Numerical Method for Finite-size Security Analysis of Quantum Key Distribution

Quantum key distribution (QKD) establishes secure links between remote communication parties. As a key problem for various QKD protocols, security analysis gives the amount of secure keys regardless of the eavesdropper's computational power, which can be done both analytically and numerically. Compared to analytical methods which tend to require techniques specific to each QKD protocol, numerical ones are more general since they can be directly applied to many QKD protocols without additional techniques. However, current numerical methods are carried out based on some assumptions such as working in asymptotic limit and collective attacks from eavesdroppers. In this work, we remove these assumptions and develop a numerical finite-size security analysis against general attacks for general QKD protocols. We also give an example of applying the method to the recent Phase-Matching QKD protocol with a simple protocol design. Our result shows that the finite-size key rate can surpass the linear key-rate bound in a realistic communication time.


I. INTRODUCTION
Quantum key distribution (QKD) is one of the most successful applications of quantum mechanics and quantum information [1][2][3]. Guaranteed by the quantum no-cloning theorem, it enables the communication partners, Alice and Bob, to share keys with information-theoretic security, even if the eavesdropper has infinite computational power. Security analysis is the core issue of quantum key distribution. Currently, there exist two lines of security analysis methods. One is based on the phase error correction in an equivalent virtual QKD protocol, including Lo-Chau and Shor-Preskill's approach considering a virtual entanglement distillation protocol [4,5], and Koashi's approach considering the complementarity of virtual local measurement results [6]. The other is an entropic framework [7,8], which directly analyzes the correlation between the communication partners characterized by conditional min-entropy. In practical implementations, the effects of device imperfections [9,10] and finite data size [8,11,12] on security have also been well addressed.
All of the security analyses aim at finding a lower bound of the secret key rate, in other words, an upper bound of the information leakage to an eavesdropper. Conventional security analysis methods are analytical, where specific techniques are needed for different protocols. Recently, numerical methods for security analysis have been proposed [13][14][15][16], based on convex optimization problems constrained by the statistics of measurement results in experiments. The target function of the convex optimization problems can be the phase error rate [15,16] or conditional entropy [13], following the two lines of security analysis methods respectively. Both of them can be formulated [15,16] or transformed [14,17] to a semidefinite programming (SDP) problem. Recent research shows that the SDP method has been successfully applied to continuous-variable QKD [17,18] and device-independent QKD protocols [19]. For protocols with a mixed-state source, the SDP method is also applied to find an optimal twisting operation as well as the secure key rate [20].
Compared with analytical methods, numerical methods are more general, i.e., the same convex optimization problem framework can be applied to various protocols, even if the protocols lack symmetry [13]. The asymmetry may come from the device imperfections in experiments, such as the source flaw and the misalignment error, or be due to specific requirements to implement the protocols [21]. In analytical methods, such asymmetry can be addressed by certain techniques, such as the quantum coin method dealing with the source flaw [9,22]. In contrast, we usually do not need additional techniques in numerical methods. However, there are also restrictions for numerical methods. The convex optimization problem corresponds to a single round of quantum communication. As a result, most of the current numerical methods can only deal with the asymptotic security. Recently, there have been two studies of the finite-size case that only carried out numerical analysis against collective attacks [23,24]. The work [24] also considers a possible extension to general attacks. Nevertheless, its performance is too pessimistic due to the direct application of the Finite Quantum de Finetti theorem [8].
In this work, we follow the phase error correction approach and develop a numerical finite-size analysis method against general attacks for a broad type of quantum key distribution protocols. Given the asymptotic analysis, we formulate a numerical framework for finite-size analysis by constructing virtual protocols. For the experiment outcomes, we introduce the nominal values and observed values, which are crucial in finite-size analysis. In contrast, such a distinction is not necessary in numerical asymptotic analyses. Considering the dual problem of the SDP given in [15,16], we can obtain an operator inequality for the phase error operator within one round of quantum communication, which is independent of the quantum state. By applying concentration inequalities [25][26][27], it is further transformed into an upper bound of the number of phase error occurrences in the finite-size case under general attacks. One can directly substitute the experimental statistics into our framework and obtain secure finite-size key rates, without knowing any techniques of security analysis. To show how to apply our framework, we give an example of the recent Twin-Field QKD or Phase-Matching QKD [28,29], which are proved to surpass the linear key-rate bound [30,31] in finite-size cases [32,33]. Our result shows that this can still be achieved even with simplified protocol designs.

II. NUMERICAL FRAMEWORK FOR PREPARE-AND-MEASURE QKD PROTOCOLS

A. Numerical framework in asymptotic case
We consider a broad type of prepare-and-measure protocols between the communication partners, Alice and Bob, which can be roughly described as the following process. Alice randomly prepares a quantum state and sends it to Bob. Bob also randomly performs a measurement on the incoming signal. After the measurement, they exchange some classical information about the state preparation and measurement result by an authenticated classical channel and probabilistically determine the round as a signal round or a test round. They evaluate the information leakage based on the results in the test rounds. With the classical information, they can perform the post-processing to extract secure keys.
The protocol can be described in the language of quantum information and mathematics. The normalized quantum state prepared by Alice is denoted as Bob's measurement is given by a set of positive operator-valued measure (POVM) defined in $H_B$, $\{\Gamma_y^b\}_b$, which is chosen with a probability $\tau_B^y$ and satisfies the normalization condition, $\sum_b \Gamma_y^b = I$ and $\sum_y \tau_B^y = 1$. They repeat the process for $N_{\mathrm{tot}}$ rounds. Alice and Bob may randomly choose auxiliary random variables for each round, which are collectively denoted as $\alpha$ with probability $p_{\mathrm{aux},\alpha}$. Alice and Bob publicly communicate a part of the results $(i, y, b, \alpha)$ abstractly denoted as $\gamma$, which is represented by a map $f_{\mathrm{ann}}$ from $(i, y, b, \alpha)$ to $\gamma$. They determine the role of each round based on $\gamma$ and a predetermined set $W$ such that $\gamma \in W$ for a signal round and $\gamma \notin W$ for a test round. In a signal round, Alice and Bob also generate their sifted-key bits based on $\gamma$ and information available to them. In the case of direct reconciliation, Bob corrects his sifted key to match Alice's. Hence we call Alice's sifted key at this point a reconciled sifted key. The reconciled sifted-key bit $z \in \{0, 1\}$ can be represented as a function $f_{\mathrm{rec}}(i, y, b, \alpha)$. In the case of reverse reconciliation, Bob's sifted key becomes the reconciled sifted key. In a test round, they make additional announcements to reveal the value of $(i, y, b, \alpha)$. We denote the probability that $\alpha$ belongs to a test round as The dependence on $(i, y, b)$ is because a signal or test round is jointly determined by $(i, y, b, \alpha)$ in general.
Based on the announcement in test rounds, they record the number of test rounds with $(i, y, b)$ as $N_{\mathrm{test}}^{i,y,b}$ and the number of signal rounds $N_{\mathrm{sig}}$. Then they perform the post-processing to evaluate the information leakage to the eavesdropper and secure key rate.
Although the dimension of Bob's incoming signal can be infinite, we assume the dimension of $H_B$ to be finite since we can only deal with finite-dimensional systems in the numerical method. A possible way of the finite-dimensional reduction is the squashing model [34]. In general, such a model does not always exist for arbitrary QKD protocols. We consider a more general case of tagging method [9] in Appendix A.
For analyzing the security of the protocol, it is convenient to clarify what is announced in each round. Since the value of $(i, y, b, \alpha)$ completely specifies what is announced by Alice and Bob, the distinct announcements are represented by disjoint sets of values of $(i, y, b, \alpha)$. More specifically, let us define the set of values of $(i, y, b, \alpha)$ leading to announcement $\gamma \in W$ by $\Omega_\gamma := \{(i, y, b, \alpha) : f_{\mathrm{ann}}(i, y, b, \alpha) = \gamma \in W\}$, which represents the announcement in a signal round. In a test round, the value of $(i, y, b, \alpha)$ is further announced in addition to $\gamma \notin W$, which corresponds to a single-element set $\{(i, y, b, \alpha)\}$. All the possible announcements are thus represented by $W_{\mathrm{all}} = W \cup W_{\mathrm{test}}$, where In this notation, the whole announcement in a round is represented by an element $\gamma \in W_{\mathrm{all}}$, that is to say, Eve's receiving actual communication between Alice and Bob is information-theoretically equivalent to her receiving $\gamma$.
Here $\gamma \in W$ implies a signal round, and $\gamma \notin W$ implies a test round. A value of $(i, y, b, \alpha)$ leads to announcement $\gamma$ if and only if $(i, y, b, \alpha) \in \gamma$.
An entanglement-based protocol is often considered for the convenience of security analysis, whose outputs (the classical-classical-quantum state shared by Alice, Bob and the eavesdropper Eve) are identical to those of the corresponding actual protocol. In the protocol, Alice prepares an entangled quantum state She keeps the $d_A$-dimensional ancillary system $H_A$ and sends the signal part in $H_{A'}$ to Bob. They repeat the process for $N_{\mathrm{tot}}$ rounds, and share a bipartite state in . We denote the averaged bipartite state in one round as $\rho_{\mathrm{out}}$. They perform the classical post-processing with the experimental results of $N_{\mathrm{tot}}$ rounds.
In the security proofs based on the phase error correction, we define the phase error in the following way. We first represent the process of each round in the actual protocol as a POVM in the entanglement-based protocol. Its output in each round includes whether the round is signal or test, the bit $z$ in the signal round, and the announcement $\gamma$. We denote the corresponding POVM as $\{\hat{E}^{\mathrm{obs}}_{\mathrm{bit},z,\gamma}\}_{z\in\{0,1\},\gamma\in W} \cup \{\hat{E}^{\mathrm{obs}}_{\mathrm{test},\gamma}\}_{\gamma\in W_{\mathrm{test}}}$ in $L(H_A \otimes H_B)$, i.e., the linear operators in $H_A \otimes H_B$. From the protocol description, they can be expressed as where $E^{\mathrm{obs}}_{\mathrm{ph},x,\gamma}$ is defined as Since the set of CP instrument $\{\zeta_\gamma\}_\gamma$ is not unique, the phase error operator $\hat{E}^{\mathrm{obs}}_{\mathrm{ph}}$ depends on the choice of $\{\zeta_\gamma\}_\gamma$.

Now we begin the asymptotic analysis based on phase error correction. The phase error ratio $e_{\mathrm{ph}}$, i.e., the ratio of the number of phase errors to the number of signal rounds, is a key parameter that characterizes the information leakage to the eavesdropper [6,35]. In the following analysis, we assume the phase error operator $\hat{E}^{\mathrm{obs}}_{\mathrm{ph}}$ is given. The value $\mathrm{tr}(\hat{E}^{\mathrm{obs}}_{\mathrm{ph}} \rho_{\mathrm{out}})$ characterizes the probability that the round is labeled as a signal round and the phase error occurs; we call it the phase error rate per round here and henceforth. We consider an asymptotic limit in which the quantity $N_{\mathrm{test}}^{i,y,b}/(p_{\mathrm{test}}(i, y, b) N_{\mathrm{tot}} \tau_A^i \tau_B^y)$ for each set of $(i, y, b)$ with $p_{\mathrm{test}}(i, y, b) > 0$ converges to a value $q_{b|i,y}$ and $N_{\mathrm{sig}}/N_{\mathrm{tot}}$ converges to $Q_{\mathrm{sig}}$. The statistics $q_{b|i,y}$ give restrictions on $\rho_{\mathrm{out}}$, $\mathrm{tr}(\rho_{\mathrm{out}} |i\rangle\langle i| \otimes \Gamma_y^b) = \tau_A^i q_{b|i,y}$, so that we have a bound tr Êobs Here $e^U_{\mathrm{ph}}(\{q_{b|i,y}\}_{b,i,y})$ is the upper bound of the phase error rate. The key rate formula is then given in terms of $e^U_{\mathrm{ph}}(\{q_{b|i,y}\}_{b,i,y})$, (9) where $h(\cdot)$ denotes the binary Shannon entropy, $f_{\mathrm{EC}}$ is error correction efficiency, and $e_{\mathrm{bit}}$ is bit error rate. One way to find $e^U_{\mathrm{ph}}$ satisfying Eq. (8) is to solve the following maximization problem for the phase error rate per round, where the second constraint is due to the fact that the channel only acts on system $A'$ of $\rho_{\mathrm{in}}$ and keeps $A$ invariant. The third constraint means $\rho$ should be compatible with the results in the test mode.
In the asymptotic analysis for some protocols, the optimal value of $\tau_A^i$ maximizing Eq. (9) can approach zero for some $i$. This happens, for example, if the $i$-th state $|\psi_i\rangle$ is only prepared in the test rounds. If we set $\tau_A^i = 0$, the formulation of Eq. (10) cannot handle the observed data associated with the $i$-th state properly. To deal with this issue, we renormalize the density matrix $\rho$ by defining the following invertible maps acting on an arbitrary operator $\hat{O}_A \in L(H_A)$, where the subscripts label the matrix elements. Then we have tr Here $\hat{G}$ is the renormalized density matrix.
The renormalized phase error operator $\hat{E}_{\mathrm{ph}}$ is defined as Then the r.h.s. of Eq. (8) can be calculated by the following semidefinite programming (SDP) problem, $\mathrm{tr}(\hat{E}_{\mathrm{ph}} \hat{G})$ s.t. $\hat{G} \succeq 0$, $\mathrm{tr}(Q_{b,i|y} \hat{G}) = q_{b|i,y}$ where The constraints in Eq. (13) are classified into two categories. One is independent of Eve's attack, i.e., the inner product constraints $\mathrm{tr}(P_{i,i'} \otimes \hat{I}_B \hat{G}) = p_{i,i'}$. Such inner product constraints come from the relation $\mathrm{tr}_{A'}(\rho_{\mathrm{in}}) = \mathrm{tr}_B(\rho_{\mathrm{out}})$. The other is determined by Eve's attack and compatible with the statistics observed in experiments, i.e., $\mathrm{tr}(Q_{b,i|y} \hat{G}) = q_{b|i,y}$.
Though Eq. (13) seems to be independent of $\tau_A^i$ and $\tau_B^y$, according to the definition of the phase error operator in Eq. (6), $\hat{E}^{\mathrm{obs}}_{\mathrm{ph}}$ and $\hat{E}_{\mathrm{ph}}$ depend on $\tau_A^i$ and $\tau_B^y$ in general. The dependence can be simple in some protocols, for example, $\hat{E}_{\mathrm{ph}}$ is proportional to $\tau_A^i$ and $\tau_B^y$. Then the optimization Eq. (13) only needs to be run once for different $\tau_A^i$ and $\tau_B^y$. One may refer to such an example in Sec. IV. Usually we do not make use of all experimental data or the inner product information. Such a case will be regarded as a relaxation of the constraints in Eq. (13), which will be generally formulated as follows. We define new sets of operators and parameters as where $\nu_{k,i,i'}$ and $\beta_{l,i,y,b,\alpha}$ are real coefficients. The relaxed SDP is then given by max the phase error calculated by Eq. (16) will never be less than Eq. (13). If we define $N_l$ as Then $N_l/N_{\mathrm{tot}}$ converges to $q_l$ in asymptotic limit.

B. Finite-size analysis
Given an asymptotic analysis of a protocol, namely, a set of , we propose how to construct a protocol for which a secure key length is computable in the finite-key regime. The protocol is parameterized by $\tau_A^i$, $\tau_B^y$, $p_{\mathrm{trash}}$, $p_{\mathrm{aux},\alpha}$, $q_l^{\mathrm{nom}}$, $\epsilon_{\mathrm{ph}}$, $\epsilon_{\mathrm{EC}}$, and $s_{\mathrm{PA}}$, which are called protocol parameters. The description of the proposed protocol is as follows.
Real Protocol

1. Alice randomly prepares a quantum state |ψ Then she sends it to Bob through the channel. Bob randomly chooses $y$ with probability $\tau_B^y$ satisfying $\sum_y \tau_B^y = 1$ and conducts the generalized measurement specified by $\{\Gamma_y^b\}_b$, $\Gamma_y^b \in L(H_B)$ on the received signal. Alice and Bob randomly choose auxiliary random variables for each round, which are collectively denoted as $\alpha$ with probability $p_{\mathrm{aux},\alpha}$. With probability $p_{\mathrm{trash}}$, Alice determines the round is a trash round.
2. They repeat the process for $N_{\mathrm{tot}}$ rounds. Here, Alice can send all of her input states to the channel before Bob receives the states.
3. Alice announces the position of the trash rounds among the $N_{\mathrm{tot}}$ rounds. Alice and Bob discard the recorded data $(i, y, b)$ for every trash round.

4. For each round that is not a trash round, Alice and Bob announce $\gamma$ and determine whether the round is a signal round or a test round, corresponding to $\gamma \in W$ and $\gamma \notin W$, respectively. From the signal rounds, they generate the sifted key $z$ and record $N_{\mathrm{sig}}$ which is the number of signal rounds. From the test rounds, they determine $N_l$ given by , where $N_{\mathrm{test}}^{i,y,b}$ is the number of test rounds with $(i, y, b)$.

5. Alice and Bob perform the post-processing to generate a key of a length where $N_{\mathrm{sig}}$ is the number of signal rounds and ) is a function determined by protocol parameters $q_l^{\mathrm{nom}}$. Then the net key gain is $K - H_{\mathrm{EC}}$, where $H_{\mathrm{EC}}$ is the consumption of the pre-shared key in error correction process with a failure probability of $\epsilon_{\mathrm{EC}}$.
To prove the finite-size security, we define a phase-control protocol as follows.
Phase-control Protocol

1. Alice prepares $\rho_{\mathrm{in}}^{\otimes N_{\mathrm{tot}}}$ and sends system $H_{A'}^{\otimes N_{\mathrm{tot}}}$ to Bob through the channel. With probability $p_{\mathrm{trash}}$, Alice determines whether each round is a trash round. For each round that is not a trash round, Alice and Bob perform the CP instrument $\{\zeta_\gamma\}_\gamma$ and output a qubit.
2. Alice and Bob announce the positions of the trash rounds. In the rounds not designated as trash rounds, they announce $\gamma$, record $N_{\mathrm{sig}}$, and determine $\{N_l\}_l$. For every test round, they discard the output qubit.
3. Alice and Bob output the $N_{\mathrm{sig}}$ qubits.
From this definition, the phase-control protocol followed by a $\{|0\rangle, |1\rangle\}$ measurement on $H_Q$ amounts to carrying out the POVM, This means that the phase-control protocol followed by a $\{|0\rangle, |1\rangle\}$ measurement on $H_Q$ is equivalent to steps 1 to 4 in the real protocol, i.e., the classical-quantum state of the reconciled key system (after POVM) and Eve's system are the same. Therefore, we can analyze the secrecy of the sifted key bit $z$ by the phase-control protocol.
The phase-control protocol followed by a $\{|+\rangle, |-\rangle\}$ measurement on $H_Q$ amounts to Alice and Bob performing a measurement on each output of the channel. We denote $M_{\mathrm{ph}}$ as the number of phase errors that corresponds to the POVM element $(1 - p_{\mathrm{trash}}) \hat{E}^{\mathrm{obs}}_{\mathrm{ph},-,\gamma}$ for any $\gamma \in W$. If $M_{\mathrm{ph}}$ were zero, the reconciled sifted-key bit $z$ could be considered as a result of a $\{|0\rangle\langle 0|, |1\rangle\langle 1|\}$ measurement on the pure state $|+\rangle$. Since a pure state has no correlation with any system, it guarantees the secrecy. In the case of nonzero $M_{\mathrm{ph}}$, we use privacy amplification. It is known that the privacy amplification corresponds to the correction of the phase error in the phase-control protocol. It means that the final key can also be considered as a result of a $\{|0\rangle\langle 0|, |1\rangle\langle 1|\}$ measurement on the pure state $|+\rangle$. This is a naive understanding of why the phase error correction approach can prove the security.
More precisely, suppose that there exists a function $M^U_{\mathrm{ph}}(N_{\mathrm{sig}}, \{N_l\}_l, \epsilon_{\mathrm{ph}})$, where $\epsilon_{\mathrm{ph}}$ is a real value satisfying $0 \le \epsilon_{\mathrm{ph}} \le 1$. We assume that the function The random variables $N_{\mathrm{sig}}$ and $\{N_l\}_l$ can be considered as the outcome of the phase-control protocol followed by a $\{|+\rangle, |-\rangle\}$ measurement. It means that $M^U_{\mathrm{ph}}(N_{\mathrm{sig}}, \{N_l\}_l, \epsilon_{\mathrm{ph}})$ is an upper bound of $M_{\mathrm{ph}}$ which holds with a probability no smaller than $1 - \epsilon_{\mathrm{ph}}$. If we can find such a $M^U_{\mathrm{ph}}(N_{\mathrm{sig}}, \{N_l\}_l, \epsilon_{\mathrm{ph}})$ and use it as $M^U_{\mathrm{ph}}$ in Eq. (18), there exists a classical post-processing [6,35,36] guaranteeing that the protocol becomes $(\epsilon_{\mathrm{tot}} = \epsilon_{\mathrm{EC}} + \epsilon_{\mathrm{PA}})$-secure, where The remaining problem is to obtain We introduce an estimation protocol where the joint probability distribution of $M_{\mathrm{ph}}$ and $\{N_l\}_l$ is the same as those in the phase-control protocol followed by a $\{|+\rangle, |-\rangle\}$ measurement. We assume that there is an observable $P^{\mathrm{obs}} \in L(H_A)$, which will be defined later. We denote its eigenstate and the corresponding eigenvalue as $\{(|\omega_w\rangle, \omega_w)\}_w$. We define the estimation protocol as follows, which generates random variables χ

Estimation Protocol

1' Alice prepares $\rho_{\mathrm{in}}$ and sends system $A'$ to Bob through the channel. They perform the measurement whose POVM can be written as

2' Alice and Bob obtain the values of random variables χ Q,l , and $\chi_P^{(u)}$ in each round. The correspondence between the values of the random variables and the POVM elements is given in Table I. In the phase-control protocol, Alice and Bob just discard their data in the trash rounds. It means that the joint probability distributions of random variables χ the same. The protocol is proved to be secure if we can show Eq. (21).

[Table I: values of the random variables and the corresponding POVM elements in Eq. (23).]
In order to analyze the statistics in the estimation protocol, we will use a linear operator inequality in the following form to apply the concentration inequalities. To obtain a suitable operator inequality, we propose to consider an alternative method other than Eq. (16) for asymptotic analysis, which can give rise to a linear operator inequality in the form of Eq. (24) and is easy to extend to finite-size analysis. The alternative method works as follows. We first estimate $q = (q_1, q_2, \cdots, q_l, \cdots, q_n)$ in Eq. (16) with the protocol parameters $q_l^{\mathrm{nom}}$ prior to the actual run of the protocol. The estimations ) are called nominal values. Then we consider the dual problem of Eq. (16), min where Suppose the optimal $\Lambda$ for Eq. (25) is $\Lambda^*(q^{\mathrm{nom}})$. After the actual run of the protocol, we can observe true values of $q$, denoted as $q^{\mathrm{obs}} = (q_1^{\mathrm{obs}}, q_2^{\mathrm{obs}}, \cdots, q_n^{\mathrm{obs}})$, with which we can calculate an upper bound of the phase error rate $p^*_{\mathrm{lin}}(q^{\mathrm{obs}}; q^{\mathrm{nom}}) = -\Lambda^*(q^{\mathrm{nom}}) \cdot (p, q^{\mathrm{obs}})$. The alternative method uses $p^*_{\mathrm{lin}}(q^{\mathrm{obs}}; q^{\mathrm{nom}})$ as the result, which is different from the optimal value of the primal problem Eq. (16), $p^*(q^{\mathrm{obs}})$.
Since $\Lambda^*(q^{\mathrm{nom}})$ satisfies the constraint in Eq. (25), we have the following inequality, which has the same form as Eq. (24). With the inequality Eq. (26), we can obtain $\mathrm{tr}(\hat{E}_{\mathrm{ph}} \hat{G}) \le p^*_{\mathrm{lin}}(q^{\mathrm{obs}}; q^{\mathrm{nom}})$ for a renormalized density matrix $\hat{G}$ satisfying the constraints in Eq. (16), which means the alternative method can give a valid upper bound on the phase error rate. Therefore, the alternative method is secure.
We compare the alternative method with the original one in Eq. (16). Their performances on asymptotic key rate depend on $p^*_{\mathrm{lin}}(q^{\mathrm{obs}}; q^{\mathrm{nom}})$ and $p^*(q^{\mathrm{obs}})$, respectively. According to the Lagrange duality of Eq. (16) and Eq. (25), we have $-\Lambda^*(q^{\mathrm{obs}}) \cdot (p, q^{\mathrm{obs}}) \ge p^*(q^{\mathrm{obs}})$, which saturates when the strong duality holds. Actually, the strong duality holds in most practical cases, unless the observed statistics $q^{\mathrm{obs}}$ forbid the possibility of at least one pure state, in other words, there is no full-rank solution in Eq. (16). If we take $C = (p, q^{\mathrm{obs}})$ in Eq. (25), then we have $-\Lambda^*(q^{\mathrm{nom}}) \cdot (p, q^{\mathrm{obs}}) \ge -\Lambda^*(q^{\mathrm{obs}}) \cdot (p, q^{\mathrm{obs}})$ since $-\Lambda^*(q^{\mathrm{nom}})$ satisfies the constraint in Eq. (25) and $\Lambda^*(q^{\mathrm{obs}})$ minimizes $-\Lambda \cdot C$ over all $\Lambda$ satisfying that constraint. This inequality saturates when $q^{\mathrm{obs}} = q^{\mathrm{nom}}$. Combining the two inequalities above, we have $p^*_{\mathrm{lin}}(q^{\mathrm{obs}}; q^{\mathrm{nom}}) \ge p^*(q^{\mathrm{obs}})$. Therefore, the asymptotic key rate given by the alternative method is in general worse than the original one. The two key rates coincide only when the strong duality holds and $q^{\mathrm{obs}} = q^{\mathrm{nom}}$.
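The comparison above can be reproduced on a one-qubit toy problem whose primal and dual optima are known in closed form. This is an added example, not code or a model from the paper: the operator E = |−⟩⟨−|, the single constraint tr(ZG) = q, the sign convention of the multipliers, and all function names are assumptions chosen for illustration.

```python
"""Toy check of the nominal-value (dual) bound. Constructed example, not from the paper.

Toy primal:  p*(q) = max tr(E G)  s.t.  G >= 0, tr(G) = 1, tr(Z G) = q
with E = |-><-| = (I - X)/2 standing in for the phase error operator.
Toy dual:    min lam0 + lam1*q    s.t.  S = lam0*I + lam1*Z - E >= 0
The sign convention is this toy's own, not the paper's Lambda.
"""
import math
import random


def primal_opt(q):
    """Closed-form primal optimum: Bloch vector with z = q, x = -sqrt(1 - q^2)."""
    return 0.5 * (1.0 + math.sqrt(1.0 - q * q))


def dual_opt(q_nom):
    """Optimal dual multipliers (lam0, lam1) computed at the nominal value."""
    if not -1.0 < q_nom < 1.0:
        raise ValueError("q_nom must lie strictly inside (-1, 1)")
    # Diagonal entries a, d of the slack matrix S = [[a, 1/2], [1/2, d]];
    # the optimum sits on the boundary a*d = 1/4 of the PSD cone.
    a = 0.5 * math.sqrt((1.0 - q_nom) / (1.0 + q_nom))
    d = 0.5 * math.sqrt((1.0 + q_nom) / (1.0 - q_nom))
    return 0.5 + 0.5 * (a + d), 0.5 * (a - d)


def linear_bound(q_obs, q_nom):
    """p_lin(q_obs; q_nom): multipliers fixed at q_nom, evaluated on observed data."""
    lam0, lam1 = dual_opt(q_nom)
    return lam0 + lam1 * q_obs


def slack_min_eig(lam0, lam1):
    """Smallest eigenvalue of S = lam0*I + lam1*Z - E (dual feasibility check)."""
    a = lam0 + lam1 - 0.5
    d = lam0 - lam1 - 0.5
    return 0.5 * (a + d) - math.hypot(0.5 * (a - d), 0.5)


def operator_inequality_holds(q_nom, trials=2000, seed=1, tol=1e-12):
    """Check tr(E G) <= lam0 + lam1*tr(Z G) on random qubit states G.

    The states are NOT restricted to tr(Z G) = q_nom: the inequality is
    state-independent, which is what makes it usable round by round.
    """
    rng = random.Random(seed)
    lam0, lam1 = dual_opt(q_nom)
    checked = 0
    while checked < trials:
        x, y, z = (rng.uniform(-1.0, 1.0) for _ in range(3))
        if x * x + y * y + z * z > 1.0:
            continue  # not a valid Bloch vector
        checked += 1
        if 0.5 * (1.0 - x) > lam0 + lam1 * z + tol:
            return False
    return True


if __name__ == "__main__":
    q_nom = 0.6  # constructed nominal value
    print("dual feasible:", slack_min_eig(*dual_opt(q_nom)) > -1e-12)
    print("operator inequality on random states:", operator_inequality_holds(q_nom))
    for q_obs in (0.4, 0.5, 0.6, 0.7, 0.8):  # constructed observed values
        gap = linear_bound(q_obs, q_nom) - primal_opt(q_obs)
        print(f"q_obs={q_obs:.1f}  p_lin={linear_bound(q_obs, q_nom):.4f}  "
              f"p*={primal_opt(q_obs):.4f}  gap={gap:.4f}")
```

In this toy the linear bound is the tangent to the concave curve p*(q) at q_nom, so the gap is zero at q_obs = q_nom and grows as the observed value drifts away from the nominal one.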
Here we make some remarks on the alternative method. The elements of $q^{\mathrm{nom}}$ are fixed prior to the actual run of the protocol so that they are independent of the observed experimental data. For example, one may compute $q^{\mathrm{nom}}$ by assuming a channel model, or carry out test rounds to estimate $q^{\mathrm{nom}}$. This is different from the literature on asymptotic numerical frameworks [13][14][15][16], where the observed experiment results can be directly substituted into the optimization problems. We use the nominal values for the ease of applying concentration inequalities.

Now we extend the alternative method to finite-size analysis. We define $P^{\mathrm{obs}} = T_{\mathrm{PM}}(\sum_k \lambda_k^* P_k) = \sum_{\omega_w} \omega_w |\omega_w\rangle\langle\omega_w|$. Then the operator inequality given by the alternative protocol Eq. (26) can be rewritten as $\hat{E}_{\mathrm{ph}} + T_{\mathrm{PM}}^{-1}(P^{\mathrm{obs}}) \otimes I_B + \sum_l \eta_l^* Q_l \preceq 0$. We can analyze the statistics in the estimation protocol by combining this operator inequality and concentration inequalities.
The conditional expectation values of random variables Q,l , and $\chi_P^{(u)}$ are given by where $F_{u-1}$ is the filtration identifying random variables χ is the post-measurement density matrix (the measurement results of the first $u - 1$ rounds are the same as the filtration). Recalling Eq. (26), we have the following inequality tr Êobs Combining Eq. (27) and Eq. (28), we have the following inequality for conditional expectation values To deal with the statistical fluctuations in χ P , we may apply concentration inequalities for dependent variables such as Azuma's inequality or Kato's inequality [27]. Suppose we obtain an inequality in the following form, which holds with a probability no smaller than $1 - \epsilon_{\mathrm{ph}}/2$. Note that one may apply a concentration inequality to a single variable (χ P /p trash , or apply concentration inequalities separately to each variable and then combine the results with the union bound. We note that the relation χ sig , which is derived from their definitions in Table I, is useful when we apply Kato's inequality to $\chi_{\mathrm{ph}}^{(u)}$. Recalling Eq. (14) and the definition of $P^{\mathrm{obs}}$, we can see that $\chi_P^{(u)}$ is independent and identically distributed (i.i.d.). We may apply concentration inequalities for independent variables such as the Chernoff bound, and have an inequality in the following form which holds with a probability no smaller than $1 - \epsilon_{\mathrm{ph}}/2$. Combining Eqs. (29), (30) and (31), we have which holds with probability at least $1 - \epsilon_{\mathrm{ph}}$. Therefore, our protocol is $(\epsilon_{\mathrm{tot}} = \epsilon_{\mathrm{EC}} + \epsilon_{\mathrm{PA}})$-secure.
In our protocol description, the classical communication between Alice and Bob begins only after the quantum communication is over. In addition, the number of total rounds is fixed prior to the quantum communication. One should be careful when applying our method to some protocols where Alice and Bob exchange the basis information in each round, such as those with iterative sifting [37]. In these protocols, some concentration inequalities such as the Chernoff bound may fail due to the requirement of i.i.d. random variables.
Recently, there has also been some research on asymptotic numerical security analysis of QKD based on the Gram matrix formulation [15,16]. We compare our method with it for asymptotic analysis. The main difference lies in Bob's dimension. In our case Bob's dimension is determined by the application of the squashing model or tagging method (see Appendix A), while in [15] the dimension depends on the number of POVM outcomes. In order to get a better key rate, a higher hierarchical structure is introduced to the Gram matrix, which will enlarge Bob's dimension. Another difference is that the Gram matrix method is semi-device-independent, i.e., the analysis is independent of the implementation of measurement settings. In our work, the renormalized density matrix can also be regarded as a Gram matrix. Its elements are the inner products of the states left for Eve when Alice sends some certain state $|\psi_i\rangle$ and Bob has a measurement outcome on his basis $\{|v\rangle\}$.
We also compare our numerical methods for the asymptotic case and the finite-size case. To calculate the asymptotic key rate, the constraints $\mathrm{tr}(Q_l \hat{G}) = q_l$ should include as many experimental data as possible. However, this is not always true in the finite-size case since more observables will introduce larger deviations due to the applications of concentration inequalities.

III. NUMERICAL FRAMEWORK FOR MEASUREMENT-DEVICE-INDEPENDENT QKD PROTOCOLS
Now we consider a broad type of measurement-device-independent (MDI) QKD protocols among the communication partners, Alice and Bob, and an untrusted node in the middle, Charlie. Alice (Bob) randomly prepares a quantum state $|\psi_i\rangle$ ($|\psi_j\rangle$) with probability $\tau_A^i$ ($\tau_B^j$) satisfying $\sum_{i=1}^{d_A} \tau_A^i = 1$ ($\sum_{j=1}^{d_B} \tau_B^j = 1$). They send the signals to Charlie, who is supposed to jointly measure their signals and announce the results $\xi$. Similarly to prepare-and-measure protocols, Alice and Bob may use additional random values which are collectively represented by $\alpha$ with probability $p_{\mathrm{aux},\alpha}$. Then they publicly communicate a part of the results $(i, j, \alpha)$ abstractly denoted as $\gamma$, which is represented by a map $f^{\xi}_{\mathrm{ann}}$ from $(i, j, \alpha)$ to $\gamma$. They determine the role of each round based on $\gamma$ and a predetermined set $W^{\xi}$ such that $\gamma \in W^{\xi}$ for a signal round and $\gamma \notin W^{\xi}$ for a test round. In a signal round, they generate sifted key bit $z \in \{0, 1\}$ represented by a function $f^{\xi}_{\mathrm{rec}}(i, j, \alpha)$. In a test round, they announce $(i, j, \alpha)$. They record the number of test rounds with $(i, j, \xi)$, $N_{\mathrm{test}}^{i,j,\xi}$, and the number of signal rounds $N_{\mathrm{sig}}$. Finally they perform the post-processing and extract the secure key. Similar to the prepare-and-measure protocols, we denote the whole announcement in each round as $\gamma$ and define the probability that $\alpha$ belongs to a test round as $p_{\mathrm{test}}(i, j, \xi) = \sum_{\alpha : f^{\xi}_{\mathrm{ann}}(i,j,\alpha) \notin W^{\xi}} p_{\mathrm{aux},\alpha}$. The sets $W$, $W_{\mathrm{test}}$, and $W_{\mathrm{all}}$ are also defined for each value of $\xi$, which we denote by $W^{\xi}$, $W^{\xi}_{\mathrm{test}}$, and $W^{\xi}_{\mathrm{all}}$. In the corresponding entanglement-based protocol, Alice and Bob prepare entangled quantum states dA i=1 (33) Alice and Bob keep their ancillary system in $H_A \otimes H_B$ and send the signal parts in $H_{A'} \otimes H_{B'}$ to Charlie. Then the dimensions of $H_A$ and $H_B$ are $d_A$ and $d_B$, respectively. They repeat the process for $N_{\mathrm{tot}}$ rounds and share a bipartite state in We also represent Alice's and Bob's processes of each round in the actual protocol, which depend on Charlie's announcement $\xi$ in this case, as a POVM in the entanglement-based protocol. The POVM elements $E^{\mathrm{obs},\xi}_{\mathrm{bit},z,\gamma}$ and $E^{\mathrm{obs},\xi}_{\mathrm{test},\gamma}$ satisfy $E^{\mathrm{obs},\xi}_{\mathrm{bit},z,\gamma}$ = (i,j,α)∈γ: The qubit system $H_Q$ and the CP instrument $\{\zeta^{\xi}_{\gamma}\}_\gamma$ are similarly defined as those in prepare-and-measure protocols.
The phase error rate is upper bounded by the following maximization problem, where $q_{\xi|i,j}$ is the convergence of $N_{\mathrm{test}}^{i,j,\xi}/(p^{\xi}_{\mathrm{test}} N_{\mathrm{tot}} \tau_A^i \tau_B^j)$ in asymptotic limit. The phase error operator $\hat{E}^{\mathrm{obs},\xi}_{\mathrm{ph}}$ is defined following Eqs. (5) to (7) for each value of Charlie's announcement $\xi$. The key rate formula is given by (36) where $Q_{\mathrm{sig}}$ is the convergence of $N_{\mathrm{sig}}/N_{\mathrm{tot}}$ in asymptotic limit and $e^U_{\mathrm{ph}}(\{q_{\xi|i,j}\}_{\xi,i,j})$ is obtained by solving Eq. (35). For renormalization, we consider the following invertible maps for an arbitrary operator $\hat{O}_{AB} \in L(H_A \otimes H_B)$, We define the renormalized density matrix and phase error operator $\hat{E}_{\mathrm{ph}}$ as where we introduced the Hilbert space $H_\Xi$ for Charlie's announcement $\xi$ for convenience. Then we have tr The upper bound of the phase error rate is calculated by the following SDP problem, where (41) The last constraint in Eq. (40) comes from the fact that the register for Charlie's announcement is classical.
In practical cases we also consider the relaxation of the constraints, β l,i,j,ξ Qξ,i,j where $\nu_{k,i,i',j,j'}$ and $\beta_{l,i,j,\xi}$ are real coefficients. The relaxed SDP has the following form, Compared with Eq. (16), the only difference is the additional constraints for the classical register. Considering the dual problem of Eq. (43), the target function is independent of the Lagrange multipliers for the classical register constraints, which means we can freely set these multipliers to be zero. Then the classical register constraints vanish and the dual problem of Eq. (43) has the same form as Eq. (25). In the finite-size analysis of measurement-device-independent QKD protocols, one only needs to replace the quantities depending on $y$ and $b$ with those depending on $j$ and $\xi$, then follow the same procedure in Sec. II B. For example, one should replace $\beta_{l,i,y,b}$, $p_{\mathrm{test}}(i, y, b)$ and $N_{\mathrm{test}}^{i,y,b}$ with $\beta_{l,i,j,\xi}$, $p_{\mathrm{test}}(i, j, \xi)$ and $N_{\mathrm{test}}^{i,j,\xi}$, respectively.

IV. EXAMPLE: PHASE-MATCHING QKD
To show how our method works in detail, we take the phase-matching MDI-QKD [29,38] as an example, which has been proved to surpass the linear key-rate bound [30,31] both in asymptotic limit and finite-size case. A simplified phase-matching MDI-QKD protocol was proposed recently [16] with asymptotic security analysis. Our result shows that such a protocol can also surpass the linear key-rate bound in the finite-size case. In the following, a coherent state with a complex amplitude $\alpha$ is represented by a ket vector $|\alpha\rangle$ which is written by in a Fock basis $\{|n\rangle\}_n$. We first list the parameters of the protocol. The protocol dictates that Alice and Bob randomly prepare X and Y basis states of an optical pulse. The probability of choosing X basis is $p_{\mathrm{basis},0}$. The mean photon numbers of X and Y basis states are $\mu_0$ and $\mu_1$, respectively. Alice generates a random bit $\alpha \in \{0, 1\}$. The probability of $\alpha = 0$ is $p_{\mathrm{aux},0}$. The probability of determining a trash round is $p_{\mathrm{trash}}$. The estimations of actual experiment results prior to the experiment are $q_l^{\mathrm{nom}}$ ($l \in \{1, 2, 3, 4\}$). We also use three security parameters, $\epsilon_{\mathrm{ph}}$, $\epsilon_{\mathrm{EC}}$, and $s_{\mathrm{PA}}$. The protocol is defined as follows.
Real Protocol
1. Alice(Bob) randomly prepares a quantum state
3. They repeat steps 1 and 2 for N tot times.
4. Alice announces the positions of the trash rounds, and Alice and Bob discard their raw key bits for those rounds. For each round that is not a trash round, Alice announces the value of α. Both Alice and Bob announce their basis choices. Each round is labeled as signal if they both choose X basis (π a = π b = 0), ξ = 2, and α = 0. Otherwise the round is test. For signal rounds, Alice and Bob record the number of signal rounds N sig and keep their raw key bits. For test rounds, they announce their raw key bits and record the following quantities: the number N X pass of successful detections when they both choose X basis, the number N Y pass of successful detections when they both choose Y basis, and the numbers N X bit and N Y bit of rounds where a bit error occurs on each basis. Then they compute the key length Alice and Bob perform the post-processing to generate their final keys. Here, direct reconciliation is used and hence Alice's sifted-key value is the reconciled sifted-key value.
For convenience, we clarify how the protocol descriptions above satisfy the general prescription given in Sec. III.
In the protocol description, we introduced new labels κ a(b) and π a(b) . The relations to the labels i and j are i = (κ a , π a ) = 2κ a + π a + 1 and j = (κ b , π b ) = 2κ b + π b + 1. Then the probabilities τ i A and τ j B satisfy We also introduce new random variables N X bit , N Y bit , N X pass and N Y pass . The relations to N l will be given later. The announcement is represented by γ = f ξ ann (i, j, α) := ((i mod 2), (j mod 2), α). The round is signal when γ

To define the phase error operator, we consider the corresponding entanglement-based protocol. The initial pure states prepared by Alice and Bob, which were given in Eq. (33) as a total density operator for , and H B1 hold Alice's key bit, Alice's basis, Bob's key bit, and Bob's basis, respectively. The central node Charlie performs a Bell measurement on H A ′ ⊗ H B ′ and announces the measurement result ξ. The result ξ = 0(1) corresponds to the detection of an in(anti)-phase pulse pair and ξ = 2 corresponds to the inconclusive result. The POVM element E obs,ξ bit,z,γ (γ ∈ W) is given by Eq. (34), which leads to (48)

Based on the asymptotic analysis of the protocol [16] we define the following CP instrument {ζ ξ γ } γ . Bob performs the X operation on H B0 when ξ = 1. Alice and Bob perform a {|0⟩⟨0|, |1⟩⟨1|} measurement on H A1 and H B1 and announce their results π a and π b . If π a = π b = 0 and ξ = 2, with probability p aux,0 , Alice and Bob perform the operation Ŝ † A0 ÛCY on H A0 ⊗ H B0 , where ÛCY is the controlled-Ŷ operation given by |0⟩⟨0| A0 ⊗ ÎB0 + |1⟩⟨1| A0 ⊗ ŶB0 . Otherwise, they project H A0 to |0⟩. Finally they rename H A0 as H Q . Here Ŷ = −i|0⟩⟨1| + i|1⟩⟨0| is the Pauli operator and Ŝ = |0⟩⟨0| + i|1⟩⟨1| is the phase operator. One can easily check that the CP instrument followed by a projection |z⟩⟨z| (z ∈ {0, 1}) on H Q equals the POVM element E obs,ξ bit,z,γ (γ ∈ W). Therefore, the outcomes of the measurement {|0⟩⟨0|, |1⟩⟨1|} on H Q reproduce the joint probability distribution of the reconciled sifted-key value. The phase-control protocol can also be constructed according to the CP instrument.
The phase error operator Êobs,ξ ph is defined as where we omit the identity operators. After some derivations, we can get the renormalized phase error operator, Êph = We define operators Ql (l = 1, 2, 3, 4) and Pk by heuristically choosing the coefficients in Eq. (42) for the SDP problem, where X and Ẑ are Pauli operators. We only consider the 64 inner products of the same basis states, Then one can substitute the operators into the primal SDP to calculate the asymptotic key rate. The explicit form of the SDP is given in Appendix D. The dual problem is given by min The real vector C is given by C = (p 1 , p 2 , • • • , p 64 , q nom 1 , q nom 2 , q nom 3 , q nom 4 ), where q nom 1 = p X,nom pass e X,nom and the inequality for conditional expectations,

Properties specific to the current example can be used for reducing the computational cost of solving the SDP of Eq. (52). We notice that Êph is proportional to p aux,0 and p 2 basis,0 . If we consider another set of values p ′ aux,0 and p ′ basis,0 , then we can immediately have Therefore, a single run of the SDP is enough for different sets of {p aux,0 , p basis,0 }, which greatly saves computational resources for the optimization of p aux,0 and p basis,0 . Moreover, we also notice that all the operators in Eq. (53) are block diagonal, i.e., they can be expressed as ÔABΞ =  II.

In finite-size analysis, we try to find M U ph (N sig , {N l } l , ǫ ph ). In the protocol, Alice and Bob record N X bit , N Y bit , N X pass and N Y pass . Their relations to N l are given by We separately apply Kato's inequality to χ Q,l (l ∈ {1, 2, 3, 4}) and χ (u) P and have the following inequalities, which hold with probabilities at least 1 − ǫ 0 , 1 − ǫ l (l ∈ {1, 2, 3, 4}) and 1 − ǫ 5 , respectively. Here sgn(•) = 1(0) represents a positive(negative) value and ∆ 1(0) is defined in Appendix B. The failure probabilities satisfy $\sum_{j=0}^{5} \epsilon_j = \epsilon_{\mathrm{ph}}/2$. In Appendix B, we prove Eqs. (56) to (58). In Appendix E, we give an example of distributing these failure probabilities. Then ∆ 1 introduced in Eq. (30) is given by (59) We apply Bernstein's inequality to χ (61) which holds with probability at least 1 − ǫ ph . Then M U ph (N sig , {N l } l , ǫ ph ) is given by the rhs of Eq. (61).
The result enables us to simulate the finite-size key rate versus the transmission distance (Fig. 1). It turns out that such a protocol can also surpass the linear key-rate bound with N tot = 10

In conclusion, we give a numerical finite-size security analysis method for prepare-and-measure and measurement-device-independent QKD protocols. In the finite-size analysis, we introduce trash rounds where virtual measurements are performed to deal with the constraints independent of attacks from eavesdroppers. We also distinguish between nominal and observed experimental data, which serve as protocol parameters and random variables, respectively. For a practical QKD implementation, one can estimate the measurement results and substitute them into the SDP to get a valid (though possibly not optimal) operator inequality. Then the upper bound of the phase error occurrence can be calculated by combining suitable concentration inequalities, which completes the finite-size analysis. Our method will be a useful tool to calculate the finite-size secret key rate under general attacks, especially for non-specialists who need to calculate the secure key rate.
There are some future directions to extend our results. One interesting direction is to take various device imperfections into consideration, such as MDI-QKD with partially characterized sources. Besides, we can also explore whether our method can be generalized to continuous variable QKD protocols, especially the discrete-modulated coherent state protocols.

The improved Azuma's inequality is given by the following theorem.
Theorem 1. (Kato's inequality [27]) Let {X (u) } be a list of random variables, and {F u−1 } be a filtration that identifies random variables {X (1) , X (2) , • • • X (u−1) }. Suppose 0 ≤ X (u) ≤ 1 for any u, then for any n ∈ N, a ∈ R and b ≥ 0, we have the relation

In Kato's inequality, we choose the parameters a and b to make the inequality tight when the random variable $X = \sum_{u=1}^{n} X^{(u)}$ is close to its estimation. We denote this estimation as X nom . For the optimal choice of a and b, we solve the following optimization problem for Eq. (B1) where ǫ is the given failure probability satisfying 0 < ǫ ≤ 1. The optimization problem can be solved analytically [33], Then according to Eq. (B1), we have the following inequality which holds with probability at least 1 − ǫ, (C2) In our case we consider the i.i.d. random variable χ where each inequality holds with probability at least 1 − ǫ.

3 '
They repeat steps 1 and 2 for N tot rounds and record M ph = (u) ph , χ (u) Q,l , and the positions of the trash rounds in the phase-control protocol and the estimation protocol are χ (u) ph POVM elements in Eq. (23) 1 (1 − p trash ) Êobs ph, b) and sends it to an untrusted central node Charlie. Here κ a(b) ∈ {0, 1} represents the raw key bit while π a(b) ∈ {0, 1} represents the basis choice, where π a(b) = 0 corresponds to the X basis and π a(b) = 1 corresponds to the Y basis. The probabilities of preparing (−1) κ a(b) √ µ π a(b) and (−1) κ a(b) i √ µ π a(b) are p basis,0 /2 and (1 − p basis,0 )/2, respectively. Alice generates a bit α ∈ {0, 1} with a probability distribution {p aux,0 , 1 − p aux,0 }. With probability p trash , Alice determines that the round is a trash round.
2. The central node Charlie is supposed to perform a Bell measurement and announce the measurement result ξ. The result ξ = 0(1) corresponds to the detection of an in(anti)-phase pulse pair and ξ = 2 corresponds to the inconclusive result. If ξ = 1, Bob flips his bit κ b as his new raw key bit.

bit , q nom 2 =q nom 3 =q nom 4 = 1 ÊX bit + η * 2 ÊY bit + η * 3 P
p Y,nom pass e Y,nom bit , p X,nom pass and p Y,nom pass are our estimations of the experimental results by assuming a channel model. In Appendix E, we give an example of estimations. By solving the dual problem, we have the following operator inequality Êph + η *

2 κ b + 2 3
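(κ ′ a + 2π ′ + 2 2 κ ′ b ) and e X,nom bit , e Y,nom bit , p X,nom pass and p Y,nom pass are estimations given in Appendix E. The factor 1/4 comes from the assumption that Alice and Bob choose their bits κ a(b) ∈ {0, 1} with equal probability.

Appendix E: Simulation of the finite-size key rate

In this section we simulate the key rate of the simplified PM-QKD protocol given in the last section. We need to estimate e X,nom bit , e Y,nom bit , p X,nom pass and p Y,nom pass . Here we consider a simple lossy channel model. Suppose the dark count rate of the single photon detector is p d and the channel transmittance is η. We make the following estimations,

$$
\begin{aligned}
e^{X,\mathrm{nom}}_{\mathrm{bit}} &= e^{-2\eta\mu_1} p_d (1-p_d), \\
e^{Y,\mathrm{nom}}_{\mathrm{bit}} &= e^{-2\eta\mu_2} p_d (1-p_d), \\
p^{X,\mathrm{nom}}_{\mathrm{pass}} &= (1-p_d)\left[1 - e^{-2\eta\mu_1}(1-p_d)\right] + e^{-2\eta\mu_1} p_d (1-p_d), \\
p^{Y,\mathrm{nom}}_{\mathrm{pass}} &= (1-p_d)\left[1 - e^{-2\eta\mu_2}(1-p_d)\right] + e^{-2\eta\mu_2} p_d (1-p_d),
\end{aligned}
\tag{E1}
$$

where the loss and double click events are regarded as the inconclusive results. Then N nom sig and Θ nom Q,l are given in terms of the protocol parameters,

$$
\begin{aligned}
N^{\mathrm{nom}}_{\mathrm{sig}} &= N_{\mathrm{tot}} (1-p_{\mathrm{trash}})\, p_{\mathrm{basis},0}^{2}\, p_{\mathrm{aux},0}\, p^{X,\mathrm{nom}}_{\mathrm{pass}}, \\
\Theta^{\mathrm{nom}}_{Q,1} &= N_{\mathrm{tot}} (1-p_{\mathrm{trash}})\, p_{\mathrm{basis},0}^{2}\, p_{\mathrm{aux},1}\, p^{X,\mathrm{nom}}_{\mathrm{pass}}\, e^{X,\mathrm{nom}}_{\mathrm{bit}}, \\
\Theta^{\mathrm{nom}}_{Q,2} &= N_{\mathrm{tot}} (1-p_{\mathrm{trash}})\, p_{\mathrm{basis},1}^{2}\, p^{Y,\mathrm{nom}}_{\mathrm{pass}}\, e^{Y,\mathrm{nom}}_{\mathrm{bit}}, \\
\Theta^{\mathrm{nom}}_{Q,3} &= N_{\mathrm{tot}} (1-p_{\mathrm{trash}})\, p_{\mathrm{basis},0}^{2}\, p_{\mathrm{aux},1}\, p^{X,\mathrm{nom}}_{\mathrm{pass}}, \\
\Theta^{\mathrm{nom}}_{Q,4} &= N_{\mathrm{tot}} (1-p_{\mathrm{trash}})\, p_{\mathrm{basis},1}^{2}\, p^{Y,\mathrm{nom}}_{\mathrm{pass}}.
\end{aligned}
\tag{E2}
$$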
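The estimations of Eqs. (E1) and (E2) can be reproduced by enumerating the click patterns of Charlie's two detectors, which makes explicit which events count as inconclusive. This is an added example, not code from the paper; the two-detector model, the function names and all parameter values other than p d and N tot are assumptions.

```python
import math

def click_pattern_probs(eta, mu, p_d):
    """Probabilities of the four click patterns of Charlie's two detectors.

    Assumed model (added here, not spelled out on the page): the interfered
    light, intensity 2*eta*mu, reaches one threshold detector, and each
    detector fires independently with dark-count probability p_d.
    """
    lit_silent = math.exp(-2 * eta * mu) * (1 - p_d)  # lit detector stays silent
    dark_silent = 1 - p_d                             # dark detector stays silent
    return {
        "correct_only": (1 - lit_silent) * dark_silent,
        "wrong_only": lit_silent * (1 - dark_silent),
        "double": (1 - lit_silent) * (1 - dark_silent),
        "none": lit_silent * dark_silent,
    }

def nominal_estimates(eta, mu, p_d):
    """Eq. (E1): (e_bit^nom, p_pass^nom); loss and double clicks are inconclusive."""
    pr = click_pattern_probs(eta, mu, p_d)
    return pr["wrong_only"], pr["correct_only"] + pr["wrong_only"]

def nominal_counts(n_tot, p_trash, p_basis0, p_aux0, eta, mu1, mu2, p_d):
    """Eq. (E2): N_sig^nom and Theta_{Q,l}^nom (l = 1..4)."""
    e_x, p_x = nominal_estimates(eta, mu1, p_d)
    e_y, p_y = nominal_estimates(eta, mu2, p_d)
    xx = n_tot * (1 - p_trash) * p_basis0 ** 2        # both choose X, not trash
    yy = n_tot * (1 - p_trash) * (1 - p_basis0) ** 2  # both choose Y, not trash
    p_aux1 = 1 - p_aux0
    return {
        "N_sig": xx * p_aux0 * p_x,
        "Theta_Q1": xx * p_aux1 * p_x * e_x,
        "Theta_Q2": yy * p_y * e_y,
        "Theta_Q3": xx * p_aux1 * p_x,
        "Theta_Q4": yy * p_y,
    }

if __name__ == "__main__":
    # p_d and N_tot are the values quoted for Fig. 1; the rest are constructed.
    counts = nominal_counts(n_tot=1e12, p_trash=0.1, p_basis0=0.9, p_aux0=0.9,
                            eta=1e-3, mu1=0.05, mu2=0.02, p_d=1e-8)
    for name, value in counts.items():
        print(f"{name:9s} {value:.4e}")
```

The ratio Θ nom Q,1 / Θ nom Q,3 returns e X,nom bit, a quick consistency check when the nominal values are fed into the vector C of the dual problem.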

TABLE I. The correspondence between the values of the random variables and the POVM elements.
12 rounds. The simulation formulas are given in Appendix E.
FIG. 1. Simulation of the finite-size key rate versus the transmission distance (top) and the finite-size key rate versus the total rounds $N_{\mathrm{tot}}$ at 300 km (bottom). We assume the detector efficiency is 1 and choose the dark count rate $p_d = 10^{-8}$, the number of total rounds $N_{\mathrm{tot}} = 10^{12}$, and security parameter $\epsilon_{\mathrm{ph}} = 2^{-66}$. Here µ1 and µ2 are optimized.