Finite-size security of continuous-variable quantum key distribution with digital signal processing

In comparison to conventional discrete-variable (DV) quantum key distribution (QKD), continuous-variable (CV) QKD with homodyne/heterodyne measurements has distinct advantages of lower-cost implementation and affinity to wavelength division multiplexing. On the other hand, its continuous nature makes it harder to accommodate to practical signal processing, which is always discretized, leading to lack of complete security proofs so far. Here we propose a tight and robust method of estimating fidelity of an optical pulse to a coherent state via heterodyne measurements. We then construct a binary phase modulated CV QKD protocol and prove its security in the finite-key-size regime against general coherent attacks, based on proof techniques of DV QKD. Such a complete security proof achieves a significant milestone in exploiting the benefits of CV QKD.

Quantum key distribution (QKD) aims at generating a secret key shared between two remote legitimate parties with information-theoretic security, which provides secure communication against an adversary with arbitrary computational power and hardware technology. Since the first proposal in 1984 [1], various QKD protocols have been proposed with many kinds of encoding and decoding schemes. These protocols are typically classified into two categories depending on the detection methods. One of them is called discrete-variable (DV) QKD, which uses photon detectors and includes earlier protocols such as BB84 [1] and B92 [2] protocols. The other is called continuous-variable (CV) QKD, which uses homodyne and heterodyne measurements with photo detectors [3][4][5]. Although DV QKD is more mature and achieves a longer distance if photon detectors with low dark count rates are available, CV QKD has its own distinct advantages for a short distance. It can be implemented with components common to coherent optical communication technology and is expected to be cost-effective. Excellent spectral filtering capability inherent in homodyne/heterodyne measurements suppresses crosstalk in wavelength division multiplexing (WDM) channels. This allows multiplexing of hundreds of QKD channels into a single optical fiber [6] as well as co-propagation with classical data channels [7][8][9][10][11][12][13], which makes integration into existing communication network easier.
One major obstacle in putting CV QKD to practical use is the gap between the employed continuous variables and mandatory digital signal processing. The CV QKD protocols are divided into two branches depending on whether the modulation method of the encoder is also continuous, or it is discrete. The continuous modulation protocols usually adopts Gaussian modulation, in which the sender chooses the complex amplitude of a coherent-state pulse according to a Gaussian distribution [3-5, 14, 15] (see Ref. [16] for a review). This allows powerful theoretical tools such as Gaussian optimality [17,18], and complete security proofs for a finite-size key and against general attacks have been given [19]. To implement Gaussian protocols with a digital random-number generator and digital signal processing, it is necessary to approximate the continuous distribution with a constellation composed of a large but finite number of complex amplitudes [20,21]. This is where difficulty arises, and the security analysis has been confined to the asymptotic regime and collective attacks. The other branch gives priority to simplicity of the modulation and uses a very small (usually two to four) number of amplitudes [22][23][24]. As for the security analysis, the status is more or less similar to the Gaussian constellation case, and current security proofs are either in the asymptotic regime against collective attacks [25][26][27][28] or in the finite-size regime but against more restrictive attacks [29]. Hence, regardless of approaches, a complete security proof of CV QKD in the finite-size regime against general attacks has been a significant milestone yet to be achieved.
Here we mark the above milestone by proposing a binary phase-modulated CV QKD protocol with a complete security proof in the finite-size regime against general attacks. The key ingredient is a novel estimation method using heterodyne measurements which is suited for analysis of confidence region in the finite-size regime. The outcome of heterodyne measurement, which is unbounded, is converted to a bounded value by a smooth function such that its expectation is proved to be no larger than the fidelity of the input pulse to a coherent state. This allows us to use a standard technique to derive a lower bound on the fidelity with a required confidence level in the finite-size regime. The fidelity as a measure of disturbance in the binary modulated protocol is essentially the same as what is monitored through bit errors in the B92 protocol [2,30,31]. This allows us to construct a security proof based on a reduction to distillation of entangled qubit pairs [32,33], which is a technique frequently used for DV QKD protocols.

Results
Estimation of fidelity to a coherent state. We first introduce a test scheme to estimate the fidelity between an input optical state ρ and the vacuum state |0 0| through a heterodyne measurement. For an input state ρ of a single optical mode, the heterodyne measurement produces an outcomeω ∈ C with a probability density where a coherent state |ω is defined as We denote the expectation associated with the distribution q ρ (ω) simply by E ρ . To construct a lower bound for the fidelity 0| ρ |0 fromω, we will use the associated Laguerre polynomials which are given by where are the Laguerre polynomials. Our test scheme is based on the following theorem.
Theorem 1: Let Λ m,r (µ) be a bounded function given by for an integer m ≥ 0 and a real number r > 0. Then, we have n| ρ |n (1 + r) n I n,m , (6) where I n,m are constants satisfying (−1) m I n,m > 0.
From Eq. (6), a lower bound on the fidelity between ρ and the vacuum state is given by for any odd integer m. As seen in Figure 1. a), the absolute value and the slope of the function Λ m,r are moderate for small values of m and r, which is advantageous in executing the test in a finite duration with a finite resolution. Compared to a similar method proposed in [34], our method excels in its tightness for weak input signals; we see from Eq. (6) that, regardless of the value of r, the inequality (7) saturates when ρ has at most m photons. This is crucial for the use in QKD in which tightness directly affects the efficiency of the key generation. Extension to the fidelity to a coherent state |β is straightforward as E ρ [Λ m,r (|ω − β| 2 )] ≤ Tr (ρ |β β|) (m : odd). (8) Figure 1. Illustration of the test scheme to estimate the fidelity. a) Example of the test functions used in the estimation. In general, the range of the function Λm,r gets larger when m gets larger. b) A schematic description of the usage of obtained outcomes in heterodyne measurement. In order to estimate the lower bound on the fidelity to the coherent states |±β , the squared distance between the outcomeω and the objective point (−1) a β (i.e., |ω − (−1) a β| 2 ) is used.
The proofs are given in Methods. Proposed protocol. Based on this fidelity test, we propose the following discrete-modulated protocol (see Figure 2). In what follows, Alice and Bob predetermine the number of rounds N , the protocol parameters (µ, p sig , p test , p trash , β, s), the acceptance probability of homodyne measurement f suc (|x|) (x ∈ R) with f suc (0) = 0, and the parameters for the test function (m, r). We assume all the parameters are positive and that p sig + p test + p trash = 1.
1. Alice generates a random bit a ∈ {0, 1} and sends an optical pulse B in a coherent state with amplitude (−1) a √ µ to Bob. She repeats it N times.
2. For each of the received N pulses, Bob chooses a label from {signal, test, trash} with probabilities p sig , p test , and p trash , respectively. According to the label, Alice and Bob do one of the following procedures.
[signal] Bob performs a homodyne measurement on the received optical pulse, and obtains an outcomex ∈ R. With a probability f suc (|x|), he regards the detection to be a "success", and defines a bit b = 0 (resp. 1) when sign(x) = +(−)1. He announces success/failure of the detection. In the case of a success, Alice (resp. Bob) keeps a (b) as a sifted key bit.
[test] Bob performs a heterodyne measurement on the received optical pulse, and obtains an outcomeω. Alice announces her bit a. Bob calculates the value of Λ m,r (|ω − (−1) a β| 2 ).
[trash] Alice and Bob produce no outcomes.
3. We denote the numbers of "success" and "failure" signal rounds, test rounds, and trash rounds bŷ

Bob computes and announces the final key length bŷ
is the binary entropy function and the function U (F ,N trash ) will be specified below. Alice and Bob apply privacy amplification to obtain the final key. The net key gainĜ per pulse is therefore given bŷ Security Proof. We determine a sufficient amount of the privacy amplification according to Shor and Preskill [17], which has been widely used for the DV-QKD protocols. We consider an equivalent protocol in which Alice and Bob determine their sifted key bits a and b by measurement on a pair of qubits. For Alice, we introduce a qubit A and assume that she entangles it with an optical pulse B in a state Then, Step 1. is equivalent to the preparation of |Ψ AB followed by a measurement of the qubit A on Z basis {|0 , |1 } to determine the bit value a. For Bob, we Bob chooses one of the three measurements based on the predetermined probability. In the signal round , Bob performs a homodyne measurement on the received optical pulse and obtains an outcomex. In the test round, Bob performs a heterodyne measurement on the received optical pulse and obtains an outcomeω. In the trash round, he produces no outcome.
construct a process of probabilistically converting the received optical pulse B to a qubit B (See Figure 3). Consider a completely positive map defined by with When the pulse B is in a state ρ B , the corresponding process succeeds with a probability p suc and then prepares the qubit B in a state ρ B , where p suc ρ B = F B→B (ρ B ). If the qubit B is further measured on Z basis, probabilities of the outcome b = 0, 1 are given by which shows the equivalence to the signal round in Step 2. This is illustrated in Figure 3.
Once the qubit pair AB are introduced, the amount of privacy amplification is connected to the so-called phase error rate. Instead of Z-basis measurements in the equivalent protocol, consider a virtual protocol in which the qubits are measured on X basis {|± := (|0 + |1 )/ √ 2}. A pair with outcomes (+, −) or (−, +) is defined to be a phase error. LetN suc ph be the number of phase errors amongN suc pairs. If we have a good upper bound e ph on the phase error rateN suc ph /N suc , shortening by fraction h(e ph ) via privacy amplification achieves the security in the asymptotic limit [32,36]. To cover the finite-size cases as well, our goal is to construct U (F ,N trash ) which satisfies for any attack in the virtual protocol. It is known that it immediately implies that the actual protocol can be made sec -secure with a small security parameter sec = √ 2 √ + 2 −s + 2 −s [36,37]. See Methods for the detailed definition of security.
At this point, it is beneficial for the analysis of the phase error statistics to clarify what property of the optical pulse B is measured by Bob's X-basis measurement (see Figure 3). Let Π ev(od) be the projection to the subspace with even (resp. odd) photon numbers. (Π ev +Π od = 1 B holds by definition.) Furthermore, since Π ev − Π odd is the operator for an optical phase shift of π, we have (Π ev − Π odd ) |x = |−x . Eq. (13) is then rewritten as (17) Therefore, the probability of obtaining +(−) in the Xbasis measurement is given by where . (19) This shows that Bob's X-basis measurement distinguishes the parity of the photon number of the received pulse. In this sense, the secrecy of our protocol is assured by the complementarity between the sign of the quadrature and the parity of the photon number.
For the construction of U (F ,N trash ), we consider a modified scenario as follows.
1'. Alice prepares a qubit A and an optical pulse B in a state |Ψ AB defined in (11). She repeats it N times.
2'. According to the label announced by Bob in the same way as in Step 2., Alice and Bob do one of the following procedures.
[signal] Bob makes a measurement on the received pulse B specified by measurement operators When the adversary adopts the same attack strategy on the virtual protocol and the modified scenario, the marginal joint probability of (N suc ph ,F ,N trash ) should be the same. Hence it suffices to prove Eq. (16) for the modified scenario.
In order to boundN suc ph , we seek an upper bound on a linear combination of variables, with coefficients κ, γ ≥ 0 which are independent of the observed values ofF andN trash . First, the expectation E T [κ, γ] can be bounded as follows. Let ρ AB be the state of the qubit A and the received pulse B averaged over N pairs, and define relevant operators as and Then we immediately have (25) and while application of the property of Eq. (8) leads to If we can find a constant B(κ, γ) ∈ R satisfying the operator inequality we obtain a bound E T [κ, γ] ≤ N B(κ, γ), which is indepenedent of ρ AB . An easily computable bound B(κ, γ) is derived in Methods. Then we expect that holds with a probability no smaller than 1− /2. Here, the term δ 1 ( /2) of O( √ N ) allows for fluctuations from finitesize effects, and is determined by using Azuma's inequality [38] (see Methods). Although Eq. (20) includesQ − which is inaccessible in the actual protocol, we can derive a bound by noticing that it is an outcome from Alice's qubits and is independent of the adversary's attack. In fact, givenN trash , it is the tally ofN trash Bernoulli trials with a probability −| A |Ψ AB 2 = (1 − e −2µ )/2 =: q − . Hence, we can derive an inequality of the form which holds with a probability no smaller than 1 − /2. Here δ 2 ( /2;N trash ) can be determined by a Chernoff bound (see Methods). Combining Eqs. (20), (29), and (30), we obtain U (F ,N trash ) satisfying Eq. (16) to complete the finite-size security proof. Numerical Simulation. We simulated the net key gain per pulseĜ as a function of transmissivity of the optical path η (including the efficiency of Bob's apparatus). We assume a channel model with a loss with transmissivity η and an excess noise for Bob's apparatus with which the received state is displaced randomly to increase the variance by a factor of 1 + ξ. We assume a step function with a threshold x th (> 0) as the acceptance probability f suc (|x|). The expected amplitude of coherent state β is chosen to be √ ηµ. We set sec = 2 −50 for the security parameter, and set = 2 −s = 2 sec /16 and 2 −s = sec /2. We thus have two coefficients (κ, γ), four protocol parameters (µ, x th , p sig , p test ), and two parameters (m, r) of the test function to be determined. For each transmissivity η, we determined (κ, γ) via a convex optimization using the CVXPY 1.0.25 [39,40] and (µ, x th , p sig , p test ) via the Nelder-Mead in the scipy.minimize library in Python, in order to maximize the key rate. Furthermore, we adopted m = 1 and r = 0.412019, which leads to (maxΛ m,r , minΛ m,r ) = (2.82404, −0.993162). See Methods for the detail of the model of our numerical simulation. Figure 4 shows the key rates of our protocol in the asymptotic limit N → ∞ and finite-size cases with N = 10 9 -10 12 for ξ = 10 −2.0 -10 −3.0 and 0. For the noiseless model (ξ = 0), the asymptotic rate reaches η = 0.2. In the case of ξ = 10 −3.0 , it reaches η = 0.4, which is comparable to the result of a similar binary modulation protocol [25]. As for finite-size key rates, we see that the noiseless model shows a significant finite-size effect even for N = 10 12 . On the other hand, with a presence of noises (ξ = 10 −3.0 ) the effect becomes milder, and N = 10 11 is enough to achieve a rate close to the asymptotic case.
Discussion. Numerically simulated key rates above were computed on the implicit assumption that Bob's observed quantities are processed with infinite precision. Even when these are approximated with a finite set of discrete points, we can still prove the security with minimal degradation of key rates. For the heterodyne measurement used for the test in the protocol, assume that a digitized outcome ω dig ensures that the true valueω lies in a range Ω(ω dig ). Then, we need only to replace Λ m,r (|ω ± β| 2 ) with its worst-case value, min{Λ m,r (|ω ± β| 2 ) :ω ∈ Ω(ω dig )}. As seen in Figure 1. a), the slope of function Λ m,r (µ) is moderate and goes to zero for µ → ∞. This means that the worstcase value can be made close to the true value, leading to small influence on the key rate. For the homodyne measurement used for the signal, finite precision can be treated through appropriate modification of the acceptance probability f suc (x). Aside from a very small change in the success rate and the bit error rate, this function affects the key rate only through integrals in Eqs. (101), (103), and (105) in Methods, and hence influence on the key rate is expected to be small. We thus believe that the fundamental obstacles associated with the analogue nature of the CV protocol have been settled by our approach.
To improve the presented key rate, increasing the number of states from two seems to be a promising route. Our fidelity test can be straightforwardly generalized to monitoring of such a larger constellation of signals, and we will be able to confine the adversary's attacks more tightly than in the present binary protocol. As for the proof techniques to determine the amount of privacy amplification, there are two possible directions. One is to generalize the present DV-QKD inspired approach of estimating the number of phase errors in qubits to the case of qudits. The other direction is to seek a way to combine the existing analyses [27,28,41] of discrete modulation CV-QKD protocols, which have been reported to yield high key rates in the asymptotic regime, to our fidelity test.
In summary, we proved the security of a binarymodulated CV QKD protocol in the finite-size regime while completely circumventing the problems arising from the analogue nature of CV-QKD. We believe that it is a significant milestone toward real-world implementation of CV-QKD, which has its own advantages.

Methods
Proof of Theorem 1 and Eq. (8). From Eq. (1), the expectation value of Λ m,r (|ω| 2 ) when given a measured state ρ is given by where for integers n, m ≥ 0. One can show the following three properties with regard to I n,m : (i) I n,m = 0 for m ≥ n ≥ 1.
This results from orthogonality relations of the associated Laguerre polynomials, that is, Since the polynomial µ n−1 can be written as a linear combination of lower order polynomials {L (1) l (µ)} 0≤l≤n−1 , I n,m vanishes whenever m ≥ n ≥ 1.
This property is shown as follows. First, the associated Laguerre polynomials satisfy the following recurrence relation for m ≥ 1 [42]: Substituting this to Eq. (32) and using integration by parts, we have I n,m = n + m n I n−1,m − m + 1 n I n−1,m−1 .
for n ≥ 1 and m ≥ 1. The property (ii) is then proved by induction over m. For m = 0, it is true since I n,0 = 1 > 0. When (−1) m−1 I n,m−1 > 0 for n > m − 1, we can prove (−1) m I n,m > 0 for n > m by using Eq. (35) recursively with I m,m = 0 from property (i).
Because of the property (ii), E ρ [Λ m,r (µ)] is always less than c 0 = F (|0 0| , ρ) when m is odd, that is, for an arbitrary state ρ and an odd integer m, we have The generalization to the fidelity to a coherent state |β is justified in the following way. Let D β be the displacement operator satisfying and Replacingρ with ρ, we obtain Eq. (8).
Definition of security in the finite-size regime. We evaluate the secrecy of the final key as follows. When the final key length isN fin ≥ 1, we represent Alice's final key and an adversary's quantum system as a joint state and define the corresponding ideal state as Let σ 1 = Tr √ σ † σ be the trace norm of an operator σ. We say a protocol is sct -secret when holds regardless of the adversary's attack. It is known [37] that if the number of phase errors is bounded as shown in Eq. (16), the protocol with Eq. (9) is sct -secret with sct = √ 2 √ + 2 −s . For correctness, we say a protocol is cor -correct if the probability for Alice's and Bob's final key to differ is bounded by cor . Our protocol achieves cor = 2 −s via the verification in Step 4.
When the above two conditions are met, the protocol becomes sec -secure with sec = sct + cor in the sense of universal composability [43].
Derivation of the operator inequality. Here we construct B(κ, γ) which fulfills the operator inequality (28). Let us denote the supremum of the spectrum of a bounded self-adjoint operator O by σ sup (O). Although σ sup (M [κ, γ]) would give a tightest bound, it is hard to compute numerically since system B has an infinitedimensional Hilbert space. Instead, we derive a looser but simpler bound.
To make use of the symmetry in the problem, we aim at bounding another operator M [κ, γ + , γ − ] defined by We see that Let us introduce projection operators by where Π ev(od) is defined in the main text. Let us further introduce orthogonal states as One can check that holds by using (Π ev − Π od ) |β B = |−β B . We can then decompose M [κ, γ + , γ − ] into a direct sum of two operators as follows: where We define an orthonormal basis {|e through the following equations: M suc ev(od) |e The normalization factors in Eq. (52) are explicitly given by These quantities can be numerically computed by integration through Eq. (19). We further define the following projectors: Since Eq. (56) implies Π od . (60) The last term is bounded as since M suc od ≤ 1 B . Combining Eqs. (56), (60), and (61), we have od | + V od (|e (2) od e (1) In the same way, by replacing + ↔ − and od ↔ ev, we have Using Eqs. (62) and (63), we can bound the operator M err in Eq. (49) as (68) As for M cor , it has a simpler decomposition: where we used the basis {|e where we used γ ≥ 0. Since M r-4 cor and M r-2 err are fourdimensional and two-dimensional matrices, their largest eigenvalues can be numerically calculated.
Derivation of the finite size bound. Here we construct the function U (F ,N trash ) to satisfy Eq. (16) in the modified scenario. For that, we will first derive Eq. (29). In the modified scenario, we define the following random variables labeled by the number i of the round; (i)N suc,(i) ph is defined to be unity only when "signal" is chosen in the i-th round, the detection is a "success", and a pair of outcomes (a , b ) is (+, odd) or (−, even). Otherwise,N (ii)F (i) is defined to be Λ m,r (|ω − (−1) a β| 2 ) when "test" is chosen in the i-th round. We havê − is defined to be unity only when "trash" is chosen in the i-th round and a = −. Otherwise, Q (i) We will make use of Azuma's inequality [38]. We define stochastic processes {X (k) } k=0,...,N and {Ŷ (k) } k=1,...,N as follows:X whereX <k := (X (0) ,X (1) , . . . ,X (k−1) ). Note thatŶ (k) is a constant when conditioned onX <k . Such a sequence {Ŷ (k) } k=1,2,... is called a predictable process with regards to {X (k) }. SinceT (i) is bounded for any i and {X (k) } k=0,1,... is a martingale, we can apply Azuma's inequality.
Proposition (Generalized Azuma's inequality [44,45]): for constants c min and c max , and a predictable process {Ŷ (k) } k=1,2,... with regards to {X (k) }, i.e.,Ŷ (k) is constant when conditioned onX <k . Then, for all positive integers N and all positive reals δ, We define constants c min and c max as follows. In each round, at most one ofN suc,(i) ph ,F (i) , andQ With c min and c max defined as above, we further define Setting δ = δ 1 ( /2) in the proposition, we conclude that holds with a probability no smaller than 1 − /2. Next, we will construct a deterministic bound onŶ (i) . Let ρ (i) AB be the state of Alice's i-th qubit and Bob's i-th pulse conditioned onX <i . Then, using the same argument as that has lead to Eqs. (25)-(27), we have and thusŶ where M [κ, γ] is defined in Eq. (24). Using the operator inequality (28), we obtain a bound independent of i aŝ Combining this with Eq. (85) proves Eq. (29). The function δ 2 ( /2;N trash ) satisfying the bound (30) onQ − can be derived from the fact that Pr[Q − |N trash ] is a binomial distribution. The following inequality thus holds for any positive integer n and a real δ with 0 < δ < (1 − q − )n (Chernoff bound): where D(x y) := xlog x y is the Kullback-Leibler divergence. On the other hand, for any non-negative integer n, we always have Therefore, for any non-negative integer n, by defining δ 2 ( ; n) which satisfies which holds with a probability no smaller than 1 − (Union bound).
Model of the quantum channel and measurement for the calculation of key rates. In what follows, we normalize quadrature x such that a coherent state |ω has expectation x = Re(ω) and variance (∆x) 2 = 1/4. The wave function for ω = ω R + iω I is given by For the simulation of the key rate G, we assume that the communication channel and Bob's detection apparatus can be modeled by a pure loss channel followed by random displacement, that is, the states which Bob receives are given by The parameter ξ is the excess noise relative to the vacuum, namely, We assume that Bob sets β = √ ηµ for the fidelity test. The actual fidelity between Bob's objective state |(−1) a √ ηµ and the model state ρ For the acceptance probability of Bob's measurement in the signal rounds, we assume f suc (x) = Θ(|x| − x th ), a step function with the threshold x th > 0. In this case, the quantities defined in Eqs. (56) and (57) are given by where β = √ ηµ and the complementary error function erfc(x) is defined as For the derivation of Eq. (105), we used the fact that Π ev + Π od = 1 and (Π ev − Π od ) |β = |−β .
We assume that the number of "success" signal roundŝ N suc is equal to its expectation value, where P ± := We also assume that the number of test roundsN test is equal to p test N and the number of trash roundsN trash is equal to p trash N . The test outcomeF is assumed to be equal to its expectation value E[F ], which is given by Under these assumptions, the key rateĜ for each transmissivity η is optimized over two coefficients (κ, γ) and four protocol parameters (µ, x th , p sig , p test ) as discussed in the main part. The cost of bit error correction H EC is assumed to be 1.1 ×N suc h(e bit ), where the bit error rate e bit is given by e bit = P − P + + P − . (111)