Improving parameter estimation of entropic uncertainty relation in continuous-variable quantum key distribution
aa r X i v : . [ qu a n t - ph ] J u l Improving parameter estimation of entropic uncertainty relation incontinuous-variable quantum key distribution
Ziyang Chen , Yichen Zhang , Xiangyu Wang , Song Yu , and Hong Guo ∗ State Key Laboratory of Advanced Optical Communication,Systems and Networks, Department of Electronics,and Center for Quantum Information Technology, Peking University, Beijing 100871, China and State Key Laboratory of Information Photonics and Optical Communications,Beijing University of Posts and Telecommunications, Beijing 100876, China (Dated: July 5, 2019)The entropic uncertainty relation (EUR) is of significant importance in the security proof ofcontinuous-variable quantum key distribution under coherent attacks. The parameter estimation inthe EUR method contains the estimation of the covariance matrix (CM), as well as the max-entropy.The discussions in previous works have not involved the effect of finite-size on estimating the CM,which will further affect the estimation of leakage information. In this work, we address this issue byadapting the parameter estimation technique to the EUR analysis method under composable securityframeworks. We also use the double-data modulation method to improve the parameter estimationstep, where all the states can be exploited for both parameter estimation and key generation; thus,the statistical fluctuation of estimating the max-entropy disappears. The result shows that theadapted method can effectively estimate parameters in EUR analysis. Moreover, the double-datamodulation method can, to a large extent, save the key consumption, which further improves theperformance in practical implementations of the EUR.
I. INTRODUCTION
The quantum key distribution (QKD) [1–5] is one ofthe most mature quantum cryptography technologies,which can provide information-theoretical provable se-curity together with the one-time pad method. The ideaof QKD is to employ the basic principles of quantumphysics to ensure the security of random keys and touse classical post-processing methods to find potentialeavesdropping behaviors. Based on the dimension of theHilbert space of the encoding, QKD can be roughly di-vided into two categories. One kind of protocol is calledthe discrete-variable (DV) protocol, in which the dimen-sion of the Hilbert space is finite. DV-QKD protocolshave the superiority of long transmission distance, butdepending on high-performance dedicated devices such assingle-photon detectors. As an alternative, continuous-variable (CV) protocols, which use the infinite dimensionof Hilbert space as the key space, give us opportunitiesto achieve the QKD process via off-the-shelf commercialcomponents, e.g., homodyne detector and heterodyne de-tector.The first idea of the CV-QKD protocol was exploitingsqueezed states to carry the key information [6–9]. Then,in order to weaken the dependence on the squeezed-state sources, the coherent-state-based CV-QKD proto-cols were proposed [10–12]. During these twenty years,research on protocol design and corresponding exper-imental verification was developing rapidly. Differentnovel CV-QKD protocols have been proposed, such as thetwo-way protocol [13–18], the discrete modulation proto-col [19–21], the measurement-device-independent (MDI) ∗ [email protected] protocol [22–28], etc., each of which has its own advan-tages in different scenarios. Besides the protocol design,the experiments also have made a tremendous step for-ward with the progress of today’s technology [29–31].The core of QKD is the security, and there have beenmany security analysis methods proposed to investigatethe security of different CV-QKD protocols [4]. Forthe convenience of the security analysis, the eavesdrop-per’s ability is usually restricted to three different levels,namely individual attacks, collective attacks, and coher-ent attacks. Individual attacks and collective attacks are,to some extent, to restrict the eavesdropper’s (Eve’s) at-tack ability, so that the exchanged state between Alice(sender) and Bob (receiver) can be treated as an iden-tical and independently distributed (i.i.d.) state, i.e., ρ A N B N = σ ⊗ NAB (where N is the number of exchangedsignals), which can simplify the security analysis. How-ever, a protocol is unconditionally secure only when it issecure under coherent attacks, due to the fact that co-herent attacks do not limit the ability of eavesdroppers,thereby the most general attacks. In the case of coherentattacks, the exchanged states between Alice and Bob donot have the i.i.d. structure anymore; thus, the securityproof is complicated.Diverse security analysis techniques have been de-veloped to analyze the security of different protocolsunder coherent attacks, typically the de Finetti theo-rem [32, 33], the post-selection technique [34, 35], and theentropic uncertainty relation (EUR) [36–38]. Those anal-ysis methods can also be applied to analyze the quantumrandom number generation protocols [39, 40]. Differentanalysis methods have their advantages and disadvan-tages, so they are suitable for the analysis of differentprotocols (see [4] for detailed discussions). The advan-tages of the EUR lies in its intuitive physical meaning(corresponding to the guessing game [41]) and the sim-ple estimation method. Most of the work has been donein the EUR in [36], except for the finite-size effect in es-timating the covariance matrix (CM). However, in prac-tical experiments, the estimation of the CM is alwaysachieved by limited data; thus, the finite-size effect notonly affects the estimation of min-entropy, but also theestimation of leakage information.In this work, we focus on the parameter estimation ofthe EUR in CV-QKD, especially on the finite-size esti-mation of the CM, and the modified estimation on themax-entropy. The discussion involves only the squeezedstate/homodyne detection-type protocols and has no as-sumption on Eve’s ability, namely under coherent-attackcases. Due to the influence of the finite block length ofthe key, the estimation of the CM is inaccurate in thecase of a short block length, compared with the idealCM estimation cases (as shown in [36, 37]). We exploitthe parameter estimation technique developed in [42] toconsider the estimation of the CM under practical blocksizes. Furthermore, inspired by the double-modulationmethod developed in [42], we propose a double-data mod-ulation method to estimate the parameters in the securityanalysis effectively, and only one modulation is neededrather than two, which simplifies the experimental struc-ture of the double-modulation protocol. Since the ex-changed state can be used for both parameter estimationand key generation, the estimation of the max-entropyis modified, and the statistical fluctuation of estimatingthe max-entropy disappears. The simulation result showsthat the modified estimation method can, to a large ex-tent, save the key consumption.This paper is organized as follows. In Section II,we review the composable security frameworks in QKDand give the description of the discussed protocol. InSection III, we discuss in detail the channel parameterestimation process with finite-size. In Section IV, themodified parameter estimation method is proposed withdouble-data modulation. The numerical simulation anddiscussion are give in Section V, and the conclusions aredrawn in Section VI. II. COMPOSABLE SECURITY ANDDESCRIPTION OF THE PROTOCOL
In this work, we investigate the CV-QKD protocol un-der the universal composable framework (UCF), whichcan be seen in [43, 44] for the details, and the discussionis under the coherent-attack cases. The UCF is of greatimportance to compose sequential rounds of a protocol,and even if some of the rounds are imperfect and deviatefrom the ideal model, the UCF can well describe theirdefects. A general QKD protocol can always be dividedinto different parts; thus, one of the benefits of UCFs isthat even if part of the protocol is imperfect, this imper-fection can still be applied to subsequent analysis of therest part of the protocol to obtain the final non-ideal key. Another advantage of UCFs is that the final imperfectkey generated from a QKD system can be well quanti-fied as ε -secure and then can be applied to other classicalcommunication tasks, such as the one-time pad scenario.To illustrate the composable security of QKD, we firstuse s A to denote Alice’s key and use s B to denote Bob’skey. In the ideal case, the keys should be correct, se-cret, and robust. Correctness means, for each round ofthe protocol, the keys of Alice and Bob are always thesame, namely s A = s B = S . Secrecy means the key isindependent of the third part and only known to Aliceand Bob themselves. Robustness requires that, in everyround of the protocol, Alice and Bob can always gener-ate a non-empty key, namely S = ⊥ . If a QKD protocolcan satisfy correctness, secrecy, and robustness, the pro-tocol then can be called perfectly secure. We denote by {| s i} s ∈ S the orthogonal bases of the key, by ρ E Eve’sauxiliary quantum systems, and by p ⊥ the probabilityof generating an empty key set. The perfectly secureclassical-quantum (cq) state between the key S and theenvironment E can be shown as follows, ρ perfectsE = (1 − p ⊥ ) X s ∈ S | S | | s i h s | ⊗ ρ sE + p ⊥ |⊥i h⊥| ⊗ ρ ⊥ E . (1)Nevertheless, a protocol is always imperfect with prac-tical issues, resulting in the security deviating from theideal model. Therefore, the ε -security can be used to de-scribe the practical security with imperfect features. Wedenote by ε c , ε r , ε s the smoothness parameters of prac-tical correctness, robustness, and secrecy, respectively. ε c -correctness requires that the key in Alice and Bob’ssides be different only with very small probability ε c ,namely Pr ( s A = s B ) ≤ ε c . ε r -robustness requires thatthe set of the keys is empty only with a small probabil-ity, given by Pr ( S = ⊥ ) ≤ ε r . ε s -secrecy can be treatedas the distance between the practical security and theperfect security, in terms of the trace distance, given by (cid:13)(cid:13)(cid:13) ρ sE − ρ perfectsE (cid:13)(cid:13)(cid:13) ≤ ε s . In summary, if a QKD pro-tocol can contain ε c -correctness, ε r -robustness, and ε s -secrecy, then the protocol can be called ε -secure, with ε = ε c + ε r + ε s .Let us start with the execution of the prepare-and-measure (PM) version of the squeezed-states protocol.The protocol can be divided into sequential parts, asshown in Figure 1, which can be described by the fol-lowing steps:1. State preparation : Alice holds the squeezedstates with squeezed variance V S before the pro-tocol begins, where V S ∈ (0 , x M to encode the displacement of quadratures byusing modulators (generally containing amplitudeand phase modulators), and the total modulationvariance is denoted by V M .2. State transmission : Alice sends the modulatedstate in the quantum channel, which is treated asa totally untrusted channel and controlled by Eve.3.
State measurement : Bob receives the quantumstate and randomly measures x or p quadrature byan ideal homodyne detector. Resulting from thefact that the practical measurement phase is alwaysdiscrete, the ideal measurement outcomes shouldbe discretized by the analogue-to-digital converter(ADC). The final discretized results are denoted by x B .4. Parameter estimation : Alice and Bob repeat theabove steps many times until they have enough rawdata (e.g., N ). Then, Alice or Bob reveals some ofthe raw data (with length m ) through the classi-cal channel to estimate the key parameters of thechannel, especially the data distance d betweenAlice’s and Bob’s data, the transmittance τ , andthe excess noise ε . See Section III for a detailedexplanation of the parameter estimation step.5. Error correction : According to the estimationparameters τ and ε , the communication parts esti-mate the leakage information ℓ EC during the errorcorrection phase and choose an appropriate classi-cal error reconciliation algorithm, e.g., low-density-parity-check (LDPC) code, to correct Alice’s error(in reverse reconciliation cases) or Bob’s error (indirect reconciliation cases).6. Privacy amplification : Alice and Bob randomlychoose a universal hash function [45] and apply itto their respective keys to get the final private keys s A and s B with length ℓ , which are only known tothemselves. Alice Eve Bob
Hom (cid:2206) (cid:1776) (cid:1796) (cid:2175)
S AM (cid:2206) (cid:2169)
ADCPM (cid:4666)(cid:2254)(cid:481) (cid:2239)(cid:4667)
Classical ChannelQuantum Channel(Postprocessing)Reveal Reveal (cid:2201) (cid:2157) (cid:2201) (cid:2158)
Key extractionPrivate Private (cid:1796) (cid:2169) (cid:2252) (cid:2180) (cid:2252) (cid:2172)
FIG. 1. Prepare-and-measure (PM) scheme of continuous-variable (CV)-quantum key distribution (QKD) usingsqueezed states. Source: squeezed-state source with squeezedvariance V S ; Mod: modulators containing amplitude andphase quadrature modulators with total modulation variance V M ; Hom: homodyne detection; x M : Gaussian modulationdata on Alice’s side; x B : measurement results on Bob’s side;Quantum channel: channel for the transmission of quantumstates, with the transmittance τ and the excess noise ε ; Clas-sical channel: channel for the transmission of classical dataduring the post-processing procedure. According to the UCF, one can write the upper boundof the final key length ℓ low , even if the above steps are not ideal, given by [43]: ℓ low = H ε min ( x B | E ) − ℓ EC − log ε ε c + 2 , (2)where H ε min ( x B | E ) is the smooth min-entropy of x B con-ditioned on the information Eve may hold, with smooth-ing parameter ε , and ε is the smoothness of the physicalpart of the protocol. III. CHANNEL PARAMETER ESTIMATIONWITH FINITE-SIZE
There are roughly two parameters that need to bebounded in the protocol. One is the smooth min-entropy H ε min ( x B | E ), and the other is the leakage information ℓ EC . We separately discuss the estimation of the twoparameters in two parts. A. Estimation of Smooth Min-Entropy
There are different ways to estimate the min-entropyunder coherent attacks. For instance, the de Finetti the-orem [32, 33], which can reduce the analysis from thecoherent attack case to the collective attack case, hasbeen successfully used to prove the security of CV-QKDprotocols with the source of coherent states [27, 46]. TheEUR has also been exploited to prove the security ofsqueezed-state-type protocols [28, 36, 37]. In this work,we focus on using the uncertainty relation to bound themin-entropy of the key.In practical experiments, x M and x B are always dis-cretized. We denote α as the maximum discretizationrange of the sampling interval and denote δ as the discreteprecision of the measurement, which satisfy 2 α / δ =2 L ∈ N , where L is the number of discrete bits. Therefore,the measurement result will fall into different intervals,namely,( −∞ , − α ] , ... ( − α + ( k − δ, − α + kδ ] , ..., ( α, + ∞ ) , (3)where k = { , , ..., α / δ } . One can bound the smoothmin-entropy of the discretized data x B conditioned onEve’s information H ε min ( x B | E ) according to the CV ver-sion of EUR, given by: H ε min ( x B | E ) ≥ − n log c ( δ ) − H ε ′ max ( x M | x B ) , (4)where c quantifies the maximum overlap of the two mea-surements, namely c = max x,z |h X x | Z z i| and X and Z aremutually unbiased bases; hence, c ( δ ) is the overlap be-tween discrete quadrature measurements related to theinterval length δ , which reads: c ( δ ) = 12 π δ S (1)0 (cid:18) , δ (cid:19) , (5)where S (1)0 ( . ) is the zeroth radial prolate spheroidal wavefunction of the first kind [47] and S (1)0 (cid:16) , δ (cid:17) is ap-proximately one if δ is small. The term H ε ′ max ( x M | x B )in Equation 4 denotes the max-entropy between Al-ice’s and Bob’s data, with smoothing parameter ε ′ = ε s /4 p pass − p − (1 − p α ) n ] . √ p pass , where p α is theprobability that the measurement is outside of the detec-tion range.According to Equation 4, in order to give a lower boundof the min-entropy, one should estimate the upper boundof the max-entropy using some of the raw keys duringthe parameter estimation phase. First, the average dis-tance, which quantifies the correlation between Alice’sand Bob’s data, should be estimated, given by: d (cid:0) x P EM , x
P EB (cid:1) = 1 m m X i =1 | M i − B i | , (6)where we use M i to denote the i th modulating value and B i denotes the i th measurement result, for i = 1 , , ..., m ,respectively. If the data distance d (cid:0) x P EM , x
P EB (cid:1) is smallerthan a certain threshold d , the parameter estimationstep passes. Then, one can bound the max-entropy ac-cording to Serfling’s large deviation bound [48], given by: H ε max ( x M | x B ) ≤ n log γ ( d + µ ) , (7)where γ is a large deviation function, which reads: γ ( t ) = (cid:16) t + p t + 1 (cid:17) (cid:20) t √ t + 1 − (cid:21) t , (8)and µ quantifies the impact of statistical fluctuations re-sulting from estimating “data parameter” H ε max ( x M | x B )by “PEparameter” H ε max (cid:0) x P EM | x P EB (cid:1) , which reads: µ = 2 αδ r N ( m + 1) nm ln 1 ε ′ , (9)where N denotes the total number of exchanged signalsand satisfies N = n + m . B. Ideal Estimation of Leakage Information withInfinite-Size
To estimate the leakage information in the error cor-rection phase, we model Eve’s behavior by the entanglingcloner attack model, which is the most common exampleof a Gaussian attack [49]. We point out that the wholeanalysis of this paper is under the most general coher-ent attacks and has no restriction on Eve’s ability. Themodel of the entangling cloner attack is only for intuitiveunderstanding, and it is convenient to investigate the per-formance of the protocol, which can be used to estimatethe lower bound of the key rate. Even if Eve’s attack isnot the entangling cloner attack, the following analysis also holds, resulting from the fact that in a practical ex-periment, we do not need to assume the eavesdropper’sstrategy in advance and only need to estimate the chan-nel parameters by the existing data that Alice and Bobhold.The quadrature of the quantum state sent by Alice’sside is denoted by x A = x s + x M . In order to ob-tain the correlation between Alice and Bob after passingthrough the channel, we assume Eve performs the entan-gling cloner attack, where Eve’s state is modeled by atwo-mode squeezed vacuum (TMSV) state ρ eE with theCM γ eE , which reads: γ eE = (cid:18) ω I √ ω − Z √ ω − Z ω I (cid:19) , (10)where ω is the variance of the TMSV, I = diag (1 , Z = diag (1 , − τ , whose CM is given by: S τ = (cid:18) √ τ I √ − τ I −√ − τ I √ τ I (cid:19) , (11)and the excess noise ε can be defined as ε :=(1 − τ ) ( ω − τ . Thus, it is easy to deduce the quadra-ture on Bob’s side after passing through the quantumchannel, given by: x B = √ τ x A + √ − τ x + x ε = √ τ x M + x N , (12)where x N = √ τ x s + √ − τ x + x ε . Assuming that thesqueezing operation is performed for x quadrature, themutual information between Alice and Bob reads: I x ( A : B ) = 12 log V B V B | A = 12 log (cid:18) τ σ x V N (cid:19) , (13)and V N has the form: V N = 1 + τ ε + τ ( V S −
1) := 1 + V ε + τ ( V S − . (14)When Alice and Bob perform the error correction step,they need to randomly announce part of the informationthrough the public channel, which is also revealed to Eve.It is assumed that eavesdroppers can monitor all classicalcommunication processes; thus, the amount of informa-tion leaked in the error correction process must be wellestimated and then removed from the final keys. Theleakage information ℓ EC in the error correction step canbe described as ℓ DREC = H ( x M ) − βI x ( A : B ) , (15)in the direct reconciliation (DR) case and: ℓ RREC = H ( x B ) − βI x ( A : B ) , (16)in the reverse reconciliation (RR) case, where β is thereconciliation efficiency. C. Practical Estimation of Leakage Informationwith Finite-Size
In the previous works, the estimator of the leakage in-formation ˆ ℓ EC was treated as an asymptotic parameter,which is independent of the total key length. However inpractice, the estimation of ˆ ℓ EC cannot be accurate espe-cially when the key length is not large, further affectingthe performance of the error correction. To take finite-size effects into consideration, the estimator ˆ ℓ EC under apractical block length needs to be estimated. We adaptthe estimation method shown in [42] to analyze the char-acteristics of the channel. Here, we only give the mainresults of the previous work, and the detailed derivationcan be seen in [42]. In the practical experiment, the dataon Alice’s side is actually the modulated data x M ; thus,the key of parameter estimation is to estimate the CM γ MB , namely γ MB = [ V M I , c MB Z ; c MB Z , V B I ]. The re-lation of x M and x B (Alice’s and Bob’s data) has theform of x B = √ τ x M + x N , where x N is the aggregatednoise with zero mean, and the variance is shown in Equa-tion 14. The covariance of x M and x B is: Cov ( x M , x B ) = √ τ V M =: c MB . (17)For obtaining the estimator of covariance ˆ c MB , we alsouse M i denoting the i th modulating value and B i denot-ing the i th measurement result, for i = 1 , , ..., m , respec-tively. According to the maximum likelihood estimation,we can get: ˆ c MB = 1 m m X i =1 M i B i . (18)and it is easy to compute the expectation value E [ˆ c MB ]and the variance V [ˆ c MB ] by assuming M i and B i are twoindependent Gaussian variables with zero mean values,which read: E [ˆ c MB ] = c MB , (19) V [ˆ c MB ] = τ V M m (cid:18) V N τ V M (cid:19) . (20)According to Equation 17, we can get the estimator ˆ τ of τ , which reads:ˆ τ = ˆ c MB V M = V [ˆ c MB ] V M ˆ c MB p V [ˆ c MB ] ! , (21)where (cid:18) ˆ c MB √ V [ˆ c MB ] (cid:19) follows the χ -distribution, namely, ˆ c MB p V [ˆ c MB ] ! ∼ χ (cid:18) , ˆ c MB V [ˆ c MB ] (cid:19) . (22) Then, we can calculate the expectation value of ˆ τ ,which reads: E (ˆ τ ) = τ + O (1/ m ) , (23)and the variance is given by: V (ˆ τ ) = 4 τ m (cid:18) V N τ V M (cid:19) + O (cid:0) (cid:14) m (cid:1) . (24)For m ≫
1, which is practical in experiments, the term O (cid:0) (cid:14) m (cid:1) can be negligible due to the order 1 (cid:14) m beingsmall. Thus, we define new variance of ˆ τ under a practi-cal block length, which reads: σ τ = 4 τ m (cid:18) V N τ V M (cid:19) , (25)so that the confidence interval of estimating τ can be wellquantified.In order to estimate the upper bound of the leak-age information ℓ upEC , one should give the lower boundof the transmittance τ . For practical purposes, we setthe failure probability of the parameter estimation to ε P E = 10 − , which corresponds to the confidence in-terval of 6 . σ ˆ τ , and one can estimate the lower bound ofˆ τ low , given by:ˆ τ low = E (cid:0) τ low (cid:1) := ˆ τ − . σ ˆ τ . (26)According to: x B = √ τ ( x M + x S ) + √ − τ x + x ε = √ τ x M + x N , (27)the estimator of V ε can also be calculated by the maxi-mum likelihood estimation with the following form:ˆ V ε = 1 m m X i =1 (cid:16) B i − √ ˆ τ M i (cid:17) + ˆ τ (1 − V S ) − . (28)In the case of m ≫
1, the estimator ˆ τ converges rapidlyto the actual value τ as m increases, owing to the varianceof ˆ τ being negligible. Thus, here, we use τ to replace ˆ τ tosimplify the estimation process. Noticing that the term m m P i =1 (cid:16) B i −√ τM i √ V N (cid:17) also follows the χ -distribution withthe expectation value E (cid:18) m m P i =1 (cid:16) B i −√ τM i √ V N (cid:17) (cid:19) = m andvariance V (cid:18) m m P i =1 (cid:16) B i −√ τM i √ V N (cid:17) (cid:19) = 2 m , respectively, re-sulting from B i − √ τ M i being Gaussian distributed withvariance V N , therefore, one can get the following approx-imation when m is large: m X i =1 (cid:0) B i − √ τ M i (cid:1) ≈ V N · m X i =1 (cid:18) B i − √ τ M i √ V N (cid:19) . (29)The expectation value of ˆ V ε can be obtained, whichreads: E (cid:16) ˆ V ε (cid:17) ≈ m V N · E m X i =1 (cid:18) B i − √ τ M i √ V N (cid:19) ! + τ (1 − V S ) − V ε , (30)and the variance of ˆ V ε can also be calculated, given by: V (cid:16) ˆ V ε (cid:17) ≈ m V N + σ τ (1 − V S ) := σ V ε . (31)The upper bound of the variance of excess noise canbe given, also considering the failure probability of theparameter estimation to ε P E = 10 − , which is:ˆ V upε = E ( V upε ) := ˆ V ε + 6 . σ ˆ V ε . (32) IV. DOUBLE-DATA MODULATION METHODAND THE MODIFIED ESTIMATION PROCESS
Inspired by the double-modulation method developedin [42], we find that this estimation method is also usefulin the parameter estimation of the EUR analysis method.Here, we slightly modify the double-modulationmethod by pre-generating two sets of Gaussian randomnumbers, namely x M and x M , with variances V M and V M and zero mean values, encoding quantum states bynew random variable x M , where x M = x M + x M . Inthis double-data modulation method, Alice holds bothdata x M and x M in her memories and then generatesdata x M according to data x M and x M . The generateddata x M are used to modulate the quantum states. Af-ter Alice and Bob finish the key distribution processes,Alice reveals data x M to perform the channel parame-ter estimation, and all the information about data x M is not announced throughout the parameter estimationphase; thus, x M can be used for the key extraction stepwithout leaking information about the key during the pa-rameter estimation step. The idea is very similar to thatin [42], and the difference is that this double-data mod-ulation method only needs one modulation rather thantwo, since we perform the pre-processing of two indepen-dent random variables, which simplifies the experimentalsetup of the double-modulation method.Since all the exchanged signals can be used for both pa-rameter estimation and key extraction, the estimation ofthe max-entropy needs to be modified. Recalling that inSection III, the key point of estimating the max-entropyis to quantify the data distance d (cid:0) x totalM , x totalB (cid:1) . How-ever, in traditional EUR method, not all the data can beused for the parameter estimation, and only part of thedata (parameter estimation data) can be used to estimatethe total data distance, resulting in the statistical fluctu-ation of the estimating distance, thereby d (cid:0) x totalM , x totalB (cid:1) is approximately replaced by d (cid:0) x P EM , x
P EB (cid:1) + µ , where thefirst term is the distance between the parameter estima-tion data and the second term is the statistical fluctua- tion of estimating the total data distance by using theparameter estimation data. In the double-data modu-lation protocol, we modify the L distance between thekey-extraction data x M and Bob’s data x B by exploitingthe absolute value inequality, given by: d ( x M , x B ) = 1 N X N (cid:12)(cid:12) x iB − x iM (cid:12)(cid:12) ≤ N X N (cid:12)(cid:12) x iB − x iM (cid:12)(cid:12) + 1 N X N (cid:12)(cid:12) x iM − x iM (cid:12)(cid:12) = d ( x M , x B ) + d ( x M , x M ) , (33)where d ( x M , x B ) denotes the L distance between data x M and x B , which can be estimated after Alice revealsdata x M , and d ( x M , x M ) denotes the L distance be-tween data x M and x M , which can be calculated on Al-ice’s side locally. Here, we replace the number of param-eter estimation signals m by N since all the exchangedsignals are used in this step. Therefore, the max-entropycan be bounded after modifying the parameter estima-tion step, which reads: H ε max ( x M | x B ) ≤ N log ( d ( x M , x B ) + d ( x M , x M )) . (34)Due to the fact that all the states are exploited toperform parameter estimation, the statistical fluctuationof estimating L distance disappears, which reduces thefinite-size effect on estimating the max-entropy, espe-cially in the short block size regime, where the statisticalfluctuation cannot be negligible.The remaining task is to estimate the confidence inter-vals of the channel parameters by using data x M and x B ,which is the standard estimation method shown in [42].The quadrature of the received states on Bob’s side canbe rewritten in the following form after using the double-data modulation method, x B = √ τ ( x M + x S ) + √ − τ x + x ε = √ τ x M + x ∗ N , (35)where x ∗ N = √ τ ( x s + x ) + √ − τ x + x ε is the aggre-gated noise when we use x M to perform the parameterestimation, with variance V ∗ N = τ ( x s + x −
1) + 1 + V ε .After comparing Equation 35 with Equation 27, it iseasy to obtain the variances of the estimators ˆ τ and ˆ V ε by replacing V M with V M , V N with V ∗ N , and m with N ,which are given by: σ τ ∗ = 4 τ N (cid:18) V ∗ N τ V M (cid:19) , (36) σ V ∗ ε = 2 N V ∗ N + σ τ ∗ (1 − V S ) . (37) V. NUMERICAL SIMULATION ANDDISCUSSION
In this section, we focus on the simulation analysisof the protocol with the finite-size effect, containing thecomparison of the protocol’s performances between idealand practical estimations of the CM and the compari-son between standard estimation method and the mod-ified double-data modulation method. The simulationassumes that Eve’s attack is the entangling cloner at-tack. We stress again that this attack model does notaffect the security of the protocol and is just for theconvenience of the simulation. In practice, we do notneed to assume the attack model in advance and onlyneed to estimate the correlation through the data in thehands of Alice and Bob. The correlation between Al-ice’s and Bob’s data can be verified according to whetherthe L distance d (cid:0) x P EM , x
P EB (cid:1) shown in Equation 6 isgreater than the threshold parameter d . If the rela-tion d (cid:0) x P EM , x
P EB (cid:1) < d holds, we think the data betweenAlice and Bob are correlated. Otherwise, we abort theprotocol. In order to determine whether the amount ofdata is sufficient for the parameter estimation, one needsto use the experimental data of Alice and Bob with afinite block size to estimate the practical parameters andto determine whether the finite-size effect is acceptableby simulation.We point out that the analysis using the EUR does notrely on Eve’s attack method in the experiment, which isdue to two reasons. One reason is that the EUR secu-rity analysis method itself does not restrict Eve’s abil-ity [36], which means there is no need to assume that thequantum state is a product state σ ⊗ NAB , like the collective-attack analysis. Another reason is that the parameter es-timation does not need to assume Eve’s attacking model.The estimation of max-entropy only needs to estimate thedata distance d (cid:0) x P EM , x
P EB (cid:1) by x M and x B . The estima-tion of ℓ EC needs the variance of the measured data andthe signal-to-noise ratio after transmission, which can beobtained from the statistical CM directly. Using the en-tangling cloner attack model to model Eve’s behavior justaims at getting the lower bound of the transmittance τ and the upper bound of the excess noise ε , and then, thelower bound of the key rate can be calculated.In the following discussion, we consider the squeezedvacuum states with a squeezing level of 13.1 dB andan anti-squeezing level of 25.8 dB, which has experi-mentally been achieved at 1550 nm with today’s tech-nology [50]. We set the reconciliation efficiency β to95%, which is also easily achievable with CV-QKD’s post-processing method [51, 52]. The excess noise is chosenas ε = 0 .
01, and the security parameters are chosen as ε c = ε s = 10 − .In Figure 2, we plot the key rate as a function of thetransmission distance, expressed in terms of km. Thelower bound of the key length is given by Equation 2,and the secret key rate is calculated by ℓ low / N . The leftpanel and the right panel are the performances under the DR and RR cases, respectively. We give the comparisonbetween the ideal CM estimation and the practical CMestimation with different practical block sizes, namely10 , 10 , and 10 . The solid lines are the protocol underideal CM estimation, and the dashed lines are the perfor-mances under practical CM estimation. We can find thatthe finite-size effect of estimating the CM will slightly in-fluence the final key rates, and the larger the block size,the smaller the impact. For a practical block size of theorder of 10 , there is almost no influence on the secretkey rate.In Figure 3, we plot the key rate of the protocol as afunction of the block size and compare the performancesunder different transmission distances. In the DR case(left panel), the performances under transmission dis-tances of 3 km, 5 km, and 10 km are illustrated, whilethe key rates under transmission distances of 3 km, 10km, and 15 km are plotted in the RR case (right panel),respectively. We can see that the block length of the or-der of 10 − is sufficient for the protocol under thecomposable security analysis, achieving rates over 10 − bits per channel use for transmission distances of about10 km in DR and 15 km in RR, respectively. The resultsalso show that, in the case of short transmission distance,the limited block length has a small impact on the per-formance of the protocol, which will be weakened withthe increase of the block length. Moreover, in the caseof relatively long transmission distance (approximatelymore than 10 km), the estimation of leakage informationwith finite-size has little effect on the final key since thecase of long transmission distance requires a larger blocksize for the error correction. -4 -3 -2 -1 Direct reconciliation(a) S ecre t k e y r a t e ( b i t s / pu l s e ) Transmission distance (km)
Ideal CM, N = 10 Ideal CM, N = 10 Ideal CM, N = 10 Practical CM, N = 10 Practical CM, N = 10 Practical CM, N = 10 -4 -3 -2 -1 (b) Ideal CM, N = 10 Ideal CM, N = 10 Ideal CM, N = 10 Practical CM, N = 10 Practical CM, N = 10 Practical CM, N = 10 S ecre t k e y r a t e ( b i t s / pu l s e ) Transmission distance (km)Reverse reconciliation
FIG. 2. Comparison of performances between the previ-ous key rates and the modified results under different blocklengths, namely, 10 , 10 , and 10 . (a) shows the direct recon-ciliation (DR) cases, and (b) shows the reverse reconciliation(RR) cases. The solid lines are the performances under theideal covariance matrix (CM) estimation, and the dashed linesare the performances under practical CM estimation consider-ing finite-size. The reconciliation efficiency β is under a prac-tical value of 95%, and the excess noise is chosen as ε = 0 . ε c = ε s = 10 − and the de-tection range to α = 61 . The comparison of the performances between the stan-dard estimation method and the modified double-datamodulation method is shown in Figure 4, where theleft panel shows the performances of two scenarios un-der different block sizes, while the right panel shows -4 -3 -2 -1 Direct reconciliation(a) S ecre t k e y r a t e ( b i t s / pu l s e ) Block size
Ideal CM, 3 km Ideal CM, 5 km Ideal CM, 10 km Practical CM, 3 km Practical CM, 5 km Practical CM, 10 km -4 -3 -2 -1 Ideal CM, 3 km Ideal CM, 10 km Ideal CM, 15 km Practical CM, 3 km Practical CM, 10 km Practical CM, 15 km (b) S ecre t k e y r a t e ( b i t s / pu l s e ) Block sizeReverse reconciliation
FIG. 3. Comparison of performances between the previouskey rates and the modified results under different transmis-sion distances. (a) shows the direct reconciliation cases, and(b) shows the reverse reconciliation cases. The solid lines arethe performances under ideal CM estimation, and the dashedlines are the performances under practical CM estimation con-sidering finite-size. The parameters are chosen as in Figure 2. the protocol’s performances under different transmissiondistances. We optimize the performance of the double-data method by adopting the optimization method shownin [42]. In the left panel, we plot the performances ofthe double-data modulation method under block sizes of10 and 10 and the asymptotic case, respectively, whichare shown with solid lines, while the performances of thestandard estimation method are depicted with dashedlines, under block sizes of 10 and 10 and the asymptoticcase. It can be seen that, with the help of the double-data modulation method, using less quantum states canachieve better performance than the standard estimationmethod in a short block-size regime, due to the fact thatthe data fluctuation term µ in the previous estimationmethod is not negligible when the block-size is not large,which makes the statistical fluctuation of the finite-sizeeffect more significant in short key lengths. Thus, thedouble-data modulation method can efficiently improvethe parameter estimation process when the block size isnot large. We also note that since we use all the statesto extract the key, leading to a high utilization of quan-tum states, the key rate of the modified method is higherthan that of the previous method. However, the double-data modulation method cannot achieve the transmis-sion distance as far as the single-modulation method inthe asymptotic case. This is intuitive since the statisticalfluctuation in the standard estimation method convergesto zero with N going to infinity, while there still exit somenoises in estimating data distance in double-data mod-ulation method, namely d ( x M , x M ), which will com-promise the transmission distance. In the right panel ofFigure 4, we can see that the block length of the orderof 10 − is sufficient for the protocol to support theprevious transmission distances with the block size of theorder of 10 − , which we believe, to a large extent,saves the key consumption. -4 -3 -2 -1 (a) S ecre t k e y r a t e ( b i t s / pu l s e ) Transmission distance (km)
Single modulation, N = 10 Single modulation, N = 10 Single modulation, N = ¥ Double-data modulation, N = 10 Double-data modulation, N = 10 Double-data modulation, N = ¥ -4 -3 -2 -1 Single modulation, 3 km Single modulation, 10 km Single modulation, 15 km Double-data modulation, 3 km Double-data modulation, 10 km Double-data modulation, 15 km (b) S ecre t k e y r a t e ( b i t s / pu l s e ) Block size
FIG. 4. Comparison of the performances between the stan-dard estimation method and the modified double-data mod-ulation method under the reverse reconciliation case. (a)shows the performances of two scenarios under different blocksizes, while (b) shows the protocol’s performances under dif-ferent transmission distances. The dashed lines are the per-formances using the standard estimation method, and thesolid lines are the performances using double-data modula-tion method.
VI. CONCLUSIONS
In this work, we investigated the EUR used for thecomposable security analysis of the CV-QKD protocoland focused on the parameter estimation step, contain-ing the finite-size effect on estimating the CM and theimprovement of the parameter the estimation phase us-ing the double-data modulation method, which were notdiscussed in previous works [36–38]. We believe it is nec-essary to study the finite-size effect on the parameterestimation in the EUR method, as well as its improve-ment, since in practice, only limited exchanged states canbe used for the parameter estimation, making the esti-mation process non-ideal.The analysis showed that the finite-size effect of es-timating the CM had a slight influence on the key rate.The larger the block size, the smaller the influence. For apractical block length of the order of 10 , the influence onthe protocol’s performance was almost negligible. Thus,in a practical experiment, if the amount of data is large,treating the estimators of parameters as ideal parameterswill not have a great influence on the key rate. The resultalso showed that the parameter estimation method devel-oped in [42] was very effective at handling the finite-sizeanalysis of the covariance matrix in EUR analysis.To further reduce the impact of the finite-size effectin the parameter estimation phase, we also improved theparameter estimation process by exploiting the double-data modulation method, which was inspired by L. Rup-pert, et al [42]. All the quantum states can be used forboth parameter estimation and key extraction, which im-proves the utilization of exchanged states. After modify-ing the estimation of the max-entropy, we found that thefinite-size effect was to a large extent suppressed whenthe block size was not large, which saved the key con-sumption, while the longest transmission distances in theasymptotic case were compromised.Our work is an improvement of previous works [36,37]. We believe that the modified estimation methodis practical by using less states to perform parameterestimation. ACKNOWLEDGMENTS
We would like to thank Tobias Gehring for the valuablediscussions. This work is supported by the National Nat-ural Science Foundation under Grant No. 61531003, theNational Science Fund for Distinguished Young Scholarsof China (Grant No. 61225003), and the China Postdoc-toral Science Foundation (Grant No. 2018M630116). [1] Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantumcryptography.
Rev. Mod. Phys. , , 145–195.[2] Scarani, V.; Bechmann-Pasquinucci, H.; Cerf, N.J.;Duˇsek, M.; L¨utkenhaus, N.; Peev, M. The security ofpractical quantum key distribution. Rev. Mod. Phys. , , 1301–1350.[3] Weedbrook, C.; Pirandola, S.; Garc´ıa-Patr´on, R.; Cerf,N.J.; Ralph, T.C.; Shapiro, J.H.; Lloyd, S. Gaussianquantum information. Rev. Mod. Phys. , , 621–669.[4] Diamanti, E.; Leverrier, A. Distributing secret keys withquantum continuous variables: Principle, security andimplementations. Entropy , , 6072–6092.[5] Pirandola, S.; Andersen, U.L.; Banchi, L.; Berta, M.;Bunandar, D.; Colbeck, R.; Englund, D.; Gehring, T.;Lupo, C.; Ottaviani, C.; et al. Advances in quantumcryptography. arXiv , arXiv:1906.01645.[6] Ralph, T.C. Continuous variable quantum cryptography. Phys. Rev. A , , 010303(R).[7] Hillery, M. Quantum cryptography with squeezed states. Phys. Rev. A , , 022309.[8] Cerf, N.J.; L´evy, M.; Van Assche, G. Quantum distribu-tion of Gaussian keys using squeezed states. Phys. Rev.A , , 052311.[9] Usenko, V.C.; Filip, R. Squeezed-state quantum key dis-tribution upon imperfect reconciliation. New J. Phys. , 13, 113007.[10] Grosshans, F.; Grangier, P.; Continuous variable quan-tum cryptography using coherent states.
Phys. Rev. Lett. , , 057902.[11] Grosshans, F.; van Assche, G.; Wenger, J.; Brouri, R.;Cerf, N.J.; Grangier, P. Quantum key distribution usinggaussian-modulated coherent states. Nature , ,238–241.[12] Weedbrook, C.; Lance, A.M.; Bowen, W.P.; Symul, T.;Ralph, T.C.; Lam, P.K. Quantum cryptography withoutswitching. Phys. Rev. Lett. , , 170504.[13] Pirandola, S.; Mancini, S.; Lloyd, S.; Braunstein, S.L.Continuous-variable quantum cryptography using two-way quantum communication. Nat. Phys. , , 726–730.[14] Sun, M.; Peng, X.; Shen, Y.; Guo, H. Security of a newtwo-way continuous-variable quantum key distributionprotocol. Int. J. Quantum Inf. , , 1250059.[15] Zhang, Y.-C.; Li, Z.; Weedbrook, C.; Yu, S.; Gu, W.;Sun, M.; Peng, X.; Guo, H. Improvement of two-waycontinuous-variable quantum key distribution using op-tical amplifiers. J. Phys. B , , 035501.[16] Ottaviani, C.; Mancini, S.; Pirandola, S. Two-way Gaus-sian quantum cryptography against coherent attacks indirect reconciliation. Phys. Rev. A , , 062323. [17] Ottaviani, C.; Pirandola, S. General immunity and su-peradditivity of two-way Gaussian quantum cryptogra-phy. Sci. Rep. , , 22225.[18] Zhang, Y.; Li, Z.; Zhao, Y.; Yu, S.; Guo, H. Numeri-cal simulation of the optimal two-mode attacks for two-way continuous-variable quantum cryptography in re-verse reconciliation. J. Phys. B: At. Mol. Opt. Phys. , , 035501.[19] Leverrier, A.; Grangier, P. Unconditional security proofof long-distance continuous-variable quantum key distri-bution with discrete modulation. Phys. Rev. Lett. , , 180504.[20] Leverrier, A.; Grangier, P. Continuous-variablequantum-key-distribution protocols with a non-Gaussianmodulation. Phys. Rev. A , , 042312.[21] Li, Z.; Zhang, Y.; Guo, H. User-defined quantum keydistribution. arXiv , arXiv: 1805.04249.[22] Li, Z.; Zhang, Y.-C.; Xu, F.; Peng, X.; Guo, H.Continuous-variable measurement-device-independentquantum key distribution. Phys. Rev. A , ,052301.[23] Zhang, Y.-C.; Li, Z.; Yu, S.; Gu, W.; Peng,X.; Guo, H. Continuous-variable measurement-device-independent quantum key distribution using squeezedstates. Phys. Rev. A , , 052325.[24] Pirandola, S.; Ottaviani, C.; Spedalieri, G.; Weedbrook,C.; Braunstein, S.L.; Lloyd, S.; Gehring, T.; Jacob-sen, C.S.; Andersen, U.L. High-rate measurement-device-independent quantum cryptography. Nat. Photon. , , 397–402.[25] Zhang, X.; Zhang, Y.; Zhao, Y.; Wang, X.; Yu,S.; Guo, H. Finite-size analysis of continuous-variablemeasurement-device-independent quantum key distribu-tion. Phys. Rev. A , , 042334.[26] Papanastasiou, P.; Ottaviani, C.; Pirandola, S. Finite-size analysis of measurement-device-independent quan-tum cryptography with continuous variables. Phys. Rev.A , , 042332.[27] Lupo, C.; Ottaviani, C.; Papanastasiou, P.; Piran-dola, S. Continuous-variable measurement-device- inde-pendent quantum key distribution: Composable securityagainst coherent attacks. Phys. Rev. A , , 052327.[28] Chen, Z.; Zhang, Y.; Wang, G.; Li, Z.; Guo, H.Composable security analysis of continuous-variablemeasurement-device-independent quantum key distribu-tion with squeezed states for coherent attacks. Phys. Rev.A , , 012314.[29] Jouguet, P.; Kunz-Jacques, S.; Debuisschert, T.; Fos-sier, S.; Diamanti, E.; All´eaume, R.; Tualle-Brouri, R.;Grangier, P.; Leverrier, A.; Pache, P.; et al. Field testof classical symmetric encryption with continuous vari- ables quantum key distribution. Opt. Express , ,14030–14041.[30] Jouguet, P.; Kunz-Jacques, S.; Leverrier, A.; Grangier,P.; Diamanti, E. Experimental demonstration of long-distance continuous-variable quantum key distribution. Nat. Photon. , , 378–381.[31] Zhang, Y.; Li, Z.; Chen, Z.; Weedbrook, C.; Zhao, Y.;Wang, X.; Huang, Y.; Xu, C.; Zhang, X.; Wang, Z.;et al. Continuous-variable QKD over 50km commercialfiber. Quantum Sci. Technol. , , 035006.[32] Leverrier, A. Composable security proof for continuous-variable quantum key distribution with coherent states. Phys. Rev. Lett. , , 070501.[33] Leverrier, A. Security of continuous-variable quantumkey distribution via a Gaussian de Finetti reduction. Phys. Rev. Lett. , , 200501.[34] Christandl, M.; K¨onig, R.; Renner,R. Postselection tech-nique for quantum channels with applications to quan-tum cryptography. Phys. Rev. Lett. , , 020504.[35] Leverrier, A.; Garc´ıa-Patr´on, R.; Renner, R.; Cerf, N.J.Security of continuous-variable quantum key distributionagainst general attacks. Phys. Rev. Lett. , ,030502.[36] Furrer, F.; Franz, T.; Berta, M.; Leverrier, A.; Scholz,V.B.; Tomamichel, M.; Werner, R.F. Continuous variablequantum key distribution: finite-key analysis of compos-able security against coherent attacks. Phys. Rev. Lett. , , 100502.[37] Furrer, F. Reverse-reconciliation continuous-variablequantum key distribution based on the uncertainty prin-ciple. Phys. Rev. A , , 042325.[38] Gehring, T.; H¨andchen, V.; Duhme, J.; Furrer, F.; Franz,T.; Pacher, C.; Werner, R.F.; Schnabel. R. Implemen-tation of continuous-variable quantum key distributionwith composable and one-sided-device-independent secu-rity against coherent attacks. Nat. Commun. , ,8795.[39] Marangon, D.G.; Vallone,G.; Villoresi, P. Source-device-independent ultrafast quantum random number genera-tion. Phy. Rev. Lett. , , 060503. [40] Xu, B.; Chen, Z.; Li, Z.; Yang, J.; Su, Q.; Huang,W.; Zhang, Y.; Guo, H. High speed continuous vari-able source-independent quantum random number gen-eration. Quantum Sci. Technol. , , 025013.[41] Coles, P.J.; Berta, M.; Tomamichel, M.; Wehner, S. En-tropic uncertainty relations and their applications. Rev.Mod. Phys. , , 015002.[42] Ruppert, L.; Usenko, V.C.; Filip, R. Long-distancecontinuous-variable quantum key distribution with effi-cient channel estimation. Phys. Rev. A , , 062310.[43] Renner, R. Security of quantum key distribution. Ph.D.thesis, Swiss Federal Institute of Technology (ETH)Zurich, Zurich, Swiss, 2006.[44] M¨uller-Quade, J.; Renner, R. Composability in quantumcryptography. New J. Phys. , , 085006.[45] Carter, J.L.; Wegman, M.N. Universal classes of hashfunctions. J. Comput. Syst. Sci. , , 143.[46] Ghorai, S.; Diamanti, E.; Leverrier, A. Composable se-curity of two-way continuous-variable quantum key dis-tribution without active symmetrization. Phys. Rev. A , , 012311.[47] Kiukas, J.; Werner, R.F. Maximal violation of Bell in-equalities by position measurements. J. Math. Phys. , , 072105.[48] Serfling, R.J. Probability inequalities for the sum in sam-pling without replacement. Ann. Stat. , , 39.[49] Grosshans, F.; Cerf, N.J.; Wenger, J.; Tualle-Brouri, R.;Grangier, P. Virtual entanglement and reconciliation pro-tocols for quantum cryptography with continuous vari-ables. Quantum Inf. Comput. , , 535.[50] Sch¨onbeck, A.; Thies, F.; Schnabel, R. 13dB squeezedvacuum states at 1550nm from 12mW external pumppower at 775nm. Opt. Lett. , , 110.[51] Wang, X.; Zhang, Y.; Li, Z.; Xu, B.; Yu, S.; Guo, H.; Effi-cient rate-adaptive reconciliation for CV-QKD protocol. Quantum Inf. Comput. , , 1123.[52] Wang, X.; Zhang, Y.; Yu, S.; Guo, H. High speed errorcorrection for continuous-variable quantum key distribu-tion with multi-edge type LDPC code. Sci. Rep. ,8