Finite-key analysis for twin-field quantum key distribution with composable security

Long-distance quantum key distribution (QKD) has long time seriously relied on trusted relay or quantum repeater, which either has security threat or is far from practical implementation. Recently, a solution called twin-field (TF) QKD and its variants have been proposed to overcome this challenge. However, most security proofs are complicated, a majority of which could only ensure security against collective attacks. Until now, the full and simple security proof can only be provided with asymptotic resource assumption. Here, we provide a composable finite-key analysis for coherent-state-based TF-QKD with rigorous security proof against general attacks. Furthermore, we develop the optimal statistical fluctuation analysis method to significantly improve secret key rate in high-loss regime. The results show that coherent-state-based TF-QKD is practical and feasible, with the potential to apply over nearly one thousand kilometers.

The other is the coherent-state-based TF-QKD 19,20,[24][25][26][27][28] , or called phase-matching QKD, which directly exploits the coherent state to extract secret key by implementing entangled coherent state measurement 28 . However, so far, taking into account all finite-size effects in TF-QKD with rigorously composable security proof is still missing, which severely influences TF-QKD to become as practical and feasible as typical QKD 29,30 and MDI-QKD 31 with composable security under realistic conditions.
In this work, we provide a composable finite-key analysis for coherent-state-based TF-QKD with rigorous security proof against general attacks. We make three contributions to obtain the optimal secret key rate and show that the transmission distance can surpass 800 km fibre with the realistic technology. First, we use the entropic uncertainty relation 32 to prove the security of coherent-state-based TF-QKD in the finite-key regime. It is known to all that entropic uncertainty relation is well suited for the composable security proof against general attacks, which is rather direct and avoids various estimations [29][30][31] . Second, we develop the tight and rigorous multiplicative Chernoff bound and its variant to deal with the difference between the observed value and the expected value, which closes the gap between the large-deviation Chernoff bound method 31 and the not-sufficiently-rigorous Gaussian analysis. Third, the tailored tail inequality for random sampling without replacement is the tightest, which further improves the secret key rate in the finite-key regime.

Results
Security definition. Before introducing our protocol, we follow the discussion of the so-called universally composable framework 33 . A general QKD protocol either outcomes a pair of key bit strings S and Ŝ for Alice and Bob or aborts denoted by S = S = ⊥. The length of bit strings S and S are both equal to . In general, the QKD protocol is called secure if the key bit strings satisfy two criteria, namely, the correctness and the secrecy criteria.
The correctness criterion is met if the key bit strings of Alice and Bob are identical, i.e., S = Ŝ . However, the correctness criterion cannot be perfectly satisfied in experiment, which means that we may allow some negligible errors. Specifically, we say that a protocol is ε cor -correct if ε ≠ ≤ S S Pr[ ] cor , i.e., the probability that Alice's and Bob's key bit strings are not identical does not exceed ε cor .
Let system E be the information of eavesdropper during the process of the QKD protocol, s { } s be an orthonormal basis for Alice's system and ρ s E be the state of the system E given any fixed value s of key bit string S. In order to define secrecy, we should introduce a description of the correlation between the key bit string of Alice S and eavesdropper, which can be given by the joint classical-quantum state ρ ρ = ∑ ⊗ p s s s s s SE E . The secrecy criterion is met if the system E completely has no correlation with the key bit string of Alice, i,e., is the uniform mixture of all possible values of the key bit string S. However, the secrecy criterion can still never be perfectly satisfied in experiment. We say that a protocol is ε sec -secret if the trace distance between the joint classical-quantum state ρ SE and the ideal case described by U S ⊗ρ E is no more than Δ, i.e., about sec , where ∥·∥ 1 is the trace norm and p abort is the probability that the protocol aborts. Therefore, we say that a protocol is ε-secure if it is ε cor -correct and ε sec -secret with ε ε ε + ≤ cor s ec . Protocol definition. Here, we follow two protocols proposed in our very recent work 28 . One prepares cat state to bound the leaked information, called Protocol 1. The other exploits the phase-randomized coherent state (PRCS) to estimate the leaked information, called Protocol 2. For simplicity, we only consider the case of symmetric channel, while the case of the asymmetric channel can be directly generalized 28 . The schematic diagram of two protocols are illustrated in Fig. 1. Alice randomly chooses Z and X bases with probabilities p Z and 1 − p Z , respectively. Alice randomly prepares optical pulses with coherent states α and α − in equal probabilities for the logic bits 0 and 1 if choosing the Z basis. For Protocol 1 (2), Alice randomly generates optical pulses with cat states ) / 2 in equal probabilities for the logic bits 0 and 1 (PRCS) if choosing the X basis. Likewise, Bob does the same. The optical pulses are sent to the untrusted Charlie, who is assumed to perform the entangled coherent state measurement that projects them into an entangled coherent state. The decoy-state method 34-36 will be used in Protocol 2 to estimate the leaked information.
Next, Charlie will disclose whether he has acquired a successful measurement result and which entangled coherent state is obtained. Alice and Bob only keep the data of successful measurement and discard the rest. They announce the basis and intensity information through the authenticated classical channel and only keep the events of the same basis. Finally, Bob flips a part of his key bit to correctly correlate with Alice's (see Table 1). A detailed description of each step of Protocols 1 and 2 as follows.
State preaparation. The first four steps are repeated by Alice and Bob for i = 1, …, N until the conditions in the Sifting step are satisfied. In Protocol 1, Alice chooses a basis β ∈ {Z, X} and uniformly random bit r ∈ {0, 1} with probability p β /2. Next, Alice prepares optical pulses with coherent state α π e ir (cat state α α + − π e ( ) / 2 ir ) for Z (X) basis given by r. Likewise, Bob does the same thing. In Protocol 2, Alice chooses a basis β ∈ {Z, X} with probability p β . Then, she chooses uniformly random bit r ∈ {0, 1} with probability 1/2 given by the Z basis and an intensity with probability p a given by the X basis. Next, Alice prepares optical pulses with coherent state α π e ir for the Z basis given by r. She generates PRCS optical pulses of intensity a for X basis. Likewise, Bob does the same thing.
Sifting. Alice and Bob announce their basis choices and intensity settings over an authenticated classical channel when Charlie reports a successful event. Bob flips part of his key bits to correctly correlate with Alice's (see Table 1). In Protocol 1, we define the set  ( ), which identifies signals when Alice and Bob select the same basis Z (X) and Charlie has a successful measurement. The protocol repeats these steps until  | | ≥ n and  | | ≥ k. In Protocol 2, we define two groups of sets  and  a b , . The first (second) one identifies signals where Alice and Bob select the basis Z (X and the intensities a and b) and Charlie has a successful measurement. The protocol repeats these steps till Parameter estimation. Alice and Bob exploit the random bits from  to form the raw key bit strings Z and Z′, respectively. In Protocol 1 (2), Alice and Bob use  and  ( a b , ) to estimate the upper bound of phase error rate φ Z . If φ φ > ol Z t , Alice (Bob) assigns an empty string ⊥ to S (S) and aborts this protocol.
Error correction. Bob exploits an information reconciliation scheme to acquire an estimate Ẑ of Z by revealing at most leak EC bits of error correction data. Then, Alice computes a hash of length ⌈ ⌉ log (1/ ) 2 cor  by using a random universal 2 hash function 37 to Z. She sends the choice function and the hash to Bob. Bob uses the received hash function to compute the hash of Ẑ and compares with Alice's. If they are different, Alice (Bob) assigns an empty string to S (Ŝ) and aborts this protocol.
Privacy amplification. Alice exploits a random universal 2 hash function 37 to extract length  bits of secret key S from Z. Bob uses the same hash function (sent by Alice) to extract length  bits of secret key Ŝ from Ẑ .
Identifying any one of two entangled coherent states is the normalization factor, and μ = |α| 2 is the intensity of coherent states α ± . Here, we consider that two entangled coherent states ( ) (PRCS) if choosing X basis. They send the prepared quantum signals through insecure channel to the untrusted Charlie, who is supposed to perform an entangled coherent state measurement. As an example, Charlie let the two received optical pulses interfere at a symmetric beam splitter (BS), which has on each end a threshold single-photon detector. A click in the single-photon detector L implies a projection into the entangled coherent state Details can be found in main text. Table 1. Post-processing of raw key in the sifting step. Bob will decide whether he implements a key bit flip to guarantee correct correlations, depending on the announced entangled coherent state and the selected basis. Note that there is no key bit in the X basis for Protocol 2.

Measurement results of Charlie
www.nature.com/scientificreports www.nature.com/scientificreports/ both can be identified. Indeed, the coherent-state-based TF-QKD is a prepare-and-measure protocol reduced from the entanglement-based QKD using heralded entanglement generation protocol (see Methods).

Security analysis.
Here, we show the main result of our paper. One can make sure that Protocol 1 (2) introduced above is both ε cor -correct and ε sec -secret if we choose an appropriate secret key of length . The required correctness criterion could be ensured by the error-verification step. Alice and Bob compare the random hash values of their corrected keys with failure probability ε hash , which means that identical probability of key bit strings S and Ŝ is more than ε − 1 hash . Even if the protocol is aborted, resulting in S = Ŝ = ⊥, it is also correct. Thereby, the correctness of the protocol is ε ε = cor h ash . For Protocol 1, the protocol is ε sec -secret if the secret key of length  satisfies is the binary Shannon entropy function. Recall that n and φ Z are the number of bits and phase error rate in bit string Z. A sketch of the proof of Eq. (1) can be found in Methods. In the asymptotic limit, φ = E Z X since statistical fluctuations could be neglected, and thus  satisfies leak X E C , as recently acquired in 28 . φ nh( ) Z is the amount of information acquired by the eavesdropper in the quantum process, while leak EC is the information revealed by Alice in the error correction step.
For Protocol 2, the protocol is ε sec -secret if the secret key of length  satisfies (see Methods) The other two main contributions of our work are the rigorous and tight statistical fluctuation analysis methods. One is the tightest multiplicative Chernoff bound and its variant to deal with the difference between the observed value and the expected value. The other is the tightest tail inequality for random sampling without replacement. In order to meet the composable security proof against general attacks in the finite-key regime, one can only assume the random variables are independent but not identically distributed. Traditionally, a large deviation theory with the Chernoff bound is proposed to deal with the parameter estimation in MDI-QKD with finite-key analysis 31 , which is a rigorous but not tight method, i.e., significant statistical fluctuations quickly decrease the expected secret key rate in the high-loss regime. Whereafter, another approach 38 is proposed, attempting to close the gap between the rigorous large-deviation Chernoff bound method 31 and the not-sufficiently-rigorous Gaussian analysis (independent and identically distributed). However, this approach offers a tighter estimation of the lower bound (given the small observed value) than the Gaussian analysis, which seems to be a counterfactual result as the method 38 is superior to the Gaussian analysis. Our rigorously improved method are always inferior but comparable to the Gaussian analysis. Furthermore, we give two tailored tail inequalities (lower and upper tails) to deal with the random sampling without replacement issue, which directly utilizes hypergeometric function distribution and avoids any inequality scaling 30,39 . The rigorous proof and detailed analysis can be found in Supplementary Notes 1-3.

Discussion
Here, we perform the behaviour of the expected secret key rate provided in Eq. (1) of Protocol 1 and Eq. (2) of Protocol 2. In our simulation, we use the following parameters, a fibre-based channel with an ultralow-loss of 0.16 dB/km 12 . The efficiency and dark count rate of single-photon detector are 85% and 10 −11 in the untrusted relay 13 . The security bounds of secrecy and correctness are fixed to ε = − 10 sec 10 and ε = − 10 cor 15 , the latter of which corresponds to a realistic hash tag size in practice 37 . For simplicity, we assume an error correction leakage that is a fixed fraction of the sifted key length n, i.e., leak EC = nζh(E Z ), with the efficiency of error correction ζ = 1.1 and the quantum bit error rate E Z of the Z basis.
The results are shown in Figs. 2 and 3 where Alice and Bob exploit the three-intensity PRCS, one of which is a vacuum state. The detailed computational process of the phase error rate φ Z can be found in Methods. The expected secret key rate (per pulse)  N / as a function of the transmission distance between Alice and Bob for different values of the total number of signals N sent by Alice and Bob given by overall misalignment 2% in the channel is shown in Fig. 2. For a given transmission distance, we optimize numerically  N / over all the free parameters of Protocols 1 and 2. For the case of symmetric channel, all parameters chosen by Alice and Bob are set to the same. Our simulation result shows clearly that coherent-state-based TF-QKD is the feasible scheme in the finite-key regime. Considering the case of 1 GHz repetition rate 15 , the secret key rate of Protocols 1 and 2 can break the repeaterless Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound 5 even with a small finite size of data, say N = 10 8 (data collected in 0.1 s) for Protocol 1 and 10 10 (data collected in 10 s) for Protocol 2. Moreover, the maximum transmission distance of Protocols 1 and 2 can be expanded up to 1000 km and 800 km with the realistic finite size of data N = 10 13 (less than 2.8 h data). The secret key rate in Protocols 1 and 2 given by 470 km are both larger than 10 −6 per pulse (1 kbps) under the finite size of data N = 10 12 . It means that the coherent-state-based TF-QKD has the potential to be actually used even when the communication distance is approximate to 500 km. This is impossible when using the traditional QKD or MDI-QKD, where the best results are 0.25 bps at 421 km of traditional QKD under the collective attacks assumption 13  www.nature.com/scientificreports www.nature.com/scientificreports/ infinite number of signals 28 and the repeaterless PLOB bound. For a given number of signals, we optimize numerically  N / over all the free parameters of Protocols 1 and 2. The fixed parameters are the ones described in the caption of Fig. 3. The simulation results show that the secret key rates of Protocols 1 and 2 are about 10 −7 at the distance of 500 km with 10 11 and 5 × 10 13 signals, even given that the misalignment rate is up to 15%. The significant secret key rate of Protocols 1 and 2 at the distance of 500 km can be acquired only with 10 9 and 10 11 signals when the misalignment rate is less than 5%.
In summary, we have proved the composable security of coherent-state-based TF-QKD in the finite-key regime against general attacks. The maximum transmission distance of Protocols 1 and 2 are more than 1000 km and 800 km with the realistic finite size of data, respectively. The coherent-state-based TF-QKD is the fully practical QKD protocol that offers an avenue to bridge the gap between trusted relay and quantum repeater in long-distance QKD implementations. In order to be immune to general attacks in the finite-key regime, the independent and identically distributed assumption of Gaussian analysis (the central-limit theorem) is no longer applicable. We have rigorously proved an improved Chernoff bound and its variant, which can close the gap between the large-deviation Chernoff bound method and the Gaussian analysis. Numerical simulations display that our improved method is always inferior but comparable to the Gaussian analysis. The rigorous and tight statistical fluctuation analysis methods of this work will be widely applied to quantum cryptography protocols with the finite-size effects, such as QKD, quantum digital signature, and quantum secret sharing. We remark that cat state has a certain distance from the actual application with current technique. Last but not least, the homodyne   28 . In comparison, the black line represents the PLOB bound given by the transmission distance of 500 km. The results show that the coherent-state-based TF-QKD is robust to the large misalignment rate even for a finite size of signals sent by Alice and Bob.
www.nature.com/scientificreports www.nature.com/scientificreports/ measurement may be exploited to identify the entangled coherent state in the coherent-state-based TF-QKD, which is worth considering in the future.

Methods
Entanglement-based protocol. In order to establish the secrecy of the protocols, we introduce an equivalently virtual entanglement-based protocol 28 , in which Alice and Bob prepare entangled states of a qubit and an optical mode ψ α α = + + − − z z ( ) 1 2 , where qubit states ±z are the eigenstates of Pauli's Z operator. They keep the qubit and send the optical mode to the untrusted Charlie, who performs the entangled coherent state measurement. The bipartite qubit entanglement states between Alice and Bob are thus generated via entanglement swapping. Indeed, the coherent states α ± and the cat states ξ α ± ( ) will be sent to Charlie if they perform the Z-and X-basis measurement on the qubit system, respectively. Thereby, the coherent-state-based TF-QKD is a prepare-and-measure protocol reduced from the entanglement-based QKD using heralded entanglement generation protocol (we refer to the article 28 for details).
Secrecy. Let us keep the entanglement-based QKD using heralded entanglement generation protocol in our mind. We exploit the entropic uncertainty relations 29,32 to estimate bounds on the smooth min-entropy of the raw key conditioned on eavesdropper's information. The Quantum Leftover Hash Lemma 37 is exploited to give a direct operational meaning to the smooth min-entropy. Let E′ summarizes all information of eavesdropper learned about raw key of Alice Z, up to the error-correction step. By applying a random universal 2 hash function to Z, one may extract a Δ-secret key of length  from Z, denotes the smooth min-entropy 37 , which quantifies the average probability that the eavesdropper guesses Z correctly by exploiting the optimal strategy with access to E′.
The amount of bit information ε + leak log (2/ ) EC 2 cor will be revealed to the adversary during the error-correction step. By using a chain-rule inequality for smooth entropies, we have , where E is the information of eavesdropper before the classical post-processing.
In order to bound the smooth min-entropy  ′ | H Z E ( ) min by using the uncertainty relation for smooth entropies 32 , we consider a gedankenexperiment that Alice and Bob prepare the cat states instead of coherent states when they choose the Z basis. Alice and Bob need to use the bit strings X and X′ of length n to replace the raw key bit strings Z and Z′ in this hypothetical protocol, respectively. The smooth min-entropy can be given by quantifies the required number of bits that Bob uses bit string X′ to reconstruct X, which leads to the second inequality 29 . φ Z is the phase error rate of bit strings Z and Z′, i.e., the bit error rate of bit strings X and X′. In reality, φ Z cannot be directly observed, which has to be estimated by using random-sampling (without replacement) theory.

Tight tail inequality.
Here, we introduce three Lemmas to deal with the statistical fluctuation in the finite-key regime. Specifically, Lemma 1 is tailored for random sampling without replacement. Lemma 2 is the multiplicative Chernoff bound, which is used to bound the observed value, given the expected value. Lemma 3 is a variant of the multiplicative Chernoff bound, which is tailored to estimate the expected value, given the observed value. The rigorously proved tail inequalities in each lemma are the tightest due to avoiding excessive inequality scaling. See Supplementary Notes 1-3 for details.
be a string of binary bits with n + k size, in which the number of bit value 1 is unknown. Let k  be a random sample (without replacement) bit string with k size from + n k  . Let λ k be the probability of observed bit value 1 in  k . Let  n be the remaining bit string, where the probability of observed bit value 1 in n  is λ n . Then, i j be the binomial coefficient. For any  > 0, we have the upper tail . For any > 0  , we have the lower tail www.nature.com/scientificreports www.nature.com/scientificreports/ Lemma 2: Let X 1 , X 2 , ..., X N be a set of independent Bernoulli random variables that satisfy Pr(X i = 1) = p i (not necessarily equal), and let = ∑ = X X : x x where δˆ is the positive root of the equation Lemma 3: Let X 1 , X 2 ..., X N be a set of independent Bernoulli random variables that satisfy Pr(X i = 1) = p i (not necessarily equal), and let = ∑ = X X : 1 . An observed outcome of X is represented as x for a given trial. For any > 0  , we have μ x that satisfies  Statistical fluctuation of Protocol 1. In order to bound the phase error rate φ Z , we consider the gedankenexperiment picture. There are n + k bits corresponding to X basis. The observed error rate of k bits random sampled from n + k bits is where r x and ′ r x are Alice's and Bob's bits in set  . By using the upper tail inequality for random sampling without replacement in Lemma 1, the remaining error rate of n bits, i.e., the phase error rate, can be given by Statistical fluctuation of Protocol 2. Since the cat states are replaced by PRCS for the X basis choice in Protocol 2, the bit error rate E X in the X basis cannot be directly observed. In order to bound the phase error rate φ Z , we need to use the following three steps. First, let ⁎ Q a b , be the expected gain when Alice and Bob send PRCS with intensities a and b, respectively, a, b ∈ {ν, ω, 0}. Therefore, we have the relations = ⁎ ⁎ k Np p p Q a b a b a b , X 2 , , where f are the expected values corresponding to the observed values k a,b . In reality, we only know the observed values k a,b . By using a variant of the multiplicative Chernoff bound in Lemma 3, we can use the observed value for a given trial to estimate the upper (lower) bound of the expected value with a small failure probability ε 3 . The PRCS can be seen as the mixed Fock states from the eavesdropper's view. Let ⁎ Y n m , be the expected yield when Alice sends n-photon and Bob sends m-photon. Thereby, the expected values ⁎ Y n m , can be estimated by using the decoy-state method with the three-intensity PRCS 25,28,40 . Once obtaining the upper bound of the expected yield ⁎ Y n m , , one can calculate the upper bound of the observed yield Y n m , by using the lower tail of the multiplicative Chernoff bound in Lemma 2. See Supplementary Note 4 for details. Note that for the case of n + m ≥ 5, we let the observed yield = Y 1 n m , . Second, we consider the gedankenexperiment picture, in which Alice and Bob still send the cat states ξ α ± ( ) instead of PRCS when they choose the X basis in Protocol 2. Let Q Z (Q X ) be the observed gain when Alice and Bob both prepare coherent states α ± (cat states ξ α ± ( ) ) for a given trial. By using the tail inequality for random sampling without replacement in Lemma 1, the observed value Q X can be bounded by with failure probability ε 1 , where we have the relations n = N Z Q Z , N Z = Np Z 2 and N X = Np X 2 . Thereby, the lower bound of the observed value is = k N Q X X . Third, the upper bound of the observed value of the bit error rate E X can be estimated by 28