Numerical finite-key analysis of quantum key distribution

Quantum key distribution (QKD) allows for secure communications safe against attacks by quantum computers. QKD protocols are performed by sending a sizeable, but finite, number of quantum signals between the distant parties involved. Many QKD experiments, however, predict their achievable key rates using asymptotic formulas, which assume the transmission of an infinite number of signals, partly because QKD proofs with finite transmissions (and finite-key lengths) can be difficult. Here we develop a robust numerical approach for calculating the key rates for QKD protocols in the finite-key regime in terms of two semi-definite programs (SDPs). The first uses the relation between conditional smooth min-entropy and quantum relative entropy through the quantum asymptotic equipartition property, and the second uses the relation between the smooth min-entropy and quantum fidelity. The numerical programs are formulated under the assumption of collective attacks from the eavesdropper and can be promoted to withstand coherent attacks using the postselection technique. We then solve these SDPs using convex optimization solvers and obtain numerical calculations of finite-key rates for several protocols difficult to analyze analytically, such as BB84 with unequal detector efficiencies, B92, and twin-field QKD. Our numerical approach democratizes the composable security proofs for QKD protocols where the derived keys can be used as an input to another cryptosystem.


INTRODUCTION
Quantum key distribution (QKD), until today, remains the only quantum-resistant method of sharing secret keys and transmitting future-proof secret information at a distance [1].Even after more than 30 years of development, QKD still does not see widespread adoption, primarily due to practical and theoretical difficulties.
Practically, QKD as a means of encryption requires a dramatic change to the existing classical fiber-optical communication infrastructure.QKD systems typically require the use of specialized quantum optical devices.For example, some QKD protocols need single photon detectors and dark fiber-optical channels without any classical repeater device, e.g.erbium-doped fiber amplifiers.In other words, the need for significant change to the current telecommunication infrastructure presents a challenge to QKD's wide-use today.
Theoretically, security proofs are typically complicated, and the key rate derived can be loose due to limited availability of analytical proof techniques.Validating a published security proof is an equally complicated task, and it is likely impractical to expect QKD users to be capable of verifying the security of a protocol.
The security of any QKD protocol is guaranteed when a detailed security analysis certifies that the protocol produces a non-zero secret key rate (in terms of either bits per second or bits per transmission).So far, development in key rate calculations have relied on analytical tools that can be limited in scope to specific protocols.In particular, oftentimes to simplify the analysis, the calculations invoke a high degree of symmetry.Indeed, for some protocols, such as the Bennett-Brassard 1984 (BB84) protocol [2] or the six-state protocol [3], analytical formulas for the key rates are known.However, in * dariusb@mit.edupractical implementations of QKD, a lack of symmetry is the norm rather than the exception as experimental imperfections tend to break these symmetries [4].This motivates the need to develop a new method of analyzing the security of QKD protocols that may lack structure.
Recently, [5] and [6] proposed two numerical techniques to obtain reliable secret key rate bounds for an arbitrary unstructured QKD protocol.The original technique, described in [5], formulates the problem of calculating the secret key rate in terms of a mathematical optimization problem.Unfortunately, this original formulation resulted in a non-convex problem.The method was improved in [6], which formulates the key rate problem in terms of convex optimization.Commercially available convex optimization tools, such as Mosek [7], SeDuMi [8], or SDPT3 [9], can therefore be used to reliably solve the problem.Nevertheless, the problems formulated so far still assumed that Alice and Bob have exchanged an infinite number of signals (and an infinite key length), which is practically impossible.In order to quantify the security of realistic QKD protocols, a new problem that includes the finite-key statistics of the QKD operations must be formulated.
Here, we formulate the key rate problem in terms of a novel semidefinite program (SDP) that considers the practical case of only a finite number of transmitted signals.The program takes as inputs the measured statistics from the parameter estimation step and outputs the key rate as a function of the security parameter of the protocol: ε qkd .The SDP computes a reliable, achievable lower bound on the actual value of the secret key rate.As SDP is a convex optimization problem, we can solve the problem using commercial solvers that often are able to find the global optima.Our problem formulation is reliable, such that even if the solver fails to find the global optimum, the SDP is guaranteed to output an achievable secret key rate.Lastly, since the problem takes into consideration the finite number of signals exchanged, the secret key guaranteed by the method is composable, i.e. can be used as an input to another cryptosystem.

RESULTS
The key rate problem in the non-asymptotic regime We describe the main steps of a typical QKD protocol and take note of the relevant security parameters at each step.

Transmission.
A QKD protocol starts with the transmission of quantum signals.Let us assume that N signals are successfully distributed from Alice to Bob.After this step, in the entanglement picture, they will share N entangled quantum states, whose joint state can be described as ρ AB .They will then apply measurements to their respective quantum states to obtain classical data.There is a small probability ε PE that the raw keys obtained are not compatible with the estimated parameters, and it is related to the number of signals m that are used to estimate the relevant statistics of the overall data.(Relevant security parameter: ε PE .) 3. Reconciliation.Alice and Bob then perform key reconciliation (sometimes also referred to as error correction).The key reconciliation step, in which they correct for any possible error between their raw keys, reveals leak EC number of bits.This error correction step is performed with a certain failure probability ε EC , which is the probability that one party computes the wrong guess of the other party's raw keys.(Relevant security parameter: ε EC .) 4. Error verification.To ensure they have identical raw keys, they apply a two-universal hash function and publish ⌈log 2 1/ε cor ⌉ bits of information.Here, ε cor = ε hash , which is the probability two nonidentical raw secret keys generate the same hash value.(Relevant security parameter: ε cor .)In this nonasymptotic regime, we use a generalization of the von Neumann entropy called smooth min-entropy which was developed by [10].The main significance of smooth min-entropy comes from the fact that it characterizes the number of uniform bits that can be extracted in the privacy amplification step of a QKD protocol.Now, let us take E ′ to be the information that Eve gathered about Alice's raw key Z A up to and including the error correction and verification steps.When Alice and Bob apply a two-universal hash function in the privacy amplification step, they can then extract a ε sec -secret key of length: for ε + ε PA ≤ ε sec (Proof is by the Quantum leftover hash lemma in Ref. [11]).H ε min (Z A |E ′ ) is the conditional smoothed min-entropy that quantifies the average probability that Eve guesses Z A correctly using her optimal strategy based on her knowledge of the information E ′ .
During the error correction step, a maximum of leak EC bits of information are revealed about Z A .Alice has to send a syndrome bit string of length leak EC to Bob over the public channel, so that Bob can correct his raw key to match Alice's.Furthermore, during the error verification step, ⌈log 2 (1/ε cor )⌉ ≤ log 2 (2/ε cor ) bits of information are revealed.If we let E be the remaining quantum information Eve has on Z A , then The QKD protocol is said to be ε qkd ≥ ε cor + ε sec secure if it is correct with a probability higher than 1 − ε cor and is secret with a probability higher than 1 − ε sec .
The quantity H ε min (Z A |E) can be simplified in the case of collective attacks, in which Alice and Bob share the state of the form ρ AB = (ρ AB ) ⊗N .In this case, we can also assume that ρ ZAE = (ρ ZAE ) ⊗n since all purifications of ρ AB are equivalent under a local unitary operation by Eve, and there exists a purification with this property [12].In other words, after being presented with the tensor product states (ρ AB ) ⊗N , Eve is free to choose how to purify this state.(She wants to purify this state because this gives her the most information.)One obvious choice is to purify each transmission such that she has It is from such a purification, we obtain the tensor product structure of ρ ZAE = (ρ ZAE ) ⊗n .The observed statistics of relative detection frequencies, however, only gives some knowledge about the state ρ ZAE .Given that the state ρ ZAE is contained within a set that contains all ρ ZAE compatible with the observed statistics, except with probability ε PE , we have: where ε = ε + ε PE .When the error correction step is performed with a failure probability of ε EC , i.e. the probability that Bob computes the wrong guess for Z A , we can bound the quantity leak EC with Corrollary 6.3.5 of [10]: where d is the number of possible symbols in Z A , and f EC ≥ 1 characterizes the error correction (in)efficiency.Commonly, f EC is chosen to be ∼ 1.2, which is based on the performance of real codes [12].
To compute the key rate under the assumption of collective attacks, we therefore have to minimize the quantity: Here, the set C εPE is the set of all density operators ρ AB that are consistent with the statistics measured from the parameter estimation step, except with a probability ε PE .Let Γ i be the Hermitian observables for these measurements, then the average values of these operators are within the bounds: γ LB i ≤ Tr(ρ AB Γ i ) ≤ γ UB i , for i = 1, . . ., n PE , except with probability ε PE .Along with the constraint that ρ AB is a valid normalized density operator, i.e. ρ AB 0 and Tr(ρ AB ) = 1, then ρ AB is constrained to be in the set: except with probability ε PE .
To understand how one can obtain the bounds on the average values γ i ≡ Tr(ρ AB Γ i ), consider the parameter estimation step in a typical QKD protocol.Alice and Bob perform the measurements using the POVMs { M a A } and { M b B } (in the entanglement-based picture) and use a fraction of their measurements to obtain . Then, we can make the iden- . To find the relevant bounds, suppose that a total of m i signals have been used to estimate γ i , then the deviation of the estimate γ mi i from the ideal estimate γ ∞ i can be quantified using the law of large numbers [12,13]: except with a failure probability of ε i PE .Here, d is the number of outcomes of the POVM Γ i needed to estimate it (for error rates, d = 2 since the outcomes are either Alice = Bob or Alice = Bob).The overall parameter estimation step fails with a probability of ε PE = i ε i PE .We can then obtain the upper and lower bounds: as γ i is a probability and must have values between 0 and 1.We note that the inequality (7) is not the only law of large numbers that can be used to find these bounds.Tighter (asymmetric) bounds can be achieved by applying both the Chernoff bound and the Hoeffding's inequality [14,15].Recently, even tighter bounds were obtained with clever usage of the Chernoff bound alone [16].
The definition of Γ i and γ i above may be too finegrained for a QKD protocol such that each individual ε i PE may be too small for a given value of ε PE .The security of a QKD protocol typically can be defined with only a few parameters; for example, the security of BB84 relies on only the bit error rates when both parties choose the Z-basis and the X-basis.Coarse-graining the constraints can be achieved by merging the constraints Γ i together, e.g. by summing a subset of or by taking an average value of the constraints and the observed statistics.Coarse-graining, from an optimization perspective, loosens a constraint such that the guaranteed key rate can be lower than the optimal value of the calculations with fine-grained constraints.However, coarse-graining can provide tighter bounds on γ i 's for the same value of ε PE that can result in a higher secret key rate.
We now use two methods to evaluate a reliable numerical lower bound on the quantity H ε min (ρ ⊗n ZAE |ρ ⊗n E ) that will allow us to eventually quantify the key length ℓhence the key rate r.

Key rate estimation using von Neumann entropy
The smooth min-entropy of an independent and identically distributed product state ρ ⊗n ZAE converges to the von Neumann entropy in the limit of large n: ) For the case of finite number of signals n, these two entropic quantities are related via a correction factor obtained in Corrollary 3.3.7 of Ref. [10], i.e.
where, δ(n, ǫ) = (2d + 3) log 2 (2/ε)/n is the correction factor.It is worth pointing out that the right hand side of Eq. ( 10) is an achievable secure lower bound to estimate the key rate.We apply this result to obtain an ε qkdsecure finite-key QKD protocol that is ε cor -correct and ε sec -secret (with ε cor + ε sec ≤ ε qkd ) at a secret key rate per transmission of: which is in terms of the von Neumann entropy instead of the smooth min-entropy.The protocol is secret up to a failure probability of In light of Eq. ( 11), the optimization problem that we have to solve is min ρAB ∈Cε PE H(Z A |E). Ref. [5] shows how to recast this as an optimization problem with the quantum relative entropy, rather than the von Neumann entropy, as the objective function.Ref. [6] further developed a two-step method to obtain a secure lower bound.Simply put, this two-step method consists of finding an approximate minimum (step one), and then solving a linearized version of the SDP around this approximate minimum to obtain a secure lower bound (step two).In this work we use the semidefinite approximation of the matrix logarithm and quantum relative entropy from Ref. [17] to peform step one, and then follow step two directly as described in Ref. [6].The Methods section contains a review of the SDP developed in Ref. [6], and a more detailed description of our approach to step one.

Key rate estimation using min-entropy
To compute the key rate via the min-entropy, we use the fact that the smooth min-entropy is a maximization of the min-entropy and is equal to the min-entropy when the smoothing parameter ε = 0, i.e.
Then, using the additivity of min-entropy (derived in Lemma 3.1.6 of Ref. [10]) we have that: which gives a lower bound on the smooth min-entropy in terms of the single-transmission min-entropy.(The same result using different bounds of the smooth min-entropy is found in Ref. [18].) This approach guarantees an ε qkd -secure QKD protocol that is ε cor -correct and ε sec -secret at a secret key rate per transmission of: The secrecy of the protocol is found by composing the error terms The optimization problem to be solved in this formulation is therefore min ρAB ∈Cε PE [H min (Z A |E)].To solve this problem, we must show how the objective function H min (Z A |E) can be expressed in terms of an optimization problem that does not include Eve's state.We obtain the following relation by following a similar approach to Ref. [19] (further detailed in Methods): is the fidelity function and σ AB is a valid density matrix.Finally, using the linear SDP developed in Ref. [20] for the fidelity, we obtain a SDP that can be solved for a secure lower bound to the min-entropy, and therefore for the finite key rate (see Methods for further details).
The lower bound to the key rate using the singletransmission min-entropy is typically not as tight as that using the von Neumann entropy.However, this formulation is computationally less expensive than the von Neumann approach, and is therefore useful for protocols with signal states that have a large Hilbert space.

Examples
We now illustrate our numerical approach for obtaining reliable lower bounds on the QKD secret key rate by applying it to some well-known protocols.We consider the BB84 protocol [2], the B92 protocol [21], and the novel Twin-Field QKD protocol [22] (that is able to beat the fundamental capacity for direct quantum communication without any repeater [23]).We use BB84 as a benchmark, showing that our numerics exactly reproduce the known theoretical results based on analytical solutions to the key rate problem.For B92 and Twin-Field QKD, where analytical solutions are not known in general, we present novel results in the finite key regime using the approaches derived in the previous section.
We supplement the finite key results for B92 and Twin-Field QKD with asymptotic results using the numerical approach of Ref. [6], and find improved secret key rate lower bounds over those previously known.In the Supplementary Note D, we study protocols that lack symmetry, which have previously been analyzed numerically in the asymptotic regime [6].In particular, we look at variations of BB84: one with detector-efficiency mismatch, and one with Trojan-horse attacks.For all results presented we used the Mosek [7] SDP solver, with the SDPs programmed within a disciplined convex programming framework: cvxpy [24,25] in Python or CVX [26,27] in MATLAB.Alice and Bob postselect for the cases when they both measure their qubits in the same basis, discarding the outcomes when they measure in different bases (see Supplementary Note B for the postselection framework).They then generate a secret key using the results when they both measured in either the Z-basis or X-basis.
The maximally entangled state |Φ + is generated in Alice's laboratory so that only one part of the state is transmitted through the channel to Bob.To model this transmission through the quantum channel, we consider the depolarizing channel with a depolarizing probability p on Bob's qubit [28]: Therefore, for this protocol, we consider the statistics given by the state: Typically in QKD experiments the key rates are determined by the quantum bit error rates (QBERs).Therefore, we use these error rates to define coarse-grained constraints for the key rate SDPs.The error operators corresponding to the QBERs in the Z and X bases are: whose expectation values (i.e. the QBERs) are For the state defined in (18), one can show analytically that The analytical solution for the von Neumann entropy optimization is is the probability Alice and Bob postselect for the same basis.Similarly, the solution for the min-entropy optimization is [18]: where with ∆ > 0 being the deviation that can be quantified using the law of large numbers Eq. ( 7).We can compare the key rate predicted by the SDP with these analytical formulas (in the asymptotic regime) and apply the same estimation methods to both the numerical and the analytical key rates to compare them in the non-asymptotic regime.
To simulate a realistic QKD system, we assume that Alice and Bob uses α PE = 10% of the signals (after postselection) for parameter estimation.We take the protocol to be correct up to ε cor = 10 −15 and to be secret up to ε sec = 10 −10 .For simplicity, we assume equal security parameters of ε ′ for ε PA , ε EC , and ε.For parameter estimation, we assume each constraint is estimated with a failure probability up to ε i PE = 2ε ′ .The values of the security parameters are tabulated in Tab.I. Therefore, we have ε ′ = ε sec /7 for the calculation with von Neumann entropy (Eq.( 11) with SDPs ( 35) and ( 36)) and ε ′ = ε sec /6 for the calculation with min-entropy (Eq.( 14) with SDP ( 45)).20) and ( 21), and the dots are reliable lower bounds on the key rate calculated numerically.Fig. 1 show the secret key rate per transmitted pulse as a function of the number of transmissions, N , for both numerical methods.We observe that for a QBER of 0%, the bound from solving the min-entropy SDP is tighter and rises to a significant value at a lower number of transmitted signals.At higher error rates, solving the von Neumann entropy SDP provides a better bound.In fact, for a QBER 7.58%, the bound from min-entropy predicts a zero key rate at any number of transmissions.
As constraints for the problem we use operators that describe (on the postselected state) both a successful outcome, where Bob's measurement bit makes Alice's prepared bit, and an unsuccessful one, where they do not agree: In addition, since this is a prepare-and-measure protocol, we must add the constraints related to Alice's knowledge of ρ A , i.e. we add the constraints To simulate the channel, we again consider that the signal undergoes a depolarizing channel with probability p as it travels from Alice to Bob. Figure 2 shows the results of our numerical method in the asymptotic limit.We plot the secret key rate per pulse against the angle θ and against the depolarizing probability p after optimizing for the parameter θ.The asymptotic formula is obtained by taking the von Neumann formulation with N → ∞ (and n → ∞), and replacing the con- . This is a direct application of the formalism developed in Ref. [6], and is not a development of this manuscript, though the results we show have not been reported elsewhere, and are a useful demonstration of the power of numerical QKD calculations.
Our results guarantee a non-zero key rate even up to p = 0.15 (with r 1 = 0.00574 at θ = 64.8• ), while previous analytical results predict a non-zero key rate only for p ≤ 0.065 [10,29,30].Furthermore, this numerical approach guarantees a higher-secret key rate when compared to a previous numerical QKD approach described in Ref. [5], which predicts a non-zero key rate for p ≤ 0.053.For noise levels where all methods guarantee finite key rates, our results show tighter secure lower bounds than previous approaches.For example, for a depolarizing noise of p = 0.01, the method of Ref. [6] predicts r 1 = 0.248, while the previous method of [5] only obtains r 1 ≈ 0.21 per pulse.Secret key rate p=1.0%p=2.0%p=3.0%p=4.0%p=5.0%p=10.0%p=15.0%FIG.2: Secret key rate per pulse for the B92 protocol for different depolarizing probability p in the asymptotic regime.The rate is plotted against the Bloch-sphere angle between the two signal states |φ0 and |φ1 .Now, we consider the security of the B92 protocol in the nonasymptotic regime, using the finite key SDPs developed in the previous section.Fig. 3 shows the secret key generation rate per pulse in terms of the number of signals that Alice has sent, for different values of p.For each curve, we choose the value of θ that maximizes the secret key rate.We consider the security parameters tabulated in Tab.I and assume that the protocol is ε sec = 10 −10 -secret and ε cor = 10 −15 -correct.Our analysis shows that the B92 protocol is a simple way of exchanging random secret keys with composable security.Twin-Field QKD Twin-Field QKD is a novel variation of the measurement-device-independent (MDI)-QKD protocol that enables two parties to communicate through an intermediate untrusted node [31].The main difference is that TF-QKD uses single-photon interference (instead of two-photon interference in MDI-QKD), and achieves a key rate that is expected to beat the fundamental information capacity for the repeaterless quantum communication rate, typically at long distances [22].Because the protocol promises higher secret key rates than previous QKD protocols at long distances, it is a subject of extensive research both theoretically and experimentally.Theoretically, several security proofs of the protocol (and its variations) with asymptotic [32][33][34] and nonasymptotic [35][36][37] key rates have been proposed.Experimentally, the protocol has been demonstrated within the laboratory setting [38][39][40][41], and future field tests of the protocol are to be expected.
In the entanglement-based description of Twin-Field QKD presented in Ref. [33], Alice and Bob each prepare the entangled state |Φ q = √ q|00 + √ 1 − q|11 for 0 ≤ q ≤ 1, where |0 is the vacuum state (as opposed to the logical state 0) and |1 is the single photon state [42].They then randomly choose to measure their qubits in the standard Z = {|0 , |1 } basis with probability p Z or in the X = {|+ , |− } basis with probability p X = 1−p Z .
Alice and Bob send one part of their quantum signals (A ′ for Alice and B ′ for Bob) through optical channels with transmittance √ η to Charlie.The total optical transmittance from Alice to Bob is η.Charlie then performs a Bell-state measurement on the combined state A ′ B ′ that he has received.One way to do so is to use a 50:50 beamsplitter to mix Alice and Bob's signals, and then route the outputs of this beamsplitter to two singlephoton detectors.Charlie announces which of his two detectors fires, and Alice and Bob postselect for those events where one (and only one) detector fires.This is equivalent to postselecting for Charlie's state being one of the Bell states |Ψ ± .We can postselect to |Ψ + and |Ψ − independently, and we focus our discussion henceforth on postselection to the single state |Ψ − and the same arguments apply for postselection to the state |Ψ + .
The measurement POVMs for analyzing the Twin-Field QKD protocol are Alice's POVM Basis Bit-value for Alice, and for Bob.In the simulation, the channel that the transmitted signal goes through is a pure-loss channel (or an amplitude damping channel for the single photon case [28]).
We can describe the pure-loss channel E loss ( √ η) using a beam-splitter transformation with the help of an additional Hilbert space A 0 starting in the vacuum state.For example, the photon creation operator for Alice's transmitted signal â † A ′ undergoes the following transformation for a channel with transmittance √ η: Here, â † A0 is the creation operator for the additional Hilbert space.In summary, to describe the transmitted state, Alice generates the entangled state: which then undergoes a pure loss channel before being measured by Charlie.The state after the transmission is We can also define a similar state for Bob: and the overall state after both Alice and Bob's transmissions is: Charlie, equipped with only threshold detectors, cannot distinguish between the click due to a only single photon arriving at his first detector and the click due to two photons arriving.Therefore, he is projecting the signals he receives to We further assume that Charlie's detectors have small, but non-negligible dark counts.Let p d be the dark count probability for each clock cycle.We can modify Charlie's projection operator above into the following POVM: Alice and Bob postselect those cases, where Alice and Bob measure in the same basis and Charlie successfully measures | Ψ − dark Ψ − dark |.The performance of the protocol in the asymptotic limit as a function of the overall loss between Alice and Bob is plotted in Fig. 4. At each loss value, we optimize for the value of q that gives the best key rate using the Brent's method [43,44].As shown in Fig. 5, the value of q increases monotonically to about ∼ 0.93 at 40 dB loss, and saturates at this value for higher losses.The high value of q suggests that a weakly pumped photon pair source, which uses spontaneous parametric down conversion or spontaneous four-wave mixing, would be ideal to generate the initial entangled states.
From Fig. 4, it is clear that the Twin-Field QKD protocol-at sufficiently high losses (above ∼ 40 dB)can perform better than the capacity of direct repeaterless quantum communications, which we dub as the PLOB bound after the original authors [23].For a channel with a transmittance η, the bound which is an achievable rate is − log 2 (1 − η) and scales linearly as ∼ η at low transmittance.As the dark count rate increases, the region of losses at which the Twin-Field QKD protocol can beat the PLOB bound is reduced.For the nonasymptotic regime, we evaluate the security of a protocol that is ε sec -secret and ε cor -correct with ε sec = 10 −10 and ε cor = 10 −15 .We consider the values for the security parameters as in Tab.I.
Fig. 6 shows that the nonasymptotic bounds from von Neumann entropy can obtain better secret key rates than the PLOB bounds-even with the presence of dark counts.The plots also show that to faithfully demonstrate a better rate than the PLOB bound in a Twin-Field QKD experiment, both Alice and Bob must send a large number of transmissions to Charlie.For example, at 60 dB overall channel loss, they must send N ∼ 10 10 transmissions which are ∼ 10 5 higher than the number of transmissions needed to obtain a substantial secret key in a BB84 QKD protocol (see Fig. 1).Interestingly, the bounds from min-entropy are unable to beat the PLOB bound, but they do guarantee a substantial secret key rate even at orders of magnitude fewer transmissions.

DISCUSSION
We have developed semidefinite programs for finding reliable lower bounds on the secret key rate of an arbitrary QKD protocol in the nonasymptotic regime.We presented two methods of calculating such bounds, one via an SDP for von Neumann entropy and one via an SDP for min-entropy.For some of the protocols we have considered, the bound from min-entropy provides a better key rate than the bound for von Neumann entropy at lower error rates and at lower numbers of transmissions.The computational advantage for solving the SDP for min-entropy is also clear since the problem is more tractable than that for von Neumann entropy.
For a problem involving a density matrix between Alice and Bob of size n × n, the SDP (45) for min-entropy only requires us to solve for O(n 2 ) parameters while the SDP (35) for von Neumann entropy requires us to solve for O(n 4 ) parameters.Nevertheless, the nonasymptotic bound from von Neumann entropy guarantees a better secret key rate at higher numbers of transmission and, unlike the bound from min-entropy, can approach the asymptotic key rate.The supremum between these two methods should be considered as the tightest lower bound that our numerical approach offers.
So far, we have only considered security against collective attacks.Some protocols with high-symmetry have been found to have the same secret key rates under collective attacks and under the more general coherent attacks.Examples of these protocols include popular protocols such as BB84.
General methods for bounding the possible information advantage of coherent attacks over collective attacks has been outlined in multiple approaches.The first such approach uses the exponential de Finetti theorem [45], but the overhead obtained by this theorem turns out to be heavy making the finite-key bounds unrealistically pessimistic.The de Finetti theorem is tight if one compares the attacks signal-by-signal.Ref. [46] found that it suffices to only consider the entire collection of states.This method, known as the postselection technique, compares the distance between two maps: the map between the ideal protocol and an actual protocol under collective attacks and the map between the ideal protocol and an actual protocol under coherent attacks.
Using the postselection technique, we can define a new secrecy parameter under a coherent attack ε coh sec , which quantifies the probability the QKD protocol passes but is not secret to an eavesdropper with coherent-attack capabilities.ε coh sec is related to the secrecy parameter under collective attack ε sec in the following manner: For the above value of secrecy, the key rate under coherent attack r coh is related to the key rate under collective attack r by the following relation: Our numerical method is reliable and robust for calculating key rates involving single photon transmissions.Most practical implementations of QKD however have relied on the use of weak coherent states made by highly attenuated laser pulses.We hope to eventually evaluate such protocols numerically in the future.However, two main issues must be addressed when doing so.First, the probability of multiphoton emissions from a highly attenuated coherent light source, although small, is not negligible.Multiphoton signals are inherently insecure due to a class of attacks called the photon number splitting attack.One solution to combat the photon number splitting attack is to implement the decoy state protocol.In the decoy state protocol, Alice prepares an additional set of states-the decoy states-that are used to detect the presence of eavesdropping [47,48].Therefore, we plan to incorporate decoy state analysis to the numerical method in the future.
Second, Alice's coherent state transmission uses an infinite-dimensional Hilbert space.The calculation on this infinite-dimensional space is extremely challenging.For simple QKD protocols, there exist squashing maps that provide direct correlations between measurements in the infinite-dimensional optical implementation and measurements in the abstract low-dimensional protocol [49][50][51].Therefore, the numerical method (or the user) must also be able to determine the appropriate squashing map to reduce the size of the problem.
To conclude, our results extend the earlier numerical QKD approaches by presenting a general robust framework for calculating QKD key rates in nonasymptotic regimes.The numerical methods presented here will be useful for democratizing the QKD security proofs that are needed to estimate the amount of secret key generated in any QKD operation.
Note added -We recently became aware of another proposal for calculating the finite-key rate of a QKD protocol numerically [52].

Proof of the relationship between min-entropy and the fidelity function
We include the proof from Ref. [19] here for completeness.In this proof, we consider the pure state shared between Alice, Bob, and Eve: ρ ABE , and will use the max-entropy, defined as: The max-entropy is dual to the min-entropy, i.e.H min (X|Y ) = −H max (X|Z) for any pure state ρ XY Z .Now, consider the pure state ρZAABE = V ZA ρ ABE V † ZA with the isometry V ZA = j |j ZA ⊗ Z j A representing Alice's key map.We can derive the following series of equalities: which relates the min-entropy to a maximization of the fidelity.The third line is true because an isometry must satisfy V ZA V † ZA = I, and the fourth line uses the fact that fidelity is invariant under isometries.

SDP for quantum relative entropy
Let us express the problem in terms of a convex optimization problem with quantum relative entropy as the objective function: (34) Here Z j A are projectors onto the signal-state basis of the Hilbert space of A.
The SDP for the (m, k)-approximation of the quantum relative entropy in this case is [17]: where w j and s j are the weights and nodes for the m-point Gauss-Legendre quadrature on interval [0, 1].Here, |e is the vector obtained by vertically stacking the columns of an identity matrix.
Solving the approximate problem above only gives us a density matrix ρAB that is close to the optimal matrix ρ * AB .However, as it pointed out by Ref. [6], we can use this close-to-optimal density matrix ρAB and find a secure lower bound through linearization of the convex objective function: f (ρ) ≡ D(ρ Z j A ρZ j A ). Using the fact that this objective function is convex and differen-tiable, we have: Tr ∇f (ρ AB ) T σ , (36) where The primal and dual SDPs for the last term in Eq. ( 36) are: Primal problem.
Key rate problems for some of the more well-known QKD protocols, e.g. the BB84 protocol, can be solved efficiently (within a second on a personal computer) with Eq. ( 35) using a commercial or an open-source SDP solver, e.g.Mosek [7] or SeDuMi [8].Some larger problems, such as the prepare-and-measure protocol or the measurement-device-independent QKD protocol, require simplification that makes use of the block diagonal structure of the density operator ρ AB to be efficiently solved, see Supplementary Note C and Refs.[53,54].
The main inefficiency in our formulation comes during step one.Suppose that ρ AB is an n × n matrix, then X, Y, Z, and M i matrices are of size n 2 × n 2 .Therefore, the problem needs to solve a total of k blocks of 2n 2 × 2n 2 positive semidefinite matrices along with another m blocks of (n 2 +1)×(n 2 +1) positive semidefinite matrices.It is therefore desirable to find another approximation method that requires a smaller number of parameters.

SDP for min-entropy and quantum fidelity
Ref. [20] shows how the fidelity can be expressed in terms of a simple linear SDP.The primal and dual SDP problems for computing the F (P, Q) between two operators P 0 and Q 0 are as follows: Primal problem.
We can therefore formulate the following optimization problem: (42) In particular, we can compute the following quantity: that can be transformed into the following dual problem: Dual problem.
Solving the dual problem ( 45) directly provides a reliable lower bound to the key rate.The min-entropy SDP derived here has a computational advantage over the von Neumann SDP, due to the fact that other than the positive real numbers x i and y i , only two matrices Y 11 and Y 22 -both of the same size as the density matrix ρ ABhave to be computed.

Supplementary Note A: Convex optimization
Problems in quantum information can often be formulated as an optimization problem.In particular, the secret key rate problem can be expressed as a convex optimization problem, specifically a semidefinite program.There is in general no analytical formula for the solution of convex optimization problems, but there are efficient methods for solving them, such as the interior point methods [55].
A convex optimization problem is an optimization problem of the form: where f 0 , . . ., f m are convex functions, i.e.
) for any x 1 , x 2 and 0 ≤ p ≤ 1.Let us call the set of x values that satisfies the constraints as the feasible set, denoted as P. We refer to this problem as the primal problem.By rewriting the equality constraint as h i (x) = a T i x−b i and require h i (x) = 0, we can define the Lagrangian associated with Prob.(A1) as where λ i and ν i are Lagrange multipliers associated with the problem.
For each primal problem, there exists an associated dual problem: where g(λ, ν) ≡ inf x∈P L(x, ν, λ).The significance of this dual problem is as follows.The optimal value of the dual problem (Prob.(A3)) d * is, by definition, the best lower bound on the optimal value of the primal problem (Prob.(A1)) p * .In particular, we have an important relation d * ≤ p * called weak duality, which always holds even when the problem is not convex.
If the gap between d * and p * is 0, then we say that strong duality holds.For convex optimization problems, the strong duality holds if Slater's condition is satisfied: if there exists a point x ∈ P such that all the inequality constraints f i (x) is strictly less than zero and all the equality constraints are satisfied [55].
An important class of convex optimization problems that are often encountered in quantum information processing is the semidefinite program (SDP).Here we define a semidefinite program in the standard form proposed by [20] that is more directly applicable to working with quantum density matrices.
Let us first define several mathematical terms to help our discussion.Given a complex vector space X = C n , we call an n × n linear operator X Hermitian if X = X † ; let us denote the set of such operators with Herm(X ).An operator X is called positive semidefinite if it is Hermitian and all of its eigenvalues are nonnegative.We use the notation X 0 to indicate that X is positive semidefinite.More generally, Y X indicates that Y −X 0 for Hermitian operators X and Y .We also use the notation X ≻ 0 to indicate that the operator X is positive definite: Hermitian and all its eigenvalues are strictly positive.
An SDP can be defined using a few parameters: • Φ which is a Hermiticity-preserving linear map, and • A and B which are Hermitian operators.
We define the primal of an SDP problem to be: where the inner product A, B ≡ Tr(A † B).The Lagrange dual problem to the SDP above is The mapping Φ † is a unique mapping that can be defined from the following equation: An operator X 0 satisfying Φ(X) B is called primal feasible, and an operator Y 0 satisfying Φ † (Y ) A is called dual feasible.We denote the sets of primal and dual feasible operators with P and D, respectively.
Weak duality holds for any SDP, that is the optimal value of the primal problem p * and the optimal value of the dual problem d * are always related by p * ≥ d * .Strong duality holds if either of the following Slater's conditions are satisfied [56]: } [57].We follow the approach previously established in several papers (see e.g.[6]) and introduce extra classical registers A b and A v for Alice and B b and B v for Bob to store the basis and value information respectively.The idea is that Alice and Bob will keep most of the registers A v and B v to themselves (releasing some information for error correction), while they will eventually make public the registers A b and B b .Alice's measurements and announcements can be described by a quantum channel with Kraus operators and, similarly, Bob's can be described by another set of Kraus operators The quantum state after the announcement can be obtained through a completely positive trace-preserving (CPTP) map A involving the Kraus operators above, i.e.
(B3) Next, Alice and Bob will postselect/sift to decide which parts of the data they will keep.Let B keep be the set of basis measurements they will keep.For example, they may choose to keep only measurements in the same basis.Then, we can define a projector: The postselected state can then be modeled by using this projector: with p pass = Tr(Πρ ann AAv A b BBvB b ) is the probability of passing the postselection filter [58].We therefore can define a completely positive trace non-increasing map S for sifting, such that: Following the derivation in [19], we define another isometry V ZA = j |j ZA ⊗ Z j Av to store the raw key information in the register Z A .Applying this isometry to ρ sift gives us: We then take Eve's system to purify the state ρ sift (and ρsift ) such that she's able to obtain the maximum amount of information from not only A and B, but also A v , A b , B v , and B b .The key-rate problems that are solved by using von Neumann entropy are therefore modified from min ρAB H(Z A |E) ρ to min ρAB p pass H(Z A |E) ρsift .Using similar arguments as outlined in the main manuscript, we obtain: where the last line has been derived using the property that D(cρ cσ) = cD(ρ σ) for any constant c > 0. Furthermore, when linearizing this key rate problem to obtain a dual solution, we must update the gradient ∇f (ρ) T defined in Eq. ( 37) to: ) where S † is the adjoint map of S that can be found from the fact that: Explicitly, since then the adjoint map is Similarly, we modify the key-rate problems that are solved using min-entropy from min ρAB H min (Z A |E) ρ to min ρAB p pass H min (Z A |E) ρsift .Using similar arguments to the ones in the main manuscript, we obtain: ) where the last line is found by noticing that F (cσ, ρ) = F (σ, cρ) = cF (σ, ρ) for any constant c > 0.
When solving the numerical key rate problems, one can use the fine-grained constraints for all values of {(a b , a v ), (b b , b v )}.However, with measurement bases being well-defined in this framework, we can find general coarse-grained constraints where Alice and Bob obtain the same or different classical measurement values within each basis they postselect for.In other words, for (a b , b b ) ∈ B keep , we can find such constraints: Although generally using coarse-grained constraints leads to lower key rates, the key rates obtained in the more symmetric protocols we consider show no noticeable difference when compared to the key rates obtained using fine-grained constraints.In fact, when using only the coarse-grained constraints, the amount of information that must be communicated classically between Alice and Bob is reduced.Notice that this framework for postselection generally increases the size of the computation as it dilates the Hilbert space needed from just AB to include extra registers A v A b B v B b .In particular, the SDP for solving the approximate problem involving the quantum relative entropy can become too large for a typical personal computer to handle.We are, however, able to simplify the postselection procedure for some protocols without needing to introduce many extra registers.

Supplementary Note C: Simplification to the postselection procedure
Whenever postselection is performed-even for the simplest postselected BB84 protocol-direct calculation of the approximate SDP for quantum relative entropy can become a bottleneck (see SDP (35)).For a density matrix ρ of size n×n, solving the approximate SDP problem at order (m, k) involves solving for a total of k blocks of 2n 2 × 2n 2 positive semidefinite matrices and m blocks of (n 2 + 1) × (n 2 + 1) positive semidefinite matrices.For the postselected BB84 protocol, n = (dim 64 which results in an extremely large SDP to solve.We see a slowdown in the SDP for the fidelity function (see SDP (45)), but the problem is still small enough for our numerical solvers to find a solution within a reasonable amount of time.
We outline simplification steps that allows us to dramatically increase the calculation speed for the examples that we explore in this manuscript.

BB84
The Kraus operators related to Alice and Bob's announcements are: where there is no need to keep track of B v because the key map is only applied to Alice's value register.
With the postselection operator: we can fully define the action of the sifting map: (C3) Notice that the expression above is block diagonal so we can write: a.The key rate SDP The goal here is to simplify the key rate problem (in the von Neumann entropy formalism) by separating out the two blocks and thereby proving that ) where we have defined the notation Z B H which is the pinching channel in the B-basis acting on Hilbert space H.In particular: and First, we state the following useful lemma: Proof.The proof can be obtained by direct computation.
Since we have then the term . Therefore, and taking the trace of this matrix completes the proof.
Applying Lemma C.1 to D S(ρ AB ) Z Z Av (S(ρ AB )) , with the identification M = S(ρ AB ) and M ′ = Z Z Av (S(ρ AB )), gives us (C12) To obtain the simplified Eq. (C5), we show the following: The identification is straightforward.Let us write down ρ z in the basis of A v and A: which is equivalent to ρ AB in the Z-basis: Now, let us write Z Z Av (ρ z ) in the basis of A v and A: which is equivalent to Z Z A (ρ AB ) in the Z-basis: which is equivalent to ρ AB in the X-basis: Furthermore, Z Z Av (ρ x ) in the Z-basis of A v and the Xbasis of A is: is therefore equivalent to solving: where there is we did not keep track B v .With the postselection operator Π a.The key rate SDP We will show that the key rate problem simplifies as follows: ) We then write down ρ z in the basis of A v and A: which is equivalent to the upper-left block of ρ AB .Similarly, applying the pinching channel on ρ z gives us: Thus, we conclude that Next, we can also write ρ x : which is the lower-right block of ρ AB .Applying the pinching channel on ρ x gives us: In this case, let us define ρAB ≡ S(ρ AB ) such that we can translate the optimization problem to one that involves ρAB instead of ρ AB , i.e.
C55) which can be solved using the SDP formulation without postselection.Similarly, in the min-entropy formulation, we have ) The constraints for ρAB can be computed from: where Γi ≡ SΓ i S † .
The Kraus operator for the postselection procedure is: and the key maps are: has been treated analytically by [60] in the asymptotic regime, and the key rate analytical formula derived is The numerical analysis in the asymptotic limit has been considered in Ref. [6].
Here, we consider this problem in the nonasymptotic regime-taking into account the effects of statistical fluctuations during the QKD operations.Similar to the case of entanglement-based BB84, we assume equal security parameter ε ′ , and the value of each relevant parameter is tabulated in Tab.I. Fig. 7 plots the secret key rate per pulse in terms of the number of pulses are generated by Alice, assuming ε sec = 10 −10 and ε cor = 10 −15 .We consider the case where η 0 = 1 and η 1 = 25% or 75%.We see that, in this case, the bound from von Neumann entropy consistently outperforms the bound from min-entropy.We consider different values of error rate Q and efficiency of the "1" detector η1.We assume that the "0" detector has unit efficiency, i.e. η0 = 1.For all plots, the lines are the results of our numerical method.

Trojan-horse attack
A common assumption for QKD analyses is that Eve cannot access Alice's laboratory.As its name suggests, the Trojan-horse attack is a side-channel attack where Eve tries to infiltrate Alice's laboratory to obtain information about the state Alice has sent towards Bob.In particular, Eve uses the optical link between Alice and Bob to launch a bright light pulse into Alice's supposedly secure module.The light pulse will reach Alice's encoding device and is encoded with the same information, e.g. the phase value ϕ, as the signal prepared by Alice.Some of these Trojan photons are reflected back to Eve.Although the information ϕ is meant to be kept private by Alice, Eve can perform measurements on these back-reflected photons that may allow her to unambiguously learn about the value of ϕ.At the end of the QKD session, Eve can in principle obtain the same key as Alice and Bob-without her presence being detected by either Alice or Bob.The security of a QKD protocol can be seriously compromised if components are not installed to prevent these possible back-reflected lights.It has in fact been shown that the phase values ϕ from an encoding device can be discriminated with higher than 90% success probability using only three photons [61].
Different solutions have been proposed to counteract the Trojan-horse attack.Alice could install an active phase randomizer [62,63] to remove the phase reference from Eve's hands or she could install a watchdog detector [64,65] that alerts her when a bright pulse is injected into her setup.Countermeasures can also be realized with only passive components, e.g.optical fiber loops, filters, and isolators, which are simple to implement and to characterize experimentally [66].
The security against the Trojan-horse attack using these passive countermeasures is based on the laser induced damage threshold (LIDT) of the optical components.Let us assume that Eve injects a coherent state | √ µ in with an average photon number µ in into Alice's system.The Trojan photons will then acquire a phase modulation information ϕ that will return to Eve as |e iϕ √ µ out , where µ out = γµ in , with γ ≪ 1 describing the isolation factor of Alice's devices.If the value of µ in is unbounded, the QKD protocol is insecure against a Trojan-horse attack.Fortunately, the value of µ in is bounded by the LIDT of Alice's components.
Let us call Ṅ the maximum number of photons per second Eve is allowed to inject into Alice's lab without burning any of Alice's components.We assume that Alice has characterized this value of Ṅ very well.For a QKD system with a clock rate of f , Alice can assume the worst case scenario in which Trojan photons with a mean photon number µ out = Ṅ γ/f are emitted back to Eve at each transmission.Here, Alice has assumed that Eve distributes all her Trojan photons evenly in each round of transmission.The validity of this assumption relies on the convexity of the key rate as a function of µ out , which was shown in Ref. [66].
Let us assume that Alice prepares the states she sends to Bob using a single-photon source in the prepare-andmeasure scheme.She encodes her information in the phase difference ϕ between the leading and the trailing single-photon pulse.To model the Trojan-Horse Attack in the BB84 protocol, we use the approach outlined in Ref. [6].In this case, the state she prepares can be written as where Here, the states |z ± and |x ± are defined as where |n l and |n t denote an n-photon state in the leading and trailing pulse, respectively.Here, p Z denotes the probability she prepares a state in the Z-basis and p X = 1 − p Z denotes the probability she prepares a state in the X-basis.She sends the B system to Bob, and Bob measures his state either in the Z = {|0 , |1 } with probability p Z or in the X = {|+ , |− } basis with probability p X .For simplicity, we again assume Alice and Bob make the their basis choices with the same probabilities p Z and p X .The protocol under consideration here is the prepareand-measure BB84, thus the measurement POVMs for Alice are the standard basis: We again consider the depolarizing channel to simulate the statistics in our calculations: (D11) In addition to these constraints, we assume that Alice has characterized her source well.In other words, the state ρ A = Tr BE (ρ ABE ) = Tr B (ρ ′ AB ) is known exactly to her, such that we can add a set of tomographically complete observables {Ω j A } on system A, and also add the calculated corresponding expectation values {ω j } into the set of constraints.We add the constraints: which are known exactly with a failure probability of zero even in the nonasymptotic regime.Since ρ A is a valid normalized density operator, we find the values of {Ω j A } and {ω j } in our simulations by computing the spectral decomposition of ρ A = j p j |ψ j ψ j | A , such that Ω j A ≡ |ψ j ψ j | A and ω j ≡ p j .Under the Trojan-horse attack, Alice's state ρ A is constrained to be the following: The key rate calculation for the asymptotic regime was considered in Ref. [6].We consider the nonasymptotic regime, where we evaluate the security of an ε sec -secret and ε cor -correct QKD protocol with ε sec = 10 −10 and ε cor = 10 −15 .The breakdown of the security parameters are tabulated in Tab.I. Fig. 8 shows the secret key rate as a function of the number of pulses sent by Alice.The bounds from the von Neumann entropy calculations outperform the bounds from the min-entropy except for the case of zero QBER.We note this is the first time nonasymptotic security of a QKD protocol under Trojanhorse attack has ever been studied.

2 .
Parameter estimation.Next, Alice and Bob perform parameter estimation where they reveal a random sample of m signals through the public classical communication channel to estimate the statistics of their data.Sifting is often (but not always) also performed, in which Alice and Bob discard those data where they have chosen a different measurement basis.At this step, they are left with n ≤ N − m number of signals, called the raw keys, from which they can eventually generate secret keys.Let us denote their raw keys by Z A and Z B , both of which have the length |Z A | = |Z B | = n.

FIG. 1 :
FIG. 1: Nonasymptotic secret key rate per pulse for the BB84 protocol calculated using the von Neumann entropy (top) and the min-entropy (bottom) for different values of QBER.The line is a known theoretical curve calculated from Eqs. (20) and (21), and the dots are reliable lower bounds on the key rate calculated numerically.

FIG. 3 :
FIG. 3: Secret key rate per pulse for the B92 protocol calculated using the von Neumann entropy (top) and the minentropy (bottom) for different values of depolarizing probability p.

7 FIG. 4 :FIG. 5 :
FIG. 4: Secret key rate per pulse for the Twin-Field QKD protocol as a function of the overall loss between Alice and Bob.The different lines are for QKD operations with different dark count probability p d .The black dashed line corresponds to PLOB bound: the fundamental bound for direct repeaterless communications, calculated with η = 10 −(Loss in dB)/10 .

FIG. 6 :
FIG. 6: Secret key rate per pulse for the Twin-Field QKD protocol calculated at different values of dark count p d and overall channel loss.The key rates are obtained from von Neumann entropy (top) and from min-entropy (bottom).The dashed lines with the same color are the PLOB bound at the different loss values, i.e. blue: 60 dB loss, orange: 80 dB loss, green: 100 dB loss.

1 .
If P is nonempty and there exists an operator Y ≻ 0 such that Φ † (Y ) ≺ A, then there exists a primal feasible operator X for which A, X = p * and p * = d * , 2. If D is nonempty and there exists an operator X ≻ 0 such that Φ(X) ≻ B, then there exists a dual feasible operator Y for which B, Y = d * and p * = d * .Supplementary Note B: General framework for postselection Typically in a QKD protocol, Alice and Bob make public announcements during sifting in which they postselect for certain basis choices.During the quantum transmission stage, Alice and Bob measure their respective POVMs { M (a b ,av) A } and { M (b b ,bv ) B C23) which requires no dilation in the Hilbert space at all.

FIG. 7 :
FIG. 7:Secret key rate per pulse for the BB84 protocol calculated using the von Neumann entropy (top) and the minentropy (bottom).We consider different values of error rate Q and efficiency of the "1" detector η1.We assume that the "0" detector has unit efficiency, i.e. η0 = 1.For all plots, the lines are the results of our numerical method.

4 ( 1
FIG. 8: Nonasymptotic secret key rate per pulse for the BB84 protocol under a Trojan-horse attack for different values of error rate Q and mean number of reflected Trojan photons µout.The key rates are calculated using the von Neumann entropy (top) and the min-entropy (bottom).All lines are calculated using our numerical methods.
A , S B ) of length |S A | = |S B | = ℓ.ε PA measures how close the output of the hash function, i.e. the secret keys S A and S B are, from a uniform random bit string conditioned on the eavesdropper's, Eve's, knowledge.(Relevant security parameter: ε PA .) 5. Privacy amplification.Next, they apply another two-universal hash function (of different resulting hash length than the previous one in the error verification step) to extract a shorter secret key pair (S

TABLE I :
Values of security parameters and other relevant quantities for parameter estimation, assuming equal security parameters of ε ′ for the two numerical bounds: one bound is calculated using von Neumann entropy and another bound using min-entropy.The parameters listed here are: εEC: errorcorrection failure probability; εPA: privacy-amplification failure probability; ε: smoothing parameter for smooth minentropy; αPE: fraction of signals used for parameter estimation; ε i PE : failure probability of estimating parameter described by constraint Γi; εPE: parameter-estimation total failure probability; nPE: number of constraints to be quantified from the parameter estimation step; εsec: secrecy failure probability; εcor: probability that Alice and Bob's secret keys are not identical.
AB in the standard basis of A, i.e. in the {|0 A , |1 A } subspace.And, |i j| A i|ρ AB |j A , (C39) describing the lower-right block of ρ AB in the standard basis of A, i.e. in the {|2 A , |3 A } subspace.Applying Lemma C.1 to D S(ρ AB ) Z Z Av (S(ρ AB ) gives us: