dits from each $X_{j,k} \in \{X_{0,1}, X_{1,0}, \cdots, X_{1,k}, \cdots, X_{1,d-1}\}$, they compute d types of statistical parameters $q^{(t)}_{j,k}$ with $t \in \{0, 1, 2, \cdots, d-1\}$. Moreover, these parameters satisfy $\sum_{t=0}^{d-1} q^{(t)}_{j,k} = 1$, with the probability of no error $q^{(0)}_{j,k}$ for each basis $X_{j,k}$. The protocol aborts if the probability of error $\sum_{t=1}^{d-1} q^{(t)}_{j,k}$ for each basis $X_{j,k}$ is too high.
Error correction: For those n dits that pass the parameter estimation step, an information reconciliation scheme is applied. This allows Bob to obtain an estimate $\tilde X^n_{0,1}$ of $X^n_{0,1}$ by Alice sending him $\mathrm{leak}_{\rm EC}$ bits of error correction data. Then, Alice computes a bit string (a hash) of length $\log_2 \frac{1}{\varepsilon_{\rm cor}}$ by applying a random two-universal hash function to $X^n_{0,1}$. She sends the choice of function and the hash to Bob. The protocol aborts if $\mathrm{hash}(\tilde X^n_{0,1}) \neq \mathrm{hash}(X^n_{0,1})$.
Privacy amplification: If the n dits pass the error correction, Alice and Bob apply a random two-universal hash function to $X^n_{0,1}$ and $\tilde X^n_{0,1}$ to extract the final secret l bits ($l * \log_d 2$ dits).
Security analysis. We now present the main result of our paper. It says that the (d+1)-basis protocols $\Phi[n, m, l, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$ are both $\varepsilon_{\rm cor}$-correct and $\varepsilon_{\rm sec}$-secret, if the length of the secret key is calculated according to a given set of observed values. The correctness is guaranteed by the error correction step, where a hash of Alice's sifted key is compared with the hash of Bob's estimate of it. If the length of secret key l satisfies the protocols $\Phi[n, m, l, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$ are $\varepsilon_{\rm sec}$-secret.
In this formula, ξ is a d-level probability vector denoted by $\xi = \{\xi_0, \xi_1, \cdots, \xi_t, \cdots, \xi_{d-1}\}$, and where H(·) denotes the entropy function of a d-level probability vector by and µ(ε) that accounts for statistical fluctuation is given by A sketch of the proof of equation (4) can be found in the Methods section, and a rigorous proof including a more general version of equation (4) can be found in the Supplementary Material. When we come to the asymptotic case of sufficiently large block sizes n, the statistical fluctuation term µ(ε) can be neglected, and thus l satisfies $l \le n(\log_2 d - H(\xi))(1 - Q) - \mathrm{leak}_{\rm EC}$, as obtained in previous work [13].

DISCUSSION
In this section, we analyze the behavior of our security bounds and compare our bounds with previous results by numerical simulations [17]. For this purpose, we assume that the quantum channel can be simulated as a generalization of the qubit depolarizing channel which leads to for each basis $X_{j,k}$. To maximize the expected key rate, we fix $\varepsilon_{\rm tot} = 10^{-10}$ and assume an error correction leakage of $\mathrm{leak}_{\rm EC} = \zeta n H_2(Q + \mu(\varepsilon))$, where ζ = 1.1 is the error correction efficiency and $H_2(\cdot)$ denotes the binary entropy function. In Fig. 1, Fig. 2 and Fig. 3, we compare our optimal key rates (defined as l/N) with the secret key rates in [17] of (d+1)-basis QKD protocols featured by d = 2, d = 3 and d = 17 respectively. As we can see from these figures, our results show a significant improvement in the minimum block size needed to produce a secret key. Moreover, we can reasonably conjecture that this improvement becomes more prominent as d increases. Similarly to [21], the improvement is mainly credited to classifying the sifted key by error types $y^n_{q^{(t)}_{0,1}}$ (see Methods) and using the entropic uncertainty relation to estimate the smooth min-entropy.
[Figure caption, beginning missing: ... [13]. The horizontal dashed lines represent the asymptotic rates for error rate Q ∈ {1%, 2.5%, 5%} (from top to bottom).]
[Figure caption (vertical axis: secret key rate, l/N): The plots show the secret key rate l/N versus sifted key length N = n + (d + 1) * m for the protocol when dimension d = 3. The solid curves show our results while the dash-dotted curves show the results given in Ref. [13]. The horizontal dashed lines represent the asymptotic rates for error rate Q ∈ {1%, 2.5%, 5%} (from top to bottom).]
In conclusion, we have given tight finite-key bounds for (d+1)-basis QKD protocols against general attacks. Previous proof techniques cannot effectively tackle QKD protocols with multiple measurements, such as the six-state protocol, in the finite-key regime. To solve this problem, we propose a new proof technique combining a so-called "key classification" idea and the entropic uncertainty relation. The "key classification" idea states that we can divide the classical-classical-quantum state $\rho_{X^n_{0,1}\tilde X^n_{0,1}E}$ (see Methods) into different types according to the relevant dit error patterns, and then apply the entropic uncertainty relation to these states respectively. The subtlety of our new proof technique is that we can flexibly classify $\rho_{X^n_{0,1}\tilde X^n_{0,1}E}$ and construct the corresponding form of the entropic uncertainty relation, which is also the reason that the new proof technique can cover the old one [21]. Finally, we believe that our new proof technique can give tighter finite-key bounds for other high-dimensional QKD protocols such as tomographic [33,34] and reference-frame-independent [35] QKD protocols.

Secrecy.
Here we briefly discuss our new proof technique that is applied to establish the secrecy of the (d+1)-basis protocols $\Phi[n, m, l, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$. We denote the dit strings of length n by $X^n_{0,1}$ on Alice's side and $\tilde X^n_{0,1}$ on Bob's side, respectively, which are used to extract the final key. Then, after the measurements (based on the EB version), the classical-classical-quantum state of Alice, Bob and Eve is given by where $x^n_{0,1} \in X^n_{0,1}$ and $\tilde x^n_{0,1} \in \tilde X^n_{0,1}$ respectively, and $P_{X^n_{0,1}\tilde X^n_{0,1}}(x^n_{0,1}\tilde x^n_{0,1})$ is the probability of the joint dit string $x^n_{0,1}\tilde x^n_{0,1}$. According to the Quantum Leftover Hashing lemma [5,36], the secret key length depends directly on the lower bound of the smooth min-entropy $H^{\bar\varepsilon}_{\min}(X^n_{0,1}|E)$. Then, we use the uncertainty relation for smooth entropies [23] with two constructed POVMs to give a lower bound of $H^{\bar\varepsilon}_{\min}(X^n_{0,1}|E)$. One is no doubt $X^{\otimes n}_{0,1}$; the other one is $\pi(X^{\otimes n_0}_{1,0} \cdots X^{\otimes n_k}_{1,k} \cdots X^{\otimes n_{d-1}}_{1,d-1})$, where $\sum_{k=0}^{d-1} n_k = n$. Thus, the uncertainty relation is given by It is not obvious how to apply this formula to the state $\rho_{X^n_{0,1}\tilde X^n_{0,1}E}$; to solve this problem, we introduce the idea of "classification". For any joint dit strings $x^n_{0,1}\tilde x^n_{0,1}$, we find that the i-th pair of dits undergoes a type-t change ($r_i - \tilde r_i \pmod d = t$), which is either an error ($t \neq 0$) or no error ($t = 0$). According to this feature, we define new dit strings $y^n_{q^{(t)}_{0,1}} \in Y^n_{q^{(t)}_{0,1}}$ that are given by where the subtraction is bitwise and "t" dit occurs n t := n * q where we have "classified" the state $\rho_{X^n_{0,1}\tilde X^n_{0,1}E}$ according to the dit string $y^n_{q^{(t)}_{0,1}}$. By the uncertainty relation with an appropriately constructed POVM $\pi(X^{\otimes n_0}_{1,0} \cdots X^{\otimes n_k}_{1,k} \cdots X^{\otimes n_{d-1}}_{1,d-1})$, we can obtain an almost tight bound on the smooth min-entropy of $\rho_{X^n_{0,1}\tilde X^n_{0,1}E|y^n_{q^{(t)}_{0,1}}}$. With the help of the subadditivity of min-entropy [37], we can connect the two smooth min-entropies of $\rho_{X^n_{0,1}\tilde X^n_{0,1}E|y^n_{q^{(t)}_{0,1}}}$ and $\rho_{X^n_{0,1}\tilde X^n_{0,1}E}$.
Finally, we obtain the lower bound of min-entropy given by where $\bar\varepsilon = 1 - (1 - \varepsilon^2)^{d+1}$, and µ(ε), which analogously to [21] accounts for statistical fluctuation, depends on the security parameter $\bar\varepsilon$.
The term $E'$ that represents all information Eve obtained can be decomposed as $E' = CE$, where C is the classical information revealed by Alice and Bob during the error correction step. Since the revealed information C is at most $\mathrm{leak}_{\rm EC} - \log_2 \frac{2}{\varepsilon_{\rm cor}}$ bits, we use a chain rule for smooth entropies and then obtain (15) If we choose $\bar\varepsilon = \varepsilon_{\rm sec}/2$, combining equation (4) and the Quantum Leftover Hashing lemma, we get Thus, these protocols are $\varepsilon_{\rm sec}$-secret.
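The "key classification" step described in this section, as an added example that is not part of the paper: it computes the error-type string, the type counts $n_t$, and a permutation that groups subsystems by type so each block is assigned one basis $X_{1,t}$. The sample dit strings are constructed, and the sign convention y = x̃ − x (mod d) is the one used in the supplementary text.

```python
from collections import Counter


def classify(x_alice, x_bob, d):
    """Error-type string y with y_i = (x~_i - x_i) mod d; t = 0 is no error."""
    if len(x_alice) != len(x_bob):
        raise ValueError("dit strings must have equal length")
    if any(not 0 <= v < d for v in list(x_alice) + list(x_bob)):
        raise ValueError("dits must lie in {0, ..., d-1}")
    return [(b - a) % d for a, b in zip(x_alice, x_bob)]


def type_counts(y, d):
    """n_t = number of positions with error type t, for t = 0..d-1."""
    c = Counter(y)
    return [c.get(t, 0) for t in range(d)]


def type_frequencies(y, d):
    """Empirical type vector (n_0/n, ..., n_{d-1}/n); entries sum to 1."""
    n = len(y)
    return [n_t / n for n_t in type_counts(y, d)]


def sorting_permutation(y):
    """Permutation pi (as an index list) grouping subsystems by type.

    Subsystem i is assigned the basis X_{1,s_i} with s_i = y_i. After the
    permutation, the subsystems assigned to X_{1,t} form one contiguous
    block of length n_t, giving the product-block form
    X_{1,0}^{n_0} ... X_{1,d-1}^{n_{d-1}}.
    """
    return sorted(range(len(y)), key=lambda i: y[i])  # stable sort


def blocks(y, d):
    """(t, start, end) of each block after the sorting permutation."""
    out, start = [], 0
    for t, n_t in enumerate(type_counts(y, d)):
        out.append((t, start, start + n_t))
        start += n_t
    return out


def error_rate(y):
    """Observed dit error rate: fraction of positions with t != 0."""
    return sum(1 for t in y if t != 0) / len(y)


# Constructed sample data (d = 3, n = 10), not from the paper.
D = 3
X_ALICE = [0, 1, 2, 2, 1, 0, 0, 2, 1, 1]
X_BOB = [0, 1, 2, 0, 1, 0, 2, 2, 1, 1]

if __name__ == "__main__":
    y = classify(X_ALICE, X_BOB, D)
    print(y, type_counts(y, D), sorting_permutation(y), blocks(y, D))
```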

Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
61675189), National Cryptography Development Fund (Grant No. MMJJ20170120) and Anhui Initiative in Quantum Information Technologies.

Competing interests
The authors declare that they have no competing interests.
Here we present the full proof of our main result.

AUTHOR CONTRIBUTIONS
Definition 1. If we exclude an event of small probability, denoted by $\varepsilon^2$, and only consider its mutually exclusive event that the error rate under the $X_{0,1}$-basis measurement is bounded by $Q + \mu$, then we can find a probability distribution In the above definition, $q^{(0)}_{0,1}$ is the no-error term in the probability vector q 0,1 = {q } with respect to the $X_{0,1}$-basis, and the term µ is the function of ε given by [21] µ(ε) = n + m nm Thus, we can find that Then the purified distance [37] between the distributions is given by $P(P, Q) = \sqrt{1 - F^2(P, Q)} = \varepsilon$.
Definition 2. We define the i-th dit of the string $y^n_{q^{(t)}_{0,1}}$ by $s_i \in \{0, 1, \cdots, d-1\}$. According to each dit string $y^n_{q^{(t)}_{0,1}}$, we construct a corresponding POVM denoted by $X^n|y^n_{q^{(t)}_{0,1}}$, in which the sub-POVM of the i-th subsystem is $X_{1,s_i} \in \{X_{1,0}, X_{1,1}, \cdots, X_{1,d-1}\}$. If we choose a suitable permutation operation π, $X^n|y^n_{q^{(t)}_{0,1}}$ can also be written as where n t = n * q to Alice and Bob's quantum system respectively, then Hε min (X n 0,1 |E) + Hε max (X n |y n where smooth min-entropy is for ρ X n 0,1 E|y n
Proof. Because the overlap of any two POVMs of MUBs in the d-level Hilbert space is 1/d, the overlap of $X^{\otimes n}_{0,1}$ and $X^n|y^n_{q^{(t)}_{0,1}}$ for any $y^n_{q^{(t)}_{0,1}}$ is $1/d^n$. Owing to the uncertainty relation for smooth entropies [23], we have Considering the data-processing inequality for smooth max-entropy [37], we have Thus, we complete the proof.
Similarly, if choosing a suitable permutation operation π corresponding to $y^n_{q^{(t)}_{0,1}}$, we can rewrite $X^n|y^n_{q^{(t)}_{0,1}}$ and $\tilde X^n|y^n_{q^{(t)}_{0,1}}$ as $X^n|y^n_{q^{(t)}_{0,1}} = \pi(X^{n_0}_{1,0} \cdots X^{n_t}_{1,t} \cdots X^{n_{d-1}}_{1,d-1})$, $\tilde X^n|y^n_{q^{(t)}_{0,1}} = \pi(\tilde X^{n_0}_{1,0} \cdots \tilde X^{n_t}_{1,t} \cdots \tilde X^{n_{d-1}}_{1,d-1})$, $H^{\bar\varepsilon}_{\max}(X^n|y^n_{q^{(t)}_{0,1}} \,|\, \tilde X^n|y^n_{q^{(t)}_{0,1}}) = H^{\bar\varepsilon}_{\max}(X^{n_0}_{1,0} \cdots X^{n_t}_{1,t} \cdots X^{n_{d-1}}_{1,d-1} \,|\, \tilde X^{n_0}_{1,0} \cdots \tilde X^{n_t}_{1,t} \cdots \tilde X^{n_{d-1}}_{1,d-1})$. (A.25) In the following, we focus on bounding $H^{\bar\varepsilon}_{\max}(X^n|y^n_{q^{(t)}_{0,1}} \,|\, \tilde X^n|y^n_{q^{(t)}_{0,1}})$ by observed values. Firstly, we note that the correlation of $X^n|y^n_{q^{(t)}_{0,1}}$ and $\tilde X^n|y^n_{q^{(t)}_{0,1}}$ is discussed when Alice and Bob respectively output dit strings $X^n_{0,1}$ and $\tilde X^n_{0,1}$ that satisfy $y^n_{q^{(t)}_{0,1}} = \tilde x^n_{0,1} - x^n_{0,1} \pmod d$. Then we can conceive a gedankenexperiment in which, if we already know that the outputs are $x^n_{0,1}$ on Alice's side and $\tilde x^n_{0,1}$ on Bob's side under the $X^{\otimes n}_{0,1}$-basis measurement, we perform the POVM $X^n|y^n_{q^{(t)}_{0,1}}$ and record the output values.
Finally, the output values in the gedankenexperiment help us analyze the correlation of $X^n|y^n_{q^{(t)}_{0,1}}$ and $\tilde X^n|y^n_{q^{(t)}_{0,1}}$ and thus bound $H^{\bar\varepsilon}_{\max}(X^n|y^n_{q^{(t)}_{0,1}} \,|\, \tilde X^n|y^n_{q^{(t)}_{0,1}})$. In fact, we can use the actual observed values to reconstruct the values that we need in the gedankenexperiment up to a failure probability.
For this purpose, we recall that it is sufficient to consider that the quantum states shared by Alice and Bob before any measurements have the simple form where $\rho^n_{n_{00},\cdots,n_{jk},\cdots,n_{d-1,d-1}} = \pi(\otimes_{j,k=0}^{d-1} (|\Phi_{jk}\rangle\langle\Phi_{jk}|)^{\otimes n_{jk}})$. (A.27) We note that the pair of qudits $|\Phi_{t,kt-j \bmod d}\rangle$ yields a "t" type change under measurements in the $X_{0,1}$-basis and a "j" type change under measurements in the $X_{1,k}$-basis, and we define its corresponding expected value $\lambda_{t,kt-j \bmod d} := \frac{1}{n} \sum^{n}_{n_{00},\cdots,n_{d-1,d-1}} \mu_{n_{00},\cdots,n_{d-1,d-1}} n_{t,kt-j \bmod d}$, (A.28) Then, we connect the actual observed values with $\lambda_{t,kt-j \bmod d}$ that Consequently, we can define the "conditional" values as we need in the gedankenexperiment picture. The values are given by which account for the expected probability that a pair of qudits yields a "j" type change in the $X_{1,t}$-basis under the condition that this pair of qudits yields a "t" type change in the $X_{0,1}$-basis.
Lemma 5. We define a probability vector and let $\bar\varepsilon = 1 - (1 - \varepsilon^2)^d$. Then Proof. Owing to the definition of smooth max-entropy and the technique introduced in [21], we have which completes the proof. In the above expression, $\sum_{j=0}^{d-1} \omega_{j|t} = n_t$ for each subscript t; besides, we have used the fact n t = n * q j=0 Ω j = N with $\Omega_0 \ge N/2$, and define the corresponding probability vector Ω : Proof. Combining the facts that It remains to prove equation (A.41). We note that $\Omega_0 \ge N/2 \ge \max\{\Omega_1, \cdots, \Omega_{d-1}\}$, thus . Besides, it is not hard to note that
Lemma 7. For any normalized density $\rho = \sum_{i=1} p_i \rho_i$ with the constraint $\sum_{i=1} p_i = 1$, if there exists an unnormalized density $\tilde\rho = \sum_{i=1} \tilde p_i \tilde\rho_i$ that satisfies $P(p_i, \tilde p_i) \le \varepsilon$ and $\max_i P(\rho_i, \tilde\rho_i) \le \bar\varepsilon$, where P(·, ·) denotes the purified distance [37], then Proof. Because of the constraint $\sum_{i=1} p_i = 1$, we find that $\rho_i$ is normalized. According to the definition of the purified distance, we have where $\bar F(\cdot, \cdot)$ denotes the purified fidelity. Owing to the strong concavity of the fidelity, we find that (A.47) Thus, we have which completes the proof.