Composable end-to-end security of Gaussian quantum networks with untrusted relays

Gaussian networks are fundamental objects in network information theory. Here many senders and receivers are connected by physically motivated Gaussian channels, while auxiliary Gaussian components, such as Gaussian relays, are entailed. Whilst the theoretical backbone of classical Gaussian networks is well established, the quantum analog is yet immature. Here, we theoretically tackle composable security of arbitrary Gaussian quantum networks, with generally untrusted nodes, in the finite-size regime. We put forward a general methodology for parameter estimation, which is only based on the data shared by the remote end-users. Taking a chain of identical quantum links as an example, we further demonstrate our study. Additionally, we find that the key rate of a quantum amplifier-assisted chain can ideally beat the fundamental repeaterless limit with practical block sizes. However, this objective is practically questioned leading the way to future network/chain designs.


Introduction
− log 2 (1 − ), where  is the channel's transmissivity, is the maximum fundamental rate, in bits, at which two distant parties can distribute quantum bits, entanglement bits, or secret bits.This is known as the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound and holds for any point-to-point protocol of quantum communication [1].Since the discovery of PLOB, vast efforts have been made to break its hindrance, e.g., by using quantum repeater chains [2,3].In fact to outclass the PLOB bound, it is necessary to insert in-the-middle quantum stations, which can also be set out in a non-chain configuration to build a quantum network withal.Thus, one ultimate goal is not only to surpass the PLOB bound, but also to branch out a network of quantum links that would enable simultaneous secure communication or key distribution between more than just a few pairs of users [4].Such telecommunication networks can further develop to provide us with a future quantum internet for quantum-secure communications [2,3] and distributing quantum computing [5][6][7][8].
Gaussian networks, inter alia, are at the core of classical information theory, upon which concepts of communication networks have been developed [9].Such networks, e.g., a large network of optical fibre links, have been studied and evolved in response to our continuous demand for data communications.They, as the name suggests, enjoy Gaussian signal assumptions and Gaussian links, where random variables with Gaussian probability density functions describe the channel noise.In addition, any other component, e.g., repeater relays, that makes the process of data communications possible or alleviates it is Gaussian, such that none of the shared * These authors have contributed equally to this work.FIG. 1.Quantum communication network.Two arbitrary endusers, Alice () and Bob (), can communicate through diverse, not necessarily direct, routes that extend across intermediate untrusted sender-receiver pairs that act as relays (yellow nodes).Two possible routes are highlighted in red.The quantum network is Gaussian if the operations at the nodes and the channels associated with links are all Gaussian, so that the final state shared by Alice and Bob is Gaussian.More weakly, we also include the possibility of non-Gaussian post-selection operations which however project into a Gaussian state when they are successful (see text for more details).
variables/distributions between users of the network becomes non-Gaussian.In this work, we put our focus on Gaussian quantum networks that benefit from Gaussian input signals, Gaussian quantum channels, and auxiliary Gaussian quantum devices.In particular, we study end-to-end security between two arbitrary users of a Gaussian quantum network who are generally linked via untrusted nodes (see Fig. 1).More weakly, as we explain later, we also admit some post-selection operations that are conditionally Gaussian, i.e., projecting into a Gaussian state when they are successful (discarding their output otherwise).
While examining a quantum network, not only is it fundamental to compute the relevant communication rates between arbitrary users, namely upper, lower and achievable rates, but it is crucial to evaluate composable key rates with a finite number of uses of the network.Evaluating the rate is possible by analysing the data statistics that the parties would obtain through the so-called parameter estimation (PE) [10][11][12].For a typical single link, PE analysis, which commonly refers to estimating channel parameters (loss and noise), is relatively straightforward [13,14].However, PE can become very challenging in large-scale quantum networks.For these reasons, we do not consider estimating channel parameters; instead, we use PE in a more general sense by directly estimating measurable quantities, e.g., the covariance matrix of the end parties.
In the context of continuous-variable (CV) quantum key distribution (QKD), we show that any two users of a Gaussian quantum network can successfully extract composable secret keys from their local shared data, together with any classical public data that they might receive from other stations of the network.As mentioned above, an important point to remark is that we allow the network to deviate from being Gaussian, including the possibility to be conditionally Gaussian, i.e., described by a Gaussian state only after the success of a non-Gaussian, post-selection mechanism (feature which is needed for effective entanglement distillation [15][16][17][18][19]).In particular, this happens when non-deterministic quantum amplifiers are in use, where they sporadically fail to amplify [20][21][22][23][24][25].We further investigate the use of such amplifiers in a linear quantum chain.

Results and Discussion
Gaussian quantum networks.We consider the scenario where Alice and Bob are two arbitrary users of a quantum network, as sketched in Fig. 1; their objective is to remotely share a secret key.Let us assume that there are  − 1 stations that relay signals from Alice to Bob through a specific route that is made of  basic links.As Fig. 2a schematically illustrates, an arbitrary route can be seen as a chain of quantum links.It is also assumed that a powerful eavesdropper (Eve) may operate the intermediate stations and also store all the lost portion of the signals into her quantum memories (QMs).The relay stations may consist of several components.For instance, they can be equipped with entanglement sources, such as two-mode squeezed vacuum (TMSV), quantum amplifiers, quantum memories, and a classical communication system; see Fig. 2b.Nonetheless, the key role of the relays is to connect adjacent links via joint Bell measurements, whose outcomes   (for  = 1, . . .,  − 1) are aired to Alice and Bob for local data processing.Note that, in case the relays operate differently from expected, this would reflect in high amount of noise in Alice and Bob's shared data.
Figure 2c captures the role of the network in terms of quantum teleportation-stretching formalism [1].The network provides end-parties, Alice and Bob, with a bipartite (entangled) Gaussian state, which we call the network state    | {  } , before   's corrections are applied.We conventionally assume that the initial single links are of zero mean.However, execution of a relay, e.g.,  1 , displaces the mean value of the state by an amount  ( 1 ) proportional to  1 .In order to 'correct' this a displacement operation, e.g.,  1 , should be applied accordingly.Similar displacement operations are applied due to other relay outcomes that can all be postponed to one end.Thus, in this way, the mean value of the network state after   corrections, now described by    , becomes independent of the   's (in fact we balance it to zero).Further, since displacements are local operations, the network state will have a covariance matrix (CM) V   = V   | {  } , which is described in the normal form Therefore, the network state supplies Alice and Bob with an overall two-mode Gaussian state that can be used to implement different one-way-like communication protocols.We remark that the Gaussianity assumption can be weakened because of conditioning, or post-selection, where re-FIG.2. A quantum communication chain within a network.a, An arbitrary route between Alice and Bob can be seen as a linear chain between them that consists of  links and  − 1 stations (  's).b, Each station can encompass a noiseless linear amplifier (NLA, ), a bipartite entanglement TMSV source (), a couple of QMs, and a non-ideal Bell detection, whose loss is simulated by a couple of beam splitters with transmissivity  B .c, A Gaussian quantum network provides the end parties with a Gaussian bipartite state, called the network state    .Displacement operations need to be applied according to the information received form the stations, as shown in a. d, The effect of the Gaussian quantum network in c can be simulated via a one-way Gaussian protocol with an equivalent source  , and an equivalent channel, E , with loss  and excess noise  .lays can actually impose non-Gaussianity on the entire network, yet the system can be assumed conditionally Gaussian.This situation occurs because measurable quantities, such as CM elements, depend on relay measurement outcomes, which may vary for different sets of {  }.This is similar to post-selection [26,27] or discrete-alphabet protocols [28,29] where, for example, the outcome set #1 gives V #1    , while the outcome set #2 gives V #2   that differs from the CM associated to that of set #1.Thus, one needs to build an average rate over all possible outcome sets.Therefore, the average state/CM would be non-Gaussian.Nevertheless, if in such situations we choose to discard the unsuccessful events, then the post-selected state between Alice and Bob is Gaussian.
Security reduction.It is conceivable that the types of attack that eavesdroppers may apply on a multi-link quantum network can be more complex than the way they would attack conventional one-link protocols.For instance, in a quantum network a subset of the links that form the route from Alice to Bob may have correlations.In fact, Eve may adapt her attack on a link based on the information she has gained while attacking other, previous links.This generally defines a collective network attack, which has memory between the links but is memory-less between different uses of the network.Such inter-link correlations are taken into account in the network state or, alternatively, its corresponding CM.This is due to the fact that we consider only the end-to-end Gaussian CM for the analysis. 1As a requirement for our analysis, it is important to note that the CM of the network state is in normal form of Eq. ( 1).
Nevertheless, there may also be correlations between subsequent uses of a route, which defines an even more powerful and general, coherent attack.Hence, we need to prove the security when the eavesdroppers develop inter-use correlations, i.e., when they apply a coherent attack.Our solution is to tackle this problem by reducing the Gaussian quantum network security to that of one-way protocols, for which optimality of collective Gaussian attacks has been proven [30].In this way, we reduce the complexity of the problem and extend the security analysis under collective attacks to coherent attacks.
Assume that the end-nodes of the network,  and  , remain in the Gaussian regime.We can seek for equivalent parameters of a single Gaussian channel that does the same job.In fact, the overall function of a Gaussian quantum network can be reduced to, and modelled by, a one-way Gaussian channel, with loss  and excess noise  , applied to an equivalent source with modulation  .See Fig. 2d, where we have that such equivalent parameters builds up a CM in normal form It is straightforward to find the elements of the CM of the equivalent state, given by Eq. ( 2), in the terms of the triplet (a, b, c) in Eq. ( 1) that describes the network state    ; one can obtain ( Note that V eqv   is bona fide, i.e.,  ≥ 1,  ≤ 1, and  ≥ 0, when the CM in Eq. ( 1) is bona fide, i.e., a, b ≥ 1 and c ≤ min . This means that the original collective network attacks can be extended to coherent network attacks where correlations could happen between different uses of the network.Consequently, the optimality of Gaussian attacks in typical oneway Gaussian protocols is extended to Gaussian quantum networks.It is therefore a reasonable assumption to consider Gaussian eavesdropping which is the optimal strategy in the presence of protocols based on Gaussian resources.For this reason, for our security analysis and composable study we consider network attacks that are collective and Gaussian.
Emulation of sending-and receiving-only relays.It is conceivable that a node in a quantum network is exploited to only send/share or only receive/measure quantum signals.In order to keep our study as general as possible, especially when it comes to parameter estimation, we shall simulate such specific relays that include either a relay with some outcome  or a source with some variance  to feed its adjacent relays; see Fig. 3a1.Assume three single links that are connected via two Bell detection modules.The emulation can be performed by (i) applying the second relay on modes  and , which produces the outcome  2 , (ii) applying a correction/displacement,  2 , at the first relay on mode , which subsequently teleports mode  to  , and (iii) taking the limit  → ∞.As sketched in Fig. 3a2, we show that the above steps would reduce the two 'full' relays, which include a Bell measurement as well as a TMSV source, to a receiving-only and a sending-only relays.
For convenience, let us describe the situation in terms of the teleportation-stretching technique, developed in [1], as shown in Fig. 3b1 and b2.We shall show that in both cases, after taking the limit  → ∞, the resultant CM for modes   is the same.By assuming that E is a thermal-loss with transmissivity  and noise at channel output , we see that the scheme in Fig. 3b2 gives With a bit of math one can show that the execution of the relay in Fig. 3b1 gives One can then verify that V b1   equals the CM in Eq. ( 4) in the limit  → ∞.
In Fig. 3c1 and c2, we further verify that corrections based on broadcasted   's can be postponed to one end (here to the end-mode '').We do so by checking the equivalence when the displacement operator  2 can be postponed and performed along with  1 .The equivalence can be verified through checking both CMs and mean values.From upper and lower panels in Fig. 3c, it is clear that the equality holds for CMs since both scenarios start with the same resources and channels, on which only local displacement operations, which do not change the CMs, are applied.
For mean values, we start by the fact that initial mean value vector for the four involved modes is zero, i.e., x    = 0. Let us start from Fig. 3c1.The displacement  2 := (  2 +    2 )/ √ 2 implies that x    = (0 0   2   2 0 0 0 0) T , which after applying the balanced beam splitter of the Bell detection varies to Next, it can be shown that the execution of homodyne detection modules, with the outcomes   1 and   1 that forms  1 :=   1 +    1 , gives the mean value vector for the mode Then the parties apply the following displacement dependent on the outcomes FIG. 3. Emulation of specific nodes of a quantum network.a1 and a2, We emulate receiving-only and sending-only nodes.b1 and b2, We sketch the teleportation stretching form of a1 and a2, respectively.c1 and c2, We show that all displacement operations can be postponed to one, receiver end (see main text).Here, E and  represent a thermal-loss channel and single-mode displacement operation, respectively.(see main text for explanation).
and obtain the mean of mode  (rescaled by the factor Γ) In Fig. 3c2, after applying the Bell detection module, with outcomes   1 and   1 , we have that hence, we apply the displacement  1 (  1 ,   1 ) to obtain One can show that the mean value vector for the mode  after the displacement  2 (  2 ,   2 ) is given by whose entries can be tuned so that x down  = x up  .Note that we can define a "network number,"  net , which tells us how a generic network is different from a fully designed network whose nodes are all sending-receiving.Precisely, the number  net accounts for the number of onlyreceiving plus only-sending nodes.A fully designed network then has  net = 0. Note also that, as described in Fig. 3, such nodes always appear in pairs, such that  net is an even number, the reason being directionality of the generated signals as well as network's symmetry.In fact, like an entanglement source that feeds the two ends of a single link, the function of the network is to distribute entanglement towards both farends.Installing nodes that result in  net being an odd number, would break the directionality, and the symmetry, which therefore breaks off the links of the network.
Parameter estimation.The outcomes of the relays are bidimensional Gaussian variables   = (   ,    )  , which are taken into account by Alice and Bob to post-process their local variables.Let us focus on the -quadrature for the next derivations since equivalent steps hold for the -variable.To simplify the derivations, we in fact assume that  and  quadratures are not mixed by the eavesdropper so that they can be treated as independent variables.(This is a reasonable protocol assumption; extension is just a matter of technicalities).
In this work we assume that both Alice and Bob apply heterodyne measurements on the end-to-end modes  and  with outcomes   := (  ,   ) and   := (  ,   ), respectively, to establish a secure key.By assuming that the relays work properly and that the quadratures follow a normal distribution, we can write the variables that build the raw key for Alice and Bob, respectively, as where   's and   's are real numbers. 2For security reasons, we require   and   to be uncorrelated with the public variables    's that are known to Eve, i.e.,      = 0, which 2 In a prepare and measure variant, where Alice prepares coherent states, she generates variable z = √︃ is the variance of the Gaussian modulation of z .Hence, before applying Eqs. ( 13) and ( 14), one needs to apply a transformation, L = √︃ −1 +1 I, on z in order to obtain   .
imposes the following constraints from which one can calculate the weights   's (similar relations hold for   ,   and   's).Now, let us consider and study the sampled data [  ]  and [   ]  , for  = 1, . . ., , associated with variables   and    , respectively.From these, Alice can calculate the corresponding maximum likelihood estimators Next, to obtain values of the weights   's, she replaces these values in the set of  equalities in Eq. ( 15).She then continues with calculating [  ]  by replacing the   's, and the data points [  ]  and [   ]  , in Eq. ( 13).Indeed, Bob obtains similar relations for   and   's.At this stage the parties are in a position to compute the classical CM associated to their post-processed data where , and For the -quadrature we have that (not to mention that the parties repeat the same process for the -quadrature) when  pe is the number of signals sacrificed for PE.Note that, in principle, the parties can locally calculate the values from the estimators V  and V  using  data points while     demands sharing  pe data points through the public classical channel.These data can be easily acquired by Eve and thus must not contribute to the key generation.In general, the parties optimize the amount of shared data,  pe , so as to limit the uncertainty of terms such as     while still keeping as many samples as possible for the secret key.
The parties can compute an interval, with confidence 1 −  pe , for the estimated CM from which they derive the worstcase scenario CM, i.e., the CM that minimizes the key rate according to the sampled data with a probability larger than 1 −  pe .This CM is given by with  = ln(8 −1 pe ).This is calculated by using suitable tail bounds for the chi-squared distribution (see Methods).It is valid for any CM of two correlated systems even if the entries are given theoretically via a model, e.g.,  = √  + , with scale factor √  and variance  2  for the normal variable .Asymptotic key rate.We define the asymptotic secret key rate of sharing a key between two arbitrary users of a quantum network based on the Devetak-Winter rate [32] where  (  :   |{  }) is the mutual information between   and   and ( :   ) is the Holevo information between Eve's system and the reconciliation variable   , with  = () indicating direct (reverse) reconciliation.In this work, we focus on the reverse reconciliation  = .By definition, we have where is the von Neumann entropy of Eve's state,   (conditioned on the knowledge of the 's), and where   |    is the state conditioned on Bob's variable   (after the 's).With this in mind, the parties neither know the explicit description of Eve's system nor how she interacts with the links.However, by assuming that Eve purifies the system between Alice and Bob, such that   | {  } is a pure state, it holds that ( |{  }) = ( |{  }) and ( |  {  }) = ( |  {  }) [33], where the later equality also exploits the fact that Bob performs a rank-1 measurement (like heterodyne detection) therefore projecting the global pure state   | {  } into a reduced pure state   |  {  } .Since the state   | {  } is Gaussian, it is characterized by its CM, V  | {  } .In practice, this can be estimated by the worst-case quantum CM, V wc (compatible with the classical data shared by the parties) By setting we have that the conditional CM after Bob's heterodyne is given by Next, from the symplectic spectra   | {  } and  |  {  } , of V  | {  } and V |  {  } , we compute the Holevo information where In addition, the mutual information is given by [34]  (  : Therefore, the parties have calculated a modified asymptotic key rate that encompasses the worst-case scenario given the sampled data.This is correct up to an error  pe and is calculated from Alice's and Bob's remote, shared, data that account for the relay outputs   's without any assumption on the structure of the intermediate channels.To put it more precisely, the rate should be re-scaled in a way to account for the number of uses sacrificed for parameter estimation.We discuss this and other aspects in detail shortly.
Let us also remark that in all the derivation above, we assume that the conditioning associated with the   's create the same conditional CM for the shared state regardless of the actual values of   's.This makes sense only under the Gaussian assumptions for the network, but this is still true even in the presence of NLAs, where the network is conditionally Gaussian.
Composable finite-size key rate.The security of Gaussian quantum networks can be further extended by considering finite-size correction terms dependent on small failure probabilities of different processes of the protocol.Over a chosen route of the network, Alice and Bob would share the following classical-quantum state between themselves and Eve, who is assumed to perform a collective Gaussian attack, where  ≡  1  2 . . .  are Eve's systems; see Fig. 2a.Thus, at the end of the error correction, Alice and Bob possess correlated discretized variables   and   respectively associated with  ⊗  .As we discussed, the end-to-end CM, either built from sampled data or given by means of a proper model, would suffice to derive the secret key rate or suitable bounds by using the notions of coherent information and reverse coherent information of bosonic channels [35,36], as well as the relative entropy of entanglement [37].Since in a real-world scenario the parties exchange only a finite number of signal states, here the focus is put on composable finite-size analysis, which has become the touchstone for QKD security, rather than the ultimate bounds.The security of a QKD protocol is desired to be composable, i.e., the protocol must not be distinguished from an ideal protocol which is secure by construction [2].Mathematically, a composable security proof can be provided by incorporating proper error parameters, 's, for each segment of the protocol, namely, error correction (EC), privacy amplification (PA), smoothing, and hashing [10,11].
We assume that a total number of  Gaussian signals are measured by Alice and Bob.An amount  of these would be used for key extraction, while the rest  pe =  −  are left for PE, i.e., the evaluation of the CM.Upon successful completion of the EC procedure, with probability  ec , the composable finite-size secret key rate is given by [38] where the higher-order terms read The above equation is valid for a protocol with overall security  =  cor +  s +  h +  ec  pe , where  pe is the total error probability associated with PE.Assuming reverse reconciliation, the hash comparison stage of the finite-key analysis requires Bob sending log 2 (1 −  cor ) bits to Alice for some proper  cor (called  cor -correctness) and bounds the probability that Alice's and Bob's sequences are different even if their hashes coincide. h(s) is the hashing (smoothing) parameter.Conveniently one can also define the frame error rate FER = 1−  ec .
It is also assumed that by using an analog-to-digital conversion, each continuous-variable symbol is encoded with  bits of precision.The value of  pe in Eq. ( 33) can be computed in different ways depending on the level of reliability.In practice, one would use the sampled data to compute  pe using Eq. ( 23) and the worst-case CM shared by the end-users.Remarkably this is practically the most appropriate choice in the case of multihop quantum networks with untrusted relays.In the presence of a conditionally Gaussian network, the rate in Eq. ( 33) modifies by setting  →   s where  s is the probability of successful post-selection.As an example, in the following, we study a quantum repeater chain and compute the composable finite-size key rate considering the worst-case parameters for the end-to-end shared CM.
Numerical results.As we mentioned earlier, a route between two nodes in a quantum network can be seen as a chain of quantum links.We here apply our general techniques for quantum networks to study a quantum chain of identical links and generally-untrusted stations.We note that this is a mere example and that our methodology is generic that can be applied to any chain.Subsequently, by assuming the illustration in Fig. 2, we find the end-to-end CM and compute the composable finite-size key rate.
Let us assume the chain is made of  = 2  identical links (we call  the repeater depth), each described by a standard CM For a typical link (without an NLA), with a TMSV source , channel loss  and excess noise  (referred to the channel's input), we have that a 0 = , b 0 =  + 1 −  + , and c 0 = √︁ ( 2 − 1).By using similar techniques introduced in [39], the end-to-end CM between Alice and Bob, in the case of nonideal Bell measurements, is found to have the standard form with the following parameters As expected, for  B = 1 the above equations reduce to the previous results in [39].Next, we can apply the formula for finite-size key rate, given in Eq. (33).
In Fig. 4, we plot the secret key rate versus the overall distance between Alice and Bob.Assuming the CV QKD protocol with heterodyne detection, we compute  pe for the worstcase scenario CM.The links are thermal-loss channels, which we simulate by considering optical fibres with the loss factor of 0.2 dB/km and noise parameter .Here, we choose an initial modulation at the input of each link, , such that the maximum distance is achieved.It was observed that the composable rate is highly sensitive to the relay loss,  B , as well as channel excess noise, .This can be seen in Fig. 4 where we compare the rates for  = 1 and  = 2 with that of ideal chain, with  B = 1 and  = 0.
It is known that Gaussian-only nodes cannot act as quantum repeaters [40,41].Expectedly, Fig. 4 verifies that the end-toend rate cannot reach/beat the repeaterless PLOB limit.This is because, in our example, the relays are Gaussian operation and as such they cannot do so.That being said, we emphasise that references [40,41] are more about entanglement distribution than QKD.The quantum repeater chain in our paper has an element of non-Gaussianity in the concept of being postselectively Gaussian, e.g., via NLAs.
One can also compare a part of our results to the wellstudied measurement-device-independent (MDI) QKD protocols [42].In the case where  = 1 our chain includes two links and one intermediate node, which very much resembles a MDI setup.It is known that the so-called symmetric MDI, wherein the links are identical and the node sits exactly at the middle, is poor in delivering a secret key at long distances, especially for non-zero excess noise and non-ideal relay [43].Whereas an asymmetric MDI, wherein the node is closer to one end, can reach longer distances.In our example, we assumed identical links and as such, comparing with symmetric MDI, we do not expect to reach longer distances.Now let us revamp the quantum chain to design a quantum repeater.Considering the class of continuous-variable quantum repeaters [39,[44][45][46][47][48], several proposals have been suggested to increase the reach of single-link CV QKD protocols, e.g., by utilizing NLAs [49], which nevertheless can improve the secure distance for only a few tens of kilometres [49][50][51].One idea is that a quantum repeater can essentially be built by a concatenation of such NLA-improved links.Key elements of any repeater chain include entanglement distribution, entanglement distillation or purification, and entanglement swapping.An NLA-based quantum repeater uses TMSV sources as an entanglement distribution source and CV Bell measurements as entanglement swapper device.Other components such as quantum memories [52,53] can help to improve the performance of quantum repeaters, though they are not essential [54][55][56].But due to the non-deterministic nature of NLAs, using QMs in the structure of amplifier-based repeaters seems indispensable.
To continue, we shall first account for the probabilistic (post-selection) nature of the NLAs.Take that in total  signals are transmitted, i.e., assume  runs.The meaning of 'run' is well understood in a single-link protocol.It however may be slightly more complex in a repeater setup with essentially probabilistic links.Here, by each run we mean that TMSV sources at all stations simultaneously transmit a signal.Each signal then has the chance to be successfully amplified by an NLA placed at the other end of the link.In the following, we account for the post-selection effect of the NLAs by referring to [57], which has studied a similar post-selection problem in the scope of free-space quantum communications.
Of the overall  runs of the protocol  s , where  s is suc-cess probability of the repeater system, will be post-selected by NLAs.In other words, they post-select a portion  s  of the signals.Hence, assuming that EC is successful with probability  ec , an average number of  s  ec signals contribute to the final key and, therefore, Eq. ( 33) takes the form Before we present numerical results, let us briefly weigh up the action of NLAs.Firstly, to see if such devices can be practically useful, we allow some weakening of the Gaussian assumption.This is because the NLA-assisted relays can actually impose non-Gaussianity, which as pointed out earlier, is necessary to (possibly) outdistance the PLOB.As a well-known realization, we can take the action of quantum scissors (QSs), as non-deterministic NLAs, as a guide.Quantum scissors were introduced in [20], and were studied further in [24,25].While the ideal NLA operation is unphysical, in the sense that it works only with zero probability of success, QSs can act as almost-ideal NLAs under weak signal assumptions.More precisely, it has been shown that a QS can almost-noiselessly amplify an input coherent state | to | with the success probability of a QS  s = 1/ 2 , assuming that  2 || 2 1 [21,22,24].In the prepare-and-measure (P&M) protocol, where each link has an initial Gaussian modulation variance   , a similar assumption holds:  2   1, where we have also take into account the channel loss (We note that the P&M and entanglement-based protocols are related via  =   + 1.).
In Fig. 5, by using the recursive equations, we plot the asymptotic secret key rate versus the overall distance between Alice and Bob.Here we have assumed that an ideal chain with  B = 1 and  = 0. We encounter a dual optimisation problem, which we solve numerically by optimizing over input modulation  and amplification gain , while making sure that  2   < 10 −2 .
We interpret the results as follows.The curves show that a quantum repeater chain with  = 1 ( = 2) can outperform the ultimate benchmarks at about 300 km (500 km), before which the optimized amplification gain is  = 1, meaning that no amplification in needed.Although these results look interesting, when we deviate from the ideal case, i.e., relay loss  < 1 and excess noise  > 0 (specifically we could not find a positive rate for, e.g.,  B = 0.999 and  = 0.001 SNU).As discussed for a chain without NLAs, this is partly due to the absolutely symmetric (MDI-like) design that we assumed through our example.With a different, possibly asymmetric, design of the repeater links, it may be possible that one can obtain positive rates (nevertheless, the methodology remains the same as presented in this manuscript).From this prospective, our results are the starting point for future studies on NLAbased quantum repeaters.

Conclusions
In summary, we have analysed the composable end-to-end security of Gaussian quantum networks in the presence of generally-untrusted nodes.Assuming two arbitrary end-users of the network, we established a methodology that enables FIG. 5. Asymptotic key rate per use of quantum repeater chain.We consider a heterodyne-based CV-QKD protocol implemented over a quantum repeater chain with depths  = 1 and  = 2. Here, we assume reconciliation efficiency  = 0.98, ideal Bell detection modules with  B = 1.0, and zero excess noise  = 0 for each single link.Rates are compared with the repeaterless capacity, i.e., PLOB bound [1], and the single-repeater capacity [4].them to complete the crucial task of parameter estimation based only on the data remotely possessed.We have further investigated how they can use the estimated parameters and compute the composable key rate in the finite-size regime.Our study does not need to estimate channel parameters of the individual links that make the route between the two users.In fact, other than being Gaussian, it does not make any assumptions about the communication links, stations, and/or any other components involved.
Furthermore, we backed up our theory by considering the specific case of a chain of identical quantum links, both with and without NLAs.In our NLA-assisted design, we assumed ideal NLAs for two reasons.Firstly, under weak signal assumptions, they can be assumed Gaussian operations [20,24,25] (a good example of these NLAs are quantum scissors [20]).Secondly, since they are ideal, in the sense that they do not add extra noise to the system, they help to obtain the ultimate performance that can be achieved by means of such designs.While we could show that an NLA-assisted chain can beat the repeaterless limit, we question its practicality.Compared with MDI protocols, we conclude that, apart from noise and loss, this is mostly due to symmetric design of the chain.In addition, for achieving a real-world analysis one can replace the ideal NLAs with realistic ones.This can nevertheless obsolete the Gaussianity of the network so this next step will have to be investigated cautiously.

Methods
The worst-case scenario covariance matrix.In the following, we discuss the confidence intervals for .Despite the fact that this procedure is based on the shared data, it can have a direct application on a theoretical CM as in Eq. ( 37) defined through a specific model of the links between the parties.Our