Simple security proofs for continuous variable quantum key distribution with intensity fluctuating sources

Despite tremendous theoretical and experimental progress in continuous variable (CV) quantum key distribution (QKD), the security has not been rigorously established for most current continuous variable quantum key distribution systems that have imperfections. Among these imperfections, intensity fluctuation is one of the principal problems affecting security. In this paper, we provide simple security proofs for continuous variable quantum key distribution systems with intensity fluctuating sources. Specifically, depending on device assumptions in the source, the imperfect systems are divided into two general cases for security proofs. In the most conservative case, we prove the security based on the tagging idea, which is a main technique for the security proof of discrete variable quantum key distribution. Our proofs are simple to implement without any hardware adjustment for current continuous variable quantum key distribution systems. Also, we show that our proofs are able to provide secure secret keys in the finite-size scenario.


I. INTRODUCTION
Quantum key distribution (QKD) allows two distant parties to share a common string of secret data [1][2][3].Based on the laws of quantum mechanics, QKD offers information-theoretical security.QKD has aroused much interest in both theoretical protocol and experimental demonstration, because it is considered the first application of quantum information science to reach commercial maturity.For example, the implementation of discrete variable (DV) QKD protocols including satellite-to-ground QKD [4] and chip-based QKD [5][6][7] have demonstrated the potential for commercial applications in the filed of quantum information.Besides, twin-field QKD [9,10] has been proposed to outperform the well-known rate-loss limit [8] and largely extend transmission limits.Compared to DV protocols, continuous variable (CV) protocols have the potential for high-key rate and low-cost implementations using current standard telecom components such as homodyne detectors [3].Recently, CV QKD experiment has demonstrated the secret key transmission over a long distance from 100 km [11] to more than 200 km [12].
Despite the enormous progress in the field of QKD, the most important question in quantum communication is always how secure QKD really is.For example, are QKD systems secure when implemented with practical devices?Fortunately, measurement-device-independent QKD [13] can remove all imperfections and security loopholes in the measurement devices, and therefore we only need to consider the imperfections in the source devices.Imperfect sources, such as the correlated intensity fluctuations in optical pulses [14] and setting-choice-independently correlated light sources [15], have been recently analyzed in DV QKD systems.However, the security research concerning CV QKD with imperfect source has fallen behind that of its discrete-variable cousin.For instance, almost all existing CV QKD proofs require a perfect state preparation [16], i.e., Gaussian modulation, which cannot be guaranteed in a practical CV QKD system with imperfections and limitations [17,18].The security of continuous-variable quantum key distribution with noisy coherent states has been analyzed in [19][20][21] by introducing an independent and additive Gaussian noise to a perfect Gaussian modulation.However, in the practical continuous variable modulation, the imperfections might not work independently or additively with Gaussian modulation.For example, intensity fluctuation is one of the potential practical problems affecting the use of Gaussian modulation by its dependence on modulated quadratures.Therefore, in this work we study intensity fluctuations in practical CV QKD systems.Our intensity fluctuation model is an arbitrary distributed random variable with a unit mean value.Depending on whether the intensity fluctuation information is accessible or not to Alice, our security analysis of a QKD system can be generally divided into two cases:(1) Alice can ,and (2) Alice cannot monitor intensity fluctuation values for every pulse.
In this work, we prove the security for the two cases based on different techniques.Particularly, in case (1) , because Alice's information can help modify her data, the security proof is based on the integrating over the distribution of intensity fluctuations.Also, a refined data analysis is developed to improve the QKD performance over long distance.In case (2), Alice can not exactly monitor every signal pulse.Depending on whether Eve has the intensity fluctuation information, we divide case (2) into two subcases: (2A)Eve can, and (2B)Eve cannot monitor intensity fluctuation values for every pulse.In subcase (2A), we prove the security based on Gaussian extremality [22,23].In the most conservative case (2B), we apply the concept of tagging, previously developed for DV QKD in [24] , to the security proof of CV QKD.Specifically, we divide up signals into two distinct sets, untagged and tagged.Untagged signals are those whose intensities fall inside a prescribed region, whereas tagged signals are those whose intensities might fall outside the prescribed region.In the actual protocol, the QKD system users do not need to know whether each signal is tagged or untagged.They only need to be able to set a bound for untagged signals, which would lead to the security of their generated key.Moreover, given the distribution of intensity fluctuations, the users could obtain the probability of untagged signals and further optimize the secret key rate by the fraction of untagged signals.In the end, our proofs for all cases are simple to implement without any hardware adjustment for the current continuous variable quantum key distribution system.Alice and Bob are free to choose choose different security proofs to generate the secret key based on their device assumptions.In the end, we demonstrate that our proofs are able to provide secure secret keys in the finite-size scenario over distances larger than 50 km.

Intensity Fluctuation Model
Here, we define our model for experimental intensity fluctuations.For example, suppose that a desired pulse intensity is I A , however, Alice actually prepares a pulse with the intensity of kI A .We denote k as a random variable to characterize the intensity fluctuations, with mean value E k and variance V k .This intensity fluctuation can be caused by power fluctuations of a laser or imperfect intensity modulators [25].In this paper, for simplicity, we assume the following conditions of the random variable k: 1) k is an independent and identically distributed (i.i.d.) random variable.
2) k has a mean value E k and a variance V k , where E k is 1.
3) k is independent of the pulse intensity I A . 4) the probability distribution function of k can be obtained before the experiment by testing the source device.5) the probability distribution function of k will not change during the QKD transmission.
Here, these conditions are assumed to simplify our model for experimental intensity fluctuations.Conditions 1)-3) are the intrinsic constraints and assumptions for the intensity fluctuations.Conditions 4)-5) are the assumptions for system characterization, which is required before QKD transmission.
CV QKD system description Fig 1 shows that, with the intensity fluctuation information, QKD systems can be generally divided into two cases for security proofs.To fairly compare the results, an ideal CV QKD system is added as the baseline case (0) for benchmarking.Here, following [24] we introduce a hypothetical party Fred, who controls the intensity fluctuations k for every optical pulse, e.g., the intensity fluctuation can be controlled by temperature drift.Through secure communication, Fred would choose to reveal the value of k to Alice.In total, there are two cases: (1) Fred discloses the actual value of k to Alice; (2) Fred does not disclose the actual value of k to Alice.In both cases, because the actual pulse intensity is kI A , the actual encoded Gaussian random variable now becomes √ kX A and Alice sends out a mode Â1 = 0+ √ kX A .In case (1), Alice has access to the intensity fluctuation values k and can further revise her data from X A to √ kX A for every pulse.In case (2) , Alice does not have access to the intensity fluctuation values k.Depending on whether Eve has the intensity fluctuation side information, we divide case (2) into two subcases (2A) and (2B) for security proofs.
For a common QKD system, it is usually assumed that Eve often has infinite power in the channel with only limitations from the laws of physics.In other words, the source should always be assumed to be secure and no information in the source stage can be disclosed to Eve.Here, we divide the QKD systems into different cases only based on the source information leakage assumptions.It is open for Alice and Bob to consider which case is acceptable in their QKD transmission process.For case (1), the justification is that Alice can have access to the device imperfection in real time.For case (2A), the justification is that Alice should use a certified device which come from a faithful company.For case (2B), this is most conservative case.If Alice does not have enough confidence on the device, they can always choose case (2B).Note that, the authors in [26] have applied the similar idea to the detection stage where they assume that the detection process is inaccessible to eavesdroppers.
(0) ideal CVQKD system (k=1) Here, the symbol "?" in case (1) means two possible subcases that Eve can or cannot have access to the intensity fluctuation information.The No Entry sign in case (2) means that the intensity fluctuation information will not be disclosed to Alice or Eve.

Security proof for case (0)
Here, we briefly review the security proof for an ideal CV QKD system.Because the security against coherent attacks can be reduced to that against collective attacks by using de Finetti representation theorem for infinite dimensions [27], for simplicity, we only consider asymptotic security against collective attack .Given reverse reconciliation communication, the asymptotic secret key rate is given by the Devetak-Winter formula [28][29][30]: where β is the reverse reconciliation efficiency, I AB is the mutual information between Alice and Bob, and χ BE is the mutual Holevo information between Bob and Eve.Given parameter estimations of transmittance T and excess noise ε, the computation for I AB and χ BE can be found in the Supplementary Section I.

Security proof for case (1)
In case (1), Alice has access to the intensity fluctuation values k and can further revise her data from X A to √ kX A for each pulse.The security proof is based on two conclusions: a) the strong superadditivity of secret key rate; b) the weak law of large numbers.Suppose Alice and Bob share n modes in a joint state ρ A1,2,...nB1,2,...n , and Alice has the intensity fluctuation information k i for the i th mode.Conditional on the k i , The secret key rate for this joint state can be shown as where P DF (k) is the probability density function of k, R(ρ AiBi|ki ) is the secret key rate conditional on the k i .In the first line of Eq.( 2) , we use the strong superadditivity of the secret key rate from [23].Then in second line, we argue that by the weak law of large numbers, the sum over all reduced modes converges to the average over its probability density function in the limit n→∞.
Given the intensity fluctuation information, we propose that a simple refined data analysis can be adopted by Alice to improve the maximum distance and defend against possible attacks based on intensity fluctuations.Here, we describe a refined data analysis process as below: (1) Based on the probability density function of k, Alice will divide k into a number of sets with equal probability.(2) Alice and Bob will perform the parameter estimation individually for each set, obtaining the channel transmittance and excess noise and verifying whether the channel transmittance matches with that from another set.This process is used to defend any possible attack for Eve based on intensity fluctuation information.(3) For certain sets, if R 0 (k,T )<0, Alice and Bob will simply drop all the data from such sets.
After a refined data analysis, the secret key rate can be expressed as TABLE I: Evaluation parameters for fiber-based QKD [28,31] η ε c v el V A β 0.60 0.02 0.02 18 95.6  I, where η and v el are, respectively, the detection efficiency and electronic noise of the homodyne detector, ε c is the excess noise in the channel, V A is the modulation variance and β is the reverse reconciliation efficiency.In Fig 2(a), we choose the probability density function of k to be an uniform distribution from 0.9 to 1.1.In Fig 2 (b), we choose the probability density function of k to be an uniform distribution from 0.8 to 1.2.Through simulation, we find that the secret key rate R 1 is approximately same as R 0 .By refined data analysis, the maximum transmission distance can be improved from 94km to 130km in Fig 2(a), and from 94 km to 199km in Fig 2(b).This maximum transmission distance improvement is expected, since the refined data analysis can be regarding as a pre-selection of optimal Gaussian states for long distance.
where I(X A ,X B ) is the mutual information between Alice's and Bob's classical recorded data X A and X B , and A is the Holevo mutual information between Bob and Eve given the actual input mode Â1 before the channel.Here, I(X A ,X B ) can be directly obtained from the data sets, while an upper bound for χ(X B ,E) | √ kX A is needed.Next, we use the Gaussian extremality [22,23] that the Holevo information χ(X B ,E) | √ kX A between Eve's and where X G A and X G B are, respectively, the Gaussian random variable with the same first and second moments as X A and X B .
Next, we will estimate the equivalent transmittance T s and excess noise ε s in the source caused by the data mismatch.According to the Supplementary Section II, suppose Alice records X A and the actual encoded data is √ kX A , the equivalent T s and ε s can be expressed as In addition to the channel transmittance T c and excess noise ε c , Alice and Bob would estimate an overall transmittance T and excess noise ε such that   I.In Fig 4(a), we compute the secret key rates for the uniform distributed intensity.Even if the pulse intensity fluctuate 5%, the maximum transmission distance will still drop about 10 km.In Fig 4(b), the secret key rates are obtained for the Gaussian distributed intensity.The variances of the Gaussian distribution range from 0 to 10 −2 .When the variance increases to 10 −2 , the maximum transmission distance will decrease by about 40 km.In other words, when the standard deviation of Gaussian distribution is 10%, the maximum transmission distance will drop significantly.

Security proof for case (2B)
In this section, we consider case (2B): Eve has intensity fluctuation information while Alice has no information.Before we jump into security proof, we first define the untagged Gaussian state.Here, we apply the concept of "tagging" [24] to case (2B) of CV QKD.Suppose Alice sends out n Gaussian modulated coherent pulses to Bob and the i th pulse has a intensity fluctuation value k i .However, Alice has no information about the intensity fluctuation value for each pulse, and Alice can only record data set as k i =1.Now we define the Gaussian modulated coherent states with intensity fluctuation value k i <1 as untagged Gaussian states.It is easy to verify that when Alice sends out a stronger pulse than what she is supposed to send, Alice and Bob will definitely overestimate the secret key rate by underestimating the channel loss and excess noise.Therefore, the untagged Gaussian states are defined to be the states from which Alice and Bob will not overestimate the secret key rate.In other words, the untagged Gaussian states are always conservative secure.Next, we can introduce an cutoff k max based on the intensity fluctuation probability density function.As depicted in Fig 5,if Alice chooses a cutoff k max , the Gaussian states associated with lower intensities than k max I A would always be untagged.Then the probability to get untagged Gaussian states can be expressed as Note that a modified QKD protocol is needed to implement an optimal cutoff for CV QKD.The modified protocol only requires a different data recording process on the state preparation stage while maintaining the same output states.In other words, suppose Alice desires to encode X A and the actual encoded data is √ kX A , Alice should always record the data as rather than X A for each pulse.Here, we conservatively assume the attenuation from a stronger pulse A 0 to a weaker pulse A 1 can be controlled by Eve.In Fig 6(b), for each tagged signal, the intensity is always larger than the threshold value recorded by Alice.Following GLLP security proof [24] , we conservatively assume that tagged signals are insecure.Therefore, we only consider the secret key rate extracted from untagged Gaussian states.
Suppose that a fraction p s of the pulses emitted by the source are untagged by Eve.The secret key for direct reconciliation can be extracted from untagged Gaussian states at an asymptotic rate as [24] The secret key for reverse reconciliation can be shown as where X A and X B are Alice's and Bob's recording data, p s H(X A ) and p s H(X B ) is the differential entropy used to generate the secret key rate depending on direct reconciliation or reverse reconciliation, H(X A |X B ) and H(X B |X A ) is the conditional differential entropy for error correction, χ A E,ps is the Holevo information between Alice and Eve for the untagged states, and χ BE,ps is the Holevo information between Bob and Eve for the untagged states.The Holevo information between Alice/Bob and Eve should be eliminated by the privacy amplification process.H(X A ) and H(X A |X B ) and H(X B ) can be directly estimated by Alice and Bob's data.Given the reconciliation efficiency β, the secret key rate can be shown as Next, we need to find a bound for the Holevo information.Mathematically, it can be shown that Holevo information is monotonically increasing on the domain of k.Physically, when the input pulse has a stronger intensity, Eve can obtain more information about Alice's and Bob's recorded results.Therefore, for the untagged states, the Holevo information can be bounded χ A E,ps ≤p s χ A E , where χ A E and χ BE are the Holevo mutual information between Alice/Bob and Eve estimated from Alice's and Bob's recording results X A and X B .
Next, we will estimate the equivalent transmittance T s and excess noise ε s .According to the Supplementary Section III, the equivalent T s and ε s can be expressed as In addition to the channel transmittance T c and excess noise ε c , Alice and Bob would estimate an overall transmittance T and excess noise ε such that ε=ε c /T s +ε s For the secret key rate evaluation, we compare the secret key rates for two intensity fluctuation models: Gaussian distribution and uniform distribution.We still use the parameters in the Table I.For the optimization, if we increase the k max , p s will be increased, while T s will be decreased.Therefore, we need to optimize k max to get the maximum secret key rates.
Fig 7 shows the key rate optimization results for the uniform distribution.Here, we consider the reverse reconciliation scheme.Compared to case (2A), the maximum transmission distance decreases faster due to intensity fluctuations.The maximum transmission distance will drop by about 20 km even if the pulse intensity fluctuates 5%.Meanwhile, the optimal k max will always be the maximum value of its domain for a uniform distribution.
Fig 8 shows the key rate optimization results for the Gaussian distribution.Here, we also consider the reverse reconciliation scheme.The maximum transmission distance decreases rapidly when the intensity fluctuations increase.Other than the uniform distribution, the optimal k max will be monotonically increasing as a function of distance.When comparing these two intensity fluctuation models with same variance, we find that QKD with Gaussian distributed variation will have a lower key rate and transmission distance, since it always has a tail part for tagged Gaussian states.
Secret key rate with finite-size effects In this section, we compute the secret key rate under finite-size scenario.Without loss of generality, we consider case (2B) as a example.As discussed in [32,33], by setting confidence intervals for both T and ε, we can can obtain the lower bound of the transmittance, T L , and the upper bound of the excess noise, ε U .By incorporating our tagging idea, we should also obtain the lower bound of the probability, p L s , to get untagged Gaussian states.With the three bounds, the secret key rate with finite-size effects, R f , can be shown as [32,33]:

III. CONCLUSION
We have studied the security of CV QKD with intensity fluctuating sources.Generally, We divide current CV QKD systems into two cases for security proof.Depending on Alice's realistic assumptions for the devices, Alice and Bob can choose different security proofs and obtain different secret key rates.In case (1) , Alice can monitor the intensity fluctuation value for each pulse.She can revise her data and obtain almost the same secret key rate as what she can obtain from the ideal CV QKD systems.Furthermore, by a refined data analysis, the maximum transmission distance can be observably improved.In case (2), depending on the devices assumptions, we also divide CV QKD systems into two subcases (2A) and (2B).In case (2A), both Alice and Eve cannot obtain any intensity fluctuation information of each pulse.Here, we prove the security based on Gaussian extremality.The secret key rate will decrease if the intensity fluctuation increases.In case (2B), Eve could have the intensity fluctuation information of each pulse while Alice cannot.Here, we apply the tagging idea from [24].We divide the signals into tagged and untagged signals, and the secret key will only be generated from untagged signals.After considering the total error correction cost and privacy amplification, the security of case (2B) can be proved.In addition, we also validate our method under finite-size regime.Overall, our security proofs are simple to implement without any hardware adjustment for current CVQKD systems.In the future, we are looking for applying our methods to solve other imperfections such as phase modulation errors or atmospheric channel effects.

FIG. 1 :
FIG.1: Here, practical CV QKD systems can be divided into two cases based on the Alice's information about intensity fluctuations.One ideal case (0) is added for comparison.In case (0), a CV QKD system does not have any intensity fluctuations.In case(1), Alice can monitor the intensity fluctuations.In case (2), Alice cannot monitor the intensity fluctuations.Depending on whether Eve has intensity fluctuation information or not, case (2) is divided into two subcases (2A) and (2B).Here, T c and ε c are, respectively, the channel transmittance and excess noise between Alice and Bob.η and v el are the the detection efficiency and electronic noise of the homodyne detector.Here, the symbol "?" in case (1) means two possible subcases that Eve can or cannot have access to the intensity fluctuation information.The No Entry sign in case(2) means that the intensity fluctuation information will not be disclosed to Alice or Eve.

Fig 2
Fig 2  shows the simulation result for the secret key rate R 0 , R 1 and R 1R .We use the parameters listed in TableI, where η and v el are, respectively, the detection efficiency and electronic noise of the homodyne detector, ε c is the excess noise in the channel, V A is the modulation variance and β is the reverse reconciliation efficiency.In Fig2(a), we choose the probability density function of k to be an uniform distribution from 0.9 to 1.1.In Fig2 (b), we choose the probability density function of k to be an uniform distribution from 0.8 to 1.2.Through simulation, we find that the secret key rate R 1 is approximately same as R 0 .By refined data analysis, the maximum transmission distance can be improved from 94km to 130km in Fig2(a), and from 94 km to 199km inFig 2(b).This maximum transmission distance improvement is expected, since the refined data analysis can be regarding as a pre-selection of optimal Gaussian states for long distance.
Security proof for case (2A) Here, we consider case (2A): Alice and Eve both have no intensity fluctuation information.As shown in Fig 3, for each pulse, Alice has no intensity fluctuation information and can only record the data X A .However, what Alice really encodes is the mode Â1 = 0+ √ kX A .By considering reverse reconciliation with the Bob's recorded data X B , The secret key rate can be expressed as

1 FIG. 2 :
FIG.2: Here, we compare the secret key rate, R 0 ,R 1 and R 1R .In Fig2(a), the intensity fluctuation model is a uniform distribution from 0.9 to 1.1.The secret key rate R 1 is approximately same as the key rate R 0 for ideal CV QKD system.In Fig2(b), the intensity fluctuation model is a uniform distribution from 0.8 to 1.2.It is clearly demonstrated that both maximum transmission distances can be improved by refined data analysis.

) ε=ε c /T s +ε s
FIG. 4: Here, we compute the secret key rates R 2A with two intensity fluctuation models.(a)The secret key rates versus transmission distance for different intensity fluctuation models of uniform distribution.(b)The secret key rates versus transmission distance for different intensity fluctuation models of Gaussian distribution.

FIG. 5 :
FIG.5: Here, we apply a cutoff k max to increase the probability of untagged Gaussian states.

(
FIG.6: Here, we show the CVQKD system with untagged and tagged Gaussian states.Suppose that Alice always records the data as √ k max X A and has a virtual mode Â0 corresponding to the modulation Â0 = 0+ √ k max X A .Alice's actual output mode is Â1 = 0+ √ kX A .In Fig6(a), untagged states are always secure because we conservatively assume the attenuation from a virtual mode Â0 to a actual output Â1 can be controlled by Eve.InFig 6(b), tagged states are insecure if we consider the same attenuation mentioned before is controlled by Eve.

8 FIG. 9 :
FIG.9: Here, we compute the secret key rate vs distance with finite-size effects.Numerically optimized secret key rates are obtained for a fixed block size N =10 s with s=8,9,10,11 and 12.The rightmost curve corresponds to the asymptotic secret key rate.Here, we consider the Gaussian distribution model with variance 10 −4 .The failure probability of parameter estimation is P E =10 −10 .The failure probability of untagged Gaussian states is ugs =10 −10 .The failure probability of privacy amplification is P A =10 −10 .
AB shared by Alice and Bob is Gaussian.In other words, we can obtain the upper bound of χ(X B ,E) | √ kX A by substituting Alice's and Bob's actual mode Â1 , B with Gaussian modes which have the same first and second quadrature moments.By calculating the mean value and variance of √ kX A , we can obtain that < √ kX A >=<X A >=0,<kX 2 A >=<X 2 A >=V A .Furthermore, we obtain the upper bound that 8 to 1.2.It is clearly demonstrated that both maximum transmission distances can be improved by refined data analysis.Classical processing FIG.3:Here, we consider case (2A) that Eve also has no intensity fluctuation information.Therefore, Eve can only manipulate the signal states in the channel.Due to intensity fluctuation, Alice will have a recorded data mismatched with what she really encodes.Bob's classical variables, is maximized when then the state ρ