Security Proof for Variable-Length Quantum Key Distribution

We present a security proof for variable-length QKD in the Renner framework against IID collective attacks. Our proof can be lifted to coherent attacks using the postselection technique. Our first main result is a theorem to convert a series of security proofs for fixed-length protocols satisfying certain conditions to a security proof for a variable-length protocol. This conversion requires no new calculations, does not require any changes to the final key lengths or the amount of error-correction information, and at most doubles the security parameter. Our second main result is the description and security proof of a more general class of variable-length QKD protocols, which does not require characterizing the honest behaviour of the channel connecting the users before the execution of the QKD protocol. Instead, these protocols adaptively determine the length of the final key, and the amount of information to be used for error-correction, based upon the observations made during the protocol. We apply these results to the qubit BB84 protocol, and show that variable-length implementations lead to higher expected key rates than the fixed-length implementations.


I. INTRODUCTION
Security proofs for QKD protocols are typically proven in the "fixed-length" scenario, where two users Alice and Bob either produce a key of a fixed length, or abort the protocol [1][2][3][4][5][6].Such protocols accept and produce a key of fixed length if and only if their observed statistics belong to some predetermined "acceptance set".Otherwise, the protocol aborts.Such protocols have two main disadvantages.
First, in order to ensure that the protocol accepts with high probability for honest behaviour, the acceptance set needs to be chosen carefully.Typically, the acceptance set is chosen to be the set of statistics that are close to what is expected from honest behaviour [2][3][4].This requires Alice and Bob to know the honest behaviour of the channel connecting Alice and Bob, before a run of the QKD protocol.In many practical scenarios, such as ground-to-satellite QKD [7][8][9][10][11], it is difficult to know the behaviour of the channel in advance.In fact, this can be a problem even in fibre-based setups [12][13][14].
Second, even if the honest behaviour is known, the size of the acceptance set affects the length of the final key that can be produced.This reflects the fact that the key has to be secure for the worst-case event that accepts.Larger acceptance sets have a high probability of accepting on any given run of the QKD protocol, but lead to a shorter length of the final key, since they include worse accept events.In particular, if users choose a large acceptance set, and then find that their observed statistics are much better than expected, they are not allowed to produce a larger key.Thus, there is a trade-off between protocols that accept with high probability, and protocols which produce a large key on accepting.
A variable-length QKD protocol is one that allows users to adjust the length of the key generated based upon the observed statistics during the protocol [15,16].This eliminates the trade-off described above.It also does not require the expected behaviour of the channel to be known in advance.In fact, many prior works have implemented such a variable-length protocol based upon intuition.For the qubit BB84 protocol, a rigorous treatment of variable-length protocols can be found in Ref. [16], using the phase-error approach for security proofs.
In this work, we present a security proof for variablelength QKD protocols against IID collective attacks, which can be lifted to coherent attacks using the postselection technique [17].Since that lift to coherent attacks is technical and requires details of the postselection technique, it is included in Ref. [18] for pedagogical reasons.This work differs from Ref. [16] in that it follows the lines of the Renner framework (i.e.bounding suitable entropies and applying a leftover hashing lemma) rather than the phase-error approach; in particular, it does not involve an explicit reduction to an analysis of a virtual phase-error-correction procedure.
This work is organized as follows: In Section II we describe the QKD protocol steps, and setup the notation used in this work.In Section III we show how, under certain conditions, a sequence of fixed-length QKD security proofs against IID collective attacks can be lifted to a variable-length QKD security proof against IID collective attacks.Our approach involves at most a doubling of the security parameter.Therefore, for the same target security parameter, the various key lengths for the variablelength protocol are nearly identical to the key lengths for the fixed-length protocols.In Section IV, we consider the scenario where the expected channel behaviour is known in advance, and compute expected key rates for the qubit BB84 protocol, and show that the variablelength protocol generates better expected key rates than the best fixed-length protocol.
We then move on to study scenarios where the channel arXiv:2311.01600v3[quant-ph] 10 May 2024 behaviour is unpredictable, and not known in advance.
In Section V we present another variable-length protocol, where the procedure for choosing the final key length (and length of error-correction information) is especially suited for such scenarios.Our protocol allows Alice and Bob to perform QKD without any prior knowledge about the channel connecting them.In Section VI we apply these results to the qubit BB84 protocol, and show that the variable-length implementation lead to higher expected key rates than the best fixed-length implementation.
In Section VII, we point out and remedy a gap between the theory and implementation of privacy amplification in QKD protocols.This gap exists because in implementations, privacy amplification is typically done on a register of variable length containing the raw sifted key, whereas in theory, privacy amplification is typically done on a register of fixed length containing data from all the signals.In Section VIII we present concluding remarks.Various technical details are delegated to the appendices.

II. NOTATION AND PROTOCOL SPECIFICATIONS
In this work, we will either consider a sequence of fixedlength protocols indexed by i, or a single variable-length protocol where different events in the variable-length decision (see below) are indexed by i.We use the same index i since we construct the variable-length protocol from the sequence of fixed-length protocols in Section III.We describe the protocol steps for both fixed-length and variable-length protocols below.

State Preparation and Transmission: Alice
prepares signal states and sends them to Bob, who measures them.We let N be the total number of signals sent by Alice.For prepare-andmeasure protocols, the source-replacement scheme [19] can be used to equivalently describe this step as Alice and Bob receiving subsystems of the state ρ A N B N E N , followed by Alice measuring her subsystem A N .In this case, one can assume that

where σ⊗N
A is a fixed marginal state which reflects the fact that Alice's system never leaves her lab, and that each signal is prepared independently.Furthermore, since we assume IID collective attacks, we have ρ A N B N E N = ρ ⊗N ABE .2. Measurement: Bob performs measurements on the received states, and stores measurement data.

Public Announcements:
Alice and Bob select at random m rounds [20] out of the total N rounds, and announce their measurement outcomes for those rounds in the register C m AT .These announcements will be used to determine whether to accept or abort in the fixed-length protocol, or to determine appropriate lengths of various strings in the variable-length protocol.
On the remaining n := N − m rounds, Alice and Bob perform round-by-round announcements C n (such as basis-choice, detect / no-detect).They store their private data in registers X n and Y n .The state of the protocol at this stage is given by ρ , where we split up the m test rounds and n key generation rounds.Note that since we assume IID collective attacks, the test round announcements C m AT and registers E m are independent of the raw key Z n .
From the public announcements C m AT , Alice and Bob compute F obs , which is the observed frequency of outcomes in the test rounds of the QKD protocol.

Acceptance Test / Variable-Length Decision:
For the ith fixed-length protocol, Alice and Bob accept the protocol if F obs ∈ Q i .Here Q i denotes the acceptance set for the protocol, and we use Ω i to denote the event F obs ∈ Q i .Note that in this work, we use variables Ω and Ω (with subscripts) to denote the boolean variables corresponding to the occurrence of various events.
For the variable-length protocol, we instead use the following procedure: we have multiple disjoint sets Q i , and use Ω i to denote the event F obs ∈ Q i .Depending on which event Ω i is observed, Alice and Bob can choose different parameters in the processing of the data to the final key (for instance, the number of bits used in error correction, and the length of the final key).
Remark 1.It is important to note that for fixed-length protocols, the details of the acceptance test need to be determined before looking at F obs .In particular, current security proofs for such protocols do not allow users to first look at the observed statistics F obs and then decide the nature of the acceptance test.This is the reason why it is important to know the expected behaviour of the channel before the QKD protocol is run, in order to design an acceptance test that accepts with high probability for honest behaviour.to denote the number of bits of communication during error-correction, when event Ω i occurs.Note that C E may contain additional information beyond λ EC i bits, as long as the information is independent of Alice and Bob's data.For example, if the error-correction protocol randomly divides the data into blocks, then the descriptions of the randomly generated blocks can be included in C E .Thus λ EC i actually refers to the number of bits in C E that are computed from Alice and Bob's data.
Remark 2. It is important to note that one has to fix the exact number of bits of communication during errorcorrection before the QKD protocol is run.In particular, current security proofs do not allow users to first count the number of bits used during error-correction and then adjust the length of the final key produced.For the framework described in this work for variable-length protocols, it is still the case that the values λ EC i need to be decided before the protocol is run, i.e. for each i, the users must implement an error-correction procedure that uses a fixed number [21] of bits, rather than one that uses a randomly varying number of bits.

7.
Error-verification: Alice chooses a two-universal hash function that hashes to ⌈log(1/ε EV )⌉ bits, computes the hash of her raw key, and sends the hash value to Bob, along with the description of the hash function.Bob hashes his guess for Alice's key, compares the hash values, and announces whether the values match or not.We use C V to denote the classical register that stores this communication.We note that since the hash function is chosen independently of Alice and Bob's data, only ⌈log(1/ε EV )⌉ bits of C V are correlated to Alice and Bob's data [22].We use Ω EV to denote the event that the hash values match, and Alice and Bob continue with the protocol.The state of the protocol at this stage is given by ρ B is Bob's guess for Alice's raw key after error-correction.
8. Privacy Amplification: For the ith fixed-length protocol, if event Ω i ∧ Ω EV occurs, Alice chooses a two-universal hash function from n bits to l i bits.She announces the description of the hash function in the register C P , and Alice and Bob apply the hash function to their data to produce their final keys in registers K A and K B .We use ρ Ωi∧ΩEV to denote the final state of the protocol, conditioned on the event Ω i ∧ Ω EV , where we use C to denote the registers For the variable-length protocol, if event Ω i ∧Ω EV occurs, Alice chooses a two-universal hash function from n bits to l i bits.She announces the description of the hash function in the register C P , and Alice and Bob apply the hash function to their data to produce their final keys in registers K A and K B .We use ρ to denote the final state of the protocol, conditioned on the event Ω i ∧Ω EV .
Thus for all the fixed-length QKD protocols, the details of the acceptance test, and the value of λ EC i and l i must be fixed before the start of the protocol.For the variablelength QKD protocol, the details of the variable-length decision (in particular the values of λ EC i and l i ) must be fixed before the start of the protocol.Moreover, the events Ω i ,Ω i determine the pair of values (l i , λ EC i ) for the corresponding protocol.

III. VARIABLE-LENGTH SECURITY FROM FIXED-LENGTH SECURITY
In this section, we show how a sequence of security proofs for fixed-length protocols (against IID collective attacks) can be converted to a security proof for variablelength protocols (against IID collective attacks).Let us suppose that we have M fixed-length QKD protocols, indexed by i ∈ {1, 2, . . ., M }.The protocols differ only in their choice of acceptance test, the number of bits used for error-correction, and length of the final key generated.In particular, the ith protocol accepts if and only if F obs ∈ Q i , where Q i is the acceptance set.Upon acceptance, it uses λ EC i bits for error-correction and produces a key of fixed length l i .

A. Fixed-Length Security Statements
Following standard composable security definitions [23,24], the ith fixed-length QKD protocol is said to be ε secure -secure against some class of attacks if the following condition holds: for all attacks in that class, at the end of the protocol we have Here, ρ Ωi∧ΩEV denotes the actual output state at the end of the protocol, while ρ (li,λ EC i ,ideal) K A K B CE N | Ωi∧ΩEV denotes an "ideal state" obtained by replacing the key registers of ρ (li,λ EC i ) Note that ρ Ωi∧ΩEV is not a "fixed" state but rather a function of the input state.
In particular, in this work we focus on restricting the class of attacks to IID collective attacks, which means we suppose that the input states supplied to the QKD protocol are always of the form ρ ⊗N ABE .For prepareand-measure protocols, the input states are further constrained to satisfy Tr BE (ρ ABE ) = σA , where σA is the fixed marginal state on Alice's system that is obtained from the source-replacement scheme [19].(For entanglement-based protocols, this constraint is not imposed; either version can be handled using the framework presented in this work.)Furthermore, as explained in Ref. [15,23,24], to show that a QKD protocol is ε secure -secure (against some class of attacks), it suffices to prove a pair of simpler conditions, namely that it is ε 1 -correct and ε 2 -secret (against that class of attacks) with ε 1 + ε 2 ≤ ε secure .Specifically, ε 1 -correctness means the output state satisfies while ε 2 -secrecy means it satisfies i.e. the same condition as ε secure -security (Eq.( 1)) but with Bob's key register omitted.(Both of the above conditions are to be implicitly understood as holding against all attacks in the considered class.)In our subsequent discussion, we shall indeed proceed by proving the above pair of conditions rather than Eq.(1) directly.
1.There is a "feasible" set S i ⊆ {ρ ∈ S • (AB)| Tr B (ρ AB ) = σA }, where S • denotes the set of normalized states, such that if the state ρ AB is not in the set S i , the protocol aborts with high probability, and is thus secure.That is, Note that in the entirety of this work, the statement ρ / ∈ S i is assumed to be with respect to the parent set {ρ ∈ S • (AB)| Tr B (ρ AB ) = σA } having the fixed marginal on A. 2. The hash length l i is given by where H denotes the conditional von Neumann entropy, and d Z denotes the dimension of the Z register.This choice of l i is such that if the state ρ AB ∈ S i , a key of length l i can be safely extracted from the protocol.In the entirety of this work, we choose α = 1 + κ/ √ n with κ := log(1/ϵ PA )/log(d Z + 1), assuming n is large enough to ensure that α ≤ 1 + 1/ log(2d Z + 1) is satisfied.This is the choice of α that maximizes Eq. ( 6) (up to a minor approximation that α/(α − 1) ≈ 1/(α − 1)), and also leads to the expected asymptotic scaling in the key rate expression.
To see how these three statements imply Eq. (1), we first note that the protocol is ε EV -correct: where Z n B denotes Bob's guess for Alice's raw key, and the second inequality follows from the fact that B , while the final inequality follows from that the fact that error-verification step compares hashes of length ⌈log(1/ε EV )⌉.
Furthermore, we obtain the following chain of inequalities using some technical lemmas from [25-27] which we restate in Appendix A. The derivation of these inequalities is explained below.We obtain, Pr Ω i ∧Ω EV ρ where H α denotes the Rényi entropy (see Definition 1 and Appendix A) with α as the Rényi parameter.Here we used the leftover hashing lemma for Rényi entropy [26, Theorem 8] (restated in Lemma 6) in the first inequality, and Lemma 11 to split off the error-correction and error-verification information for the second inequality, along with the registers C m AT E m (which are independent of Z n ).We further use Lemma 9 to get rid of the conditioning on acceptance events in the third inequality.The fourth equality follows from additivity of Rényi entropy (Lemma 7), and fifth inequality follows from Lemma 8 .The choice of l i from Eq. ( 6) is the largest possible value that guarantees the final inequality in Eq. ( 8).The IID assumption comes into play in the use of Lemma 7.

B. From fixed-length security to variable-length security
For a variable-length protocol, again following composable security definitions [15,24], we say that it is ε securesecure against some class of attacks [28] if the following condition holds: for all attacks in that class, at the end of the protocol we have Here, Ω len=k denotes the event that a final key [29] of length k is produced, while ρ denotes the actual output state at the end of the protocol conditioned on the event Ω len=k , and ρ denotes an "ideal state" obtained by replacing the key registers of ρ with perfect keys of length k (analogous to Eq. ( 2)).Note that we recover the security definition of fixed-length protocols (Eq.( 1)) from Eq. ( 10) by setting k to be a fixed value k = l i in the sum in Eq. ( 10), and noting that Ω len=k is the same event as Ω i ∧Ω EV , corresponding to a key length of l i bits, and λ EC i bits used for error-correction.Again, in this work we focus only on IID collective attacks, in the sense previously described in Section III A.
Similar to fixed-length protocols, one can define correctness and secrecy for variable-length protocols.Specifically, we shall take ε 1 -correctness to be defined the same way as before (Eq.( 3)), while ε 2 -secrecy is analogously defined by omitting Bob's registers from the variablelength ε secure -security condition, i.e. for all attacks (in the considered class) we have (11) Just as in the fixed-length case, for the variable-length case we also have the property that ε 1 -correctness and ε 2secrecy together imply (ε 1 +ε 2 )-security -the argument is identical to the fixed-length case [15,23,24], and we provide it in Lemma 12 of Appendix.A.
In order to use the security statements from Section III A for (a sequence of) fixed-length protocols to prove security for a variable-length protocol, we require the acceptance sets Q i of those fixed-length protocols to satisfy the following condition.We assume that the acceptance sets Q i for the fixed-length protocols are ordered such that Q i ⊆ Q i+1 .This can in principle be satisfied by suitable construction of the acceptance sets, as we show in Section IV (though the resulting variablelength protocol may not be suitable in all contexts, as we discuss later in Section V).Without loss of generality, we can then pick feasible sets S i such that S i ⊆ S i+1 , since (12) Thus, the feasible set S i can always be chosen to be smaller than the feasible set S i+1 .

Remark
3. Recall from Eq. ( 6), we have is a non-increasing sequence in i.This property will play a crucial part in proving the security of our variable-length protocol.
We now use the acceptance sets Q i from the sequence of fixed-length protocols to construct the sets Q i (in the variable-length decision step) for a variable-length protocol.Specifically, let us define Q 1 := Q 1 , and We then prove the following theorem concerning the security of variable-length QKD protocols.
Theorem 1.Let there be a sequence of fixed-length QKD protocols that vary only in their acceptance criterion ( Q i ), length of error-correction communication (λ EC i ) and final hash length l i .Suppose that for each of these fixed-length protocols, we have a security proof against IID collective attacks, in which Eqs. ( 5) to (7) are true.Furthermore, suppose Q i ⊆ Q i+1 and S i ⊆ S i+1 .Then, the variable-length protocol that upon the event Ω i ∧ Ω EV , generates a key of length l i while having used λ EC i number of bits for error-correction, is (ε AT + ε EV + ε PA )-secure against IID collective attacks, where the values of ε AT , ε EV , ε PA are the same as those in the fixed-length protocol statements Eqs. ( 5) to (7).
Proof.As before, we will prove that the protocol is ε EVcorrect and (ε AT + ε PA )-secret.This will then imply that the protocol is (ε The proof of ε EV -correctness of the protocol remains essentially the same as before (Eq.( 7)): We now focus on proving the (ε AT + ε PA )-secrecy of the protocol.To do so, we first note that the secrecy definition for variable-length protocols (Eq.( 11)) groups together terms with the same output length of the key.However, the different events Ω i ∧Ω EV may correspond to the same output length of the key and different lengths of error-correction information.Nevertheless, the events Ω i ∧Ω EV are deterministic functions of public announcements C m AT , C V .Thus, the states ρ since we can group terms with the same output key length in Eq. ( 14) to show that Eqs. ( 11) and ( 14) are equivalent.(An analogous argument can be conducted at the level of the security condition (Eq.( 10)) directly, though here we focus on just the secrecy condition since that (together with correctness) is sufficient to imply the security condition.)We will now prove Eq. ( 14).
We proceed by noting that since we have the ordering S i ⊆ S i+1 , any input state ρ AB has to fall under exactly one of the following three cases:
We prove the secrecy claim separately for each case.We start with Case 2.
Case 2: If ρ / ∈ S j but ρ ∈ S j+1 for some j, we split up the security definition from Eq. ( 10) into two parts.For the first part, we show that if ρ / ∈ S j , the probability of the protocol obtaining the event Ω 1 ∪ ...Ω j is small: where the final inequality follows from the fixed-length security statement (Eq.( 5)).
To bound the remaining terms, we use some technical lemmas from [25-27] (which are restated in Appendix A), to obtain the following chain of inequalities.
The inequalities above are explained below, with the crucial step explained in Remark 4. We used the leftover hashing lemma for Rényi entropy in the first inequality (Lemma 6), and Lemma 11 to split off the information leakage due to error-correction and the E m register (which is independent of Z n ), in the second inequality.
For the third inequality, we use the fact that l i + λ EC i is a non-increasing sequence in i (Remark 3).We use Lemma 10 to get rid of the conditioning on events for the fourth inequality, and Lemma 11 to split off information leakage due to error-verification and the C m AT register (which is independent of Z n ) in the fifth inequality.The sixth equality follows from the additivity of Rényi entropy (Lemma 7), while the seventh inequality follows from Lemma 8. Finally, we use the security proof statement for fixed-length protocols (Eq.( 8)) and the fact that ρ ∈ S j+1 for the final inequality.Remark 4. We highlight two critical steps in Eq. ( 16).The first is in the third inequality, where we replace l i + λ EC i with the constant value l j+1 + λ EC j+1 , using Remark 3. The second is in the use of Lemma 10 in the fourth inequality, which allows us to get rid of terms involving Rényi entropies of the state conditioned on events.In particular, smooth min-entropy does not straightforwardly allow a statement analogous to Lemma 10, which is the reason for using Rényi entropy in this work.Moreover we split off the C m AT , C V registers after using Lemma 10, since we require the events Ω i ∧ Ω EV to be known to Eve to use Lemma 10 for the fourth inequality.
Bringing Eqs. ( 15) and ( 16) together, we obtain that the protocol is (ε ) Case 1 and Case 3: The analysis of Case 1 is a special case of the above analysis, and follows from choosing j = 0 in Eq. ( 16).The analysis of Case 3 is also a special case, and follows from choosing j = M in Eq. (15).
The theorem claim then follows from the correctness and secrecy statements.Thus, a sequence of security proofs for fixed-length protocols satisfying certain conditions can be turned into a security proof for a variable-length protocol.Moreover, the only penalty imposed by our approach is a minor increase in the security parameter of the protocol, which goes from (max{ε AT , ε PA } + ε EV ) for the fixed-length case, to (ε AT + ε PA + ε EV ) for the variable-length case.In fact, this minor penalty is completely compensated by the ability to generate longer keys in the variable-length case, as we show in the next section.

IV. APPLICATION TO QUBIT BB84
In this section we will show how Theorem 1 can be utilized to improve the expected key rate [30] of QKD protocols.For the sake of simplicity, we consider the qubit based BB84 protocol to illustrate our results.However, Theorem 1 can be directly applied to any fixedlength protocols whose security proof satisfies Eqs.(5) to (7).We use Ref. [2] for the finite-size security proof of qubit BB84, and the numerical key rate framework from Ref.
[31] to compute key rates.The signal preparation and measurement steps of the qubit BB84 protocol are described in Appendix B. The acceptance test and key rate computation is described in Section IV B. We start by explaining the notion of expected key rates.

A. Expected key rate
Before defining expected key rates we first set up the following notation.1. R fixed,i : This denotes the key rate obtained upon the event Ω i ∧Ω EV for the ith fixed-length protocol.
2. R variable,i : This denotes the key rate obtained upon the event Ω i ∧Ω EV for the variable-length protocol.
3. Rfixed,i : This denotes the expected key rate for the ith fixed-length protocol.
4. Rvariable : This denotes expected key rate for the variable-length protocol.
5. ρ hon : This denotes the state corresponding to the honest implementation of the QKD protocol.
Note that R fixed,i and R variable,i are obtained from the security proofs, and are independent of honest behaviour.
For the purposes of this work, in all the expected key rate computations we assume that the probability of the event Ω EV in the honest case is approximately 1.We make this simplifying assumption because the true value would depend on the (honest) probability of Bob correctly guessing Alice's key in the error-correction step, but many error-correction protocols used in practice do not have rigorous lower bounds on this probability, only heuristic estimates.We stress however that this in no way affects our proof that the protocol satisfies the security condition, which does not require any lower bound on this probability.
With this approximation, the expected key rate for the ith fixed-length protocol is given by where Pr Ω i ρ hon is the probability of the protocol accepting during honest behaviour, and R fixed,i is the key rate upon accepting for the ith protocol.We use Rfixed as a useful metric to compare the practical key rate of a QKD protocol.
We can generalize the notion of expected key rate to the variable-length case in a straightforward manner.We define where Pr(Ω i ) ρ hon is the probability of obtaining the event Ω i for honest implementations, and R variable,i is the key rate obtained upon the event Ω i .Again, Rvariable is a useful metric to compare the practical key rate of a QKD protocol.
Thus, the expected key rates can be computed from Eqs. (18) and (19).The values of R fixed,i and R variable,i can be obtained from security proofs.The probabilities Pr Ω i ρ hon and Pr(Ω i ) ρ hon can be estimated numerically, by simulating the channel a large number of times, and computing the fraction of runs that lead to events Ω i and Ω i .
We now describe the acceptance test from Ref. [2], and key rate computations.

B. Acceptance Test and Key Rates
Consider a sequence of fixed-length protocols indexed by i ∈ {1, 2, . . ., M }.Let Σ denote the set of outcomes that can take place in the test rounds.For qubit BB84, Σ consists of the 16 possible outcomes corresponding to Alice's choice of signal state and Bob's measurement outcome.Then following Ref.[2], we shall define the acceptance set Q i for each of these fixed-length protocols as where P(Σ) the set of probability distributions on Σ.
Here F is the probability vector of outcomes for the honest implementation, i.e. each entry of F is the probability of obtaining some outcome in a single round of the honest implementation, as determined by Eq. ( 21) below.F obs is the observed frequency of outcomes, and the acceptance test checks whether the observed frequency of outcomes is close to the expected frequency ( F).Note that one can easily satisfy the condition . This ensures that Theorem 1 can be applied safely.Let Γ j be the POVM element corresponding to the jth outcome, and define to be the map that takes the state ρ and outputs the probability distribution over the outcomes.Given such an acceptance set Q i , a feasible set S i satisfying Eq. ( 5) is given by [2, Theorem 8] where µ is given by The construction of this set crucially uses the concentration inequality from Lemma 13 (Appendix B 1).Therefore, the key length l i satisfying Eq. ( 6) is given by where d Z is the dimension of Z, λ EC i is the number of bits used for error-correction, n is the number of signals for key generation, and we set the Rényi parameter to be α = 1+κ/ √ n with κ := log(1/ϵ PA )/log(d Z + 1).Moreover, λ EC i can be chosen to be any number for the purposes of proving the security of the protocol.However, a careful choice of λ EC i and design of the error-correction protocol is necessary to guarantee that the protocol passes errorverification with high probability for honest behaviour.

C. Results
We now use the above results to compare the expected key rates for fixed-length protocols and variable-length protocols.We consider a protocol with honest behaviour determined by a depolarization probability of 0.02, and misalignment angle about the Y axis of θ = 2 • .We set the basis choice probabilities to p z = p x = 0.5.The total number of signals is given by N = 10 6 , and the number of signals used for testing is given by m = 0.05N .The number of bits used for error-correction is always taken to be λ EC i = λ EC = f nH(Z|Y C) ρ hon where f = 1.16 is the efficiency parameter.We set α = 1 + κ/ √ n with κ := log(1/ϵ PA )/log(d Z + 1), and fix a range of values of t i (horizontal axis of Fig. 1) such that t i ≤ t i+1 .This determines the acceptance sets Q i for the fixedlength protocols, and thus also the sets Q i in the variablelength decision of the variable-length protocol we construct (Section III).We set a target security parameter of ε secure = 10 −12 .We plot various key rates in Fig. 1, which are explained below.1. R fixed,i : This is the key rate upon acceptance for fixed-length protocols for various values of t i .Since ε secure = max{ε PA , ε AT } + ε EV for fixed-length protocols, we set ε AT = ε PA = ε EV = ε secure /2.We use Eqs.( 22) and ( 24) to compute l i for various values of t i , and plot R fixed,i = l i /N .We see that R fixed,i decreases monotonically on increasing values of t i , which reflects the fact that larger acceptance sets lead to lower key rate upon acceptance.
2. Rfixed,i : This is the expected key rate for fixedlength protocols, for various values of t i .We use the values of R fixed,i obtained above, along with Eq. ( 18) to compute Rfixed,i .The probability of accepting the protocol Pr Ω i ρ hon is computed as follows: (a) We first compute the probability vector F corresponding to the honest behaviour ρ hon , by setting F = Φ(ρ hon ), where Φ is defined in Eq. ( 21).
(b) We sample m times from F, and obtain the observed frequency of outcomes F obs .We check whether F obs ∈ Q i .
(c) We estimate Pr Ω i ρ hon by repeating (b) 100000 times, and computing the fraction of times we obtained F obs ∈ Q i .
We see that the Rfixed,i is small at low values of t i , since the probability of the protocol accepting is small.We also see that Rfixed,i is small at larger values of t i , since the key rate upon acceptance is small.The expected key rate thus captures the trade-off between accepting with large probability, versus producing a large key upon acceptance.
3. Rvariable : This is the expected key rate for variablelength protocols.Note that this is a fixed value and not plotted as a function of t i (since we obtain a single variable-length protocol from a sequence of fixed-length protocols determined by the t i s).
Anticipating the use of Theorem 1, we set ε AT = ε secure /4, ε PA = ε secure /4, and ε EV = ε secure /2.We compute l i using Eq. ( 24) for various values of t i , and set R variable,i = l i /N .Using Theorem 1, we obtain that the variable-length protocol constructed from the sequence of fixed-length protocols, for the given set of t i s, is ε secure = (ε AT +ε PA +ε EV )-secure.We compute the various probabilities Pr(Ω i ) ρ hon in the same manner as (2) above (by simulating 100000 runs of the QKD protocol), and compute Rvariable using Eq.(19).
Crucially, we find that the variable-length protocol has higher expected key rate than the best fixed-length protocol.Since the variable-length protocol consists of exactly the same steps as the fixed-length protocol, and only differs in the parameters of the classical processing of the data, the implementation of the variable-length protocol does not impose any additional difficulties, and is accompanied by an increase in the expected key rate.In fact, we expect that implementing a variable-length protocol will almost always lead to an improvement in the expected key rate, as we argue in the following remark.
Remark 5. Consider any fixed-length protocol where the honest behaviour is given by ρ hon .Suppose that Alice and Bob choose to implement a fixed-length protocol, with parameters l, λ EC and t.Now, consider the variablelength protocol for the same honest behaviour ρ hon , for the same choice of ε PA , ε AT , ε EV , obtained by choosing l i according to t 1 ≤ t 2 ... ≤ t, and choosing λ EC i = λ EC .Then since l 1 ≥ l 2 ... ≥ l, using Theorem 1, one is guaranteed to improve upon the expected key rate by switching to a variable-length protocol (albeit with a small increase in the security parameter).This is because the variable-length protocol always has some non-zero probability of producing keys of larger length when compared to the fixed-length protocol.We believe that in almost all cases, this improvement will remain even after choosing the same security parameter for both fixed-length and variable-length protocols (as we saw in Fig. 1).

V. A TRUE VARIABLE-LENGTH PROTOCOL
In the preceding section, we considered a scenario where the honest implementation of the protocol is fixed and known beforehand.However, in scenarios where the honest implementation varies unpredictably between each run of the protocol, it is not clear how Theorem 1 can be used to obtain good key rates.For instance, suppose that the channel has a 50% chance of having honest behaviour ρ hon (leading to statistics F) and ρ ′ hon (leading to statistics F′ ), and F and F′ are very different frequencies.Then it is not clear how to choose suitable acceptance sets that: a) give good key rates and b) on which Theorem 1 can be applied.This is because the size of the acceptance test that includes both F and F′ , is of the order of F − F′ 1 , which can be quite large.This leads to low (or in many cases zero) key rate upon acceptance.Thus, we have not yet resolved the problem of unpredictable channels, which we shall now address in this section.We note that one potential solution to this problem is to coarse-grain the acceptance data, and set the acceptance condition to be "QBER is less than some fixed value".However, coarse-graining involves throwing away information, and has been shown to lead to suboptimal key rates [32].Note that an unpredictable channel connecting Alice and Bob is already a significant issue for experimental implementations, which is sometimes incorrectly resolved by choosing the acceptance test ( F, t) after seeing the observed statistics F obs (see Remark 1).
In this section, we will propose and analyze a variablelength protocol that directly uses F obs , the observed frequency of outcomes, to determine the length of the secret key to be produced and the number of bits to be used for error-correction.Note that unlike Section III, we no longer need to go through a sequence of fixedlength protocols in this section.Instead, we will design the variable-length decision in a different manner that does not depend on a sequence of fixed-length acceptance tests.Crucially, this will involve the construction of a statistical estimator b stat (F obs ), that with high probability is a lower bound on the Rényi entropy H α (Z n |C n E n ) ρ of the state ρ in the QKD protocol.That is, we will first construct a b stat such that for any state ρ, it is the case that Pr This estimator will then be used to determine the length of the output key.We start by presenting some results that allow us to construct such an estimator in Section V A. In Section V B we specify the variable-length protocol, and explain how the users use b stat (F obs ) to decide the length of the key and the number of bits to use for error-correction.Finally, in Section V C we prove the security of the variable-length protocol.
We highlight that the only place we use the IID collective attacks assumption is in Section V A, in the construction of b stat .Therefore, if alternative methods could be found that construct b stat without this assumption, our proof framework would generalize to coherent attacks.

A. Constructing the Estimator
In a QKD protocol, we deal with a fixed yet unknown ρ AB .In particular ρ AB is a fixed state and not a random variable.This ρ AB then gives rise to a random variable F obs .Given that Alice and Bob observe F obs , obtained by performing measurements on ρ ⊗m AB , we would like to construct a set of states V (F obs ), such that V (F obs ) contains ρ AB with high probability.Remark 6.In general, one can use a variety of concentration inequalities to obtain such a set.In the following Lemma, we will use the concentration inequality from Lemma 13 (Appendix B 1).We make this choice since it is the same concentration inequality used in the construction of the feasible set Eq. ( 22), and we wish to make a fair comparison between the variable-length and fixed-length protocols.Thus, for our comparisons later in Section VI, the acceptance tests for the fixedlength protocols and the variable-length decision in the variable-length protocol are designed using the same concentration inequalities.
Lemma 1.For any state ρ, let F obs ∈ P(Σ) be the frequency vector obtained from measuring the state m times, where Σ is the set of possible outcomes.Let Γ j be the POVM element corresponding to outcome j.Define parameters and the map Φ(ρ) := j∈Σ Tr(Γ j ρ) |j⟩ ⟨j|, and the set Then, V (F obs ) contains ρ with probability greater than 1 − ε AT .That is, Pr Proof.F obs is sampled from the probability distribution given by Φ(ρ).The claim follows from Lemma 13, which states that if F obs is obtained by sampling m times from the probability distribution Φ(ρ), then Next, we use the above result to obtain a statistical estimator of a lower bound on the Rényi entropy of the state ρ ⊗n ZCE .Lemma 2. For any state ρ satisfying Tr BE (ρ ABE ) = σA , let F obs ∈ P(Σ) be the frequency vector obtained from measuring the state m times.Define b stat (F obs ) := min (30) where d Z = dim(Z) and 1 < α < 1 + 1/ log(2d Z + 1).Then, Proof.From Lemmas 7 and 8, we have that The claim then follows from Lemma 1.

B. Variable length decision
We will use b stat (F obs ) to construct the following variable-length decision procedure.Let F be the (possibly infinite [33]) set of all possible observations F obs in the variable-length decision step.Let {0, 1, . . ., l max } denote all the possible values of output key lengths in our protocol.Let {0, 1, . . ., λ EC max } denote all the possible values of the number of bits used for error-correction in our protocol.Then, the variable-length decision is implemented as follows: 1. From public announcements C m AT , Alice and Bob compute F obs and b stat (F obs ) .
3. They compute l(F obs ), the length of the final key to be produced, where l(•) : F → {0, 1, . . ., l max } is a function defined as Recall that Ω i denotes the event that a key of length l i is produced using λ EC i bits for error-correction for some values (l i , λ EC i ).In other words, the index i determines the pair (l i , λ EC i ) of values of the key length and length of error-correction information.The sets Q i for the variable-length decision in our protocol are thus formally defined by Note that number of possible events Ω i is always finite (unlike the set of possible observations F), and we denote it by M .The remaining steps of the variable-length protocol are identical to the ones described in Section II.
Remark 7. Recall that in the proof of Theorem 1, the fact that l i + λ EC i was a non-increasing sequence in i played a crucial role.This property is required for similar reasons in the proof of Theorem 2. Thus, without loss of generality, we label the events Ω i such that l i + λ EC i forms a non-increasing sequence in i.

Such an ordering allows us to prove the following
Lemma, which we use in the next section in our security proof.Lemma 3. Let T p = {i|l i > 0} be the set of values of i that lead to non-trivial length of the key.Then, ) for any j ∈ {1, 2, . . ., M }.
Proof.For any i ∈ T p , using Eq. ( 32) we have where we used the fact that Ω i are disjoint events in the first equality, Eq. ( 35) for the second inequality, and the ordering on l i + λ EC i (Remark 7) in the final inequality.
We now have all the tools necessary to prove the security of our variable-length protocol.Before presenting the security proof, we compare the fixed-length and variablelength implementations in the following remark.
Remark 8.Note that with the way we construct the acceptance tests and variable-length decision in this section, the following property holds.Focusing on the fixedlength implementation for some specific i, the key length whenever the protocol accepts is given by Eq. ( 24), which is an optimization over the feasible set S i (Eq.( 22)) whose size is determined by t i + µ.On the other hand, the variable-length implementation determines the key length (Eq.( 32)) by looking at the observed value F obs and optimizing over the set V (F obs ) (Eq. ( 27)) whose size is determined by µ.Now observe that whenever F obs takes a value such that the fixed-length implementation would accept during the acceptance test (Eq.( 20)), V (F obs ) is smaller than S i , and the only difference between Eq. ( 24) and Eq. ( 32) is in the optimization set.Therefore, it follows that the variable-length key rate is always higher when the same values of ε AT , ε EV , ε PA are used in the two cases (though as previously discussed, this results a minor increase in ε secure ).

C. Security proof of variable-length protocol
Theorem 2. The variable-length protocol that, on obtaining F obs during the variable-length decision and passing error-verification, hashes to length l(F obs ) using λ EC (F obs ) bits for error-correction (according to Eq. ( 32)), is (ε AT + ε EV + ε PA )-secure.
Proof.As in the proof of Theorem 1, we will show that the protocol is ε EV -correct and (ε PA + ε AT )-secret, implying that the protocol is (ε EV + ε AT + ε PA )-secure (Lemma 12 or Ref. [15]).First note that the proof of ε EV -correctness of the protocol is the same as in the proof of Theorem 1 (Eq.( 13)).Thus we only need to prove secrecy.
Again, as in the proof of Theorem 1, it is sufficient to show that since each of the states ρ (li,λ EC i ) K A CE N |Ωi∧ΩEV have orthogonal supports.This is because the event Ω i ∧Ω EV is a deterministic function of the registers C m AT , C V .Thus, Eqs. ( 11) and (37) are equivalent.
Recall that the values l i + λ EC i are ordered such that they form a non-increasing sequence (Remark 7).Thus, for any ρ AB that the protocol can start with, the Rényi entropy H α (Z n |C n E n ) ρ has to fall under at least one of the following three cases: We will prove the secrecy claim separately for each case.Suppose ρ is such that it satisfies case 2, for some value j.In this case, the secrecy bound can be obtained similar to the proof of Theorem 1, by splitting up the sum into two convenient parts.The first part groups the set of events that happen with low probability, and is given by, (38) Here the first equality follows from the fact that the real and the ideal outputs are identical when the length of the key generated is zero, the second inequality uses the fact that the trace norm is upper bounded by 2, and the third inequality follows from the properties of probabilities.The fourth inequality uses Lemma 3, the fifth inequality follows from the fact that and the final inequality from Lemma 2.
For the remaining terms, we follow the same steps as Eq. ( 16) from the proof of Theorem 1.We obtain the following inequalities: We now explain the derivation of the expressions above, and highlight the crucial steps in Remark 9.The first equality follows from the fact that the real and the ideal outputs are identical when the length of the key generated is zero.We use the leftover hashing lemma for Rényi entropy for the second inequality (Lemma 6), and Lemma 11 to split off the information leakage due to error correction, and the E m register (which is independent of Z n ) in the third inequality.The ordering on l i + λ EC i from Remark 7 allows us obtain the fourth inequality, and we use Lemma 10 to get rid of the conditioning on events for the fifth inequality.We use Lemma 11 again to split off the error-verification communication, and the C m AT register (which is independent of Z n ) in the sixth inequality.We use the fact that for the seventh inequality, and Eq.(32) for the eighth inequality.
Remark 9.As in the proof of Theorem 1, the critical steps in the above chain of inequalities are the replacement of l i + λ EC i with l j+1 + λ EC j+1 in the third inequality, and using Lemma 10 in the fourth inequality to get rid of the conditioning on events in the Rényi entropies.As in the proof of Theorem 1, we split of C m AT and C V registers after using Lemma 10, since we need the events Ω i ∧Ω EV to be known to Eve in order to use Lemma 10.
Case 1 and Case 3: The analysis of Case 1 is a special case of Case 2, and is obtained by setting j = 1 in Eq. ( 39).The analysis of Case 3 is a special case of Case 2, and is obtained by setting j = M in Eq. (38).
Bringing Eqs. ( 38) and (39) together, we obtain Remark 10.Since the protocol from Theorem 2 does not impose any condition on the sets Q i , unlike Theorem 1 which requires the acceptance sets Q i of the fixedlength protocols to form a nested sequence, one can use Theorem 2 in scenarios where the channel behaviour is unpredictable and chaotic.This is especially desirable for ground-to-satellite QKD, where the channel behaviour is difficult to predict in advance.In the next section, we show how Theorem 2 can be used to improve the expected key rate in such scenarios.

VI. APPLICATION TO QUBIT BB84
In this section, we compute expected key rates for fixed-length and variable-length qubit BB84 protocols for a scenario where the honest behaviour is unpredictable.The fixed-length implementation is identical to Expected key rate for fixed-length protocols ( Rfixed,i ) for various values of ti, key rate upon acceptance for fixedlength protocols (R fixed,i ) for various values of ti and the expected key rate for variable-length protocol ( Rvariable ).
the one from Section IV.The variable-length implementation is also similar, except the variable-length decision, which is implemented as described in Section V B above.In particular, after signal transmission, measurements, and public announcements, Alice and Bob compute F obs from public announcements, and determine l(F obs ) and λ EC (F obs ) according to Eq. (32).
For the sake of simplicity, we consider a channel model that can take a discrete set of values for the depolarization probability and the misalignment angle.We assume that the channel is such that, on any given run, the depolarization probability is chosen randomly from {0.02, 0.03, 0.04, 0.05} with equal probability, and the misalignment angle is chosen randomly from {2 • , 4 • , 6 • , 8 • , 10 • } with equal probability.Thus the channel has n ch = 20 possible values, which it takes with equal probability.We use ρ (j) hon to denote the state corresponding to the jth honest behaviour of the channel.We set the basis choice probabilities to p x = p z = 0.5, the total number of signals to N = 10 6 , and the number of signals used in the public announcement to m = 0.05N .We estimate the number of bits to be used for error-correction from F obs , by setting λ EC (F obs ) = f nH(Z|Y C) F obs where f = 1.16 is the efficiency factor.We set a target security parameter of ε secure = 10 −12 .
We now explain the various key rates plotted in Fig. 2.
1. R fixed,i : This is the key rate upon acceptance for the fixed-length protocol, plotted against t i , the size of the acceptance set, and is identical to the plot from Fig. 1.We set ε PA = ε EV = ε AT = ε secure /2, and compute R fixed,i = l i /N , where l i is computed according to Eq. ( 24) for the acceptance test in Eq. (20).We choose the centre ( F) of the fixedlength acceptance set (Eq. ( 20)) to be the expected frequency of outcomes corresponding to the channel with the least possible depolarization probability (0.02) and least possible misalignment angle (2 • ).
As expected, we see that R fixed,i decreases mono-tonically as we increase t i , reflecting the fact that larger acceptance sets lead to lower key rates upon acceptance.
2. Rfixed,i : This is the expected key rate for fixedlength protocols.Let Q i be the acceptance set for the fixed-length protocol for a given value of t i .
Then, the expected key rate is given by hon ), where Φ is defined in Eq. ( 21).
(b) From each F(j) , we sample m times to obtain F obs .We check whether F obs ∈ S i or not.
(c) We estimate Pr by repeating step (b) 50 times for reach possible honest behaviour, and computing the fraction of times we obtained F obs ∈ S i .
Thus, the whole process is a simulation of 1000 runs of the QKD protocol, with each channel being used 50 times.
In Fig. 2 we see that Rfixed,i is much smaller than R fixed,i since the fixed-length protocol only accepts on a small number of channel behaviours.As t increases, the fixed-length acceptance set becomes larger, starts accepting on multiple values of Fj , and therefore has a larger probability of acceptance.Thus, the expected key rate Rfixed,i increases slightly.However, the size of the acceptance test is already large, and the key rate upon acceptance (R fixed,i ), rapidly goes to zero for large t i .This causes Rfixed,i to also go to zero rapidly.
3. Rvariable : This is the expected key rate for variablelength protocols.This is given by is the probability of obtaining F obs when the honest behaviour is ρ (j) hon , and R variable (F obs ) is the key rate obtained for the observed frequency F obs .The term in the parenthesis represents the expected key rate for the jth channel behaviour.Note that Rvariable is a fixed value and not plotted against t i , and is computed as follows.
(a) For each channel model, we compute the expected statistics F(j) corresponding to the honest behaviour ρ (j) hon .(b) From each F(j) , we sample m times to obtain F obs .We compute l(F obs ) according to Eq. ( 32), with ε PA = ε AT = ε secure /4 and ε EV = ε secure /2, and set R variable (F obs ) = l(F obs )/N .
(c) For each channel model, we repeat step (b) 50 times, and compute the average value of R variable (F obs ).This is our estimate of (d) Rvariable is then computed by averaging the key rate obtained in step (c), over all the possible channel models.
Thus the above procedure is a simulation of 1000 runs of the QKD protocol, with each channel behaviour being used 50 times.Crucially, we find the expected key rate for variable-length protocols is much higher than the expected key rate for the fixed-length protocols.
Remark 11.Note that the degree of improvement shown by the variable-length protocol in Fig. 2 depends on n ch .Larger values of n ch reflect a higher variation in the channel behaviour, and will lead to a bigger difference between the performance of fixed-length and variablelength protocols.In this work, we chose the above channel model for the sake of simplicity.Detailed studies of practical QKD protocols over realistic, unpredictable channel models will be the subject of future work.

VII. VARIABLE INPUT-LENGTH PRIVACY AMPLIFICATION
So far we have studied the variable-length aspects of the final key that is generated after privacy amplification in QKD protocols.In this section, we will turn our attention to the variable-length aspect of the sifted raw key in QKD implementations, before privacy amplification.In particular, we will point out and remedy a gap between the theoretical analysis of privacy amplification and its experimental implementation.For simplicity, we only consider fixed-length QKD protocols.However, our results can be generalized to variable-length protocols in a straightforward manner.
A. Sifting in QKD Consider the following three ways of implementing the sifting step in QKD protocols.
1. Map the discard outcomes to ⊥: In this case, the state prior to privacy amplification is given by ρ Ẑn Y n CE N , where Ẑ is a register that takes values in {0, 1, ⊥}, and C = C n C m AT C E C V for brevity.In this case, one has to implement privacy amplification using two-universal hashing from Ẑn to l bits.In particular, binary Toeplitz hashing, a widely used choice, is not possible.
2. Map the discard outcomes to 0: In this case, the state prior to privacy amplification is given by ρ Z n Y n CE N , where Z is a register that takes values in {0, 1}.In this case, one has to implement privacy amplification using two-universal hashing from n bits to l bits.In particular, binary Toeplitz hashing, a widely used choice, is possible; however, the hash matrices must always be for input strings of a fixed length n.
3. Actually discard the discard outcomes: In this case, the state prior to privacy amplification is given by ρ Z ≤n Y n CE N , where Z ≤n is a register that takes values in the set of bitstrings of length less than or equal to n, which we shall denote as {0, 1} ≤n .In this case, one first looks at the number of bits in the register Z ≤n , denoted by len(Z ≤n ), and chooses a two-universal hashing procedure from len(Z ≤n ) bits to l bits.This is what is commonly done in QKD experiments.Practically, one would like to use binary Toeplitz hashing in this procedure.However, we will see below that this is not a valid two-universal hashing procedure from {0, 1} ≤n to l bits.
The theoretical analysis of Case 1 and Case 2 is straightforward, since they constitute valid two-universal hashing procedures from {0, 1, ⊥} n to l bits, and n bits to l bits respectively.Thus, the leftover hashing lemma can be directly applied.However, Case 3 is not necessarily a two-universal hashing procedure from {0, 1} ≤n to l bits, as we now explain.Thus we cannot directly apply the leftover hashing lemma in this case.

B. The problem
For every i ∈ {0, 1, . . ., n}, let F hash i denote a twouniversal hash family from i bits to l bits.Then, the procedure described in Case 3 above is equivalent to first randomly sampling f i ∈ F hash i for every i, followed by computing f len(Z ≤n ) (Z ≤n ).Note that in this case, only one of the sampled f i s is ever applied.In order for this procedure to be a valid two-universal hashing procedure from {0, 1} ≤n to l, by definition it must be the case that for any two inputs z 1 ̸ = z 2 , we have Pr f1,f2,...,fn When z 1 and z 2 are of the same length, then Eq. ( 43) follows from the two-universal property of F hash i .When z 1 and z 2 are of different length, an explicit counterexample can be obtained by considering z 1 and z 2 to be all-zero strings of different lengths.In this case, if F hash i is a two-universal linear hash family, then f len(z1) (z 1 ) = f len(z2) (z 2 ) = 0 with probability 1.Thus for binary Toeplitz hashing, Case 3 is not a valid two-universal hashing procedure.Thus we cannot directly apply the leftover hashing lemma.
Remark 12.We note that if every F hash i is chosen such that it is two-universal and has the following "uniform output" property: Pr (44) then it is straightforward to prove that Eq. ( 43) holds and hence the described procedure is a valid two-universal hashing.Furthermore, in principle any two-universal hashing procedure can be modified into one that satisfies Eq. ( 44), via the construction we describe in the Lemma 4 proof below.However, physically implementing this conversion in an actual QKD protocol would be an undesirable additional cost, hence we instead provide a proof that shows that this is not necessary.

C. The solution
We address this issue with Lemmas 4 and 5 below.We start by proving the following modified leftover hashing lemma that is applicable to Case 3, as long as the protocol satisfies the property that the positions and values of the discarded outcomes can be determined from the public announcements C (we return to this point after presenting the lemmas and their proofs).Our approach is to first use Remark 12 to construct a virtual hashing procedure that is a valid two-universal hashing procedure from {0, 1} ≤n to l bits.We will then show that the actual output states can be obtained by performing a CPTP map on the virtual output states.The required result then follows from data-processing inequalities.Lemma 4. Let ρ Z ≤n CE N be a state classical in Z ≤n C (where the Z ≤n register takes values in {0, 1} ≤n ), with the property that conditioned on each possible value c on the C register, the resulting distribution on Z ≤n is only supported on values in {0, 1} kc for some constant k c ∈ N. Let ρ K A CE N be the state obtained from ρ Z ≤n CE N by first computing the number of bits len(Z ≤n ) in the Z ≤n register, then implementing a two-universal hashing procedure from len(Z ≤n ) bits to l bits, where C := CC P with C P being the choice of hashing function (in other words, the procedure described above in Case 3).Then for any event Ω on the classical register C, we have (for Proof.As explained in Section VII B, the hashing procedure described above can be thought of as first randomly sampling f i ∈ F hash i for every i, and then computing f len(Z ≤n ) (Z ≤n ).However, as noted in that section, this process is not a valid two-universal hashing procedure from {0, 1} ≤n to l bits.
Consider instead the following virtual hashing process, based on new hash families [34] Fhash i := F hash i × {0, 1} l (for every i).This virtual process first randomly samples (f i , u i ) ∈ Fhash i for every i, i.e. f i is sampled from the same two-universal hash family F hash i as before, and u i is a random l-bit string.It then computes f len(Z ≤n ) (Z ≤n ) ⊕ u len(Z ≤n ) as its hash output.Now, this virtual hashing procedure is a valid two-universal hashing procedure from {0, 1} ≤n to l bits, because each hash family Fhash i is two-universal and satisfies the "uniform output" property (Eq.( 44)).
Denote the output state of the virtual process (act- ĈP being the description of the hash function chosen in the virtual process (in particular, all the values (f i , u i ) from the virtual process).Let us analogously define ρ (ideal,virtual) . Now, we construct a CPTP map E : K A ˆ CE N → K A CE N that will map the virtual output states to the actual output states.This map E does the following operations: 1. Look at C and determine the corresponding value k C (as defined in the conditions of this lemma) [35], to be used in the subsequent steps.
2. Look at ĈP and determine u k C , to be used in the subsequent steps.

Replace K
4. Partial trace on the ĈP register, on everything except the f k C information.
It is straightforward to verify that this map E indeed satisfies and analogously for the above states conditioned on the event Ω (since E does not disturb the register C).Therefore, we have where we used the fact that CPTP maps cannot increase trace norm in the third inequality, and leftover hashing lemma for Rényi entropies (Lemma 6) for the fourth inequality, and Lemma 9 for the final inequality.
Remark 13.While here we have focused on proving an analogue of the leftover hashing lemma for Rényi entropy (Lemma 6), a similar result for the smooth min-entropy version can be obtained by exactly the same proof (except that when conditioning on the event Ω, one should use the subnormalized conditional states; see [1, Lemma 10 and Proposition 9]).
In order to use Lemma 4, we have to compute bounds on the Rényi entropy H α (Z ≤n | CE N ) ρ , which is computed on the state just prior to privacy amplification in Case 3.However, we expect that if the registers that were discarded to produce Z ≤n are completely determined by the register C, then this entropy should be the same as the value before the discarding process, since the conditioning register C could be used to isometrically convert between the values before and after discarding some registers.We formalize this claim in the following Lemma and subsequent discussion.Lemma 5. Suppose ρ R CE N , ρ Z ≤n CE N are states that are classical in C, and related to each other as follows: letting R c be a register containing the support of the conditional state ρ R| C=c , there exist isometries Then we have Proof.We intuitively expect Eq. ( 49) to be true, since Eq. ( 48) essentially states that C can be used to isometrically convert R to Z ≤n .To formalize this, we first note that each isometry V (c) Rc→Z ≤n can always be extended to an isometry V R→Z ≤n , i.e.where the domain is the full Hilbert space of R (padding the output space Z ≤n with extra dimensions if dim(R) > dim(Z ≤n )).Furthermore, Eq. (48) still holds with V defined in terms of these new isometries instead, i.e. we have (It does not matter how we chose the extensions, since ρ R CE N is only supported on a subspace that is unaffected by these choices of extensions.)Furthermore, letting Cc be a copy of the register C, using [25, Lemma B.7] we have Thus, it is enough to show that H α (Z ≤n Cc | CE) ρ = H α (R Cc | CE) ρ .This follows from Eq. ( 50), and the fact that the Rényi entropy is invariant under isometries on the first subsystem, since by defining the isometry which concludes the proof [37].
To apply Lemmas 4 and 5 in comparing Cases 1, 2 and 3 described previously, we can begin by viewing R as being Ẑn in Case 1 or Z n in Case 2. If the protocol satisfies the condition that the positions and values of discarded outcomes are fixed by the public announcements C, we can define operations V (c) Rc→Z ≤n that simply drop the discarded outcomes specified by c, and it is not difficult to show the state ρ Z ≤n CE N in Case 3 has the following properties:  39) (and similar bounds in other calculations) is valid even if we apply the procedure in Case 3 rather than Case 2. To qualitatively summarize, under that protocol condition, the bounds obtained on the privacy amplification procedure in QKD are unaffected if the actual protocol implements Case 3 in place of Case 1 or Case 2.

VIII. CONCLUSION
In this work, we presented a security proof for variablelength QKD protocols in the security analysis framework of Renner, against IID collective attacks.First, we showed how a sequence of security proofs for fixedlength protocols satisfying certain conditions can be converted to a security proof for a variable-length protocol.This conversion did not require any new calculations, or any changes to the final key lengths or the lengths of error-correction information.Moreover, the maximum penalty imposed by this approach is a doubling of the security parameter.We exemplified this result by studying the performance of variable-length and fixedlength implementations of the qubit BB84 protocol, implemented over a fixed, known channel.We showed that the variable-length implementation leads to an improvement in the expected key rate of the protocol, compared to the best fixed-length implementation.Additionally, we showed that implementing the variable-length protocol eliminates the typical trade-off in fixed-length implementations, where a larger acceptance test leads to a higher probability of accepting during honest behaviour, but low key rate upon acceptance.
Next, we moved on to consider scenarios of unpredictable channels.Here, we construct the variable-length decision in a way that does not rely on a nested sequence of acceptance tests, and proved the security of the resulting class of variable-length protocols.These protocols did not require users to characterize their channel before running the QKD protocol.Instead, they include instructions for adjusting the length of the final key, and the amount of error-correction information, for every possible observation during the protocol.We exemplified this result by studying the performance of the qubit BB84 protocol implemented in this fashion.We showed that the variable-length implementation leads to a significant improvement in the expected key rate compared to fixedlength implementations, especially for scenarios where the channel is chaotic and unpredictable.
These results are a significant step towards practical QKD implementations, since they eliminate the typical trade-off from fixed-length implementations, and remove the requirement of channel characterization.Moreover, variable-length protocols have already been implemented in several works based on intuition.This work puts such claims (under the Renner framework) on a solid mathematical footing.(We highlight that in particular, our proof approach relies on a leftover hashing lemma for Rényi entropies that was only recently developed, in Ref. [26].It does not seem entirely straightforward to construct a similar rigorous analysis using the earlier leftover hashing lemma versions that were based on smooth min-entropy.) In order to use the results of this work to implement a valid variable-length QKD protocol, one can follow the following steps.First, decide λ EC (F obs ) to be any function of the observed statistics F obs .This fixes the number of bits used for error-correction, for any F obs .Second, construct a set V (F obs ) satisfying Eq. ( 28).This fixes b stat (F obs ) via Lemma 2, and l(F obs ) via Eq.(32).Then, the variable-length protocol that produces a key of length l(F obs ), and uses λ EC (F obs ) bits for error-correction, upon obtaining F obs , is secure.In practise, one should choose λ EC (F obs ) such that the error-correction protocol has a high chance of succeeding.Furthermore, while we have provided one construction of V (F obs ) in this work, it is straightforward to construct V (F obs ) using other concentration inequalities.
Finally, all our security proofs can be lifted to coherent attacks using the postselection technique.For pedagogical reasons, this is included in Ref. [18], where we also fix a technical flaw in the application of postselection technique to QKD.Alternatively, we highlight that the only part of our Section V proof that relied on the IID collective-attacks assumption was the construction of b stat in Lemmas 1 and 2. Therefore, any alternative approach that could construct a valid b stat for coherent attacks would also serve to yield a security proof against such attacks for variable-length protocols.
i on the number of bits used, by noting that the number of bitstrings of length up to some value ν is 2 ν+1 − 1, so an (ν + 1)-bit register suffices to encode all such bitstrings.With this, it suffices to replace the λ EC i values in our subsequent key length formulas with ν EC i + 1.
[22] While Bob's announcement technically constitutes an extra bit, we note that in our security proofs, when accounting for the "leakage" caused by ] also technically requires describing some honest ideal functionality in the case where Eve does not attack the protocol.For a variable-length protocol, we can take this to simply be a functionality that outputs perfect keys (of variable length) to Alice and Bob and nothing to Eve except the length of the key, with the distribution of key lengths being the same as that of the honest protocol behaviour.(This behaviour does not have to be explicitly known, for instance when considering the Section V protocol.We merely require this honest behaviour to exist in principle, and (to avoid only having trivial operational implications) for it to produce some "reasonable" expected key rate.)With this choice of ideal functionality, the protocol satisfies the property of completeness (see [23,24] for details) with perfect completeness parameter.

FIG. 1 .
FIG. 1.Expected key rate for fixed-length protocols ( Rfixed,i ) for various values of ti, key rate upon acceptance for fixedlength protocols (R fixed,i ) for various values of ti, and the expected key rate for the variable-length protocol ( Rvariable ) constructed from the fixed-length protocols.
where the expression in the parenthesis represents the expected key rate for the jth channel behaviour.We use the values of R fixed,i obtained above, and numerically estimate Pr F obs ∈ Q i ρ For each channel model, we compute the probability vector F(j) corresponding to the honest behaviour ρ (j) hon , by setting F(j) = Φ(ρ

5 .
Key Map and Sifting: Alice maps her raw data X n to her raw key Z n where Z is a binary variable, based on the announcements C n .In this work, we assume that Alice sets Z to 0 for signals that are sifted out, and let d Z denote the dimension of the Z register.
6. Error-correction: Alice and Bob implement error-correction by exchanging classical information in the register C E .For the ith fixed-length protocol, we use λ EC i to denote the number of bits of communication during error-correction, when the protocol accepts.For variable-length protocols we use λ EC i Rc→Z ≤n operations are indeed isometries, and ρ Z ≤n CE N is related to ρ R CE N in the sense expressed in Eq. (48).2.ρ Z≤n CE N satisfies the conditions of Lemma 4, and hence Eq. (45) is valid.3. ρ Z ≤n CE N satisfies the conditions of Lemma 5, and hence H α (Z ≤n | CE N ) ρ in Eq. (45) can be replaced with H α (R| CE N ) ρ .Rc→Z ≤n is fixed, and all the discarded positions have fixed values so there are no "collisions".)With this, we see that for Case 3 the bound in Eq. (45) holds with H α (Z ≤n | CE N ) ρ replaced by H α ( Ẑn | CE N ) ρ from Case 1 or H α (Z n | CE N ) ρ from Case 2 [38]; in particular, for the purposes of this work this means the third line in Eq. ( CV , we only consider the state conditioned on accepting in this step, in which case this extra bit takes a deterministic value and does not affect any entropies.[23] C. Portmann and R. Renner, Cryptographic security of quantum key distribution (2014), arxiv:1409.3525[quantph].[24] C. Portmann and R. Renner, Security in quantum cryptography, Rev. Mod.Phys.94, 025008 (2022).[25] F. Dupuis, O. Fawzi, and R. Renner, Entropy Accumulation, Communications in Mathematical Physics 379, 867 (2020).[26] F. Dupuis, Privacy amplification and decoupling without smoothing, IEEE Transactions on Information Theory , 1 (2023).[27] M. Tomamichel, Quantum Information Processing with Finite Resources, SpringerBriefs in Mathematical Physics, Vol. 5 (Springer International Publishing, Cham, 2016).[28] A full specification of a composable security framework [23, 24