Continuous-variable source-device-independent quantum key distribution against general attacks

The continuous-variable quantum key distribution with entanglement in the middle, a semi-device-independent protocol, places the source at the untrusted third party between Alice and Bob, and thus offers a high level of security by eliminating the assumptions about the source device. However, previous works considered only the collective-attack analysis, which inevitably assumes that the states of the source have an independent and identically distributed (i.i.d.) structure, and this limits the application of the protocol. To solve this problem, we modify the original protocol by exploiting an energy test to monitor the potential high-energy attacks an adversary may use. Our analysis removes the assumptions on the light source, and the modified protocol can therefore be called a source-device-independent protocol. Moreover, we analyze the security of the continuous-variable source-device-independent quantum key distribution protocol with a homodyne-homodyne structure against general coherent attacks by adapting a state-independent entropic uncertainty relation. The simulation results indicate that, in the universal composable security framework, the protocol can still achieve high key rates against coherent attacks under the condition of achievable block lengths.


Introduction
Quantum key distribution (QKD) [1][2][3], one of the most practical quantum cryptography technologies, allows two users (traditionally called Alice and Bob) to establish a set of secret keys by exploiting both quantum mechanics and classical post-processing methods. This can provide information-theoretic security even against existing potential eavesdroppers.
Continuous-variable (CV) QKD protocols [4,5], in which the information is encoded on the quadratures of the light field and measured with coherent measurement methods, e.g., homodyne [6] and heterodyne detection [7], have developed rapidly. There are two main reasons why CV-QKD has attracted so much attention in recent years: it can be easily implemented with standard telecom components [8,9] and is compatible with wavelength division multiplexing [10,11], and it can achieve a high key rate at metropolitan distances [12], which is an advantage for short-range implementation.
Plenty of CV-QKD protocols have been proposed to deal with different scenarios. In the case of fully trusted-device protocols, it is always assumed that both Alice and Bob are honest, and Eve can only control the quantum channels rather than the devices at the two parties. A large number of distinctive trusted-device protocols, including discrete modulation CV-QKD protocols [13][14][15], two-way protocols [16][17][18][19][20][21] and so forth, have been put forward to enrich the protocol design. However, because of the imperfection of practical source and detection devices, a QKD system may be attacked by a potential eavesdropper, which compromises the security of a protocol [22]. To eliminate all the loopholes of devices, fully device-independent protocols have been proposed, which do not make any assumptions about the experimental devices and allow Eve to control them all. Nevertheless, those protocols face experimental challenges because they have to perform a detection-loophole-free Bell test [23].
As a compromise, semi-device-independent (semi-DI) protocols have been proposed, such as measurement-device-independent (MDI) [24][25][26] and one-sided device-independent (1sDI) [27,28] QKD protocols, which treat part of the protocol as honest and the other part as untrusted, giving a trade-off between the security of some devices and the performance of a protocol. Remarkably, both CV-MDI [29][30][31] and CV-1sDI protocols [27,32,33] have been analyzed against general coherent attacks, which improves the security analysis of the protocols.
CV-QKD with entanglement in the middle [34] is the protocol in which the source is placed at the untrusted third party in the middle and controlled by the malicious eavesdropper. Alice and Bob then measure one of the modes they received separately, with either homodyne or heterodyne detection. The goal of the protocol is that we do not need to give assumptions on the source, which is sometimes ill-characterised and unsafe in communication. Nevertheless, the security analysis of the CV-QKD with entanglement in the middle protocol is confined to the collective-attack case, which inevitably assumes that the states of the source have an independent and identically distributed (i.i.d.) structure, i.e., $\rho_{A^nB^n} = \sigma_{AB}^{\otimes n}$, so that the protocol cannot reach the original idea of source-device-independence (SDI).
Figure 1. Schematic of the entanglement-in-the-middle CV-QKD protocol [34]. EPR: untrusted two-mode squeezed state with variance $V$. Hom: homodyne detection. QM: quantum memory. Only homodyne detections are discussed here, and Eve's attacks are considered as two-correlated-mode attacks without loss of generality.
Inspired by the security analysis technique used in the 1sDI protocol by F. Furrer et al. [32,33], we adapt one type of state-independent entropic uncertainty relation with CVs to analyse the security of the CV-QKD with entanglement in the middle protocol under coherent attacks, and only consider the case in which both Alice and Bob perform homodyne detections. We modify the original protocol by exploiting an energy test at the reconciliation side (Bob's side for reverse reconciliation as an example) to monitor the potential high-energy attacks an adversary may use. By properly quantifying the correlation between Alice's and Bob's data, which can be used for estimating Eve's knowledge of the raw key, we obtain the secret key rate for a finite number of exchanged signals, supposing that the strategy Eve exploits is a coherent attack. Our analysis removes the assumptions on the light source and assumes that the sampling processes performed on Alice's and Bob's sides are i.i.d., which is needed for exploiting the entropic uncertainty relation. Therefore, the modified protocol can be called the CV-SDI QKD protocol. Finally, simulation shows that even when the coherent attack is considered, CV-QKD with entanglement in the middle can still reach a non-zero key rate over short distances, without placing any constraints on the source.

Results
The original CV-QKD protocol with entanglement in the middle against collective attacks
We begin by describing the CV-QKD protocol with entanglement in the middle, which was originally proposed in Ref. [34]. A two-mode squeezed vacuum state EPR, with an unknown variance $V$, is prepared by the untrusted third party, see Fig. 1. The EPR source can be created either by an untrusted communication party Charlie or by the potential adversary Eve. The two modes of the EPR source, e.g., EPR$_1$ and EPR$_2$, are sent to Alice and Bob separately through quantum channels. The general assumption in QKD is that both quantum channels could be totally controlled by the potential eavesdropper Eve, which leads to the introduction of loss and noise to the states after transmission. Assuming the quadratures of the two modes of the EPR source are $X_{\mathrm{EPR}_1}$ and $X_{\mathrm{EPR}_2}$ with the covariance matrix (CM) where , and the transmissivities of the two channels are $\tau_A$ and $\tau_B$ respectively, then we have the quadratures after transmission, given by where $E_1$ and $E_2$ are the ancillary systems which Eve injects into the links to attack the protocol. The two-correlated-mode eavesdropping strategy is considered here, which is the general two-mode attack strategy, where the CM $\gamma_{E_1E_2}$ of the two correlated modes is where $\omega_A$ and $\omega_B$ are the variances of modes $E_1$ and $E_2$, and the correlation term $G = \mathrm{diag}[g, g']$ with the correlation parameters $g$ and $g'$ satisfying the constraints shown in Ref. [35]. The attack is optimal when modes $E_1$ and $E_2$ are set as coherent, as given in Refs. [24,36,37].
Originally, Alice and Bob perform quadrature measurements via homodyne or heterodyne detections; in this paper, we only consider the scenario in which both Alice and Bob employ homodyne detections to get one measurement result, i.e., quadrature $x$ or $p$. After finishing the state preparation and measurement phases, both Alice and Bob announce which quadrature they chose through an authenticated public channel to sift their keys. They hold the data for which the selected quadratures are the same and discard the rest. Finally, the two communication parties proceed with classical data post-processing, namely parameter estimation, error correction and privacy amplification, to distill their keys.
In the collective-attack setting, the state $\rho_{A^NB^NE^N}$ after all runs can be considered as a tensor product state, namely where $N$ is the total number of quantum signals exchanged during the protocol. In this paper, we only focus on the asymptotic case under collective attacks to show the ideal performance of the protocol, where the total number of quantum states $N$ tends to infinity. The asymptotic secret key rate $K^{\mathrm{asym}}_{\mathrm{collective}}$ (for reverse reconciliation) is given by the Devetak-Winter formula [38], which reads where $\beta$ is the reconciliation efficiency, $I(A:B)$ is the classical mutual information between Alice's and Bob's data, and $\chi(B:E)$ is the Holevo information between Bob's data and the eavesdropper [39]. This is given by χ (B : where $S(E)$ is the von Neumann entropy of Eve and $S(E|B)$ is the conditional von Neumann entropy of Eve given Bob's information. $\chi(B:E)$ can be bounded with the help of the Gaussian state extremality theorem [40,41] in the case of collective attacks, hence we assume that the state $\rho_{AB}$ is Gaussian to minimize the final secret key rates, which can be calculated from the CM. A detailed derivation of the CM and the key rate can be found in the Methods section.
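The collective-attack rate described above can be evaluated numerically from the three CM entries $a$, $b$, $c$ used in the Methods ($\gamma_A = aI$, $\gamma_B = bI$, $\Sigma_C = cZ$). The following is an added example, not code from the paper: the closed form for $\lambda_{1,2}$, the entropy function $G$ and the homodyne mutual information are the standard Gaussian-state expressions, and `cm_entries_uncorrelated` is a hypothetical helper covering only the uncorrelated ($g = 0$) thermal-loss case.

```python
import math

def G(x):
    """Entropy function G(x) = (x+1)log2(x+1) - x*log2(x), in bits."""
    if x <= 1e-12:            # pure mode, or rounding noise around zero
        return 0.0
    return (x + 1) * math.log2(x + 1) - x * math.log2(x)

def symplectic_eigenvalues(a, b, c):
    """Symplectic eigenvalues of gamma_AB = [[a*I, c*Z], [c*Z, b*I]]."""
    delta = a * a + b * b - 2 * c * c      # Delta = a^2 + b^2 - 2c^2
    d = a * b - c * c                      # D = ab - c^2
    root = math.sqrt(max(delta * delta - 4 * d * d, 0.0))
    return math.sqrt((delta + root) / 2), math.sqrt((delta - root) / 2)

def key_rate_collective(a, b, c, beta=1.0):
    """Asymptotic reverse-reconciliation rate beta*I(A:B) - chi(B:E).

    Eve purifies the state, so S(E) = S(AB) and S(E|B) = S(A|B).
    Both parties measure one quadrature by homodyne detection.
    """
    cond_var = a - c * c / b               # Alice's variance given Bob's result
    i_ab = 0.5 * math.log2(a / cond_var)   # standard homodyne-homodyne expression
    lam1, lam2 = symplectic_eigenvalues(a, b, c)
    lam3 = math.sqrt(a * cond_var)         # lambda_3 = sqrt(a (a - c^2/b))
    s_ab = G((lam1 - 1) / 2) + G((lam2 - 1) / 2)
    s_a_given_b = G((lam3 - 1) / 2)
    chi_be = s_ab - s_a_given_b
    return {"I_AB": i_ab, "chi_BE": chi_be, "K": beta * i_ab - chi_be}

def cm_entries_uncorrelated(V, tau_a, tau_b, w_a=1.0, w_b=1.0):
    """Assumed special case (g = 0): each EPR mode passes a beam splitter of
    transmissivity tau mixed with an independent thermal mode of variance w.
    Variances are in shot-noise units (vacuum variance 1)."""
    a = tau_a * V + (1 - tau_a) * w_a
    b = tau_b * V + (1 - tau_b) * w_b
    c = math.sqrt(tau_a * tau_b * (V * V - 1))
    return a, b, c

if __name__ == "__main__":
    # Constructed inputs: EPR variance V = 20, pure loss, symmetric links.
    for tau in (1.0, 0.9, 0.7, 0.5):
        res = key_rate_collective(*cm_entries_uncorrelated(20.0, tau, tau))
        print(f"tau={tau:.1f}  I={res['I_AB']:.3f}  "
              f"chi={res['chi_BE']:.3f}  K={res['K']:.3f}")
```

For a lossless pure two-mode squeezed state the Holevo term vanishes and the rate reduces to $\beta \log_2 V$; with loss on both arms the rate drops and becomes negative well before either arm is fully lossy.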
The modified CV-SDI QKD protocol against general coherent attacks
In the case of general coherent attacks, the assumption that $\rho_{A^NB^NE^N}$ has a tensor product structure is invalid, so we cannot apply Eq. (4) directly to bound the secret key rate after finite runs of the protocol. There are in general two main security-proof techniques developed in CV-QKD to handle coherent attacks. One method is the de Finetti theorem [42,43], which has the ability to reduce the security against coherent attacks to that against collective attacks, and it was successfully employed to analyse a protocol which has some symmetric properties [30]. The alternative is the entropic uncertainty relation [32,33,44], which requires that the protocol randomly measures between two quadratures and performs the sifting process [27,31]. We exploit the latter tool in this paper to obtain the security of the entanglement-in-the-middle protocol with homodyne-homodyne structure against coherent attacks. We point out that the protocol in Ref. [33] has no assumption on Alice's side (which can also be treated as the source side), thus it is also called a one-sided device-independent protocol. In our protocol, there is also no assumption on the source. However, since our protocol has a network structure, where the source is located at a third party and Alice and Bob only perform measurements, it is very different from the previous protocol, where the source is located on one side of the protocol. We named our protocol "source device independent" to distinguish it from previous one-sided device-independent protocols.
We analyse the protocol under general coherent attacks with the untrusted source in the middle by adapting the approach described in Ref. [33]. Thanks to the composable security framework, we are able to study the protocol under some imperfect situations, such as the practical detection model, the energy test and the finite-size effect, which allows us to modify the protocol in the coherent-attack case.
Simulation
Using the results in the previous section, we can plot the secret key rate as a function of the total transmission distance, focusing on the symmetric configuration where we set $\tau_A = \tau_B = \sqrt{T}$ and $T$ is the transmissivity of the channel. The simulations assume two-mode optimal attacks to show the performance of the protocol, and both the collective- and coherent-attack scenarios are shown in Fig. 2. Note that modeling an eavesdropper's attack behavior here does not limit the eavesdropping ability; it is only for the convenience of simulation. Actually, in an experiment, we only need to know the parameter estimation data $x_A^{\mathrm{pe}}, p_A^{\mathrm{pe}}$ and $x_B^{\mathrm{pe}}, p_B^{\mathrm{pe}}$ of Alice and Bob to execute the security analysis of the protocol. Therefore there is no need to assume which model Eve's attack strategy belongs to before the protocol starts. Modeling attacks of eavesdroppers with two-mode coherent attacks yields the worst performance of the protocol [24,36,37], thus we use this modeling method to reflect the performance of the protocol. The results are shown in Fig. 2 and Fig. 3, where Fig. 2 shows the secret key rates of the CV-SDI QKD protocol as a function of transmission distance under different block sizes, while Fig. 3 shows the key rate varying with the block size.

Discussion
In order to facilitate the analysis of the performance of the protocol, we simulate the key rate with some ideal parameters. For instance, we assume that the protocol has an ideal modulation variance $V = 10^5$ (which could replace an infinite modulation variance) and perfect reconciliation efficiency $\beta = 1$. Also, to get the lower bound of the protocol, we set g = min (ω A − 1) (ω B + 1), (ω A + 1) (ω B − 1) and $\omega_A = \omega_B = 1 + \frac{T\xi}{1-T}$ with excess noise $\xi$ in one channel for two-mode optimal attacks. In the coherent-attack cases, we set the interval parameter $\alpha$ to 52 [32] and the overall security parameter is smaller than $10^{-20}$. Meanwhile, the parameter $M_{\mathrm{th}}$ is set to 12 to ensure that the energy test fails with probability smaller than $10^{-20}$. In Fig. 2, the gray dotted line shows the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound [45], which gives an upper bound on the secret key capacity of the lossy channel. The black solid line is the asymptotic key rate under collective attacks, and the longest transmission distance is over 18 km, which is a little shorter than that of the two-mode individual attacks case (where the correlation parameter $g = 0$) [34]. The other five curves, from top to bottom, describe the key rates under coherent attacks. The red solid curve is obtained for $N \to \infty$, and the other dashed lines describe the rate for $N = 10^{10}$ to $N = 10^7$ with finite exchanged signals. In Fig. 3, we also plot the secret key rate under coherent attacks as a function of block size for different distances. The distances are 5 km, 10 km and 14 km, respectively. We point out that when the block size reduces, the secret key rate decreases, and it is not achievable if the block size is below $10^7$.
We notice that there is a gap between the performance of the CV-QKD protocol with entanglement in the middle under collective attacks and that under coherent attacks in the asymptotic case. The reason is that the bound given by the entropic uncertainty relation is not very tight, especially in the high-loss regime, which has been shown in Ref. [33].
In conclusion, we have analyzed the security of the continuous-variable source-device-independent quantum key distribution protocol against general coherent attacks, where the source of the protocol is untrusted and may be controlled by the malicious adversary. By exploiting the state-independent entropic uncertainty relation together with the energy test, our analysis has no assumptions on the source, making the protocol source-device-independent even under coherent attacks. The simulation results indicate that, in the universal composable security framework, the protocol is still secure, achieving high key rates against coherent attacks under the condition of achievable block lengths ($N$ from $10^7$ to $10^{10}$).

Methods
Covariance matrix and the secret key rate under collective attacks
The final bipartite quantum state $\rho_{AB}$ of Alice and Bob has the CM with the form where and we let g = min by setting modes $E_1$ and $E_2$ as coherent. Then the secret key rate $K^{\mathrm{asym}}_{\mathrm{collective}}$ can be calculated by Eq. (4) if we restrict our discussion to the reverse reconciliation case. The mutual information between Alice's and Bob's data can be described as To obtain the von Neumann entropies $S(E)$ and $S(E|B)$, we always assume that Eve can purify the whole system in order to maximize her information, thus we have $S(E) = S(AB)$ and $S(E|B) = S(A|B)$. $S(AB)$ is a function of the symplectic eigenvalues $\lambda_{1,2}$ of $\gamma_{AB}$, which reads where where we use the notations $\Delta = a^2 + b^2 - 2c^2$ and $D = ab - c^2$. After Bob performs homodyne detection, Alice's CM conditioned on Bob's measurement results will transform to where $\gamma_A = aI$, $\gamma_B = bI$, $\Sigma_C = cZ$ and $X = [1, 0; 0, 0]$. $S(A|B) = G\left(\frac{\lambda_3 - 1}{2}\right)$ is a function of the symplectic eigenvalue $\lambda_3$ of the covariance matrix $\gamma_A^{x_b}$ with $\lambda_3 = \sqrt{a\left(a - \frac{c^2}{b}\right)}$. Therefore, the secret key rate under collective attacks when reverse reconciliation is performed is
The practical detection model and the measurement phase
We model the practical detector as an ideal homodyne detector followed by an analog-to-digital converter (ADC) with finite sampling range, and therefore the measurement process can be divided into two steps.
In Step 1, Alice and Bob exploit ideal homodyne detectors to measure the input signal with infinite range and resolution. The measured quadratures are ideal continuous variables with infinite dimensions, hence the measurement results are also continuous. Assuming that the sifting process is done, we denote the outputs of the ideal homodyne detectors as $Q_A$ and $Q_B$ on the two sides. In the general CV-QKD scenario, the statistical distribution of each outcome should follow a Gaussian distribution.
In order to obtain a tight bound using the entropic uncertainty relation, we need to rescale one of the two results, $Q_A$ or $Q_B$, and ensure that Alice's and Bob's measurement outcomes have high correlations after transmission through untrusted channels. We use the transformations below (using Alice as an example) to scale the quadrature measurements: where $t_q$ denotes the rescaling factor related to the channel losses of Alice and Bob, which can be determined by matching the variances of Alice's and Bob's measurement results. Supposing that $m$ signals are randomly chosen for parameter estimation, the average value of the quadrature measurement results on both Alice's and Bob's sides can be estimated by where , and it is easy to estimate the parameter $t_q$ by [31] tq In the symmetric case, where the channel losses and noises of Alice and Bob are approximately the same, we can simplify the analysis by assuming that $t_q \approx 1$.
In Step 2, the ADCs with finite range and finite precision that follow the homodyne detectors are exploited to discretize the continuous measuring range into discrete intervals, and the continuous variables $Q_A$ and $Q_B$ are also discretized. The measurement results are grouped into intervals: where $\alpha$ is the maximum discretization range of the ADCs, which takes the finite range of detectors into consideration, and $\delta$ denotes the resolution of the measurement, which shows how much detail the detector can detect. The corresponding outcome alphabet is denoted by $\chi = \{1, 2, \ldots, 2\alpha/\delta\}$, where we assume $2\alpha/\delta \in \mathbb{N}$ and every measurement outcome corresponds to one of the intervals. After this step, the continuous outcomes are replaced by the discrete results, which are denoted by This detection model can effectively illustrate the practical detector with finite range and resolution, without considering the efficiency of the detector, which could be modeled by a beam splitter with transmissivity $T_d$ [46]. However, the "discretization" process may cause security issues when compared with the ideal detection case, since the detection results are missing information about the quadratures. One issue is that any measurement outcomes inside one of the equal-length intervals $(-\alpha, -\alpha + \delta], \ldots, (\alpha - \delta, \alpha]$ will map to the same value, which may cause a reduction in the information about the state within each sampling interval due to the finite sampling bits. This effect can be suppressed by increasing the number of sampling bits. The other problem is caused by the two intervals with infinite length, namely $(-\infty, -\alpha]$ and $[\alpha, \infty)$, where users cannot know the full information about the state outside the detection range. In other words, users cannot distinguish whether the energy of the measured pulse is low or high, which may leave some loopholes for eavesdropping. This problem can be solved by the energy test.
The energy test
To guard against the large-energy attack that Eve may exploit during the communication process, the protocol should be modified by adding an energy test step to ensure that the energy of the measured states is below a certain threshold. We adapt the energy test method proposed in Ref. [33] to the entanglement-in-the-middle protocol to remove the assumption on the source in the security analysis, which has to be made in the trusted-source scenario [32]; hence this protocol can also be called a source-device-independent protocol.
Assuming that the protocol is performed with reverse reconciliation, the energy test is carried out on Bob's side before Bob performs the measurement step, as described in Fig. 4. Bob uses a beam splitter with almost perfect transmissivity $T$ to split the incoming mode $X_B$ into two parts, and $a$ is the vacuum mode introduced by the other port of the beam splitter. Mode $X'_B$ is the transmitted mode of the output used for generating Bob's raw data using a homodyne detector, and $a'$ is the reflected mode for the energy test. The reflected mode $a'$ is measured by a heterodyne detector, which consists of a balanced beam splitter and two homodyne detectors. Modes $t_1$ and $t_2$ are the output modes of the balanced beam splitter used for checking whether the amplitude of one output $|q_{t_1}|$ and the phase of the other output $|p_{t_2}|$ are below a certain threshold. If, for every measured signal, both the amplitude $|q_{t_1}|$ and the phase $|p_{t_2}|$ are not larger than the threshold $M_{\mathrm{th}}$, we say that the energy test passes; the protocol aborts otherwise. The probability that Bob measures with homodyne detection an outcome larger than the detection range $\alpha$ can be bounded by the function $\Gamma(\alpha, T, M_{\mathrm{th}})$, which reads [33] where µ = 1−T 2T and λ = 2T −1 T 2 . The smoothness of the energy test ε further can be bounded by
Finite-size effect and the key rate

In the coherent-attack scenario, due to the leftover hash lemma, an $\epsilon_c$-correct and $\epsilon_s$-secret key of length $\ell_{\mathrm{sec}}$ can be extracted [47], which can be expressed by where $\ell_{\mathrm{EC}}$ denotes the information leaked in the error correction step, which can be estimated during the parameter estimation phase before the error correction begins, and $H_{\min}^{\epsilon}(X_B^{\mathrm{key}}|E)$ is the smooth conditional min-entropy of the data $X_B^{\mathrm{key}}$ with smoothing parameter ε, conditioned on the information Eve may have, which quantifies Eve's uncertainty about Alice's measurement outcomes. ε satisfies ε ≤ (ε s − ε 1 ) 2p pass − 2 ε, where $p_{\mathrm{pass}}$ is the probability that the parameter estimation step passes, ε is the security parameter related to the energy test given in Eq. (20) and we choose ε 1 = ε s 2 for simplification [48]. Equation (21) is a CV-type key formula considering the quantum side information $E$ in infinite-dimensional Hilbert space [32].
The parameter $\ell_{\mathrm{EC}}$ can be easily obtained by publishing some of Bob's data (in the reverse reconciliation case), which is where $H(X_B)$ denotes the discrete Shannon entropy of the data on Bob's side, which can be described by and $I(X_B : X_A)$ is the mutual information between Alice and Bob.
Our target is to bound the smooth min-entropy $H_{\min}^{\epsilon}(X_B^{\mathrm{key}}|E)$ in the presence of quantum adversaries. The entropic uncertainty relations were originally introduced in discrete-variable QKD to bound the min-entropy and to show the protocols' security [49,50]. They were thereafter extended to infinite dimensions by F. Furrer et al. [51,52]. Therefore we exploit one type of uncertainty relation shown in Ref. [33] to bound the min-entropy in the entanglement-in-the-middle protocol, and the features of the entropic uncertainty relation together with the energy test make the protocol source-device-independent.
The entropic uncertainty relation bounds the uncertainty that the eavesdropper may have when both communication parties randomly measure in two bases. The relationship between smooth min- and max-entropies is given by where $c(\delta)$ quantifies the overlap of the two measurements and is independent of the measured states, which considers the detectors' discretization process and has the form: where $S_0^{(1)}$ is the 0th radial prolate spheroidal wave function of the first kind [53], which can be well approximated by $c(\delta) \approx \delta^2/(2\pi)$ if the interval length $\delta$ is not large. $H_{\max}^{\epsilon}(X_B^{\mathrm{key}}|A^n)_{\omega}$ is the smooth max-entropy between Bob's data and Alice's system with smoothing parameter ε. In Eq. (24), we assume that the random sampling of detections is i.i.d. The goal of estimating the smooth min-entropy $H_{\min}^{\epsilon}(X_B^{\mathrm{key}}|E)$ is to give an upper bound of the smooth max-entropy $H_{\max}^{\epsilon}(X_B^{\mathrm{key}}|A^n)_{\omega}$.
To estimate the upper bound of $H_{\max}^{\epsilon}(X_B^{\mathrm{key}}|A^n)_{\omega}$, first, due to the data processing inequality [54], we can obtain that and we need to bound the correlation between the data $X_B^{\mathrm{key}}$ and $X_A^{\mathrm{key}}$. For that we exploit the average distance, to give the bound of the smooth max-entropy. It has been shown in Ref. [32]

Figure 2. Secret key rates of the CV-SDI QKD protocol. The protocol is under symmetric configuration with $\tau_A = \tau_B = \sqrt{T}$, where $T$ is the total transmissivity of the channel. We consider the protocol with perfect reconciliation efficiency $\beta = 1$ and ideal modulation variance $V = 10^5$. We also set the excess noise as $\xi = 0.001$ in each channel and the overall security parameter is smaller than $10^{-20}$. The gray dotted line is the PLOB bound [45] and the black solid line is the key rate under collective attacks. The red solid line is the key rate under coherent attacks with infinite exchanged signals. The four dashed lines, from top to bottom, are the secret key rates under coherent attacks, with the block lengths from $10^{10}$ to $10^7$.

Figure 3. Secret key rates as functions of block size of the CV-SDI QKD protocol. The black solid line shows the performance with the distance of 5 km. The red dot-dashed line and the blue dashed line are the key rates of the protocol with distances of 10 km and 14 km, respectively. The other parameters are as in Fig. 2.

Figure 4. Schematic of the energy test at Bob's side. Bob uses a beam splitter with transmissivity $T$ to split the incoming signal into two parts. The transmission mode $X'_B$ is used for generating Bob's data and the reflection mode $a'$ is exploited to perform the energy test. $a$ and $b$ are two vacuum modes induced by the beam splitters. Modes $t_1$ and $t_2$ are the output modes of the balanced beam splitter used for checking whether $|q_{t_1}|$ and $|p_{t_2}|$ are below a certain threshold.
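The finite-range detection model and the energy test of Fig. 4 can be exercised together in a small Monte Carlo model. This is an added example, not code from the paper: pulses are represented by classical quadrature samples in shot-noise units (vacuum variance 1), out-of-range outcomes are merged into the outermost bins so that the alphabet has $2\alpha/\delta$ symbols, and the values `DELTA = 0.1` and `T_TAP = 0.99` as well as all function names are assumptions; $\alpha = 52$ and $M_{\mathrm{th}} = 12$ are the values quoted in the Discussion.

```python
import math
import random

ALPHA, M_TH = 52.0, 12.0     # detection range and threshold quoted on the page
DELTA = 0.1                  # assumed ADC resolution
T_TAP = 0.99                 # assumed "almost perfect" tap transmissivity T

def discretize(q, alpha=ALPHA, delta=DELTA):
    """Map a homodyne outcome to a symbol in {1, ..., 2*alpha/delta}.
    Outcomes beyond +-alpha are merged into the outermost bins (assumption)."""
    n_bins = round(2 * alpha / delta)
    k = math.ceil((q + alpha) / delta)     # bin k covers (-alpha+(k-1)d, -alpha+k*d]
    return min(max(k, 1), n_bins)

def bob_round(q_in, p_in, rng, t=T_TAP):
    """One pulse through Fig. 4: tap beam splitter, then heterodyne on a'."""
    a_q, a_p = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)   # vacuum mode a
    b_q, b_p = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)   # vacuum mode b
    r, s = math.sqrt(t), math.sqrt(1.0 - t)
    q_key = r * q_in + s * a_q                 # transmitted mode X'_B (q quadrature)
    q_ref = r * a_q - s * q_in                 # reflected mode a'
    p_ref = r * a_p - s * p_in
    q_t1 = (q_ref + b_q) / math.sqrt(2.0)      # outputs of the balanced splitter
    p_t2 = (p_ref - b_p) / math.sqrt(2.0)
    return q_key, q_t1, p_t2

def run_block(pulses, seed=1, m_th=M_TH):
    """Return (energy_test_passed, symbols). One violation aborts the block."""
    rng = random.Random(seed)
    passed, symbols = True, []
    for q_in, p_in in pulses:
        q_key, q_t1, p_t2 = bob_round(q_in, p_in, rng)
        if abs(q_t1) > m_th or abs(p_t2) > m_th:
            passed = False
        symbols.append(discretize(q_key))
    return passed, symbols

def constructed_pulses(n, variance=10.0, seed=7):
    """Constructed sample input: zero-mean Gaussian quadratures."""
    rng = random.Random(seed)
    sigma = math.sqrt(variance)
    return [(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for _ in range(n)]

if __name__ == "__main__":
    block = constructed_pulses(2000)
    print("low-energy block passes:", run_block(block)[0])
    tampered = list(block)
    tampered[100] = (2000.0, 2000.0)           # one constructed high-energy pulse
    ok, syms = run_block(tampered)
    print("tampered block passes:", ok, "| ADC symbol of that pulse:", syms[100])
    print("ADC symbol of a pulse at q=60:", run_block([(60.0, 0.0)])[1][0])
```

A pulse just outside the ADC range and a pulse far outside it yield the same top symbol, so the key data alone cannot tell them apart; only the tapped heterodyne measurement flags the second one and aborts the block.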