Improved composable key rates for CV-QKD

Modern security proofs of quantum key distribution (QKD) must take finite-size effects and composable aspects into consideration. This is also the case for continuous-variable (CV) protocols which are based on the transmission and detection of bosonic coherent states. In this paper, we refine and advance the previous theory in this area providing a more rigorous formulation for the composable key rate of a generic CV-QKD protocol. Thanks to these theoretical refinements, our general formulas allow us to prove more optimistic key rates with respect to previous literature.

Consider a CV-QKD protocol where $N$ single-mode systems are transmitted from Alice $A$ to Bob $B$. A portion $n$ of these systems will be used for key generation, while a portion $m = N - n$ will be used for parameter estimation. Let us assume that the bosonic communication channel depends on a number $n_{\rm pm}$ of parameters $p = (p_1, p_2, \ldots)$ (e.g., transmissivity and thermal noise of the channel). These parameters are estimated by the parties and we will account for their partial knowledge at the end of the derivations. For now, let us assume that Alice and Bob have perfect knowledge of $p$.
Under the action of a collective attack, the output classical-quantum (CQ) state of Alice (A), Bob (B) and Eve (E) has the tensor-structure form $\rho^{\otimes n}$, where Here Alice's variable $k$ and Bob's variable $l \in L = \{0, \ldots, 2^d - 1\}$ are both multi-ary symbols ($2^d$-ary, equivalent to $d$-bit strings) and $p(k, l)$ is their joint probability distribution (depending on the interaction used by Eve).
In the case of a protocol based on the Gaussian modulation of coherent states, the multi-ary symbols are the output of analog-to-digital conversion (ADC) from Alice's and Bob's quadratures, $x$ and $y$, i.e., we have $x \xrightarrow{\rm ADC} k$ and $y \xrightarrow{\rm ADC} l$. If the protocol is based on the homodyne detection, we have that $y$ is randomly created by a random switching between the $q$ and $p$ quadrature (with Alice choosing the corresponding quadrature for each instance, upon Bob's classical communication). If the protocol is based on the heterodyne detection, both $q$ and $p$ quadratures are used, so we have $y = (q_B, p_B) \xrightarrow{\rm ADC} (l_q, l_p)$ followed by the concatenation $l = l_q l_p$ so that the dimension is $d = d_q + d_p$, where $d_q$ ($d_p$) refers to the dimension of $l_q$ ($l_p$). Finally, in the case of CV-QKD protocols based on discrete-alphabet coherent states, no ADC is necessary and the discretized variables are directly expressed by the encoding variables.
Whatever protocol is used, after $n$ uses, there will be two sequences of multi-ary symbols, $k = (k_1, k_2, \ldots)$ and $l = (l_1, l_2, \ldots)$, each with length $n$ (so their equivalent binary length would be $nd$). These are generated with joint probability $p(k, l) = \prod_{i=1}^{n} p(k_i, l_i)$, and the total $n$-use state of Alice, Bob and Eve reads where $|k\rangle = \otimes_{i=1}^{n} |k_i\rangle$, $|l\rangle = \otimes_{i=1}^{n} |l_i\rangle$ and

B. Error correction and epsilon correctness
Alice and Bob will then perform procedures of error correction (EC) and privacy amplification (PA) over the state $\rho^{\otimes n}$ with the final goal to approximate the $s_n$-bit ideal CQ state, which is of the type where Alice's and Bob's classical systems contain the same random binary sequence $s$ of length $s_n$, from which Eve is completely decoupled (note that the final output is a binary sequence even if we start from multi-ary symbols $k$ and $l$ for Alice and Bob).
In reverse reconciliation, Alice attempts to reconstruct Bob's sequence $l$. During EC, Bob publicly reveals ${\rm leak}_{\rm ec}$ bits of information to help Alice to compute her guess $\hat{l}$ of $l$ starting from her local data $k$. In practical schemes of EC (based on linear codes, such as LDPC codes), these ${\rm leak}_{\rm ec}$ bits of information correspond to a syndrome ${\rm synd}(l)$ that Bob computes over his sequence $l$, interpreted as a noisy codeword of a linear code agreed with Alice.
Then, as a verification, Alice and Bob publicly compare hashes computed over $\hat{l}$ and $l$. If these hashes coincide, the two parties go ahead with the probability $p_{\rm ec}$, otherwise, they abort the protocol. We denote by $T_{\rm ec}$ the case of a successful verification (no abort), so that $\rho_{|T_{\rm ec}}$ represents a conditional post-EC state. More specifically, the hash comparison requires Bob to send $\lceil -\log_2 \varepsilon_{\rm cor} \rceil$ bits to Alice for some suitable $\varepsilon_{\rm cor}$ (the number of these bits is typically small in comparison to ${\rm leak}_{\rm ec}$). Parameter $\varepsilon_{\rm cor}$ is called the $\varepsilon$-correctness [32, Sec. 4.3] and it bounds the probability that Alice's and Bob's corrected sequences are different even if their hashes coincide. The probability of such an error is bounded by [33]

$$p_{\rm ec}\, {\rm Prob}(\hat{l} \neq l \,|\, T_{\rm ec}) \le p_{\rm ec}\, 2^{-\lceil -\log_2 \varepsilon_{\rm cor} \rceil} \le \varepsilon_{\rm cor}. \tag{6}$$

C. Equivalence to a projection process
As discussed above, EC consists of two steps. In the first (correction) step, Bob sends the syndrome information ${\rm synd}(l)$ to Alice. Conditionally on ${\rm synd}(l)$, she transforms her variable via a function The second (verification) step is the verification of the hashes. If successful, this is equivalent to having a corrected sequence $\hat{l}$ that is indistinguishable from $l$ with a probability larger than $1 - \varepsilon_{\rm cor}$. Overall, successful EC is equivalent to filtering the entire set of initial sequences (k, l) ∈ {0, . . ., with associated probability $p_{\rm ec} = \sum_{(k,l)\in\Gamma} p(k, l)$. This can equivalently be represented by a projection restricting the classical states to the labels $(k, l) \in \Gamma$ followed by the application of the quantum operation according to the transformation in Eq. (7). In particular, note that this operation is a completely positive trace-preserving (CPTP) map, i.e., a quantum channel. Thus, the (normalized) post-EC state is given by It is clear that the state above, expressed in terms of $n$-long sequences of $2^d$-ary symbols, can equivalently be rewritten in terms of $nd$-long binary strings. It is also important to note that, due to the projection, the state after EC no longer has a tensor product structure.

D. Privacy amplification and epsilon secrecy
The next step is PA which realizes the randomness extraction while decoupling Eve. The parties agree to use a function $f$ randomly chosen from a family $F$ of 2-universal hash functions with probability $p(f)$ among a total of $|F|$ possible choices (note that it is necessary to randomize over the hash functions as discussed in Ref. [34]). Then, they transform their multi-ary $n$-long sequences into $nd$-long binary strings (so the state in Eq. (11) is suitably expressed in terms of these binary strings). Such strings are individually compressed into a key pair $\{\hat{s}, s\}$ of $s_n < nd$ random bits.
The process of PA can be described by a CPTP map $\rho_F \otimes \rho^n_{ABE|T_{\rm ec}} \to \rho^n_{ABEF|T_{\rm ec}}$, where which is a generalization of Ref. [35, Eq. (5.5)]. This also means that Alice's and Bob's sequences undergo local data processing which cannot increase their distinguishability, i.e., we have due to the pigeonhole principle. By tracing out Alice, we can write the reduced state of Bob (containing the key) and Eve (14) On the latter state, we impose the condition of $\varepsilon$-secrecy for Bob. First note that we may write the ideal state as $\omega^n_B \otimes \rho^n_{EF|T_{\rm ec}}$, where (15) Then, we impose that the distance from this ideal state must be less than $\varepsilon_{\rm sec}$, i.e., we impose

E. Combining correctness and secrecy into epsilon security
Following Ref. [32, Th. 4.1], we can combine the features of correctness and secrecy into a single epsilon parameter. In fact, if Eqs. (6) and (16) hold, then we may write the condition for $\varepsilon$-security for Alice and Bob It is instructive to repeat the proof of this result from Ref. [32, Sec. 4.3].
Proof. Let us define the following state, similar to $\rho^n_{ABEF|T_{\rm ec}}$ but where Alice's system is copied from Bob's so they have exactly the same key string Then, we can use the triangle inequality to write The first term accounts for the correctness and can be bounded as follows The second term in Eq. (19) accounts for secrecy and can be manipulated as follows where we use the fact that the trace distance does not change if we trace Alice's cloned system in $\gamma^n$. Thus we have Using Eqs. (6) and (16) in the right-hand side of Eq. (22) we get Eq. (17).

F. Leftover hash bound
We may now bound the distance of the privacy amplified state $\rho^n_{BEF|T_{\rm ec}}$ from the ideal state $\omega^n_B \otimes \rho^n_{EF|T_{\rm ec}}$ containing $s_n$ random and decoupled bits. For this, we employ the converse leftover hash bound. Following Ref. [36, Th. 6], we may write where $\sigma^n$ is Bob and Eve's sub-normalized state before PA and after EC, given by By imposing the condition we certainly realize the secrecy bound in Eq. (16). If we also impose the condition of correctness in Eq. (6), we reach the condition of epsilon security for Alice and Bob expressed by Eq. (17). Setting $\varepsilon_{\rm h} := \varepsilon_{\rm sec} - \varepsilon_{\rm s}$ and rearranging Eq. (25), we derive the following upper-bound for the binary length of the key (converse leftover hash bound) Thus, for the protocol to be epsilon-secure with $\varepsilon := \varepsilon_{\rm cor} + \varepsilon_{\rm sec} = \varepsilon_{\rm cor} + \varepsilon_{\rm s} + \varepsilon_{\rm h}$, the binary length of the key cannot exceed the right-hand side of Eq. (26).

G. Including the leakage due to EC
Let us better describe Eve's system $E^n$ as $E^n R$, where $E^n$ are the systems used by Eve during the quantum communication while $R$ is an extra register of dimension $\dim R = 2^{{\rm leak}_{\rm ec} + \lceil -\log_2 \varepsilon_{\rm cor} \rceil}$. The latter is used by Eve to store the bits that are leaked during EC. This means that Eq. (26) is more precisely given by We can then use Ref. [37, Prop. 5.10] for the smooth min-entropy computed over generally sub-normalized states which leads to We then replace the above expression in Eq. (27), which leads to a stricter upper bound for the key length where we have set Note that we include the more precise term $\theta$ instead of just $\log_2(2\varepsilon_{\rm h}^2)$ as in past derivations [20-22].

H. Tensor-product reduction and asymptotic equipartition property
We may replace the smooth min-entropy of the sub-normalized state $\sigma^n$ after EC with that of the normalized state $\rho^{\otimes n}$ before EC. As we show in Appendix A, we may write the following tensor-product reduction This is a major improvement with respect to Ref. [20].
Because the state before the EC projection has a tensor product form (under collective attacks), we can now write a simpler (but larger) lower bound that is based on the von Neumann entropy of the single-copy state $\rho$ in Eq. (1). In fact, we may apply the asymptotic equipartition property (AEP) [37, Cor. 6.5] and write where Using Eqs. (31) and (32) in Eq. (29), we may write the following stricter upper bound where $\rho$ is the single-copy state in Eq. (1). We finally expand the conditional entropy as where $H(l)$ is the Shannon entropy of $l$, and $\chi(l : E)_\rho$ is Eve's Holevo bound with respect to $l$. Therefore, we get Alternatively, this can be written as where we have introduced the asymptotic key rate The result in Eq. (37) is an upper bound to the number of secret random bits that Alice and Bob can extract with epsilon security $\varepsilon = \varepsilon_{\rm cor} + \varepsilon_{\rm s} + \varepsilon_{\rm h}$. Note that the secret key rate will need to account for the fact that this amount of bits is generated with probability $p_{\rm ec}$ and that only a fraction $n/N$ of the total systems are used for key generation. Thus, the composable secret key rate (bits per use) of a generic CV-QKD protocol under collective attacks is given by More explicitly, we have the upper bound

J. Achievable key rate for optimal PA
The result in Eq. (40) means that Alice and Bob cannot exceed $R_{\rm UB}$ bits per use if they want to have $\varepsilon$-security assured. Assuming they can implement optimal PA, they can reach a rate $R_{\rm opt}$ which is still bounded by $R_{\rm UB}$ from above, but we can also guarantee that at least $R_{\rm LB}$ bits per use are generated. Basically, for a protocol with optimal extraction of randomness [37, Sec. 8.2], we may have a guaranteed $\varepsilon$-security and a rate satisfying $R_{\rm LB} \le R_{\rm opt} \le R_{\rm UB}$, where $R_{\rm UB}$ is given in Eq. (40) and The lower bound in Eq. (41) is proven by repeating the proof and using the direct part of the leftover hash bound [36] (see also Ref. [37, Eq. (8.7)]) for the number of bits $s_n^{\rm opt}$ that are achievable by a protocol with optimal data processing. For this number, we may in fact write We can see that the $-1$ difference between Eqs. (26) and (42) becomes an extra $-p_{\rm ec}/N$ in Eq. (41). Because $N$ is typically large, we also see that $R_{\rm LB} \simeq R_{\rm UB}$. Note that the direct leftover hash bound was used in the derivations of Refs. [20-22], which therefore provided formulas for the rate achievable by protocols with optimal PA. However, these previous works are more pessimistic than our current result due to a different tensor-product reduction with respect to Eq. (31). In particular, the key-rate lower bound from Ref. [21] takes the form where and (To be precise, the formula above is already a refinement since we have also included a more precise leakage contribution, as explained in Sec. II G).

K. Specification to various protocols

Formula for discrete-alphabet coherent state protocols
More specific formulas for a discrete-alphabet protocol are immediately derived. Let us define the reconciliation parameter $\beta \in [0, 1]$ by setting where $I(k : l)$ is Alice and Bob's mutual information.
Then, the asymptotic key rate takes the form This is to be replaced in Eq. (40) for the upper bound, and Eq. (41) for the lower bound with optimal PA.

Formula for Gaussian-modulated coherent state protocols
In the case of a Gaussian-modulated protocol, we need to express the formulas in terms of quadratures. First, we re-define the reconciliation parameter $\beta \in [0, 1]$ as where $I(x : y) \ge I(k : l)$ is Alice and Bob's mutual information computed over their continuous variables. Second, we exploit the data processing inequality for Eve's Holevo bound, so $\chi(l : E)_\rho \le \chi(y : E)_\rho$ under digitalization $y \xrightarrow{\rm ADC} l$. Thus, we can use the asymptotic rate to be replaced in the previous general formulas.

Other protocols
Other protocols can be considered. For example, the composable key rate of CV-MDI-QKD can be expressed using our general formulation once we replace the corresponding asymptotic expression $R_\infty$. The same can be stated for post-selection protocols, which also involve the introduction of an extra (post-selection) probability $p_{\rm ps}$, appearing as a further pre-factor in Eqs. (40) and (41), i.e., $p_{\rm ec}[\ldots]/N \to p_{\rm ps}\, p_{\rm ec}[\ldots]/N$. In general, the post-selection process can be seen as a global filter that distills the number of runs and is applied before the standard processing of data via EC and PA.

L. Parameter estimation
The asymptotic key rate $R_\infty$ depends on a number $n_{\rm pm}$ of parameters $p$. By sacrificing $m$ systems, Alice and Bob can compute maximum likelihood estimators $\hat{p}$ and worst-case values $p_{\rm wc}$, which are $w$ standard deviations away from the mean values of the estimators. The worst-case value bounds the true value of a parameter up to an error probability $\varepsilon_{\rm pe} = \varepsilon_{\rm pe}(w)$. This means that, overall, $n_{\rm pm}$ worst-case values $p_{\rm wc}$ will bound the parameters $p$ up to a total error probability $\simeq n_{\rm pm} \varepsilon_{\rm pe}$. Because PE occurs before EC, this probability needs to be multiplied by $p_{\rm ec}$, so we have a total modified epsilon security In the composable formulas of Eqs. (40) and (41), the asymptotic term $R_\infty = R_\infty(p)$ will be computed on the estimators and worst-case values, i.e., replaced by In particular, the expressions in Eqs. (46) and (48) will be replaced by

M. From one block to a session of blocks
In a typical fiber-based scenario, a QKD session is stable, i.e., the main channel parameters are constant for a substantial period of time. This means that we can consider a session of $n_{\rm bks}$ blocks, each block with size $N$. In this scenario, the success probability $p_{\rm ec}$ becomes the fraction of blocks that survive EC (the value $1 - p_{\rm ec}$ is also known as frame error rate). Assuming such a stable QKD session, PE can be performed on a large number of points, namely $n_{\rm bks} m$. This approach leads to better estimators and worst-case values to be used in Eq. (50). Using these improved statistics, Alice and Bob will then implement EC block-by-block. Each block surviving EC will undergo PA, where it is subject to a hash function randomly chosen from a 2-universal family. Each block compressed by PA is then concatenated into the final key.
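
The session-level post-processing of Secs. II B, II D and II M (hash verification with $\lceil -\log_2 \varepsilon_{\rm cor} \rceil$ bits, per-block PA with a freshly drawn 2-universal function, concatenation, and $p_{\rm ec}$ as the fraction of surviving blocks) is sketched below as an added example; it is not code from the paper. Assumptions: Toeplitz matrices serve as the 2-universal family for both the verification tag and PA, the per-block output length `s_n` is taken as already fixed by the key-length bound, the blocks are constructed sample data, and all function names are hypothetical.

```python
import math
import random


def symbols_to_bits(symbols, d):
    """Expand n symbols of a 2^d-ary alphabet into an nd-long bit list (MSB first)."""
    return [(s >> (d - 1 - j)) & 1 for s in symbols for j in range(d)]


def toeplitz_hash(bits, seed, out_len):
    """GF(2) product of `bits` with the out_len x n Toeplitz matrix
    T[i][j] = seed[i - j + n - 1]; the seed selects f within the family."""
    n = len(bits)
    if len(seed) != n + out_len - 1:
        raise ValueError("a Toeplitz seed needs n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & bits[j]
        out.append(acc)
    return out


def process_session(blocks, d, eps_cor, s_n, rng):
    """Verify and compress a session of EC outputs.

    blocks : list of (l_hat, l) pairs, Alice's guess and Bob's sequence
    s_n    : output bits per block (assumed fixed beforehand by the key-length bound)
    Returns (alice_key, bob_key, p_ec) with p_ec = surviving blocks / n_bks.
    """
    tag_len = math.ceil(-math.log2(eps_cor))  # bits Bob sends for verification
    alice_key, bob_key, n_ec = [], [], 0
    for l_hat, l in blocks:
        a, b = symbols_to_bits(l_hat, d), symbols_to_bits(l, d)
        if not s_n < len(b):
            raise ValueError("PA must compress: s_n < nd")
        # Verification: both sides hash with the same public random function.
        v_seed = [rng.getrandbits(1) for _ in range(len(b) + tag_len - 1)]
        if toeplitz_hash(a, v_seed, tag_len) != toeplitz_hash(b, v_seed, tag_len):
            continue  # hashes differ: this block is aborted
        n_ec += 1
        # PA: a fresh f for every surviving block, then concatenation.
        f_seed = [rng.getrandbits(1) for _ in range(len(b) + s_n - 1)]
        alice_key += toeplitz_hash(a, f_seed, s_n)
        bob_key += toeplitz_hash(b, f_seed, s_n)
    return alice_key, bob_key, n_ec / len(blocks)


def demo_session():
    """Constructed session: 3 blocks of n = 16 symbols with d = 3; block 1
    keeps one residual symbol error after the correction step."""
    rng = random.Random(2023)  # seeded for reproducibility only; real seeds need true randomness
    d, n, s_n, eps_cor = 3, 16, 10, 2.0 ** -32
    blocks = []
    for i in range(3):
        l = [rng.randrange(2 ** d) for _ in range(n)]
        l_hat = list(l)
        if i == 1:
            l_hat[5] ^= 1
        blocks.append((l_hat, l))
    return process_session(blocks, d, eps_cor, s_n, rng)


if __name__ == "__main__":
    alice, bob, p_ec = demo_session()
    print("keys match:", alice == bob, "| key bits:", len(bob), "| p_ec:", round(p_ec, 3))
```

The block with the residual error escapes detection only if 32 independent seed bits all vanish, which is the $2^{-\lceil -\log_2 \varepsilon_{\rm cor} \rceil}$ factor in Eq. (6).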

N. Extension to coherent attacks for heterodyne
One can extend the security of the Gaussian-modulated protocol with heterodyne detection to coherent attacks, following the Gaussian de Finetti reduction of Ref. [19]. The parties need to verify that the Hilbert space of the signal states is suitably constrained. In other words, the energy of Alice's and Bob's states should be less than some threshold values, $d_A$ and $d_B$, respectively. The parties execute a random energy test over $k$ states to estimate the energy of the other $n$ signal states that participate in the standard steps of the protocol. Given that the test is successful with probability $p_{\rm en}$ and that the protocol is $\varepsilon$-secure against collective Gaussian attacks, the new key length is decreased by the following amount of secret bits [19] and (53) The number of channel uses per block is extended to $N' = N + k$, the epsilon-security is rescaled to and the probability of not aborting $p_{\rm ec}$ is replaced by $p_{\rm ec} \to p_{\rm en}\, p_{\rm ec}$. One may set Alice's energy threshold to be larger than the mean photon number $n_A = V/2$ of the average thermal state created by her classical modulation $V$. More specifically, taking into account statistical calculations due to the use of $k$ signal states, one may set ). These conditions lead to an almost successful energy test $p_{\rm en} \simeq 1$. Consequently, the secret key rate of the heterodyne protocol under coherent attacks will be given by constrained by the upper bound [similar to Eq. (40)] and the lower bound [similar to Eq. (41)]

O. Practical Considerations
In an experimental implementation of a CV-QKD protocol, the parties have to numerically estimate two crucial parameters: the EC probability $p_{\rm ec}$ and the reconciliation efficiency $\beta$. The EC probability can be computed as the ratio $p_{\rm ec} = n_{\rm ec}/n_{\rm bks}$ between the $n_{\rm ec}$ successfully corrected blocks and the total number of blocks of a session $n_{\rm bks}$, assuming that the channel is stable (see also [24,25,31]). The reconciliation efficiency can be computed from the leakage of the EC scheme employed. Typically, the EC scheme exploits non-binary LDPC codes, described by a $c \times n$ parity check matrix with code rate $R_{\rm code} = c/n$, where $c$ is the number of parity checks. In this case, the leakage can be bounded by where $d_{\rm least}$ is the number of the least significant bits sent in the clear, while $d_{\rm syn}$ is the number of syndrome bits (see Refs. [24,25] for details and precise definitions).
Once the leakage is bounded, one may use Eqs. (45) or (47) to compute the reconciliation parameter $\beta$. However, in a practical setting, the value of the entropy $H(l)$ is also not exactly known and must be estimated. During PE, the parties calculate the frequency $f_l = n_l/n$ of the value $l$, starting from its $n_l$ occurrences in the sequence of length $n$. In this way, they construct the estimator The value of this estimator is then used in Eqs. (45) or (47) to derive an estimate for $\beta$ [38].
The uncertainty on the value of Bob's entropy also has an effect at the level of the composable key rate, introducing a further epsilon parameter. For the entropy estimator, we have and we can write for This means that we have the condition with probability larger than $1 - \varepsilon_{\rm ent}$. Combining the inequality above with Eq. (60), we get up to an error probability $\varepsilon_{\rm ent}$. In other words, we can replace Bob's entropy in the asymptotic rate of Eq. (38) with the lower bound in Eq. (64) computed from the estimator in Eq. (59). This leads to a stricter upper bound for the composable secret key rate. More precisely, Eq. (37) becomes where the asymptotic key rate becomes Thus, the corresponding composable secret key rate is upper-bounded by with overall $\varepsilon$-security $\varepsilon = \varepsilon_{\rm cor} + \varepsilon_{\rm s} + \varepsilon_{\rm h} + p_{\rm ec}\, \varepsilon_{\rm ent}$. Note that $\varepsilon_{\rm ent}$ is re-scaled by $p_{\rm ec}$ because Bob's entropy is evaluated during PE and, therefore, before EC. Similarly, according to the discussion in Sec. II J, we may write the lower bound for a protocol with optimal PA. Including the estimation of the channel parameter $p$ via $\hat{p}$ and $p_{\rm wc}$, the asymptotic rate in Eq. (66) becomes $R_\infty = R_\infty(\hat{p}, p_{\rm wc})$. In particular for the protocols in Sec. II K, the rates in Eqs. (46) and (48) become By replacing $R^{\rm PE}_\infty \to R_\infty$ in Eq. (68), we therefore bound the composable secret key rate, which accounts for the entire PE process, with overall $\varepsilon$-security Finally, for the heterodyne protocol, we may extend the security to coherent attacks repeating the modifications that lead to Eqs. (56) and (57) of Sec. II N.

III. EXAMPLES WITH THE MAIN GAUSSIAN-MODULATED PROTOCOLS
In order to use the composable formula, we need to specify the asymptotic key rate and the PE procedure, so that we can compute the rate $R^{\rm pe}_\infty$ in Eq. (50) to be replaced in Eq. (40). Here, we report the known formulas for the asymptotic key rates of the Gaussian-modulated coherent-state protocols (with homodyne and heterodyne detection). These asymptotic formulas can be found in a number of papers (e.g., see Ref. [1] and references therein). Then we consider the modifications due to PE.

A. Gaussian modulation of coherent states with homodyne detection
We model the link connecting the parties as a thermal-loss channel with transmissivity $T = 10^{-D/10}$ (where $D$ is here the loss in dB) and excess noise $\xi$. The dilation of the channel is represented by a beam splitter with transmissivity $T$ that Eve uses to inject one mode of a two-mode squeezed vacuum (TMSV) state with variance Eve's injected mode is therefore coupled with Alice's incoming mode via the beam splitter and the output is received by Bob, who detects it using a homodyne detector with efficiency $\eta$ and electronic noise $u_{\rm el}$ (both local parameters that can be considered to be trusted in a well-calibrated scenario). The other, environmental, output of the beam splitter is stored by Eve in a quantum memory, together with the kept mode of the TMSV state. In this way, many modes are collected in Eve's quantum memory, which is finally subject to an optimal joint measurement (collective entangling-cloner attack).
Alice and Bob's mutual information is given by where $V$ is Alice's modulation. The CM of Eve's output state (her partially-transmitted TMSV state) is given by where $I = {\rm diag}(1, 1)$, $Z = {\rm diag}(1, -1)$ and Then, Eve's conditional CM (conditioned on Bob's outcome) is given by where $\Pi = {\rm diag}\{1, 0\}$ and By calculating the symplectic eigenvalues of the total CM, $\nu_+$ and $\nu_-$, and those of the conditional CM, $\nu_+$ and $\nu_-$, we obtain Eve's Holevo information on Bob's outcome where we use the usual CV-based entropy function Then the asymptotic secret key rate is given by the difference between the mutual information (multiplied by the reconciliation efficiency $\beta$) and Eve's Holevo information as in Eq. (48).

B. Gaussian modulation of coherent states with heterodyne detection
For the protocol with heterodyne detection, the mutual information is a simple modification of the previous one in Eq. (73) and given by where $V_0 = 2$ (note that for $V_0 = 1$ we get the expression valid for homodyne detection). Eve's CM is the same as in Eq. (74), but the conditional CM is instead given by

C. Parameter estimation and final performance
Let us now include PE, assuming that $m$ signals are sacrificed for building the estimators of the channel parameters (to be used in the mutual information) and the associated worst-case values (to be used in Eve's Holevo bound). One therefore computes estimators $\hat{T} \simeq T$, $\hat{\xi} \simeq \xi$ and the following worst-case values where
In the equations above, $V_0 = 1$ is for homodyne detection and $V_0 = 2$ is for heterodyne detection. Then, in Eq. (87), the term $c_{\rm PE}$ can be set to zero [14] (in fact, another choice would be $c_{\rm PE} = 2$ [15] based on a weaker assumption [39]). The parameter $w$ that connects the worst-case values with $\varepsilon_{\rm pe}$ is simply given by an inverse error function when we assume a Gaussian approximation for the parameters, i.e., However, when stricter conditions are required, e.g., in the case of coherent attacks [see Eq. (54)], we use chi-squared distribution tail bounds where $w$ is given by $w = 2 \ln \varepsilon_{\rm pe}^{-1}$. (90) (See Appendix B for more details.) Thus, by using $\hat{p} = (\hat{T}, \hat{\xi})$ and $p_{\rm wc} = (T_{\rm wc}, \xi_{\rm wc})$, we compute the PE rate as in Eq. (51) to be replaced in Eq. (40) for both the homodyne and heterodyne protocols. Let us assume ad hoc values for $p_{\rm ec}$ and $\beta$ (the numerical values of these parameters are known after a realistic implementation or simulation of EC, as discussed in Sec. II O). Then, we show the performances of the two protocols in Figs. 1 and 2. More specifically, in Fig. 1, we depict the secret key rate versus channel loss, while, in Fig. 2, we show its behavior with respect to block size. For the sake of comparison, we have also included the results based on previous literature [20,21] (refined in Sec. II J). From the figures, we can see a significant improvement in the key rate performance both in terms of robustness to loss and smaller block size.

detection efficiency is $\eta = 0.6$, and electronic noise is $u_{\rm el} = 0.1$. Security epsilons have all been set to $2^{-32}$. The cardinality of the alphabet is $|L| = 2^7$ for homodyne and $|L| = 2^{14}$ for heterodyne. Block size is $N = 10^7$ and PE is based on $m = N/10$ sacrificed signals. We have optimized the results over the variance $V$ of Alice's Gaussian modulation.

FIG. 2. Improved composable secret key rate [upper bound of Eq. (40)] for the Gaussian modulated coherent-state protocol with homodyne detection (blue solid line) and heterodyne detection (red solid line) with respect to the block size $N$. These lines coincide with those computed from the lower bound of Eq. (41). The corresponding dashed lines are computed using Eq. (43), based on previous literature. Loss is set to 7 dB, while all the other parameters are chosen as in Fig. 1.

IV. CONCLUSIONS
In this paper, we have introduced an improved formulation for the composable and finite-size secret key rate of a generic CV-QKD protocol. By resorting to previous theory and proving various other tools, such as a refined tensor-product reduction for the state after error correction, we have derived simpler and more optimistic formulas, able to show an improvement in the general performance of CV-QKD. As shown in the examples, this improvement can be appreciated both in terms of increased robustness to loss and/or reduced requirements for the size of the usually larger QKD blocks. In general, this work contributes to making a step forward in the rigorous deployment of CV-QKD protocols in practical scenarios.

). Then, under the assumption of a lossy channel with reasonable excess noise, the mean number of photons received by Bob is smaller than $n_A$, so if we set $d_B = d_A$, we certainly have $d_B \ge n_A + O(k^{-1/2}$