Abstract
In comparison to conventional discretevariable (DV) quantum key distribution (QKD), continuousvariable (CV) QKD with homodyne/heterodyne measurements has distinct advantages of lowercost implementation and affinity to wavelength division multiplexing. On the other hand, its continuous nature makes it harder to accommodate to practical signal processing, which is always discretized, leading to lack of complete security proofs so far. Here we propose a tight and robust method of estimating fidelity of an optical pulse to a coherent state via heterodyne measurements. We then construct a binary phase modulated CVQKD protocol and prove its security in the finitekeysize regime against general coherent attacks, based on proof techniques of DV QKD. Such a complete security proof is indispensable for exploiting the benefits of CV QKD.
Introduction
Quantum key distribution (QKD) aims at generating a secret key shared between two remote legitimate parties with informationtheoretic security, which provides secure communication against an adversary with arbitrary computational power and hardware technology. Since the first proposal in 1984^{1}, various QKD protocols have been proposed with many kinds of encoding and decoding schemes. These protocols are typically classified into two categories depending on the detection methods. One of them is called discretevariable (DV) QKD, which uses photon detectors and includes earlier protocols such as BB84^{1} and B92^{2} protocols. The other is called continuousvariable (CV) QKD, which uses homodyne and heterodyne measurements with photo detectors^{3,4,5}. See refs. ^{6,7} for comprehensive reviews of the topic.
Although DV QKD is more mature and achieves a longer distance if photon detectors with low dark count rates are available, CV QKD has its own distinct advantages for a short distance. It can be implemented with components common to coherent optical communication technology and is expected to be costeffective. Excellent spectral filtering capability inherent in homodyne/heterodyne measurements suppresses crosstalk in wavelength division multiplexing (WDM) channels. This allows multiplexing of hundreds of QKD channels into a single optical fiber^{8} as well as copropagation with classical data channels^{9,10,11,12,13,14,15}, which makes integration into existing communication network easier.
One major obstacle in putting CV QKD to practical use is the gap between the employed continuous variables and mandatory digital signal processing. The CVQKD protocols are divided into two branches depending on whether the modulation method of the encoder is also continuous, or it is discrete. The continuous modulation protocols usually adopts Gaussian modulation, in which the sender chooses the complex amplitude of a coherentstate pulse according to a Gaussian distribution^{3,4,5,16,17} (see refs. ^{18,19} for a review). This allows powerful theoretical tools such as Gaussian optimality^{20,21}, and complete security proofs for a finitesize key and against general attacks have been given^{22}. To implement Gaussian protocols with a digital randomnumber generator and digital signal processing, it is necessary to approximate the continuous distribution with a constellation composed of a large but finite number of complex amplitudes^{23,24}. This is where difficulty arises, and the security analysis has been confined to the asymptotic regime and collective attacks. The other branch gives priority to simplicity of the modulation and uses a very small (usually two to four) number of amplitudes^{25,26,27,28}. As for the security analysis, the status is more or less similar to the Gaussian constellation case, and current security proofs are either in the asymptotic regime against collective attacks^{29,30,31,32} or in the finitesize regime but against more restrictive attacks^{33,34}. Hence, regardless of approaches, a complete security proof of CV QKD in the finitesize regime against general attacks has been a crucial step yet to be achieved.
Here we achieve the above step by proposing a binary phasemodulated CVQKD protocol with a complete security proof in the finitesize regime against general attacks. The key ingredient is an estimation method using heterodyne measurement developed in this paper, which is suited for analysis of confidence region in the finitesize regime. The outcome of heterodyne measurement, which is unbounded, is converted to a bounded value by a smooth function such that its expectation is proved to be no larger than the fidelity of the input pulse to a coherent state. This allows us to use a standard technique to derive a lower bound on the fidelity with a required confidence level in the finitesize regime. The fidelity as a measure of disturbance in the binary modulated protocol is essentially the same as what is monitored through bit errors in the B92 protocol^{2,35,36}. This allows us to construct a security proof based on a reduction to distillation of entangled qubit pairs^{37,38}, which is a technique frequently used for DVQKD protocols.
Results
Estimation of fidelity to a coherent state
We first introduce a test scheme to estimate the fidelity between an optical state ρ and the vacuum state \(\left0\right\rangle \,\left\langle 0\right\) through a heterodyne measurement. For a state ρ of a single optical mode, the heterodyne measurement produces an outcome \(\hat{\omega }\in {\mathbb{C}}\) with a probability density
where a coherent state \(\left\omega \right\rangle\) is defined as
We refer to the expectation associated with the distribution q_{ρ}(ω) simply as \({{\mathbb{E}}}_{\rho }\). To construct a lower bound for the fidelity \(\left\langle 0\right\rho \left0\right\rangle\) from \(\hat{\omega }\), we will use the associated Laguerre polynomials which are given by
where
are the Laguerre polynomials. Our test scheme is based on the following theorem.
Theorem 1: Let Λ_{m,r}(ν) (ν ≥ 0) be a bounded function given by
for an integer m ≥ 0 and a real number r > 0. Then, we have
where I_{n,m} are constants satisfying (−1)^{m}I_{n,m} > 0.
From Eq. (6), a lower bound on the fidelity between ρ and the vacuum state is given by
for any odd integer m. As seen in Fig. 1a, the absolute value and the slope of the function Λ_{m,r} are moderate for small values of m and r, which is advantageous in executing the test in a finite duration with a finite resolution. Compared to a similar method proposed in ref. ^{39}, our method excels in its tightness for weak input signals; we see from Eq. (6) that, regardless of the value of r, the inequality (7) saturates when ρ has at most m photons. This is crucial for the use in QKD in which tightness directly affects the efficiency of the key generation.
Extension to the fidelity to a coherent state \(\left\beta \right\rangle\) is straightforward as
The proofs are given in Methods.
Proposed protocol
Based on this fidelity test, we propose the following discretemodulation protocol (see Fig. 2). Prior to the protocol, Alice and Bob determine the number of rounds N, the acceptance probability of homodyne measurement \({f}_{{\rm{suc}}}( x )\,(x\in {\mathbb{R}})\) with f_{suc}(0) = 0, the parameters for the test function (m, r), and the protocol parameters (μ, p_{sig}, p_{test}, p_{trash}, β, s) with p_{sig} + p_{test} + p_{trash} = 1, where all the parameters are positive. Alice and Bob then run the protocol described in Box 1. Upon successful verification, the protocol generates a shared final key of length
where \(h(x):= x\,{\mathrm{log}\,}_{2}(x)(1x){\mathrm{log}\,}_{2}(1x)\) is the binary entropy function and the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) will be specified later.
The acceptance probability f_{suc}(∣x∣) should be chosen to postselect the rounds with larger values of ∣x∣, for which the bit error probability is expected to be lower. It is ideally a step function, but our security proof is applicable to any form of f_{suc}(∣x∣). The parameter β is typically chosen to be \(\sqrt{\eta \mu }\) with η being a nominal transmissivity of the quantum channel, while the security proof itself holds for any choice of β. The parameters s and \(s^{\prime}\) are related to the overall security parameter in the security proof below.
Security proof
We determine a sufficient amount of the privacy amplification according to Shor and Preskill^{37,40}, which has been widely used for the DVQKD protocols. We consider a coherent version of Steps 1 and 2, in which Alice and Bob share an entangled pair of qubits for each success signal round, such that their Zbasis measurement outcomes correspond to the sifted key bits a and b. For Alice, we introduce a qubit A and assume that she entangles it with an optical pulse \(\tilde{C}\) in a state
Then, Step 1 is equivalent to the preparation of \({\left\Psi \right\rangle }_{A\tilde{C}}\) followed by a measurement of the qubit A on Z basis \(\{\left0\right\rangle ,\left1\right\rangle \}\) to determine the bit value a. For Bob, we construct a process of probabilistically converting the received optical pulse C to a qubit B (See Fig. 3). Consider a completely positive (CP) map defined by
with
where \(\left\langle x\right\) maps a state vector to the value of its wave function at x (See also Eq. (111)). When the pulse C is in a state ρ_{C}, the corresponding process succeeds with a probability p_{suc} and then prepares the qubit B in a state ρ_{B}, where \({p}_{{\rm{suc}}}{\rho }_{B}={{\mathcal{F}}}_{C\to B}({\rho }_{C})\). If the qubit B is further measured on Z basis, probabilities of the outcome b = 0, 1 are given by
which shows the equivalence to the signal round in Step 2. This is illustrated in Fig. 3.
To clarify the above observation, we introduce an entanglementsharing protocol defined in Box 2. This protocol leaves \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits shared by Alice and Bob. If they measure these qubits on Z basis to define the sifted key bits, the whole procedure is equivalent to Steps 1 through 3 of the actual protocol (see Fig. 4). Alice’s measurements on X basis \(\{\left\pm \right\rangle := (\left0\right\rangle +\left1\right\rangle )/\sqrt{2}\}\) in the trash rounds are added for later security argument, and they do not affect the equivalence.
The ShorPreskill argument connects the amount of privacy amplification to the socalled phase error rate. Suppose that, after the entanglementsharing protocol, Alice and Bob measure their \({\hat{N}}^{{\rm{suc}}}\) pairs of qubits on X basis \(\{\left+\right\rangle ,\left\right\rangle \}\). A pair with outcomes (+, −) or (−, +) is defined to be a phase error. Let \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}\) be the number of phase errors among \({\hat{N}}^{{\rm{suc}}}\) pairs. If we can have a good upper bound e_{ph} on the phase error rate \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}/{\hat{N}}^{{\rm{suc}}}\), shortening by fraction h(e_{ph}) via privacy amplification in the actual protocol achieves the security in the asymptotic limit^{37}.
To cover the finitesize case as well, we need a more rigorous statement on the upper bound. For that purpose, we define an estimation protocol in Box 3 (see also Fig. 4). The task of proving the security of the actual protocol is then reduced to construction of a function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) which satisfies
for any attack in the estimation protocol. It is known that the condition (15) immediately implies that the actual protocol is \({\epsilon }_{\sec }\)secure with a small security parameter \({\epsilon }_{\sec }=\sqrt{2}\sqrt{\epsilon +{2}^{s}}+{2}^{s^{\prime} }\)^{40,41}. See Methods for the rationale and the detailed definition of security.
At this point, it is beneficial for the analysis of the phase error statistics to clarify what property of the optical pulse C is measured by Bob’s Xbasis measurement in the estimation protocol (see Fig. 3). Let Π_{ev(od)} be the projection to the subspace with even (resp. odd) photon numbers. (Π_{ev} + Π_{od} = 1_{C} holds by definition.) Furthermore, since Π_{ev} − Π_{odd} is the operator for an optical phase shift of π, we have \(({\Pi }_{{\rm{ev}}}{\Pi }_{{\rm{odd}}})\leftx\right\rangle =\leftx\right\rangle\). Eq. (12) is then rewritten as
Therefore, when the state of the pulse C is ρ_{C}, the probability of obtaining +(−) in the Xbasis measurement in the estimation protocol is given by
where
This shows that Bob’s Xbasis measurement distinguishes the parity of the photon number of the received pulse. In this sense, the secrecy of our protocol is assured by the complementarity between the sign of the quadrature and the parity of the photon number.
As an intermediate step toward our final goal of Eq. (15), let us first derive a bound on the expectation value \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]\) in terms of those collected in the test and the trash rounds, \({\mathbb{E}}[\hat{F}]\) and \({\mathbb{E}}[{\hat{Q}}_{}]\), in the estimation protocol. Let ρ_{AC} be the state of the qubit A and the received pulse C averaged over N pairs, and define relevant operators as
Then we immediately have
and
while application of the property of Eq. (8) leads to
Let us denote \({\rm{Tr}}\left({\rho }_{AC}M\right)\) simply by \(\left\langle M\right\rangle\) for any operator M. The set of points \(\big(\big\langle {M}_{{\rm{ph}}}^{{\rm{suc}}}\big\rangle ,\big\langle {\Pi }^{{\rm{fid}}}\big\rangle ,\big\langle {\Pi }_{}^{{\rm{trash}}}\big\rangle \big)\) for all the density operators ρ_{AC} form a convex region. Rather than directly deriving the boundary of the region, it is easier to pursue linear constraints in the form of
where \(B(\kappa ,\gamma ),\kappa ,\gamma \in {\mathbb{R}}\).
It is expected that a meaningful bound is obtained only for κ, γ ≥ 0. Decreasing fidelity \(\left\langle {\Pi }^{{\rm{fid}}}\right\rangle\) should allow more room for eavesdropping, leading to a larger value of phase error rate \(\left\langle {M}_{{\rm{ph}}}^{{\rm{suc}}}\right\rangle\). Hence Eq. (25) will give a good bound only when κ≥0. As for \(\left\langle {\Pi }_{}^{{\rm{trash}}}\right\rangle\), it only depends on the marginal state of Alice’s qubit A, which is independent of the adversary’s attack. We thus have \(\left\langle {\Pi }_{}^{{\rm{trash}}}\right\rangle ={q}_{}:= {\left\Vert {\left\langle \right}_{A}{\left\Psi \right\rangle }_{A\tilde{C}}\right\Vert }^{2}=(1{e}^{2\mu })/2\). Since Alice’s use of a stronger pulse should lead to larger leak of information, we should choose γ ≥ 0 for a good bound.
To find a function B(κ, γ) satisfying Eq. (25), let us define an operator
Then Eq. (25) is rewritten as \({\rm{Tr}}\left({\rho }_{AC}M[\kappa ,\gamma ]\right)\le B(\kappa ,\gamma )\). This condition holds for all ρ_{AC} iff M[κ, γ] satisfies an operator inequality
If the operator M[κ, γ] was represented by a matrix of a small size, the tightest bound would be found by computing the maximum eigenvalue of the matrix. But here M[κ, γ] has an infinite rank and it is difficult to compute the tightest bound. We thus compromise and heuristically find a computable bound B(κ, γ) which is not necessarily tight; we reduce the problem to finding the maximum eigenvalues of smallsize matrices by replacing M[κ, γ] with a constant upperbound except in a relevant finitedimensional subspace spanned by \(\left\pm \beta \right\rangle\) and \({M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\left\pm \beta \right\rangle\). For the detailed derivation of B(κ, γ), see Methods.
With B(κ, γ) computed, we can rewrite Eq. (25) using Eqs. (22)–(24) to obtain a relation between \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]\), \({\mathbb{E}}[\hat{F}]\), and \({\mathbb{E}}[{\hat{Q}}_{}]\). It is concisely written as
with
This relation leads to an explicit bound on the phase error rate as \({\mathbb{E}}[{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}]/{p}_{{\rm{sig}}}N\le B(\kappa ,\gamma )+\gamma {q}_{}\kappa \ {\mathbb{E}}[\hat{F}]/{p}_{{\rm{test}}}N\), which is enough for the computation of asymptotic key rates.
The security in the finitesize regime is proved as follows. The fact that the bound given in Eq. (28) is true for all the states ρ_{AC} allows us to use Azuma’s inequality^{42} to evaluate the fluctuations around the expectation value, leading to an inequality
which holds with a probability no smaller than 1 − ϵ/2 (see Methods for the explicit form of δ_{1}(ϵ/2), which is of \(O(\sqrt{N})\)). We remark that the reason for including the trash rounds in the actual protocol is to circumvent a technical issue which would arise in this step. Without measurement of \({\hat{Q}}_{}\) in the estimation protocol, we would obtain an inequality \({\mathbb{E}}[{p}_{{\rm{sig}}}^{1}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}+{p}_{{\rm{test}}}^{1}\kappa \hat{F}]\le NB(\kappa ,\gamma )+\gamma {q}_{}\). In contrast to Eq. (28), the new inequality is true only when ρ_{AC} satisfies \(\left\langle {\Pi }_{}^{{\rm{trash}}}\right\rangle ={q}_{}\), which is too stringent for the application of Azuma’s inequality.
Although Eq. (29) includes \({\hat{Q}}_{}\) which is inaccessible in the actual protocol, we can derive a bound by noticing that it is an outcome from Alice’s qubits and is independent of the adversary’s attack. In fact, given \({\hat{N}}^{{\rm{trash}}}\), it is the tally of \({\hat{N}}^{{\rm{trash}}}\) Bernoulli trials with a probability q_{−}. Hence, we can derive an inequality of the form
which holds with a probability no smaller than 1 − ϵ/2. Here \({\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})\) can be determined by a Chernoff bound (see Methods). Combining Eqs. (29), (30), and (31), we obtain \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) satisfying Eq. (15) to complete the finitesize security proof.
Numerical simulation
We simulated the net key gain per pulse \(\hat{G}\) as a function of attenuation in the optical channel (including the efficiency of Bob’s apparatus). We assume a channel model with a loss with transmissivity η and an excess noise at channel output; Bob receives Gaussian states obtained by randomly displacing coherent states \(\left\pm \sqrt{\eta \mu }\right\rangle\) to increase their variances by a factor of (1 + ξ)^{43,44}. We assume a step function with a threshold x_{th}( > 0) as the acceptance probability f_{suc}(∣x∣). The expected amplitude of coherent state β is chosen to be \(\sqrt{\eta \mu }\). We set \({\epsilon }_{\sec }={2}^{50}\) for the security parameter, and set \(\epsilon ={2}^{s}={\epsilon }_{\sec }^{2}/16\) and \({2}^{s^{\prime} }={\epsilon }_{\sec }/2\). We thus have two coefficients (κ, γ), four protocol parameters (μ, x_{th}, p_{sig}, p_{test}), and two parameters (m, r) of the test function to be determined. For each transmissivity η, we determined (κ, γ) via a convex optimization using the CVXPY 1.0.25^{45,46} and (μ, x_{th}, p_{sig}, p_{test}) via the NelderMead in the scipy.minimize library in Python, in order to maximize the key rate. Furthermore, we adopted m = 1 and r = 0.4120, which leads to \((\max {\Lambda }_{m,r},\min {\Lambda }_{m,r})=(2.824,0.9932)\). See Methods for the detail of the model of our numerical simulation and examples of optimized parameters. Typical optimized values of the threshold x_{th} range from 0.4 to 1.5 (we adopted a normalization for which the vacuum fluctuation is \(\sqrt{\langle {(\Delta x)}^{2}\rangle }=0.5\)). They are larger than those in other analyses of protocols with postselection (e.g., ref. ^{31}). A possible reason is the fact that the latter protocols use more than two states to monitor the eavesdropping act, which may lead to a lower cost of privacy amplification and higher tolerance against bit errors.
Figure 5 shows the key rates of our protocol in the asymptotic limit N → ∞ and finitesize cases with N = 10^{9}–10^{12} for ξ = 10^{−2.0}–10^{−3.0} and 0. (Note that from the results of the recent experiments^{8,44,47}, excess noise with ξ = 10^{−2.0}–10^{−3.0} at the channel output seems reasonable. Furthermore, the stateoftheart experiments^{8} work at 0.5 GHz repetition rate, which implies that total number of rounds N = 10^{9}–10^{12} can be achieved in a realistic duration.) For the noiseless model (ξ = 0), the asymptotic rate reaches 8 dB. In the case of ξ = 10^{−3.0}, it reaches 4 dB, which is comparable to the result of a similar binary modulation protocol proposed in ref. ^{29}. As for finitesize key rates, we see that the noiseless model shows a significant finitesize effect even for N = 10^{12}. On the other hand, with a presence of noises (ξ = 10^{−3.0}) the effect becomes milder, and N = 10^{11} is enough to achieve a rate close to the asymptotic case. This may be ascribed to the cost of the fidelity test. In order to make sure that the fidelity is no smaller than 1 − δ, the statistical uncertainty of the fidelity test must be reduced to O(δ). As a result, approaching the asymptotic rate of ξ = 0 will require many rounds for the fidelity test.
Discussion
Numerically simulated key rates above were computed on the implicit assumption that Bob’s observed quantities are processed with infinite precision. Even when these are approximated with a finite set of discrete points, we can still prove the security with minimal degradation of key rates. For the heterodyne measurement used for the test in the protocol, assume that a digitized outcome ω_{dig} ensures that the true value \(\hat{\omega }\) lies in a range Ω(ω_{dig}). Then, we need only to replace \({\Lambda }_{m,r}( \hat{\omega }\pm \beta { }^{2})\) with its worstcase value, \(\min \{{\Lambda }_{m,r}( \hat{\omega }\pm \beta { }^{2}):\hat{\omega }\in \Omega ({\omega }_{{\rm{dig}}})\}\). As seen in Fig. 1a, the slope of function Λ_{m,r}(ν) is moderate and goes to zero for ν → ∞. This means that the worstcase value can be made close to the true value, leading to small influence on the key rate. For the homodyne measurement used for the signal, finite precision can be treated through appropriate modification of the acceptance probability f_{suc}(x). Aside from a very small change in the success rate and the bit error rate, this function affects the key rate only through integrals in Eqs. (116), (118), and (120) in Methods, and hence influence on the key rate is expected to be small. We thus believe that the fundamental obstacles associated with the analog nature of the CV protocol have been settled by our approach.
In comparison with recent asymptotic analyses^{31,32} of discretemodulation CV QKD, our protocol achieves lower key rates and much shorter distance. Since ours is the first attempt of applying the proof technique of DV QKD to CV QKD, there is much room for possible improvement. We sacrificed the optimality for simplicity in deriving the operator inequality. The definition of the phase error is not unique and there may be a better choice. The trash rounds were introduced for technical reasons, but we are not sure whether they are really necessary. Nonetheless, we believe that the dominant reason for the difference lies in the fact that our protocol uses only two states. In contrast, the protocols considered in refs. ^{31,32} use four or more states in signal or test modes. The genuine binary protocol was analyzed in ref. ^{29}, and the key rate derived there is comparable to ours.
In order to improve the presented finitesize key rate, a promising route will thus be increasing the number of states from two. Our fidelity test can be straightforwardly generalized to monitoring of such a larger constellation of signals, and we will be able to confine the adversary’s attacks more tightly than in the present binary protocol. As for the proof techniques to determine the amount of privacy amplification, there are two possible directions. One is to generalize the present DVQKDinspired approach of estimating the number of phase errors in qubits to the case of qudits. The other direction is to seek a way to combine the existing analyses^{31,32,48} of discretemodulation CVQKD protocols, which have been reported to yield high key rates in the asymptotic regime, to our fidelity test. Although either of the approaches is nontrivial, we believe that the present results will open up new direction toward exploiting the expected high potential of CV QKD with an improved security level.
In summary, we proved the security of a binarymodulated CVQKD protocol in the finitesize regime while completely circumventing the problems arising from the analog nature of CV QKD. We believe that it is a significant milestone toward realworld implementation of CV QKD, which has its own advantages.
Methods
Proof of Theorem 1 and Eq. (8)
In this section, we prove Theorem 1 stated in the main text and derive Eq. (8) as a corollary of Theorem 1.
Proof: From Eq. (1), the expectation value of \({\Lambda }_{m,r}( \hat{\omega }{ }^{2})\) when given a measured state ρ is given by
where
for integers n, m ≥ 0.
The following three properties hold for I_{n,m}:

(i)
I_{n,m} = 0 for m ≥ n ≥ 1.
This results from orthogonality relations of the associated Laguerre polynomials, that is,
Since the polynomial ν^{n−1} can be written as a linear combination of lower order polynomials \({\{{L}_{l}^{(1)}(\nu )\}}_{0\le l\le n1}\), I_{n,m} vanishes whenever m ≥ n ≥ 1.

(ii)
(−1)^{m}I_{n,m} > 0 for n > m ≥ 0.
This property is shown as follows. First, the associated Laguerre polynomials satisfy the following recurrence relation for m ≥ 1^{49}:
Substituting this to Eq. (33) and using integration by parts, we have
for n ≥ 1 and m ≥ 1. The property (ii) is then proved by induction over m. For m = 0, it is true since I_{n,0} = 1 > 0. When (−1)^{m−1}I_{n,m−1} > 0 for n > m − 1, we can prove (−1)^{m}I_{n,m} > 0 for n > m by using Eq. (36) recursively with I_{m,m} = 0 from property (i).

(iii)
I_{0,m} = 1 for m ≥ 0.
This also follows from property (i) and Eq. (36) for n = 1 and m ≥ 1, which leads to I_{0,m} = I_{0,0} = 1.
Combining properties (i), (ii), and (iii) shows Eq. (6).
Eq. (8) in the main text is derived as the following corollary.
Corollary 1: Let \(\left\beta \right\rangle\;\)\((\beta \in {\mathbb{C}})\) be the coherent state with amplitude β. Then, for any \(\beta \in {\mathbb{C}}\) and for any odd positive integer m, we have
Proof: From Eq. (6) of Theorem 1, for any odd positive integer m, we have
Let D_{β} be a displacement operator satisfying
and \({D}_{\beta }^{\dagger }={D}_{\beta }\). With \(\tilde{\rho }:= {D}_{\beta }\rho {D}_{\beta }^{\dagger }\), we have \({q}_{\tilde{\rho }}(\omega )={q}_{\rho }(\omega \beta )\) for probability density function of heterodyne measurement outcome, which implies that
Replacing \(\tilde{\rho }\) with ρ, we obtain Eq. (37).
Detail of the security proof
In this section, we prove the security of the proposed protocol in the main text. This section consists of several subsections. In the first subsection, we give a definition of security, which is standard in the literature. The security condition is divided into two conditions, secrecy and correctness. Since the correctness is trivially satisfied, it is the secrecy that is the focus of the security proof. The second subsection explains how the secrecy condition is reduced to Eq. (15) of the estimation protocol, which bounds the number of phase errors. The third subsection lays the groundwork for the full security proof by deriving the inequality (27) involving three operators relevant for the quantities observed in the signal, the test, and the trash round in the estimation protocol. After proving a general lemma (Lemma 1), an explicit form of the upper bound B(κ, γ) satisfying Eq. (27) is given as a corollary (Corollary 2) of the lemma. Finally, the fourth subsection uses Azuma’s inequality and Corollaries 1 and 2 to derive an explicit form of \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) that fulfills Eq. (15), which completes the security proof of the actual protocol.
1. Definition of security in the finitesize regime. We evaluate the secrecy of the final key as follows. When the final key length is N^{fin} ≥ 1, we represent Alice’s final key and an adversary’s quantum system as a joint state
and define the corresponding ideal state as
Let \({\left\Vert \sigma \right\Vert }_{1}={\rm{Tr}}\sqrt{{\sigma }^{\dagger }\sigma }\) be the trace norm of an operator σ. We say a protocol is ϵ_{sct}secret when
holds regardless of the adversary’s attack. The main goal of the security proof is to derive the amount of privacy amplification, or equivalently to find the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) in Eq. (9), such that Eq. (43) should hold for given ϵ_{sct} > 0.
For correctness, we say a protocol is ϵ_{cor}correct if the probability for Alice’s and Bob’s final key to differ is bounded by ϵ_{cor}. Our protocol achieves \({\epsilon }_{{\rm{cor}}}={2}^{s^{\prime} }\) via the verification in Step 4.
When the above two conditions are met, the protocol becomes \({\epsilon }_{\sec }\)secure with \({\epsilon }_{\sec }={\epsilon }_{{\rm{sct}}}+{\epsilon }_{{\rm{cor}}}\) in the sense of universal composability^{50}.
2. Reduction to the estimation protocol. Here we show that Eq. (15) in the estimation protocol implies ϵ_{sct}secrecy of the actual protocol with \({\epsilon }_{{\rm{sct}}}=\sqrt{2}\sqrt{\epsilon +{2}^{s}}\). We have already seen that the entanglementsharing protocol immediately followed by Zbasis measurements of the qubits is equivalent to Steps 1 through 3 of the actual protocol. Here we consider a slightly modified scenario in which, after the entanglementsharing protocol, a controlledNOT operation V is applied on each pair of qubits, where \(V:= \left0\right\rangle \,{\left\langle 0\right}_{A}\otimes {{\bf{1}}}_{B}+\left1\right\rangle \,{\left\langle 1\right}_{A}\otimes {X}_{B}\) with \({X}_{B}:= \left1\right\rangle \,{\left\langle 0\right}_{B}+\left0\right\rangle \,{\left\langle 1\right}_{B}\). Alice then measures her qubits on the Z basis to define her sifted key bits and proceeds with Step 5 of the actual protocol. Since V does not affect the Zbasis value of the Alice’s qubit, her procedure of determining the \({\hat{N}}^{{\rm{fin}}}\)bit final key in this scenario is equivalent to that in the actual protocol. Although V prevents Bob from obtaining an equivalent final key, he can still simulate the reconciliation and the verification process in Step 4 since the Zbasis value of each of his \({\hat{N}}^{{\rm{suc}}}\) qubits corresponds to absence/presence of a bit error between Alice’s and Bob’s sifted key bits. Hence Bob can equivalently carry out all the announcements in Steps 4 and 5 of the actual protocol. As a result, this scenario leads to exactly the same distribution Pr(N^{fin}) and the same states \({\rho }_{{\rm{AE}} {N}^{{\rm{fin}}}}^{{\rm{fin}}}\) as those of the actual protocol.
The secrecy of Alice’s final key can be determined from the Xbasis property of her \({\hat{N}}^{{\rm{suc}}}\) qubits after the application of V. Since V can be rewritten as \(V={{\bf{1}}}_{A}\otimes \left+\right\rangle \,{\left\langle +\right}_{B}+{Z}_{A}\otimes \left\right\rangle \,{\left\langle \right}_{B}\) with \({Z}_{A}:= \left\right\rangle \,{\left\langle +\right}_{A}+\left+\right\rangle \,{\left\langle \right}_{A}\), the Xbasis value of each of Alice’s qubits corresponds to absence/presence of a phase error. Suppose that these \({\hat{N}}^{{\rm{suc}}}\) qubits are measured on the Xbasis to produce an outcome \(\hat{{\boldsymbol{x}}}\in {\{+,\}}^{{\hat{N}}^{{\rm{suc}}}}\). Let \({\rm{wt}}(\hat{{\boldsymbol{x}}})\) be the number of symbol ‘−’ in \(\hat{{\boldsymbol{x}}}\). If Eq. (15) holds in the estimation protocol, the statistics of \(\hat{{\boldsymbol{x}}}\) should satisfy
which implies that the number of probable patterns \(\hat{{\boldsymbol{x}}}\) is limited. To be more precise, let us introduce a set Ω(n, w) ≔ {x ∈ {+, −}^{n}∣ wt(x) ≤ w}, whose size is bounded as ∣Ω(n, w)∣ ≤ 2^{nh(w/n)}. The condition (44) then implies
with \({\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}}):= \Omega \left({\hat{N}}^{{\rm{suc}}},U(\hat{F},{\hat{N}}^{{\rm{trash}}})\right)\), which satisfies
from Eq. (9). It is known^{40,41,51} that the above conditions imply Eq. (43) with \({\epsilon }_{{\rm{sct}}}=\sqrt{2}\sqrt{\epsilon +{2}^{s}}\). Therefore, it suffices to show that Eq. (15) holds in the estimation protocol for proving the actual protocol to be \({\epsilon }_{\sec }\)secure with \({\epsilon }_{\sec }=\sqrt{2}\sqrt{\epsilon +{2}^{s}}+{2}^{s^{\prime} }\).
We remark that the encryption of \(M:= {H}_{{\rm{EC}}}+s^{\prime}\) bits in Step 4 can be omitted as long as each bit linearly depends on Alice’s sifted key over GF(2). In such a case, the above scenario must include measurements on Alice’s qubits to simulate the announcement of the M bits in Step 4. The backaction on X basis caused by the measurement for each bit amounts to doubling the number of probable patterns \(\hat{{\boldsymbol{x}}}\). We can thus redefine the set \({\mathcal{T}}({\hat{N}}^{{\rm{suc}}},\hat{F},{\hat{N}}^{{\rm{trash}}})\) by enlarging its size by factor of 2^{M} such that Eq. (45) holds. Then, by decreasing \({\hat{N}}^{{\rm{fin}}}\) by M, Eq. (46) also holds. This means that we achieve the same net key rate with the same level of security.
3. Derivation of the operator inequality. The aim of this subsection is to construct B(κ, γ) which fulfills the operator inequality (27). Let \({\sigma }_{\sup }(O)\) denote the supremum of the spectrum of a bounded selfadjoint operator O. Although \(B(\kappa ,\gamma )={\sigma }_{\sup }(M[\kappa ,\gamma ])\) would give the tightest bound satisfying Eq. (27), it is hard to compute it numerically since system C has an infinitedimensional Hilbert space. Instead, we derive a looser but simpler bound. We first prove the following lemma.
Lemma 1: Let Π_{±} be orthogonal projections satisfying Π_{+}Π_{−} = 0. Suppose that the rank of Π_{±} is no smaller than 2 or infinite. Let M_{±} be selfadjoint operators satisfying Π_{±}M_{±}Π_{±} = M_{±} ≤ α_{±}Π_{±}, where α_{±} are real constants. Let \(\left\psi \right\rangle\) be an unnormalized vector satisfying \(({\Pi }_{+}+{\Pi }_{})\left\psi \right\rangle =\left\psi \right\rangle\) and \({\Pi }_{\pm }\left\psi \right\rangle\,\ne\,0\). Define following quantities with respect to \(\left\psi \right\rangle\):
Then, for any real numbers γ_{+} and γ_{−}, we have
where four dimensional matrix M_{4d} is defined as
Proof: We choose orthonormal vectors \(\left\{\left{e}_{\pm }^{(1)}\right\rangle ,\left{e}_{\pm }^{(2)}\right\rangle \right\}\) in the domain of Π_{±}, respectively, to satisfy
which is welldefined due to Eqs. (47)–(49) and Π_{±}M_{±}Π_{±} = M_{±}. From \(({\Pi }_{+}+{\Pi }_{})\left\psi \right\rangle =\left\psi \right\rangle\), we have
Let us define the following projection operators:
Since Eq. (53) implies \({\Pi }_{\pm }^{(\ge 3)}{M}_{\pm }{\Pi }_{\pm }^{(1)}=0\), we have
The second term in the righthand side of Eq. (58) is bounded as
since M_{±} ≤ α_{±}Π_{±}. Combining Eqs. (48), (58), and (59), we have
Combining Eqs. (54) and (60), we have
where M_{4d} is given in Eq. (51) with the basis \(\{\big{e}_{+}^{(2)}\big\rangle ,\big{e}_{+}^{(1)}\big\rangle ,\big{e}_{}^{(1)}\big\rangle ,\big{e}_{}^{(2)}\big\rangle \}\). Since \({\alpha }_{\pm }{\gamma }_{\pm }=\big\langle {e}_{\pm }^{(2)}\big{M}_{{\rm{4d}}}\big{e}_{\pm }^{(2)}\big\rangle \le {\sigma }_{\sup }\left({M}_{{\rm{4d}}}\right)\), supremum of the spectrum of the righthand side of Eq. (61) is equal to the maximum eigenvalue of the fourdimensional matrix M_{4d}. We thus obtain Eq. (50).
As a corollary, we derive Eq. (27) as follows.
Corollary 2: Let \(\left\beta \right\rangle\) be a coherent state. Let Π_{ev(od)}, \({M}_{{\rm{ev}}({\rm{od}})}^{{\rm{suc}}}\), and M[κ, γ] be as defined in the main text, and define following quantities:
Let \({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\) and \({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\) be defined as follows:
Define a convex function
Then, for κ, γ ≥ 0, we have
Proof: Let us first observe that the operator Π^{fid} defined in Eq. (20) can be rewritten as follows:
where orthogonal states \({\left{\phi }_{{\rm{err}}}\right\rangle }_{AC}\) and \({\left{\phi }_{{\rm{cor}}}\right\rangle }_{AC}\) are defined as
Next, using Eqs. (70), (19), and (21), we rearrange the operator M[κ, γ] defined in Eq. (26) as follows:
where
We can apply Lemma 1 to M^{err}[κ, γ] by the following substitutions
Here, M_{±} ≤ Π_{±} (i.e., α_{±} = 1) holds because \({M}_{{\rm{od(ev)}}}^{{\rm{suc}}}\) are POVM elements. The other prerequisites of Lemma 1 are easy to be confirmed. Thus, we obtain
In the same way, we can apply Lemma 1 to M^{cor}[κ, γ] via
Since M_{±} = 0 implies D_{±} = V_{±} = 0 in Lemma 1, this time we can reduce the dimension of relevant matrix Eq. (51) by separating known eigenvalues 0 and −γ. Therefore, we have
where the last inequality holds since γ ≥ 0 and κC_{ev} ≥ 0. We then obtain Eq. (69) from Eqs. (73), (81), and (87). Since \({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\) and \({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\) are symmetric and their elements linearly depend on κ and γ, \({\sigma }_{\sup }\left({M}_{{\rm{4d}}}^{{\rm{err}}}[\kappa ,\gamma ]\right)\) and \({\sigma }_{\sup }\left({M}_{{\rm{2d}}}^{{\rm{cor}}}[\kappa ,\gamma ]\right)\) are convex functions over κ and γ, and so is B(κ, γ).
4. Derivation of the finitesize bound. Here we construct the function \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) to satisfy Eq. (15) in the estimation protocol. For that, we will first derive Eq. (30). In the estimation protocol, we define the following random variables labeled by the number i of the round;

(i)
\({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\) is defined to be unity only when “signal” is chosen in the ith round, the detection is a “success”, and a pair of outcomes \((a^{\prime} ,b^{\prime} )\) is (+, −) or (−, +). Otherwise, \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}=0\). We have
$${\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}=\left\{\begin{array}{ll}1&\left({\rm{signal}},\,{\rm{success,}}\,(+,)\ {\rm{or}}\ (,+)\right)\\ 0&({\rm{otherwise}}),\hfill\end{array}\right.$$(88)and \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}}}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\).

(ii)
\({\hat{F}}^{(i)}\) is defined to be \({\Lambda }_{m,r}( \hat{\omega }{(1)}^{a}\beta { }^{2})\) when “test” is chosen in the ith round. We have
$${\hat{F}}^{(i)}=\left\{\begin{array}{ll}{\Lambda }_{m,r}( \hat{\omega }{(1)}^{a}\beta { }^{2})&({\rm{test}})\hfill\\ 0\hfill&({\rm{otherwise}}),\end{array}\right.$$(89)and \(\hat{F}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{F}}^{(i)}\).

(iii)
\({\hat{Q}}_{}^{(i)}\) is defined to be unity only when “trash” is chosen in the ith round and \(a^{\prime} =\). Otherwise, \({\hat{Q}}_{}^{(i)}=0\). We have
$${\hat{Q}}_{}^{(i)}=\left\{\begin{array}{ll}1&({\rm{trash}},\,)\\ 0&({\rm{otherwise}}),\end{array}\right.$$(90)and \({\hat{Q}}_{}=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{Q}}_{}^{(i)}\).

(iv)
We also define
$${\hat{T}}^{(i)}:= {p}_{{\rm{sig}}}^{1}{\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}+{p}_{{\rm{test}}}^{1}\kappa {\hat{F}}^{(i)}{p}_{{\rm{trash}}}^{1}\gamma {\hat{Q}}_{}^{(i)},$$(91)which leads to \(\hat{T}[\kappa ,\gamma ]=\mathop{\sum }\nolimits_{i = 1}^{N}{\hat{T}}^{(i)}\).
We will make use of Azuma’s inequality^{42}. We define stochastic processes \({\{{\hat{X}}^{(k)}\}}_{k = 0,\ldots ,N}\) and \({\{{\hat{Y}}^{(k)}\}}_{k = 1,\ldots ,N}\) as follows:
where \({\hat{X}}^{\,{<}\,k}:= ({\hat{X}}^{(0)},{\hat{X}}^{(1)},\ldots ,{\hat{X}}^{(k1)})\). Note that \({\hat{Y}}^{(k)}\) is a constant when conditioned on \({\hat{X}}^{\,{<}\,k}\). Such a sequence \({\{{\hat{Y}}^{(k)}\}}_{k = 1,2,\ldots }\) is called a predictable process with regards to \(\{{\hat{X}}^{(k)}\}\). Since \({\hat{T}}^{(i)}\) is bounded for any i and \({\{{\hat{X}}^{(k)}\}}_{k = 0,1,\ldots }\) is a martingale, we can apply Azuma’s inequality.
Proposition 1 (Azuma’s inequality^{52,53}): Suppose \({\{{\hat{X}}^{(k)}\}}_{k = 0,1,\ldots }\) is a martingale which satisfies
for constants \({c}_{\min }\) and \({c}_{\max }\), and a predictable process \({\{{\hat{Y}}^{(k)}\}}_{k = 1,2,\ldots }\) with regards to \(\{{\hat{X}}^{(k)}\}\), i.e., \({\hat{Y}}^{(k)}\) is constant when conditioned on \({\hat{X}}^{\,{<}\,k}\). Then, for all positive integers N and all positive reals δ,
We define constants \({c}_{\min }\) and \({c}_{\max }\) as follows. In each round, at most one of \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\), \({\hat{F}}^{(i)}\), and \({\hat{Q}}_{}^{(i)}\) takes nonzero value; \({\hat{N}}_{{\rm{ph}}}^{{\rm{suc}},(i)}\) and \({\hat{Q}}_{}^{(i)}\) are either zero or unity, and \(\min {\Lambda }_{m,r}\le {\hat{F}}^{(i)}\le \max {\Lambda }_{m,r}\). Since κ, γ ≥ 0, Eq. (95) holds when \({c}_{\min }\) and \({c}_{\max }\) are defined as
With \({c}_{\min }\) and \({c}_{\max }\) defined as above, we further define
Setting δ = δ_{1}(ϵ/2) in the proposition, we conclude that
holds with a probability no smaller than 1 − ϵ/2.
Next, we will construct a deterministic bound on \({\hat{Y}}^{(i)}\). Let \({\rho }_{AC}^{(i)}\) be the state of Alice’s ith qubit and Bob’s ith pulse conditioned on \({\hat{X}}^{\,{<}\,i}\). Then, using the same argument as that has lead to Eqs. (22)–(24), we have
and thus
where M[κ, γ] is defined in Eq. (26). Using the operator inequality (27), we obtain a bound independent of i as
Combining this with Eq. (100) proves Eq. (30).
The function \({\delta }_{2}(\epsilon /2;{\hat{N}}^{{\rm{trash}}})\) satisfying the bound (31) on \({\hat{Q}}_{}\) can be derived from the fact that \(\Pr [{\hat{Q}}_{} {\hat{N}}^{{\rm{trash}}}]\) is a binomial distribution. The following inequality thus holds for any positive integer n and a real δ with 0 < δ < (1 − q_{−})n (Chernoff bound):
where
is the KullbackLeibler divergence. On the other hand, for any nonnegative integer n, we always have
Therefore, for any nonnegative integer n, by defining δ_{2}(ϵ; n) which satisfies
and by combining Eq. (106) and (108), we conclude that Eq. (31) holds with a probability no smaller than 1 − ϵ/2.
Combining Eq. (30) and Eq. (31), we obtain Eq. (15) by setting
which holds with a probability no smaller than 1 − ϵ (Union bound). Note that since B(κ, γ) is a convex function, so is \(U(\hat{F},{\hat{N}}^{{\rm{trash}}})\) with respect to auxiliary parameters κ and γ.
Models for numerical simulation of key rates
In what follows, we normalize quadrature x such that a coherent state \(\left\omega \right\rangle\) has expectation \(\left\langle x\right\rangle ={\rm{Re}}(\omega )\) and variance \(\left\langle {(\Delta x)}^{2}\right\rangle =1/4\). The wave function for ω = ω_{R} + iω_{I} is given by
For the simulation of the key rate \(\hat{G}\), we assume that the communication channel and Bob’s detection apparatus can be modeled by a pure loss channel followed by random displacement, that is, the states which Bob receives are given by
where η is the transmissivity of the pure loss channel and p_{ξ}(γ) is given by
The parameter ξ is the excess noise relative to the vacuum, namely,
We assume that Bob sets \(\beta =\sqrt{\eta \mu }\) for the fidelity test. The actual fidelity between Bob’s objective state \(\left{(1)}^{a}\sqrt{\eta \mu }\right\rangle\) and the model state \({\rho }_{{\rm{model}}}^{(a)}\) is given by
For the acceptance probability of Bob’s measurement in the signal rounds, we assume f_{suc}(x) = Θ(∣x∣ − x_{th}), a step function with the threshold x_{th} > 0. In this case, the quantities defined in Eqs. (64) and (65) are given by
where \(\beta =\sqrt{\eta \mu }\) and the complementary error function \({\rm{erfc}}(x)\) is defined as
For the derivation of Eq. (120), we used the fact that Π_{ev} + Π_{od} = 1 and \(({\Pi }_{{\rm{ev}}}{\Pi }_{{\rm{od}}})\left\beta \right\rangle =\left\beta \right\rangle\).
We assume that the number of “success” signal rounds \({\hat{N}}^{{\rm{suc}}}\) is equal to its expectation value,
where
We also assume that the number of test rounds \({\hat{N}}^{{\rm{test}}}\) is equal to p_{test}N and the number of trash rounds \({\hat{N}}^{{\rm{trash}}}\) is equal to p_{trash}N. The test outcome \(\hat{F}\) is assumed to be equal to its expectation value \({\mathbb{E}}[\hat{F}]\), which is given by
Under these assumptions, the key rate \(\hat{G}\) for each transmissivity η is optimized over two coefficients (κ, γ) and four protocol parameters (μ, x_{th}, p_{sig}, p_{test}) as discussed in the main part. Examples of optimized parameters are shown in Table 1. The cost of bit error correction H_{EC} is assumed to be \(1.1\times {\hat{N}}^{{\rm{suc}}}h({e}_{{\rm{bit}}})\), where the bit error rate e_{bit} is given by
Data availability
Data sharing not applicable to the article as no datasets were generated or analyzed during the current study.
Code availability
Computer codes to calculate the key rates are available from the corresponding author upon reasonable request.
References
Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, 175 (India, 1984).
Bennett, C. H. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 3121 (1992).
Ralph, T. C. Continuous variable quantum cryptography. Phys. Rev. A 61, 010303 (1999).
Hillery, M. Quantum cryptography with squeezed states. Phys. Rev. A 61, 022309 (2000).
Grosshans, F. & Grangier, P. Continuous variable quantum cryptography using coherent states. Phys. Rev. Lett. 88, 057902 (2002).
Xu, F., Ma, X., Zhang, Q., Lo, H.K. & Pan, J.W. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92, 025002 (2020).
Pirandola, S. et al. Advances in quantum cryptography. Preprint at https://arxiv.org/abs/1906.01645 (2019).
Eriksson, T. A. et al. Wavelength division multiplexing of 194 continuous variable quantum key distribution channels. J. Lightwave Technol. 38, 2214–2218 (2020).
Huang, D. et al. Continuousvariable quantum key distribution with 1 Mbps secure key rate. Opt. Express 23, 17511–17519 (2015).
Kumar, R., Qin, H. & Alléaume, R. Coexistence of continuous variable QKD with intense DWDM classical channels. N. J. Phys. 17, 043027 (2015).
Huang, D. et al. Field demonstration of a continuousvariable quantum key distribution network. Opt. Lett. 41, 3511–3514 (2016).
Karinou, F. et al. Experimental evaluation of the impairments on a QKD system in a 20channel WDM coexistence scheme. In 2017 IEEE Photonics Society Summer Topical Meeting Series (SUM), 145–146 (IEEE, 2017).
Karinou, F. et al. Toward the integration of CV quantum key distribution in deployed optical networks. IEEE Photonics Technol. Lett. 30, 650–653 (2018).
Eriksson, T. A. et al. Coexistence of continuous variable quantum key distribution and 7 × 12.5 Gbit/s classical channels. In 2018 IEEE Photonics Society Summer Topical Meeting Series (SUM), 71–72 (IEEE, 2018).
Eriksson, T. A. et al. Wavelength division multiplexing of continuous variable quantum key distribution and 18.3 Tbit/s data channels. Commun. Phys. 2, 1–8 (2019).
Grosshans, F. et al. Quantum key distribution using gaussianmodulated coherent states. Nature 421, 238–241 (2003).
Weedbrook, C. et al. Quantum cryptography without switching. Phys. Rev. Lett. 93, 170504 (2004).
Diamanti, E. & Leverrier, A. Distributing secret keys with quantum continuous variables: principle, security and implementations. Entropy 17, 6072–6092 (2015).
Laudenbach, F. et al. Continuousvariable quantum key distribution with gaussian modulation – the theory of practical implementations. Adv. Quantum Technol. 1, 1800011 (2018).
Navascués, M., Grosshans, F. & Acin, A. Optimality of gaussian attacks in continuousvariable quantum cryptography. Phys. Rev. Lett. 97, 190502 (2006).
GarcíaPatrón, R. & Cerf, N. J. Unconditional optimality of gaussian attacks against continuousvariable quantum key distribution. Phys. Rev. Lett. 97, 190503 (2006).
Leverrier, A. Security of continuousvariable quantum key distribution via a gaussian de Finetti reduction. Phys. Rev. Lett. 118, 200501 (2017).
Jouguet, P., KunzJacques, S., Diamanti, E. & Leverrier, A. Analysis of imperfections in practical continuousvariable quantum key distribution. Phys. Rev. A 86, 032309 (2012).
Kaur, E., Guha, S. & Wilde, M. M. Asymptotic security of discretemodulation protocols for continuousvariable quantum key distribution. Preprint at https://arxiv.org/abs/1901.10099 (2019).
Silberhorn, C., Ralph, T. C., Lütkenhaus, N. & Leuchs, G. Continuous variable quantum cryptography: Beating the 3 dB loss limit. Phys. Rev. Lett. 89, 167901 (2002).
Hirano, T., Yamanaka, H., Ashikaga, M., Konishi, T. & Namiki, R. Quantum cryptography using pulsed homodyne detection. Phys. Rev. A 68, 042331 (2003).
Leverrier, A. & Grangier, P. Unconditional security proof of longdistance continuousvariable quantum key distribution with discrete modulation. Phys. Rev. Lett. 102, 180504 (2009).
Leverrier, A. & Grangier, P. Erratum: Unconditional security proof of longdistance continuousvariable quantum key distribution with discrete modulation. Phys. Rev. Lett. 106, 259902 (2011).
Zhao, Y.B., Heid, M., Rigas, J. & Lütkenhaus, N. Asymptotic security of binary modulated continuousvariable quantum key distribution under collective attacks. Phys. Rev. A 79, 012307 (2009).
Brádler, K. & Weedbrook, C. Security proof of continuousvariable quantum key distribution using three coherent states. Phys. Rev. A 97, 022310 (2018).
Lin, J., Upadhyaya, T. & Lütkenhaus, N. Asymptotic security analysis of discretemodulated continuousvariable quantum key distribution. Phys. Rev. X 9, 041064 (2019).
Ghorai, S., Grangier, P., Diamanti, E. & Leverrier, A. Asymptotic security of continuousvariable quantum key distribution with a discrete modulation. Phys. Rev. X 9, 021059 (2019).
Papanastasiou, P. & Pirandola, S. Continuousvariable quantum cryptography with discrete alphabets: Composable security under collective gaussian attacks. Preprint at https://arxiv.org/abs/1912.11418 (2019).
Samsonov, E. et al. Subcarrier wave continuous variable quantum key distribution with discrete modulation: mathematical model and finitekey analysis. Sci. Rep. 10, 1–9 (2020).
Tamaki, K., Koashi, M. & Imoto, N. Unconditionally secure key distribution based on two nonorthogonal states. Phys. Rev. Lett. 90, 167904 (2003).
Koashi, M. Unconditional security of coherentstate quantum key distribution with a strong phasereference pulse. Phys. Rev. Lett. 93, 120501 (2004).
Shor, P. W. & Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441 (2000).
Lo, H. K. & Chau, H. F. Unconditional security of quantum key distribution over arbitrarily long distances. Science 283, 2050–2056 (1999).
Chabaud, U., Douce, T., Grosshans, F., Kashefi, E. & Markham, D. Building trust for continuous variable quantum states. Preprint at https://arxiv.org/abs/1905.12700 (2019).
Hayashi, M. & Tsurumaru, T. Concise and tight security analysis of the BennettBrassard 1984 protocol with finite key lengths. N. J. Phys. 14, 093014 (2012).
Koashi, M. Simple security proof of quantum key distribution based on complementarity. N. J. Phys. 11, 045018 (2009).
Azuma, K. Weighted sums of certain dependent random variables. Tohoku Math. J. 19, 357–367 (1967).
Namiki, R. & Hirano, T. Practical limitation for continuousvariable quantum cryptography using coherent states. Phys. Rev. Lett. 92, 117901 (2004).
Hirano, T. et al. Implementation of continuousvariable quantum key distribution with discrete modulation. Quantum Sci. Technol. 2, 024010 (2017).
Diamond, S. & Boyd, S. CVXPY: A Pythonembedded modeling language for convex optimization. J. Mach. Learn. Res. 17, 1–5 (2016).
Agrawal, A., Verschueren, R., Diamond, S. & Boyd, S. A rewriting system for convex optimization problems. J. Control Decis. 5, 42–60 (2018).
Jouguet, P., KunzJacques, S., Leverrier, A., Grangier, P. & Diamanti, E. Experimental demonstration of longdistance continuousvariable quantum key distribution. Nat. Photonics 7, 378–381 (2013).
Devetak, I. & Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. A: Math., Phys. Eng. Sci. 461, 207–235 (2005).
Abramowitz, M. & Stegun, I. A. Handbook of Mathematical Functions With Formulas, Graphs, and Mathematical Tables, vol. 55 (US Government printing office, 1948).
MüllerQuade, J. & Renner, R. Composability in quantum cryptography. N. J. Phys. 11, 085006 (2009).
Matsuura, T., Sasaki, T. & Koashi, M. Refined security proof of the roundrobin differentialphaseshift quantum key distribution and its improved performance in the finitesized case. Phys. Rev. A 99, 042303 (2019).
Raginsky, M. & Sason, I. Concentration of measure inequalities in information theory, communications, and coding. Found. Trends Commun. Inf. Theory 10, 1–246 (2013).
McDiarmid, C.Concentration, 195–248. Probabilistic methods for algorithmic discrete mathematics (Springer, 1998).
Carter, J. L. & Wegman, M. N. Universal classes of hash functions. J. Comput. Syst. Sci. 18, 143–154 (1979).
Pirandola, S., Laurenza, R., Ottaviani, C. & Banchi, L. Fundamental limits of repeaterless quantum communications. Nat. Commun. 8, 1–15 (2017).
Acknowledgements
This work was supported by Crossministerial Strategic Innovation Promotion Program (SIP) (Council for Science, Technology and Innovation (CSTI)); CREST (Japan Science and Technology Agency) JPMJCR1671; JSPS KAKENHI Grant Number JP18K13469.
Author information
Authors and Affiliations
Contributions
T.M., K.M., T.S. and M.K. contributed to the initial conception of the ideas, to the working out of details, and to the writing and editing of the manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Peer review information Nature Communications thanks Anthony Leverrier and the other, anonymous, reviewer(s) for their contribution to the peer review of this work. Peer reviewer reports are available.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Matsuura, T., Maeda, K., Sasaki, T. et al. Finitesize security of continuousvariable quantum key distribution with digital signal processing. Nat Commun 12, 252 (2021). https://doi.org/10.1038/s41467020199161
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s41467020199161
This article is cited by

Practical continuousvariable quantum key distribution with composable security
Nature Communications (2022)

Neural networkbased prediction of the secretkey rate of quantum key distribution
Scientific Reports (2022)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.