Composable security for continuous variable quantum key distribution: Trust levels and practical key rates in wired and wireless networks

Continuous variable (CV) quantum key distribution (QKD) provides a powerful setting for secure quantum communications, thanks to the use of room-temperature off-the-shelf optical devices and the potential to reach much higher rates than the standard discrete-variable counterpart. In this work, we provide a general framework for studying the composable finite-size security of CV-QKD with Gaussian-modulated coherent-state protocols under various levels of trust for the loss and noise experienced by the parties. Our study considers both wired (i.e., fiber-based) and wireless (i.e., free-space) quantum communications. In the latter case, we show that high key rates are achievable for short-range optical wireless (LiFi) in secure quantum networks with both fixed and mobile devices. Finally, we extend our investigation to microwave wireless (WiFi) discussing security and feasibility of CV-QKD for very short-range applications.


I. INTRODUCTION
Quantum key distribution (QKD) [1] enables the generation of secret keys between two or more authenticated parties by resorting to the fundamental laws of quantum mechanics.Its continuous variable (CV) version [2][3][4][5][6] represents a very profitable setting and opportunity thanks to its more direct implementation in the current communication infrastructure and, most importantly, for its potential to approach the ultimate rate limits of quantum communication, as represented by the repeaterless PLOB bound [7].From an experimental point of view, we have been witnessing an increasing number of realizations closing the gap with the more traditional qubitbased implementations [8,9].
While composable security is typically assessed against collective or coherent attacks, experiments may involve some additional (realistic) assumptions that elude this theory.For instance, these assumptions may concern some level of trusted noise in the setups (e.g., this is often the case for the electronic noise of the detector) or some realistic constraint on the eavesdropper, Eve (e.g., it may be considered to be passive in line-of-sight freespace implementations).For this reason, here we present the general theory to cover all these cases.
In fact, we consider various levels of trust for the receiver's setup, starting from the traditional scenario where detector's loss or noise are untrusted, meaning that Eve may perform a side-channel attack over the receiver besides attacking the main channel.Then, we consider the case where detector's noise is trusted but not its loss, which corresponds to Eve collecting leakage from the receiver.Finally, we study the more trustful scenario where both detector's loss and noise are considered to be trusted, so that Eve is excluded from side-channels to the receiver.We show how these assumptions can nontrivially increase the composable key rates of Gaussianmodulated CV-QKD protocols and tolerate higher dBs.
In our analysis, we then investigate the free-space setting, specifically for near-range wireless quantum communications at optical frequencies (LiFi).This scenario involves the presence of free-space diffraction and also fading effects, mainly due to pointing and tracking errors associated with the limited technology of the transmitter (while we can neglect turbulence at such distances).We consider communication with both fixed and mobile devices, assuming realistic parameters for indoor conditions and relatively-large field-of-views for the receivers.Security is studied under the various trusted models for the receiver's detector and then including additional assumptions for Eve due to the line-of-sight configuration.
Here too we show that key rates are remarkably increased as an effect of the realistic assumptions.More interestingly, we show that wireless high-rate CV-QKD is indeed feasible with mobile devices.
Finally, we consider wireless quantum communications at the microwave frequencies (WiFi) where both loss and thermal noise are very high.In this scenario, we consider a potential regime of parameters that enables very short-range quantum security, e.g., between contact-less devices within the range of a few centimeters.
The paper is organized as follows.In Sec.II, we provide a general framework for the composable security of CV-QKD, which also accounts for levels of trust in the loss and noise of the communication.In Sec.III, we consider near-range free-space quantum communications, first at Let us consider a Gaussian-modulated coherent-state protocol between Alice (transmitter) and Bob (receiver).Alice prepares a coherent state |α whose amplitude α is modulated according to a complex Gaussian distribution with zero mean and variance µ − 1.Assuming the notation of Ref. [6], we may decompose the amplitude as α = (q + ip)/2, where x = q or p represents the mean value of the generic quadrature operator x = q, p where [q, p] = 2i.This generic quadrature can be written as x = x0 + x, where x0 is the vacuum noise associated with the bosonic mode and the real variable x is a random Gaussian displacement with zero mean and variance The coherent state is sent through a thermal-loss channel controlled by the eavesdropper, with transmissivity η ch and mean number of thermal photons ne .Equivalently, we may introduce the variance ω = 2n e + 1 and the background thermal noise nB defined by ne = nB /(1 − η ch ), so nB photons are added to the input signal.Bob's setup is characterized by quantum efficiency η eff and extra noise variance ν ex = 2n ex , where nex is an equivalent number of thermal photons generated by the imperfections in his receiver station (due to electronic noise, phase errors etc.) From an energetic point of view, the initial mean photons at the transmitter nT are attenuated by an overall factor τ = η ch η eff which can be seen as the total effective transmissivity of the extended channel between Alice and Bob.Thus, the total mean number of photons that are seen by the receiver's detector is given by nR where n is the total number of thermal photons due to the various sources of noise, given by n = η eff nB + nex .
See also Fig. 1 for a schematic of the overall scenario.Bob's detection is either a randomly-switched homodyne, measuring q or p [3], or heterodyne, realizing the joint measurement of q and p [4].We may treat both cases compactly with the same formalism.In both protocols, Bob retrieves an outcome y which corresponds to Alice's input x.For the homodyne protocol, there is a single pair (x, y) for each mode transmitted by Alice while, for the heterodyne protocol, there are two pairs of variables per mode (but affected by more noise).Eve (2) Eve (3) v FIG.1: Quantum communication scenario between transmitter (Alice) and receiver (Bob) separated by a quantum channel with transmissivity η ch and thermal number ne = nB/(1 − η ch ).Bob's setup has quantum efficiency η eff and extra thermal photons nex.The mean number of photons at the input (nT ) and output (nR) follow Eq. ( 2), while the input classical variable (x) and the output one (y) follow Eq. ( 4).We also describe the various trust levels for the receiver.In the scenario "Eve (1)", the eavesdropper is assumed to attack the external channel only.In the scenario "Eve (2)', there is also a passive side-channel attack where the eavesdropper collects leakage from the receiver's setup.Finally, in the scenario "Eve (3)", we assume that the eavesdropper is also able to perform an active side-channel attack, so that the noise internal to the setup has to be considered untrusted.
The input-output relation for the total channel from the classical input x to the output y takes the form where z is a noise variable.The latter is given by where xe denotes the quadrature of the thermal mode e, xv is the quadrature associated with setup vacuum mode v (quantum efficiency), z ex is a Gaussian variable with var(z ex ) = 2n ex accounting for the extra noise of the setup, and z det is an additional Gaussian variable with var(z det ) = ν det − 1 where ν det is the quantum duty ('quduty') associated with detection: ν det = 1 for homodyne and ν det = 2 for heterodyne.See also Fig. 1.In total the noise variable z has variance From the input-output relation of Eq. ( 4), we may compute Alice and Bob's mutual information I(x : y) which takes the same expression in direct reconciliation (where Bob infers x from y) and reverse reconciliation (where Alice infers y from x).In fact, from var(y) = τ σ 2 x + σ 2 z and var(y|x) = σ 2 z , we get where is the equivalent noise.Clearly I(x : y) can be specified to I hom (for homodyne) and I het (for heterodyne) by choosing the corresponding value for ν det .Note that the equivalent noise can be re-written as where ξ tot defines the total excess noise.In turn, the total excess noise can be decomposed as where ξ ch is the excess noise of the external channel, i.e., related to the thermal background, while ξ ex is that associated with the extra noise in the setup.
Let us make an important remark on notation.The use of the excess noise ξ tot is typical in fiber-based communication channels, while the use of the equivalent number of thermal photons n is instead more appropriate for freespace channels.In general, the two notations are related by the formulas above and can be used interchangeably.In the following, we choose to work with n which is particularly convenient from the point of view of the finite-size estimators.However, for completeness, we also provide the corresponding formulations in terms of excess noise.

B. Local oscillator and setup noise
Before discussing security aspects, let us discuss the local oscillator (LO) and then clarify the main contributions to the setup noise.In terms of equivalent number of thermal photons, the setup noise can be decomposed as nex = nLO +n el +n other , where nLO is the mean number of thermal photons associated with the phase errors of the LO, nel is the mean number of thermal photons generated by electronic noise, and nother is any other uncharacterized but independent source of noise (here neglected).Similarly, we may write a corresponding decomposition in terms of excess noise ξ ex = ξ LO + ξ el + ξ other , which is obtained by using ξ (...) = 2n (...) /τ .

Phase-locking via TLO or phase-reconstruction via LLO
LO is crucial in CV-QKD since it contains the phase information that allows the parties to exploit the two quadratures of the mode.In other words, Alice's and Bob's rotating reference frames need to be phase-locked so Bob can measure the incoming state in the same quadrature(s) chosen by Alice.To achieve this goal there are two techniques, the simplest solution of the transmitted LO (TLO) [3] and the more challenging (but more secure) one of the local LO (LLO) [1,[38][39][40].
With the TLO, the LO is generated by the transmitter and multiplexed in polarization with the signal mode/pulse.Both of them are sent through the channel and then de-multiplexed by the receiver before being interfered in the homodyne/heterodyne setup.With the LLO, bright reference pulses are regularly interleaved with the signal pulses (time multiplexing).At the receiver, both the signals and the references are measured with an independent local LO.From the references, Bob is able to track Alice's rotating frame and, using this phase information, he suitably rotates the outcomes obtained from the signals in the phase space.
Note that both TLO and LLO require to employ half of the total pulses for phase locking or reconstruction.When we explicitly consider a clock C for the system (pulses per second), the LLO involves an extra factor 1/2 in front of the final key rate, unless this is compensated by using both the polarizations for the signal transmissions (not possible for the TLO).

Contributions to setup noise
From the point of view of the setup noise, we need to account for phase errors introduced by an imperfect LO.In TLO this is negligible (n TLO ≃ 0), while for the LLO it is non-trivial.In fact, assume that signal and reference pulses are generated with an average linewidth l W = (l signal W + l LO W )/2.Then, for input classical modulation σ 2 x and transmissivity τ , we may write [11] nLLO This contribution can equivalently be written as excess noise ξ LLO = 2n LLO /τ , according to Eq. (12).For a cwlaser l W ≃ 1.6 KHz, a clock C = 5 MHz and a typical modulation σ 2 x = 9 (i.e., µ = 10) one has ξ LLO ≃ 0.018.While the LLO introduces phase errors, it may actually be better when we consider the impact of electronic noise.The latter can be described by a variance ν el or an equivalent number of photons nel = ν el /2.Its value depends on the frequency of the light ν, features of the homodyne/heterodyne detector, such as its noise equivalent power (NEP) and the bandwidth W , as well as features of the LO, such as its power at detection P det LO and the duration of its pulses ∆t LO .In fact, we may write In the case of a TLO, one has P det LO = τ P LO , where P LO is the LO initial power at the transmitter.For an LLO, we instead have P det LO = P LO .Thus, by setting  we may write so the formulas for the total setup noise are These formulas are in terms of equivalent number of thermal photons and they have corresponding expressions in terms of setup excess noise by using ξ ex = 2n ex /τ .Above we can see the different monotonicity of the setup noise with respect to τ , between TLO and LLO.Assume λ = 800 nm and W = 100 MHz, so we have signal pulses of duration ∆t = 10 ns and LO pulses of duration ∆t LO = 10 ns.For this bandwidth, we can assume the good value NEP = 6 pW/ √ Hz.Then, assuming P LO = 100 mW, we get Θ el ≃ 1.45 × 10 −3 for heterodyne detection (ν det = 2).For the LLO this value remains low, while for the TLO it is rescaled by 1/τ , which means that it may become large at long distances.See also Fig. 2 for a comparison.

C. Trust levels
Once we have clarified the main sources of noise in the communication scenario, we can go ahead and identify different levels of trust on the basis of different assumptions for the eavesdropper (Eve).The basic model is to assume that Eve's action is restricted to the outside channel.In this strategy, she inserts her photons in the thermal background and stores all the photons which are not collected by the receiver.However, she is assumed not to monitor or control the receiver's setup.This is the scenario where loss and noise are considered to be trusted in the receiver.See also Eve (1) in Fig. 1.In this case, Eve's collective Gaussian attack is represented by a purification of the environmental beam-splitter of transmissivity η ch , where the injected n(1) e = nB (1 − η ch ) −1 thermal photons are to be considered part of a two-mode squeezed vacuum (TMSV) state in Eve's hands [41].
More generally, we can assume that Eve is able to detect the leakage from setups [42][43][44].Here we consider this potential problem for the receiver's setup, so that the fraction 1 − η eff of the photons missed by the detection is stored by Eve and becomes part of her attack.On the other hand, we may assume that Eve is not able to actively tamper with the receiver, i.e., she does not control the noise internal to the setup, which may therefore be considered as trusted (this is a reasonable assumption which is often made by experimentalists for the electronic noise of the detector).We call this scenario the trustednoise model for the receiver.See Eve (2) in Fig. 1.In this case, the efficiency η eff becomes part of Eve's environmental beam-splitter, which now has total transmissivity τ = η ch η eff and injects n(2) Finally, there is the worst-case scenario where no imperfection in the receiver setup is trusted.In fact, the most pessimistic assumption is that Eve can also potentially control the extra photons in the setup nex besides collecting its leakage.See also Eve (3) in Fig. 1.In this case, the extra photons become part of Eve's environment.In other words, the entire channel from the transmitter to the final (ideal) detection is dilated into a single beam-splitter with transmissivity τ = η ch η eff and injecting n(3) e = n(1 − τ ) −1 thermal photons.
Clearly the security increases from the completely trusted receiver [Eve (1)] to the worst-case scenario [Eve (3)].Similarly, the key rate will decrease, because more degrees of freedom would go under Eve's control.For this reason, the worst-case scenario provides a lower bound for all the others.Also note that the worst-case scenario progressively collapses in the lower levels if we assume nex = 0 and then η eff = 1.Also note that, in general, one may consider hybrid situations between Eve (2) and Eve (3), where the setup noise nex is partly trusted (n tr ex ) and partly untrusted (n unt ex ).This is included by writing nunt ex = η eff nunt

D. Asymptotic key rates
It is convenient to start by studying the security of the protocol with the intermediate assumption of a trustednoise detector as in Fig. 3, where the setup noise is considered to be trusted, i.e., not coming from Eve's attack [cf.Eve (2) in Fig. 1].Then, we analyze the key rate in the most optimistic case where also the setup loss is considered to be trusted.Finally, we compare the formulas with the worst-case scenario, where all noise is considered to be untrusted [cf.Eve (3) in Fig. 1].The latter represents the case analyzed in Ref. [11].

Asymptotic key rate with a trusted-noise detector
Consider the trusted-noise detector which corresponds to the dilated scenario in Fig. 3.Here the total transmissivity is τ = η ch η eff and the injected thermal noise is given by n(2) e = η eff nB (1 − τ ) −1 .In order to compute the asymptotic secret key rate in reverse reconciliation, we consider Bob and Eve's joint covariance matrix (CM).Let us define the basic block matrices I := diag(1, 1) and Z := diag(1, −1).Then, the joint CM is given by where Eve's reduced CM V EE ′ and the cross-correlation block C take the forms where we have set In the homodyne protocol, Eve's conditional CM on Bob's outcome y is given by [6,45,46] where Π := diag(1, 0).In the heterodyne protocol, we have instead the following conditional CM [6,45,46] Call {ν ± } the symplectic spectrum of Eve's CM V EE ′ .Then, call {ν hom ± } and {ν het ± } the symplectic spectra of Eve's conditional CMs V hom EE ′ |B and V het EE ′ |B , respectively.Then, we may compute Eve's Holevo information for both protocols, as where E = EE ′ and H(x) is the entropic function For a realistic reconciliation efficiency β ∈ [0, 1], accounting for the fact that data-processing may not reach the Shannon limit, we write the asymptotic key rate R (2)  asy (τ, n, nB where the explicit expressions for the homodyne protocol [3] and the heterodyne protocol [4] derive from the corresponding expressions for the mutual information [cf. Eq. ( 7)] and the Holevo bound [cf.Eqs. ( 26) and ( 27)].
It is clear that, in a practical setting, the parties do not know all the parameters entering the rate in Eq. ( 29), so they need to resort to suitable procedures of parameter estimation.It is acceptable to assume that Alice controls/knows the signal modulation µ, while Bob monitors/knows the quantum efficiency η eff .The channel parameters τ and n need to be estimated.In general, the setup noise nex depends on the total transmissivity τ .For this reason, nex too needs to be estimated by the parties.The estimates of n and nex then provide the value of nB .

Asymptotic key rate with a trusted-loss and trusted-noise detector
Here we consider the best possible scenario for Alice and Bob, which is the assumption of Eve (1) in Fig. 1.Not only the setup noise is trusted but also the loss of the setup into the external environment is considered to be trusted (i.e., we assume Eve is not collecting the leakage from the setup).The asymptotic key rate can be found by a simple modification of the previous derivation.
From the point of view of Alice and Bob, the mutual information is clearly the same.For Eve instead, the effective beam splitter used in her attack has now transmissivity η ch and input thermal noise n(1 It is easy to check that we need to use the CM in Eq. ( 19) with the replacements while parameter b is the same as in Eq. ( 21).The next steps are as before.One computes the symplectic spectrum {ν ± } of the CM V EE ′ and those, {ν hom ± } and {ν het ± }, of the conditional CMs V hom EE ′ |B and V het EE ′ |B .These eigenvalues are then replaced in Eqs. ( 26) and (27).In this way, we get the corresponding asymptotic key rates R (1) asy (τ, n, nB ) following the formula in Eq. (29).Parameters need to be estimated in the same way as explained in the previous subsection.

Asymptotic key rate with untrusted detector
In the worst-case scenario of untrusted noise [cf.Eve (3) in Fig. 1], the entire channel is dilated into a single beam splitter with transmissivity τ = η ch η eff , where Eve injects n = n(1 − τ ) −1 thermal photons.Setup noise nex becomes part of Eve's attack, so all excess noise is now considered to be untrusted.From the point of view of the asymptotic key rate, it is sufficient to replace η eff nB = n − nex → n in the expression of Eve's variance ω in Eq. ( 20), with implicit modifications for the other elements of the CM.More precisely, it is sufficient to set ω = 2n (3)  e + 1 = Alternatively, we can exploit the entanglement-based representation of the protocol according to which Alice's Gaussian-modulated coherent states are realized by heterodyning mode A of a TMSV state [6] with CM After the thermal-loss channel with total transmissivity τ , Alice and Bob's shared Gaussian state ρ AB has CM Eve is assumed to hold the purification of ρ AB , so the total state ρ ABE of Alice, Bob and Eve is pure.This means that S(E) = S(AB), where S(Q) denotes the von Neumann entropy computed over the state ρ Q of system Q.Then, because homodyne/heterodyne is a rank-1 measurement (projecting pure states in pure states), we have that ρ AE|y is pure, which implies the equality of the conditional entropies S(E|y) = S(A|y).As a result, Eve's Holevo bound is simply given by χ(E : y) := S(E) − S(E|y) = S(AB) − S(A|y).(37) Thus, we may compute χ(E : y) using Alice and Bob's CM V AB with symplectic eigenvalues ν ′ ± .It is easy to find [11] where b is given in Eq. ( 21).Using these expressions and the mutual information of Eq. ( 7), we write Note that the parties only need to estimate the extendedchannel parameters τ and n.As we see below these estimators are built up to some error probability ε pe .

E. Parameter estimation
As mentioned in the previous section, Alice and Bob need to estimate some of the parameters.Even if they control the values of the input Gaussian modulation µ and they can calibrate the output quantum efficiency η eff , they still need to estimate the various channel's parameters and the setup noise nex .The procedure has some differences depending if we consider a trusted or untrusted model for the receiver.For a trusted-noise detector [Eve (2)] and a fully-trusted detector [Eve (1)], Alice and Bob need to estimate τ , n and nB (via nex ).For the untrusted detector [Eve (3)], they only need to estimate τ and n, since the two thermal contributions nB and nex are both considered to be untrusted (and therefore merged into a single parameter).
We therefore consider two basic independent estimators τ and n, for τ and n.Then, in the trusted scenarios [Eve (1) and ( 2)], we also require the use of additional estimators, which can be derived from the basic ones.To estimate the parameters, Alice and Bob randomly and jointly choose m of the N distributed signals, and publicly disclose the corresponding m p := ν det m pairs of values {x i , y i } mp i=1 .These are m pairs for the homodyne protocol and 2m pairs for the heterodyne protocol.Under the standard assumption of a collective (entangling-cloner) Gaussian attack, these pairs are independent and identically distributed Gaussian variables, related by Eq. ( 4).
From the pairs, they build the estimator T of the square-root transmissivity and the estimator σ 2 z of the noise variance σ 2 z , i.e., From these, we can derive the two basic estimators For a confidence parameter w, we then define and compute the worst-case estimators [47] τ Each of these estimators bounds the corresponding actual value, τ and n, up to an error probability ε pe if we take or, in case of low values (ε pe ≤ 10 −17 ), if we take As a result the total error probability associated with parameter estimation is ≃ 2ε pe .See Ref. [11] for more technical details on these derivations, which exploit tools from Ref. [48] and involves suitable tail bounds [49,50].
For the trusted-detector scenarios, we need to provide the best-case estimator of nex , which automatically allows us to derive the worst-case estimator of nB .From the analytical expressions in Eq. ( 17), we see that we need to account for the different behavior of nex in terms of the transmissivity τ , which requires both the use of a worst-case estimator τ ′ and that of a best-case estimator τ ′′ := τ + w var(τ ).In other words, we have Correspondingly, we have the following worst-case estimator for the background thermal noise We can now compute the values of the asymptotic key rates affected by parameter estimation.For the various scenarios, these are given by R (1,2)  asy (τ, n, nB ) where n = N −m is the number of signals left for key generation (after m are discarded for parameter estimation).
These key rates are correct up to an error ≃ 2ε pe .As a final remark, notice that the total excess noise ξ tot can be estimated by using τ and n via Eq.( 9) and therefore worst-case estimated by using τ ′ and n′ , i.e., Similarly, the channel excess noise ξ ch can be worst-case estimated by combining Eq. ( 11) with τ ′ and n′ B , i.e., F. Composable finite-size key rates After parameter estimation, each block of size N provides n signals to be processed into a shared key via error correction and privacy amplification.Given a block, this is successfully error-corrected with probability p ec (or failure probability FER = 1 − p ec known as 'frame error rate').The value of p ec depends on the signal-to-noise ratio, the target reconciliation efficiency β, and the εcorrectness ε cor , the latter bounding the probability that Alice's and Bob's local strings are different after error correction and successful verification of their hashes.
On average np ec signals per block are promoted to privacy amplification.This final step is implemented with an associated ε-secrecy ε sec , the latter bounding the distance between the final key and an ideal key that is completely uncorrelated from Eve.In turn, the ε-secrecy is technically decomposed as ε sec = ε s + ε h , where ε s is a smoothing parameter and ε h is a hashing parameter.
Overall, the final composable key rate of the protocol takes the form [11] where pe depends on the receiver model and the extra finite-size terms are equal to Here the parameter d is the size of Alice's and Bob's effective alphabet after analog-to-digital conversion of their continuous variables x and y (d = 2 5 = 32 for a 5-bit discretization).This rate refers to security against collective Gaussian attacks with total epsilon security [11] ε = 2p ec ε pe + ε cor + ε sec .
1. Improved pre-factor Note that the prefactor log 2 (2 √ d+ 1) in the AEP term in Eq. ( 57) can be tightened into log 2 ( √ d+2).In general, according to Theorem 6.4 and Corollary 6.5 of Ref. [51], one can lower-bound the conditional smooth min-entropy H δ min (y n |E n ) associated with the n-use classical-quantum state ρ ⊗n yE shared between Bob (classical system y) and Eve (quantum system E).This is done by using the conditional entropy between the single-use systems (y and E) up to a penalty, i.e., we may write [51,52] where with v being bounded using min-and max-entropies.Recall that the min-and max-entropies can be negative in general, but their absolute values must be ≤ log 2 d, with d being the size of Bob's alphabet (e.g., this easily follows from Ref. [52,Lemma 5.2]).This implies the bound v ≤ 2 √ d+1, which leads to the prefactor used in Eq. ( 57).See Ref. [11,Appendix G] for details on how to connect the key rate with the conditional smooth min-entropy and simplify derivations via the AEP term.
However, it is worth noting that, for a classicalquantum state ρ yE , the conditional min-entropy is nonnegative, i.e., H min (y|E) ≥ 0. This is a property that can be shown, more generally, for separable states.In fact, starting from the definition of conditional min-entropy for a generic state ρ AB of two quantum systems A and B [51, Def.4.1], we can write the lower bound (63) For separable ρ AB , one may write [52, Lemma 5.2] which leads to H ≥ 0, since we are left to find the maximum value of λ such that Thus, using H min (y|E) ≥ 0 in Eq. ( 62), we may write v ≤ √ d + 2 which improves Eq. ( 57) into Note that, for a typical 5-bit digitalization d = 2 5 , we have log 2 ( √ d + 2) ≃ 2.94 instead of log 2 (2 √ d + 1) ≃ 3.6, so the improvement is limited.In our numerical investigations we assume the worst-case pre-factor, but keeping in mind that performances can be slightly improved.

Extension to coherent attacks
For the heterodyne protocol, the key rate can be extended to security against general attacks using tools from Ref. [53].Let us symmetrize the protocol by applying an identical random orthogonal matrix to the classical continuous variables of the two parties.Then, assume that Alice and Bob jointly perform m et = f et n energy tests on randomly chosen uses of the channel (for some factor f et < 1).In each test, the parties measure the local number of photons (which can be extrapolated from the data) and compute an average over the m et tests.If these averages are greater than a threshold d et , the protocol is aborted.Setting ) assures secure success of the test in typical scenarios (where signals are attenuated and noise is not too high).
The number of signals for key generation is reduced to and the procedure needs an additional step of privacy amplification compressing the final key by a further amount where we have set ϑ := (2n) −1 ln(8/ε).
The composable key rate reads [11] R het gen ≥ where pe,het is the rate in Eq. ( 56) depending on the noise model for the receiver and suitably specified for the heterodyne protocol.Assuming that the original protocol had ε-security against collective Gaussian attacks, the symmetrized protocol has security ε ′ = K 4 n ε/50 against general attacks.Note that this implies a very demanding condition for the epsilon parameters, such as ε pe .As a matter of fact, ε pe should be so small that the confidence parameter needs to be calculated according to Eq. (47).

G. Numerical investigations
We may use the previous formulas to plot the composable key rate for the homodyne/heterodyne protocol with TLO/LLO under each noise model for the receiver, i.e., corresponding to each of the three different assumptions for Eve as depicted in Fig. 1.Here we numerically investigate the most interesting case which is the heterodyne protocol with LLO, for which we show the performances associated with the three noise models under collective attacks, and also the worst-case performance associated with the untrusted-noise model under general attacks.We adopt the physical parameters listed in Table I and the protocol parameters in Table II.The results are given in terms of secret key rate versus total loss in the channel and can be applied to both fiber-based and free-space quantum communications, as long as for the latter scenario we can assume a stable channel (i.e., we can exclude or suitably ignore fading [30]).
The results are shown in Fig. 4 where we are particularly interested in the high-rate short-range setting.As we can see from the figure, the rate has a non-trivial improvement as a result of the stronger assumptions made for the receiver, as expected.Considering the standard loss-rate of an optical fiber (0.2 dB/km), we see that one extra dB of tolerance for the rate corresponds to additional 5 km.Clearly this is achievable as long as the security assumptions about the receiver are acceptable by the parties.4: Composable secret key rate (bits/use) versus total loss (decibels) for the heterodyne protocol with LLO.We plot the rates against collective attacks assuming a trusted-loss and trusted-noise receiver (black dotted), a trusted-noise receiver (black dashed), and an untrusted receiver (solid black).We also show the performance achievable with the untrusted receiver in the presence of general attacks (red).The gray line is the total excess noise ξtot in shot noise units.Finally, the blue lines refer to line-of-sight security (discussed in Sec.III A) for trusted-loss and trusted-noise receiver (blue dotted), and trusted-noise receiver (blue dashed).Physical and protocol parameters are chosen as in Tables I and II.

III. SECURITY OF NEAR-RANGE FREE-SPACE QUANTUM COMMUNICATIONS
Let us now discuss the specific setting of free-space quantum communications which generally requires some elaborations of the formulas above in order to account for the additional physical processes occurring in this scenario.In the following we discuss one potential extra simplification and realistic assumption for security, and then we treat the issues related to near-range wireless communications at various frequencies and with different types of receivers (fixed or mobile).

A. Line-of-sight security
The line-of-sight (LoS) security is a strong but yet realistic assumption for free-space quantum communications in the near range (say within 100 meters or so).The idea is that transmitter and receiver can "see" each other, so it is unlikely that Eve is able to tamper with the middle channel.A realistic attack is here to collect photons which are lost in the environment; in other words it is a passive attack which can be interpreted as the action of a pure-loss channel, i.e., a beam-splitter with no injection of thermal photons (which are the active entangled probes employed in the usual entangling-cloner attack).
Within the LoS assumption, there are additional degrees of reality for Eve's attack.The most realistic scenario is Eve using a relatively-small device which only collects a fraction of the photons that are leaked into the environment.The worst-case picture which can be used as a bound for the key is to assume Eve collecting all the leaked photons.In this case, the performance will strictly depend on how much the receiver is able to intercept of the incoming beam which is in turn related to the geometric features of the beam itself (collimated, focused, or spherical beam).In any case, any thermal noise which is present in the environment is considered to be trusted.
In the studies below, we consider both LoS security (Eve passive on the channel) and standard security (Eve active on the channel).Under LoS security, thermal noise is considered to be trusted, which means that the relevant models the detector are those with trusted noise [Eve (2)] and trusted noise and loss [Eve (1)].The attack can be represented as in Fig. 1 but where Eve does not control environmental modes, represented by mode e for Eve (1) and modes e,v for Eve (2).With the trusted-noise detector, we also allow Eve to collect leakage from Bob's setup; with the trusted-noise-and-loss detector, this additional side-channel is excluded.Depending on the cases, we adopt one assumption or the other.See Table III for a summary of the security types and trust levels (associated detector models).These definitions are meant to be in addition to the classification into individual, collective and coherent/general attacks.
The secret key rates under LoS security are derived by excluding Eve from the control of the environmental noise.This means that her CM is reduced from the form in Eq. ( 19) to just the block φI.Thus, we have to consider the simpler joint CM for Bob and Eve leading to the conditional CMs Therefore, Eve's Holevo bound to be used in the key rates is simply given by where the explicit expressions for θ and φ depend on the detector noise model, while b is given in Eq. ( 21).
Using these expressions, we may then write the asymptotic key rate with LoS security for the two detector models (k = 1, 2).Recalling that the mutual information is expressed as in Eq. ( 7), the LoS key rate is given by R After parameter estimation, the modified key rate will be expressed in terms of the worst-case estimators as asy,LoS (τ ′ , n′ , n′ B ). Finally, the composable finite-size LoS key rate takes the expression in Eq. ( 55) proviso we make the replacement R pe,LoS .Improvement in performance is shown in Fig. 4.

B. Optical wireless with fixed devices
Let us consider a free-space optical link between transmitter and receiver.Assume that this is mediated by a Gaussian TEM 00 beam with initial spot-size w 0 and phase-front radius of curvature R 0 [13][14][15].This beam has a single well-defined polarization (scalar approximation) and carrier frequency ν = c/λ, with λ being the wavelength and c the speed of light (so angular frequency is ω = 2πc/λ, and wavenumber is k = ω/c = 2π/λ).The pulse duration ∆t and frequency bandwidth ∆ν satisfy the time-bandwidth product for Gaussian pulses, i.e., ∆t∆ν 0.44.In particular, we may assume ∆t∆ν ≃ 1.Under the paraxial wave approximation, we assume freespace propagation along the z direction with no limiting apertures in the transverse plane, neglecting diffraction effects at the transmitter (e.g., by assuming a suitable aperture for the transmitter with radius ≥ 2w 0 [14]).
By introducing the Rayleigh range which identifies near-and far-field, we may write the following expression for the diffraction-limited spot size of the beam at generic distance z [14, 15] In particular, for a collimated beam (R 0 = ∞), we get while for a focused beam (R 0 = z), we have We see that, in the far field z ≫ z R , the expressions in Eqs. ( 78) and (79) tend to coincide.Consider then a receiver with a sharped-edged circular aperture with radius a R .The total power impinging on this aperture is given by where parameter η d is the non-unit transmissivity of the channel due to the free-space diffraction and the finite size of the receiver.Note that, for far field and a receiver's size comparable with the transmitter's (so a R ≃ w 0 ), we have w z ≫ a R and therefore the approximation For a collimated or focused beam, this becomes The overall transmissivity of the system can be written as τ = η ch η eff , where η ch = η d η atm is the total transmissivity of the external channel which generally includes the effect of atmospheric extinction η atm .Since the latter effect is negligible at short distances (η atm ≃ 1), we may just write η ch ≃ η d .By contrast, the other term η eff is the total quantum efficiency of the receiver and its contribution is typically non-negligible, e.g., η eff ≃ 0.7.Because the devices are assumed to be fixed, there is no fading, meaning that the total transmissivity can be assumed to be constant and equal to τ .
The quantum communication scenario can be described as in Fig. 1, where η ch is essentially given by freespace diffraction and the thermal background nB needs to be carefully evaluated from the sky brightness (see below).Then, we can certainly assume standard security with the trust levels k = 0, 1, 2 according to which Eve's interaction is described by different effective beamsplitters with different amounts of input thermal noise n(k) e (see Sec. II C).Similarly, we may investigate LoS security where thermal noise is assumed to be trusted.
Sky brightness B sky λ is measured in W m −2 nm −1 sr −1 and its value typically varies from ≃ 1.5 × 10 −6 (clear night) to ≃ 1.5 × 10 −1 (cloudy day) [17,18], if one assumes that the receiver field of view is shielded from direct exposition to bright sources (e.g., the sun).Let us assume a receiver with aperture a R and angular field of view Ω fov (in steradians).Assume the receiver has a detector with bandwidth W and spectral filter ∆λ.Then, the mean number of background thermal photons per mode collected by the receiver is equal to In this formula, we can estimate Ω The effective value of the spectral filter ∆λ can be very narrow in setups that are based on homodyne/heterodyne detection.The reason is because the required mode-matching of the signal with the LO pulse provides a natural interferometric process which effectively reduces the filter potentially down to the timeproduct bandwidth.For instance, for an LO pulse of ∆t LO = 10 ns, we may assume a bandwidth ∆ν = 50 MHz which is ≥ 0.44/∆t LO .Thus, interferometry at the homodyne setup imposes an effective filter of ∆λ = λ 2 ∆ν/c ≃ 0.1 pm around λ = 800 nm.
Finally, if we take the detector bandwidth W = 100 MHz and we assume a small area for the receiver's aperture, i.e., a R = 1 cm (so as to be compatible with the typical sizes of near-range devices), then we compute nB ≃ 0.019 photons per mode during a cloudy day.This is a non-trivial amount of noise that leads to a clear discrepancy between the performance in standard security (where channel's noise is considered to be untrusted) and LoS security (where this noise is assumed to be trusted).Let us also remark here that LoS security is a realistic assumption for receivers with a small field of view, so the noise collected from free space is limited and unlikely to come from an active Eve hidden in the environment.
For our numerical study we consider the physical parameters listed in Table IV; these are compatible with indoor and near-range optical wireless communications with small devices (e.g., laptops).This means that, for the transmitter, we consider limited power (e.g., 10 mW), and a small spot size (w 0 = 1 mm).Similarly, for the receiver, we consider a limited aperture (a R = 1 cm),  non-unit quantum efficiency (η eff = 0.7), and a realistic field of view Ω fov ≃ 10 −4 sr as discussed above.
Assuming the physical parameters in Table IV and the protocols parameters in Table II, we show the various achievable performances of the free-space diffractionlimited heterodyne protocol with LLO in Fig. 5.As we can see from the figure, we have drastically different rates depending on the type of security and trust level.It is clear that the highest rates (and distances) are obtained with LoS security (blue lines in the figure).With standard security, the range is restricted to about 50 meters (black lines in the figure) and about 30 meters in the worst-case scenario of an untrusted detector and general attacks (red line in the figure).The possibility to enforce weaker security assumptions leads to non-trivial advantages in terms of rate and distance.Also note the stability of the rates at short distances (< 30 m) where their values remain approximately constant.This is due to the fact that, for the specific regime of parameters considered, the beam broadening induced by free-space diffraction within that range [see Eq. ( 78) with w 0 = 1 mm and z < 30 m] is still limited with respect to the radius of the receiver's aperture (a R = 1 cm).Thus, the transmissivity η d in Eq. ( 80) remains sufficiently close to 1, before starting to decay after about 30 m. FIG.5: Optical-wireless QKD with fixed devices.We plot the composable secret key rate (bits/use) versus free-space distance (meters) for the heterodyne protocol with LLO.In particular, we show the rates against collective attacks assuming a trusted-loss-and-noise receiver (black dotted), a trustednoise receiver (black dashed), and an untrusted receiver (solid black).We also show the performance achievable with the untrusted receiver versus general attacks (red).The blue lines refer to line-of-sight security (discussed in Sec.III A) for trusted-loss-and-noise receiver (blue dotted), and trustednoise receiver (blue dashed).Physical parameters are chosen as in Table IV, while protocol parameters are in Table II.

Pointing and tracking error
In the presence of free-space optical connections with portable devices, one can use a suitable tracking mechanism so the transmitter (such as a fixed router/hot spot) points at the mobile receiver in real time with some small pointing error.In general, the receiver too may have a mechanism of adaptive optics aimed at maintaining the beam alignment by rotating the field of view in direction of the transmitter.We therefore need to introduce a pointing error at the transmitter σP which introduces a Gaussian wandering of the beam centroid over the receiver's aperture with variance σ 2 P ≃ (σ P z) 2 for distance z.We assume an accessible value σP ≃ 1.745 × 10 −3 radiant, which is about 1/10 of a degree (this is ordersof-magnitude worse than the performance achievable in satellite-based pointing and tracking).
Let us call r the instantaneous deflection of the beam centroid from the center of the receiver's aperture.The wandering can be described by the Weibull distribution For each value of the deflection r, there is an associated instantaneous transmissivity τ = τ (r), which can be computed as follows where Q 0 (x, y) is an incomplete Weber integral [54].Alternatively, we may use the approximation where is the maximum transmissivity at distance z (corresponding to a beam that is perfectly-aligned), while γ and r 0 are the following shape and scale (positive) parameters where Λ n (x) := e −2x I n (2x) and I n is a modified Bessel function of the first kind with order n [19, Eq. (D2)].By suitably combining Eqs. ( 84) and ( 86), one can derive the fading statistics, i.e., the probability distribution P fad associated with the instantaneous transmissivity τ , which is given by

Maximum wireless range
Besides the beam wandering (and associated fading) due to pointing and tracking error, there is also the further issue that a mobile receiver generally has a variable distance from the transmitter, so the transmissivity of the free-space link has an additional degree of variability.The latter effect has a very slow dynamics with respect to typical clocks, meaning that a block of reasonable size is distributed while the position of the receiver is substantially unchanged.For example, for a detector bandwidth W = 100 MHz, we may use a clock of C = W/3 ≃ 33 MHz.In this case, a block of 10 7 points will be distributed in 1/3 of a second.For an indoor network, assuming an average walking speed of ≃ 1.5 m/s, this corresponds to a ≃ 50 cm free-space displacement of the receiver.In the worst-case scenario where this displacement increases the distance from the transmitter, we may assume that the distribution of the whole block occurs at the maximum distance.
In general, we may compute a lower bound by assuming that the entire quantum communication (i.e., the communication of all the blocks) occurs with the mobile device at the maximum distance from the transmitter.In other words, we can fix a maximum range z max for the local network and assume this value as worst-case scenario.Since the parties control the parameters of the channel and know the instantaneous distance, they could process their data in a way that it appears to be completely distributed at z max (data distributed at z < z max can be attenuated and suitably thermalized in post processing).
To be more precise the lower bound should be computed by minimizing the transmissivity and maximizing the thermal noise over the distance z ≤ z max , so that data is processed via a more lossy and noisy channel.While the minimization of the transmissivity occurs at z = z max , the maximization of the thermal noise may occur at different values of z, depending on the type of LO.In particular, this value is z = z max for the TLO and z = 0 for the LLO.The issue is therefore resolved for the LLO if we keep the mobile device at z = z max while bounding the LLO noise with the value for z = 0.Such an approach is not optimal but robust and applicable to outdoor wireless networks with faster-moving devices (with a speed limited by the ratio between z max and the total communication time).It is worth mentioning that, a better but more complicated strategy relies on slicing the trajectory of the moving device into sectors, with each sector being associated with the communication of a single block and the final rate being given by the average rate over the sectors.This is particularly useful in satellite quantum communications where a trajectory is well defined (for instance, see the technique of orbital slicing in Ref. [12]).However, for stochastic trajectories on the ground, the analytical treatment is not immediate.

Pilot modes and de-fading
Besides the use of bright pointing/tracking modes and bright LLO-reference modes, it is also important to use relatively-bright pilot modes that are specifically employed for the real-time estimation of the instantaneous transmissivity τ , whose fluctuation is generally due to both pointing error and distance variability (for mobile devices).These m PL pilots are randomly interleaved with N S := N − m PL signal modes, where N are the total pulses.The pilots allow the parties to: (i) identify an overall interval for the transmissivity ∆ = [τ min , τ max ] in which N S p ∆ signals are post-selected with probability p ∆ ; (ii) introduce a lattice in ∆ with step δτ , so that each signal is associated with a corresponding narrow bin of transmissivities ∆ k := [τ k , τ k+1 ], with τ k := τ min + (k − 1)δτ for k = 1, . . ., M and M = (τ max − τ min )/δτ [55].
Each bin ∆ k is selected with probability p k and, therefore, populated by N S p k signals.There are corresponding ν det N S p k pairs of points {x i , y i } satisfying the inputoutput relation of Eq. ( 4), which here reads where z (k) is a Gaussian noise variable with variance Bob can map these points into the first bin ∆ 1 of the interval via the de-fading map where ξ add is Gaussian noise with variance ν det .By repeating this procedure for all the bins, Bob create the new variable where z is non-Gaussian noise with variance This new variable is now associated with a single (worstcase) transmissivity τ min , thus effectively removing the fading process from the distributed data, i.e., from their ν det N S p ∆ pairs of correlated points.
Exploiting the optimality of Gaussian attacks, the parties assume that z is Gaussian (overestimating Eve's performance).In this way, the final input-output relation in Eq. ( 94) reduces to considering a simpler thermal-loss Gaussian channel with transmissivity τ min and thermal number n * .See Ref. [11] for more details.
For a receiver at some fixed distance z and only subject to pointing error, we can assume τ max = η [cf.Eq. ( 87)] and τ min = f th η for some threshold factor f th < 1.Then, the probabilities p ∆ = p(τ min , τ max ) and p k = p(τ k , τ k+1 ) are computed from the formula where P fad (τ ) is given in Eq. (90).
In general, for a mobile receiver at variable distance z, Alice and Bob compute the post-selection interval ∆ and the lattice {∆ k } directly from data, together with the corresponding values of p ∆ and p k .As mentioned in the previous subsection, the performance in this general scenario can be lower-bounded by the extreme case where the receiver is assumed to be fixed at the maximum distance z max from the transmitter (while maximizing thermal noise over z, whose maximum is at z max for a TLO and at z = 0 for an LLO).In this worst-case scenario, we may exploit the formula in Eq. ( 96) for the fading probability (suitably computed at z max ) and derive an analytical lower bound for the secret key rate.

Estimators and key rate
Let us assume the worst-case scenario of a receiver at the maximum range z max from the transmitter, so the maximum transmissivity is τ max = η(z max ) and the minimum transmissivity is τ min = f th η(z max ) for some threshold value f th .These border values define a post-selection interval ∆ which is sliced into a lattice of M narrow bins {∆ k }.The instantaneous transmissivity τ will fluctuate according to the distribution in Eq. ( 90) with associated pointing error σ 2 zmax ≃ (σ P z max ) 2 for an empirical value σ P at the transmitter (e.g., 1/10 of a degree).As a result of the fluctuation, a value of the transmissivity τ is postselected with probability p ∆ and populates bin ∆ k with probability p k , according to the integral in Eq. (96).
For the worst-case scenario, let us also assume that the thermal noise is maximized over z ≤ z max (and the fading process).Thus, for any bin ∆ k , we consider the following bound on the associated thermal noise nk ≤ nwc = η eff nB + nex,wc , where the maximum setup noise nex,wc depends on the type of LO and is given by Note that the first expression in Eq. ( 98) above is computed on τ min = τ min (z max ) while the second one is computed for τ = 1 (maximum value at z = 0).By replacing Eq. (97) in Eq. ( 95), we get the bound n * ≤ nwc .
As already explained, the construction of the lattice is possible thanks to the random pilots.In total, during the quantum communication, the parties exchange N quantum pulses, whose m PL are pilots and N S = N − m PL are signals.Using the pilots, the parties post-select a fraction N S p ∆ of the signals, with a smaller fraction N S p k allocated to the generic bin ∆ k .After de-fading, the parties are connected by an effective thermal-loss channel with transmissivity τ min = τ min (z max ) and thermal number nwc .
The parties sacrifice a portion mp ∆ of the post-selected signals N S p ∆ for parameter estimation (PE), so np ∆ signals are left for key generation, where n = N S − m (this value is further reduced for security extended to general coherent attacks).Overall the parties use m ∆ := ν det mp ∆ pairs of data points for PE following the procedure described in Sec.II E with effective transmissivity τ min = τ min (z max ) and σ 2 wc = 2n wc + ν det .This leads to the following bounds for the worst-case estimators [11] where σ 2 x is the input modulation and w is the confidence parameter [cf.Eqs.(46) and (47)].
As we can see from the two estimators above, the relevant information is the minimum transmissivity τ min of post-selection interval, the maximum thermal noise nwc over the range (and fading process), and the number of post-selected points m ∆ .The formulas hold for a generic fading statistics, i.e., not necessarily given by Eq. ( 96), as long as we can evaluate m ∆ .Also note that, assuming Eq. ( 96) and fixing a threshold transmissivity τ min , the value of m ∆ decreases by increasing z.In other words, the fact that a worst-case device at the maximum range provides a lower bound for a mobile device is also due to the decreased statistics for PE.
In order to compute the key rates for the trusted models, we also need to bound the worst-case estimator of the background thermal noise nB .This is possible by writing where the best-case value nex,bc needs to be optimized over the entire range z ≤ z max and the fading process.We therefore extend Eqs. ( 48) and ( 49) to the following expressions nTLO ex,bc := Θ el , nLLO ex,bc := Θ el + Θ ph τ min .
We now have all the elements to write the composable finite-size key rate, which extends Eq. ( 55) of Sec.II F to the following expression where n = N − (m + m PL ) and R pe depends on the receiver model (k = 1, 2, 3).The latter takes the following expressions in terms of the new estimators R (1,2)   pe = R (1,2)  asy (τ LB , nUB , nUB B ), (105) Alternatively, we may write Eq. ( 104) assuming LoS security, which means to replace R pe with the key rate The composable key rate in Eq. ( 104) is ε-secure against collective Gaussian attacks [cf Eq. ( 59)].
For the heterodyne protocol, we extend the composable key rate of Eq. (70) to the following expression where n must account for the m PL pilots besides the m et energy tests, i.e., pe,het is given by Eqs. ( 105) and (106) for the case of the heterodyne protocol.This rate has epsilon security ε ′ = K 4 np∆ ε/50 against general attacks, with ε being the initial security versus collective attacks (see Sec. II F).FIG.6: Optical-wireless QKD with mobile devices.We plot the composable secret key rate (bits/use) versus the maximum free-space distance zmax of the receiver-device from the transmitter (meters).This is for a pilot-guided post-selected heterodyne protocol with an LLO.We show the rates against collective attacks assuming a trusted-loss-and-noise receiver (black dotted), a trusted-noise receiver (black dashed), and an untrusted receiver (solid black).The blue lines refer to line-of-sight security for trusted-loss-and-noise receiver (blue dotted), and trusted-noise receiver (blue dashed).Physical parameters are chosen as discussed in the main text.
We perform a numerical investigation assuming the heterodyne protocol with LLO.This is now implemented in a post-selection fashion in a way to remove the (non-Gaussian) effect of fading from the distributed data (see above).We consider the protocol parameters in Table II but where we include the pilots m PL = 0.05 × N , so the key generation signals are reduced to n ≃ 7.08 × 10 6 , and a threshold parameter f th = 0.8 for post-selection.We then assume the physical parameters in Table IV, but taking a higher clock value C = 33 MHz and also including the transmitter's pointing error σP , equal to 1/10 of degree.In this regime of parameters, we study the composable key rates that are achievable under the various security and trust assumptions, considering a mobile device which can move up to a maximum distance z max from the transmitter (range of the wireless network).
The rates are plotted in Fig. 6.Note that the values in the range of 10 −2 − 1 bit/use correspond to high rates in the range of 0.33 − 33 Mbits/sec at the considered clock.This means that quantum-encrypted wireless communication at about 1 Mbit/sec are possible within distances of a few meters.Another important consideration is that these rates are actually lower bounds, since they are computed with the device at the maximum distance and bounding the noise.This is also the reason why the key rate of Eq. (108) does not appear for this specific choice of parameters.

D. Short-range microwave wireless
Let us consider wireless quantum communications at the microwave frequencies, in particular at 1 GHz.We show the potential feasibility for short-range quantumsafe WiFi (e.g., for contact-less cards) within the general setting of composable finite-size security.First of all we need to remark two important differences with respect to the optical case: presence of higher loss and higher noise.
From the point of view of increased loss, the crucial difference is the geometry of the beam.For indoor wireless applications, microwave antennas are small and, for this reason, cannot offer beam directionality.The emitted beam is either isotropic (spherical wave) or have some limited directionality, usually quantified by the gain g.This means that, at some distance z, the intensity of the beam will be confined in an area equal to 4πz 2 /g.It is clear that we have a strong suppression of the signal, since a receiver with aperture's radius a R is going to collect just a fraction η ch ≃ min{ga 2 R /(4πz 2 ), 1} of the emitted photons.Here the minimum accounts for the case where the receiver is close to the antenna, so the angle of emission is subtended by the receiver's aperture, which happens at the distance z best = g/πa R /2.In our investigation, we assume the numerical value g = 10.
As mentioned above another important difference with respect to the optical case is the amount of thermal background noise which affects microwaves for both signal preparation and detection [60][61][62][63][64][65].If we assume setups working at room temperature, this thermal noise is dominant with respect to the other sources of noise.Both the preparation noise at the microwave modulators and the electronic noise in the amplifiers of the microwave homodyne detectors are relevant [66]; we set them to be equal to the thermal background computed using the formula of the black-body radiation.On the other hand, phaseerrors associated with the LO are negligible since the LO is slow at the microwave and can easily be reconstructed.
Let us quantify the amount of thermal noise and identify a suitable set of parameters able to mitigate the problem.For a receiver with spectral filter ∆λ, detector bandwidth W , aperture a R , and field of view Ω fov , we can consider the photon collection parameter Γ R in Eq. (83).Assume that signal and LO pulses are time-bandwidth limited, so that ∆t∆ν ≃ 1.For instance ∆t = 10 ns and ∆ν = 100 MHz for a carrier frequency of ν = 1 GHz (10% bandwidth).Corresponding carrier wavelength is λ = c/ν ≃ 30 cm.Using ∆λ = ∆νλ 2 /c and setting W ≃ ∆ν (detector resolving the pulses), we may write For receiver aperture a R = 5 cm and sufficiently-narrow field of view Ω 1/2 fov = 1 degree (so Ω fov ≃ 3 × 10 −4 sr), we compute Γ R ≃ 2.28 × 10 −16 in units of s m 3 sr.Note that realizing such a narrow field of view with a small indoor receiver can be challenging in practice.
The photon collection parameter must be combined with the thermal background photons in units of photons s −1 m −3 sr −1 , quantified by the black-body formula nbody where k B is Boltzmann's constant and T ≃ 290 K is the temperature.Therefore we get nth = Γ R nbody ≃ 0.1 photons.
Note that the figure is acceptably low thanks to the filtering effect of Γ R , which accounts for the spatiotemporal profile of the LO pulses, together with the other features of the receiver (aperture, field of view).Thermal noise is affecting both preparation and detection with constant floor level.This means that nth mean photons are seen by the detector no matter if signal photons are present or not.In other words, the detector experiences a constant noise variance equal to where ν det is the usual quantum duty (which is = 1 for homodyne and = 2 for heterodyne).Assume that the total transmissivity is τ = η ch η eff , where η ch is channel's transmissivity and η eff ≃ 0.8 is receiver's efficiency.Also assume that the transmitter (Alice), modulates thermal states with classical variance σ 2 x = 2n T , where nT is equivalent mean number of signal photons.Then, the total mean number of photons at the receiver's detector is given by nR = τ nT + nth . (114) Basically, this is equivalent to Eqs. ( 2) and (3), by setting nB = nth and nex = (1 − η eff )n th .As we can see, for τ = 1, we get nT + nth meaning that the prepared states are thermal; for τ < 1, signal photons are lost (n T → τ nT while the depleted thermal background photons are compensated at the receiver re-entering the detection system, so we have the constant noise level nth .

Fully-untrusted scenario
In the worst-case scenario, the noise associated with preparation, channel and detector is all untrusted.In this case, Eq. (114) corresponds to the action of a beam splitter with transmissivity τ combining a signal mode with mean photons nT and an environmental mode with mean photons ne = nth /(1 − τ ).The idea is that Alice would attempt to create randomly-displaced coherent states, but Eve readily thermalizes them by adding malicious thermal photons.These photons add up to those later introduced by the channel, so that we globally have the insertion of ne mean photons as above.This leads to a collective Gaussian attack where Eve has the purification of the untrusted thermal noise associated with each stage of the communication.
Alice's and Bob's classical variables, x and y, are related by Eq. ( 4) but where the noise variable z has now variance σ 2 z as in Eq. ( 113) which corresponds to Eq. ( 6) up to replacing n → nth .Alice and Bob's mutual information I(x : y) is therefore given by Eq. ( 7) computed with modulation σ 2 x = 2n T and equivalent noise where ξ tot := 2n th /τ is the total excess noise.Numerically, we choose the modulation σ 2 x = 20.As already said, in the fully-untrusted scenario, all thermal noise coming from preparation, channel and receiver's setup is considered to be untrusted.This is equivalent to the treatment of Sec.II D 3, proviso we make the replacement n → nth in Eq. (34) and then in Eqs. ( 21), (22) and (23).The revised parameters can then be used in the global CM in Eqs.(18) and (19).
Then, the asymptotic key rate against collective Gaussian attacks is given by R (3) asy (τ, nth ) according to Eq. ( 40), where we now use and nth as given by Eq. ( 112).We may then assume the reconciliation parameter β = 0.98.
To account for finite-size effects, we first include parameter estimation.This means that the parties need to sacrifice m of the N pulses, so n pulses survive for key generation.Numerically, we take N = 5 × 10 7 and m = 0.1 × N .Thus, they construct the worst-case estimators for the overall transmissivity τ and thermal noise nth following Eqs.(44) and (45).These estimators can be here approximated as follows where w is the confidence parameter associated with ε pe , and computed according to Eq. ( 46) for collective Gaussian attacks (see Sec. II E for more details).Assuming a tolerable error probability of ε pe = 2 −33 , we have w ≃ 6.34 confidence intervals.The composable key rate takes the form in Eq. ( 55) where we now use R   57) and (58).Numerically, we can assume p ec = 0.9 for the probability of success of EC, d = 2 5  for the digitalization of the continuous variables, and the value 2 −33 for all the epsilon parameters, so we have epsilon security ε ≃ 5.6 × 10 −10 against collective Gaussian attacks according to Eq. (59).
To study the performance, let us consider the heterodyne protocol (ν det = 2).Then, we assume a device stably kept at some distance z from the transmitter within the emission angle of the transmitter and with an aligned field of view.For the parameters considered here, we find that a positive key rate is obtained for z ≤ 4.48 cm, which is fully compatible for contactless card applications.In particular, for any z ≤ z best ≃ 4.46 cm we compute a key rate of R 10 −2 bits/use, corresponding to 50 kbit/sec with a system clock at 5 MHz.
Note that, according to the thermal version of the PLOB bound [7], the maximum key rate cannot overcome the upper limit R ≤ − log 2 (1 − τ )τ nth 1−τ − h nth 1−τ , for nth ≤ τ, 0, for nth ≥ τ, (119) where h(x) := H(2x + 1).This means that the no rate is possible above the threshold nth = τ .Using Eqs. ( 112) and (116) with our regime of parameters, we find that the maximum possible range is about 12.47 cm, i.e., about three times the distance achievable with the considered heterodyne protocol under composable security.

LoS security for microwaves
Better performances can be obtained if we relax security requirements by relying on the LoS geometry.In particular, one may assume that the thermal noise is trusted, so that Eve is passively limited to eavesdrop the photons leaking from the channel and the setup.In this case, Eq. ( 114) corresponds to the action of a beam splitter with transmissivity τ combining a signal mode with mean photons nT + nth (signal photons plus trusted preparation noise) and a genuine environmental mode with mean photons nth [67].Eve collects the fraction 1−τ of photons leaked into the environment, but she does not control any noise, i.e., she does not have its purification.
Alice and Bob's mutual information I(x : y) is the same as above for the fully-untrusted case but Eve's Holevo information χ LoS (E : y) is now rather different.The latter can be computed as in Sec.III A and, in particular, from the CM in Eq. ( 71), where we insert the following parameters b = 2n R + 1, (120) In this way we can compute the asymptotic key rate R asy,LoS (τ, nth ) = βI(x : y) − χ LoS (E : y).
The incorporation of finite-size effects requires that we under-estimate the thermal noise experienced by Eve, while we over-estimate that seen by the parties.Thus, besides the worst-case estimators τ ′ and n′ th in Eqs. ( 117 which is replaced into Eq.( 55) to provide the composable key rate associated with LoS security.
Assuming the heterodyne protocol with the same parameters as in the fully-untrusted case, we find an improvement, as expected.As shown in Fig. 7, the range of security is now larger, even though the effective application is still restricted to centimeters from the transmitter.Note that this performance is based on the LoS assumption, so it is not confined by the PLOB bound.

IV. CONCLUSIONS
In this work, we have developed a general framework for the composable finite-size security analysis of Gaussian-modulated coherent-state protocols, which are the most powerful protocols of CV-QKD.We have investigated the secret key rates that are achievable assuming various levels of trust for the receiver's setup, from the worst-case assumption of a fully-untrusted detector to the case where detector's loss and noise are considered to be trusted.In the specific case of free-space quantum communication, we have also investigated the additional assumption of passive eavesdropping on the communication channel due to the line-of-sight geometry.
We have shown how the realistic assumptions on the setups can have non-trivial effects in terms of increasing the composable key rate and tolerating higher loss (therefore increasing distance).More interestingly, we have also demonstrated the feasibility of high-rate CV-QKD with wireless mobile devices, assuming realistic parameters and near-range distances, e.g., as typical of indoor networks.Besides the optical frequencies, we have also analyzed the microwave wavelengths, considering possible parameters able to mitigate the loss and noise affecting this challenging setting.In this way, we have discussed potential microwave-based applications for very short-range (cm-range) quantum-safe communications.

FIG. 2 :
FIG.2: Setup noise as a function of the total transmissivity τ expressed in decibels.(a) We plot the equivalent number of thermal photons nex associated with the setup noise, for the TLO (black lines) and the LLO (blue lines), considering the homodyne protocol (solid lines) and the heterodyne protocol (dashed lines).(b) As in (a) but we plot the setup excess noise ξex.Parameters are chosen as in the text.See Eq. (17).
l D /(2f D )] from the linear size of the sensor of the detector l D and the focal length f D of the receiver.For l D = 2 mm and f D = 20 cm, we find Ω fov ≃ 10 −4 sr.Note that the latter value of the field of view is relatively-large compared with typical values considered in long-range setting, including satellite communications (where Ω fov ≃ 10 −10 sr).

TABLE I :
Physical parameters.

TABLE II :
Protocol parameters adopted with respect to collective attacks and general attacks.

TABLE IV :
Physical parameters for optical wireless ) and (118), we also compute the best-case estimator n′′ th ≃ nth − w FIG.7: Microwave wireless QKD (at 1 GHz) using the heterodyne protocol under LoS security.We plot the composable secret key rate (bits/use) versus free-space distance z between transmitter and receiver (centimeters).Parameters are chosen as discussed in the main text.Thus, we compute the rate R pe,LoS = βI(x : y) τ ′ ,n ′ th − χ LoS (E : y) τ ′ ,n ′′ th ,