Security of quantum key distribution from generalised entropy accumulation

The goal of quantum key distribution (QKD) is to establish a secure key between two parties connected by an insecure quantum channel. To use a QKD protocol in practice, one has to prove that a finite size key is secure against general attacks: no matter the adversary’s attack, they cannot gain useful information about the key. A much simpler task is to prove security against collective attacks, where the adversary is assumed to behave identically and independently in each round. In this work, we provide a formal framework for general QKD protocols and show that for any protocol that can be expressed in this framework, security against general attacks reduces to security against collective attacks, which in turn reduces to a numerical computation. Our proof relies on a recently developed information-theoretic tool called generalised entropy accumulation and can handle generic prepare-and-measure protocols directly without switching to an entanglement-based version.


I. INTRODUCTION
Quantum key distribution (QKD) considers the following scenario: two parties, Alice and Bob, can communicate via an insecure quantum channel and an authenticated classical channel. Using these resources, Alice and Bob would like to establish a secure shared key, i.e. a piece of information that is known to both of them, but entirely unknown to an adversary Eve [1,2].
The key difficulty in establishing the security of a QKD protocol is that one has to take into consideration any possible attack that the adversary Eve may perform. For example, in one round of the protocol, Eve may gather a piece of quantum side information about the quantum state sent via the insecure channel. This piece of side information could be combined with side information from previous rounds to plan Eve's attack for the next round, resulting in a very complicated multi-round attack. Additionally, Alice and Bob can only execute a certain finite number of rounds, introducing statistical finite-size effects. A security proof that takes both of these challenges into account is called a finite-size security proof against general attacks (also referred to as coherent attacks) [3-5]. Such a proof is required to safely deploy a QKD protocol in practice.
Due to the difficulty of proving finite-size security against general attacks, many protocols are first analysed for collective attacks, for which very general numerical techniques have been developed (see e.g. [6-14]). For a security proof against collective attacks one makes the assumption that Alice and Bob execute infinitely many rounds of the protocol and that Eve behaves independently and identically in each round. This is also called the i.i.d. asymptotic setting. These assumptions are of course unrealistic, but a collective attack proof is a useful theoretical tool, as it can often be converted into a finite-size proof against general attacks using techniques such as the quantum de Finetti theorem [15,16]. Such general techniques are very powerful, but typically require additional assumptions on the protocol and can significantly lower the amount of key that can be extracted compared to the collective attack scenario.
In this work, we show that security against collective attacks implies finite-size security against general attacks for a broad class of protocols. The main feature of our security proof is its generality: while many existing security proofs work well for particular protocols, our approach works for any generic protocol satisfying a few structural assumptions. Furthermore, it provides a natural way of proving security against general attacks, with the proof being in close correspondence to the structure of the original protocol, whereas previous techniques often required the protocol to be transformed into a theoretically equivalent one to fit into the framework of a particular proof technique. In particular, our technique can be applied directly to prepare-and-measure protocols without transforming them into an entanglement-based version. Furthermore, our technique provides bounds that are independent of the dimension of the underlying Hilbert space; instead, the bound depends only on the number of possible classical outputs that Alice and Bob may receive. This is particularly important for photonic QKD protocols, where the underlying Hilbert space is a Fock space with unbounded dimension [17,18], and is also useful for (semi-)device-independent protocols. We give a more detailed comparison between our technique and previous ones below.
Our main result, Theorem II.4, reduces the task of showing security against general attacks to the (generally much simpler) task of proving security against collective attacks. In Section II, we present this result by providing a very general template prepare-and-measure QKD protocol (Protocol 1) and proving its finite-size security against general attacks assuming a security statement for collective attacks. Furthermore, we adapt existing numerical techniques [6,7] to show that a collective attack bound for any instance of this general protocol can be computed by solving a convex optimisation problem (Section II C). Hence, to show security for a particular protocol of interest, one can simply express this protocol as an instance of our general template protocol, numerically determine a collective attack bound, and deduce security against general attacks immediately from our Theorem II.4. We illustrate the procedure of proving security using our framework by applying it to the B92 protocol in Section II E; this yields the first finite-size security proof against general attacks for the B92 protocol that converges to the optimal key rate in the asymptotic limit of infinitely many rounds. We also note that the proof technique underlying the security proof of our template protocol is very general and can easily be adapted to protocols that do not fit precisely into our framework. For example, one could incorporate advantage distillation [19,20] by applying our technique in a block-wise rather than a round-wise manner.
Our proof employs a recent information-theoretic result called the generalised entropy accumulation theorem (GEAT) [21]. This theorem is an information-theoretic statement about the min-entropy produced by sequential quantum processes; see Section IV C for a more detailed explanation. For our security proof, we show that generic QKD protocols can be expressed in such a form that the GEAT provides a tight lower bound on a certain min-entropy associated with the protocol, which implies security of the protocol against general attacks. This entropic lower bound depends on the security statement against collective attacks; it is in this sense that our proof reduces security against general attacks to security against collective attacks.
There are a number of existing techniques for converting security proofs against collective attacks into ones against general attacks. The most widely used ones are either based on the quantum de Finetti theorem [15] (or the related post-selection technique [16]), or they employ the entropy accumulation theorem (EAT) [22], of which the GEAT is a generalisation. We briefly describe how each of these relates to our technique using the GEAT.
The quantum de Finetti theorem and related methods such as the post-selection technique rely on the permutation symmetry between different rounds of the protocol to reduce general to collective attacks. While not every protocol possesses this permutation symmetry naturally, it can usually be enforced by including an additional "symmetrisation step" in the protocol. The main downside of these techniques is that the bounds they achieve scale unfavourably with the dimension of the underlying Hilbert space, i.e. the Hilbert space that contains the states sent from Alice to Bob. This means that these techniques only yield useful bounds for protocols with a small Hilbert space dimension, e.g. the BB84 or B92 protocols [1,23]. However, practical implementations of QKD protocols do not always satisfy this requirement; for example, many protocols use laser pulses as the means by which Alice sends a quantum state to Bob [24,25], and such laser pulses are described in a Fock space whose dimension is in principle unbounded. While methods for truncating the Fock space have been developed [26,27], this introduces additional complications and may lead to weak bounds if the dimension of the truncated Fock space remains large.
In contrast, the EAT and GEAT provide bounds that do not depend on the dimension of the underlying Hilbert space. In fact, the EAT and GEAT share (almost) the same second-order terms, so one does not incur a noticeable loss in parameters when using the GEAT compared to the EAT. This dimension-independence of the second-order terms means that the EAT can also be used to prove security for device-independent or semi-device-independent protocols [28]. For an example of a device-independent protocol that can be treated with the GEAT, but not the EAT, see Ref. [21].
The main difference between the EAT and the GEAT is that the EAT deals with a more restrictive model of how side information can be generated during the protocol. The GEAT allows Eve's side information to be updated in an arbitrary way. In contrast, the EAT requires that new side information must be output in a round-by-round manner subject to a Markov condition between rounds, and once side information has been output it cannot be updated anymore. In general, it is not possible to model the way that Eve actively intercepts quantum states and updates her side information in a prepare-and-measure protocol by a process that outputs side information in a round-by-round manner subject to the Markov condition. As a consequence, the EAT cannot "naturally" deal with general prepare-and-measure protocols. Instead, one first has to convert a prepare-and-measure protocol into an entanglement-based protocol. This can be done as follows: if Alice prepares one of a set of pure states {|ψ_j⟩_Q}_j with probability p(j) and stores the index j specifying the state in her register A, we can replace this by Alice preparing a state |ψ̃⟩_AQ = Σ_j √p(j) |j⟩_A |ψ_j⟩_Q and later measuring her system A. Then, we can model Eve's attack by replacing this state |ψ̃⟩_AQ by an arbitrary state |ψ̃′⟩_AQE prepared by Eve, subject to the constraint that Alice's marginal, which Eve cannot access in the prepare-and-measure protocol, is "correct", i.e. ψ̃′_A = ψ̃_A. This additional constraint is an artificial one in the sense that it is not something that Alice and Bob check in the actual protocol, and it is unclear how it can be incorporated into a security proof using the EAT in a natural way. As a result, it appears difficult or impossible to use the EAT to obtain reasonable finite-size key rates for prepare-and-measure protocols except in very simple cases. In contrast, the GEAT is able to deal with prepare-and-measure protocols directly, circumventing this issue entirely. The GEAT's ability to deal with prepare-and-measure protocols without any dependence on the dimension of the underlying Hilbert space makes it particularly useful for photonic prepare-and-measure protocols, which are of practical interest.
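As a small numerical illustration of this source-replacement step, the following sketch builds |ψ̃⟩_AQ for an illustrative two-state qubit source (the states and probabilities are our own choice, not taken from the text) and extracts Alice's marginal ψ̃_A, which is the quantity Eve's replacement state would have to reproduce:

```python
import numpy as np

# Illustrative source: Alice sends |0> with prob 3/4 and |+> with prob 1/4.
p = np.array([0.75, 0.25])
ket0 = np.array([1.0, 0.0])
ketplus = np.array([1.0, 1.0]) / np.sqrt(2)
signal_states = [ket0, ketplus]

# Entanglement-based replacement: |psi~>_AQ = sum_j sqrt(p(j)) |j>_A |psi_j>_Q
psi_AQ = sum(np.sqrt(p[j]) * np.kron(np.eye(2)[j], signal_states[j])
             for j in range(2))

# Alice's marginal psi~_A = Tr_Q |psi~><psi~|: the constraint on Eve's state.
rho_AQ = np.outer(psi_AQ, psi_AQ.conj())
rho_A = np.trace(rho_AQ.reshape(2, 2, 2, 2), axis1=1, axis2=3)
```

The diagonal of ψ̃_A reproduces the preparation probabilities, while the off-diagonals encode the overlaps of the signal states.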
In addition to these general techniques for reducing security against general attacks to security against collective attacks, there are also more specialised techniques that directly prove security against general attacks without an explicit reduction to collective attacks. Perhaps the most common of these are phase-error correction and entropic uncertainty techniques, both of which use the complementarity of different measurements in the protocol as the starting point for a security proof (see e.g. [29-34]). These security proofs usually give very tight bounds for "symmetric" protocols (i.e. protocols relying on mutually unbiased measurement bases, even though these bases need not be chosen with equal probability) where they can be applied naturally, and can also be extended to symmetric protocols with experimental imperfections that slightly break the symmetry, e.g. using the reference state technique [35,36]. In addition, various other proof techniques that use the symmetry of specific protocols have been developed (see e.g. [37-39]).
Our general security proof is not meant to replace more specialised techniques in cases where the protocol is symmetric enough for these to be applied; instead, we provide a unifying framework that can also prove the security of protocols for which no specialised techniques are available, or for which such techniques do not yield asymptotically tight bounds. An example of this is the B92 protocol, for which we give a full security proof in Section II E: for this protocol, complementarity-based methods have been used to prove security against general attacks [31,40], but the resulting key rates do not converge to the collective attack rate in the limit of infinitely many rounds. In contrast, a direct application of our general framework yields the first asymptotically tight finite-size security proof against general attacks for the B92 protocol.

II. RESULTS
A. Framework for prepare-and-measure protocols

Our main result, Theorem II.4, shows that for a broad class of prepare-and-measure protocols, security against collective attacks implies security against general attacks. To make this result easy to use, we phrase it as a security statement for a general "template protocol"; many existing prepare-and-measure protocols can be viewed as an instance of this template protocol, and their security then follows from the security of the general template protocol. For protocols that do not fit exactly into this template, the security proof can usually easily be adapted from our proof of Theorem II.4.
Our template protocol is described formally in Protocol 1; here, we make a few additional remarks regarding this general protocol, using the notation introduced in Protocol 1. Firstly, without loss of generality we can assume that the cq-state ψ_UQ is of the form ψ_UQ = Σ_u p(u) |u⟩⟨u|_U ⊗ |ψ⟩⟨ψ|_{Q|u} for a probability distribution p(u) and pure states |ψ⟩⟨ψ|_{Q|u}. This means that Alice chooses a value u according to p(u) and then sends the pure state |ψ⟩⟨ψ|_{Q|u} to Bob. The reason that we can assume that |ψ⟩⟨ψ|_{Q|u} is pure is that if Alice wanted to send a mixed state, she could express that mixed state as a mixture of pure states, send one of those pure states, and later "forget" which of the pure states she sent as part of the map rk.
Secondly, in Protocol 1 Bob measures a POVM {N^(v)} with outcomes v ∈ V. More commonly, we think of Bob as choosing an input y according to some distribution q(y) and receiving an output b ∈ B. This can be described by a collection of POVMs {Ñ_y^(b)}_{b∈B}, one for each possible input y. For example, Bob might choose uniformly at random whether to measure a qubit in the computational or Hadamard basis. In that case, y would be the basis choice, and for each y, {Ñ_y^(b)}_{b∈B} is the measurement in the chosen basis. However, since Bob's measurements are trusted, the distinction between inputs and outputs is unnecessary: we can convert a set of POVMs {Ñ_y^(b)}_{b∈B} with an input distribution q(y) into an equivalent single POVM {N^(v)}_{v∈V} by choosing V = Y × B and N^(y,b) = q(y) Ñ_y^(b). This satisfies the required property of a POVM:

Σ_{y,b} N^(y,b) = Σ_y q(y) 𝟙 = 𝟙,

where we used the fact that {Ñ_y^(b)}_{b∈B} is a POVM for the first equality and the fact that q(y) is a probability distribution for the second. One can think of N^(y,b) as first choosing y ∈ Y according to q(y) and then measuring {Ñ_y^(b)} on the state, providing (y, b) as output.
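The conversion from input-dependent measurements to a single POVM can be checked numerically. The following sketch uses the computational/Hadamard example from the text; the uniform input distribution q(y) = 1/2 is our illustrative choice:

```python
import numpy as np

H = np.array([[1, 1], [1, -1]]) / np.sqrt(2)

# Bob's two basis measurements: computational (y=0) and Hadamard (y=1),
# each chosen with probability q(y) = 1/2.
q = {0: 0.5, 1: 0.5}
basis = {0: np.eye(2), 1: H}  # columns are the basis states

def proj(v):
    """Rank-one projector |v><v|."""
    return np.outer(v, v.conj())

# Combined POVM: N^{(y,b)} = q(y) * Ntilde_y^{(b)}
N = {(y, b): q[y] * proj(basis[y][:, b]) for y in (0, 1) for b in (0, 1)}

# The elements must sum to the identity, as required for a POVM.
total = sum(N.values())
```

Sampling an outcome (y, b) from this single POVM is statistically identical to first sampling y from q and then measuring in basis y.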
Thirdly, the function pd describes the total information exchanged during the public discussion (Step (2)) for one round i of the protocol. The details of how the public discussion takes place are of no concern to the protocol: in general, Alice and Bob may exchange multiple rounds of back-and-forth communication during this step, and pd describes the transcript of the entire exchange. For example, in a protocol that includes a sifting step, the public discussion would include the information necessary to decide which rounds to sift out; the actual sifting would occur in the raw key generation step, where Alice's function rk can use the information from the public discussion to put a special symbol (e.g. ⊥) as the raw key for rounds that are sifted out.
Additionally, the protocol distinguishes between information I_i published during Step (2) and error correction information ec published during Step (4). The difference between these two steps is that I_i may only depend on the inputs U_i and V_i generated during the i-th round of measurements. This means that I_i is generated in a round-by-round manner and will enter in the single-round security statement (or collective attack bound, see Definition II.2). In contrast, ec is global information of a fixed length λ_ec, i.e. it can depend arbitrarily on information generated during all rounds of the protocol, but to obtain a good key rate, λ_ec should be as short as possible.

Protocol 1. General prepare-and-measure QKD protocol

Protocol arguments
n ∈ ℕ : number of rounds
ψ_UQ : quantum state prepared by Alice, where U is classical with alphabet U and Q is quantum
{N^(v)}_{v∈V} : POVM acting on Hilbert space H_Q describing Bob's trusted measurements (where V is some finite set of possible outcomes)
pd : U × V → I : function describing the transcript of public discussion (where I is some finite alphabet)
rk : U × I → S : function describing Alice's raw key generation (where S is the alphabet of the raw key)
ev : V × I × S → C : function "evaluating" each round by assigning a label from the alphabet C
λ_ec ∈ ℕ₀ : length of bit string exchanged during error correction step
k_ca > 0 : required amount of single-round entropy generation
ε_kv, ε_pa > 0 : tolerated errors during key validation and privacy amplification steps
ca : P(C) → ℝ : affine function corresponding to collective attack bound
l ∈ ℕ : length of final key

Protocol steps
(1) Data generation. Alice prepares ψ_{U^n Q^n} = ψ_UQ^⊗n and sequentially sends the systems Q_1, …, Q_n to Bob via a public quantum channel. For each i ∈ {1, …, n}, Bob measures {N^(v)}_{v∈V} on register Q_i and records the outcome in register V_i.
(4) Error correction. Alice and Bob publicly exchange information ec ∈ {0,1}^λ_ec, which can depend on U^n, V^n, and I^n.
(5) Raw key validation. Alice chooses a function Hash : S^n → {0,1}^⌈log(1/ε_kv)⌉ from a universal hash family F (Definition IV.1) according to the associated probability distribution P_F and publishes a description of Hash and the value Hash(S^n). Bob computes Hash(Ŝ^n) and aborts the protocol if Hash(S^n) ≠ Hash(Ŝ^n).

Finally, we note that in Protocol 1, Alice and Bob first perform error correction, and afterwards Bob uses his error-corrected guess for Alice's raw key for the purposes of the statistical check. An alternative that is commonly used in existing QKD protocols is that Alice and Bob publish part of their data in a separate parameter estimation step before the error correction step and use this public information to run a statistical check. Our Protocol 1 can easily be modified to include protocols of this form.

Example: BB84 protocol as an instance of Protocol 1. To gain further intuition for Protocol 1, we describe how to reproduce the well-known BB84 protocol as an instance of our general Protocol 1. In the BB84 protocol, Alice sends a random state from the set {|0⟩, |1⟩, |+⟩, |−⟩}, where |±⟩ = (|0⟩ ± |1⟩)/√2 are the Hadamard basis states. As her information U_i, Alice records which state she sent, i.e. she records the basis x ∈ {0, 1} and the value a ∈ {0, 1}. Hence, for the BB84 protocol, the state Alice sends for u = (x, a) is H^x |a⟩, where H is the Hadamard gate and H^0 = id, H^1 = H.
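Step (5) can be sketched in code. The specific 2-universal family below (a modular affine hash) and the encoding of the raw key S^n as a single integer are illustrative stand-ins for the family F of Definition IV.1:

```python
import math
import secrets

# Raw key validation sketched with the 2-universal family
# h_{a,b}(x) = ((a*x + b) mod p) mod 2^t. This family and the integer
# encoding of the raw key are illustrative, not the paper's construction.
def validate(key_alice, key_bob, eps_kv=2**-32):
    """Return True iff Bob's hash of his guess matches Alice's published hash."""
    t = math.ceil(math.log2(1 / eps_kv))   # output length ceil(log(1/eps_kv))
    p = (1 << 61) - 1                      # Mersenne prime; keys must be < p
    a = secrets.randbelow(p - 1) + 1       # Alice samples the hash function
    b = secrets.randbelow(p)
    h = lambda k: ((a * k + b) % p) % (1 << t)
    # Alice publishes (a, b, h(S^n)); Bob aborts if his hash differs.
    return h(key_alice) == h(key_bob)
```

If the keys agree the check always passes; if they differ, 2-universality makes an undetected mismatch occur with probability at most ε_kv.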
Bob's measurements output a basis choice y ∈ {0, 1} and the outcome b of a single-qubit measurement in that basis (with y = 0 corresponding to the computational and y = 1 to the Hadamard basis). Therefore, his measurements are described by a POVM on system Q consisting of elements

N^(y,b) = (1/2) H^y |b⟩⟨b| H^y.

During the public discussion phase, Alice and Bob publish their basis choices x_i and y_i for each of the rounds. Therefore, for U_i = (x_i, a_i) and V_i = (y_i, b_i),

I_i = pd(U_i, V_i) = (x_i, y_i).

To generate her raw key, for each round Alice checks whether the basis choices x_i and y_i are the same: if so, she uses her measurement outcome a_i for the raw key, and otherwise she discards that round. Formally,

S_i = rk(U_i, I_i) = a_i if x_i = y_i, and S_i = ⊥ otherwise.

Finally, for the statistical check in Step (6), Bob checks whether his guess Ŝ^n for Alice's string matches his own raw data. In fact, Bob can only do this check on a small subset of indices i. The reason is that for our definition of collective attack bounds (Definition II.2) and the security proof (Theorem II.4), we are bounding the entropy conditioned on the systems C^n, i.e. we are essentially assuming that all of the statistical information gets leaked to Eve. Hence, Bob chooses a value T_i at random with Pr[T_i = 1] = γ (where γ is the testing probability, and the choice of T_i can formally be included into V_i), and then sets C_i = ⊥ if T_i = 0 or x_i ≠ y_i, C_i = 1 if T_i = 1, x_i = y_i, and Ŝ_i = b_i, and C_i = 0 otherwise. Intuitively, ⊥ denotes that no useful check can be performed in this round, "1" means the check has passed, and "0" means the check has failed.
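Putting these pieces together, one honest (noiseless) round of BB84 in the template's terms might look as follows. The Python encoding (None standing in for ⊥, the fixed seed, and γ = 0.1) is our illustrative choice:

```python
import numpy as np

rng = np.random.default_rng(7)
H = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
GATE = {0: np.eye(2), 1: H}  # H^0 = id, H^1 = H

def bb84_round(gamma=0.1):
    """One honest noiseless BB84 round, phrased via the template's pd/rk/ev."""
    x, a = rng.integers(2), rng.integers(2)      # Alice's u = (x, a)
    psi = GATE[x][:, a]                          # state H^x |a> sent to Bob
    y = rng.integers(2)                          # Bob's basis choice
    probs = np.abs(GATE[y].conj().T @ psi) ** 2  # Born rule in basis y
    b = rng.choice(2, p=probs)
    t = int(rng.random() < gamma)                # test flag, part of V_i
    i_pub = (x, y)                               # pd: publish basis choices
    s = a if x == y else None                    # rk: sift; None plays '⊥'
    # ev: '⊥' if untested or sifted out, 1 if the check passes, 0 if it fails
    c = None if (t == 0 or s is None) else int(s == b)
    return s, c

results = [bb84_round() for _ in range(2000)]
```

With no channel noise and no adversary, every tested unsifted round yields C_i = 1; any C_i = 0 in practice signals disturbance on the channel.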
In Protocol 1, Eve can obtain information about the final key K in two ways: firstly, Eve can observe the classical information published by Alice and Bob during the protocol, e.g. the error correction information ec. In a security proof, this is easy to handle, as Alice and Bob have full control over what information they publish. Secondly, Eve can intercept the quantum systems Q_i sent from Alice to Bob in Step (1). This is much harder to analyse in a security proof, as Eve can perform arbitrary operations on the systems Q_i and we need to bound the amount of information Eve can gain about Alice's and Bob's raw keys from tampering with the systems Q_i without being detected. The set of actions Eve performs on the systems Q_i is called Eve's attack.
In principle, Eve could collect all of the n systems Q_1, …, Q_n, perform an arbitrary quantum channel A : Q^n → E Q^n, and send the output on systems Q^n to Bob.
The system E would be kept by Eve and would contain her (potentially quantum) side information about the final key.
To analyse the security of a prepare-and-measure protocol with the GEAT, we need to introduce an extra condition.
Condition II.1. Eve can only be in possession of one of the systems Q_i at the same time.
Since Alice sends the systems Q_1, …, Q_n sequentially in Step (1), this means that with this additional condition, Eve's most general attack also takes a sequential form. More formally, with this condition, the most general attack Eve can perform is described by a sequence of maps A_i : Q_i E′_{i−1} → Q_i E′_i, where E′_i are arbitrary quantum systems that contain Eve's side information after having intercepted the i-th system Q_i. (The system E′_0 can be chosen to be trivial without loss of generality, but we will not need this for our security proof.) In fact, it is easy for Alice and Bob to enforce Condition II.1 by checking that system Q_i has arrived on Bob's side before Q_{i+1} is sent. The downside of this simple strategy is that if Alice and Bob are far apart, it limits the number of signals that can be sent per unit time.
To circumvent this, Alice and Bob can agree on a "schedule" on which signals are transmitted, i.e. they decide when Alice will send out each signal, so Bob, being aware of its travel time without Eve's interference, knows when to expect to receive it.Then, assuming that Eve cannot significantly speed up the transmission of signals, this would ensure that Condition II.1 is satisfied without Alice having to wait for Bob's confirmation to send the next signal (see Figure 2 for an illustration of this).Whether or not the assumption that Eve cannot significantly speed up the transmission of signals is realistic depends on the specific QKD setup: for example, if signals are transmitted from Alice to Bob through vacuum (e.g. in satellite-to-satellite QKD), they travel at the speed of light and cannot be sped up further by Eve, so Condition II.1 can be enforced by sending signals on a pre-agreed schedule without issues.
On the other hand, if Alice and Bob exchange signals via a (very long) optical fiber, Eve could in principle extract the signal at the start of the fiber, transmit it through free space, and then re-insert it into the fiber on Bob's side.Since the speed of light in a fiber is slower than in free space, this would enable Eve to have simultaneous access to a (relatively small) set of s sped-up signals, perform some attack involving this set of signals, and then feed the "first" of these signals to Bob in such a way that it arrives at the time expected by Bob; then, Eve could add the next sped-up signal to her set, apply another attack to that set of s signals, and so on.Such an attack would violate Condition II.1, but it would go unnoticed by Alice and Bob since the signals do arrive at the expected times on Bob's end.
Setting aside the question of how realistic it is for Eve to perform such an attack, this issue can be addressed by relaxing Condition II.1 so that instead of requiring Eve to be in possession of only one signal at a time, we allow her to be in possession of s signals at a time. To prove security under this weakened condition, we can divide the signals into interleaved groups such that any two signals within a group are s rounds apart, use a standard chain rule for min-entropies (or Rényi entropies) to divide the total entropy into a sum of group-wise entropies, and simply apply our analysis at the level of these groups. Our proof then goes through essentially unchanged, although the resulting second-order terms in the key rate will depend on the allowed number s of signals available to Eve at a time. We explain this modification in more detail in Supplementary Note C and focus on the case where Condition II.1 holds exactly in the main text for simplicity.
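The interleaved grouping itself is simple index bookkeeping; a minimal sketch (our own notation, with groups indexed by the round's residue mod s):

```python
# Interleaved grouping for the relaxed condition: with n rounds and Eve
# holding at most s signals at a time, any two rounds within one group are
# s apart, so the single-signal analysis applies group-wise.
def interleaved_groups(n, s):
    """Partition round indices 0..n-1 into s interleaved groups."""
    return [list(range(g, n, s)) for g in range(s)]
```

Applying the chain rule then splits the total entropy into one term per group, which is why the second-order terms of the resulting key rate grow with s.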
We have now seen how to model Eve's general attack under Condition II.1. In contrast to such general sequential attacks, collective attacks only allow Eve to perform the same independent attack in each round of the protocol. Hence, a collective attack can be modelled by a map A : Q → EQ, which Eve applies in each round of the protocol, so Eve's full attack over n rounds is given by the tensor product map A^⊗n : Q^n → E^n Q^n. Proving security against this restricted class of attacks is typically much easier than proving security against general attacks. However, we stress that, unlike Condition II.1, the assumption that Eve performs only a collective attack cannot be enforced by Alice and Bob. Therefore, a security proof that only considers collective attacks is insufficient for practical applications.

C. Collective attack bounds
If one restricts Eve to performing collective attacks, it is known that in the limit n → ∞ of many rounds the key rate is given by a simple entropic expression that only involves quantities corresponding to a single round of the protocol [41]. More formally, we can view a collective attack bound as a map that takes as input the statistics corresponding to a single round of the protocol and outputs a lower bound on a certain conditional entropy, which specifies how much key can safely be extracted from a state with those statistics.
Definition II.2 (Collective attack bound for Protocol 1). Fix arguments ψ_UQ, {N^(v)}_{v∈V}, pd, rk, and ev for Protocol 1. Suppose that Alice and Bob run a single round (i.e. n = 1) of Protocol 1 with these arguments up to (and including) Step (3). For a collective attack A : Q → QE, denote the state at the end of Step (3) as ν_UVSIE. Let ν_UVSIEC be an extension of this state, where C = ev(V, I, S). A collective attack bound (for the choice of parameters fixed above) is a map ca : P(C) → ℝ such that for any collective attack A, the state ν_UVSIEC (which depends on A) satisfies

H(S|IEC)_ν ≥ ca(ν_C), (II.1)

where ν_C denotes the probability distribution of C.
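Since the definition requires ca to be affine in the statistics, a convex single-round entropy bound is typically replaced by one of its tangent lines, which lower-bounds the curve everywhere. The following sketch illustrates this using the textbook BB84-style curve 1 − h(Q) as an example bound (our illustrative choice, not the paper's general construction):

```python
import math

def h(q):
    """Binary entropy in bits, for q in (0, 1)."""
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)

def affine_ca(q0):
    """Tangent line to the convex curve Q -> 1 - h(Q) at Q = q0.
    By convexity, the tangent lies below the curve everywhere, so it is a
    valid affine lower bound whenever the curve itself is one."""
    slope = math.log2(q0 / (1 - q0))  # derivative of 1 - h(Q) at q0
    return lambda q: 1 - h(q0) + slope * (q - q0)
```

Choosing the tangency point q0 near the expected error rate makes the affine bound tight at the protocol's actual operating point.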

D. Security against general attacks
Having introduced our framework for general prepare-and-measure protocols and collective attack bounds, we can now state the main technical result of this paper, namely that a collective attack bound implies a security statement against general attacks. For this, we first recall the security definition for QKD, namely the notions of correctness, secrecy, and completeness [15]. This security definition is composable, meaning that the key generated by a protocol satisfying this definition can safely be used in other protocols [42].
Definition II.3 (Correctness, secrecy, and completeness). Consider a QKD protocol in which Alice and Bob can decide whether or not to abort the protocol. Let ρ_{K K̂ E} be the final state at the end of the protocol (for a given initial state), where K and K̂ are Alice's and Bob's versions of the final key, respectively, and E contains all side information available to the adversary Eve at the end of the protocol. The protocol is called ε_cor-correct, ε_sec-secret, and ε_comp-complete if the following holds:

(i) Correctness. For any actions of the adversary Eve:

Pr[K ≠ K̂ ∧ Ω] ≤ ε_cor.

(ii) Secrecy. For any actions of the adversary Eve:

‖ρ_{KE∧Ω} − τ_K ⊗ ρ_{E∧Ω}‖_1 ≤ ε_sec,

where τ_K is the maximally mixed state on system K, Ω is the event that the protocol does not abort, and ρ_∧Ω = Pr[Ω] ρ_|Ω is the subnormalised state conditioned on Ω (see Section IV A for details).
(iii) Completeness. For a given noise model for the protocol, there exists an honest behaviour for the adversary Eve such that

Pr[Ω] ≥ 1 − ε_comp.

Note that correctness and secrecy must hold for any behaviour of Eve (and also any noise model), while completeness is concerned with the honest implementation of the protocol. Correctness and secrecy bound the probability of Alice and Bob receiving different or insecure keys without detecting this fact and aborting the protocol. Completeness says that the protocol is robust against a given noise model in the sense that for this noise model, the probability of aborting the protocol is small if Eve behaves honestly. It is common to combine the correctness and secrecy parameters and call a protocol (ε_cor + ε_sec/2)-secure, where the factor of 1/2 arises because our definition of secrecy uses the difference in trace norm, not the trace distance, which includes an additional factor of 1/2.
Our main result is that Protocol 1 satisfies the correctness and secrecy conditions. Formally, we show the following.
Theorem II.4. Fix any choice of arguments n, ψ_UQ, {N^(v)}_{v∈V}, pd, rk, ev, k_ca, λ_ec, ε_kv, and ε_pa for Protocol 1. Let ca : P(C) → ℝ be an affine collective attack bound for this choice of arguments. For any ε_s, ε_a > 0 and α ∈ (1, 3/2), choose a final key length l satisfying the bound of Theorem IV.5, where g(ε_s), V, and K′(α) are defined. With this choice of parameters and assuming that Condition II.1 holds, Protocol 1 is ε_cor-correct and ε_sec-secret, with ε_cor and ε_sec determined by the parameters above as specified in Section IV D. We prove this theorem in Section IV D. In addition, we also show completeness; since this is much more straightforward and only uses standard techniques, we defer this to Supplementary Note B.

E. Sample application: B92 protocol
We now demonstrate how to apply our framework, using the B92 protocol as an example. The B92 protocol has no natural entanglement-based analogue and therefore cannot be analysed with the original EAT. Nonetheless, it is very simple, and therefore provides arguably the easiest example to demonstrate the application of our framework to a protocol that cannot be analysed with the EAT. Furthermore, while there exist analytic security proofs of B92 using entropic uncertainty relations [31,40], these techniques yield key rates that are far from optimal even in the asymptotic regime. This is in contrast to highly symmetric protocols such as BB84, where entropic uncertainty relations yield essentially tight proofs [34].
We emphasise that the purpose of this section is to illustrate our general results with a simple example, not to derive the tightest possible key rates for a particular protocol. We leave the analysis of more complicated protocols, where deriving the collective attack bound may be more involved, for future work. In Supplementary Note G, we also sketch how to express the decoy state BB84 protocol as an instance of our framework and how to derive a collective attack bound for it, demonstrating that the widely-used decoy state technique also naturally fits within our framework.
We also note that very recent work [43] has analysed the performance of the EAT on entanglement-based QKD protocols (and prepare-and-measure protocols that have a natural entanglement-based analogue) and found that it provides better key rates than previous methods. Since our GEAT-based security proof produces essentially the same key rates as the EAT in cases where both methods can be applied, this suggests that our framework will also provide very good key rates in cases where the EAT cannot be applied.
We start by giving an informal description of the B92 protocol and the intuition behind it. Then, we show how to view the B92 protocol as an instance of our general Protocol 1. Using the technique from Section II C to derive a collective attack bound, we can then apply Theorem II.4 to obtain a security statement for general attacks. To illustrate the result, we numerically compute the key rate for different choices of the number of rounds and the tolerated noise level in Section II E 3.
Each round of the B92 protocol works as follows: Alice chooses a bit u ∈ {0, 1} uniformly at random. If u = 0, she prepares the state |ψ⟩_Q = |0⟩, whereas if u = 1, she prepares |ψ⟩_Q = |+⟩. She sends |ψ⟩_Q to Bob, who chooses y ∈ {0, 1} uniformly at random and measures the system Q in the computational basis if y = 0 and in the Hadamard basis if y = 1. If he obtains outcome "1" (when measuring in the computational basis) or "−" (when measuring in the Hadamard basis), he sets v = y ⊕ 1. Otherwise, he sets v = ⊥. In the sifting step, Bob announces in which rounds he recorded v = ⊥, and Alice sets u = ⊥ for those rounds, too. The bits u and v from all of the rounds form the raw key. To detect possible tampering by Eve, Alice and Bob compare their values of u and v on a subset of rounds.
The intuition behind this protocol is the following: the secret information that will make up the key is encoded in Alice's basis choice u (where u = 0 corresponds to the computational and u = 1 to the Hadamard basis). When Bob receives the system Q, he tries to find out which basis the state was prepared in. For this, he guesses a basis y and measures Q in this basis. Suppose he chose y = 0, i.e. the computational basis, and assume that Eve did not tamper with the system Q. Then, if he obtains outcome "1", he concludes that Alice cannot have prepared the state |0⟩ and therefore must have chosen u = 1. Accordingly, he sets v = 1 = y ⊕ 1. If Bob obtains outcome "0", he cannot deduce Alice's basis choice, as both the states |0⟩ and |+⟩ may produce outcome "0" when measured in the computational basis, so he sets v = ⊥. Likewise, if he chose y = 1 and obtains outcome "−", this provides conclusive evidence that Alice cannot have prepared the state |+⟩, so he sets v = 0 = y ⊕ 1, whereas the outcome "+" is inconclusive. If Eve tries to tamper with the system Q, she is likely to disturb the state, as she does not know which basis it was prepared in. Therefore, Alice and Bob will detect this tampering when comparing their values of u and v.
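As a toy numerical check of the round structure just described (our own illustrative code, not part of the protocol specification), the honest, noiseless single-round statistics follow directly from the Born rule: a quarter of all rounds are conclusive, and conclusive rounds never produce v ≠ u.

```python
import numpy as np

# Honest, noiseless B92 round: Alice prepares |0> or |+>, Bob measures in a
# random basis and keeps only the "conclusive" outcomes ("1" or "-").
ket0 = np.array([1.0, 0.0])
ket1 = np.array([0.0, 1.0])
ketp = np.array([1.0, 1.0]) / np.sqrt(2)   # |+>
ketm = np.array([1.0, -1.0]) / np.sqrt(2)  # |->

states = {0: ket0, 1: ketp}       # Alice's preparation for u = 0, 1
conclusive = {0: ket1, 1: ketm}   # Bob's conclusive outcome for basis y = 0, 1

p_conclusive = 0.0
p_error = 0.0
for u in (0, 1):
    for y in (0, 1):
        # Born rule: probability of the conclusive outcome for this (u, y)
        prob = abs(np.dot(conclusive[y], states[u])) ** 2
        p_conclusive += 0.25 * prob   # u and y are uniform
        if (y ^ 1) != u:              # Bob would set v = y XOR 1
            p_error += 0.25 * prob

print(p_conclusive)  # approximately 0.25
print(p_error)       # approximately 0: conclusive outcomes always agree
```

This confirms the sifting rate of 1/4 and the fact that, without noise or tampering, a conclusive v always equals u.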

B92 as an instance of Protocol 1
We now give a more formal description of the B92 protocol as an instance of Protocol 1. As for the BB84 protocol described in Section II A, this means specifying the arguments ψ_UQ, {N^(v)}_{v∈V}, pd, rk, and ev. For each round, Alice chooses a bit U_i uniformly at random and prepares |0⟩ or |+⟩ based on her choice; Bob measures in either the computational or the Hadamard basis and uses the outcome to determine V_i ∈ {0, 1, ⊥} as described before. This measurement is described by the POVM {N^(v)}_{v∈{0,1,⊥}}. (More generally, instead of |0⟩ and |+⟩, any two non-orthogonal states can be used. It has been observed that using states at a different angle to each other than |0⟩ and |+⟩ can be advantageous [6]. Since our goal is to provide an illustration, not to optimise the key rate, we pick |0⟩ and |+⟩ for simplicity.)
During the public discussion phase, Bob informs Alice which rounds were inconclusive, i.e. yielded outcome ⊥. To generate her raw key S^n, Alice uses her bits U_i and discards the rounds for which Bob's measurement outcome was inconclusive, which she knows from the value of I_i. To generate the statistics Ĉ_i, Bob checks whether his guess Ŝ^n for Alice's raw key agrees with his own raw data V^n. As for the BB84 protocol described in Section II A, Bob can only do so on a small fraction γ of rounds because Definition II.2 includes the classical statistics as a conditioning system. Therefore, Bob chooses a value T_i at random with Pr[T_i = 1] = γ (the choice of T_i can formally be included in V_i, or one can view ev as a randomised rather than deterministic function). Of course, the functions ev_{T_i=0} and ev_{T_i=1} can be combined into a single function ev to formally fit into the framework of Protocol 1.

Collective attack bound
We need to derive an affine collective attack bound ca(ν_C) = λ · ν_C + c_λ for the B92 protocol, where ν_C is viewed as a probability vector as in Section II C. For this, we use the steps and notation from Section IV E; we recommend skipping this subsection on a first reading and returning to it after understanding Section IV E.
In the notation of Section IV E, the state ψ_PQ is the purification of Alice's B92 preparation. For any state ψ̃_PQ chosen by Eve, the statistics observed by Alice and Bob are described by Tr[Γ⃗ ψ̃_PQ], which is shorthand for the vector of the traces with the individual elements of Γ⃗. We can now directly apply the method from Section IV E to find a collective attack bound ca(ν_C) = λ · ν_C + c_λ: we heuristically choose a λ and then determine c_λ by solving the convex optimisation problem from Equation (IV.14) using the Matlab package CVXQUAD [44]. (One can pick λ by any numerical optimisation technique, such as Matlab's fminsearch; since λ may be chosen heuristically, it is not an issue if such a method lacks a convergence guarantee. In contrast, to determine c_λ one must use an optimisation method that guarantees a lower bound in order to ensure that the collective attack bound is valid. This is why it is important that c_λ be determined via a convex optimisation problem whose solution can be certified by duality.) For our numerical implementation, we employ additional simplifications to the optimisation problem from Equation (IV.14) using the steps described in Supplementary Note E; this helps with numerical performance but is not strictly necessary.
[Figure 1 caption: the key rate in the i.i.d. asymptotic setting, i.e. assuming that Eve behaves the same in each round and infinitely many rounds are executed. We see that as the number n of rounds in the protocol increases, the finite-size key rates against general attacks approach the i.i.d. asymptotic rate.]

Key rate
As our noise model for an honest implementation, we consider the depolarising channel with depolarising probability p, i.e. the channel that maps ρ → (1 − p)ρ + pτ, where τ is the maximally mixed state. We determine the key rate as a function of p, i.e. we determine the amount of key that can safely be generated from any potentially dishonest implementation that produces the same statistics as the honest implementation with noise level p. To this end, for every value of p we first determine the statistics produced by an honest implementation with that noise level. We then choose a collective attack bound and parameters for Theorem II.4 that ensure that the protocol is ε_cor-correct, ε_sec-secret, and ε_comp-complete for that noise level and ε_cor = 5 · 10^−11, ε_sec = 10^−9, and ε_comp = 10^−2. Finally, we choose the key length to be the largest integer l that satisfies the condition in Equation (II.2). We provide the choice of parameters in detail in Supplementary Note F and plot the resulting key rate in Figure 1 for different numbers of rounds n. We again note that the choice of parameters here is largely arbitrary and not optimised, as the purpose of this example is only to illustrate the use of our general framework.
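The honest single-round statistics under depolarising noise can be computed in closed form. The following sketch (our own illustrative code, not the paper's implementation) reproduces the B92 sifting probability and conditional error rate as functions of the depolarising probability p:

```python
import numpy as np

def b92_stats(p):
    """Return (Pr[conclusive], Pr[u != v | conclusive]) for noise level p."""
    ket0 = np.array([1.0, 0.0])
    ket1 = np.array([0.0, 1.0])
    ketp = np.array([1.0, 1.0]) / np.sqrt(2)
    ketm = np.array([1.0, -1.0]) / np.sqrt(2)
    states = {0: np.outer(ket0, ket0), 1: np.outer(ketp, ketp)}
    conclusive = {0: np.outer(ket1, ket1), 1: np.outer(ketm, ketm)}
    tau = np.eye(2) / 2  # maximally mixed state

    p_conc, p_err = 0.0, 0.0
    for u in (0, 1):
        rho = (1 - p) * states[u] + p * tau  # depolarising channel
        for y in (0, 1):
            prob = 0.25 * np.trace(conclusive[y] @ rho).real  # u, y uniform
            p_conc += prob
            if (y ^ 1) != u:
                p_err += prob
    return p_conc, p_err / p_conc

pc, qber = b92_stats(0.05)
print(pc, qber)
```

For example, at p = 0.05 the sifting probability is (1 + p)/4 = 0.2625 and the conditional error rate is p/(1 + p) ≈ 0.0476; at p = 0 one recovers the noiseless values 1/4 and 0.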

III. DISCUSSION
We have introduced a proof technique for analysing the security of QKD protocols in the finite-size regime against general attacks. This technique is best understood as a general procedure for converting a security proof in the i.i.d. asymptotic setting into a finite-size security proof against general attacks. To apply our technique, one can express a protocol of interest as an instance of our template Protocol 1, derive a collective attack bound (either using the general numerical technique described in Section II C or by reusing an existing analysis in the i.i.d. asymptotic setting), and apply our Theorem II.4 to obtain finite-size key rates against general attacks. Unlike previous techniques, our method can be applied directly to prepare-and-measure protocols and does not depend on the dimension of the underlying Hilbert space, allowing for a simple analysis of photonic prepare-and-measure protocols.
While we have provided a simple illustrative example of applying our framework to the well-known B92 protocol (Section II E), which is not amenable to treatment with the EAT, and sketched the analysis of the BB84 decoy-state protocol (Supplementary Note G), we leave it for future work to analyse more practical protocols and optimise the bounds one can obtain for those protocols. This is especially relevant given that commercial QKD systems may become increasingly prevalent in the near future. In particular, it would be interesting to see whether our framework can be used to prove the security of the differential phase-shift [45] and coherent one-way [46] QKD protocols. These protocols (and related ones using similar ideas) are relatively practical to implement, but notoriously hard to analyse.

A. Notation
The set of states for a quantum system A (with associated Hilbert space H_A) is given by S(A) = {ρ ∈ Pos(A) | Tr[ρ] = 1}, where Pos(A) is the set of positive operators on H_A. If A is a quantum system and X is a classical system with alphabet X, we call ρ ∈ S(XA) a cq-state and can expand it as ρ_XA = Σ_{x∈X} |x⟩⟨x| ⊗ ρ_{A,x} for subnormalised ρ_{A,x} ∈ Pos(A). For Ω ⊂ X, we define the partial state ρ_{XA∧Ω} = Σ_{x∈Ω} |x⟩⟨x| ⊗ ρ_{A,x} and the conditional state ρ_{XA|Ω} = ρ_{XA∧Ω}/Tr[ρ_{XA∧Ω}]. If Ω = {x}, we also write ρ_{XA|x} for ρ_{XA|Ω}. The set of quantum channels from system A to A′ is denoted by CPTP(A, A′). The trace norm (sum of the singular values) of an operator L on H_A is denoted by ∥L∥_1.
We will deal with two different entropies, the von Neumann entropy and the min-entropy, which are defined as follows. Let ρ_AB ∈ S(AB) be a quantum state. The conditional von Neumann entropy of A conditioned on B is given by H(A|B)_ρ = H(AB)_ρ − H(B)_ρ, where H(ρ) = −Tr[ρ log ρ]. The ε-smooth conditional min-entropy is given by H^ε_min(A|B)_ρ = −log inf_{ρ̃_AB ∈ B^ε(ρ_AB)} inf_{σ_B ∈ S(B)} ∥(1_A ⊗ σ_B^{−1/2}) ρ̃_AB (1_A ⊗ σ_B^{−1/2})∥_∞, where ∥·∥_∞ denotes the spectral norm and the first infimum is taken over all states ρ̃_AB ∈ B^ε(ρ_AB) in the ε-ball around ρ_AB (in terms of the purified distance [47]); the (non-smoothed) min-entropy H_min(A|B)_ρ is obtained by setting ε = 0.
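For fully classical states, the conditional min-entropy reduces to the negative logarithm of the optimal guessing probability, H_min(X|Y) = −log₂ Σ_y max_x P(x, y). A minimal sketch, with toy distributions of our own choosing:

```python
import numpy as np

def hmin_classical(P):
    """P[x, y] = joint probability table. Returns H_min(X|Y) in bits."""
    # Optimal strategy: for each y, guess the most likely x.
    p_guess = P.max(axis=0).sum()
    return -np.log2(p_guess)

# X uniform and independent of Y: guessing succeeds with probability 1/2.
P_indep = np.full((2, 2), 0.25)
print(hmin_classical(P_indep))  # 1.0

# X = Y (perfectly correlated): Y determines X, so no min-entropy remains.
P_corr = np.array([[0.5, 0.0], [0.0, 0.5]])
print(hmin_classical(P_corr))  # 0.0 (printed as -0.0)
```

This classical special case is exactly the quantity that the extractor in Section IV B consumes: the number of nearly uniform bits extractable from S against side information is governed by such a (smooth) min-entropy.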

B. Universal hashing and randomness extraction
To check that Alice's and Bob's keys are the same, our general QKD protocol will make use of a universal hash family, and to extract a secure key from Alice's and Bob's raw data we will use a randomness extractor. Here, we briefly define what these primitives achieve and refer to [15] for a more detailed exposition and an explanation of their construction.
Definition IV.1 (Universal hash family). Let M be a set. A family F of functions from M to {0, 1}^l with a probability distribution P_F over F is called a universal hash family if for any m ≠ m′ ∈ M, Pr_{F←P_F}[F(m) = F(m′)] ≤ 2^−l.
Definition IV.2 (Quantum-proof strong extractor [15,48,49]). A function Ext : {0, 1}^m × {0, 1}^d → {0, 1}^l is a quantum-proof strong (k, ε_Ext)-extractor if for any ρ_SE ∈ Pos(SE) with Tr[ρ] ≤ 1 (and S classical with dimension 2^m) for which H_min(S|E)_ρ ≥ k, we have ∥Ext(ρ_SE ⊗ τ_D) − τ_K ⊗ τ_D ⊗ ρ_E∥_1 ≤ ε_Ext, where τ_D and τ_K are maximally mixed states of dimension 2^d and 2^l, respectively, and the map Ext acts on the classical systems S and D. The input on system D is called the seed of the extractor.
This definition of extractors makes use of the non-smoothed min-entropy H_min(S|E)_ρ. It is straightforward to modify this condition so that it only requires a lower bound on the smooth min-entropy: if Ext is a quantum-proof strong (k, ε_Ext)-extractor as in Definition IV.2 and H^ε_min(S|E)_ρ ≥ k, then ∥Ext(ρ_SE ⊗ τ_D) − τ_K ⊗ τ_D ⊗ ρ_E∥_1 ≤ ε_Ext + 2ε. (IV.1) To see that this is the case, note that H^ε_min(S|E)_ρ ≥ k means that there exists a ρ′ within purified distance ε of ρ for which H_min(S|E)_ρ′ ≥ k. By the relation between purified distance and trace distance [47], we have ∥ρ − ρ′∥_1 ≤ 2ε. Then, Equation (IV.1) follows from the triangle inequality and because applying the map Ext cannot increase the trace distance.
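Definition IV.1 can be instantiated with the textbook Carter–Wegman family h_{a,b}(x) = ((ax + b) mod p) mod 2^l with p prime, a ∈ {1, …, p−1}, and b ∈ {0, …, p−1} (a standard example, not necessarily the construction used in the protocol). For small parameters, the collision bound of Definition IV.1 can be verified exhaustively:

```python
# Carter–Wegman universal hash family with toy parameters:
# p prime, output length l (so 2^l hash buckets).
p, l = 101, 3
m = 2 ** l

def hash_ab(a, b, x):
    return ((a * x + b) % p) % m

# Check the universality bound Pr[F(x1) = F(x2)] <= 2^-l for one pair of
# distinct inputs by enumerating every (a, b) in the family.
x1, x2 = 3, 7
collisions = sum(1 for a in range(1, p) for b in range(p)
                 if hash_ab(a, b, x1) == hash_ab(a, b, x2))
collision_prob = collisions / ((p - 1) * p)
print(collision_prob <= 1 / m)  # True
```

This is exactly the property used in the correctness proof (Section IV D): if S^n ≠ Ŝ^n, the hashes still agree with probability at most 2^−l.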
For the purposes of QKD, a simple construction based on two-universal hashing [15] provides sufficiently good parameters. We also note that more involved constructions exist that require shorter seeds, but this is typically not a concern for QKD applications (see e.g. [49] for a very efficient example using Trevisan's extractor).

C. Generalised entropy accumulation
In this section, we introduce the GEAT from Ref. [21]. Most of this section is taken directly from [21], and we refer to the introduction of that paper for a more detailed description of the setting and how it compares to the EAT [22]. Consider a sequence of channels M_i ∈ CPTP(R_{i−1}E_{i−1}, R_iA_iC_iE_i), where C_i are classical systems with common alphabet C. In the context of cryptographic protocols, one should think of E_i as Eve's side information after the i-th round, R_i as some internal system of a device, A_i as the protocol's output in the i-th round, and C_i as classical statistics that determine whether the protocol aborts (e.g. by checking the number of rounds in which A_i does not satisfy a certain property). For all results in this paper, R_i can be chosen to be trivial. However, for (semi-)device-independent applications, the systems R_i are important because they can be used to describe the internal memory of the untrusted devices. As this is an interesting direction for future work, we state the theorem in full generality here.
We require that these channels M_i satisfy the following condition: defining M′_i = Tr_{C_i} ∘ M_i (where Tr_{C_i} is the partial trace over system C_i and ∘ is the composition of channels), there exists a channel T ∈ CPTP(A^nE_n, C^nA^nE_n) such that M_n ∘ · · · ∘ M_1 = T ∘ M′_n ∘ · · · ∘ M′_1, where T has the form T(ω_{A^nE_n}) = Σ_{y,z} (Π^(y)_{A^n} ⊗ Π^(z)_{E_n}) ω_{A^nE_n} (Π^(y)_{A^n} ⊗ Π^(z)_{E_n}) ⊗ |r(y, z)⟩⟨r(y, z)|_{C^n}, (IV.2) where {Π^(y)_{A^n}} and {Π^(z)_{E_n}} are families of mutually orthogonal projectors on A^n and E_n, and r : Y × Z → C^n is a deterministic function. Intuitively, this condition says that the classical statistics can be reconstructed "in a projective way" from the systems A^n and E_n at the end of the protocol. In particular, this requirement is always satisfied if the statistics are computed from classical information contained in A^n and E_n, which is the case for the applications in this paper. We note that the statistics are still generated in a round-by-round manner; Equation (IV.2) merely asserts that they could be reconstructed from the final state.
Let P be the set of probability distributions on the alphabet C of C_i, and let Ẽ_{i−1} be a system isomorphic to R_{i−1}E_{i−1}. For any q ∈ P we define the set of states Σ_i(q) = { ν_{C_iA_iR_iE_iẼ_{i−1}} = (M_i ⊗ I_{Ẽ_{i−1}})(ω_{R_{i−1}E_{i−1}Ẽ_{i−1}}) | ω ∈ S(R_{i−1}E_{i−1}Ẽ_{i−1}), ν_{C_i} = q }, where ν_{C_i} denotes the probability distribution over C with the probabilities given by Pr[c] = ⟨c|ν_{C_i}|c⟩. In other words, Σ_i(q) is the set of states that can be produced at the output of the channel M_i and whose reduced state on C_i is equal to the probability distribution q.
Definition IV.4. A function f : P → R is called a min-tradeoff function for the channels {M_i} if for all i and all q ∈ P, f(q) ≤ inf_{ν∈Σ_i(q)} H(A_i|E_iẼ_{i−1})_ν. Note that if Σ_i(q) = ∅, then f(q) can be chosen arbitrarily.
Our result will depend on some simple properties of the tradeoff function, namely the maximum and minimum of f, the minimum of f over valid distributions, and the maximum variance of f: Max(f) = max_{q∈P} f(q), Min(f) = min_{q∈P} f(q), Min_Σ(f) = min_{q : Σ(q)≠∅} f(q), and Var(f) = max_{q : Σ(q)≠∅} [ Σ_{x∈C} q(x) f(δ_x)² − ( Σ_{x∈C} q(x) f(δ_x) )² ], (IV.4) where Σ(q) = ∪_i Σ_i(q) and δ_x is the distribution with all the weight on element x. We write freq(C^n) for the distribution on C defined by freq(C^n)(c) = |{i ∈ {1, . . ., n} : C_i = c}| / n. We also recall that in this context, an event Ω is defined by a subset of C^n, and for a state ρ_{C^nA^nE_nR_n} we write Pr_ρ[Ω] = Σ_{c^n∈Ω} Tr[ρ_{A^nE_nR_n, c^n}] for the probability of the event Ω, and ρ_{|Ω} for the state conditioned on Ω. With this, we can finally state the GEAT of [21].
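The empirical frequency distribution freq(C^n) and the evaluation of an affine min-tradeoff function on it are straightforward to compute. The following sketch uses a toy alphabet and illustrative coefficients of our own choosing (not values derived from any protocol):

```python
from collections import Counter

def freq(cn, alphabet):
    """freq(C^n): empirical distribution of the outcome string cn."""
    counts = Counter(cn)
    n = len(cn)
    return {c: counts[c] / n for c in alphabet}

alphabet = ["pass", "fail", "no-test"]
cn = ["pass"] * 90 + ["fail"] * 2 + ["no-test"] * 8  # n = 100 rounds

q = freq(cn, alphabet)
# An affine f(q) = lambda . q + c with made-up illustrative coefficients:
lam = {"pass": 0.5, "fail": -3.0, "no-test": 0.0}
c_lam = 0.1
f_q = sum(lam[c] * q[c] for c in alphabet) + c_lam
print(q["fail"])  # 0.02
print(f_q)
```

In the GEAT, the quantity h = min over c^n ∈ Ω of f(freq(c^n)) computed this way is what multiplies n in the first-order term of the entropy bound.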
Theorem IV.5 (GEAT [21]). Consider a sequence of channels M_i ∈ CPTP(R_{i−1}E_{i−1}, R_iA_iC_iE_i), where C_i are classical systems with common alphabet C and the sequence {M_i} satisfies Equation (IV.2) and the following no-signalling condition: for each M_i, there exists a channel R_i ∈ CPTP(E_{i−1}, E_i) such that Tr_{A_iC_iR_i} ∘ M_i = R_i ∘ Tr_{R_{i−1}}. Let ε_s ∈ (0, 1), α ∈ (1, 3/2), Ω ⊂ C^n, and let f be an affine min-tradeoff function with h = min_{c^n∈Ω} f(freq(c^n)). Then, H^{ε_s}_min(A^n|E_n)_{ρ_{|Ω}} > nh − n (α−1) ln(2) V²/2 − ( g(ε_s) + α log(1/Pr[Ω]) ) / (α−1) − n (α−1)² K′(α), where Pr[Ω] is the probability of observing event Ω, V = log(2 d_{A_i}² + 1) + √(2 + Var(f)), g(ε_s) = −log(1 − √(1 − ε_s²)), and K′(α) is an explicit function of α, Max(f), Min_Σ(f), and d_{A_i} given in [21]. We briefly comment on the main differences between the GEAT as stated above and the EAT from [22]. The GEAT deals with a sequence of channels that can update both the internal memory register R_i and the side information register E_i (subject to the no-signalling condition), i.e. change these states to e.g. incorporate additional side information obtained in the protocol or account for measurements performed in response to the user's input. In contrast, the EAT does not allow the side information register to be updated. More formally, the EAT deals with channels M_i ∈ CPTP(R_{i−1}, R_iA_iC_iI_i), where I_i is side information produced in each round that cannot be updated in the future. The final side information at the end of such a process is EI^n, where E can be any additional side information from the initial state of the process that was never updated during the process. If the side information registers I_i satisfy the Markov condition A^{i−1} ↔ I^{i−1}E ↔ I_i (see [22] for a more detailed explanation), then the EAT gives a lower bound on H^{ε_s}_min(A^n|I^nE)_{ρ_{|Ω}} similar to the one in Theorem IV.5.
We can now see at a high level why the EAT cannot be used to deal with prepare-and-measure protocols directly: in a prepare-and-measure protocol, the adversary Eve intercepts the quantum state sent from Alice to Bob in each round and updates her side information based on it. Therefore, any technique used to deal with such protocols must allow the side information to be updated, as in the GEAT; the more restrictive scenario considered in the EAT does not capture this kind of protocol.
We also note that the GEAT is strictly more general than the EAT (see [21, Section 1] for a proof). Hence, any application that can be treated with the EAT can also be treated with the GEAT (up to some very minor loss in second-order parameters), and the resulting proofs are often much more straightforward; see [21, Section 5.2] for an example.

D. Proof of Theorem II.4
In this section, we prove our main result, Theorem II.4, i.e. we show that Protocol 1 is correct and secret.
Proof of Theorem II.4. For the correctness statement, we need to show that Pr[K ≠ K̂ ∧ not abort] ≤ ε_kv. To see that this is the case, we note that due to the check in Step (5), the protocol not aborting implies that Hash(S^n) = Hash(Ŝ^n). Furthermore, from Step (7) we see that K ≠ K̂ implies that S^n ≠ Ŝ^n. Therefore, it suffices to show that Pr[S^n ≠ Ŝ^n ∧ Hash(S^n) = Hash(Ŝ^n)] ≤ ε_kv.
Since Alice chooses the function Hash at random from a universal hash family, this follows directly from Definition IV.1 and completes the correctness proof.
The remainder of the proof will be concerned with the secrecy condition. As explained in Section II B, assuming Condition II.1 we can model a general attack by a sequence of channels A_1, . . ., A_n. Alice, Bob, and Eve's joint final state at the end of the protocol therefore contains, in addition to the systems labelled as in Protocol 1, Eve's system E′_n after the application of the maps A_1, . . ., A_n, and a system E′ that stores the additional classical information published after Step (4), i.e., the error correction information ec, a description of the hash function Hash, the hash value Hash(S^n), and the seed µ. This means that Eve's full side information is given by I^nE′_nE′. Throughout the proof, we will denote the final state at the end of the protocol by ρ. The secrecy condition in Equation (IV.6) then demands that, conditioned on the event Ω that the protocol does not abort, the key is close in trace distance to τ_K ⊗ ρ_{I^nE′_nE′}, where τ_K is the maximally mixed state on system K of dimension |K| = 2^l. Since the protocol's final state arises by application of a strong extractor in Step (7), we can reduce Equation (IV.6) to an entropic statement. This step requires careful technical treatment because the statistical check in Step (6) uses the systems Ĉ^n, which are computed from Ŝ^n. However, Ŝ^n is Bob's guess for Alice's string S^n and depends on the global error correction information ec, i.e., it cannot be generated in a round-by-round manner as required for the GEAT. The intuition for circumventing this issue is as follows: if Ŝ^n ≠ S^n, then the protocol is likely to abort anyway because of Step (5); on the other hand, if Ŝ^n = S^n, then we can replace Ŝ^n by S^n, and the latter is generated in a round-by-round manner. Following this intuition, we can show that the entropy bound in Claim IV.6 implies Theorem II.4. We give a formal proof of this step in Supplementary Note A and continue here with proving the required entropy bound. We also note that for protocols that include a separate parameter estimation step rather than using Bob's guess for Alice's raw key, Claim IV.6 implies Theorem II.4 almost
immediately.
Proof. To make use of the GEAT, we need to write ρ_{S^nI^nC^nE′_n|Ω_C} as the result of a sequential application of quantum channels. For this we fix an attack A_1, . . ., A_n and define M_i as the following channel: given a quantum system ω_{E′_{i−1}}, (i) create the state ψ_{U_iQ_i} (defined in Step (1) of Protocol 1), (ii) apply the attack map A_i, (iii) measure {N^(v)}_{v∈V} on system Q_i and store the result in register V_i, (iv) compute the classical values I_i, S_i, and C_i from U_i and V_i using the functions pd, rk, and ev as in Protocol 1, and (v) trace out the registers U_i and V_i.
Comparing the steps of the protocol and Equation (A.1) with this definition of M_i, we see that the marginal of ρ on the systems S^nI^nC^nE′_n is the same as the output of the maps M_i applied sequentially to ω_{E′_0}, where ω_{E′_0} is the initial state of Eve's side information (which can be chosen to be trivial without loss of generality, as explained in Section II B). By suitably tensoring with the identity map and copying the register C_i, we can view M_i as a map M̃_i of the form required by the GEAT. With this we can also express the final state (which technically now includes two copies of C^n, one explicit and one as part of E_n), and the entropy on the l.h.s. of Equation (IV.7) can be written as an entropy of the output of the maps M̃_i. We want to apply Theorem IV.5 to derive the desired lower bound in Equation (IV.7). For this, we first need to check that the required conditions on the maps M̃_i are satisfied. The condition in Equation (IV.2) is clearly satisfied, as the systems C_i are themselves included in the conditioning system E′_n. The no-signalling condition in Theorem IV.5 is also trivially satisfied in this case, since there is no system R_i.
We now need to argue that the collective attack bound ca : P(C) → R used as an argument in Protocol 1 is a min-tradeoff function for the maps {M̃_i}. By Definition IV.4, we need to show that for any i, any attack A_i, and any input state ω^{i−1} on E_{i−1}Ẽ_{i−1} (where Ẽ_{i−1} ≡ E_{i−1}), the bound in Equation (IV.8) holds. For the rest of the proof, we fix an arbitrary choice of i, ω^{i−1}, and A_i. To relate Equation (IV.8) to the definition of collective attack bounds (Definition II.2), we construct a collective attack A′ satisfying Equation (IV.9), where ν is defined as in Definition II.2, i.e. ν is the state produced by running a single round of Protocol 1 with the attack A′. It is easy to check that Equation (IV.9) is satisfied for the following choice of A′: given a state σ_Q, A′ first creates the (fixed) state ω^{i−1}_{E_{i−1}Ẽ_{i−1}} and then applies the (fixed) attack A_i. Then, since ca is a collective attack bound, Equation (IV.8) follows from Definition II.2. Compared to Definition II.2, we have dropped the explicit conditioning on I := I_i since I_i is already part of E_i, and in the last equality we can drop C_i since it is also part of E_i. This means that the function ca is a min-tradeoff function for Protocol 1. By definition, for any c^n ∈ Ω_C, ca(freq(c^n)) ≥ k_ca. Hence, Claim IV.6 follows by applying Theorem IV.5.
Having proved correctness and secrecy, we turn our attention to the completeness of Protocol 1, i.e. we need to bound the probability that the protocol aborts when Eve does not interfere in the protocol, but the channel between Alice and Bob may be noisy. In the protocol, Alice sends a quantum system Q to Bob. If the channel connecting Alice and Bob is noisy, then instead of Alice's and Bob's joint state in each round being ψ_UQ, the joint state is N(ψ_UQ) for some channel N : Q → Q. This channel N describes the noise model for Protocol 1. For a given noise model N, we need to choose the length λ_ec of the error correction string to be sufficiently large that Bob's guess Ŝ^n for Alice's raw key S^n is correct with high probability, so that the check in Step (5) passes. Furthermore, we need to choose the threshold k_ca to be sufficiently low that an honest noisy state passes Step (6) with high probability. The precise choice of parameters can be worked out using the properties of the error correcting code in Step (4) and statistical tail bounds for Step (6). We provide the details in Supplementary Note B.

E. Deriving collective attack bounds
Our main result, Theorem II.4, turns an affine collective attack bound (defined in Definition II.2) into a security statement against general attacks. Therefore, the main step one has to perform to use our framework is finding such an affine collective attack bound for a protocol of interest. In this section, we give a numerical method for finding collective attack bounds for Protocol 1 based on ideas from [7,50]. Combined with Theorem II.4, this means that the problem of finding key rate bounds against general attacks for any instance of Protocol 1 is reduced to a numerical computation.
We begin by noting that we can rewrite the condition in Equation (II.1) from Definition II.2 as follows: for any probability distribution ν*_C ∈ P(C) we require that ca(ν*_C) ≤ inf_ν H(S|IEC)_ν, where the infimum is over all states ν that can result from a collective attack and have statistics ν*_C (and the infimum is infinite if there is no such state). In the language of the GEAT, a collective attack bound essentially is a min-tradeoff function for a certain sequence of maps associated with Protocol 1; more details on how a collective attack bound serves as a min-tradeoff function can be found in the proof of Claim IV.6. Since we are interested in an affine lower bound, we write the probability distribution ν_C as a probability vector and, following [12,51], make the ansatz ca(ν_C) = λ · ν_C + c_λ for some vector λ of the same dimension as ν_C and a constant c_λ. We treat λ as a parameter that will be chosen heuristically. For example, one can choose λ by numerically estimating the gradient of the function ν′_C ↦ inf_{ν s.t. ν_C = ν′_C} H(S|IEC)_ν around a particular choice of classical statistics ν*_C that has been observed in an experimental realisation of the protocol, although this choice is not necessarily optimal, and λ should be numerically optimised if one wants to obtain the best possible key rates.
Having chosen λ heuristically, we need to compute a value of c_λ that ensures that λ · ν_C + c_λ is a valid min-tradeoff function. Inserting our ansatz into Equation (II.1), we see that for any fixed λ, a valid choice of c_λ is one that satisfies c_λ ≤ inf_ν [ H(S|IEC)_ν − λ · ν_C ]. The infimum here is taken over the states ν described in Definition II.2. To tackle this optimisation problem, we consider an entanglement-based version of Protocol 1 using the source-replacement scheme explained in [6]. As explained in Section I, switching to an entanglement-based version of a prepare-and-measure protocol generally requires introducing "artificial" constraints on Eve's actions. These artificial constraints are troublesome when applying the EAT to the entanglement-based version, but here we take a different approach: we only use the entanglement-based version to derive a collective attack bound (for which the artificial constraints do not present a problem). This collective attack bound also applies to the original prepare-and-measure protocol, and in Theorem II.4 we apply the GEAT with this collective attack bound to the prepare-and-measure protocol directly. We emphasise that the method for deriving a collective attack bound and our Theorem II.4 are entirely independent: Theorem II.4 does not depend on how the collective attack bound was derived and does not make use of an entanglement-based protocol itself.
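The two-stage logic of fixing λ heuristically and then determining c_λ can be illustrated with a deliberately simplified toy model of our own (not the paper's optimisation): we assume a one-parameter family of collective attacks with error rate q, take 1 − h₂(q) as a stand-in for the single-round entropy, and let the statistics be ν_C = (1 − q, q). In the paper, c_λ must be certified via convex optimisation; here a simple grid search over the scalar parameter stands in for it.

```python
import numpy as np

def h2(q):  # binary entropy in bits
    return 0.0 if q in (0.0, 1.0) else -q * np.log2(q) - (1 - q) * np.log2(1 - q)

# Heuristic choice of lambda (e.g. from a gradient estimate at observed stats):
lam = np.array([0.0, -4.0])

# c_lam = inf over attacks of [ H(S|E) - lambda . nu_C ], evaluated on a grid.
qs = np.linspace(0.0, 0.5, 5001)
c_lam = min((1 - h2(q)) - lam @ np.array([1 - q, q]) for q in qs)

# Validity check on the grid: ca(nu_C) = lambda . nu_C + c_lam lower-bounds
# the entropy for every attack in the family, by construction of c_lam.
assert all(lam @ np.array([1 - q, q]) + c_lam <= (1 - h2(q)) + 1e-12 for q in qs)
print(float(c_lam))
```

Note that the grid search only certifies the bound on the grid; this is exactly why the paper insists on a convex formulation whose dual yields a rigorous lower bound on c_λ.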
In Protocol 1, Alice prepares the state ψ_UQ; in the source-replacement (entanglement-based) version, she instead prepares a bipartite state ψ_PQ and measures system P. Here, |rk(u, pd(u, v))⟩⟨·| is shorthand for the projector |rk(u, pd(u, v))⟩⟨rk(u, pd(u, v))|, and i is shorthand for pd(u, v). We can therefore write the optimisation problem from Equation (IV.11) as an optimisation over states ψ̃_PQ, where ν = ν(ψ̃), and without loss of generality we can restrict the optimisation to pure states on PQE with E ≡ PQ.
A lot of work in QKD has been focused on numerical methods for this kind of optimisation problem (see e.g. [6,7,13,52,53]). The key difficulty is that we need a lower bound on the infimum of the concave function H(S|IEC)_{ν(ψ̃)}. Here we use a method from [7,50] to turn this optimisation problem into a convex one. As a first step, we observe that in the definition of ν we can incorporate the classical functions rk, pd, and ev into Alice's and Bob's measurements by defining suitable combined measurement operators (Equation (IV.12)). Then, we can write ν_ESIC as a sum over s, i, and c of these measurement operators applied to ψ̃. Remembering that we can assume that ψ̃_PQE is pure, we now define an associated pure state ν¹. Following the proof of [50, Theorem 1], a direct calculation shows that H(S|IEC)_ν can be expressed as a relative entropy between ν¹ and P_S(ν¹), where P_S is the pinching map that dephases system S, i.e. P_S(ν¹) = Σ_s (|s⟩⟨s|_S ⊗ 1) ν¹ (|s⟩⟨s|_S ⊗ 1). We can view ν¹_PQSIC as a linear function of ψ̃_PQ. Furthermore, the relative entropy is jointly convex. Therefore, for a given λ, a valid choice for c_λ can be found by solving the convex optimisation problem in Equation (IV.14), where ν¹_PQSIC and ν_C are linear functions of ψ̃_PQ. To solve this optimisation problem, we can use standard techniques from convex optimisation. In particular, in [44,54,55] techniques have been developed to bound the relative entropy from below by a sequence of semidefinite programs (SDPs). These SDPs can then be solved using standard SDP solvers, and the solution to the dual SDP provides a certified lower bound. Alternatively, one can also turn any feasible choice of ψ̃_PQ (ideally close to the optimal attack) into a certified lower bound using the techniques from [6,7].
We note that many protocols have additional structure that allows the optimisation problem in Equation (IV.14) to be simplified before tackling it numerically. Additionally, if the map ev from Protocol 1 has a particular structure that distinguishes between "test rounds", in which Alice and Bob use their measurement outcomes to check whether Eve tampered with the protocol, and "data rounds", in which Alice and Bob generate the raw data for their key, the derivation of a collective attack bound can be further simplified. We refer to [56, Section V.A] for a detailed explanation of this method and to Section II E 1 for an example of its use in our context.

A. REDUCTION OF THEOREM II.4 TO CLAIM IV.6

In this section, we provide the detailed proof that Claim IV.6 implies Theorem II.4, using the same ideas as Ref. [51, Section 4.2]. We continue with the same notation as in the main text. As a first step, we add to ρ additional systems C̄^n, generated in the same way as Ĉ^n except that we use Alice's actual raw key S^n instead of Bob's guess Ŝ^n. We now define the following events (formally defined as subsets of possible values of the classical systems S^n, Ŝ^n, Ĉ^n, C̄^n, and E′):
Ω_kv: the hash values compared in Step (5) agree;
Ω_Ĉ: ca(freq(Ĉ^n)) ≥ k_ca (the statistical check in Step (6) passes);
Ω_C: ca(freq(C̄^n)) ≥ k_ca (the same check evaluated on C̄^n);
Ω_g: S^n = Ŝ^n (i.e. Bob's guess of Alice's raw key is correct).
The event Ω of the protocol not aborting is Ω = Ω_kv ∧ Ω_Ĉ. If S^n = Ŝ^n, then Hash(S^n) = Hash(Ŝ^n) and C̄^n = Ĉ^n. Therefore, Ω ∧ Ω_g = Ω_kv ∧ Ω_C ∧ Ω_g. Since Step (5) employs a universal hash function, the probability that the protocol does not abort despite S^n ≠ Ŝ^n is at most ε_kv, i.e. Pr[Ω^c_g ∧ Ω] ≤ ε_kv, where Ω^c_g is the complement of Ω_g. Hence, we can bound the l.h.s. of Equation (IV.6) by splitting according to Ω_g (Equation (A.2)). For the remainder of the proof, we will assume that Pr[Ω_C] ≥ ε_a. This assumption is justified by the fact that otherwise the abort probability is high enough that the theorem statement follows directly from Equation (A.2). Therefore, to show the theorem, it suffices to show the trace-distance bound in Equation (A.4). The state there is produced by applying a strong extractor in Step (7). Comparing Definition IV.2 and Equation (A.4) and remembering that the seed µ is chosen uniformly at random by Alice and is part of the system E′, we see that we need to show a lower bound on the smooth min-entropy of S^n given Eve's side information. To this end, we can first bound the l.h.s. by a chain of min-entropy inequalities, where the first inequality follows from [57, Lemma 10] together with the first condition in Equation (A.3), the second inequality holds because conditioning on additional classical information C̄^n can only decrease the min-entropy, and the third inequality is a chain rule for the min-entropy which uses the fact that the only information in E′ that is correlated with S^n is the error correction information ec ∈ {0, 1}^{λ_ec} and the hash Hash(S^n) ∈ {0, 1}^{⌈log(1/ε_kv)⌉}. We can show a lower bound on the remaining smooth min-entropy term using the GEAT. Since this is the core of the security proof, we present it as a separate claim. From the preceding discussion and the assumption Pr[Ω_C] ≥ ε_a, it is then clear that Claim IV.6 implies Theorem II.4.

B. COMPLETENESS OF PROTOCOL 1
To prove the completeness of Protocol 1, we need to bound the probability of the protocol aborting for a given choice of parameters and noise model. Throughout this section, for a fixed choice of arguments in Protocol 1 and a fixed noise model N, we denote by ν_hon the corresponding "honest single-round state", i.e. formally the state ν_hon from Definition II.2 when one chooses Eve's collective attack as N. Furthermore, we assume that in Step (4) Alice and Bob use the one-way error correction protocol from [58], which is essentially optimal. We note that in Protocol 1 the choice of error correction protocol has no effect on the security statement, only on the completeness statement, so one can also use a heuristic protocol with some fixed leakage λ_ec, leading to a heuristic value of ε^comp_kv, without impacting the security of the protocol.
There are two steps in which Protocol 1 may abort: Step (5) if Hash(S^n) ≠ Hash(Ŝ^n), and Step (6) if ca(freq(Ĉ^n)) < k_ca. Since S^n = Ŝ^n implies Hash(S^n) = Hash(Ŝ^n), we can bound the total abort probability by Pr[S^n ≠ Ŝ^n] + Pr[S^n = Ŝ^n ∧ ca(freq(Ĉ^n)) < k_ca]. We denote these probabilities by ε^comp_kv and ε^comp_ev, respectively.
Proof. By [58], it suffices to show the stated condition, where ε ∈ [0, ε^comp_kv) is a parameter that can be optimised over. For simplicity, here we choose ε = ε^comp_kv/2, but note that one could numerically optimise over ε if one wishes to derive the best possible completeness error. The condition then follows from the H_max-version of [22, Corollary 4.10]. Combining these two equations yields the lemma.
Lemma B.2. Fix a noise model N and a choice of arguments in Protocol 1. Then, any desired value of ε^comp_ev can be achieved as long as the following condition holds for δ = ca(ν^hon_C) − k_ca:
Proof. Using the definitions at the start of Supplementary Note A, the honest implementation is i.i.d., so the state we need to consider in Step (6) is (ν_hon)^⊗n. Let C_1, ..., C_n be i.i.d. random variables with distribution ν^hon_C. Then we can view the value k computed by Bob in Step (6) as a random variable, too, and because ca is affine we have k = ca(freq(C^n)) = (1/n) Σ_i ca(δ_{C_i}), where by ca(δ_{C_i}) we mean the random variable that maps a value c ∈ C of C_i to ca(δ_c), with δ_c the point distribution with all the weight on element c. Conditioned on S^n = Ŝ^n, Step (6) aborts if k < k_ca. We can now apply Bernstein's inequality. Requiring that the resulting bound be less than ε^comp_ev, and noting that by Equation (IV.4), Var[ca(δ_{C_i})] ≤ Var(ca), we find the desired result.
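A minimal numerical sketch of the Bernstein bound in Lemma B.2, with placeholder values for Var(ca), Max(ca), and Min(ca) (these are assumptions for illustration, not values from the paper, and the paper's exact constants may differ in minor details):

```python
import math

def bernstein_abort_bound(n, delta, var_ca, max_ca, min_ca):
    """Upper bound on Pr[k < k_ca] for k = (1/n) * sum_i ca(delta_{C_i})
    with i.i.d. honest rounds and k_ca = ca(nu_hon_C) - delta, via the
    textbook form of Bernstein's inequality."""
    spread = max_ca - min_ca  # range of the bounded random variables ca(delta_c)
    return math.exp(-n * delta**2 / (2 * (var_ca + spread * delta / 3)))

# Illustrative (assumed) numbers: the abort probability decays rapidly in n.
p_small = bernstein_abort_bound(n=10**8, delta=1e-3,
                                var_ca=0.05, max_ca=1.0, min_ca=-1.0)
```

For a fixed tolerance δ, the bound improves exponentially with the number of rounds n, which is why completeness is easy to satisfy at large block sizes.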
We note that for simple protocols, e.g. ones where a certain number of rounds are used as "test rounds" that can either pass or fail, the above bound can usually be replaced by a simpler and tighter one using Hoeffding's inequality (see e.g. [28, Section 3.2]).

C. RELAXING THE SEQUENTIALITY ASSUMPTION
As explained in Section II B, for QKD implementations that allow the adversary Eve to speed up the transmission of signals, it may be difficult to enforce Condition II.1 without significantly lowering the frequency with which signals are sent from Alice to Bob. It is therefore useful to relax Condition II.1 and allow Eve to be in possession of s signals at a time. More formally, using the same notation as in Section II B, we would like to prove security of a prepare-and-measure protocol under the following weaker condition:
Condition C.1. Eve can only be in possession of at most s subsequent systems Q_i, ..., Q_{i+s−1} at the same time. We call s the step size of Eve's attack.
We note that this condition does not mean that Eve has to process the signals in disjoint blocks of size s; instead, this condition allows Eve to e.g. first apply an attack on systems Q_1, ..., Q_s, then send system Q_1 to Bob and receive Q_{s+1} from Alice, apply an attack to Q_2, ..., Q_{s+1}, and so on. In other words, Eve can execute a "rolling attack" that always uses s adjacent signals. As explained in Section II B, this condition can be enforced by Alice and Bob using a pre-agreed schedule on which to send their signals, assuming we can place some bound on the amount by which Eve could speed up the transmission of signals from Alice to Bob. (The trivial bound is of course always that Eve can speed up the signal transmission to the speed of light.) We emphasise that to enforce Condition C.1 (for some appropriately chosen s), Alice and Bob do not need to lower the frequency with which they send signals or divide their signals into blocks with breaks between blocks.
We can now prove an analogue of our main result Theorem II.4 that only requires the weaker Condition C.1 instead of Condition II.1. The cost we have to pay for allowing the weaker condition is that the second-order term (g(ε_s) + α log(1/ε_a))/(α − 1) from Theorem II.4 now acquires a prefactor s (and, less importantly, ε_s gets replaced by ε_s/(3s − 2)), and we get an additional term (s − 1)·g(ε_s/(3s − 2)); the latter is negligible compared to the former because α is close to 1. However, the first-order term remains unchanged and is independent of s, so in particular the asymptotic key rate (against general attacks with any fixed step size) is the same as in Theorem II.4. We illustrate this for the example of B92 in Figure 4.
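Schematically, writing ε′ = ε_s/(3s − 2), the change to the second-order part of the key-length condition can be summarised as follows (a sketch reconstructed from the description above; the first-order term is exactly as in Theorem II.4):

```latex
\underbrace{\frac{g(\varepsilon_s) + \alpha \log(1/\varepsilon_a)}{\alpha - 1}}_{\text{Theorem II.4}}
\;\longrightarrow\;
s \cdot \frac{g(\varepsilon') + \alpha \log(1/\varepsilon_a)}{\alpha - 1}
\;+\; (s-1)\, g(\varepsilon') ,
\qquad \varepsilon' := \frac{\varepsilon_s}{3s-2} .
```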
Theorem C.2. Fix any choice of arguments n, ψ_UQ, {N^(v)}_{v∈V}, pd, rk, ev, k_ca, λ_ec, ε_kv, and ε_pa for Protocol 1. Let ca: P(C) → R be an affine collective attack bound for this choice of arguments. For any ε_s, ε_a > 0, α ∈ (1, 3/2), and s ∈ N, choose a final key length l that satisfies the condition below, where g(·), V, and K′(·) are defined in Theorem IV.5 and ε′ := ε_s/(3s − 2). With this choice of parameters, and assuming that Condition C.1 holds for the value of s chosen above, Protocol 1 is ε_cor-correct and ε_sec-secret.
The proof of Theorem C.2 follows the same steps as the proof of Theorem II.4 in Section IV D, except that we need to make some modifications to account for the more general structure of the attack. Since most of the proof is identical, we only provide a sketch and point out the main differences compared to Section IV D.
As in Section IV D, we again denote the final state at the end of Protocol 1 (for any fixed attack of the form above) by ρ. The system labels here are as in Section IV D. The reduction from Theorem II.4 to Claim IV.6 did not use the structure of the attack, so the same steps also allow us to reduce Theorem C.2 to the following claim.
Under Condition C.1, we can model Eve's attack by a sequence of maps A_i; the difference to the scenario in Section II B is that now each map can act on up to s adjacent systems Q_i, ..., Q_{i+s−1} at once. This prevents us from writing the final state ρ as the output of a sequence of maps M_i as in Claim IV.6.
To circumvent this issue, we split the systems S^n into interleaved groups S^{n,s}_i := S_i S_{i+s} S_{i+2s} ··· S_{i+⌊n/s⌋s}; this is illustrated in Figure 3. We can bound the entropy of S^n in terms of a sum of entropies of the individual groups S^{n,s}_i by repeatedly applying the chain rule for min-entropies [59], for a total of (s − 1) times. Setting ε′ = ε_s/(3s − 2) as in Claim C.3, we obtain the corresponding decomposition, where the last step holds because ε_s − (s − 1)·3ε′ = ε′. Having split the total entropy into such groups, we can now use the GEAT to bound each H^{ε′}_min(S^{n,s}_i | I^n C^n E′ S^{n,s}_1 ... S^{n,s}_{i−1})_{ρ|Ω_C} in terms of single-round von Neumann entropies. This works in exactly the same manner as the proof of Claim IV.6 because, by assumption, Eve cannot act simultaneously on more than one of the rounds corresponding to a given group S^{n,s}_i; for each individual group, Eve's attack is therefore a sequential attack on that group of rounds. As a result, following the same steps as in the proof of Claim IV.6 (and assuming for simplicity that n is divisible by s), we obtain a bound for each group of rounds. Note that the extra conditioning on S^{n,s}_1 ... S^{n,s}_{i−1} does not make a difference to the proof, as we may formally consider these systems as part of Eve's side information for that particular group of rounds. Inserting this bound into Equation (C.3), we obtain the statement of Claim C.3. Finally, we note that for certain parameter regimes one can improve the second-order terms in Theorem C.2 using exactly the same idea as above, but performing the splitting into interleaved groups of rounds at the level of Rényi entropies rather than min-entropies. Concretely, this means that instead of deriving Equation (C.3) directly, one first relates the min-entropy to a Rényi entropy, and then applies the chain rule from [60] according to a binary tree of depth O(log s), i.e.
on the first application of the chain rule one splits the rounds into two equally sized groups (corresponding to a step size of 2), on the second application one again splits each of these groups into equally sized subgroups (corresponding to a step size of 4), and so on, until after O(log s) repetitions the desired step size s is reached. The remainder of the analysis is then identical.
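The min-entropy splitting described above (Equation (C.3)) can be sketched as follows, suppressing the exact per-application correction of the chain rule [59] and using the correction term (s − 1)g(ε′) stated earlier; note that the smoothing budget closes since ε_s − (s − 1)·3ε′ = ε′ for ε′ = ε_s/(3s − 2):

```latex
H_{\min}^{\varepsilon_s}\!\left(S^n \,\middle|\, I^n C^n E'\right)_{\rho_{|\Omega_C}}
\;\gtrsim\; \sum_{i=1}^{s} H_{\min}^{\varepsilon'}\!\left(S^{n,s}_i \,\middle|\,
   I^n C^n E'\, S^{n,s}_1 \cdots S^{n,s}_{i-1}\right)_{\rho_{|\Omega_C}}
\;-\; (s-1)\, g(\varepsilon') .
```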
a For this example, we consider the worst case, where Eve is able to speed up the signals to the speed of light in vacuum. This defines the largest possible causal future in Figure 2 that is still compatible with special relativity. Using the effective thickness of the atmosphere d ≈ 8 km [62] and letting n_Air ≈ 1.0003 be the refractive index of air, if the signal is sent at a 45-degree angle through the atmosphere, the delay of the signal compared to one travelling at the speed of light c is ∆t = √2 (n_Air − 1) d/c ≈ 10^−8 s. Assuming a signal frequency f_Signal = 1 GHz (which exceeds the one used e.g. by [61]), we see that a step size s = ∆t · f_Signal ≈ 10 is sufficient.
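As a sanity check of the footnote's arithmetic, the numbers can be reproduced as follows (constants as quoted in the footnote; f_Signal = 1 GHz is the assumed signal frequency):

```python
import math

c = 3.0e8        # speed of light in vacuum, m/s (rounded)
n_air = 1.0003   # refractive index of air, as assumed in the footnote
d = 8_000.0      # effective thickness of the atmosphere, m
f_signal = 1.0e9 # assumed signal frequency, Hz

# A 45-degree path through the atmosphere lengthens the path by sqrt(2);
# delta_t is the extra delay relative to a signal at vacuum light speed.
delta_t = math.sqrt(2) * (n_air - 1) * d / c   # about 1.1e-8 s
step_size = delta_t * f_signal                 # about 11, i.e. s ~ 10
```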

D. ENTANGLEMENT-BASED PROTOCOLS
Our general entanglement-based QKD protocol is very similar to the prepare-and-measure protocol in Section II. The only difference is in the data generation step: in Protocol 1, Alice prepared a state ψ_UQ and Bob measured system Q, storing his outcome in register V. In contrast, in Protocol 2, Eve prepares a state ψ_PQE and sends P to Alice and Q to Bob. Then, Alice and Bob measure their respective systems, recording the outcomes in registers U and V. The raw data in U and V is then treated exactly as in Protocol 1. Even though Steps (2)-(7) are identical to Protocol 1, we spell out the full protocol for reference.
(3) Raw key generation. For each i ∈ {1, ..., n}, Alice computes S_i = rk(U_i, I_i).
(4) Error correction. Alice and Bob publicly exchange information ec ∈ {0,1}^{λ_ec}, which can depend on U^n, V^n, and I^n. Bob computes Ŝ^n(ec, V^n, I^n) ∈ S^n.
(5) Raw key validation. Alice chooses a function Hash: S^n → {0,1}^{⌈log(1/ε_kv)⌉} from a universal hash family F (Definition IV.1) according to the associated probability distribution P_F, and publishes a description of Hash and the value Hash(S^n). Bob computes Hash(Ŝ^n) and aborts the protocol if Hash(S^n) ≠ Hash(Ŝ^n).
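The raw key validation step can be sketched as follows. This is a hedged illustration: the modular 2-universal family below is a standard textbook choice, not necessarily the family F used in the protocol, and raw keys are encoded as integers smaller than the modulus.

```python
import math
import secrets

P = (1 << 61) - 1  # Mersenne prime modulus for the hash family

eps_kv = 5e-11
m = math.ceil(math.log2(1 / eps_kv))  # output length in bits (35 here)
a = secrets.randbelow(P - 1) + 1      # Alice's published hash description
b = secrets.randbelow(P)

def Hash(x: int) -> int:
    """One member of a 2-universal family, mapping to m-bit outputs."""
    return ((a * x + b) % P) % (1 << m)

s_alice = 123456789                   # Alice's raw key, encoded as an integer
s_bob = 123456789                     # Bob's guess after error correction
abort = Hash(s_alice) != Hash(s_bob)  # identical raw keys never trigger abort
```

Because the family is 2-universal, distinct raw keys collide with probability roughly 2^{−m} ≤ ε_kv, which is what the security proof needs from this step.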
(6) Bob computes ca(freq(Ĉ^n)) and aborts the protocol if the result is less than k_ca.
(7) Privacy amplification. Alice and Bob convert their registers S^n and Ŝ^n to a binary representation, obtaining strings of length m. Alice chooses a seed µ ∈ {0,1}^m uniformly at random and publishes her choice. Alice and Bob compute l-bit strings K = Ext(S^n, µ) and K̂ = Ext(Ŝ^n, µ), respectively.
The rest of this section proceeds similarly to Section II: we first explain how to model Eve's attack, again distinguishing between general and collective attacks. We formally define collective attack bounds for Protocol 2 in Definition D.1. Then, in Theorem D.2, we analyse the security of Protocol 2 assuming a collective attack bound. The definitions and the security proof are very similar to Section II, so we give less detailed explanations and only point out the relevant differences for the proof.
Eve's attack in Protocol 2 is specified by her choice of the state ψ_{P^n Q^n E}. An honest Eve would distribute some desired product state ψ, e.g. an EPR pair, and keep no side information, i.e. ψ_{P^n Q^n E} = ψ^⊗n_PQ. The most general attack available to Eve consists in preparing an arbitrary state ψ_{P^n Q^n E}. We note that Eve's attack in an entanglement-based protocol is not subject to a sequentiality condition (Condition II.1) as in a prepare-and-measure protocol. This is because in an entanglement-based protocol, Eve's attack occurs at the level of the input state, which can be arbitrary, and the actions in the protocol performed by Alice and Bob are sequential irrespective of Eve's choice of input state. In contrast, in a prepare-and-measure protocol, Eve's attack is part of the actions performed during the protocol and therefore needs to be modelled as part of the quantum channels applied during the protocol; as a result, for the protocol as a whole to retain a sequential structure, Eve's attack needs to have such a structure, too. This is not an artefact of the GEAT, but rather a structural difference between entanglement-based and prepare-and-measure protocols.
As in Section II, a collective attack is the special case where Eve behaves in an i.i.d. manner, i.e. Eve prepares a product state ψ_{P^n Q^n E} = ψ^⊗n_PQE for some arbitrary state ψ_PQE. Formally, we can define a collective attack bound for Protocol 2 similarly to Definition II.2.
Definition D.1 (Collective attack bound for Protocol 2). Fix arguments {M^(u)}_{u∈U}, {N^(v)}_{v∈V}, pd, rk, and ev for Protocol 2. Suppose that Alice and Bob run a single round (i.e. n = 1) of Protocol 2 up to (and including) Step (3). For a choice of Eve's state ψ_PQE, denote the state at the end of Step (3) by ν_UVSIE. Let ν_UVSIEC be an extension of this state, where C = ev(V, I, S). A collective attack bound (for the choice of parameters fixed above) is a map ca: P(C) → R such that for any initial state ψ_PQE prepared by Eve, the state ν_CUVSIE satisfies the corresponding entropy inequality. It is easy to see that for states that minimise the l.h.s. of this inequality, the system E is a purification of P and Q. Hence, it suffices to restrict our attention to such states. We are now ready to prove the security statement for Protocol 2.
Theorem D.2. Fix any choice of arguments n, {M^(u)}_{u∈U}, {N^(v)}_{v∈V}, pd, rk, ev, k_ca, ε_kv, and ε_pa for Protocol 2. Let ca: P(C) → R be an affine collective attack bound for this choice of arguments. For any ε_s, ε_a > 0 and α ∈ (1, 3/2) (parameters that can be optimised to maximise the key length), choose a final key length l that satisfies the stated condition. With this choice of parameters, Protocol 2 is ε_cor-correct and ε_sec-secret.
Proof. The correctness statement is analogous to the proof of Theorem II.4, so we focus on the secrecy condition. Alice, Bob, and Eve's joint final state at the end of the protocol is denoted by ρ_{U^n V^n I^n S^n Ŝ^n Ĉ^n K K̂ E}. As in the proof of Theorem II.4, we add to ρ additional systems C^n and define the event Ω_C by the condition ca(freq(C^n)) ≥ k_ca. Then, we can follow the same steps as in the proof of Theorem II.4 to reduce Theorem D.2 to the following claim.
Proof. To make use of the GEAT, we need to write ρ_{S^n I^n C^n E | Ω_C} as the result of repeatedly applying quantum channels M_1, ..., M_n to Eve's (arbitrary) initial state ψ_{P^n Q^n E} in Protocol 2. For this, we define M_i as the following channel: given a quantum system ω_{P_i Q_i}, (i) measure the POVMs {M^(u)}_{u∈U} and {N^(v)}_{v∈V} on P_i and Q_i, respectively, and store the results in registers U_i and V_i; (ii) set the registers I_i, S_i, and C_i as prescribed by the corresponding steps of the protocol. Comparing the steps of Protocol 2 and Equation (D.1) with this definition of M_i, we see that the marginal of ρ on systems S^n I^n C^n E is the same as the output of the maps M_i. If we define the systems E_i = P^n_{i+1} Q^n_{i+1} I^i C^i E, then by suitably tensoring with the identity map and copying the register C_i, we can also view M_i as a map M̃_i. Then we can also express the final state (which technically now includes two copies of C^n) in this form. To apply Theorem IV.5, we first need to check that the required conditions on the maps M̃_i are satisfied. The condition in Equation (IV.2) is clearly satisfied, as the systems C_i are themselves included in the conditioning system. The no-signalling condition in Theorem IV.5 is also trivially satisfied in this case, since there is no system R_i.
We now want to argue that the collective attack bound ca: P(C) → R used as an argument in the protocol is a min-tradeoff function for the maps {M̃_i}. By Definition IV.4, for this we need to show that Equation (D.3) holds for any i and any input state ω. Remembering that M̃_i acts as the identity on the systems P^n_{i+1} Q^n_{i+1}, we can consider these systems collectively as a purifying system. Since Definition D.1 allows arbitrary purifying systems, we see that Equation (D.3) holds for any collective attack bound ca, and conclude that ca is a min-tradeoff function for {M̃_i}. By definition, for any c^n ∈ Ω_C, ca(freq(c^n)) ≥ k_ca. Therefore, Claim D.3 follows by applying Theorem IV.5.

E. SIMPLIFICATION OF THE OPTIMISATION PROBLEM FOR THE B92 PROTOCOL
Here we describe additional simplifications to the numerical optimisation problem from Equation (IV.14) for the case of the B92 protocol as specified in Section II E. As a first simplification, we exploit the fact that Alice and Bob distinguish between "test rounds", where T = 1 and they use the function ev_{T=1}, and "data rounds", where T = 0 and they perform no statistical check. We can therefore split the state ν as ν = (1 − γ)ν^(data) + γ ν^(test), where ν^(test)_C is a distribution over C′ = {fail, inc, ∅} determined according to ev_{T=1}. We can now apply [56, Lemma V.5], which states the following (translated to our notation): if an affine function g: P(C′) → R satisfies, for every initial state ψ̃_PQ, the single-round condition in Equation (E.1), then a corresponding affine function ca is a collective attack bound. Here, Max(g) is defined as in Equation (IV.4), and δ_c denotes the point distribution with all weight on element c. To evaluate ca on any distribution ν_C, one simply writes that distribution as a convex combination of such point distributions and uses that ca is affine, i.e. linear under convex combinations. In addition, [56, Lemma V.5] also provides simple formulae for the properties of ca as in Equation (IV.4) in terms of the properties of g. The main advantage of this approach over a direct evaluation of the optimisation problem from Equation (IV.14) is that for small values of γ, the latter often runs into numerical stability issues, whereas the former does not. The problem of finding a collective attack bound is therefore reduced to finding a function g that satisfies Equation (E.1). This can be achieved using the same method as in Section II C. We make an affine ansatz for g with coefficients λ⃗′ and a constant c_{λ⃗′}, and choose λ⃗′ heuristically, e.g.
using Matlab's fminsearch. Given a choice of λ⃗′, we need to determine c_{λ⃗′} such that g satisfies Equation (E.1). Following the steps of Section II C, we can see that a valid choice of c_{λ⃗′} is given by the solution to a convex optimisation problem. It is easy to see that the above choices satisfy the conditions in Lemma B.1 and Lemma B.2, whence the desired total completeness error follows for this choice of parameters. Finally, we choose the key length to be the largest integer l that satisfies the condition in Equation (II.2). Then, we can apply Theorem II.4 to find that the B92 protocol with this choice of parameters is ε_cor-correct and ε_sec-secret with ε_cor = ε_kv = 5·10^−11 and ε_sec = max{ε_pa + 4ε_s, 2ε_a} + 2ε_kv ≤ 10^−9.
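The evaluation of an affine collective attack bound on an arbitrary distribution, as described above, amounts to a convex combination of its values on point distributions. A small sketch with placeholder values for ca(δ_c) (not numbers from the paper; 'null' stands for the symbol ∅):

```python
# Assumed illustrative values of ca on the three point distributions over
# C' = {fail, inc, null}.
ca_on_points = {"fail": -1.0, "inc": 0.2, "null": 0.5}

def ca(dist):
    """Affine extension: ca(nu) = sum_c nu(c) * ca(delta_c)."""
    assert abs(sum(dist.values()) - 1.0) < 1e-12, "not a probability distribution"
    return sum(p * ca_on_points[c] for c, p in dist.items())

nu = {"fail": 0.05, "inc": 0.25, "null": 0.70}
value = ca(nu)                       # 0.05*(-1.0) + 0.25*0.2 + 0.70*0.5 = 0.35
max_ca = max(ca_on_points.values())  # Max(ca) is attained on a point distribution
```

The same observation explains why properties such as Max(ca) and Min(ca) in Equation (IV.4) are determined by the values of ca on point distributions alone.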

G. BB84 PROTOCOL WITH DECOY STATES
The BB84 protocol [1] is the most well-known QKD protocol, and we already described how it can be viewed as an instance of Protocol 1 in Section II A. That description assumed that Alice always sends a single qubit to Bob. This qubit could e.g. be implemented as a polarised photon. However, in practice Alice will usually use a highly attenuated laser that does not reliably output a single photon. Instead, the number s of photons in a laser pulse follows the Poissonian distribution p_L(s|µ) = e^{−µ} µ^s / s!, where the average photon number µ depends on the laser's intensity and is known to Alice. This means that a single pulse may contain multiple photons (with the same polarisation), allowing Eve to perform a photon number splitting attack [63]: Eve measures the number of photons in a pulse and, if there are multiple photons, measures the polarisation of one of the photons and forwards the others to Bob unchanged; this tells Eve the corresponding bit in the raw key. Therefore, only raw key bits from rounds with exactly one photon in the laser pulse contribute to the secret key. We therefore need to lower-bound the fraction Ω of "single-photon rounds" and bound the error rate e_1 in those rounds. While such a bound can be obtained from the standard BB84 protocol, the resulting key rate is quite poor. The decoy state method is a modification of the BB84 protocol that allows for better estimation of Ω and e_1, and therefore achieves higher key rates; see [64-67] for background on the idea of decoy state protocols.
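To make the photon-number statistics concrete, the following sketch computes the vacuum, single-photon, and multi-photon fractions of a pulse; the intensity µ = 0.5 is an assumed illustrative value, not a parameter from the text:

```python
import math

def p_L(s: int, mu: float) -> float:
    """Poissonian photon-number distribution p_L(s|mu) = e^{-mu} mu^s / s!."""
    return math.exp(-mu) * mu**s / math.factorial(s)

mu = 0.5                       # assumed laser intensity (mean photon number)
p_vac = p_L(0, mu)             # empty pulse: no raw key bit
p_single = p_L(1, mu)          # only these rounds contribute to the secret key
p_multi = 1 - p_vac - p_single # vulnerable to photon number splitting
```

For µ = 0.5, roughly 30% of pulses carry exactly one photon while about 9% carry more than one, which is why the single-photon fraction must be estimated rather than assumed.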
Decoy-state protocols can be implemented with commercially available components and thus serve as good examples for practical QKD. The purpose of this section is to show that the methods developed here can be used to establish their security. For this, we give a formal description of the BB84 decoy state protocol as an instance of Protocol 1 and explain how an existing i.i.d. asymptotic analysis of the BB84 decoy state protocol can be understood as a collective attack bound in our framework. This puts us in a position to apply Theorem II.4: we simply need to compute the relevant properties of the collective attack bound and numerically optimise over the parameters of the protocol to obtain the maximum key rate. As our goal is to illustrate the use of our framework, not to numerically optimise key rates, we leave a detailed numerical analysis with experimentally realistic noise models for future work. This example again highlights the ease of use of our framework: one only needs to verify that the protocol fits into the template Protocol 1 and can reuse collective attack bounds from prior work to immediately obtain a finite-size key rate against general attacks. In contrast to previous techniques such as the de Finetti theorem, using photonic protocols instead of qubit protocols introduces no additional complications, because our Theorem II.4 only depends on the collective attack bound, not the underlying quantum states.
Bob will choose a measurement basis y ∈ {Z, X} with probability q_y and measure the signal he receives from Alice. The measurement yields an outcome b ∈ {∅, 0, 1}, where ∅ corresponds to Bob not detecting any photon and 0, 1 denote Bob's measured polarisations. This measurement can be described by a POVM {N^(y,b)}. Because we will reuse a collective attack bound from [67] instead of deriving our own, there is no need to write out this POVM explicitly.
During public discussion, Alice announces the intensity µ, Bob announces whether he received the outcome ∅ or not, and both reveal their basis choices. Furthermore, if x = y = Z, they announce their values a and b. Formally, we denote by U_i = (µ_i, x_i, a_i) and V_i = (y_i, b_i) Alice's and Bob's classical values in the i-th round. Alice uses the measurement outcomes from rounds in which both she and Bob chose the X-basis as the raw key (with I_i = pd(U_i, V_i)). Finally, to evaluate each round, Bob records the intensity, whether he received the outcome ∅ when Alice sent a photon in the X-basis, and whether their outcomes agree in case x_i = y_i = Z. We therefore see that decoy state protocols naturally fit into the framework of Protocol 1.
The decoy state BB84 protocol is simple enough to be analysed analytically in the i.i.d. asymptotic setting. Therefore, instead of using the numerical technique from Section II C, we can reuse these analytical results as our collective attack bound. Concretely, we need to bound H(S|IEC)_ν for any collective attack. We briefly sketch the derivation of the analytical bound and refer to [66, 67] for details.
We define the "transmission probability" t^x_s as the probability that if Alice sends out an s-photon state in basis x ∈ {Z, X}, Bob will detect at least one photon, i.e. not receive the outcome ∅. Note that t^x_0 > 0, i.e. Bob may detect a photon even though Alice did not send one, either due to a dark count in Bob's detector or due to Eve sending a photon instead. Similarly, the "failure probability" f^x_s is defined as the probability that if Alice sends out s photons in basis x, Bob's measurement outcome b will be different from Alice's chosen value a, conditioned on Bob not receiving ∅. We note that because Alice only knows the intensity of her laser, not how many photons are in a particular pulse, the above quantities are not directly accessible to Alice and Bob. Also recall that Alice chooses the intensity µ ∈ {µ_1, µ_2, µ_3} with probability p_{µ_i}, and that for a given choice of µ the number of photons is distributed as p_L(s|µ) = e^{−µ} µ^s / s!.
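The role of multiple intensities can be illustrated numerically: the detection rate Alice and Bob observe at intensity µ is the Poisson mixture of the unobservable transmission probabilities, so different intensities give different linear combinations of the same t_s. The channel model below (the values t_s) is an assumed toy example, not data from the text:

```python
import math

def p_L(s, mu):
    """Poissonian photon-number distribution p_L(s|mu)."""
    return math.exp(-mu) * mu**s / math.factorial(s)

t = {0: 1e-5, 1: 0.10, 2: 0.19}  # assumed transmission probabilities t_s

def t_s(s):
    # Toy model for higher photon numbers: each photon survives independently.
    return t.get(s, 1 - 0.9**s)

def gain(mu, smax=30):
    """Observed detection probability at intensity mu: sum_s p_L(s|mu) t_s."""
    return sum(p_L(s, mu) * t_s(s) for s in range(smax + 1))

gains = {mu: gain(mu) for mu in (0.5, 0.1, 0.02)}  # three decoy intensities
```

Each observed gain constrains a different mixture of the t_s, which is the mechanism by which the decoy method pins down the single-photon contribution t_1.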
The security analysis now proceeds in two steps: first, we bound H(S|IEC)_ν in terms of t^x_s and f^x_s; then we bound the latter quantities in terms of statistics Alice and Bob can observe in the protocol.

Figure 1 :
Figure 1: Key rates for the B92 protocol as a function of the depolarising probability p for ε_cor = 5·10^−11, ε_sec = 10^−9, and ε_comp = 10^−2. The dashed line shows the key rate in the i.i.d. asymptotic setting, i.e. assuming that Eve behaves the same in each round and infinitely many rounds are executed. We see that as the number n of rounds in the protocol increases, the finite-size key rates against general attacks approach the i.i.d. asymptotic rate.

With the conditions of Lemma B.1 and Lemma B.2 satisfied, the total abort probability is bounded by ε^comp_kv + ε^comp_ev.
Lemma B.1. Fix a noise model N and a choice of arguments in Protocol 1. Then, any desired value of ε^comp_kv can be achieved as long as the following condition holds:

Figure 2 :
Figure 2: Spacetime diagram illustrating the causal structure of signal transmission. If Alice and Bob send the signals on a pre-agreed schedule, the spacetime points where Alice sends signals and Bob expects signals are fixed. The causal future (green shaded region) of signal j contains all spacetime points to which Eve can transmit information about signal j. If Eve were not able to speed up the signals at all, then the boundary of the causal future (green line) would coincide with Alice's and Bob's expected signal transmission speed (red line), and the sequentiality assumption would be ensured already between subsequent signals (i.e. Condition II.1). If Eve can speed up the signals as shown in the figure, Alice and Bob can choose i and j sufficiently far apart (i.e. choose a sufficiently large step size in Condition C.1) that the expected arrival of signal i by Bob lies outside the causal future of signal j sent by Alice.

Figure 3: Example of how the rounds are split up into interleaved groups for n = 12 and s = 3.

Panel legend: n = 10^17, 10^13, 10^11, 10^10. (b) Step size s = 10^4. Note that the same colors here do not correspond to the same n as in (a).

Figure 4 :
Figure 4: B92 example with weakened sequentiality condition. We consider the same B92 protocol with the same parameters as in the main text (Section II E; see in particular Figure 1), except that we weaken the sequentiality condition to allow for some step size s, and as a result have to use Theorem C.2 to obtain the key rates. The step size s = 10 is realistic for satellite-to-earth QKD experiments [61],^a whereas the plot for s = 10^4 illustrates what happens at larger block sizes that are more relevant for fibre-based QKD implementations. We see that while the asymptotic key rate remains the same irrespective of block size, at larger block sizes finite-size corrections become more relevant. We note that the key rates are mostly included for illustrative purposes and could be improved further by using the Rényi-based method explained at the end of this section.

Protocol 2. General entanglement-based QKD protocol
Protocol arguments:
n ∈ N: number of rounds
{M^(u)}_{u∈U}, {N^(v)}_{v∈V}: POVMs acting on Hilbert spaces H_P, H_Q, respectively, describing Alice's and Bob's measurements, with U and V the sets of possible outcomes
pd: U × V → I: function describing the transcript of public discussion (where I is some finite alphabet)
rk: U × I → S: function describing Alice's raw key generation (where S is the alphabet of the raw key)
ev: V × I × S → C: function "evaluating" each round by assigning a label from the alphabet C
k_ca > 0: required amount of single-round entropy generation
ε_kv, ε_pa > 0: tolerated errors during key validation and privacy amplification steps
ca: P(C) → R: function corresponding to the collective attack bound
l ∈ N: length of final key

The optimisation problem used to determine c_{λ⃗′} reads: minimise, over states ψ̃_PQ, the objective D(ν¹_PQSIC ‖ P_S(ν¹_PQSIC)) − λ⃗′ · ν⃗^(test)_C, subject to ψ̃_PQ ≥ 0, Tr ψ̃_PQ = 1, and ψ̃_P = ψ_P.
At noise level p, we have H(S|VI)_{ν_hon} = ((1 + p)/4)·h(1/(1 + p)), where h(x) = −x log x − (1 − x) log(1 − x) is the binary entropy, and ν_hon is the state for an honest noisy implementation, which depends implicitly on the noise level p. We then set λ_ec = n·((1 + p)/4)·h(1/(1 + p)) + 2√n·√(1 − 2 log(ε^comp_kv/2))·log 7. We furthermore choose k_ca = ca(ν^hon_C) − δ, where δ is determined from Max(ca) − Min(ca) and Var(ca) as in Lemma B.2.
Alice prepares the state ψ_UQ = Σ_u p(u)·|u⟩⟨u|_U ⊗ |ψ⟩⟨ψ|_{Q|u} and sends system Q to Bob. It is clear that Alice could equivalently prepare the pure state |ψ̃⟩_PQ = Σ_u √p(u)·|u⟩_P ⊗ |ψ⟩_{Q|u}, send system Q to Bob, and only afterwards measure her own system P in the computational basis, storing the outcome in system U. Eve would now apply her collective attack A: Q → QE to system Q of ψ̃, so the state after Eve's attack would be ψ̃_PQE. We can replace this attack by giving Eve the ability to prepare a state ψ̃_PQE directly and distribute P and Q to Alice and Bob, respectively. This kind of attack clearly gives Eve more power. In fact, it gives Eve too much power: in order to still obtain a good key rate, we need to enforce the additional constraint that Alice's marginal of the state ψ̃ is the same as her marginal of the state ψ she would have prepared herself, i.e. ψ̃_P = ψ_P. It is easy to see that even with this additional constraint, this latter kind of attack is still at least as general as any collective attack on the prepare-and-measure protocol described before. Note that the condition ψ̃_P = ψ_P is not a physical constraint that Alice checks in an actual protocol, but rather the aforementioned additional artificial constraint. Nonetheless, we can impose this artificial constraint on the optimisation problem used to calculate the collective attack bound. For a fixed instance of Protocol 1, we can now view the state ν in Definition II.2 as a function of ψ̃_PQE.
[66] Physical Review A 72, 012326 (2005).
[67] C. C. W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, Concise security bounds for practical decoy-state quantum key distribution, Physical Review A 89, 022307 (2014).
[68] M. Berta, M. Christandl, R. Colbeck, J. M. Renes, and R. Renner, The uncertainty principle in the presence of quantum memory, Nature Physics 6, 659 (2010).
(1) Data generation. Alice receives systems P^n and Bob systems Q^n of an initial quantum state ψ_{P^n Q^n E} prepared by Eve. For each i ∈ {1, ..., n}, Alice measures the POVM {M^(u)}_{u∈U} on register P_i of the state ψ_{P^n Q^n E} and records the outcome in register U_i. Similarly, Bob measures {N^(v)}_{v∈V} on register Q_i and records the outcome in register V_i.
(2) Public discussion. For each i ∈ {1, ..., n}, Alice and Bob publicly exchange information I_i = pd(U_i, V_i).