QKD parameter estimation by two-universal hashing

This paper proposes and proves security of a QKD protocol which uses two-universal hashing instead of random sampling to estimate the number of bit flip and phase flip errors. This protocol dramatically outperforms previous QKD protocols for small block sizes. More generally, for the two-universal hashing QKD protocol, the difference between asymptotic and finite key rate decreases with the number $n$ of qubits as $cn^{-1}$, where $c$ depends on the security parameter. For comparison, the same difference decreases no faster than $c'n^{-1/3}$ for an optimized protocol that uses random sampling and has the same asymptotic rate, where $c'$ depends on the security parameter and the error rate.


Motivation
Quantum Key Distribution allows two users, Alice and Bob, to agree on a shared secret key using an authenticated classical channel and a completely insecure quantum channel. There are information theoretic security proofs for QKD protocols (for example [20,19,11,8,2,24,23] among many others). Quantum key distribution has also been realized experimentally and is commercially available. The rare combination of information theoretic security and practical achievability has attracted considerable attention to QKD.
A QKD protocol has several important parameters:
1. Block size: the number of pairs of qubits that Alice and Bob receive. Following [23, Part 1], this paper considers entanglement-based protocols and defines the block size as the number of qubits after sifting.
2. Output size: the number of bits of secret key that the protocol produces.
3. Key rate: the ratio of output size to block size. The higher the key rate, the more efficiently the protocol converts the available quantum resource into a secret key.
4. Security level: the distance of the output from an ideal secret key. The lower the security level, the better the guarantee that no future evolution of the protocol output and adversary registers will be able to distinguish between the output and an ideal key.
5. Robustness: the amount and type of noise that the protocol can tolerate without aborting. In particular, the QKD protocol should be able to tolerate at the very least the imperfections of whatever quantum channel and entanglement source are used to implement the protocol.
Existing QKD protocols and security proofs exhibit trade-offs between these parameters: improving the security or robustness of the protocol worsens the key rate. These trade-offs are particularly severe when the block size is small. The phenomenon that the key rate of a QKD protocol deteriorates significantly for small block sizes has been called finite size effect [16, Sections II-C and IX].
The finite size effect has practical consequences in cases when the distribution of entangled quantum states is particularly difficult. As an example, consider the problem of using QKD between users who are far apart on the surface of the earth. The Micius satellite experiment [26] tried to solve this problem by using a satellite to distribute entangled photon pairs to two ground stations that are 1120 km apart. However, sending entangled photon pairs from space to earth is difficult. In the Micius experiment, several nights of good weather had to pass until the ground stations accumulated sifted block size 3100. The error rate that the ground stations needed to tolerate was 4.51%. Reference [12] performed a state-of-the-art security analysis on this data, and concluded that security levels better than around $10^{-6}$ lead to no secret key at all, while at security level $10^{-6}$, only six bits of secret key are extracted. The output size and security level achieved in this example are not sufficient for cryptographic applications. This provides the motivation for the present paper. Are there QKD protocols and security proofs that achieve a combination of small block size with output size and security level sufficient for cryptographic applications?

Contributions
This paper presents the two-universal hashing QKD protocol and proves its security. The two-universal hashing QKD protocol is an entanglement based protocol with block size $n$ that can tolerate any combination of up to $r$ bit flip errors and up to $r$ phase flip errors, and at the end extract n − 2 nh(r/n) + 2 log 2 (1/ ) + 5 secret key bits that are close to an ideal secret key.
For small block sizes, the two-universal hashing QKD protocol dramatically outperforms protocols of the BBM92 type. To illustrate, consider again the security analysis developed in the sequence of papers [24,23,12] applied to the Micius satellite example.
1. Fix the tolerated error rate at 4.51%, the security level at $10^{-6}$ and the output size at 6 bits. The BBM92 type protocol with the security proof developed in [24,23,12] requires block size 3100. The two-universal hashing protocol requires block size 200.
2. Fix the block size at 3100 and fix the error rate at 4.51%. The BBM92 type protocol with the security proof developed in [24,23,12] can extract 6 secret key bits with security level $10^{-6}$. The two-universal hashing protocol can extract 385 secret key bits with security level $10^{-80}$.
The advantage of the two-universal hashing QKD protocol is particularly noticeable for small block sizes; however, it is not limited to them. For fixed error rate $\delta = r/n$ and fixed security parameter , the asymptotic rate of this protocol is $1 - 2h(\delta)$, and the deviation of finite from asymptotic rate is between (4 log 2 (1/ )+10)/n and (4 log 2 (1/ )+12)/n. By contrast, the deviation of finite from asymptotic key rate for the BBM92 type protocol with the security proof [24,23,12] is of the form $cn^{-1/3}$, where $c$ depends on the tolerated error rate and the security level. A discussion of the reasons for the difference in parameter trade-offs follows.
In the BBM92 type protocol, a random subset of $n_{pe}$ positions is measured and the outcomes are publicly compared. If the error rate on this subset is below some threshold $\delta$, then parameter estimation accepts and outputs the promise that the error rate on the remaining positions is at most $\delta + \nu$, where $\nu$ is the gap between observed and inferred error rate. The failure probability for parameter estimation scales roughly as $\exp(-4 n_{pe} \nu^2)$. To get a sense of this scaling, suppose that the target failure probability is $e^{-100}$ and that the target gap is $\nu = 0.01$. Then, $n_{pe}$ has to be chosen to be 250000, clearly orders of magnitude more than can be afforded for block sizes around 1000 or 10000. Now, consider the rest of the protocol. Information reconciliation and privacy amplification have to operate with the promise that the error rate is at most $\delta + \nu$. Thus, to extract a secret key, information reconciliation and privacy amplification have to sacrifice a substantial number of positions beyond the initial $n_{pe}$ sacrificed for parameter estimation.
By contrast, in the two-universal hashing protocol, $2k$ ebits are sacrificed for parameter estimation. If the test passes, then Alice and Bob know that the post-parameter-estimation state is a particular Bell state of $n - 2k$ ebits; thus, Alice and Bob do not need to sacrifice any further ebits for information reconciliation and privacy amplification. Moreover, the scaling of the failure probability for parameter estimation with the number of sacrificed ebits does not have the $\nu^2$ coefficient in front of the number of sacrificed ebits.

Related work
The present paper builds on a number of previous ideas.
In classical information theory, random linear functions have been used to obtain ensembles of error correcting codes since the 1950s: see for example [9,Section 2.1] where the idea was attributed to Elias [7]. Random linear functions are also a special case of two-universal hash functions and can be used to authenticate classical messages [6]. Further, [3,Theorem 6], [19,Section 6.3.2] observed that two-universal hash functions can be used to achieve information reconciliation with minimum leakage.
In quantum information theory, [1] used a variant of linear two-universal hash functions to perform entanglement purification. [13] applied the technique of [1] to construct an LOCC protocol by which Alice and Bob can verify that a state they received from the adversary was in fact n perfect EPR pairs. [20] observed that when parameter estimation has already been performed by random sampling, arguments related to quantum CSS codes [5,21] can be used to prove security of a QKD protocol. [11] presented an interesting generalization of the proof technique of [20] that works also in the case of imperfect devices. [2] translated the guarantees of classical random sampling to the quantum case and used this to obtain a QKD security proof. [24,8] focused on the performance of QKD for small block sizes, and optimized their protocols by using random sampling to estimate the number of errors in only one of the measurement bases, while using a two-universal hash in the information reconciliation phase to ensure correctness. [23] developed the proof idea of [24] with much greater mathematical rigour. [12] proved a better random sampling tail bound and thus obtained better parameter trade-offs than [23].
From the references above, closest to the present paper is [13]. The current paper develops further the ideas in [13] in the following ways:
1. Some mathematical details in the proof of [13] were skipped, and other details were entrusted to the papers on stabilizer codes and entanglement purification. Further, [13] did not discuss composable security and did not give any explicit bounds on the achievable parameters for specific finite block sizes. The present paper gives a detailed, rigorous and self-contained proof of composable security, and gives explicit formulas for the achievable parameters at any finite block size.
2. [13] proposed a QKD protocol that employed full error correction with a stabilizer error correcting code, followed by their verification subroutine; thus the quantum phase of their protocol required the ability to implement stabilizer error correcting codes. The present paper relies on quantum CSS codes to simplify the quantum phase of the protocol as much as possible.

Structure of the paper
The rest of this paper is structured as follows: Section 2 introduces material that is needed to present and prove the security of the two-universal hashing QKD protocol, including the security and robustness criteria for QKD protocols, a number of useful lemmas related to the stabilizer formalism, and a number of useful lemmas about two-universal hashing and random matrices over the field with two elements. Section 3 presents the two-universal hashing QKD protocol and shows that it is secure and robust. Section 4 shows that for fixed security level and tolerated error rate, the finite key rate converges to the asymptotic rate as $cn^{-1}$ for two-universal hashing and as $c'n^{-1/3}$ for the BBM92 protocol with the security proof developed in [24,23,12]. Section 5 concludes and gives some open problems.

Preliminaries
This section presents definitions and results that are used to state and prove the main result on the security and robustness of the two-universal hashing protocol. Subsection 2.1 recalls the standard security criterion for QKD. Then, subsection 2.2 contains a number of lemmas related to the stabilizer formalism; these are used during the security proof. Finally, subsection 2.3 contains lemmas related to two-universal hashing. Subsection 2.3 also discusses an application of two-universal hashing to approximately compute certain functions from partial information about the input; this is used during the security proof.

Security and robustness of quantum key distribution
This section recalls the security and robustness criteria from [19] that ensure that the key produced by QKD can be used in any application. See [18] for a proof of the equivalence of this security criterion and security in the Abstract Cryptography framework for composable security.
As is common in the QKD literature, this paper assumes that the adversary Eve is active in the quantum phase of the protocol but remains passive during the classical phase, i.e. Eve eavesdrops on the classical communication but does not attempt to modify or block it. Under this assumption, an entanglement-based QKD protocol is a completely positive trace preserving map that transforms input states $\rho_{ABE}$ of Alice, Bob and Eve into output states $\tilde\rho_{W_A W_B CE}$, where $W_A, W_B$ are registers containing Alice's and Bob's output: a secret key or the indication $\bot$ of protocol abort, and where $C$ is a register containing a transcript of the classical communication between Alice and Bob.
Since registers $W_A, W_B$ contain classical values, the final state $\tilde\rho_{W_A W_B CE}$ can be decomposed as $\tilde\rho$ This decomposition is used to formulate the definition of security: where $|W|$ denotes the size of the secret key space.
Alternatively, -security can be further subdivided into requirements for secrecy and correctness:

Definition 2.
A QKD protocol is correct if for all input states ρ ABE , the probability that Alice and Bob accept and output different keys is bounded by .
The following lemma establishes the relation between security and correctness plus secrecy:

Lemma 1. If a QKD protocol is secure, then it is correct and Alice's key is secret. Conversely, if the protocol is correct and Alice's key is δ secret, then the protocol is
Proof. The forward direction follows from monotonicity of the trace distance and its interpretation as distinguishing advantage. The reverse direction follows by considering the hybrid state and the triangle inequality.
Next, note that in the standard definition of QKD security (Definition 1) the ideal state, beyond being close to the real state, satisfies the following additional conditions:
1. The probabilities of accepting and rejecting are the same for the real and ideal state.
2. The real and ideal state differ only in the accept case.
3. The sub-normalized reduced density matrix of registers $C, E$ in the accept case is equal to $\tilde\rho_{CE} - \tilde\rho_{CE}(\bot)$ for both the real and the ideal state.
Now, suppose an ideal state is found that is close to the real state, but which does not necessarily satisfy these additional conditions. This suffices to demonstrate security: Then, the protocol is 2 secure.
Proof. By assumption, From the triangle inequality it follows that The lemma then follows by another application of the triangle inequality.
Finally, note that a protocol that always aborts is secure, but not useful. For a useful QKD protocol, the probability of acceptance is bounded below by 1 − δ for some δ ∈ (0, 1) on a suitable class of input states. In the present paper, robustness of the two-universal hashing protocol is shown by giving explicit bounds on the probability of acceptance as a function of the input state.

The Pauli group and the Bell basis
This section presents a number of useful lemmas related to the stabilizer formalism [10,4].
Denote the Pauli matrices by Let $F_2$ denote the field with two elements, $F_2^n$ the $n$-dimensional vector space over this field, and $F_2^{n \times m}$ the space of $n$ by $m$ matrices over $F_2$. For a row vector $u \in F_2^{1 \times n}$, denote The Pauli group on $n$ qubits is Matrix multiplication of elements of $G_n$ can be performed in terms of $u, v, \omega$: This also shows that the map $F : G_n \to F_2^{1 \times 2n}$ given by is a group homomorphism. Any element of the Pauli group squares to either $I$ or $-I$; any two elements $g, g'$ of the Pauli group satisfy $gg' = (-1)^{F(g) S F(g')^T} g' g$ (14) where $S \in F_2^{2n \times 2n}$ is the matrix with block form Say that a tuple of elements of the Pauli group are linearly independent. Given such an independent tuple and given any $x \in F_2^m$, it is possible to find $g \in G_n$ such that by solving the corresponding linear system of equations over $F_2$. A tuple of independent commuting self-adjoint elements of the Pauli group $\vec g = (g_1, \ldots, g_m)^T$ defines a projective measurement on its joint eigenspaces. The measurement outcomes can be indexed by $x \in F_2^m$ and the corresponding projections are given by The projections $P(\vec g, x)$ form a complete set of orthogonal projections. The elements of the Pauli group map these projections to each other under conjugation, as can be seen from Lemma 3 below. Therefore, the projections $P(\vec g, x)$ all have the same rank $2^{n-m}$.
Now, take a tuple $\vec g$ of $m$ independent commuting self-adjoint elements, take $k \le m$ and take a full rank matrix $L \in F_2^{k \times m}$. The matrix $L$ transforms the tuple $\vec g$ to the $k$-tuple The tuple $L\vec g$ also consists of independent commuting self-adjoint elements. The transformation of $\vec g$ to $L\vec g$ satisfies $M(L\vec g) = (ML)\vec g$ (23) for any $\vec g, L, M$ of compatible size. The matrix $F(L\vec g)$ can be expressed in terms of the matrix $F(\vec g)$: The measurement projections of $L\vec g$ can be expressed in terms of the measurement projections of $\vec g$.
Then, for any $x \in F_2^m$ such that $Lx = y$, $P(L\vec g, y) P(\vec g, x) = P(\vec g, x)$ holds. Since $\{P(\vec g, x) : Lx = y\}$ is a collection of $2^{m-k}$ orthogonal projections of rank $2^{n-m}$ and since $P(L\vec g, y)$ has rank $2^{n-k}$, the lemma follows.
The maximally entangled state in $\mathbb{C}^{2^n} \otimes \mathbb{C}^{2^n}$ is The collection is the Bell basis of $\mathbb{C}^{2^n} \otimes \mathbb{C}^{2^n}$. First, the maximally entangled state has the properties: Proof. Follows by expanding $M$ in the computational basis.
Pauli group measurements acting on Bell basis states satisfy the following: Lemma 6. For all tuples $\vec g$ of independent self-adjoint commuting elements of $G_n$ such that the associated projections $P(\vec g, x)$ have only real entries when expressed as matrices in the computational basis, for all $\alpha, \beta \in F_2^n$, for all $x, y \in F_2^m$, where for an expression that takes the values true or false, $1(\text{expression})$ takes the corresponding values 1 or 0.

Proof. Follows from Lemma 3 and the relation
The QKD security proof also uses the following lemma. It gives two equivalent expressions for the projection on the subspace of $\mathbb{C}^{2^n} \otimes \mathbb{C}^{2^n}$ that corresponds to a specific pattern of bit flip errors or a specific pattern of phase flip errors.
The first relation of Lemma 7 now follows from and Lemma 4. The second relation follows similarly.

Approximately computing certain functions from only a two-universal hash of the input
Take any subset $S \subset F_2^n$. Consider the function $f_S : F_2^n \to S \cup \{\bot\}$ given by If $\alpha$ specifies errors, then $f_S$ computes whether $\alpha$ belongs to a set $S$ of acceptable errors; if so it outputs the entire string $\alpha$, and otherwise it outputs an error message. It is very convenient to have functions of this form when constructing QKD protocols and security proofs. It turns out that it is possible to approximately compute $f_S(\alpha)$ given only a two-universal hash of the input. Recall [6,25]: implies the event The union bound and Definition 4 give The remainder of this section specializes Theorem 1 to the case that the family $H$ is a family of matrices over $F_2$, and the set $S$ is a Hamming ball.
First, consider the following useful lemmas about random matrices over the field with two elements.
Recall a property of random linear functions: , and take any fixed $x$ by omitting the $i$-th column and $i$-th entry respectively. Now, $L_i$ is uniform over $F_2^k$ and independent from $L_{-i}$, so $Lx$ is also uniform over $F_2^k$.
Thus, for all $y \neq z \in F_2^n$, $\Pr_L(Ly = Lz) = 2^{-k}$, so random linear functions are two-universal. Later on, it will be more convenient to select matrices not from all of $F_2^{k \times n}$, but from the subset consisting of those matrices of rank $k$. This subset also satisfies the two-universal condition, as the following two lemmas show.
completing the proof of Lemma 10.
Interestingly, the collision probability bound $\frac{2^{n-k} - 1}{2^n - 1}$ achieved by the full rank matrices is the lowest possible for a two-universal family $F_2^n \to F_2^k$. This follows from a slight strengthening of [6, Proposition 1]:

Lemma 11. For every family H (not necessarily two-universal) of functions from finite set
Proof. Follow the same proof as [6] until the point where they apply the pigeonhole principle. At that point, observe that the number of non-zero terms in the sum is not only less than $|X|^2$, as they say there, but is in fact at most $|X|(|X| - 1)$. In more detail, for $h \in H$, $x, x' \in X$, define For every $h \in H$ partition $X = \bigcup_{y \in Y} h^{-1}(y)$, then observe that by the quadratic mean-arithmetic mean inequality. Now, sum over $h \in H$: Later results will also use the fact that a row submatrix of a random invertible matrix has the uniform distribution over full rank matrices: Thus, $L_S$ is uniform over the full rank matrices in $F_2^{k \times n}$.
Applying Theorem 1 when the set $S$ is a Hamming ball requires a bound on the size of Hamming balls. For $x, y \in F_2^n$, let $d_H(x, y) = |\{i : x_i \neq y_i\}|$ denote the Hamming distance between them. Let $B_n(x, r)$ denote the Hamming ball of radius $r$ around $x$. Then:
Lemma 13. For all $n, r \in \mathbb{N}$ such that $2r \le n$, for all $x \in F_2^n$, $|B_n(x, r)| < 2^{nh(r/n)}$.
Proof.

The two-universal hashing QKD protocol and its security
Consider the following family $\pi(n, k, r)$ of entanglement-based QKD protocols, parameterized by $n, k, r \in \mathbb{N}$. The interpretation of the parameters is the following: $n$ is the number of qubits that each of Alice and Bob receive, $k$ is the size of each of their syndrome measurements and $n - 2k$ is the size of their output secret key, and $r$ is the maximum number of bit flip or phase flip errors on which the protocol does not abort. The protocols output a secret key with security guarantees when $2nh(r/n) < 2k < n$. It will be clear throughout that the sizes of the two syndrome measurements can vary independently, and so can the maximum numbers of tolerated bit flip and phase flip errors, but that would lead to overly complex notation, with five parameters $n, k, k', r, r'$, so it is not pursued explicitly below.
1. Alice and Bob each receive an $n$ qubit state from Eve, and they inform each other that the states have been received.
3. Alice applies the isometry $\sum_z |z, L_1 z\rangle_{AU_A} \langle z|_A$ and Bob applies the isometry z |z,

Alice and
This can be done by preparing $k$ ancilla qubits in state $|0\rangle$ and applying a CNOT gate for each entry $L_1(i, j)$ that equals 1.

Alice and Bob discard registers
9. If neither of $s, t$ is $\bot$, then Alice takes $w_A$ to be the output secret key, and Bob takes $w_B + M_3 t$ to be the output secret key.
As is usual in the literature on QKD, the protocol assumes that classical communication takes place over an authenticated channel. Unconditionally secure message authentication with composable security in the Abstract Cryptography framework can be obtained from a short secret key [17], or using an advantage in channel noise [15].
If it is desired that the classical communication be minimized, then the following exchange of messages suffices: Bob confirms to Alice that he has received the qubits, Alice sends $L, u_A, v_A$ to Bob, and Bob informs Alice whether neither of $s, t$ is $\bot$. However, the initial formulation above better emphasizes the symmetry of the protocol, and makes clear that it is not important to keep the values $u_B, v_B, s, t$ secret.
The following theorem establishes the security and robustness of the protocols π(n, k, r).
Theorem 2. Take any $n, k, r \in \mathbb{N}$ such that $2nh(r/n) < 2k < n$. Then, the protocol $\pi(n, k, r)$ is $2^{-k/2 + nh(r/n)/2 + 5/2}$ secure. Moreover, for any input state $\rho_{AB}$, the probability that $\pi(n, k, r)$ accepts on input $\rho_{AB}$ is $2^{-k/2 + nh(r/n)/2 + 3/2}$ close to $\mathrm{Tr}(\Pi_{n,r} \rho_{AB} \Pi_{n,r})$, where $\Pi_{n,r}$ is the projection on the subspace of systems $AB$ spanned by the Bell states with at most $r$ bit flip and at most $r$ phase flip errors.

Proof of Theorem 2
The main idea of the proof of Theorem 2 is that the real values $g_{B_n(0,r)}(L_1, u_A + u_B)$ and $g_{B_n(0,r)}(M_2, v_A + v_B)$ computed during the protocol can be replaced by the corresponding ideal values $f_{B_n(0,r)}(\alpha)$, $f_{B_n(0,r)}(\beta)$. From now on, use shorthand notation and skip the subscript $B_n(0, r)$, thus writing $f$ for $f_{B_n(0,r)}$ and $g$ for $g_{B_n(0,r)}$.
The steps of the proof of Theorem 2 are the propositions below. Start by writing the action of the protocol as an isometry followed by a partial trace.

S, T and the quantum register of Eve equals T r ABL S T U
is a purification of the choice of random matrix L, where is an isometry that captures the measurement through which Alice and Bob obtain the values u A = L 1 z A and u B = L 1 z B as well as the subsequent computation of the value s = g(L 1 ,

is an isometry that captures the measurement through which Alice and Bob obtain the values w
Proof. Recall the Stinespring dilation theorem [22]. Systematically express each step of the protocol as an isometry followed by a partial trace. The step in which Alice and Bob choose the random matrix L can be expressed as preparing the purification |L LL and then taking T r L .
The steps in which Alice and Bob apply the isometry, then measure registers $U_A, U_B$ in the computational basis, discarding the post-measurement state and keeping only the outcome, then compute the value $s$, can be expressed by the isometry $U_{real}$ followed by $\mathrm{Tr}_{S U_A U_B}$. The steps in which Alice and Bob measure the qubits in $A, B$ in the $|+\rangle, |-\rangle$ basis obtaining $x_A, x_B$, then compute $v_A, v_B, w_A, w_B, t$, then discard the post-measurement state of the qubits in $A, B$ and the outcomes $x_A, x_B$, can be expressed by the product of isometries $W V_{real}$ followed by Finally, note that all the partial trace operations can be commuted to the end.
Next, note that $U_{real}$ can be approximated by an ideal isometry followed by a simulator isometry.

This isometry captures the measurement through which Alice and Bob obtain the values u
Proof. Simplify: Therefore, Now, apply Lemma 7: Now, the marginal distribution of $L_1$ is uniform over the rank $k$ matrices in $F_2^{k \times n}$ because $L$ is selected uniformly among invertible matrices in $F_2^{n \times n}$ (Lemma 12). Complete the proof of Proposition 2 by applying Corollary 1.
Next, perform the same approximation for $V_{real}$.
This ideal isometry computes whether the number of phase flip errors is acceptable and if so it computes the entire string of phase flip error positions. Let

This isometry captures the measurement through which Alice and Bob obtain the values v
Then: Proof. As in the proof of Proposition 2, use Lemma 7 to compute , so Lemma 12 and Corollary 1 complete the proof.
Next, observe that: Proof. Rewrite: where the last step uses Lemma 4 and the notation of Section 2.2 for the tuple $\vec\sigma_3$ of single qubit $\sigma_3$ operations.
Similarly, rewrite where $\vec\sigma_1$ is the tuple of single qubit $\sigma_1$ operations. Proposition 4 now follows by observing that the elements of the two tuples $L_1(\vec\sigma_3)$ and $M_2(\vec\sigma_1)$ commute and therefore for all $u, v$, the corresponding projections $P(L_1(\vec\sigma_3), u)$ and $P(M_2(\vec\sigma_1), v)$ also commute.
Next, use Propositions 1, 2, 3, 4 to construct an ideal transformation that approximates $E_{real}$: Proposition 5. Let $E_{ideal}$ be the transformation that prepares $|L\rangle$, then applies the isometries $U_{ideal}, V_{ideal}, V_{simulator}, U_{simulator}, W$, and finally applies $\mathrm{Tr}_{ABLSTU_A U_B V_A V_B W_A W_B}$. Then, the diamond distance of $E_{real}$ and $E_{ideal}$ is at most $2^{-k/2 + nh(r/n)/2 + 3/2}$.
Proof. Take any input state $\rho_{ABE}$ and purify it to $|\phi\rangle_{ABEE'}$. From Proposition 2 deduce that the fidelity of $V_{real} U_{simulator} U_{ideal} |\phi\rangle |L\rangle$ and $V_{real} U_{real} |\phi\rangle |L\rangle$ is at least $1 - 2^{-k + nh(r/n)}$. Using the relation of fidelity and trace distance for pure states [14, Equation 9.99], the trace distance between these two states is Next, from Proposition 4 deduce Next, from Proposition 3 deduce that the fidelity of is at least $1 - 2^{-k + nh(r/n)}$, so the trace distance between them is at most $2^{-k/2 + nh(r/n)/2 + 1/2}$. Finally, from Proposition 1, the triangle inequality and monotonicity of the trace distance deduce that the trace distance between $E_{real}(\rho)$ and $E_{ideal}(\rho)$ is at most $2^{-k/2 + nh(r/n)/2 + 3/2}$.
Next, compute the output state of $E_{ideal}$: and such that at least one of $S, T$ contains $\bot$ and such that Proof. Simplify: Also, using the notation of Section 2.2, the observation that the elements of the three tuples $L_1 \vec\sigma_3$, $M_2 \vec\sigma_1$, $M_3 \vec\sigma_1$ are independent and commute, and Lemma 4. Next, use Lemma 6 to deduce that Next, break this up into a sum of two sub-normalized vectors $|\tau_{accept}\rangle$ and $|\tau_{reject}\rangle$, where $|\tau_{accept}\rangle$ contains those terms of the sum with $\alpha, \beta \in B_n(0, r)$ and $|\tau_{reject}\rangle$ contains all other terms of the sum. Note that $\mathrm{Tr}_{ST} |\tau_{accept}\rangle\langle\tau_{reject}| = 0$ and deduce Finally, simplify and use Lemma 5 to deduce that which completes the proof.

Comparison with previous work
The introduction illustrated the advantage of two-universal hashing over random sampling using specific examples. This section reveals the general pattern behind the examples in the introduction. To study the advantage of the two-universal hashing protocol for all block sizes, fix values for the tolerated error rate and security level, and consider key rate as a function of block size. How fast does key rate converge to the asymptotic value as block size goes to infinity? Subsection 4.1 gives the rate of convergence for the two-universal hashing protocol. Subsection 4.2 gives a bound on the rate of convergence of the random sampling protocol.

Key rate of the two-universal hashing protocols π(n, k, r)
Given $n$ qubits per side, the target to tolerate $\delta n$ bit flip and $\delta n$ phase flip errors, and a target security parameter , it suffices to choose k = nh(δ) + 2 log 2 (1/ ) + 5 . The key rate $1 - 2k/n$ then satisfies: Therefore, the rate of convergence of the finite to the asymptotic rate is of the form $cn^{-1}$.
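As an added worked example (not code from the paper), the following Python evaluates the choice of $k$ above for a given block size, tolerated error count and security parameter, and checks that the resulting deviation of the finite from the asymptotic key rate lies between (4 log2(1/eps)+10)/n and (4 log2(1/eps)+12)/n, the interval stated in the introduction. Here `eps` names the security parameter, and rounding $k$ up to an integer is the reading assumed in this example, since that rounding is what produces a two-sided bound of width $2/n$. The block also recomputes the security level from Theorem 2 and the condition $2nh(r/n) < 2k < n$ under which the theorem applies. The inputs in the `__main__` section are constructed: block size 3100 with $r = 139$ (so $r/n \approx 4.48\%$) is only modelled on the Micius figures from the introduction, and the other cases are illustrative.

```python
import math


def binary_entropy(p):
    """h(p), the binary entropy in bits."""
    if p in (0, 1):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def syndrome_size(n, r, eps):
    """k from the key-rate discussion: n h(r/n) + 2 log2(1/eps) + 5, rounded up to an
    integer (the rounding is the reading assumed here; eps is the security parameter)."""
    return math.ceil(n * binary_entropy(r / n) + 2 * math.log2(1 / eps) + 5)


def valid_parameters(n, k, r):
    """The condition 2 n h(r/n) < 2k < n under which Theorem 2 applies."""
    return 2 * n * binary_entropy(r / n) < 2 * k < n


def security_level(n, k, r):
    """Theorem 2: pi(n, k, r) is 2^(-k/2 + n h(r/n)/2 + 5/2) secure."""
    return 2 ** (-k / 2 + n * binary_entropy(r / n) / 2 + 5 / 2)


def key_length(n, r, eps):
    """Output size n - 2k of pi(n, k, r) with k chosen by syndrome_size."""
    return n - 2 * syndrome_size(n, r, eps)


def finite_rate(n, r, eps):
    """Key rate (n - 2k)/n at block size n."""
    return key_length(n, r, eps) / n


def asymptotic_rate(delta):
    """1 - 2 h(delta), the limit of the finite rate at fixed error rate delta."""
    return 1 - 2 * binary_entropy(delta)


def rate_deviation(n, r, eps):
    """Asymptotic rate at delta = r/n minus the finite rate; this is 2k/n - 2h(r/n)."""
    return asymptotic_rate(r / n) - finite_rate(n, r, eps)


def deviation_bounds(n, eps):
    """The interval [(4 log2(1/eps) + 10)/n, (4 log2(1/eps) + 12)/n) from the introduction:
    the ceiling adds between 0 and 1 to k, hence between 0 and 2/n to the deviation."""
    c = 4 * math.log2(1 / eps)
    return (c + 10) / n, (c + 12) / n


if __name__ == "__main__":
    # Constructed inputs; see the lead-in. Each line prints k, key length, validity of
    # Theorem 2's condition, the resulting security level and the rate deviation.
    for n, r, eps in [(200, 9, 1e-6), (3100, 139, 1e-6), (3100, 139, 1e-80), (10 ** 5, 4510, 1e-80)]:
        k = syndrome_size(n, r, eps)
        lo, hi = deviation_bounds(n, eps)
        print(f"n={n:>6} r={r:>4} eps={eps:g}: k={k}, key bits={key_length(n, r, eps)}, "
              f"valid={valid_parameters(n, k, r)}, security={security_level(n, k, r):.2e}, "
              f"deviation={rate_deviation(n, r, eps):.4f} in [{lo:.4f}, {hi:.4f})")
```

Because `syndrome_size` takes the ceiling, `security_level(n, k, r)` never exceeds `eps`, and the deviation always lands in the half-open interval returned by `deviation_bounds`; the printed key lengths for the 3100-qubit cases are this example's own arithmetic, not the figures quoted in the introduction.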

Key rate of the random sampling protocols
The sequence of works [24,23,12] develops QKD protocols and security proofs optimized for the finite key regime. The current evolution of the entanglement-based protocol can be found in [23, Section 3]; the difference between [12] and [23] is only in the random sampling tail bound that is used. For comparison with the present work we take only the case of perfect measurements in the rectilinear and diagonal basis. A summary of the protocol in this case is as follows:
1. Eve prepares a state of $2n$ qubits and sends $n$ to Alice and $n$ to Bob.
2. Alice and Bob agree on a uniformly random choice of either the rectilinear or the diagonal basis measurement for each pair of qubits.
3. Alice and Bob select a uniformly random subset of $n_{pe}$ positions to serve for parameter estimation, leaving the remaining $n_{rk} = n - n_{pe}$ to serve as the raw key.
4. Alice and Bob compare their outcomes on the parameter estimation positions. If the error rate on these positions exceeds a threshold δ, Alice and Bob abort.
5. Alice sends a syndrome of her raw key to Bob, and a two-universal hash of her raw key to Bob. Bob uses the syndrome to correct his raw key, and uses the hash to verify that the correction was successful. For simplicity, take the combined length of syndrome and hash to be the theoretical minimum n rk h(δ) − log 2 ( ec ), where ec is the desired bound on the probability that the hash test passes but Bob's corrected raw key does not match Alice's.
6. Alice and Bob compress their raw keys to shorter output keys of length $n_{out}$ using a two-universal family of hash functions.
The security qkd of these protocols can be written in the form where ec is the desired bound on the correctness of the protocol, where is a bound on the secrecy of the protocol, and where comes from a tail bound for random sampling. The precise form of the function pe (ν, ξ) is given in [12, Lemma 2] and satisfies the equation For the purpose of this section, consider the following lower bound on pe (ν): Lemma 14. Suppose $n_{rk} \ge n/2$. Then, Proof. Take any $\xi \in (0, \nu)$. Note that and therefore $\exp\left(-\frac{2n\, n_{pe}\, \xi^2}{n_{rk} + 1}\right) \ge \exp\left(-4 n_{pe} \nu^2\right)$. The lemma follows.

Conclusion and open problems
The present paper has proposed and proved security of a QKD protocol that uses two-universal hashing instead of random sampling to perform parameter estimation. This protocol dramatically outperforms previous QKD protocols for small block sizes. This provides a new approach in QKD use cases such as the Micius satellite example, where the difficulty of accumulating a large enough block size makes the BBM92 protocol impractical. The quantum phase of the two-universal hashing protocol is also impractical with current technology. However, it appears easier to make a moderate advance in ground stations and a moderate advance in the transmission of entangled photon pairs from space to earth, rather than to put the entire burden on only one of these approaches.
The first group of open problems is related to the quantum phase of the two-universal hashing protocol. On the theoretical side, what are the fundamental trade-offs between the complexity of the quantum phase of a QKD protocol and its performance? Can good performance be achieved using a simpler quantum phase than the two-universal hashing protocol? Further, can QKD hardware be developed capable of more than just single qubit measurements?
Second, the algorithm given in Section 2.3 for computing the function $g_{B_n(0,r)}$ is not efficient. This leads to the following open problem: is there a probability distribution over CSS codes, such that the marginal distributions of the two parity check matrices satisfy a two-universal hashing condition with some good collision probability bound, and such that each of the two parity check matrices has additional structure that allows efficient computation of $g_{B_n(0,r)}$ during the protocol? There is a long history in information theory of approximating the performance of random codes with brute force decoding by more structured codes with efficient decoding, so there is reason to hope that the same can be done in the present case.
Third, the arguments in the present paper are for the case where Alice and Bob can apply perfect quantum operations. It thus remains an open problem to generalize the present security proof to the case of imperfect devices.