Asymptotic security analysis of discrete-modulated continuous-variable quantum key distribution

Continuous-variable quantum key distribution (CV QKD) protocols with discrete modulation are interesting due to their experimental simplicity and their great potential for massive deployment in the quantum-secured networks, but their security analysis is less advanced than that of Gaussian modulation schemes. In this work, we apply a numerical method to analyze the security of discrete-modulation protocols against collective attacks in the asymptotic limit, paving the way for a full security proof with finite-size effects. While our method is general for discrete-modulation schemes, we focus on two variants of the CV QKD protocol with quaternary modulation. Interestingly, thanks to the tightness of our proof method, we show that this protocol is capable of achieving much higher key rates over significantly longer distances with experimentally feasible parameters compared with previous security proofs of binary and ternary modulation schemes and also yielding key rates comparable to Gaussian modulation schemes. Furthermore, as our security analysis method is versatile, it allows us to evaluate variations of the discrete-modulated protocols, including direct and reverse reconciliation, and postselection strategies. In particular, we demonstrate that postselection of data in combination with reverse reconciliation can improve the key rates.


I. INTRODUCTION
Quantum key distribution (QKD) [1,2] is an important cryptographic primitive in the era of quantum technology since it enables two honest parties, traditionally known as Alice and Bob, to establish information-theoretically secure keys against any eavesdropper (Eve) who is bound by the laws of quantum mechanics. By now, there are plenty of QKD protocols (see Ref. [3] for a review), which can be categorized into two families according to their detection technology: discrete variable (DV) and continuous variable (CV). DV QKD protocols like the Bennett-Brassard 1984 (BB84) protocol [1] are realized by encoding the information into qubitlike degrees of freedom of photons, such as polarization and time bin, and by measuring with single-photon detectors. DV QKD enjoys great success in experimental implementations and corresponding security analyses, and can currently reach longer distances than CV QKD. However, CV QKD (e.g., see Refs. [4][5][6]) uses detection technology that is widely used in modern optical (classical) communication methods, which turns those classical methods and the CV QKD apparatus into nearly identical devices. This technological similarity gives CV QKD a competitive edge for large-scale deployment in quantum-secured networks.
A main security proof technique for CV QKD is the optimality of Gaussian attacks [7,8] for protocols with Gaussian modulation. In fact, security proofs are quite mature for CV QKD with Gaussian modulation (see [9] for a review). However, this type of protocol puts a lot of demands on the modulation devices and classical errorcorrection protocols. In addition, the effect of a finite constellation needs to be taken into account carefully [10,11]. In probing quantumness of devices using coherent states, we notice that even a small number of coherent states have the same quantumness verification power as a Gaussian modulation of states [12]. We thus expect that a discrete-modulated CV QKD protocol will approach the performance of Gaussian-modulated CV QKD with just a few different modulation amplitudes. However, the corresponding security proof is more involved due to missing analytical tools. The binary [13] and ternary modulation schemes [14] have been proved secure against collective attacks. Unfortunately, the key rates obtained are not tight, and the proof technique is not expected to be generalizable to discrete-modulation schemes with more states. For the quaternary modulation scheme, also known as the quadrature phase-shift keying scheme, its security was previously analyzed under the assumption of linear bosonic channels [15] or Gaussian attacks [16,17], which restricts Eve's ability. (Unfortunately, the analysis [15] with the additional linear channel assumption is not expected to be tight and, thus, cannot be used as an upper bound of the key rate.) In this work, we apply a versatile numerical method to study the security of discrete-modulated schemes with a focus on the quaternary modulation scheme. Specifically, we analyze two variants of the quadrature phaseshift keying modulation scheme: one with homodyne detection and the other with heterodyne detection. Our method enables us to obtain tight key rates against collective attacks in the asymptotic limit. Recently, we noticed an independent work [18] that analyzes the asymptotic security of the quaternary modulation scheme with heterodyne detection. In this security analysis [18], Ghorai et al. use a reduction to the Gaussian optimality proof method and apply a semidefinite program (SDP) technique with a photon-number cutoff assumption. We emphasize here that our proof technique is quite different from their work, and, in particular, we do not invoke the arguments of Gaussian optimality. For this reason, we also directly compare our results with their results in this work. Remarkably, compared with the similar heterodyne scheme considered in Ref. [18], we obtain quite higher key rates. Furthermore, our approach can be extended to variants of the protocol using homodyne measurements. Since our method does not rely on the arguments of Gaussian optimality, it also allows us to investigate the effects of the postselection of data [19,20], which is not considered in Ref. [18] due to their proof technique. Postselection is commonly done for the classical telecommunication protocols and DV QKD protocols to discard noisy data and to improve the performance of the protocols. However, postselection strategies are currently not compatible with the Gaussian optimality proof technique, since the relevant states are non-Gaussian and Gaussian attacks are not expected to be optimal in the presence of postselection. Previously, postselection for discrete-modulation schemes was considered under a restricted class of attacks [16,21]. In this work, we show that postselection can improve the key rates under collective attacks. Finally, we remark that our security proof method works for both direct reconciliation and reverse reconciliation protocols. However, we focus on reverse reconciliation in this work, since reverse reconciliation is known to have better performance than the direct reconciliation in terms of transmission distances.
For our security analysis, we rely on the numerical key rate optimization methods developed in Refs. [22,23], and we use the version of Ref. [23] to prove the security against collective attacks in the asymptotic limit. Another contribution of this work is that we further develop the framework to handle the classical postprocessing for the numerical method presented in Ref. [23]. This development allows us to study the postselection strategies and also simplifies some aspects of the numerical calculation. In order to perform such an optimization numerically, we impose the photon-number cutoff assumption, which is the same assumption considered in Ref. [18]. Although, ultimately, one would like to prove the security without this assumption, this assumption is reasonable because we numerically verify that our key rate results do not depend on the choice of cutoff when the cutoff photon number is much larger than the mean photon number of each received state. We leave it as future work to remove this assumption. It is also interesting to point out that even though we demonstrate our proof method on only the quaternary modulation scheme here, our approach can be easily generalized to other discrete-modulation schemes beyond four coherent states.
The rest of the paper is outlined as follows. In Sec. II, we present two variants of the protocol: Protocol 1 uses homodyne detection and uses only two out of four states to generate keys; protocol 2 uses heterodyne detection and encodes two-bit information in each round. In Sec. III, we first review the relevant numerical approach used for this work, discuss the photon-number cutoff assumption, and then present the specific setup of the optimization problems for those two protocols such as choices of constraints, the postprocessing map, and the pinching map related to the key map. We then perform simulations and show the simulation results in Sec. IV. Finally, we summarize the results and provide insights for future directions in Sec. V. We discuss some technical details in the Appendixes. Particularly, we present a complete framework for postprocessing in Appendix A.

II. DESCRIPTION OF PROTOCOLS
In the following description, let [N ] denote the set of positive integers from 1 to N . A coherent state with an amplitude α or γ is denoted by |α or |γ .
(2). Measurement.-After receiving Alice's state, Bob performs a homodyne measurement on the state. Bob first generates a random bit b k according to the probability distribution (p B , 1 − p B ). If b k = 0, he measures the q quadrature and if b k = 1, he measures the p quadrature. He obtains the measurement outcome y k ∈ R.
(3). Announcement and sifting.-After N rounds of first two steps, Alice and Bob communicate via the authenticated classical channel to partition all the rounds [N ] into four subsets defined as (4). Parameter estimation.-Alice and Bob perform parameter estimation by disclosing all the information in the rounds indexed by the test set I test . To perform such an analysis, they process the data by computing quantities like the first and second moments of q and p quadratures conditioned on each of four states that Alice sends. These quantities allow them to constrain their joint state ρ AB . They then calculate the secret key rate according to the optimization problem in Eq. (16). If their analysis shows that no secret keys can be generated, then they abort the protocol. Otherwise, they proceed. (5). Reverse reconciliation key map.-Bob performs a key map to obtain his raw key string. This key map discretizes his measurement outcome y k to an element in the set {0, 1, ⊥} for each k ∈ I key . For each j ∈ [m], Bob sets z j according to the rule Note that ∆ c ≥ 0 is a parameter related to the postselection of data. A protocol without postselection can set ∆ c = 0. At the end of this process, Bob has a string Z = (z 1 , z 2 , . . . , z m ). In communication between Alice and Bob, positions with the symbol ⊥ are deleted from their strings. With a slight abuse of notation, we use X, Z to mean the strings after removing the positions related to ⊥. Z is called the raw key string. (6). Error correction and privacy amplification.-Bob chooses a suitable error-correction protocol and a suitable privacy-amplification protocol according to the security analysis done in the parameter estimation step and communicates the choices to Alice. Alice and Bob then apply the chosen errorcorrection protocol and privacy-amplification protocol to generate a secret key.
We remark on the asymmetric roles of these four states and asymmetric choices of quadrature measurements considered here. In this specific setup, Alice and Bob use only signal states {|α , |−α } and q quadrature measurement data to generate keys and use all other combinations to probe eavesdropping activities. In the asymptotic limit, we can set p A and p B arbitrarily close to 1 so that the sifting factor of the protocol is 1 (in the absence of postselection) [24]. However, for a finite number N , it is unlikely that p A and p B can be arbitrarily close to 1, since one needs to balance the trade-off between the sifting factor and the accuracy of parameter estimation. In this case, one needs to optimize the choices of p A and p B for a given choice of N . The reason that we choose this asymmetric version here is to simplify some numerical calculation and to maximize the sifting factor. We may also consider another variant of this protocol, that is, allowing Alice and Bob to generate keys from both I qq and I pp . Then for p A = p B = 1 2 , the protocol has 1 2 sifting factor (in the absence of postselection). However, we point out that the essential idea of our security proof in the asymptotic limit is the same for these different variations.
(1). State preparation.-Like protocol 1, Alice prepares one of those four signal states with an equal probability (p A = 1 2 ) and sends to Bob. (2'). Measurement.-Upon receiving Alice's state, Bob performs a heterodyne measurement on the state, which can be described by a positive operator-valued measure (POVM) {E γ = 1 π |γ γ| : γ ∈ C}. After applying this POVM, he obtains the measurement outcome y k ∈ C.
(4). Parameter estimation.-As with protocol 1, Alice and Bob perform parameter estimation to decide whether they abort the protocol.
(5'). Reverse reconciliation key map.-Bob performs a key map to obtain his raw key string. This key map discretizes his measurement outcome y k to an element in the set {0, 1, 2, 3, ⊥} for each k ∈ I key . As y k ∈ C, we write y k = |y k |e iθ k , where θ k ∈ [− π 4 , 7π 4 ). Bob sets each z j of his key string Z = (z 1 , . . . , z m ) according to the rule and y f (j) are none of the above.
(5) ∆ a ≥ 0 and ∆ p ≥ 0 are two parameters related to postselection. A protocol without postselection can set ∆ a = ∆ p = 0. This key map is depicted in Fig. 1. Like protocol 1, positions with the symbol ⊥ are deleted When Bob has a measurement outcome γ ∈ C, if γ is in one of the four shaded areas, then Bob maps the measurement outcome to the corresponding value of that area for his key string. If γ is not in the shaded areas, Bob obtains the symbol ⊥. ∆a and ∆p are two parameters related to postselection. from their strings. Again, we use X, Z to mean the strings after removing the positions related to ⊥. Z is called the raw key string. (6). Error correction and privacy amplification.-As with the protocol 1, they perform error correction and privacy amplification to generate a secret key.
Alice and Bob may decide to recast their strings to binary strings before or during the error-correction step depending on their choice of error-correcting code. For the consistency of our presentation, we use the alphabet {0, 1, 2, 3} in the following discussion.

III. SECURITY PROOF APPROACH
Our security proof applies the numerical key rate calculation framework developed in Refs. [22,23], which allows us to calculate the secret key rate against collective attacks in the asymptotic limit. Specifically, we implement the approach in Ref. [23] to solve the key rate optimization problem in this work. We begin with reviewing relevant components of the key rate calculation. For the purpose of reviewing, we keep this part of the discussion general. We direct readers to Refs. [22,23] for the derivation of the key rate optimization problem and specifically to both Ref. [23] and Appendix A for the technical details regarding the framework of handling the postprocessing steps of the protocol. We then discuss the photon-number cutoff assumption and possible ways to remove it. Finally, we present the specific numerical op-timization problems for these two protocols considered in this work.

A. Numerical method background
We first review the source-replacement scheme, which allows us to recast a prepare-and-measure protocol into an entanglement-based protocol. In the asymptotic limit and under collective attacks, the key rate formula is given by the well-known Devetak-Winter formula [25]. We then briefly discuss how to reformulate the Devetak-Winter formula to obtain the relevant convex objective function for the numerical optimization. Finally, we discuss the feasible set of our optimization problem.

Source-replacement scheme
Both protocols presented in Sec. II are prepareand-measure schemes. When we prove the security of a prepare-and-measure scheme, we apply the sourcereplacement scheme [26][27][28][29] to obtain an equivalent entanglement-based scheme and prove the security of the entanglement-based scheme, which is easier to analyze. (This idea of equivalence is first realized in Ref. [26] for BB84 and in Ref. [27] for Gaussian-modulated CV protocols. References [28,29] identify and formulate the general principle that applies to any protocol.) The key rate that we obtain from this entanglement-based scheme is also the key rate for the corresponding prepare-andmeasure scheme.
If Alice prepares states from the ensemble {|ϕ x , p x } in the prepare-and-measure scheme, by the sourcereplacement scheme, she effectively prepares the following bipartite state in the entanglement-based scheme: where Alice keeps the register A and sends A ′ to Bob via a quantum channel. For both protocols considered in this work, {|ϕ x } = {|α , |−α , |iα , |−iα }. To determine which state she sends to Bob, Alice performs a local measurement described by a POVM M A = {M x A = |x x|} on register A. Upon obtaining a measurement result x, she effectively sends to Bob the state |ϕ x . Their bipartite state ρ AB after transmitting the register A ′ via a quantum channel, which is described by a completely positive and trace-preserving (CPTP) map E A ′ →B , is where id A is the identity channel on the register A. Bob then performs a measurement on the register B to obtain his measurement result. When Alice performs a projective measurement |x x|, the corresponding conditional state ρ x B that Bob receives is defined as

Key rate formula
The secret key rate under collective attacks in the asymptotic limit is given by the well-known Devetak-Winter formula [25]. In the case of reverse reconciliation [5,27], this formula reads where I(X; Z) is the classical mutual information between Alice's string X and the raw key string Z, χ(Z : E) is the Holevo information that quantifies Eve's knowledge about the raw key string Z, and p pass is the sifting probability, that is, the probability that a given round is used for key generation after the sifting step. The set S contains all density operators compatible with experimental observations, which we discuss later. One can rewrite the Devetak-Winter formula as where H(Z|E) and H(Z|X) are conditional von Neumann (Shannon) entropies. In this formula, H(Z|X) is the amount of information leakage during the error-correction step performed at the Shannon limit. In reality, since the error correction cannot be done at the Shannon limit, to take the inefficiency of error correction into account, we replace this term by the actual amount of information leakage per signal (denoted by δ EC ) during the error-correction step.
The crucial step to turn this problem into a convex optimization problem is to rewrite H(Z|E) in terms of the bipartite quantum state ρ AB . As shown in Refs. [22,23], the key rate expression can be reformulated as In this equation, D(ρ||σ) = Tr(ρ log 2 ρ) − Tr(ρ log 2 σ) is the quantum relative entropy. According to Ref. [23], G is a completely positive and trace nonincreasing map that describes several classical postprocessing steps of the protocol in terms of actions on the bipartite state ρ AB . Briefly speaking, G is composed of an announcement map A, a sifting projection Π, and a key map isometry V . The roles are explained as below.

i) A is a CPTP map that introduces classical registers
A and B to store announcements and also introduces quantum registers A and B to store measurement outcomes in a coherent fashion (via isometries).
ii) The sifting projection Π projects the state after announcements to the subspace spanned by announcement outcomes kept for the key generation purpose.
iii) The key map isometry V then utilizes classical announcement registers and quantum measurement outcome registers to perform the key map step described in the protocol and stores the result of key map to a quantum register R.
Thus, G(σ) = V ΠA(σ)ΠV † for an input state σ. We remark that this output state may be subnormalized. The normalization factor is actually p pass . Due to this property of G map, the factor p pass is not shown in front of the first term in Eq. (11). Finally, Z is a pinching quantum channel, which completely dephases the register R to read out the result of key map. If {Z j } is the projective measurement that can be used to obtain the result of key map from the register R, then, for an input state σ,

Constraints
We now explain the feasible set S of our optimization problem. The set S contains all bipartite density operators ρ AB that are compatible with experimental observations. If is the set of experimental observables for some integer M and {γ i ∈ R|1 ≤ i ≤ M } is the corresponding set of expectation values observed for each Γ i , then the feasible set S of our optimization problem is In particular, we include the identity operator in the set {Γ i } to ensure Tr(ρ AB ) = 1. Since Eve cannot modify Alice's system A in a prepare-and-measure scheme, we additionally require that ρ A = Tr B (ρ AB ) is fixed as A final remark is that this optimization problem is a convex optimization problem, and, in particular, it is a nonlinear SDP problem. The objective function here is the quantum relative entropy function whose arguments involve additional linear maps and it is a nonlinear convex function of ρ AB , since quantum relative entropy is jointly convex in both arguments. The feasible set is a convex set inside the positive semidefinite cone.

B. Photon-number cutoff assumption
The key rate optimization problem in Eq. (11) involves optimizing over all possible bipartite states ρ AB in the feasible set S. The number of free variables depends on the size of ρ AB . In order to numerically perform the optimization by computer optimization packages, we can deal only with finite-dimensional ρ AB . In our optimization problem, as we can see from the source-replacement scheme, the dimension of Alice's system A is determined by the number of different signal states that she prepares.
For both protocols considered in this work, the dimension of register A is 4. However, since each state that Bob receives is an optical mode and, in principle, can be manipulated by Eve, Bob' state lives in an infinite-dimensional Hilbert space H B . A basis for this Hilbert space is the photon-number states {|n : n ∈ N}. We immediately see that Bob's POVM elements are infinite-dimensional operators and ρ AB is also infinite dimensional. For DV QKD, one method to reduce the dimension of the system is to apply a squashing model [30][31][32] for the protocol to obtain a lower-dimensional representation of his POVM. This reduction is possible for many DV QKD protocols, since one can explicitly formulate the squashing model. However, it is not clear how one can formulate a squashing model for CV systems. Instead, we have to impose an additional assumption in this work in order to perform the numerical optimization. This additional assumption is what we call the photon-number cutoff assumption. We impose the assumption that Bob's system lives in the Hilbert space H B = span{|0 , |1 , . . . , |N c } for some cutoff photon number N c . Namely, if we define Π Nc = Nc n=0 |n n| with a suitable choice of photonnumber cutoff parameter N c on Bob's system, we assume ρ = Π Nc ρΠ Nc for the state ρ under consideration. This assumption allows us to truncate the infinite-dimensional Hilbert space. If N c is chosen to be large enough, this assumption is a reasonable working assumption based on the following observations. i) Bob can obtain the mean photon number n x := Tr(ρ x Bn ) of each conditional state ρ x B via homodyne or heterodyne measurements, wheren denotes the number operator.
ii) Since n x is known, we can pick N c ∈ N such that N c is much larger than n x for each x ∈ {0, 1, 2, 3}. For such a choice of N c , the probability of finding the state to have a photon number n ≤ N c is close to 1. This probability suggests that the contribution from n > N c photon subspace becomes negligible. Similarly, the off-diagonal blocks (1−Π Nc )ρΠ Nc and Π Nc ρ(1−Π Nc ) also have vanishing contributions.
iii) We can increase N c to have a numerical verification that the key rate is unchanged after we choose a large enough N c .
This photon-number cutoff assumption renders our numerical optimization of the key rate problem feasible. Although this assumption sounds reasonable as our numerical verification suggests, we emphasize that one has to deliver an exact analysis to remove this assumption for a watertight security proof. In this sense, our proof is restricted. Nevertheless, we expect the key rates of these protocols to not be affected much by this working assumption.
We now provide some insights for removing this assumption and also for extending our current analysis to include finite-size effects and general attacks. To remove the photon-number cutoff assumption, one needs to combine our numerical optimization approach with some appropriate analytical tools. One possible approach is to develop a CV version of the squashing model. If such a squashing model exists, the key rate optimization problem then becomes a finite-dimensional problem even without the photon-number cutoff assumption. Since the effective dimension is finite, it might also be possible to apply existing tools (which are valid for finitedimensional systems) such as the quantum de Finetti representation theorem [33] or the postselection technique [34] to obtain the composable security [35] of the protocol against general attacks in the finite-size regime.
Another possible method for removing the photonnumber cutoff assumption is to adopt a similar idea used in Ref. [11], that is, using the entropy continuity bounds [36] to provide a tight error analysis of the key rate due to the truncation of Bob's Hilbert space. If one can tightly bound the trace distance between the optimal state in the truncated subspace and the optimal state in the original infinite-dimensional space, then the existing continuity bound for the Holevo information allows us to obtain a small correction term due to the photon-number cutoff. Then, one obtains a full security proof against collective attacks in the asymptotic limit. To reach a full composable security proof along this path, one may first manage to include the finite-size effects with collective attacks and then apply appropriate tools similar to the quantum de Finetti representation theorem for CV QKD [37] to take the general attacks into consideration.
Each of these two approaches has its own challenges that need to be overcome, and, thus, we have to defer these extensions to the finite-size and coherent attacks regime without the working assumption of the photonnumber cutoff to future research.

C. Optimization problem for protocol 1 (homodyne detection)
Letâ andâ † be the annihilation and creation operators of a single-mode state, respectively. They obey the commutation relation [â,â † ] = 1. To be consistent in this work, we define the quadrature operatorsq andp, respectively, aŝ They obey the commutation relation [q,p] = i. From the homodyne measurement, we can obtain expectation values of the first and second moments of the quadrature operators q , q 2 , p , and p 2 . We can calculate the mean photon number of each conditional state ρ x B from the homodyne measurement outcomes, sincê n = 1 2 (q 2 +p 2 − 1) =â †â . In addition ton, we define an operatord =q 2 −p 2 =â 2 + (â † ) 2 to utilize the second moment observations q 2 and p 2 to constrain ρ AB .
The relevant optimization problem is where x ∈ {0, 1, 2, 3} and q x , p x , n x , and d x denote the corresponding expectation values of operatorŝ q,p,n, andd for the conditional state ρ x B , respectively. In Appendix B, we discuss how we make these operators finite dimensional under the photon-number cutoff assumption.
We remark that one can add more fine-grained constraints using the POVM description of homodyne measurements or using the interval operators I 0 and I 1 , which we define shortly. Additional constraints can only improve the key rate, as they reduce the size of the feasible set S. Nevertheless, we observe that this set of constraints already gives us quite tight key rates. We expect that additional constraints will provide only marginal improvements. For the ease of presentation, we choose this set of coarse-grained constraints.
We now specify the maps G and Z. For the reverse reconciliation, the postprocessing map G(σ) = KσK † is given by the following Kraus operator: where I 0 and I 1 are interval operators defined in terms of projections onto (improper) eigenstates of q quadrature: In the definition of K, we project Alice's register A onto the subspace spanned by the first two basis states (which are related to the states |α and |−α ) and act on Bob's register by interval operators from the q quadrature measurement, since secret keys are generated only from the rounds where Alice sends |α or |−α and Bob performs q quadrature measurements in this protocol. We remark how the postselection is handled in our security proof.
Since ∆ c is a postselection parameter, the effect of postselection is reflected in the definition of interval operators which are used in the postprocessing map G. Finally, the pinching quantum channel Z is described by the projec- We remark that we make an additional simplification for the Kraus operator K. Unlike the general discussion in Sec. III A or in Ref. [23], we do not introduce the registers A, B, A, and B in the postprocessing map G for this protocol. The aim of such a simplification is to reduce the total dimension of the quantum states in the key rate optimization without affecting the calculated key rates. We provide a detailed analysis in Appendix A to explain why such a simplification can be made. Here, we discuss the ideas behind this simplification.
i) The quantum register A is Alice's private register that stores her measurement outcome after she performs her POVM {M x A } on register A in a coherent fashion. Since Eve has no access to register A, Alice can choose to first perform a coarse-grained measurement that introduces only the announcement register A and then perform a refined measurement conditioned on the announcements, which is described by a local isometry. Moreover, in the reverse reconciliation scheme, since the key map isometry V does not depend on Alice's measurement outcome, the isometry for the refined measurement commutes with both the key map isometry V and the pinching map Z. As our objective function is invariant under this type of local isometries, we can choose not to apply this isometry and, thus, we do not introduce register A.
ii) In the announcement step, Alice and Bob each announce whether a given round is kept for the key generation. Then the sifting process keeps only one announcement outcome, that is, when they both decide to keep the round. So, both classical registers A and B after applying the sifting projection Π are effectively one dimensional. We then use another property of the quantum relative entropy regarding quantum-classical states to show that the calculated key rates remain the same if we omit registers A and B.
iii) The key map in this protocol uses only the coarsegrained information about Bob's measurement outcomes, that is, in which interval Bob's measurement outcome lies. As with the previous discussion about register A, we can view Bob's measurement in two steps. At the first step, Bob performs a coarse-grained measurement in a coherent fashion to store the desired coarse-grained outcomes in register B. At the second step, Bob performs a refined measurement conditioned on the coarse-grained information to update register B, which is described by a local isometry (denoted by W ). Since the key map uses only the coarse-grained information, the key map isometry V effectively needs to first undo the isometry W . So, we can choose not to perform the isometry W and let the key map isometry V use the coarse-grained information directly. The calculated key rates remain the same after we ignore the isometry W . In this case, the key map isometry V simply copies register B to register R in the standard basis. Thus, we combine these two registers and retain the name of R. The calculated key rates are unaffected, because copying register B to register R in the standard basis is done by a local isometry, which we can omit.
D. Optimization problem for protocol 2 (heterodyne detection) The optimization problem for protocol 2 has essentially the same form as described in Eq. (16). The differences here are that expectation values are now obtained via heterodyne detection, and the postprocessing map G and the pinching map Z have different forms, as we present shortly. In principle, we can use additional information about second moments like qp to constrain ρ AB as the information becomes available via heterodyne detection. However, our calculation shows that additional constraints like this one can provide only marginal improvements on the key rates in our simulated scenarios. We expect these constraints to be more useful if we introduce squeezing in either the protocol or the simulation.
To write out the Kraus operator for the postprocessing map G including postselection, we define region operators that tell us in which region in Fig. 1 Bob's measurement outcome lies. We express them using the polar coordinate for the integration as The area of integration for each operator corresponds to the relevant region shown in Fig. 1. Again, ∆ a and ∆ p are parameters related to postselection.
In this case, the postprocessing map G(σ) = KσK † is given by the Kraus operator The pinching quantum channel Z is given by the projections Z j = |j j| R ⊗ 1 AB for j = 0, 1, 2, 3, that is, for a valid input state σ: Like protocol 1, we make a simplification for the Kraus operator K by a similar line of argument.
E. Generalization to other discrete-modulation schemes beyond four coherent states From the description of our security proof method, we remark that this proof technique does not depend on the distribution of the statistics, whether it is Gaussian or not. Also, it is not difficult to see that our method can be generalized to analyze discrete-modulated CV QKD protocols with more coherent states. If Alice modulates using ℓ coherent states, then Alice's system A is ℓ dimensional from the source-replacement scheme. In this case, the corresponding optimization problem essentially has the same form as in Eq. (16), except that the index x now runs from 0 to ℓ − 1 and the maps G and Z need to be modified accordingly to match the description of the protocol in a straightforward way. A guide to defining the postprocessing map G is also provided in Appendix A.

IV. SIMULATION AND KEY RATES
In this section, we first discuss our model for simulating experiments that execute each protocol. From the simulation, we can obtain relevant expectation values like q and p that we usually obtain from an actual experiment and which are the starting point of our key rate optimization problem in Eq. (16). Then we comment on the numerical performance of our current algorithm and discuss relevant numerical issues. Finally, we present key rates for both protocols with different variations. We emphasize that our security proof technique, of course, does not depend on the model of experiment that we use to predict the experimental behavior.

A. Simulation model
To understand how the protocols behave in a realistic scenario, we simulate the quantum channel as a realistic physical channel in the absence of Eve. Such a channel in the context of optical fiber communication can be described by a phase-invariant Gaussian channel with transmittance η and excess noise ξ which is defined as where (∆q vac ) 2 is the variance of q quadrature for the vacuum state and (∆q obs ) 2 is the variance of q quadrature observed for the signal state. Here we consider the case where both q and p quadratures have the same variance. With our definition of quadrature operators, (∆q vac ) 2 = 1 2 . In the literature, the value of excess noise is usually reported in a couple of different ways, depending on who makes the observation of (∆q obs ) 2 . To avoid possible confusion when discussing the value of excess noise, we clarify these definitions. We use ξ to mean the excess noise in the case where Alice measures (∆q obs ) 2 at the output of her lab and use δ in the case where Bob measures (∆q obs ) 2 for the received signal state.
A natural way to simulate this phase-invariant Gaussian channel is that, when Alice prepares a coherent state |α and sends to Bob via this channel, the output state from the channel becomes a displaced thermal state centered at √ ηα with the variance 1 2 (1 + δ) for each quadrature. An alternative but equivalent way is that, when Alice wants to prepare a coherent state |α , the state after preparation becomes a displaced thermal state centered at α with the variance 1 2 (1+ξ) for each quadrature at the output of her lab. Then, the state is transmitted via a pure-loss channel, and the final output state that reaches Bob's lab is a displaced thermal state centered at √ ηα with the variance 1 2 (1 + ηξ) for each quadrature. Therefore, we see that, for this physical channel, δ = ηξ. In this work, we use the definition of ξ when we discuss the value of excess noise. Readers should be able to translate between these two definitions by the relation δ = ηξ.
Given a displaced thermal state centered at √ ηα with the variance 1 2 (1 + ηξ) for each quadrature, we can then calculate our simulated values for q , p , n , and d (by either using quasiprobability distribution like the Wigner function or Q function of the final state or expanding the final state in the photon-number basis). These values can then be supplied to the optimization problem in Eq. (16), which, in turn, can be solved numerically.

B. About numerical algorithm and performance
To perform the numerical calculation of secret key rates, we apply the two-step procedure mentioned in Ref. [23]. At the first step, we adopt the Frank-Wolfe algorithm [39] to find a suboptimal attack that gives rise to a suboptimal bipartite state ρ AB . At the second step, we use this suboptimal ρ AB to solve a linear SDP problem to obtain a reliable lower bound on the key rate, which also takes the constraint violation into consideration. The Frank-Wolfe algorithm used in the first step is an iterative first-order optimization algorithm. We start with an initial choice of ρ AB in the feasible set S, and, in each iteration, we solve a linear SDP problem to update the choice of ρ AB until a stopping criterion is satisfied. Since this optimization algorithm may have a very slow rate of convergence near the optimal point in some scenarios, in order to have a reasonable running time, we limit the maximum number of Frank-Wolfe iterations to be 300. To solve linear SDP problems in both the first and second steps, we employ the CVX package [40,41] and SDPT3 [42,43] solver in Matlab.
In Fig. 2, we plot the results of the first step and the second step for protocols 1 and 2 in the case of the pureloss channel (ξ = 0) which is discussed in detail in Sec. IV C. Here, we utilize this figure to illustrate some aspects of the numerical analysis. The result from the first step can be treated as an approximate upper bound, since it is given by a suboptimal ρ AB . (It is only approximate, because the feasible set S might be enlarged either due to the coarse-graining of constraints or due to the numerical constraint violation.) The result of the second step is a reliable lower bound on the key rate. There are three regions in each plot. Since both plots have similar numerical behaviors, we take Fig. 2(a) as an example to discuss these three regions. The first region is where both steps give essentially the same results, as we can see for points between 0 and around 120 km. The second region is between around 120 and 150 km, where there is a noticeable gap between our approximate upper bound and the reliable lower bound. This gap is an indicator that the first-step algorithm fails to find a good suboptimal ρ AB . In fact, the chosen number of maximum iterations for the first-step Frank-Wolfe algorithm is reached for those points. The third region is beyond 150 km where the lower bound is missing in the plot. This result is because the suboptimal ρ AB from the first step also has some noticeable constraint violation when the first step terminates prematurely after 300 iterations. Since we take constraint violations into account in the second-step calculation to obtain a reliable lower bound according to Ref. [23], these points correspond to the case where the lower bound obtained is zero. To obtain a better lower bound, one needs to improve the result of the first-step calculation. There are several possible ways to improve the first-step result: i) replacing the Frank-Wolfe algorithm by other optimization algorithms, ii) using a different SDP solver, iii) choosing a different initial point (ρ AB ) for the first step, and iv) increasing the number of iterations.
The main reason behind these alternatives is that different solvers and different algorithms can have different Secure key rates versus the transmission distance for the pure-loss channel to demonstrate the numerical behavior of our two-step key rate calculation procedure and to compare with the analytical results (direct evaluation of the Devetak-Winter formula) for both protocols. The transmittance is η = 10 −0.02L for each distance L in kilometers, and the reconciliation efficiency is β = 0.95. The curve with circle markers is the approximate upper bound from the first step, and the curve with star markers is the reliable lower bound obtained from the second step. The curve with square markers is the analytical results presented in Appendix C. The solid line with no markers is the repeaterless secret key capacity bound [44,45]. rates of convergence and, thus, can potentially give better results within the time limit. Since the aim of this work is not about optimizing the numerical optimization algorithm, we choose to report results based on our current choice of algorithm and solver mentioned before with the limitation of 300 iterations in the first step, and we see that such a choice works well in many scenarios. For all the remaining figures in this work, we report only the reliable lower bound obtained from the sec-ond step. For some of the curves shown in this work, even though there are data points from the second and third scenarios mentioned above, which are not compatible with the general trend of the curve, these numbers can still be safely interpreted as reliable (but very pessimistic) secret key rates. We may expect that, if we improve the optimization algorithm (which is not the goal of this work), we can obtain smoother curves. It is also interesting to point out that, when we add some nonzero excess noise, the curves that we obtain (shown in later sections) can be smoother than the loss-only curves. We can understand this behavior from the fact that the rank of the density matrix ρ AB is much smaller than its dimension for the loss-only case, and, thus, the problem is not numerically well conditioned. One can improve on this aspect if one can reformulate the problem using a lower-dimensional representation.

C. Loss-only scenario: Comparison to analytical results
We first present the results for the loss-only scenario, that is, ξ = 0. For this scenario, we can also obtain an analytical result to have a direct comparison with our numerical result. A direct evaluation of the Devetak-Winter formula is possible in this scenario since we can determine Eve's relevant conditional states (up to irrelevant unitaries). As shown in Ref. [21], in the loss-only case, we need only to consider the generalized beamsplitting attack. When Alice sends |α x A ′ to Bob, the state becomes √ ηα x B √ 1 − ηα x E after the pure-loss channel. Eve's conditional states conditioned on Alice's string value x and Bob's raw key string value z effectively live in a two-dimensional subspace for protocol 1 and a four-dimensional subspace for protocol 2. This result makes the direct analytical evaluation possible. We leave the procedure of this analytical evaluation to Appendix C. For the numerical key rate optimization, the loss-only scenario follows as a special case of the noisy scenario (using ξ = 0), which we discuss in later sections.
A pure-loss channel is characterized by its transmittance η = 10 −(αattL/10) for each distance L in kilometers with the attenuation coefficient α att , which is 0.2 dB/km for the relevant communication fiber. One may take the quantum efficiency of realistic homodyne and heterodyne detectors into account. A simple but pessimistic way to deal with the detector efficiency is that the loss due to the imperfect detector is also attributed to Eve. In such a worse-case scenario, we can define the total transmittance as η = η det 10 −0.02L , where η det is the quantum efficiency of the detectors. If one defines an effective distance L 0 for the detector inefficiency, that is, η det = 10 −0.02L0 , then L 0 is less than 13 km for practical homodyne and heterodyne detectors with the quantum efficiency ≥ 55% [46]. For the ease of presentation and convenience of comparison with other works using different values of detector efficiency, we set η det = 1 in this work unless noted otherwise. One may obtain the key rate value corresponding to a realistic value of efficiency by subtracting the effective distance L 0 from all relevant figures.
We plot the key rate versus transmission distance in the loss-only scenario for protocol 1 in Fig. 2(a) and for protocol 2 in Fig. 2(b). For both protocols, we plot both the numerical key rate calculation results and the key rate that can be obtained by a direct evaluation of the Devetak-Winter formula. Interestingly, we see that our numerical results are close to the analytical results for both protocols up to a distance around 120 km. Above 120 km, we notice that there is a visible gap between our approximate upper bound and the reliable lower bound, which indicates there is room for improvement on the numerical algorithm. We also notice that our first-step result is slightly lower than the analytical result. The reason is that, by analytical analysis, we know the feasible set S effectively should contain only one state (up to irrelevant unitaries from the perspective of entropy evaluation). However, we use coarse-grained constraints in our numerical optimization, and, thus, the feasible set S is actually enlarged. We expect that, if all fine-grained constraints are used, we should be able to reproduce the analytical results in this loss-only scenario (when a better optimization algorithm is used).
We also include the repeaterless secret key capacity bound for the pure-loss channel [44,45] in both plots, that is, R ∞ ≤ − log 2 (1 − η). With the reconciliation efficiency β = 0.95 (explained in the next section), the key rate for protocol 1 is roughly 1 15 of the secret key capacity bound, and the key rate for protocol 2 is approximately 1 10 of the bound. Since Gaussian modulation schemes with the perfect reconciliation efficiency can reach 1 2 of this bound [45], we see that the performance of the quaternary modulation scheme is not far away from that of the Gaussian modulation schemes in the loss-only scenario.

Simulated statistics and error-correction cost
We now consider the noisy scenario with nonzero excess noise ξ. From the homodyne measurement, for each α x ∈ {α, −α, iα, −iα}, the simulated statistics is given as With these values specified, we perform the optimization to bound Eve's information.
Since we simulate the experimental behavior and the cost of error correction is not a part of the optimization, we now present the analytical formula to estimate δ EC from the simulated statistics and numerically evaluate the formula. In this protocol, we use only |+α , |−α (α ∈ R) and the q quadrature measurement to generate keys. After Bob performs his key map, Alice and Bob effectively communicate via a binary channel for the purpose of error correction. From the simulation, the probability distributions of Bob's q quadrature measurement outcomes for conditional states ρ 0 B and ρ 1 B are Since we allow postselection with the cutoff parameter ∆ c , the sifting probability reads where β is the reconciliation efficiency whose value is usually reported in the CV QKD literature. Therefore, In this work, we use β = 0.95 in all figures unless mentioned otherwise.

Key rates for protocol 1
We first investigate the optimal choice of coherent state amplitude α in the absence of postselection, that is, ∆ c = 0. In Fig. 3, we plot the key rate versus the choice of α for a selected set of distances in the case of the excess noise ξ = 0.01. The optimal choice of α for each distance L = 20, 50, 80, 100 km lies around 0.4, corresponding to a mean photon number of 0.16 from Alice's source. We also see that the optimal choice does not change significantly for different distances. This observation allows us to search in a restricted interval when we optimize α to maximize the key rate for each transmission distance.
In Fig. 4, we show the secret key rates as a function of the transmission distance for protocol 1 with homodyne detection for different choices of excess noise ξ. For this plot, we optimize the coherent state amplitude α by a coarse-grained search in the interval [0.35, 0.6]. As we can see from the plot, we can reach around 200 km with an experimentally feasible value of excess noise, say, ξ = 0.01 [46,47] with the current technology before the key rate becomes insignificant (say, less than 10 −6 per pulse). To put the number in a more concrete and realistic context, if we consider a system with the repetition rate of 1 GHz and with the detector efficiency 55%, we can obtain 10 3 bits per second at the distance of around 170 km if the total excess noise ξ can be made to be 1% or less.
We also investigate the effects of postselection. The idea of postselection was initially introduced to CV QKD protocols in order to beat the 3 dB limit [19]. The key rate can be potentially improved by discarding very noisy data where Eve has more advantages in determining the raw key than the party (Bob in the case of direct reconciliation and Alice in the case of reverse reconciliation) who needs to match the raw key via the error correction. Intuitively, if we optimize the postselection parameter ∆ c , the key rate can never be lower than the protocol with- out postselection since one can always set ∆ c = 0 if it is optimal to do so. The important observation here is that our security proof technique allows us to consider postselection with ∆ c > 0 by a simple modification of the postprocessing map G, unlike previous security proofs based on Gaussian optimality. In Fig. 5, we take the case with an excess noise ξ = 0.02 and a fixed coherent state amplitude α = 0.45 as an example to illustrate how the postselection strategy can improve the key rate in the reverse reconciliation scheme and to what extent it can help. We first search an optimal value for the postselection parameter ∆ c by a coarse-grained search, and we see, in Fig. 5(a), that the optimal value is around 0.6 at the distance L = 20 km. We also obtain similar plots for different choices of distance and find that the optimal value falls roughly in the interval [0.5, 0.7]. In Fig. 5(b), we compare the key rate with postselection (∆ c > 0) to that without postselection (∆ c = 0) for two values of reconciliation efficiency β. In this plot, we optimize the postselection parameter ∆ c via a coarse-grained search in the interval [0.5, 0.7]. Since the curves with postselection are above the curves without postselection, we see that the postselection strategy can improve the key rates. We also notice that, for reverse reconciliation schemes, the advantage of postselection also depends on the reconciliation efficiency β. The gap between these two scenarios ∆ c = 0 and ∆ c > 0 is smaller when a more efficient code (larger β) is used. E. Noisy scenario: Protocol 2

Simulated statistics and error-correction cost
We now investigate protocol 2 which uses heterodyne detection. From the heterodyne measurements, for each conditional state ρ x B with α x ∈ {α, iα, −α, −iα}, we obtain a Q function Q x as From each Q function, we can then calculate Note that those values are exactly the same as from the homodyne measurements, since we have the same state after the simulated quantum channel. We obtain those values here indirectly via the Q function.
We also present the procedure to calculate δ EC for protocol 2. We can numerically evaluate H(Z|X) via the probability distribution: where j, k ∈ {0, 1, 2, 3}, R j 's are the region operators defined in Eq. (20), and the conditional state ρ k B is defined in Eq. (8). (In the case of postselection, we then renormalize this probability distribution by the probability of being postselected.) Then, δ EC can be calculated by the second line of Eq. (28), as we now take into account that we have an alphabet of four symbols on both sides in the error-correction step. As with the case of protocol 1, we start by investigating the optimal choice of coherent state amplitude α for protocol 2. In Fig. 6, we plot the key rates versus α for selected distances when the excess noise ξ is 0.01. Comparing to Fig. 3, we see that the optimal α for this variant with heterodyne detection is, in general, larger than that for protocol 1. The optimal choice of α in protocol 2 is around 0.7 for those selected distances, corresponding to a mean photon number around 0.49, while the optimal choice of α in protocol 1 is around 0.4 for those selected distances, corresponding to a mean photon number around 0.16. Like protocol 1, we observe that the optimal value of α for protocol 2 does not change significantly for a wide range of distances. From the observation here, we later limit our search for optimal choice of α in a restricted interval. In Fig. 7, we plot the secure key rate versus the transmission distance for different values of excess noise ξ. We optimize the coherent state amplitude α via a coarsegrained search over the interval [0.6, 0.92]. We observe that protocol 2 can reach around 200 km even with an excess noise ξ = 0.02. Interestingly, we see that the key rate for protocol 2 is much higher than protocol 1 when the excess noise is large. For a direct comparison, we replot key rates of both protocols for the values of excess noise ξ = 0.01 and 0.02 from Figs. 4 and 7 in Fig. 8. We observe that protocol 2 achieves much higher key rates and reaches longer distances than protocol 1 for the same amount of excess noise. In this figure, we also plot the key rate of protocol 2 with the excess noise ξ = 0.04 for a direct comparison to the key rate of protocol 1 with the excess noise ξ = 0.02. We see that protocol 2 behaves similarly as protocol 1 with half of the excess noise for those values of excess noise considered here.
We then compare our results with an independent security analysis in Ref. [18] for a similar protocol. In addition to different proof methods, we differ from that protocol by how the error correction is done, which affects the calculation of the error-correction cost term δ EC . In particular, our error-correction cost is higher because we discretize Bob's measurement results and consider only binary or quaternary error-correcting codes. In Ref. [18], the mutual information I(X; Z) is obtained by the channel capacity of the binary additive white Gaussian noise channel, which is approximated by the capacity of an additive white Gaussian noise channel This result leads to a smaller value of δ EC by the conversion formula in the first line of Eq. (28). In Fig. 9, we plot the key rate results from both our work and Ref. [18] with a fixed choice of the coherent state amplitude α = 0.35 for all distances plotted and with two different values of excess noise. As we can see, our security proof approach provides remarkably higher key rates compared with the approach with a reduction to the Gaussian optimality. Our security analysis shows that this protocol has a good tolerance on the excess noise and can extend to significantly longer distances. We emphasize that this choice of α = 0.35 is not optimal for both works. While this value is closer to the optimal value found in Ref. [18], the optimal value of the coherent state amplitude found in our work is around 0.7 (for ξ = 0.01), as mentioned before. Thus, we also include two curves from Fig. 7, where the coherent state amplitude α is optimized via a coarsegrained search in the interval [0.6, 0.92] for comparisons. As we can see from Fig. 9, the key rate can be significantly improved after we optimize α. We summarize two factors that can boost the key rates. First, our security proof technique gives a tighter estimation of Eve's in-formation compared with the reduction to the Gaussian optimality approach. Second, the key rate can be improved by using a slightly larger value of α than what is investigated in Ref. [18]. This regime of α is not explored in Ref. [18], because the reduction to the Gaussian optimality approach for discrete-modulation schemes gives tight key rates only in the limit of α → 0 and can give quite loose key rates for large values of α. In the same figure, we also compare our results for protocol 2 with a Gaussian-modulated CV QKD protocol using heterodyne detection [6], where the modulation variance is optimized for each distance. We observe that this quaternary modulation scheme has key rates comparable to the Gaussian modulation scheme. Finally, we present the results on the effects of postselection. Our coarse-grained search for values of ∆ p suggests that the optimal value is ∆ p = 0; that is, we do not postselect the data based on the phase. For the postselection parameter ∆ a related to the amplitude of the measured complex value from heterodyne detection, we then perform a coarse-grained search for its optimal value. In Fig. 10, we consider the scenario with an excess noise ξ = 0.04 and with a fixed coherent state amplitude α = 0.6 as an example. In Fig. 10(a), we plot the key rate versus this parameter ∆ a at the distance L = 20 km with the reconciliation efficiency β = 0.95. From this plot, we observe that the optimal value of ∆ a is around 0.6 at this distance. We also obtain similar plots for various choices of the distance and find that the optimal value roughly falls in the interval [0.4, 0.7]. In Fig. 10(b), we compare key rates with or without postselection for two different values of reconciliation efficiency at different transmission distances, and, for this plot, we optimize the values of ∆ a via a coarse-grained search in the interval [0.4, 0.7]. We again notice that postselection with reverse reconciliation can improve the key rates. We remark that the improvement due to postselection in the reverse reconciliation scheme is more visible for less efficient error-correcting codes, larger excess noise, and longer transmission distances. This result agrees with the observation made in Ref. [21] under a restricted class of attacks.

V. SUMMARY AND OUTLOOK
In this work, we investigate the asymptotic security of discrete-modulated CV QKD protocols against collective attacks and demonstrate our proof method on the quadrature phase-shift keying scheme. We observe that CV QKD with quaternary modulation can significantly improve the key rate compared with previous binary and ternary modulation schemes [13,14]. We also directly compare our results with the results in a recent independent work [18], which uses a different proof technique from ours. Interestingly, as our security proof approach can give tight key rates, we are able to obtain significantly higher key rates than Ref. [18]. Our results show that this protocol can achieve comparable key rates as A comparison of key rates between our work and Ref. [18] for the heterodyne scheme with two different values of excess noise: (a) ξ = 0.005 and (b) ξ = 0.01. In each plot, the curve with triangle markers is from Ref. [18] with a fixed (not optimal) coherent state amplitude α = 0.35, and the curve with diamond markers is from this work with the same value of α. The curve with circle markers is also from this work with an optimal value of α for each distance. The curve with no markers is the key rates of a Gaussian-modulated CV QKD protocol [6] with an optimal modulation variance for each distance. All curves use the reconciliation efficiency β = 0.95.
Gaussian modulation schemes. In addition, we consider the effects of postselection and demonstrate that postselection can improve the key rates. We remark on possible directions for future work. Since our security analysis imposes a photon-number cutoff assumption which truncates the total dimension of the system by ignoring the subspace that has negligible contributions, it requires further investigations to remove this assumption and to generalize the current proof to include finite-size effects and general attacks. We mention two possible paths to reach this final goal in Sec. III B, and there are challenges in each direction. In addition, there are also possible ways to improve the key rates. In both protocols, we discretize Bob's measurement outcomes to obtain binary or quaternary strings. Therefore, we consider only binary or quaternary errorcorrecting codes. One can potentially improve the key rates by a better choice of key map and, thus, a better error-correction strategy. For a better choice of key map, one may run the optimization in Eq. (16) with modified G and Z maps. Another direction for improvement is to find a better way to treat the imperfection of detectors in the security analysis. We currently treat detectors as perfect detectors. To obtain key rates with imperfect detectors, we can apply a simple but pessimistic treatment; that is, additional loss and additional excess noise due to imperfect detectors are attributed to Eve. By doing so, we can simply modify two parameters η and ξ to obtain key rates related to imperfect detectors. However, since detectors are securely located in Bob's laboratory, one may treat the excess noise due to detector imperfection like the electronic noise as trusted noises (e.g., see Refs. [46][47][48]). By not giving Eve this additional power, one may improve the key rates. We leave further improvements to future work.

ACKNOWLEDGMENTS
We thank Patrick Coles and Adam Winick for valuable discussions on the numerical method in Ref. [23] and their contributions to the MATLAB codes related to Ref. [23] and thank Ian George for code review. We thank Anthony Leverrier for helpful discussions and comments on an early version of this manuscript and for providing data points from Ref. [18] for the comparison in Fig.  9. We thank Christoph Marquardt and Kevin Jaksch for discussion about feasible experimental parameters. The work has been performed at the Institute for Quantum Computing, University of Waterloo, which is supported by Industry Canada. The research has been supported by NSERC under the Discovery Grants Program In this Appendix, we present a derivation of a general postprocessing framework for the numerical method in Ref. [23], which reproduces the form of postprocessing map G presented in Ref. [23] when Eve's systems are traced out. Based on this derivation, we then make several observations to simplify the postprocessing map G in special cases, which leads to a reduction of the dimensions required in the numerical analysis. Finally, we remark how G maps are simplified in this work.
We begin with some definitions to set up the notations. When we write an operator on composite registers, we omit the identity operator on the unspecified registers and may reorder registers for ease of writing. Moreover, the relevant unspecified registers depend on the context. Let X denote the set of Alice's measurement outcomes. With Alice's set of announcements S A , we partition the set X into subsets X a for a ∈ S A such that X = a∈S A X a . Similarly, we partition Bob's measurement outcomes Y as Y = b∈S B Y b by using his set of announcements S B . To simplify our notation, we assume without the loss of generality that |X a | = ω A for all a ∈ S A and |Y b | = ω B for all b ∈ S B for some numbers ω A and ω B independent of a and b. This assumption can be easily satisfied by a clever way of bookkeeping measurement outcomes. Then, we define a family of maps   Here, m, r, and n are some sufficiently large integers so that we have a representation of the basis elements for each register in the computational basis of qubits. See the text in Appendix A for more explanations.

A full model for the relevant postprocessing steps
We give a schematic circuit diagram in Fig. 11 to describe the announcement (including measurement), sifting and key map steps. This diagram covers the scenarios related to this work, and it works for protocols with one round of announcements and with reverse reconciliation. It is not difficult to draw a similar diagram in other scenarios, including the direct reconciliation schemes. Under collective attacks, Alice and Bob share a bipartite quantum state ρ AB after each transmission of a quantum signal. In the worst-case scenario, Eve holds a purification ρ ABE of ρ AB . The initial state in the circuit diagram is ρ ABE . At each step, the state is evolved by an isometry; that is, we introduce some local registers and evolve the state by a local unitary. We also keep track of the information leakage during the classical communication. If some information is publicly available during the classical communication in the protocol, then each party holds a copy of the relevant registers. One can recover the classical communication information by measuring a local copy of these registers in the computational basis. Now, we discuss each of the three steps in detail.
The isometries related to the announcement and measurement step are denoted by W A for Alice and W B for Bob. In particular, W A first introduces two registers A and A and then applies a unitary operator U A AM to implement Alice's POVM P A in a coherent fashion, where announcements are stored in the register A and measurement outcomes are in the register A. Like Alice's isometry W A , Bob's isometry W B implements his POVM P B with the announcement register B and measurement outcome register B using a local unitary U B AM . Since the announcement information is available to everyone, Eve obtains a copy (denoted by E A ) of A and a copy (denoted by E B ) of B. The coherent version of copying is represented by the controlled NOT operation. Also, Alice and Bob each have a copy of the other party's announcement register, denoted by B copy and A copy , respectively. For convenience of writing, we use A and B to refer to both Alice's and Bob's copies of A and B. As we see later, we can actually combine the register A with A copy and combine B with B copy in the key rate calculation. In this diagram, the state after the announcement and measurement step is ρ where for ease of writing, we reorder the registers and use a shorthand notation for collections of registers: [A] for registers A AA and [B] for registers B BB.
The sifting step partitions the set of announcement events S A × S B as S A × S B = K ∪ D, where K is the set of announcement events to be kept and D is the set of announcements to be discarded. The sifting isometry (denoted by V S ) introduces a register S to store the result of sifting ("keep" or "discard") and performs a unitary operator U S on the local copies of registers A and B to compute the sifting decision. In a common scenario, each party can implement this unitary U S from the description of a protocol. If it is not from the protocol description and additional classical communication is needed, then, after a party implements this unitary operation, other parties obtain a copy of the register S. For simplicity, we use S to refer to both Alice's and Bob's copies of this register. In the diagram, the state after this sifting step is ρ where we use a shorthand notation [E] to refer to Eve's collection of registers The key map isometry V K introduces a register R and applies a local unitary U K to compute the key map g and to store the result in the register R. This key map g takes the announcement (a, b) ∈ S A × S B and Alice's measurement outcome f a (α) in the case of direct reconciliation or Bob's measurement outcome f b (β) in the case of reverse reconciliation as inputs and outputs a value in {0, 1, . . . , N − 1} where N is the number of key symbols. For the purpose of derivation, we include an additional key symbol ⊥ to this set and map all discarded events to it. We see later that we can eventually remove the symbol ⊥ from the set of key symbols. In the diagram, the state after the key map state is ρ To give explicit expressions for these isometries W A , W B , V S , and V K , we first define K A a and K B b as where {|a : a ∈ S A } and {|b : b ∈ S B } are orthonormal bases for registers A (E A ) and B (E B ) and {|α : α ∈ Ω A } and {|β : β ∈ Ω B } are orthonormal bases for registers A and B, respectively. (Note that |α here is not a coherent state discussed in the main text.) We remark that K A a and K B b are the same as defined in Eqs. (40) and (41) of Ref. [23] if we write f a (α) as α a and f b (β) as β b . Then W A , W B and V S are defined, respectively, as where Π = (a,b)∈K |a a| A ⊗|b b| B and {|K , |D } is an orthonormal basis for the register S (E S ). To write out the key map isometry V K , we take the reverse reconciliation schemes as an example, and it is straightforward to write out V K in the case of direct reconciliation schemes by using Alice's measurement outcome f a (α) instead of Bob's outcome f b (β). We first define an (partial) isometry V on the subspace that Π projects onto and then write out V K : We remark that the final state ρ K is a pure state since ρ ABE is a pure state, and we apply only isometries to it.

R[A][B]S[E]
). We then define an announcement map A for an input state σ as where p pass = Tr V ΠA(ρ AB )ΠV † = Tr(A(ρ AB )Π) is the same sifting probability defined in the main text and To show that the symbol ⊥ has no contribution to the key rate, we use the following lemma (see Ref. [50]). Lemma 1.-For quantum-classical states ρ QX and σ QX defined as ρ QX = x p(x)ρ x Q ⊗ |x x| X , σ QX = x q(x)σ x Q ⊗ |x x| X , where p and q are probability distributions over a finite alphabet X and ρ x Q and σ x Q are density operators for all x ∈ X , the quantum relative entropy is D(ρ QX ||σ QX ) = x p(x)D(ρ x Q ||σ x Q ) + D(p||q). Applying the lemma to the state ρ where we define G(ρ AB ) = V ΠA(ρ AB )ΠV † , which is the same as in Ref. [23].
Finally, we remark that, on the subspace where Π projects, the symbol ⊥ does not show up anymore. Thus, we can modify {Z j } to remove the symbol ⊥ in the end. This modification gives back to the definition of Z shown in Ref. [23].

Simplifying the postprocessing map
We now provide several remarks to explain how we can simplify the map G while making sure that such a simplification does not change our calculated key rates. Our discussion here takes the reverse reconciliation schemes as an example. It is straightforward to adapt the arguments to the direct reconciliation schemes.
We first make a remark about the registers A copy and B copy that are hidden in our notation A and B. After tracing out Eve's registers E A and E B , Alice's register A and Bob's copy A copy are both classical registers, and, likewise, Bob's register B and Alice's copy B copy are classical. Since each of the sifting and key map steps is done locally via a controlled unitary whose target is the register S or R alone, we can pull out two copies of registers A and B to write the final state in the form of the quantum-classical state to which the previous lemma applies. If we look at the block diagonal structure of G(ρ AB ) with respect to two copies of the register A, we see directly that the state with a single copy of the register A is just embedded in a larger space with two copies of the register A. This result means the eigenvalues of the state are unaffected by removing one copy of the register A. A similar argument works for two copies of B. Moreover, from the previous lemma, we see immediately that we can calculate the key rate from individual announcements if we write the key map g as g[a, b, f b (β)] =: g ab (β) for a collection of functions g ab , one for each (a, b) ∈ K. In this case, for each (a, b) ∈ K, we define an isometry V ab = β∈Ω B |g ab (β) R ⊗ |β β| B and a completely positive map G ab for an input state σ Besides the lemma, our objective function has another important property. Since the quantum relative entropy is invariant under an isometry, if an isometry can commute with G and Z maps, then our objective function is also invariant under this isometry. In other words, we can add or remove an isometry W (that acts only on Alice's and Bob's registers) in the final expression of Eq. (A7) if W commutes with G and Z maps.
From this property of our objective function, if those functions g ab 's are the identity function, then we see that each isometry V ab simply copies the register B and stores this copy to the register R. Adding this copy is a local isometry and renaming the register B by the name R is a unitary. Thus, we can combine the registers B and R and retain the name of R.
12. An alternative description of the announcement step for the reverse reconciliation schemes. This step can be decomposed into two steps. At the first step, Alice performs only a coarse-grained measurement with a unitary U A A to obtain announcement results, and Bob also performs a coarsegrained measurement with a unitary U B C to obtain announcement outcomes and coarse-grained measurement information. At the second step, they choose to perform optional refined measurements (U A M and U B F ) conditioned on the announcements (and previous coarse-grained measurement information for Bob). They can postpone the refined measurements after giving Eve announcement results and in some cases choose not to perform the refined measurements.
Also, based on this property of our objective function, we now discuss when we can omit the appearance of the register A. As depicted in Fig. 12, the announcement and measurement step can be decomposed into two steps. First, Alice performs a coarse-grained measurement (with associated unitary U A A in this figure) to make announcements. Second, conditioned on her own announcement result, Alice performs a refined measurement (with a controlled unitary U A M in the figure) if needed to obtain the fine-grained measurement outcomes. As the refined measurement is done in Alice's local registers, to which Eve has no access, Alice's refined measurement can be described by a local isometry. This local isometry can be performed after Eve obtains a copy of the announcement registers. In the reverse reconciliation scheme, since the key map isometry V does not depend on the register A, the isometry that describes Alice's refined measurement then commutes with G and Z maps. This result means that, from the key rate calculation perspective, we can drop this isometry due to the property of our objective function. More precisely, if we define P A a = α∈Ω A P A [a,fa(α)] for each a ∈ S A and define K A ′ a = P A a ⊗ |a A , then we can replace the map G by the map G ′ defined as A9) for an input state σ. (A similar replacement can be done for G ab .) A similar argument can be applied to the direct reconciliation schemes by interchanging the roles of Alice's and Bob's registers to show that we can omit the register B for direct reconciliation.
Along the same line of argument, we remark that the refined measurement conditioned on the announcements can be a coarse-grained instead of the fine-grained measurement if the key map uses only the coarse-grained information. This process is also described in Fig. 12. Bob first applies an isometry (with associated unitary U B C in the figure) to implement the coarse-grained measurement which gives the same coarse-grained information needed for the key map g and then applies an additional isometry (with associated unitary U B F in the figure) to obtain fine-grained measurement outcomes. As the sifting step depends only on the announcement, we can move Bob's refined measurement after the sifting step (not shown in this figure). Since the key map uses only the coarsegrained information, the key map isometry effectively undoes the unitary U B F . Therefore, we can take the POVM related to the coarse-grained measurement when we write out Kraus operators K B b in Eq. (A1). Finally, we explain how we derive the Kraus operators shown in Eqs. (17) and (21). First, since we consider the reverse reconciliation schemes, we can omit the measurement outcome register A. Second, since the key map of each protocol only uses the coarse-grained measurement outcomes, instead of using Bob's fine-grained POVM corresponding to homodyne or heterodyne measurements, we use the coarse-grained POVM ({I 0 , I 1 , 1 − I 0 − I 1 } for protocol 1 and {R 0 , R 1 , R 2 , R 3 , 1− 3 j=0 R j } for protocol 2). Since the set K contains only one element, we are left with only one term in the summation of Eq. (A8) after removing registers A and B. Finally, the key map in this case is the identity map. Thus, we combine registers R and B and retain the name R for this combined register.

APPENDIX B: OPERATORS WITH THE PHOTON-NUMBER CUTOFF
Let N denote the photon-number basis up to N c , that is, N = {|0 , . . . , |N c }. In this work, we impose a photon-number cutoff assumption, that is, ρ AB = (1 A ⊗ Π Nc )ρ AB (1 A ⊗ Π Nc ) with the projection Π Nc onto the subspace spanned by the basis N . Since Alice's system is irrelevant for our discussion here, we focus on the conditional states ρ x B in the following discussion. For any operatorÔ acting on Bob's system, we observe that Tr ρ x BÔ = Tr Π Nc ρ x B Π NcÔ = Tr (Π Nc ρ x B Π Nc )(Π NcÔ Π Nc ) .

(B1)
This observation allows us to define the truncated version of the operatorÔ by Π NcÔ Π Nc . In our optimization problem [see Eq. (16)], the relevant operators are of the forms Π Nc ρ x B Π Nc and Π NcÔ Π Nc , which have finitedimensional matrix representations. Specifically, we can find a matrix representation ofÔ in the basis N . We start by writing out the annihilation operatorâ in this basis, and then the creation operatorâ † is just its conjugate transpose. Consequently, other relevant operatorŝ q,p,n, andd can be written directly following from their definitions in terms ofâ andâ † . In this basis, It is not difficult to write out the interval operators I 0 and I 1 and region operators R 0 , R 1 , R 2 , and R 3 in this basis. To do so, we use the overlap q|n between a quadrature eigenstate |q and a photon-number state |n and the overlap γe iθ n between a coherent state γe iθ and a photon-number state |n . With our definition of quadrature operators in Eq. (15), the overlaps q|n and γe iθ n read [51] q|n = 1 π 1 2 2 n (n!) exp − q 2 2 H n (q), γe iθ n = e − γ 2 2 γ n e −inθ √ n! , respectively, where H n is the Hermite polynomial of the order of n. We then perform the relevant integrals to obtain a finite-dimensional matrix representation in this basis. Finally, in the expression of the Kraus operators shown in Eqs. (17) and (21), we need to take the square root of each of the interval operators I 0 and I 1 or region operators R 0 , R 1 , R 2 , and R 3 . A caution about the ordering of truncation and square root is needed. For example, even though the interval operators are projective on the entire infinite-dimensional space such that the square root of each operator is identical to itself, the truncated version of each interval operator is no longer projective in the finite-dimensional subspace spanned by the basis N . We now explain the proper way to handle this issue. With the photon-number cutoff assumption ρ = Π Nc ρΠ Nc , we see from Eq. (B1) that, for a POVM element F on the infinite-dimensional space, the corresponding POVM element on this finite-dimensional subspace becomes Π Nc F Π Nc . As we know from Appendix A, the purpose of taking the square root of a POVM element is to realize this POVM measurement in an isometric fashion. Since the relevant POVM element on this finite-dimensional subspace is Π Nc F Π Nc , we need to take the square root of Π Nc F Π Nc . Therefore, we first take the truncation and then take the square root.

APPENDIX C: EVALUATION OF LOSS-ONLY KEY RATES
We discuss how to evaluate the Devetak-Winter formula in the loss-only scenario in the absence of postselection. When Alice sends |α x A ′ to Bob, in the absence of noise, Bob can verify that he receives a pure coherent state via homodyne or heterodyne detections. In the case of homodyne detection, Bob can verify that the received state is a minimum uncertainty state with the same variance for both quadratures, which implies it is a pure coherent state. In the case of heterodyne detection, Bob performs a tomography to verify that the received state is a pure coherent state. In particular, if Bob verifies his state to be an attenuated coherent state √ ηα x , it is shown [21] that Eve's optimal attack is the generalized beam-splitting attack for this pureloss channel. Thus, the state shared by Bob and Eve becomes √ ηα x B √ 1 − ηα x E after this channel. Because of the product state structure of Bob and Eve's joint state, Bob's measurement outcome does not influence Eve's state. Therefore, conditioned on the value x of Alice's string X and the value z in Bob's raw key Z, Eve's conditional state |ǫ x,z is which is independent from z and, thus, we call it |ǫ x for simplicity.
We obtain I(X; Z) by a calculation similar to Eq. (28). We can directly calculate χ(Z : E) via where H(σ) = − Tr(σ log 2 σ) is the von Neumann entropy and the relevant states are where P (x, z) is the joint probability distribution of x and z and P (z) is the marginal probability distribution of z. Each of the relevant Eve's states |ǫ x has a two-dimensional matrix representation in the basis {|e 0 , |e 1 }, and, thus, it is straightforward to directly evaluate the Devetak-Winter formula.