Introduction

Quantum key distribution (QKD) aims at generating a secret key shared between two remote legitimate parties with information-theoretic security, which provides secure communication against an adversary with arbitrary computational power and hardware technology. Since the first proposal in 1984 [1], various QKD protocols have been proposed with many kinds of encoding and decoding schemes. These protocols are typically classified into two categories depending on the detection methods. One of them is called discrete-variable (DV) QKD, which uses photon detectors and includes earlier protocols such as BB84 [1] and B92 [2] protocols. The other is called continuous-variable (CV) QKD, which uses homodyne and heterodyne measurements with photo detectors [3,4,5]. See refs. 6,7 for comprehensive reviews of the topic.

Although DV QKD is more mature and achieves a longer distance if photon detectors with low dark count rates are available, CV QKD has its own distinct advantages for a short distance. It can be implemented with components common to coherent optical communication technology and is expected to be cost-effective. Excellent spectral filtering capability inherent in homodyne/heterodyne measurements suppresses crosstalk in wavelength division multiplexing (WDM) channels. This allows multiplexing of hundreds of QKD channels into a single optical fiber [8] as well as co-propagation with classical data channels [9,10,11,12,13,14,15], which makes integration into existing communication networks easier.

One major obstacle in putting CV QKD to practical use is the gap between the employed continuous variables and mandatory digital signal processing. The CV-QKD protocols are divided into two branches depending on whether the modulation method of the encoder is also continuous, or it is discrete. The continuous modulation protocols usually adopt Gaussian modulation, in which the sender chooses the complex amplitude of a coherent-state pulse according to a Gaussian distribution [3,4,5,16,17] (see refs. 18,19 for a review). This allows powerful theoretical tools such as Gaussian optimality [20,21], and complete security proofs for a finite-size key and against general attacks have been given [22]. To implement Gaussian protocols with a digital random-number generator and digital signal processing, it is necessary to approximate the continuous distribution with a constellation composed of a large but finite number of complex amplitudes [23,24]. This is where difficulty arises, and the security analysis has been confined to the asymptotic regime and collective attacks. The other branch gives priority to simplicity of the modulation and uses a very small (usually two to four) number of amplitudes [25,26,27,28]. As for the security analysis, the status is more or less similar to the Gaussian constellation case, and current security proofs are either in the asymptotic regime against collective attacks [29,30,31,32] or in the finite-size regime but against more restrictive attacks [33,34]. Hence, regardless of approaches, a complete security proof of CV QKD in the finite-size regime against general attacks has been a crucial step yet to be achieved.

Here we achieve the above step by proposing a binary phase-modulated CV-QKD protocol with a complete security proof in the finite-size regime against general attacks. The key ingredient is an estimation method using heterodyne measurement developed in this paper, which is suited for analysis of confidence region in the finite-size regime. The outcome of heterodyne measurement, which is unbounded, is converted to a bounded value by a smooth function such that its expectation is proved to be no larger than the fidelity of the input pulse to a coherent state. This allows us to use a standard technique to derive a lower bound on the fidelity with a required confidence level in the finite-size regime. The fidelity as a measure of disturbance in the binary modulated protocol is essentially the same as what is monitored through bit errors in the B92 protocol [2,35,36]. This allows us to construct a security proof based on a reduction to distillation of entangled qubit pairs [37,38], which is a technique frequently used for DV-QKD protocols.

Results

Estimation of fidelity to a coherent state

We first introduce a test scheme to estimate the fidelity between an optical state ρ and the vacuum state \(\left|0\right\rangle \,\left\langle 0\right|\) through a heterodyne measurement. For a state ρ of a single optical mode, the heterodyne measurement produces an outcome \(\hat{\omega }\in {\mathbb{C}}\) with a probability density

$${q}_{\rho }(\omega )\ {d}^{2}\omega := \left\langle \omega \right|\rho \left|\omega \right\rangle \frac{{d}^{2}\omega }{\pi },$$
(1)

where a coherent state \(\left|\omega \right\rangle\) is defined as

$$\left|\omega \right\rangle := {e}^{-| \omega {| }^{2}/2}\mathop{\sum }\limits_{n = 0}^{\infty }\frac{{\omega }^{n}}{\sqrt{n!}}\left|n\right\rangle .$$
(2)

We refer to the expectation associated with the distribution \({q}_{\rho }(\omega )\) simply as \({{\mathbb{E}}}_{\rho }\). To construct a lower bound for the fidelity \(\left\langle 0\right|\rho \left|0\right\rangle\) from \(\hat{\omega }\), we will use the associated Laguerre polynomials which are given by

$${L}_{n}^{(k)}(\nu ):= {(-1)}^{k}\frac{{d}^{k}{L}_{n+k}(\nu )}{d{\nu }^{k}},$$
(3)

where

$${L}_{n}(\nu ):= \frac{{e}^{\nu }}{n!}\frac{{d}^{n}}{d{\nu }^{n}}({e}^{-\nu }{\nu }^{n})$$
(4)

are the Laguerre polynomials. Our test scheme is based on the following theorem.

Theorem 1: Let \({\Lambda }_{m,r}(\nu )\) (ν ≥ 0) be a bounded function given by

$${\Lambda }_{m,r}(\nu ):= {e}^{-r\nu }(1+r){L}_{m}^{(1)}((1+r)\nu ),$$
(5)

for an integer m ≥ 0 and a real number r > 0. Then, we have

$${{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }{| }^{2})]=\left\langle 0\right|\rho \left|0\right\rangle +\mathop{\sum }\limits_{n = m+1}^{\infty }\frac{\left\langle n\right|\rho \left|n\right\rangle }{{(1+r)}^{n}}{I}_{n,m},$$
(6)

where \({I}_{n,m}\) are constants satisfying \({(-1)}^{m}{I}_{n,m} \,>\, 0\).

From Eq. (6), a lower bound on the fidelity between ρ and the vacuum state is given by

$${{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }{| }^{2})]\le \left\langle 0\right|\rho \left|0\right\rangle \quad (m:\,{\rm{odd}})$$
(7)

for any odd integer m. As seen in Fig. 1a, the absolute value and the slope of the function \({\Lambda }_{m,r}\) are moderate for small values of m and r, which is advantageous in executing the test in a finite duration with a finite resolution. Compared to a similar method proposed in ref. 39, our method excels in its tightness for weak input signals; we see from Eq. (6) that, regardless of the value of r, the inequality (7) saturates when ρ has at most m photons. This is crucial for the use in QKD in which tightness directly affects the efficiency of the key generation.

Fig. 1: The test scheme to estimate the fidelity.

a Example of the test functions \({\Lambda }_{m,r}\) used in the estimation. The values of r in the figure are chosen so that the range of \({\Lambda }_{m,r}\) is minimized for given m. In general, the minimum range of the function \({\Lambda }_{m,r}\) becomes larger as m increases. The pair (m, r) = (1, 0.4120) was used in the numerical simulation of key rates below. b A schematic description of the usage of obtained outcomes in heterodyne measurement. In order to estimate the lower bound on the fidelity to the coherent states \(\left|\pm \beta \right\rangle\), the squared distance between the outcome \(\hat{\omega }\) and the objective point \({(-1)}^{a}\beta\) (i.e., \(| \hat{\omega }-{(-1)}^{a}\beta {| }^{2}\)) is used.

Extension to the fidelity to a coherent state \(\left|\beta \right\rangle\) is straightforward as

$${{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }-\beta {| }^{2})]\le {\rm{Tr}}(\rho \left|\beta \right\rangle \,\left\langle \beta \right|)\quad (m:\,{\rm{odd}}).$$
(8)

The proofs are given in Methods.

Proposed protocol

Based on this fidelity test, we propose the following discrete-modulation protocol (see Fig. 2). Prior to the protocol, Alice and Bob determine the number of rounds N, the acceptance probability of homodyne measurement \({f}_{{\rm{suc}}}(| x| )\,(x\in {\mathbb{R}})\) with \({f}_{{\rm{suc}}}(0)=0\), the parameters for the test function (m, r), and the protocol parameters \((\mu ,{p}_{{\rm{sig}}},{p}_{{\rm{test}}},{p}_{{\rm{trash}}},\beta ,s)\) with \({p}_{{\rm{sig}}}+{p}_{{\rm{test}}}+{p}_{{\rm{trash}}}=1\), where all the parameters are positive. Alice and Bob then run the protocol described in Box 1. Upon successful verification, the protocol generates a shared final key of length

$${\hat{N}}^{{\rm{fin}}}={\hat{N}}^{{\rm{suc}}}\left(1-h\left(U(\hat{F},{\hat{N}}^{{\rm{trash}}})/{\hat{N}}^{{\rm{suc}}}\right)\right)-s$$
(9)

where \(h(x):= -x\,{\mathrm{log}\,}_{2}(x)-(1-x){\mathrm{log}\,}_{2}(1-x)\) is the binary entropy function and the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) will be specified later.

Fig. 2: The proposed continuous-variable quantum key distribution protocol.

Alice generates a random bit a ∈ {0, 1} and sends a coherent state with amplitude \({(-1)}^{a}\sqrt{\mu }\). Bob chooses one of the three measurements based on the predetermined probability. In the signal round, Bob performs a homodyne measurement on the received optical pulse and obtains an outcome \(\hat{x}\). In the test round, Bob performs a heterodyne measurement on the received optical pulse and obtains an outcome \(\hat{\omega }\). In the trash round, he produces no outcome.

The acceptance probability \({f}_{{\rm{suc}}}(x)\) should be chosen to post-select the rounds with larger values of x, for which the bit error probability is expected to be lower. It is ideally a step function, but our security proof is applicable to any form of \({f}_{{\rm{suc}}}(x)\). The parameter β is typically chosen to be \(\sqrt{\eta \mu }\) with η being a nominal transmissivity of the quantum channel, while the security proof itself holds for any choice of β. The parameters s and \(s^{\prime}\) are related to the overall security parameter in the security proof below.

Security proof

We determine a sufficient amount of the privacy amplification according to Shor and Preskill [37,40], which has been widely used for the DV-QKD protocols. We consider a coherent version of Steps 1 and 2, in which Alice and Bob share an entangled pair of qubits for each success signal round, such that their Z-basis measurement outcomes correspond to the sifted key bits a and b. For Alice, we introduce a qubit A and assume that she entangles it with an optical pulse \(\tilde{C}\) in a state

$${\left|\Psi \right\rangle }_{A\tilde{C}}:= \frac{{\left|0\right\rangle }_{A}{\left|\sqrt{\mu }\right\rangle }_{\tilde{C}}+{\left|1\right\rangle }_{A}{\left|-\sqrt{\mu }\right\rangle }_{\tilde{C}}}{\sqrt{2}}.$$
(10)

Then, Step 1 is equivalent to the preparation of \({\left|\Psi \right\rangle }_{A\tilde{C}}\) followed by a measurement of the qubit A on Z basis \(\{\left|0\right\rangle ,\left|1\right\rangle \}\) to determine the bit value a. For Bob, we construct a process of probabilistically converting the received optical pulse C to a qubit B (See Fig. 3). Consider a completely positive (CP) map defined by

$${{\mathcal{F}}}_{C\to B}({\rho }_{C}):= {\int_{0}^{\infty }}dx\ {K}^{(x)}{\rho }_{C}{K}^{(x)\dagger }$$
(11)

with

$${K}^{(x)}:= \sqrt{{f}_{{\rm{suc}}}(x)}\left({\left|0\right\rangle }_{B}\,{\left\langle x\right|}_{C}+{\left|1\right\rangle }_{B}\,{\left\langle -x\right|}_{C}\right),$$
(12)

where \(\left\langle x\right|\) maps a state vector to the value of its wave function at x (see also Eq. (111)). When the pulse C is in a state \({\rho }_{C}\), the corresponding process succeeds with a probability \({p}_{{\rm{suc}}}\) and then prepares the qubit B in a state \({\rho }_{B}\), where \({p}_{{\rm{suc}}}{\rho }_{B}={{\mathcal{F}}}_{C\to B}({\rho }_{C})\). If the qubit B is further measured on Z basis, probabilities of the outcome b = 0, 1 are given by

$${p}_{{\rm{suc}}}\left\langle 0\right|{\rho }_{B}\left|0\right\rangle ={\int_{0}^{\infty }}{f}_{{\rm{suc}}}(x)dx\ \left\langle x\right|{\rho }_{C}\left|x\right\rangle ,$$
(13)
$${p}_{{\rm{suc}}}\left\langle 1\right|{\rho }_{B}\left|1\right\rangle ={\int_{0}^{\infty }}{f}_{{\rm{suc}}}(x)dx\ \left\langle -x\right|{\rho }_{C}\left|-x\right\rangle ,$$
(14)

which shows the equivalence to the signal round in Step 2. This is illustrated in Fig. 3.

Fig. 3: Bob’s qubit extraction in the entanglement-sharing protocol.

Bob performs on the optical pulse a non-demolition projective measurement, with which the absolute value of the outcome of homodyne measurement \(| \hat{x}|\) is determined. Then, Bob extracts a qubit B by the operation \({\mathcal{F}}\) defined in Eq. (11). A Z-basis measurement on this qubit gives the same sifted key bit b as described in the actual protocol. On the other hand, the X-basis measurement on this qubit reveals the parity of photon number of the received optical pulse.

To clarify the above observation, we introduce an entanglement-sharing protocol defined in Box 2. This protocol leaves \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits shared by Alice and Bob. If they measure these qubits on Z basis to define the sifted key bits, the whole procedure is equivalent to Steps 1 through 3 of the actual protocol (see Fig. 4). Alice’s measurements on X basis \(\{\left|\pm \right\rangle := (\left|0\right\rangle +\left|1\right\rangle )/\sqrt{2}\}\) in the trash rounds are added for later security argument, and they do not affect the equivalence.

Fig. 4: Relation between three protocols.

The actual protocol and the estimation protocol are related through the entanglement-sharing protocol. After the entanglement-sharing protocol, Alice and Bob are left with the observed data \(({\hat{N}}^{{\rm{suc}}},{\hat{N}}^{{\rm{fail}}},{\hat{N}}^{{\rm{test}}},{\hat{N}}^{{\rm{trash}}},\hat{F},{\hat{Q}}_{-})\) and \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits. If Alice and Bob ignore \({\hat{Q}}_{-}\) and measure their qubits on the Z-basis to determine their \({\hat{N}}^{{\rm{suc}}}\)-bit sifted keys, it becomes equivalent to the actual protocol. On the other hand, if Alice and Bob measure their \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits on the X-basis, they can count the number \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) of phase errors, which we call the estimation protocol. If we can find a reliable upper bound U on \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) in the estimation protocol, it restricts the property of the state of \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits after the entanglement-sharing protocol, which in turn limits the amount of leaked information on the sifted keys in the actual protocol. The security proof is thus reduced to finding such an upper bound U in the estimation protocol, represented as a function of the variables that are commonly available in the three protocols.

The Shor-Preskill argument connects the amount of privacy amplification to the so-called phase error rate. Suppose that, after the entanglement-sharing protocol, Alice and Bob measure their \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits on X basis \(\{\left|+\right\rangle ,\left|-\right\rangle \}\). A pair with outcomes (+, −) or (−, +) is defined to be a phase error. Let \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) be the number of phase errors among \({\hat{N}}^{{\rm{suc}}}\) pairs. If we can have a good upper bound \({e}_{{\rm{ph}}}\) on the phase error rate \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}/{\hat{N}}^{{\rm{suc}}}\), shortening by fraction \(h({e}_{{\rm{ph}}})\) via privacy amplification in the actual protocol achieves the security in the asymptotic limit [37].

To cover the finite-size case as well, we need a more rigorous statement on the upper bound. For that purpose, we define an estimation protocol in Box 3 (see also Fig. 4). The task of proving the security of the actual protocol is then reduced to construction of a function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) which satisfies

$$\Pr \left[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\, \le \, U(\hat{F},{\hat{N}}^{{\rm{trash}}})\right]\ge 1-\epsilon$$
(15)

for any attack in the estimation protocol. It is known that the condition (15) immediately implies that the actual protocol is \({\epsilon }_{\sec }\)-secure with a small security parameter \({\epsilon }_{\sec }=\sqrt{2}\sqrt{\epsilon +{2}^{-s}}+{2}^{-s^{\prime} }\) [40,41]. See Methods for the rationale and the detailed definition of security.

At this point, it is beneficial for the analysis of the phase error statistics to clarify what property of the optical pulse C is measured by Bob’s X-basis measurement in the estimation protocol (see Fig. 3). Let \({\Pi }_{{\rm{ev}}({\rm{od}})}\) be the projection to the subspace with even (resp. odd) photon numbers. (\({\Pi }_{{\rm{ev}}}+{\Pi }_{{\rm{od}}}={{\mathbf{1}}}_{C}\) holds by definition.) Furthermore, since \({\Pi }_{{\rm{ev}}}-{\Pi }_{{\rm{od}}}\) is the operator for an optical phase shift of π, we have \(({\Pi }_{{\rm{ev}}}-{\Pi }_{{\rm{od}}})\left|x\right\rangle =\left|-x\right\rangle\). Eq. (12) is then rewritten as

$${K}^{(x)}=\sqrt{2{f}_{{\rm{suc}}}(x)}\left({\left|+\right\rangle }_{B}\,{\left\langle x\right|}_{C}\,{\Pi }_{{\rm{ev}}}+{\left|-\right\rangle }_{B}\,{\left\langle x\right|}_{C}\,{\Pi }_{{\rm{od}}}\right).$$
(16)

Therefore, when the state of the pulse C is \({\rho }_{C}\), the probability of obtaining +(−) in the X-basis measurement in the estimation protocol is given by

$$\left\langle +(-)\right|{{\mathcal{F}}}_{C\to B}({\rho }_{C})\left|+(-)\right\rangle ={\rm{Tr}}\left({\rho }_{C}{M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\right),$$
(17)

where

$${M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}:= {\int_{0}^{\infty }}2{f}_{{\rm{suc}}}(x)dx\ {\Pi }_{{\rm{ev}}({\rm{od}})}\left|x\right\rangle \,{\left\langle x\right|}_{C}\,{\Pi }_{{\rm{ev}}({\rm{od}})}.$$
(18)

This shows that Bob’s X-basis measurement distinguishes the parity of the photon number of the received pulse. In this sense, the secrecy of our protocol is assured by the complementarity between the sign of the quadrature and the parity of the photon number.

As an intermediate step toward our final goal of Eq. (15), let us first derive a bound on the expectation value \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]\) in terms of those collected in the test and the trash rounds, \({\mathbb{E}}[\hat{F}]\) and \({\mathbb{E}}[{\hat{Q}}_{-}]\), in the estimation protocol. Let \({\rho }_{AC}\) be the state of the qubit A and the received pulse C averaged over N pairs, and define relevant operators as

$${M}_{{\rm{ph}}}^{{\rm{suc}}}:= \left|+\right\rangle \,{\left\langle +\right|}_{A}\otimes {M}_{{\rm{od}}}^{{\rm{suc}}}+\left|-\right\rangle \,{\left\langle -\right|}_{A}\otimes {M}_{{\rm{ev}}}^{{\rm{suc}}},$$
(19)
$${\Pi }^{{\rm{fid}}}:= \left|0\right\rangle \,{\left\langle 0\right|}_{A}\otimes \left|\beta \right\rangle \,{\left\langle \beta \right|}_{C}+\left|1\right\rangle \,{\left\langle 1\right|}_{A}\otimes \left|-\beta \right\rangle \,{\left\langle -\beta \right|}_{C},$$
(20)
$${\Pi }_{-}^{{\rm{trash}}}:= \left|-\right\rangle \,{\left\langle -\right|}_{A}\otimes {{\mathbf{1}}}_{C}.$$
(21)

Then we immediately have

$${\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]={p}_{{\rm{sig}}}N\ {\rm{Tr}}\left({\rho }_{AC}{M}_{{\rm{ph}}}^{{\rm{suc}}}\right)$$
(22)

and

$${\mathbb{E}}[{\hat{Q}}_{-}]={p}_{{\rm{trash}}}N\ {\rm{Tr}}\left({\rho }_{AC}{\Pi }_{-}^{{\rm{trash}}}\right),$$
(23)

while application of the property of Eq. (8) leads to

$${\mathbb{E}}[\hat{F}]\le {p}_{{\rm{test}}}N\ {\rm{Tr}}\left({\rho }_{AC}{\Pi }^{{\rm{fid}}}\right).$$
(24)

Let us denote \({\rm{Tr}}\left({\rho }_{AC}M\right)\) simply by \(\left\langle M\right\rangle\) for any operator M. The set of points \(\big(\big\langle {M}_{{\rm{ph}}}^{{\rm{suc}}}\big\rangle ,\big\langle {\Pi }^{{\rm{fid}}}\big\rangle ,\big\langle {\Pi }_{-}^{{\rm{trash}}}\big\rangle \big)\) for all the density operators \({\rho }_{AC}\) forms a convex region. Rather than directly deriving the boundary of the region, it is easier to pursue linear constraints in the form of

$$\left\langle {M}_{{\rm{ph}}}^{{\rm{suc}}}\right\rangle \le B(\kappa ,\gamma )-\kappa \left\langle {\Pi }^{{\rm{fid}}}\right\rangle +\gamma \left\langle {\Pi }_{-}^{{\rm{trash}}}\right\rangle ,$$
(25)

where \(B(\kappa ,\gamma ),\kappa ,\gamma \in {\mathbb{R}}\).

It is expected that a meaningful bound is obtained only for κ, γ ≥ 0. Decreasing fidelity \(\left\langle {\Pi }^{{\rm{fid}}}\right\rangle\) should allow more room for eavesdropping, leading to a larger value of phase error rate \(\left\langle {M}_{{\rm{ph}}}^{{\rm{suc}}}\right\rangle\). Hence Eq. (25) will give a good bound only when κ ≥ 0. As for \(\left\langle {\Pi }_{-}^{{\rm{trash}}}\right\rangle\), it only depends on the marginal state of Alice’s qubit A, which is independent of the adversary’s attack. We thus have \(\left\langle {\Pi }_{-}^{{\rm{trash}}}\right\rangle ={q}_{-}:= {\left\Vert {\left\langle -\right|}_{A}{\left|\Psi \right\rangle }_{A\tilde{C}}\right\Vert }^{2}=(1-{e}^{-2\mu })/2\). Since Alice’s use of a stronger pulse should lead to larger leak of information, we should choose γ ≥ 0 for a good bound.

To find a function \(B(\kappa ,\gamma )\) satisfying Eq. (25), let us define an operator

$$M[\kappa ,\gamma ]:= {M}_{{\rm{ph}}}^{{\rm{suc}}}+\kappa {\Pi }^{{\rm{fid}}}-\gamma {\Pi }_{-}^{{\rm{trash}}}.$$
(26)

Then Eq. (25) is rewritten as \({\rm{Tr}}\left({\rho }_{AC}M[\kappa ,\gamma ]\right)\le B(\kappa ,\gamma )\). This condition holds for all \({\rho }_{AC}\) iff \(M[\kappa ,\gamma ]\) satisfies an operator inequality

$$M[\kappa ,\gamma ]\le B(\kappa ,\gamma ){{\mathbf{1}}}_{AC}.$$
(27)

If the operator \(M[\kappa ,\gamma ]\) was represented by a matrix of a small size, the tightest bound would be found by computing the maximum eigenvalue of the matrix. But here \(M[\kappa ,\gamma ]\) has an infinite rank and it is difficult to compute the tightest bound. We thus compromise and heuristically find a computable bound \(B(\kappa ,\gamma )\) which is not necessarily tight; we reduce the problem to finding the maximum eigenvalues of small-size matrices by replacing \(M[\kappa ,\gamma ]\) with a constant upper-bound except in a relevant finite-dimensional subspace spanned by \(\left|\pm \beta \right\rangle\) and \({M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\left|\pm \beta \right\rangle\). For the detailed derivation of \(B(\kappa ,\gamma )\), see Methods.

With \(B(\kappa ,\gamma )\) computed, we can rewrite Eq. (25) using Eqs. (22)–(24) to obtain a relation between \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]\), \({\mathbb{E}}[\hat{F}]\), and \({\mathbb{E}}[{\hat{Q}}_{-}]\). It is concisely written as

$${\mathbb{E}}\left[\hat{T}[\kappa ,\gamma ]\right]\le NB(\kappa ,\gamma )$$
(28)

with

$$\hat{T}[\kappa ,\gamma ]:= {p}_{{\rm{sig}}}^{-1}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}+{p}_{{\rm{test}}}^{-1}\kappa \hat{F}-{p}_{{\rm{trash}}}^{-1}\gamma {\hat{Q}}_{-}.$$
(29)

This relation leads to an explicit bound on the phase error rate as \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]/{p}_{{\rm{sig}}}N\le B(\kappa ,\gamma )+\gamma {q}_{-}-\kappa \ {\mathbb{E}}[\hat{F}]/{p}_{{\rm{test}}}N\), which is enough for the computation of asymptotic key rates.

The security in the finite-size regime is proved as follows. The fact that the bound given in Eq. (28) is true for all the states \({\rho }_{AC}\) allows us to use Azuma’s inequality [42] to evaluate the fluctuations around the expectation value, leading to an inequality

$$\hat{T}[\kappa ,\gamma ]\le NB(\kappa ,\gamma )+{\delta }_{1}(\epsilon /2)$$
(30)

which holds with a probability no smaller than 1 − ϵ/2 (see Methods for the explicit form of \({\delta }_{1}(\epsilon /2)\), which is of \(O(\sqrt{N})\)). We remark that the reason for including the trash rounds in the actual protocol is to circumvent a technical issue which would arise in this step. Without measurement of \({\hat{Q}}_{-}\) in the estimation protocol, we would obtain an inequality \({\mathbb{E}}[{p}_{{\rm{sig}}}^{-1}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}+{p}_{{\rm{test}}}^{-1}\kappa \hat{F}]\le NB(\kappa ,\gamma )+\gamma {q}_{-}\). In contrast to Eq. (28), the new inequality is true only when \({\rho }_{AC}\) satisfies \(\left\langle {\Pi }_{-}^{{\rm{trash}}}\right\rangle ={q}_{-}\), which is too stringent for the application of Azuma’s inequality.

Although Eq. (29) includes \({\hat{Q}}_{-}\) which is inaccessible in the actual protocol, we can derive a bound by noticing that it is an outcome from Alice’s qubits and is independent of the adversary’s attack. In fact, given \({\hat{N}}^{{\rm{trash}}}\), it is the tally of \({\hat{N}}^{{\rm{trash}}}\) Bernoulli trials with a probability \({q}_{-}\). Hence, we can derive an inequality of the form

$${\hat{Q}}_{-}\le {q}_{-}{\hat{N}}^{{\rm{trash}}}+{\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})$$
(31)

which holds with a probability no smaller than 1 − ϵ/2. Here \({\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})\) can be determined by a Chernoff bound (see Methods). Combining Eqs. (29), (30), and (31), we obtain \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) satisfying Eq. (15) to complete the finite-size security proof.

Numerical simulation

We simulated the net key gain per pulse \(\hat{G}\) as a function of attenuation in the optical channel (including the efficiency of Bob’s apparatus). We assume a channel model with a loss with transmissivity η and an excess noise at channel output; Bob receives Gaussian states obtained by randomly displacing coherent states \(\left|\pm \sqrt{\eta \mu }\right\rangle\) to increase their variances by a factor of (1 + ξ) [43,44]. We assume a step function with a threshold \({x}_{{\rm{th}}}\,(>0)\) as the acceptance probability \({f}_{{\rm{suc}}}(x)\). The expected amplitude of coherent state β is chosen to be \(\sqrt{\eta \mu }\). We set \({\epsilon }_{\sec }={2}^{-50}\) for the security parameter, and set \(\epsilon ={2}^{-s}={\epsilon }_{\sec }^{2}/16\) and \({2}^{-s^{\prime} }={\epsilon }_{\sec }/2\). We thus have two coefficients (κ, γ), four protocol parameters \((\mu ,{x}_{{\rm{th}}},{p}_{{\rm{sig}}},{p}_{{\rm{test}}})\), and two parameters (m, r) of the test function to be determined. For each transmissivity η, we determined (κ, γ) via a convex optimization using the CVXPY 1.0.25 [45,46] and \((\mu ,{x}_{{\rm{th}}},{p}_{{\rm{sig}}},{p}_{{\rm{test}}})\) via the Nelder-Mead in the scipy.minimize library in Python, in order to maximize the key rate. Furthermore, we adopted m = 1 and r = 0.4120, which leads to \((\max {\Lambda }_{m,r},\min {\Lambda }_{m,r})=(2.824,-0.9932)\). See Methods for the detail of the model of our numerical simulation and examples of optimized parameters. Typical optimized values of the threshold \({x}_{{\rm{th}}}\) range from 0.4 to 1.5 (we adopted a normalization for which the vacuum fluctuation is \(\sqrt{\langle {(\Delta x)}^{2}\rangle }=0.5\)). They are larger than those in other analyses of protocols with post-selection (e.g., ref. 31). A possible reason is the fact that the latter protocols use more than two states to monitor the eavesdropping act, which may lead to a lower cost of privacy amplification and higher tolerance against bit errors.

Figure 5 shows the key rates of our protocol in the asymptotic limit N → ∞ and finite-size cases with \(N={10}^{9}\)–\({10}^{12}\) for \(\xi ={10}^{-2.0}\)–\({10}^{-3.0}\) and 0. (Note that from the results of the recent experiments [8,44,47], excess noise with \(\xi ={10}^{-2.0}\)–\({10}^{-3.0}\) at the channel output seems reasonable. Furthermore, the state-of-the-art experiments [8] work at 0.5 GHz repetition rate, which implies that the total number of rounds \(N={10}^{9}\)–\({10}^{12}\) can be achieved in a realistic duration.) For the noiseless model (ξ = 0), the asymptotic rate reaches 8 dB. In the case of \(\xi ={10}^{-3.0}\), it reaches 4 dB, which is comparable to the result of a similar binary modulation protocol proposed in ref. 29. As for finite-size key rates, we see that the noiseless model shows a significant finite-size effect even for \(N={10}^{12}\). On the other hand, in the presence of noise (\(\xi ={10}^{-3.0}\)) the effect becomes milder, and \(N={10}^{11}\) is enough to achieve a rate close to the asymptotic case. This may be ascribed to the cost of the fidelity test. In order to make sure that the fidelity is no smaller than 1 − δ, the statistical uncertainty of the fidelity test must be reduced to O(δ). As a result, approaching the asymptotic rate of ξ = 0 will require many rounds for the fidelity test.

Fig. 5: The net key gain per pulse \(\hat{G}\) (key rate) vs. transmissivity η of the optical channel.

The abscissa represents attenuation in decibel, i.e., \(-10\,{\mathrm{log}\,}_{10}\eta\). We assumed that the optical pulse that Bob receives is given by randomly displacing a coherent state to increase its variance by a factor of (1 + ξ). a The asymptotic key rate for various values of ξ. b The key rate for various values of ξ when the pulse number is finite (\(N={10}^{11}\)). c The key rate without the excess noise (ξ = 0) along with the repeaterless bound (PLOB bound) of the secure key rate in the pure-loss channel [55]. d The key rate with the excess noise of \(\xi ={10}^{-3.0}\).

Discussion

Numerically simulated key rates above were computed on the implicit assumption that Bob’s observed quantities are processed with infinite precision. Even when these are approximated with a finite set of discrete points, we can still prove the security with minimal degradation of key rates. For the heterodyne measurement used for the test in the protocol, assume that a digitized outcome \({\omega }_{{\rm{dig}}}\) ensures that the true value \(\hat{\omega }\) lies in a range \(\Omega ({\omega }_{{\rm{dig}}})\). Then, we need only to replace \({\Lambda }_{m,r}(| \hat{\omega }\pm \beta {| }^{2})\) with its worst-case value, \(\min \{{\Lambda }_{m,r}(| \hat{\omega }\pm \beta {| }^{2}):\hat{\omega }\in \Omega ({\omega }_{{\rm{dig}}})\}\). As seen in Fig. 1a, the slope of function \({\Lambda }_{m,r}(\nu )\) is moderate and goes to zero for ν → ∞. This means that the worst-case value can be made close to the true value, leading to small influence on the key rate. For the homodyne measurement used for the signal, finite precision can be treated through appropriate modification of the acceptance probability \({f}_{{\rm{suc}}}(x)\). Aside from a very small change in the success rate and the bit error rate, this function affects the key rate only through integrals in Eqs. (116), (118), and (120) in Methods, and hence influence on the key rate is expected to be small. We thus believe that the fundamental obstacles associated with the analog nature of the CV protocol have been settled by our approach.
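The worst-case replacement described above can be made concrete for m = 1. The Python sketch below is an added example, not code from the paper, and assumes a uniform ADC grid whose cell \(\Omega ({\omega }_{{\rm{dig}}})\) is a square of side `delta` centred on the digitized value; `delta`, the target amplitude and the simulated outcomes are constructed for illustration.

```python
import math
import random

R = 0.4120  # r used with m = 1 on the page


def lambda1(nu, r=R):
    """Lambda_{1,r}(nu) = e^{-r nu} (1+r) (2 - (1+r) nu), since L_1^{(1)}(x) = 2 - x."""
    return math.exp(-r * nu) * (1 + r) * (2 - (1 + r) * nu)


def quantize(w, delta):
    """Centre of the grid cell of side delta containing w (assumed ADC model)."""
    return complex(round(w.real / delta) * delta, round(w.imag / delta) * delta)


def nu_range(w_dig, beta, delta):
    """Smallest and largest |w - beta|^2 over the square cell Omega(w_dig)."""
    dx, dy = abs(w_dig.real - beta.real), abs(w_dig.imag - beta.imag)
    h = delta / 2
    lo = max(dx - h, 0.0) ** 2 + max(dy - h, 0.0) ** 2
    hi = (dx + h) ** 2 + (dy + h) ** 2
    return lo, hi


def worst_case_lambda(w_dig, beta, delta, r=R):
    """min of Lambda_{1,r}(|w - beta|^2) over the cell Omega(w_dig).

    Lambda_{1,r} decreases up to nu* = (1 + 3r) / (r (1 + r)) and increases
    afterwards, so the minimum over [nu_lo, nu_hi] sits at nu* if the interval
    contains it and at one of the endpoints otherwise.
    """
    nu_lo, nu_hi = nu_range(w_dig, beta, delta)
    nu_star = (1 + 3 * r) / (r * (1 + r))
    if nu_lo <= nu_star <= nu_hi:
        return lambda1(nu_star, r)
    return min(lambda1(nu_lo, r), lambda1(nu_hi, r))


def digitization_gap(delta, n_rounds=20_000, beta=1.0 + 0j, seed=3):
    """Average loss in the test statistic caused by the worst-case replacement.

    Outcomes are simulated for a received coherent state equal to |beta>
    (constructed input); each quadrature has variance 1/2.
    """
    rng = random.Random(seed)
    s = math.sqrt(0.5)
    exact = worst = 0.0
    for _ in range(n_rounds):
        w = complex(rng.gauss(beta.real, s), rng.gauss(beta.imag, s))
        exact += lambda1(abs(w - beta) ** 2)
        worst += worst_case_lambda(quantize(w, delta), beta, delta)
    return (exact - worst) / n_rounds


if __name__ == "__main__":
    for delta in (0.1, 0.03, 0.01):
        print(f"cell side {delta}: average loss {digitization_gap(delta):.4f}")
```

The average loss shrinks roughly in proportion to the cell side, which is the sense in which a moderate slope of the test function keeps the digitized estimate close to the exact one.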

In comparison with recent asymptotic analyses [31,32] of discrete-modulation CV QKD, our protocol achieves lower key rates and much shorter distance. Since ours is the first attempt of applying the proof technique of DV QKD to CV QKD, there is much room for possible improvement. We sacrificed the optimality for simplicity in deriving the operator inequality. The definition of the phase error is not unique and there may be a better choice. The trash rounds were introduced for technical reasons, but we are not sure whether they are really necessary. Nonetheless, we believe that the dominant reason for the difference lies in the fact that our protocol uses only two states. In contrast, the protocols considered in refs. 31,32 use four or more states in signal or test modes. The genuine binary protocol was analyzed in ref. 29, and the key rate derived there is comparable to ours.

In order to improve the presented finite-size key rate, a promising route will thus be increasing the number of states from two. Our fidelity test can be straightforwardly generalized to monitoring of such a larger constellation of signals, and we will be able to confine the adversary’s attacks more tightly than in the present binary protocol. As for the proof techniques to determine the amount of privacy amplification, there are two possible directions. One is to generalize the present DV-QKD-inspired approach of estimating the number of phase errors in qubits to the case of qudits. The other direction is to seek a way to combine the existing analyses [31,32,48] of discrete-modulation CV-QKD protocols, which have been reported to yield high key rates in the asymptotic regime, to our fidelity test. Although either of the approaches is nontrivial, we believe that the present results will open up new direction toward exploiting the expected high potential of CV QKD with an improved security level.

In summary, we proved the security of a binary-modulated CV-QKD protocol in the finite-size regime while completely circumventing the problems arising from the analog nature of CV QKD. We believe that it is a significant milestone toward real-world implementation of CV QKD, which has its own advantages.

Methods

Proof of Theorem 1 and Eq. (8)

In this section, we prove Theorem 1 stated in the main text and derive Eq. (8) as a corollary of Theorem 1.

Proof: From Eq. (1), the expectation value of \({\Lambda }_{m,r}(| \hat{\omega }{| }^{2})\) when given a measured state ρ is given by

$$ {{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}\left(| \hat{\omega }{| }^{2}\right)]\\ \quad=\int_{\omega \in {\mathbb{C}}}{\Lambda }_{m,r}\left(| \omega {| }^{2}\right){q}_{\rho }(\omega )\ {d}^{2}\omega \\ \quad= {\int_{0}^{\infty }}d\nu \ {\Lambda }_{m,r}(\nu )\left({\int_{0}^{2\pi }}\frac{d\theta }{2\pi }\left\langle \sqrt{\nu }{e}^{i\theta }\right|\rho \left|\sqrt{\nu }{e}^{i\theta }\right\rangle \right)\\ \quad= {\int_{0}^{\infty }}d\nu \ {\Lambda }_{m,r}(\nu )\left(\mathop{\sum }\limits_{n = 0}^{\infty }\frac{{\nu }^{n}{e}^{-\nu }}{n!}\left\langle n\right|\rho \left|n\right\rangle \right)\\ \quad=\mathop{\sum }\limits_{n = 0}^{\infty }\frac{\left\langle n\right|\rho \left|n\right\rangle {I}_{n,m}}{{(1+r)}^{n}},$$
(32)

where

$${I}_{n,m}:= \frac{1}{n!}{\int_{0}^{\infty }}d\nu \,{e}^{-\nu }{\nu }^{n}{L}_{m}^{(1)}(\nu )$$
(33)

for integers n, m ≥ 0.

The following three properties hold for \({I}_{n,m}\):

  (i) \({I}_{n,m}=0\) for m ≥ n ≥ 1.

This results from orthogonality relations of the associated Laguerre polynomials, that is,

$${\int_{0}^{\infty }}{L}_{n}^{(1)}(\nu ){L}_{m}^{(1)}(\nu )\nu {e}^{-\nu }\ d\nu =(n+1){\delta }_{n,m}.$$
(34)

Since the polynomial \({\nu }^{n-1}\) can be written as a linear combination of lower order polynomials \({\{{L}_{l}^{(1)}(\nu )\}}_{0\le l\le n-1}\), \({I}_{n,m}\) vanishes whenever m ≥ n ≥ 1.

  (ii) \({(-1)}^{m}{I}_{n,m} > 0\) for n > m ≥ 0.

This property is shown as follows. First, the associated Laguerre polynomials satisfy the following recurrence relation for m ≥ 1 (ref. 49):

$$m{L}_{m}^{(1)}(\nu )=\nu \frac{d{L}_{m}^{(1)}}{d\nu }(\nu )+(m+1){L}_{m-1}^{(1)}(\nu ).$$
(35)

Substituting this to Eq. (33) and using integration by parts, we have

$${I}_{n,m}=\frac{n+m}{n}{I}_{n-1,m}-\frac{m+1}{n}{I}_{n-1,m-1}.$$
(36)

for n ≥ 1 and m ≥ 1. The property (ii) is then proved by induction over m. For m = 0, it is true since \({I}_{n,0}=1 > 0\). When \({(-1)}^{m-1}{I}_{n,m-1} > 0\) for n > m − 1, we can prove \({(-1)}^{m}{I}_{n,m} > 0\) for n > m by using Eq. (36) recursively with \({I}_{m,m}=0\) from property (i).

  (iii) \({I}_{0,m}=1\) for m ≥ 0.

This also follows from property (i) and Eq. (36) for n = 1 and m ≥ 1, which leads to \({I}_{0,m}={I}_{0,0}=1\).

Combining properties (i), (ii), and (iii) shows Eq. (6).
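The three properties and the recurrence can be checked with exact rational arithmetic. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and it assumes only the standard explicit form of the associated Laguerre polynomials together with \(\int_{0}^{\infty }{e}^{-\nu }{\nu }^{j}d\nu =j!\). It also evaluates the last line of Eq. (32) for a given photon-number distribution.

```python
from fractions import Fraction
from math import comb, factorial

def laguerre1(m):
    """Exact coefficients c_k of L_m^{(1)}(nu) = sum_k c_k nu^k."""
    return [Fraction((-1) ** k * comb(m + 1, m - k), factorial(k))
            for k in range(m + 1)]

def I_nm(n, m):
    """I_{n,m} of Eq. (33), integrated term by term with int e^{-nu} nu^j = j!."""
    total = sum(c * factorial(n + k) for k, c in enumerate(laguerre1(m)))
    return total / factorial(n)

def laguerre_inner(n, m):
    """Left-hand side of the orthogonality relation, Eq. (34)."""
    return sum(a * b * factorial(j + k + 1)
               for j, a in enumerate(laguerre1(n))
               for k, b in enumerate(laguerre1(m)))

def check_properties(limit):
    """Check Eq. (34), properties (i)-(iii) and Eq. (36) for all n, m < limit."""
    for n in range(limit):
        for m in range(limit):
            if laguerre_inner(n, m) != (n + 1 if n == m else 0):
                return False
            if n == 0 and I_nm(0, m) != 1:                       # property (iii)
                return False
            if m >= n >= 1 and I_nm(n, m) != 0:                  # property (i)
                return False
            if n > m and not (-1) ** m * I_nm(n, m) > 0:         # property (ii)
                return False
            if n >= 1 and m >= 1 and I_nm(n, m) != (
                    Fraction(n + m, n) * I_nm(n - 1, m)
                    - Fraction(m + 1, n) * I_nm(n - 1, m - 1)):  # Eq. (36)
                return False
    return True

def expected_lambda(photon_probs, m, r):
    """Last line of Eq. (32): sum_n <n|rho|n> I_{n,m} / (1 + r)^n."""
    return sum(p * I_nm(n, m) / (1 + r) ** n
               for n, p in enumerate(photon_probs))

if __name__ == "__main__":
    # Constructed photon-number distribution <n|rho|n> for n = 0, 1, 2.
    probs = [Fraction(3, 5), Fraction(3, 10), Fraction(1, 10)]
    print(check_properties(8), expected_lambda(probs, 1, Fraction(1, 2)))
```

For odd m every term with n > m is negative, so the returned value never exceeds the vacuum weight \(\left\langle 0\right|\rho \left|0\right\rangle\), which is the statement used in Eq. (38).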

Eq. (8) in the main text is derived as the following corollary.

Corollary 1: Let \(\left|\beta \right\rangle\;\)\((\beta \in {\mathbb{C}})\) be the coherent state with amplitude β. Then, for any \(\beta \in {\mathbb{C}}\) and for any odd positive integer m, we have

$${{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }-\beta {| }^{2})]\le \left\langle \beta \right|\rho \left|\beta \right\rangle .$$
(37)

Proof: From Eq. (6) of Theorem 1, for any odd positive integer m, we have

$${{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }{| }^{2})]\le \left\langle 0\right|\rho \left|0\right\rangle .$$
(38)

Let \({D}_{\beta }\) be a displacement operator satisfying

$${D}_{\beta }\left|0\right\rangle \,\left\langle 0\right|{D}_{\beta }^{\dagger }=\left|\beta \right\rangle \,\left\langle \beta \right|,$$
(39)

and \({D}_{\beta }^{\dagger }={D}_{-\beta }\). With \(\tilde{\rho }:= {D}_{\beta }\rho {D}_{\beta }^{\dagger }\), we have \({q}_{\tilde{\rho }}(\omega )={q}_{\rho }(\omega -\beta )\) for probability density function of heterodyne measurement outcome, which implies that

$${{\mathbb{E}}}_{\tilde{\rho }}[{\Lambda }_{m,r}(| \hat{\omega }-\beta {| }^{2})] ={{\mathbb{E}}}_{\rho }[{\Lambda }_{m,r}(| \hat{\omega }{| }^{2})]\\ \le \left\langle 0\right|\rho \left|0\right\rangle \\ =\left\langle \beta \right|\tilde{\rho }\left|\beta \right\rangle .$$
(40)

Replacing \(\tilde{\rho }\) with ρ, we obtain Eq. (37).

Detail of the security proof

In this section, we prove the security of the proposed protocol in the main text. This section consists of several subsections. In the first subsection, we give a definition of security, which is standard in the literature. The security condition is divided into two conditions, secrecy and correctness. Since the correctness is trivially satisfied, it is the secrecy that is the focus of the security proof. The second subsection explains how the secrecy condition is reduced to Eq. (15) of the estimation protocol, which bounds the number of phase errors. The third subsection lays the groundwork for the full security proof by deriving the inequality (27) involving three operators relevant for the quantities observed in the signal, the test, and the trash round in the estimation protocol. After proving a general lemma (Lemma 1), an explicit form of the upper bound B(κ, γ) satisfying Eq. (27) is given as a corollary (Corollary 2) of the lemma. Finally, the fourth subsection uses Azuma’s inequality and Corollaries 1 and 2 to derive an explicit form of \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) that fulfills Eq. (15), which completes the security proof of the actual protocol.

1. Definition of security in the finite-size regime. We evaluate the secrecy of the final key as follows. When the final key length is \({N}^{{\rm{fin}}}\ge 1\), we represent Alice’s final key and an adversary’s quantum system as a joint state

$${\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{fin}}}=\mathop{\sum }\limits_{z = 0}^{{2}^{{N}^{{\rm{fin}}}}-1}\Pr (z)\left|z\right\rangle \,{\left\langle z\right|}_{{\rm{A}}}\otimes {\rho }_{{\rm{E}}| {N}^{{\rm{fin}}}}^{{\rm{fin}}}(z),$$
(41)

and define the corresponding ideal state as

$${\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{ideal}}}=\mathop{\sum }\limits_{z = 0}^{{2}^{{N}^{{\rm{fin}}}}-1}{2}^{-{N}^{{\rm{fin}}}}\left|z\right\rangle \,{\left\langle z\right|}_{{\rm{A}}}\otimes {{\rm{Tr}}}_{{\rm{A}}}({\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{fin}}}).$$
(42)

Let \({\left\Vert \sigma \right\Vert }_{1}={\rm{Tr}}\sqrt{{\sigma }^{\dagger }\sigma }\) be the trace norm of an operator σ. We say a protocol is \({\epsilon }_{{\rm{sct}}}\)-secret when

$$\frac{1}{2}\mathop{\sum }\limits_{{N}^{{\rm{fin}}}\ge 1}\Pr ({N}^{{\rm{fin}}}){\left\Vert {\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{fin}}}-{\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{ideal}}}\right\Vert }_{1}\le {\epsilon }_{{\rm{sct}}}$$
(43)

holds regardless of the adversary’s attack. The main goal of the security proof is to derive the amount of privacy amplification, or equivalently to find the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) in Eq. (9), such that Eq. (43) should hold for given \({\epsilon }_{{\rm{sct}}} > 0\).

For correctness, we say a protocol is \({\epsilon }_{{\rm{cor}}}\)-correct if the probability for Alice’s and Bob’s final key to differ is bounded by \({\epsilon }_{{\rm{cor}}}\). Our protocol achieves \({\epsilon }_{{\rm{cor}}}={2}^{-s^{\prime} }\) via the verification in Step 4.

When the above two conditions are met, the protocol becomes \({\epsilon }_{\sec }\)-secure with \({\epsilon }_{\sec }={\epsilon }_{{\rm{sct}}}+{\epsilon }_{{\rm{cor}}}\) in the sense of universal composability50.

2. Reduction to the estimation protocol. Here we show that Eq. (15) in the estimation protocol implies \({\epsilon }_{{\rm{sct}}}\)-secrecy of the actual protocol with \({\epsilon }_{{\rm{sct}}}=\sqrt{2}\sqrt{\epsilon +{2}^{-s}}\). We have already seen that the entanglement-sharing protocol immediately followed by Z-basis measurements of the qubits is equivalent to Steps 1 through 3 of the actual protocol. Here we consider a slightly modified scenario in which, after the entanglement-sharing protocol, a controlled-NOT operation V is applied on each pair of qubits, where \(V:= \left|0\right\rangle \,{\left\langle 0\right|}_{A}\otimes {{\bf{1}}}_{B}+\left|1\right\rangle \,{\left\langle 1\right|}_{A}\otimes {X}_{B}\) with \({X}_{B}:= \left|1\right\rangle \,{\left\langle 0\right|}_{B}+\left|0\right\rangle \,{\left\langle 1\right|}_{B}\). Alice then measures her qubits on the Z basis to define her sifted key bits and proceeds with Step 5 of the actual protocol. Since V does not affect the Z-basis value of Alice’s qubit, her procedure of determining the \({\hat{N}}^{{\rm{fin}}}\)-bit final key in this scenario is equivalent to that in the actual protocol. Although V prevents Bob from obtaining an equivalent final key, he can still simulate the reconciliation and the verification process in Step 4 since the Z-basis value of each of his \({\hat{N}}^{{\rm{suc}}}\) qubits corresponds to absence/presence of a bit error between Alice’s and Bob’s sifted key bits. Hence Bob can equivalently carry out all the announcements in Steps 4 and 5 of the actual protocol. As a result, this scenario leads to exactly the same distribution \(\Pr ({N}^{{\rm{fin}}})\) and the same states \({\rho }_{{\rm{AE}}| {N}^{{\rm{fin}}}}^{{\rm{fin}}}\) as those of the actual protocol.

The secrecy of Alice’s final key can be determined from the X-basis property of her \({\hat{N}}^{{\rm{suc}}}\) qubits after the application of V. Since V can be rewritten as \(V={{\bf{1}}}_{A}\otimes \left|+\right\rangle \,{\left\langle +\right|}_{B}+{Z}_{A}\otimes \left|-\right\rangle \,{\left\langle -\right|}_{B}\) with \({Z}_{A}:= \left|-\right\rangle \,{\left\langle +\right|}_{A}+\left|+\right\rangle \,{\left\langle -\right|}_{A}\), the X-basis value of each of Alice’s qubits corresponds to absence/presence of a phase error. Suppose that these \({\hat{N}}^{{\rm{suc}}}\) qubits are measured on the X-basis to produce an outcome \(\hat{{\boldsymbol{x}}}\in {\{+,-\}}^{{\hat{N}}^{{\rm{suc}}}}\). Let \({\rm{wt}}(\hat{{\boldsymbol{x}}})\) be the number of symbol ‘−’ in \(\hat{{\boldsymbol{x}}}\). If Eq. (15) holds in the estimation protocol, the statistics of \(\hat{{\boldsymbol{x}}}\) should satisfy

$$\Pr \left[{\rm{wt}}(\hat{{\boldsymbol{x}}})\le U(\hat{F},{\hat{N}}^{{\rm{trash}}})\right]\ge 1-\epsilon ,$$
(44)

which implies that the number of probable patterns \(\hat{{\boldsymbol{x}}}\) is limited. To be more precise, let us introduce a set \(\Omega (n,w):= \{{\boldsymbol{x}}\in {\{+,-\}}^{n}\,|\,{\rm{wt}}({\boldsymbol{x}})\le w\}\), whose size is bounded as \(| \Omega (n,w)| \le {2}^{nh(w/n)}\). The condition (44) then implies

$$\Pr \left[{\hat{N}}^{{\rm{suc}}}\ge 1,\hat{{\boldsymbol{x}}}\,\,\notin\,\,{\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}})\right]\le \epsilon$$
(45)

with \({\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}}):= \Omega \left({\hat{N}}^{{\rm{suc}}},U(\hat{F},{\hat{N}}^{{\rm{trash}}})\right)\), which satisfies

$${\mathrm{log}\,}_{2}| {\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}})| \le {\hat{N}}^{{\rm{suc}}}-{\hat{N}}^{{\rm{fin}}}-s$$
(46)

from Eq. (9). It is known40,41,51 that the above conditions imply Eq. (43) with \({\epsilon }_{{\rm{sct}}}=\sqrt{2}\sqrt{\epsilon +{2}^{-s}}\). Therefore, it suffices to show that Eq. (15) holds in the estimation protocol for proving the actual protocol to be \({\epsilon }_{\sec }\)-secure with \({\epsilon }_{\sec }=\sqrt{2}\sqrt{\epsilon +{2}^{-s}}+{2}^{-s^{\prime} }\).

We remark that the encryption of \(M:= {H}_{{\rm{EC}}}+s^{\prime}\) bits in Step 4 can be omitted as long as each bit linearly depends on Alice’s sifted key over GF(2). In such a case, the above scenario must include measurements on Alice’s qubits to simulate the announcement of the M bits in Step 4. The backaction on the X basis caused by the measurement for each bit amounts to doubling the number of probable patterns \(\hat{{\boldsymbol{x}}}\). We can thus redefine the set \({\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}})\) by enlarging its size by a factor of \({2}^{M}\) such that Eq. (45) holds. Then, by decreasing \({\hat{N}}^{{\rm{fin}}}\) by M, Eq. (46) also holds. This means that we achieve the same net key rate with the same level of security.

3. Derivation of the operator inequality. The aim of this subsection is to construct B(κ, γ) which fulfills the operator inequality (27). Let \({\sigma }_{\sup }(O)\) denote the supremum of the spectrum of a bounded self-adjoint operator O. Although \(B(\kappa ,\gamma )={\sigma }_{\sup }(M[\kappa ,\gamma ])\) would give the tightest bound satisfying Eq. (27), it is hard to compute it numerically since system C has an infinite-dimensional Hilbert space. Instead, we derive a looser but simpler bound. We first prove the following lemma.

Lemma 1: Let \({\Pi }_{\pm }\) be orthogonal projections satisfying \({\Pi }_{+}{\Pi }_{-}=0\). Suppose that the rank of \({\Pi }_{\pm }\) is no smaller than 2 or infinite. Let \({M}_{\pm }\) be self-adjoint operators satisfying \({\Pi }_{\pm }{M}_{\pm }{\Pi }_{\pm }={M}_{\pm }\le {\alpha }_{\pm }{\Pi }_{\pm }\), where \({\alpha }_{\pm }\) are real constants. Let \(\left|\psi \right\rangle\) be an unnormalized vector satisfying \(({\Pi }_{+}+{\Pi }_{-})\left|\psi \right\rangle =\left|\psi \right\rangle\) and \({\Pi }_{\pm }\left|\psi \right\rangle\,\ne\,0\). Define the following quantities with respect to \(\left|\psi \right\rangle\):

$${C}_{\pm }:= \left\langle \psi \right|{\Pi }_{\pm }\left|\psi \right\rangle (> 0),$$
(47)
$${D}_{\pm }:= {C}_{\pm }^{-1}\left\langle \psi \right|{M}_{\pm }\left|\psi \right\rangle ,$$
(48)
$${V}_{\pm }:= {C}_{\pm }^{-1}\left\langle \psi \right|{M}_{\pm }^{2}\left|\psi \right\rangle -{D}_{\pm }^{2}.$$
(49)

Then, for any real numbers \({\gamma }_{+}\) and \({\gamma }_{-}\), we have

$${\sigma }_{\sup }\left({M}_{+}+{M}_{-}+\left|\psi \right\rangle \,\left\langle \psi \right|-{\gamma }_{+}{\Pi }_{+}-{\gamma }_{-}{\Pi }_{-}\right) \le {\sigma }_{\sup }\left({M}_{{\rm{4d}}}\right),$$
(50)

where the four-dimensional matrix \({M}_{{\rm{4d}}}\) is defined as

$${M}_{{\rm{4d}}}:= \left[\begin{array}{cccc}{\alpha }_{+}-{\gamma }_{+}&\sqrt{{V}_{+}}&0&0\\ \sqrt{{V}_{+}}&{C}_{+}+{D}_{+}-{\gamma }_{+}&\sqrt{{C}_{+}{C}_{-}}&0\\ 0&\sqrt{{C}_{+}{C}_{-}}&{C}_{-}+{D}_{-}-{\gamma }_{-}&\sqrt{{V}_{-}}\\ 0&0&\sqrt{{V}_{-}}&{\alpha }_{-}-{\gamma }_{-}\end{array}\right].$$
(51)

Proof: We choose orthonormal vectors \(\left\{\left|{e}_{\pm }^{(1)}\right\rangle ,\left|{e}_{\pm }^{(2)}\right\rangle \right\}\) in the domain of \({\Pi }_{\pm }\), respectively, to satisfy

$$\sqrt{{C}_{\pm }}\left|{e}_{\pm }^{(1)}\right\rangle ={\Pi }_{\pm }\left|\psi \right\rangle ,$$
(52)
$${M}_{\pm }\left|{e}_{\pm }^{(1)}\right\rangle ={D}_{\pm }\left|{e}_{\pm }^{(1)}\right\rangle +\sqrt{{V}_{\pm }}\left|{e}_{\pm }^{(2)}\right\rangle ,$$
(53)

which is well-defined due to Eqs. (47)–(49) and \({\Pi }_{\pm }{M}_{\pm }{\Pi }_{\pm }={M}_{\pm }\). From \(({\Pi }_{+}+{\Pi }_{-})\left|\psi \right\rangle =\left|\psi \right\rangle\), we have

$$\left|\psi \right\rangle =\sqrt{{C}_{+}}\left|{e}_{+}^{(1)}\right\rangle +\sqrt{{C}_{-}}\left|{e}_{-}^{(1)}\right\rangle .$$
(54)

Let us define the following projection operators:

$${\Pi }_{\pm }^{(j)}:= \left|{e}_{\pm }^{(j)}\right\rangle \,\left\langle {e}_{\pm }^{(j)}\right|\quad (j=1,2),$$
(55)
$${\Pi }_{\pm }^{(\ge 2)}:= {\Pi }_{\pm }-{\Pi }_{\pm }^{(1)},$$
(56)
$${\Pi }_{\pm }^{(\ge 3)}:= {\Pi }_{\pm }^{(\ge 2)}-{\Pi }_{\pm }^{(2)}.$$
(57)

Since Eq. (53) implies \({\Pi }_{\pm }^{(\ge 3)}{M}_{\pm }{\Pi }_{\pm }^{(1)}=0\), we have

$${M}_{\pm } = {\Pi }_{\pm }^{(1)}{M}_{\pm }{\Pi }_{\pm }^{(1)}+{\Pi }_{\pm }^{(\ge 2)}{M}_{\pm }{\Pi }_{\pm }^{(\ge 2)}+{\Pi }_{\pm }^{(1)}{M}_{\pm }{\Pi }_{\pm }^{(2)}+{\Pi }_{\pm }^{(2)}{M}_{\pm }{\Pi }_{\pm }^{(1)}.$$
(58)

The second term in the right-hand side of Eq. (58) is bounded as

$${\Pi }_{\pm }^{(\ge 2)}{M}_{\pm }{\Pi }_{\pm }^{(\ge 2)}\le {\alpha }_{\pm }{\Pi }_{\pm }^{(\ge 2)},$$
(59)

since \({M}_{\pm }\le {\alpha }_{\pm }{\Pi }_{\pm }\). Combining Eqs. (48), (58), and (59), we have

$$ {M}_{\pm }-{\gamma }_{\pm }{\Pi }_{\pm }\\ \le ({D}_{\pm }-{\gamma }_{\pm })\left|{e}_{\pm }^{(1)}\right\rangle \,\left\langle {e}_{\pm }^{(1)}\right|+({\alpha }_{\pm }-{\gamma }_{\pm })\left|{e}_{\pm }^{(2)}\right\rangle \,\left\langle {e}_{\pm }^{(2)}\right|\\ \quad+\sqrt{{V}_{\pm }}\left(\left|{e}_{\pm }^{(1)}\right\rangle \,\left\langle {e}_{\pm }^{(2)}\right|+\left|{e}_{\pm }^{(2)}\right\rangle \,\left\langle {e}_{\pm }^{(1)}\right|\right)+({\alpha }_{\pm }-{\gamma }_{\pm }){\Pi }_{\pm }^{(\ge 3)}.$$
(60)

Combining Eqs. (54) and (60), we have

$$ {M}_{+}+{M}_{-}+\left|\psi \right\rangle \,\left\langle \psi \right|-{\gamma }_{+}{\Pi }_{+}-{\gamma }_{-}{\Pi }_{-}\\ \quad \le {M}_{{\rm{4d}}}\oplus ({\alpha }_{+}-{\gamma }_{+}){\Pi }_{+}^{(\ge 3)}\oplus ({\alpha }_{-}-{\gamma }_{-}){\Pi }_{-}^{(\ge 3)},$$
(61)

where \({M}_{{\rm{4d}}}\) is given in Eq. (51) with the basis \(\{\big|{e}_{+}^{(2)}\big\rangle ,\big|{e}_{+}^{(1)}\big\rangle ,\big|{e}_{-}^{(1)}\big\rangle ,\big|{e}_{-}^{(2)}\big\rangle \}\). Since \({\alpha }_{\pm }-{\gamma }_{\pm }=\big\langle {e}_{\pm }^{(2)}\big|{M}_{{\rm{4d}}}\big|{e}_{\pm }^{(2)}\big\rangle \le {\sigma }_{\sup }\left({M}_{{\rm{4d}}}\right)\), the supremum of the spectrum of the right-hand side of Eq. (61) is equal to the maximum eigenvalue of the four-dimensional matrix \({M}_{{\rm{4d}}}\). We thus obtain Eq. (50).

As a corollary, we derive Eq. (27) as follows.

Corollary 2: Let \(\left|\beta \right\rangle\) be a coherent state. Let \({\Pi }_{{\rm{ev}}({\rm{od}})}\), \({M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\), and M[κ, γ] be as defined in the main text, and define the following quantities:

$${C}_{{\rm{ev}}}:= \left\langle \beta \right|{\Pi }_{{\rm{ev}}}\left|\beta \right\rangle ={e}^{-| \beta {| }^{2}}\cosh | \beta {| }^{2},$$
(62)
$${C}_{{\rm{od}}}:= \left\langle \beta \right|{\Pi }_{{\rm{od}}}\left|\beta \right\rangle ={e}^{-| \beta {| }^{2}}\sinh | \beta {| }^{2},$$
(63)
$${D}_{{\rm{ev}}({\rm{od}})}:= {C}_{{\rm{ev}}({\rm{od}})}^{-1}\left\langle \beta \right|{M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\left|\beta \right\rangle ,$$
(64)
$${V}_{{\rm{ev}}({\rm{od}})}:= {C}_{{\rm{ev}}({\rm{od}})}^{-1}\left\langle \beta \right|{\left({M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\right)}^{2}\left|\beta \right\rangle -{D}_{{\rm{ev}}({\rm{od}})}^{2}.$$
(65)

Let \({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\) and \({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\) be defined as follows:

$${M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ] := \left[\begin{array}{cccc}1&\sqrt{{V}_{{\rm{od}}}}&&\\ \sqrt{{V}_{{\rm{od}}}}&\kappa \ {C}_{{\rm{od}}}+{D}_{{\rm{od}}}&\kappa \sqrt{{C}_{{\rm{od}}}\ {C}_{{\rm{ev}}}}&\\ &\kappa \sqrt{{C}_{{\rm{od}}}\ {C}_{{\rm{ev}}}},&\kappa \ {C}_{{\rm{ev}}}+{D}_{{\rm{ev}}}\,-\gamma \,&\sqrt{{V}_{{\rm{ev}}}}\\ &&\sqrt{{V}_{{\rm{ev}}}}&1-\gamma \end{array}\right],$$
(66)
$${M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]:= \Bigg[\begin{array}{cc}{\kappa \ {C}_{{\rm{ev}}}}&{\kappa \sqrt{{C}_{{\rm{ev}}}\ {C}_{{\rm{od}}}}}\\ { \kappa \sqrt{{C}_{{\rm{ev}}}\ {C}_{{\rm{od}}}}}&{\kappa \ {C}_{{\rm{od}}}-\gamma }\end{array}\Bigg].$$
(67)

Define a convex function

$$B(\kappa ,\gamma ):= \max \left\{{\sigma }_{\sup }\left({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\right),{\sigma }_{\sup }\left({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\right)\right\}.$$
(68)

Then, for κ, γ ≥ 0, we have

$$M[\kappa ,\gamma ]\le B(\kappa ,\gamma ){{\boldsymbol{1}}}_{AC}.$$
(69)

Proof: Let us first observe that the operator \({\Pi }^{{\rm{fid}}}\) defined in Eq. (20) can be rewritten as follows:

$${\Pi }^{{\rm{fid}}}=\left|{\phi }_{{\rm{err}}}\right\rangle \,{\left\langle {\phi }_{{\rm{err}}}\right|}_{AC}+\left|{\phi }_{{\rm{cor}}}\right\rangle \,{\left\langle {\phi }_{{\rm{cor}}}\right|}_{AC},$$
(70)

where orthogonal states \({\left|{\phi }_{{\rm{err}}}\right\rangle }_{AC}\) and \({\left|{\phi }_{{\rm{cor}}}\right\rangle }_{AC}\) are defined as

$${\left|{\phi }_{{\rm{err}}}\right\rangle }_{AC}:= {\left|+\right\rangle }_{A}\otimes {\Pi }_{{\rm{od}}}{\left|\beta \right\rangle }_{C}+{\left|-\right\rangle }_{A}\otimes {\Pi }_{{\rm{ev}}}{\left|\beta \right\rangle }_{C},$$
(71)
$${\left|{\phi }_{{\rm{cor}}}\right\rangle }_{AC}:= {\left|+\right\rangle }_{A}\otimes {\Pi }_{{\rm{ev}}}{\left|\beta \right\rangle }_{C}+{\left|-\right\rangle }_{A}\otimes {\Pi }_{{\rm{od}}}{\left|\beta \right\rangle }_{C}.$$
(72)

Next, using Eqs. (70), (19), and (21), we rearrange the operator M[κ, γ] defined in Eq. (26) as follows:

$$M[\kappa ,\gamma ]={M}^{{\rm{err}}}[\kappa ,\gamma ]\oplus {M}^{{\rm{cor}}}[\kappa ,\gamma ],$$
(73)

where

$${M}^{{\rm{err}}}[\kappa ,\gamma ]:= \,\,\left|+\right\rangle \,{\left\langle +\right|}_{A}\otimes {M}_{{\rm{od}}}^{{\rm{suc}}}+\left|-\right\rangle \,{\left\langle -\right|}_{A}\otimes {M}_{{\rm{ev}}}^{{\rm{suc}}}\\ +\kappa \left|{\phi }_{{\rm{err}}}\right\rangle \,{\left\langle {\phi }_{{\rm{err}}}\right|}_{AC}\,-\gamma \left|-\right\rangle \,{\left\langle -\right|}_{A}\otimes {\Pi }_{{\rm{ev}}},$$
(74)
$${M}^{{\rm{cor}}}[\kappa ,\gamma ]:= \kappa \left|{\phi }_{{\rm{cor}}}\right\rangle \,{\left\langle {\phi }_{{\rm{cor}}}\right|}_{AC}\,-\gamma \left|-\right\rangle \,{\left\langle -\right|}_{A}\otimes {\Pi }_{{\rm{od}}}.$$
(75)

We can apply Lemma 1 to \({M}^{{\rm{err}}}[\kappa ,\gamma ]\) by the following substitutions

$${M}_{\pm }=\left|\pm \right\rangle \,{\left\langle \pm \right|}_{A}\otimes {M}_{{\rm{od(ev)}}}^{{\rm{suc}}},$$
(76)
$$\left|\psi \right\rangle =\sqrt{\kappa }{\left|{\phi }_{{\rm{err}}}\right\rangle }_{AC},$$
(77)
$${\Pi }_{\pm }=\left|\pm \right\rangle \,{\left\langle \pm \right|}_{A}\otimes {\Pi }_{{\rm{od(ev)}}},$$
(78)
$${\alpha }_{\pm }=1,$$
(79)
$${\gamma }^{+}=0,\quad {\gamma }^{-}=\gamma .$$
(80)

Here, \({M}_{\pm }\le {\Pi }_{\pm }\) (i.e., \({\alpha }_{\pm }=1\)) holds because \({M}_{{\rm{od(ev)}}}^{{\rm{suc}}}\) are POVM elements. The other prerequisites of Lemma 1 are easily confirmed. Thus, we obtain

$${\sigma }_{\sup }\left({M}^{{\rm{err}}}[\kappa ,\gamma ]\right)\le {\sigma }_{\sup }\left({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\right).$$
(81)

In the same way, we can apply Lemma 1 to \({M}^{{\rm{cor}}}[\kappa ,\gamma ]\) via

$${M}_{\pm }=0,$$
(82)
$$\left|\psi \right\rangle =\sqrt{\kappa }{\left|{\phi }_{{\rm{cor}}}\right\rangle }_{AC},$$
(83)
$${\Pi }_{\pm }=\left|\pm \right\rangle \,{\left\langle \pm \right|}_{A}\otimes {\Pi }_{{\rm{ev}}({\rm{od}})},$$
(84)
$${\alpha }_{\pm }=0,$$
(85)
$${\gamma }^{+}=0,\quad {\gamma }^{-}=\gamma .$$
(86)

Since \({M}_{\pm }=0\) implies \({D}_{\pm }={V}_{\pm }=0\) in Lemma 1, this time we can reduce the dimension of the relevant matrix in Eq. (51) by separating the known eigenvalues 0 and −γ. Therefore, we have

$${\sigma }_{\sup }\left({M}^{{\rm{cor}}}[\kappa ,\gamma ]\right) \le \max \left\{{\sigma }_{\sup }\left({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\right),0,-\gamma \right\}\\ {\!}= {\sigma }_{\sup }\left({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\right),$$
(87)

where the last equality holds since γ ≥ 0 and \(\kappa {C}_{{\rm{ev}}}\ge 0\). We then obtain Eq. (69) from Eqs. (73), (81), and (87). Since \({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\) and \({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\) are symmetric and their elements linearly depend on κ and γ, \({\sigma }_{\sup }\left({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\right)\) and \({\sigma }_{\sup }\left({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\right)\) are convex functions over κ and γ, and so is B(κ, γ).

4. Derivation of the finite-size bound. Here we construct the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) to satisfy Eq. (15) in the estimation protocol. For that, we will first derive Eq. (30). In the estimation protocol, we define the following random variables labeled by the number i of the round;

  (i) \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\) is defined to be unity only when “signal” is chosen in the i-th round, the detection is a “success”, and a pair of outcomes \((a^{\prime} ,b^{\prime} )\) is (+, −) or (−, +). Otherwise, \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}=0\). We have

    $${\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}=\left\{\begin{array}{ll}1&\left({\rm{signal}},\,{\rm{success,}}\,(+,-)\ {\rm{or}}\ (-,+)\right)\\ 0&({\rm{otherwise}}),\hfill\end{array}\right.$$
    (88)

    and \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\).

  (ii) \({\hat{F}}^{(i)}\) is defined to be \({\Lambda }_{m,r}(| \hat{\omega }-{(-1)}^{a}\beta {| }^{2})\) when “test” is chosen in the i-th round. We have

    $${\hat{F}}^{(i)}=\left\{\begin{array}{ll}{\Lambda }_{m,r}(| \hat{\omega }-{(-1)}^{a}\beta {| }^{2})&({\rm{test}})\hfill\\ 0\hfill&({\rm{otherwise}}),\end{array}\right.$$
    (89)

    and \(\hat{F}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{F}}^{(i)}\).

  (iii) \({\hat{Q}}_{-}^{(i)}\) is defined to be unity only when “trash” is chosen in the i-th round and \(a^{\prime} =-\). Otherwise, \({\hat{Q}}_{-}^{(i)}=0\). We have

    $${\hat{Q}}_{-}^{(i)}=\left\{\begin{array}{ll}1&({\rm{trash}},\,-)\\ 0&({\rm{otherwise}}),\end{array}\right.$$
    (90)

    and \({\hat{Q}}_{-}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{Q}}_{-}^{(i)}\).

  (iv) We also define

    $${\hat{T}}^{(i)}:= {p}_{{\rm{sig}}}^{-1}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}+{p}_{{\rm{test}}}^{-1}\kappa {\hat{F}}^{(i)}-{p}_{{\rm{trash}}}^{-1}\gamma {\hat{Q}}_{-}^{(i)},$$
    (91)

    which leads to \(\hat{T}[\kappa ,\gamma ]=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{T}}^{(i)}\).

We will make use of Azuma’s inequality42. We define stochastic processes \({\{{\hat{X}}^{(k)}\}}_{k = 0,\ldots ,N}\) and \({\{{\hat{Y}}^{(k)}\}}_{k = 1,\ldots ,N}\) as follows:

$${\hat{X}}^{(0)}:= 0,$$
(92)
$${\hat{X}}^{(k)}:= \mathop{\sum }\limits_{i = 1}^{k}\left({\hat{T}}^{(i)}-{\hat{Y}}^{(i)}\right)\quad (k\ge 1),$$
(93)
$${\hat{Y}}^{(k)}:= {\mathbb{E}}\left[\left.{\hat{T}}^{(k)}\right|{\hat{X}}^{\,{<}\,k}\right],$$
(94)

where \({\hat{X}}^{\,{<}\,k}:= ({\hat{X}}^{(0)},{\hat{X}}^{(1)},\ldots ,{\hat{X}}^{(k-1)})\). Note that \({\hat{Y}}^{(k)}\) is a constant when conditioned on \({\hat{X}}^{\,{<}\,k}\). Such a sequence \({\{{\hat{Y}}^{(k)}\}}_{k = 1,2,\ldots }\) is called a predictable process with regards to \(\{{\hat{X}}^{(k)}\}\). Since \({\hat{T}}^{(i)}\) is bounded for any i and \({\{{\hat{X}}^{(k)}\}}_{k = 0,1,\ldots }\) is a martingale, we can apply Azuma’s inequality.

Proposition 1 (Azuma’s inequality52,53): Suppose \({\{{\hat{X}}^{(k)}\}}_{k = 0,1,\ldots }\) is a martingale which satisfies

$$-{\hat{Y}}^{(k)}+{c}_{\min }\le {\hat{X}}^{(k)}-{\hat{X}}^{(k-1)}\le -{\hat{Y}}^{(k)}+{c}_{\max },$$
(95)

for constants \({c}_{\min }\) and \({c}_{\max }\), and a predictable process \({\{{\hat{Y}}^{(k)}\}}_{k = 1,2,\ldots }\) with regards to \(\{{\hat{X}}^{(k)}\}\), i.e., \({\hat{Y}}^{(k)}\) is constant when conditioned on \({\hat{X}}^{\,{<}\,k}\). Then, for all positive integers N and all positive reals δ,

$$\Pr [{\hat{X}}^{(N)}-{\hat{X}}^{(0)}\ge \delta ]\le \exp \left(-\frac{2{\delta }^{2}}{{({c}_{\max }-{c}_{\min })}^{2}N}\right).$$
(96)

We define constants \({c}_{\min }\) and \({c}_{\max }\) as follows. In each round, at most one of \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\), \({\hat{F}}^{(i)}\), and \({\hat{Q}}_{-}^{(i)}\) takes a non-zero value; \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\) and \({\hat{Q}}_{-}^{(i)}\) are either zero or unity, and \(\min {\Lambda }_{m,r}\le {\hat{F}}^{(i)}\le \max {\Lambda }_{m,r}\). Since κ, γ ≥ 0, Eq. (95) holds when \({c}_{\min }\) and \({c}_{\max }\) are defined as

$${c}_{\min }:= \min \left({p}_{{\rm{test}}}^{-1}\kappa \ \min {\Lambda }_{m,r},\,-{p}_{{\rm{trash}}}^{-1}\gamma ,\,0\right),$$
(97)
$${c}_{\max }:= \max \left({p}_{{\rm{sig}}}^{-1},\,{p}_{{\rm{test}}}^{-1}\kappa \ \max {\Lambda }_{m,r},\,0\right).$$
(98)

With \({c}_{\min }\) and \({c}_{\max }\) defined as above, we further define

$${\delta }_{1}(\epsilon ):= ({c}_{\max }-{c}_{\min })\sqrt{\frac{N}{2}\mathrm{ln}\,\left(\frac{1}{\epsilon }\right)}.$$
(99)

Setting \(\delta ={\delta }_{1}(\epsilon /2)\) in the proposition, we conclude that

$$\hat{T}[\kappa ,\gamma ]\le \mathop{\sum }\limits_{i = 1}^{N}{\hat{Y}}^{(i)}+{\delta }_{1}(\epsilon /2)$$
(100)

holds with a probability no smaller than 1 − ϵ/2.

Next, we will construct a deterministic bound on \({\hat{Y}}^{(i)}\). Let \({\rho }_{AC}^{(i)}\) be the state of Alice’s i-th qubit and Bob’s i-th pulse conditioned on \({\hat{X}}^{\,{<}\,i}\). Then, using the same argument that led to Eqs. (22)–(24), we have

$${\mathbb{E}}\left[\left.{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\right|{\hat{X}}^{\,{<}\,i}\right]={p}_{{\rm{sig}}}{\rm{Tr}}\left({\rho }_{AC}^{(i)}{M}_{{\rm{ph}}}^{{\rm{suc}}}\right),$$
(101)
$${\mathbb{E}}\left[\left.{\hat{Q}}_{-}^{(i)}\right|{\hat{X}}^{\,{<}\,i}\right]={p}_{{\rm{trash}}}{\rm{Tr}}\left({\rho }_{AC}^{(i)}{\Pi }_{-}^{{\rm{trash}}}\right),$$
(102)
$${\mathbb{E}}\left[{\hat{F}}^{(i)}| {\hat{X}}^{\,{<}\,i}\right]\le {p}_{{\rm{fid}}}{\rm{Tr}}\left({\rho }_{AC}^{(i)}{\Pi }^{{\rm{fid}}}\right),$$
(103)

and thus

$${\hat{Y}}^{(i)}\le {\rm{Tr}}\left({\rho }_{AC}^{(i)}M[\kappa ,\gamma ]\right),$$
(104)

where M[κ, γ] is defined in Eq. (26). Using the operator inequality (27), we obtain a bound independent of i as

$${\hat{Y}}^{(i)}\le B(\kappa ,\gamma ).$$
(105)

Combining this with Eq. (100) proves Eq. (30).

The function \({\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})\) satisfying the bound (31) on \({\hat{Q}}_{-}\) can be derived from the fact that \(\Pr [{\hat{Q}}_{-}| {\hat{N}}^{{\rm{trash}}}]\) is a binomial distribution. The following inequality thus holds for any positive integer n and a real δ with \(0 < \delta < (1-{q}_{-})n\) (Chernoff bound):

$$\Pr \left[\left.{\hat{Q}}_{-}-{q}_{-}n\ge \delta \right|{\hat{N}}^{{\rm{trash}}}=n\right]\le {2}^{-nD({q}_{-}+\delta /n\parallel {q}_{-})},$$
(106)

where

$$D(x\parallel y):= x\ {\mathrm{log}\,}_{2}\frac{x}{y}+(1-x)\ {\mathrm{log}\,}_{2}\frac{1-x}{1-y}$$
(107)

is the Kullback-Leibler divergence. On the other hand, for any non-negative integer n, we always have

$$\Pr \left[\left.{\hat{Q}}_{-}-{q}_{-}n\le (1-{q}_{-})n\right|{\hat{N}}^{{\rm{trash}}}=n\right]=1.$$
(108)

Therefore, for any non-negative integer n, by defining \({\delta }_{2}(\epsilon ;n)\) which satisfies

$$\left\{\begin{array}{ll}D\left({q}_{-}+{\delta }_{2}(\epsilon ;n)/n\parallel {q}_{-}\right)=-\frac{1}{n}{\mathrm{log}\,}_{2}(\epsilon )&(\epsilon\,> \,{q}_{-}^{n})\\ {\delta }_{2}(\epsilon ;n)=(1-{q}_{-})n\hfill &(\epsilon \,\le\, {q}_{-}^{n})\end{array}\right.,$$
(109)

and by combining Eqs. (106) and (108), we conclude that Eq. (31) holds with a probability no smaller than 1 − ϵ/2.

Combining Eq. (30) and Eq. (31), we obtain Eq. (15) by setting

$$U(\hat{F},{\hat{N}}^{{\rm{trash}}}) := \,{p}_{{\rm{sig}}}NB(\kappa ,\gamma )+{p}_{{\rm{sig}}}{\delta }_{1}(\epsilon /2)\\ \quad\,\,-\frac{{p}_{{\rm{sig}}}}{{p}_{{\rm{test}}}}\kappa \hat{F}+\frac{{p}_{{\rm{sig}}}}{{p}_{{\rm{trash}}}}\gamma \left({q}_{-}{\hat{N}}^{{\rm{trash}}}+{\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})\right),$$
(110)

which holds with a probability no smaller than 1 − ϵ (Union bound). Note that since B(κ, γ) is a convex function, so is \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) with respect to auxiliary parameters κ and γ.

Models for numerical simulation of key rates

In what follows, we normalize quadrature x such that a coherent state \(\left|\omega \right\rangle\) has expectation \(\left\langle x\right\rangle ={\rm{Re}}(\omega )\) and variance \(\left\langle {(\Delta x)}^{2}\right\rangle =1/4\). The wave function for ω = ωR + iωI is given by

$$\left\langle x| \omega \right\rangle ={\left(\frac{2}{\pi }\right)}^{\frac{1}{4}}\exp \left[-{\left(x-{\omega }_{R}\right)}^{2}+2i{\omega }_{I}x-i{\omega }_{R}{\omega }_{I}\right].$$
(111)

For the simulation of the key rate \(\hat{G}\), we assume that the communication channel and Bob’s detection apparatus can be modeled by a pure loss channel followed by random displacement, that is, the states which Bob receives are given by

$${\rho }_{{\rm{model}}}^{(a)}:= \int_{{\mathbb{C}}}{p}_{\xi }(\gamma )\left|{(-1)}^{a}\sqrt{\eta \mu }+\gamma \right\rangle \,\left\langle {(-1)}^{a}\sqrt{\eta \mu }+\gamma \right|{d}^{2}\gamma ,$$
(112)

where η is the transmissivity of the pure loss channel and \({p}_{\xi }(\gamma )\) is given by

$${p}_{\xi }(\gamma ):= \frac{2}{\pi \xi }{e}^{-2| \gamma {| }^{2}/\xi }.$$
(113)

The parameter ξ is the excess noise relative to the vacuum, namely,

$${\left\langle {(\Delta x)}^{2}\right\rangle }_{{{\rho }^{({\rm{a}})}_{{\rm{model}}}}}=(1+\xi )/4.$$
(114)

We assume that Bob sets \(\beta =\sqrt{\eta \mu }\) for the fidelity test. The actual fidelity between Bob’s objective state \(\left|{(-1)}^{a}\sqrt{\eta \mu }\right\rangle\) and the model state \({\rho }_{{\rm{model}}}^{(a)}\) is given by

$$ F({\rho }_{{\rm{model}}}^{(a)},\left|{(-1)}^{a}\sqrt{\eta \mu }\right\rangle \,\left\langle {(-1)}^{a}\sqrt{\eta \mu }\right|)\\ \quad =\int_{{\mathbb{C}}}{p}_{\xi }(\gamma )| \left\langle {(-1)}^{a}\sqrt{\eta \mu }| {(-1)}^{a}\sqrt{\eta \mu }-\gamma \right\rangle {| }^{2}d^2\gamma \\ \quad=\frac{1}{1+\xi /2}.$$
(115)

For the acceptance probability of Bob’s measurement in the signal rounds, we assume \({f}_{{\rm{suc}}}(x)=\Theta (x-{x}_{{\rm{th}}})\), a step function with the threshold \({x}_{{\rm{th}}} > 0\). In this case, the quantities defined in Eqs. (64) and (65) are given by

$${D}_{{\rm{ev}}} ={\int_{0}^{\infty }}2{C}_{{\rm{ev}}}^{-1}{f}_{{\rm{suc}}}(x)\ {\left|\left\langle x\right|{\Pi }_{{\rm{ev}}}\left|\beta \right\rangle \right|}^{2}dx$$
(116)
$$ =\frac{1}{4{C}_{{\rm{ev}}}}\left[{\rm{erfc}}\left(\sqrt{2}({x}_{{\rm{th}}}-\beta )\right)+{\rm{erfc}}\left(\sqrt{2}({x}_{{\rm{th}}}+\beta )\right)\right.\\ \quad\left.+{\,}2{e}^{-2{\beta }^{2}}{\rm{erfc}}\left(\sqrt{2}{x}_{{\rm{th}}}\right)\right],$$
(117)
$${D}_{{\rm{od}}}={\int_{0}^{\infty }}2{C}_{{\rm{od}}}^{-1}{f}_{{\rm{suc}}}(x)\ {\left|\left\langle x\right|{\Pi }_{{\rm{od}}}\left|\beta \right\rangle \right|}^{2}dx\qquad\qquad\qquad\qquad $$
(118)
$$ =\frac{1}{4{C}_{{\rm{od}}}}\left[{\rm{erfc}}\left(\sqrt{2}({x}_{{\rm{th}}}-\beta )\right)+{\rm{erfc}}\left(\sqrt{2}({x}_{{\rm{th}}}+\beta )\right)\right.\\ \quad\left.-\;2{e}^{-2{\beta }^{2}}{\rm{erfc}}\left(\sqrt{2}{x}_{{\rm{th}}}\right)\right],$$
(119)
$$\;\;\;{V}_{{\rm{ev}}({\rm{od}})} ={\int_{0}^{\infty }}2{C}_{{\rm{ev}}({\rm{od}})}^{-1}{\left({f}_{{\rm{suc}}}(x)\right)}^{2}{\left|\left\langle x\right|{\Pi }_{{\rm{ev}}({\rm{od}})}\left|\beta \right\rangle \right|}^{2}dx -{D}_{{\rm{ev}}({\rm{od}})}^{2}\quad$$
(120)
$$={D}_{{\rm{ev}}({\rm{od}})}-{D}_{{\rm{ev}}({\rm{od}})}^{2},\qquad\qquad\qquad\qquad\qquad\qquad$$
(121)

where \(\beta =\sqrt{\eta \mu }\) and the complementary error function \({\rm{erfc}}(x)\) is defined as

$${\rm{erfc}}(x):= \frac{2}{\sqrt{\pi }}{\int_{x}^{\infty }}dt\,{e}^{-{t}^{2}}.$$
(122)

For the derivation of Eq. (120), we used the fact that \({\Pi }_{{\rm{ev}}}+{\Pi }_{{\rm{od}}}=1\) and \(({\Pi }_{{\rm{ev}}}-{\Pi }_{{\rm{od}}})\left|\beta \right\rangle =\left|-\beta \right\rangle\).

We assume that the number of “success” signal rounds \({\hat{N}}^{{\rm{suc}}}\) is equal to its expectation value,

$${\mathbb{E}}[{\hat{N}}^{{\rm{suc}}}] = \left({\int_{-\infty }^{\infty }}f(| x| )\left\langle x\right|{\rho }_{{\rm{model}}}^{(a)}\left|x\right\rangle dx\right){p}_{{\rm{sig}}}N\\ = {p}_{{\rm{sig}}}N({P}^{+}+{P}^{-}),$$
(123)

where

$${P}^{\pm } := {\int_{{x}_{{\rm{th}}}}^{\infty }}\left\langle \pm {(-1)}^{a}x\right|{\rho }_{{\rm{model}}}^{(a)}\left|\pm {(-1)}^{a}x\right\rangle dx\\ =\frac{1}{2}\ {\rm{erfc}}\,\left(({x}_{{\rm{th}}}\mp \sqrt{\eta \mu })\sqrt{\frac{2}{1+\xi }}\right).$$
(124)

We also assume that the number of test rounds \({\hat{N}}^{{\rm{test}}}\) is equal to \({p}_{{\rm{test}}}N\) and the number of trash rounds \({\hat{N}}^{{\rm{trash}}}\) is equal to \({p}_{{\rm{trash}}}N\). The test outcome \(\hat{F}\) is assumed to be equal to its expectation value \({\mathbb{E}}[\hat{F}]\), which is given by

$${\mathbb{E}}[\hat{F}] ={p}_{{\rm{test}}}N\ {{\mathbb{E}}}_{{\rho }_{{\rm{model}}}^{(a)}}[{\Lambda }_{m,r}(| \hat{\omega }-{(-1)}^{a}\sqrt{\eta \mu }{| }^{2})]\\ ={p}_{{\rm{test}}}N\int_{{\mathbb{C}}}\frac{{d}^{2}\omega }{\pi }\left\langle \omega \right|{\rho }_{{\rm{model}}}^{(a)}\left|\omega \right\rangle {\Lambda }_{m,r}(| \omega -{(-1)}^{a}\sqrt{\eta \mu }{| }^{2})\\ =\frac{{p}_{{\rm{test}}}N}{1+\xi /2}\left[1-{(-1)}^{m+1}{\left(\frac{\xi /2}{1+r(1+\xi /2)}\right)}^{m+1}\right].$$
(125)

Under these assumptions, the key rate \(\hat{G}\) for each transmissivity η is optimized over two coefficients (κ, γ) and four protocol parameters (μ, \({x}_{{\rm{th}}}\), \({p}_{{\rm{sig}}}\), \({p}_{{\rm{test}}}\)) as discussed in the main part. Examples of optimized parameters are shown in Table 1. The cost of bit error correction \({H}_{{\rm{EC}}}\) is assumed to be \(1.1\times {\hat{N}}^{{\rm{suc}}}h({e}_{{\rm{bit}}})\), where the bit error rate \({e}_{{\rm{bit}}}\) is given by

$${e}_{{\rm{bit}}}=\frac{{P}^{-}}{{P}^{+}+{P}^{-}}.$$
(126)
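
The closed forms of this simulation model, Eqs. (115), (117), (119), (121) and (123)–(126), can be evaluated and cross-checked against direct numerical integration of Eq. (111) and of the model's Gaussian quadrature density. This is an added example, not code from the paper. It assumes a = 0, that h is the binary entropy function, and that the normalization constants are \({C}_{{\rm{ev}}({\rm{od}})}=\left\langle \beta \right|{\Pi }_{{\rm{ev}}({\rm{od}})}\left|\beta \right\rangle\); the function names and the sample parameter point are constructed.

```python
import math

def h2(p):  # binary entropy; h(e_bit) is assumed to denote this function
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def signal_stats(eta, mu, xi, x_th, p_sig, n):
    """P+/- (124), e_bit (126), E[N_suc] (123) and H_EC = 1.1 N_suc h(e_bit)."""
    beta, s = math.sqrt(eta * mu), math.sqrt(2 / (1 + xi))
    p_plus = 0.5 * math.erfc((x_th - beta) * s)
    p_minus = 0.5 * math.erfc((x_th + beta) * s)
    e_bit = p_minus / (p_plus + p_minus)
    n_suc = p_sig * n * (p_plus + p_minus)
    return {"P+": p_plus, "P-": p_minus, "e_bit": e_bit,
            "N_suc": n_suc, "H_EC": 1.1 * n_suc * h2(e_bit)}

def expected_test_outcome(xi, m, r, p_test, n):
    """E[F_hat] of Eq. (125); 1/(1 + xi/2) is the fidelity of Eq. (115)."""
    q = (xi / 2) / (1 + r * (1 + xi / 2))
    return p_test * n / (1 + xi / 2) * (1 - (-1) ** (m + 1) * q ** (m + 1))

def norm_const(beta, sign):
    # Assumption: C_ev(od) = <beta|Pi_ev(od)|beta> = exp(-beta^2) cosh(sinh)(beta^2)
    return math.exp(-beta**2) * (math.cosh if sign > 0 else math.sinh)(beta**2)

def parity_weight(beta, x_th, sign):
    """D_ev (sign=+1, Eq. 117) or D_od (sign=-1, Eq. 119); V = D - D^2 by Eq. (121)."""
    r2 = math.sqrt(2)
    a = math.erfc(r2 * (x_th - beta)) + math.erfc(r2 * (x_th + beta))
    b = 2 * math.exp(-2 * beta**2) * math.erfc(r2 * x_th)
    d = (a + sign * b) / (4 * norm_const(beta, sign))
    return d, d - d * d

def midpoint(f, lo, hi, steps=20000):
    w = (hi - lo) / steps
    return w * sum(f(lo + (i + 0.5) * w) for i in range(steps))

def parity_weight_numeric(beta, x_th, sign):
    """Eq. (116)/(118) integrated from the wave function of Eq. (111), real omega."""
    psi = lambda x, w: (2 / math.pi) ** 0.25 * math.exp(-(x - w) ** 2)
    f = lambda x: 2 / norm_const(beta, sign) * ((psi(x, beta) + sign * psi(x, -beta)) / 2) ** 2
    return midpoint(f, x_th, x_th + beta + 8)

def p_plus_numeric(eta, mu, xi, x_th):
    """P+ from the Gaussian quadrature density: mean sqrt(eta*mu), variance (1+xi)/4."""
    beta, var = math.sqrt(eta * mu), (1 + xi) / 4
    f = lambda x: math.exp(-(x - beta) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)
    return midpoint(f, x_th, x_th + beta + 8)

SAMPLE = dict(eta=0.1, mu=0.6, xi=0.01, x_th=0.4, p_sig=0.8, n=10**12)  # constructed, not Table 1
```

Calling `signal_stats(**SAMPLE)` returns the post-selection statistics that feed the key-rate optimization; the numeric helpers exist only to confirm the erfc closed forms.
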
Table 1 Examples of optimized parameters.