Refined finite-size analysis of binary-modulation continuous-variable quantum key distribution

Recent studies showed the finite-size security of binary-modulation CV-QKD protocols against general attacks. However, they gave poor key-rate scaling against transmission distance. Here, we extend the security proof based on complementarity, which is used in the discrete-variable QKD, to the previously developed binary-modulation CV-QKD protocols with the reverse reconciliation under the finite-size regime and obtain large improvements in the key rates. Notably, the key rate in the asymptotic limit scales linearly against the attenuation rate, which is known to be optimal scaling but is not achieved in previous finite-size analyses. This refined security approach may offer full-fledged security proofs for other discrete-modulation CV-QKD protocols.


Introduction
Quantum key distribution (QKD) [1] enables two remote parties to share identical random secret bits that are secure against arbitrary eavesdropping allowed under the law of quantum mechanics.Using the one-time pad [2] with random secret bits shared by the QKD, we can realize the information-theoretic security for bipartite communication.Nowadays, there is increasing interest in implementing QKD in the real world.Among other things, continuous-variable (CV) QKD [3,4,5,6,7,8,9] has the advantages of low-cost implementation and high bit rates at short distances.Furthermore, it is relatively easy to multiplex several QKD channels via wavelength division multiplexing and co-propagate them with the classical telecommunication because homodyne and heterodyne detectors used in CV-QKD protocols do not require a low-temperature environment and have good wavelength selectivity.The (single-)photon detectors used in discrete-variable (DV) QKD, on the other hand, typically require a low-temperature environment for stable operation and a high-quality frequency filter for the wavelength division multiplexing.
The main problem with CV-QKD protocols is the difficulty in establishing a complete security proof.Compared to the DV-QKD protocols, most of which have complete security proofs even in the finite-size regime, almost all the CV-QKD protocols only have asymptotic security proofs [10,11,12,13,14,15,16,17,18,19,20] or security proofs against collective attacks [21,22,23,24,25,26,27].There are, however, some results for the composable finite-size security against general attacks.One is for the protocol using the two-mode squeezed vacuum state [28,29,30], whose security proof is based on the entropic uncertainty relation in the infinite dimensional systems [31].Unfortunately, this protocol is difficult to implement and has a key-rate that scales poorly as transmission distance grows.Another is for the U (N )-symmetric protocol that uses coherent states with their complex amplitudes modulated according to a Gaussian distribution [32,22,33]."Failure" with probability 1 − suc 2  − suc − 2 Figure 1: Setups of the protocols.In both protocols, the sender Alice modulates the optical phase of a laser pulse prepared in a coherent state |µ⟩ with 0 or π according to her random bit â = 0 or 1.(a) "Homodyne protocol", which is similar to the protocol proposed in Ref. [40].In this protocol, the receiver Bob randomly switches three types of measurements according to probabilities psig, ptest, and p trash , respectively.In "Signal", Bob performs homodyne measurement and obtains the outcome x ∈ R.Then, he obtains b ∈ {0, 1} with probability fsuc (−1) b x , respectively, or announces "Failure" with probability 1 − fsuc(x) − fsuc(−x).In "Test", Bob performs heterodyne measurement and obtains the outcome ω ∈ C.Then, he computes Λm,r |ω − (−1) â| 2 with Alice's bit â announced.In "Trash", Bob discards the received optical pulse and produces no outcome.(b) "Heterodyne protocol", which is similar to the protocol proposed in Ref. [41].In this protocol, the receiver Bob performs heterodyne measurement, obtains the outcome ω, and randomly switches three types of postprocessings according to probabilities psig, ptest, and p trash , respectively.In "Signal", Bob defines x = ℜ[ω] and follows the same procedure of obtaining the bit b or "Failure" as in Homodyne protocol.In "Test", Bob follows the same procedure of computing Λm,r |ω − (−1) â| 2 as in Homodyne protocol.In "Trash", Bob discards the outcome ω.

Security proof
In this section, we define two binary-modulation CV-QKD protocols that are closely related to the ones proposed in Refs.[40,41], and present their security proofs based on the reverse reconciliation.
The definition of the (composable) security is the same as that in Ref. [40] and given in Appendix A.

Definition of the protocol
The setups of the protocols are illustrated in Fig. 1.In the following, a random number is denoted with a hat such as •.For the places where the slash "/" is used, one can adopt either its left-hand side or right-hand side depending on which of "Homodyne protocol" or "Heterodyne protocol" defined in Fig. 1 one chooses.Note that Homodyne protocol is the same as the protocol proposed in Ref. [40] except for the definition of f suc (x) as well as the way of bit error correction, and Heterodyne protocol is the same as the protocol proposed in Ref. [41] except for the additional trash round as well as the way of bit error correction.
Prior to the protocol, Alice and Bob determine the number N of total rounds, the acceptance probability function f suc (x) (x ∈ R) of the homodyne/heterodyne measurement satisfying f suc (x) + f suc (−x) ≤ 1, an odd integer m and a real r for the test function Λ m,r (ν) := e −rν (1 + r)L (1) m ((1 + r)ν) with L (1) m being the associated Laguerre polynomial [40], and the protocol parameters (µ, p sig , p test , p trash , β, s, κ, γ) satisfying p sig + p test + p trash = 1 and β < √ µ, where all the parameters are positive.Alice and Bob then run the protocol described in Box 1, where the outcome x ∈ R of a homodyne measurement and the outcome ω ∈ C of a heterodyne measurement shall be normalized such that their variances are ⟨(∆x for the vacuum.Unless aborted or N suc = 0, the protocol generates a shared final key of length where ⌈•⌉ is the ceiling function, h(x) is the binary entropy function defined as and the function U ( F , N trash ) will be specified later.

Box 1: Actual protocol
1.For each of the N rounds, Alice generates a random bit â ∈ {0, 1} and sends an optical pulse C in a coherent state with amplitude (−1) â√ µ to Bob. Bob receives an optical pulse C for each round.
2. For the received pulse C in each round, Bob chooses a label from {signal, test, trash} with probabilities p sig , p test , and p trash , respectively, and announces it.According to the label, Alice and Bob do one of the following procedures.
[signal] Bob performs a homodyne/heterodyne measurement on the received optical pulse C and obtains an outcome x ∈ R. (For the heterodyne measurement, x is defined as the real part of the outcome ω ∈ C.) Bob defines a sifted-key bit b as b = 0 with a probability f suc (x) and b = 1 with a probability f suc (−x).When Bob has defined his sifted key bit, he announces "success", and otherwise, he announces "failure".In the case of a success, Alice (resp.Bob) records a bit â ( b).
[test] Bob performs a heterodyne measurement on the received optical pulse C and obtains an outcome ω.Alice announces her bit a. Bob calculates the value of Λ m,r (|ω − (−1) âβ| 2 ).
[trash] Alice and Bob produce no outcomes.
3. We refer to the numbers of "success" and "failure" signal rounds, test rounds, and trash rounds as N suc , N fail , N test , and N trash , respectively.(N = N suc + N fail + N test + N trash holds by definition.) Bob calculates the sum of Λ m,r (|ω obtained in the N test test rounds, which is denoted by F .

4.
For error correction, they use H EC -bits of encrypted communication consuming a pre-shared secret key to do the following.According to (the upper bound on) the bit error rate e qber , Bob randomly chooses an error-correcting code and sends it with the H EC -bits syndrome to Alice.Alice reconciles her sifted key accordingly.
5. Bob computes and announces the final key length N fin according to Eq. (1).Alice and Bob apply privacy amplification to obtain the final key.
For simplicity, we omitted the bit-error-sampling rounds in the above protocol.To satisfy the required correctness ε cor for the final key (see Appendix A), Alice and Bob randomly insert N smp sampling rounds among N rounds in which Bob performs the same measurement as that of the signal round and estimate an upper bound e qber on the bit error rate.Let N suc smp be the number of "success" in N smp sampling rounds, and let Êobs be the number of discrepancies between Alice's and Bob's bits observed in the "success" sampling rounds.Then, Bob sets e qber to where the function MN,n,ϵ is defined in Eq. (117) in Appendix B.2.The proof that this definition of e qber upper-bounds the actual bit error rate with probability no smaller than 1 − ε cor /2 is also shown in Appendix B.2.The required amount H EC of the error syndrome Bob sends to Alice in the bit error correction depends on the error correction method; here we assume where f ∈ [0, 1] denotes an error correction efficiency [52,53,16,17,18,54] for the error correction to succeed with the probability no smaller than 1 − ε cor /2.The net key gain Ĝ per pulse is thus given by Ĝ = ( N fin − H EC )/(N + N smp ). (5) Here, we do not use verification in the post-processing, unlike Refs.[40,41], due to the subtleties to incorporate it in our security proof.The acceptance probability f suc (x) should be chosen to post-select the rounds with larger values of x, for which the bit error probability is expected to be lower.The definition of f suc (x) in this article follows Ref. [41] and is slightly more general than that of Ref. [40].(Note that Ref. [40] can also use this definition of f suc (x).)It is ideally a step function with a threshold x th (> 0), but our security proof applies to any form of f suc (x).The test function Λ m,r (ν) is the same as the one defined in Ref. [40] where it is shown to satisfy for any odd integer m, positive real r, and density operator ρ (see Appendix B.1).The parameter β is typically chosen to be √ ηµ with η being a nominal transmissivity of the quantum channel, while the security proof itself holds for any choice of β.The parameter s is related to the overall security parameter in the security proof below.

Construction of a virtual protocol and reduction to an estimation protocol
We determine a sufficient amount of the privacy amplification according to the complementarity, or in other words, the phase error correction [47,49], which has been widely used for the DV-QKD protocols.We aim at showing the secrecy of Bob's final key against the adversary Eve (see Appendix A).To do so, we consider a virtual protocol in which Bob has a qubit for each success signal round such that the outcome of the Z-basis measurement on it is equivalent to his sifted key bit b.Alice can do arbitrary quantum operations in the virtual protocol as long as all the statistics and available information to the adversary Eve are the same as those in the actual protocol.Then, after Bob's Z-basis measurement on the qubit, the reduced classical-quantum state between Bob and Eve in the virtual protocol is the same as that in the actual protocol.
In the following, we explicitly describe the virtual protocol.For Alice, we introduce a qubit A and assume that she entangles it with an optical pulse C in a state where |ω⟩ C with ω ∈ C denotes the coherent state with the amplitude ω, which is defined as Then, the optical pulse C emitted by Alice is in the same state as that in the actual protocol.
For Bob, we construct a process of probabilistically converting the received optical pulse C to a qubit B, which can be regarded as a coherent version of Bob's signal measurement.For Homodyne protocol, consider a map K hom C→B defined as [40] with where ⟨x| maps a state vector to the value of its wave function at x; i.e., for a coherent state vector |ω⟩, ⟨x| acts as where ω = ω r + iω i with ω r , ω i ∈ R. Let Π ev(od) denote a projection operator onto the subspace of even(odd) photon numbers.Since ⟨x| (Π ev − Π od ) = ⟨−x| holds, we have This defines an instrument I hom C→B for the process of producing the outcome x and leaving C in a post-measurement state; i.e., given a measurable set ∆ ⊆ R, the unnormalized post-measurement state is given by with Tr[I hom C→B (∆)(ρ C )] being a probability of "success" signal event with the outcome x ∈ ∆.Similarly, for Heterodyne protocol, consider a map K het C→B defined as [41] with where |ω⟩ denotes a coherent state vector and ω = ω r + iω i with ω r , ω i ∈ R. Similarly to Homodyne protocol, we can define an instrument I het C→B composed of the heterodyne outcome and the (unnormalized) post-measurement state, which is given by where ∆ ′ ⊆ R 2 is a measurable set.If Bob measures the qubit B in the Z basis after the instrument (13) (resp.( 16)), he obtains the same sifted key bit with the same probability as in the actual protocol when x ∈ ∆ (resp.ω ∈ ∆ ′ ) [40,41].
At this point, one has a degree of freedom to perform quantum operations on the system AB for each outcome x (resp.ω) as long as it does not change the Z-basis value of the qubit B. This is because we aim at showing the secrecy of Bob's final key against the adversary Eve with Alice's system traced out.Thus, after applying the map K hom C→B (resp.K het C→B ), we assume that Alice and Bob perform a controlled isometry V hom B;A→R (x) (resp.V het B;A→R (ω)) of the form where C-X BA := |0⟩⟨0| B ⊗ I A + |1⟩⟨1| B ⊗ X A denotes the Controlled-NOT gate and V (j) A→R (ω)) for j = 0, 1 denotes an isometry from the system A to another system R that is no smaller than ) is an identity, then the analysis reduces to the previous results [40,41].Let V hom B;A→R (x) (resp.V het B;A→R (ω)) be the CPTP map defined as The composition of the map V hom B;A→R (x) and the map (9) (resp.map V het B;A→R (ω) and the map (14)) with Alice's system traced out at the end defines a quantum operation F hom AC→B (resp.F het AC→B ) that (probabilistically) outputs Bob's qubits for his sifted key as 1 Here, a subtlety for using the verification comes in.In order to know whether verification succeeds or not, Alice has to confirm the syndrome bits for the verification.However, this procedure may not commute with the action of V hom B;A→R (x) (resp.V het B;A→R (ω)).We do not currently have a method to evaluate how much the verification affects the secrecy condition.
with K ′ hom AC→B (x) (resp.K ′ het AC→B (ω)) given by where Id denotes the identity map.Note that the idea of acting the isometry V hom B;A→R (x) or V het B;A→R (ω) is closely related to the twisting operation on the shield system [55,56,57,58,59].The difference is that in our case it acts on the system A in a way that is incompatible with the Z-basis measurement on A. This is allowed in a security proof based on complementarity since what we need to prove in the virtual protocol is that the outcome of the Z-basis measurement on B is secret to Eve when the system A is traced out [47]; i.e., the system A works as a shield system.
We then introduce a virtual protocol that explicitly incorporates the action of F hom AC→B in Eq. (21) (resp.F het AC→B in Eq. ( 22)) in Box 2.
Box 2: Virtual protocol 1 ′ .For each of the N rounds, Alice prepares a qubit A and an optical pulse C in a state |Ψ⟩ A C defined in (7) and sends the pulse C to Bob. Bob receives an optical pulse C for each round.
2 ′ .For the received pulse C in each round, Bob announces a label in the same way as that at Step 2. Alice and Bob do one of the following procedures according to the label.
[signal] Alice and Bob perform the quantum operation on the system A and the received pulse C specified by the map F hom AC→B defined in Eq. (21) (resp.F het AC→B defined in Eq. ( 22)) to determine success or failure of detection, obtain the qubit B upon success, and perform the controlled isometry given in Eq. (17) (resp.Eq. ( 18)).Bob announces the success or failure of the detection.
[test] Bob performs a heterodyne measurement on the received optical pulse C, and obtains an outcome ω.Alice measures her qubit A in the Z basis and announces the outcome â ∈ {0, 1}.Bob calculates the value of Λ m,r (|ω − (−1) âβ| 2 ).
3 ′ .N suc , N fail , N test , N trash , and F are defined in the same way as those at Step 3. Let Q− be the number of rounds with â′ = − among the N trash trash rounds.
4 ′ .According to (the upper bound on) the bit error rate e qber , Bob performs H EC bits of encrypted communication consuming a pre-shared secret key to send a dummy message.
5 ′ .Bob computes and announces the final key length N fin according to Eq. (1).Bob performs a randomly chosen unitary on his qubits (see the main text), and measures the first N fin qubits in the Z bases.
In the last line of Step 5 ′ , the random choice of a unitary is constructed so that, along with the subsequent N fin -qubit measurement in the Z bases, it is equivalent to the privacy amplification.This is possible because for any n × n linear transformation C on the n-bit sequence, there always exists a corresponding unitary U (C) that satisfies U (C) |z⟩ = |Cz⟩ in the Z basis.As has already been claimed, if Eve performs the same attacks as those in the actual protocol, the resulting classical-quantum state between Bob and Eve is the same as that in the actual protocol.The complementarity argument [47] in a reverse reconciliation scenario relates the amount of privacy amplification to the so-called phase error patterns of Bob's qubits.Suppose that, just before the Z-basis measurement at Step 5 ′ of the virtual protocol, Bob's quantum state on the first in terms of the infidelity when averaged over N fin , where the cases N fin = 0 are regarded to have no infidelity.Then, the secrecy condition of the final key is satisfied with a secrecy parameter √ 2ε sc [49,60,61].For this to be true, the errors in the X bases (i.e., the phase errors) on Bob's qubits should be corrected by the procedure at Step 5 ′ of the virtual protocol with failure probability no larger than ε sc when averaged over N fin ( N fin = 0 cases are regarded as no failure).To see the correctability of the phase errors at Step 5 ′ , suppose that Bob measured his N suc qubits in the X basis {|+⟩ , |−⟩} at the end of Step 3 ′ , and obtained a sequence of + and −.The minuses in the sequence are regarded as phase errors.It has already been known that, if we can find an upper bound on the number of possible phase-error patterns, then we can prove the security [47,61].To make the argument more precise, we introduce an estimation protocol in Box 3.

Box 3: Estimation protocol
1 ′′ .For each of the N rounds, Alice prepares a qubit A and an optical pulse C in a state |Ψ⟩ A C defined in (7) and sends the pulse C to Bob. Bob receives an optical pulse C for each round.
2 ′′ .For the received pulse C in the ith round (i = 1, . . ., N ), Bob announces a label in the same way as that at Step 2. Alice and Bob do one of the following procedures according to the label and obtain the values of random variables , F (i) , and Q(i) − .Unless explicitly written, these random variables are set to be zeros.
[signal] Alice and Bob do the same procedure as that at "signal" of Step 2 ′ .Upon "success", Bob performs the X-basis measurement on qubit B and obtains b′ ∈ {+, −}.
ph is set to be unity.
[trash] Alice does the same procedure as that at "trash" of Step 2 ′ .When â′ = −, Q(i) − is set to be unity.
3 ′′ .Same as Steps 3 ′ of the virtual protocol.Note that F = N i=1 If we could uniquely identify the N suc -bit sequence xph with failure probability at most ε sc (when averaged over N fin with N fin = 0 cases regarded as no failure), then we could identify the phase errors in the virtual protocol as well and correct them by appropriately acting Pauli-Z operations, and thus the actual protocol can be made √ 2ε sc -secret.Therefore, the task of proving the security of the actual protocol is now reduced to identifying the N suc -bit sequence xph with a bounded failure probability (when averaged over N fin ) in the estimation protocol.
We show in the following that the task is further reduced to constructing a function U ( F , N trash ) that satisfies for any attack in the estimation protocol, and setting the final key length to , where H PA is defined as In fact, if the condition (25) is satisfied, then the number of possible patterns of xph can be bounded from above by 2 H PA [62,61] except for the failure case with its probability no larger than ϵ.When the number of candidates of xph were restricted to 2 H PA , Bob could uniquely identify xph with failure probability no larger than 2 −s by extracting an (H PA + s)-bit syndrome from xph using a universal 2 hash function [47,63,50,48,61].Therefore, using the union bound, the failure probability of identifying xph can be bounded from above by ϵ + 2 −s (when averaged over N fin ) if the condition (25) is satisfied and the final key length is set to be max{ N suc − H PA − s, 0} at the end of the estimation protocol.Finally, we mention that Step 5 ′ in the virtual protocol realizes a phase error correction.In fact, the ( N suc − N fin )-bit syndrome extraction in the X bases via the universal 2 hash function can be realized through the randomly chosen unitary at Step 5 ′ in the virtual protocol, and the error recovery in the X bases of the rest N fin qubits by the Pauli-Z action leaves Z-basis values of these qubits unchanged and thus irrelevant (due to the successive Z-basis measurement at Step 5 ′ ).Since a unitary U (C −1 ) that acts as the matrix C −1 in the Z bases acts as C ⊤ in the X bases, i.e., U (C −1 ) |x X ⟩ = |C ⊤ x X ⟩ where • X denotes the X basis, the (random) unitary that acts as the universal 2 hashing in the X bases of the last ( N suc − N fin ) qubits acts as the dual universal 2 hashing in the Z bases of the first N fin qubits [63,48] (i.e., in the actual protocol).Thus, we can conclude that the actual protocol is is satisfied in the estimation protocol, the final key length is set as Eq.(1), and the privacy amplification is done by the dual universal 2 hashing.
Combining these, the condition (25) implies that the actual protocol with the adaptive final key length given in Eq. ( 1) is ε sec -secure with a security parameter [47,49,60].From now on, we thus focus on the estimation protocol for finding a function U ( F , N trash ) to satisfy Eq. (25).

Phase error operator
In this section, we explain how to obtain refined phase error operators that eventually lead to tighter bounds on phase errors than those in Refs.[40,41].The phase error operators depend on the choice of the controlled isometry V hom B;A→R (x) or V het B;A→R (ω) in the virtual and the estimation protocol.As we mentioned previously, when the isometries V A→R (x), the analysis reduces to the previous one [40].This is because in this case the phase error can be defined as the state |−⟩ in the X basis of Bob's qubit after acting Controlled-NOT operation from Bob's qubit to Alice's, as can be seen from Eqs. (17), (21), and (23).This is equivalent to observing the discrepancy between the X-basis values of Alice's and Bob's qubits before the action of Controlled-NOT, and thus equivalent to the definition of the phase error in Ref. [40].The relation between our new analysis for Heterodyne protocol and that in Ref. [41] can be interpreted in the same way.Here in our proposal, we have a degree of freedom to "twist" the Alice's qubit system with these isometries depending on protocol parameters as well as a homodyne (resp.heterodyne) outcome.Unfortunately, finding the optimal choice of these isometries with respect to all protocol parameters and observables in the actual protocol may be intractable.We thus take a suboptimal strategy; fix V hom B;A→R (x) (resp.V het B;A→R (ω)) so that the probability of the phase error event b′ = − in the estimation protocol is minimized for an ideal pure-loss channel [51] with transmission η = β 2 /µ, where β and µ are the positive parameters predetermined in the actual protocol.There are several reasons to do this.One is that the loss is the dominant noise for CV-QKD protocols and thus we prioritize the robustness against it to obtain better performance.Another is that the optimization for the pure-loss channel is much easier since we have an analytical expression of the state when the initial state Eq.(7) in the virtual protocol is subject to the pure-loss channel.In fact, when the state |Ψ⟩ A C in Eq. ( 7) is put into a pure-loss channel with the channel output being |±β⟩ C , the resulting state |Φ⟩ ACE on systems A, C, and an adversary's system E (i.e., an environment of the pure-loss channel) is given by Tracing out the system E, the reduced state Φ AC is given by where and Now we aim at obtaining the optimal choice of V hom B;A→R (x) (resp.V het B;A→R (ω)) so that the probability that Bob obtains b′ = − is minimized for the state Φ AC in Eq. (28).For Homodyne protocol, we observe that where P (ψ) := ψψ † (and thus P (|ψ⟩) = |ψ⟩⟨ψ|), and g m,V is the normal distribution with the mean m and the variance V , i.e., In the above (i.e., Eqs.(32)-( 35)), the first equality follows from Eq. (12), and the third follows from Eq. (11) as well as the fact that β is real.We define τ hom AB (x) as From Eqs. (17), ( 23), (35), and (37), the probability density of an outcome x with occurrence of the phase error is given by where the last inequality follows from the matrix Hölder inequality.If we write the polar decomposition of the equality in (40) can be achieved by setting From Eq. (37), ⟨0| B τ hom AB (x) |1⟩ B is given by which is hermitian with two eigenvalues having opposite signs.Let |u hom + (x)⟩ A and |u hom − (x)⟩ A be eigenvectors of ⟨0| B τ hom AB (x) |1⟩ B with positive and negative eigenvalues, respectively.Then, The explicit form of |u hom ± (x)⟩ A is given in Eq. (173) in Appendix C. The choice of the isometry V (j) A→R (x) to satisfy Eq. (41) is not unique; one of the reasons is the arbitrariness of the dimension of the system R. Here, we set R = A and set which, with Eqs. ( 17) and (43), leads to For Heterodyne protocol, the calculation similar to Eqs. (32)-( 37) leads to in order to have We define τ het AB (ω r ) as Thus, the structure of the matrix τ het AB (ω r ) is essentially the same as τ hom AB (x) of Homodyne protocol.(The heuristics of inserting R Z A (θ) above is for this reduction.)In the same way as Homodyne protocol, the probability density of outcome ω with the occurrence of a phase error is given by If we write the polar decomposition of , then the equality of Eq. ( 54) can be achieved by setting From Eq. (52), ⟨0| B τ het AB (ω r ) |1⟩ B is given by B with positive and negative eigenvalues, respectively.Then, W het A (ω r ) is given by We can choose V ′(j) A→R (ω) to satisfy Eq. (55) in the same way as Homodyne protocol.We set R = A and set which, with Eqs. ( 18) and (57), leads to (59) We thus obtained the optimal choice of the controlled isometry V hom B;A→R (x) in Eq. (45) for Homodyne protocol (resp.V het B;A→R (ω) in Eq. (59) for Heterodyne protocol) so that the probability that Bob obtains b′ = − is minimized for the pure-loss channel.As explained previously, we set V (j) A→R (x) to the one in Eq. (44) (resp.V ′(j) A→R (ω) to the one in Eq. ( 58)) also for arbitrary channels, i.e., arbitrary coherent attacks by Eve.This choice is suboptimal for general channels but is expected to be close to optimal for channels that are close to the pure-loss one.Now that the controlled isometry V hom B;A→A (x) (resp.V het B;A→A (ω)) is fixed, we can interpret the event that Bob announces "success" and obtains b′ = − (i.e., the phase error) at the signal round of Estimation protocol as the outcome of a generalized measurement on Alice's qubit A and the optical pulse C, and define the corresponding POVM element M hom/het ph (i.e., the phase error operator) through Eq. (21) (resp.Eq. ( 22)) as where ‡ denotes the adjoint map.Then, for any density operator ρ on the joint system AC, M hom ph in Homodyne (resp.Heterodyne) protocol, where N suc (i) ph is defined in Estimation protocol (see Box 3).For Homodyne protocol, by using Eqs.(9), (23), and (45), we have where we used the fact that the adjoint map of the tracing-out Tr A is taking the tensor product with as well as Eq. ( 12), we have where two orthogonal projections Π (+,od),(−,ev) AC and Π (−,od),(+,ev) AC are defined as (−,od),(+,ev) A similar relation holds for Heterodyne protocol by replacing K hom suc (x) with K het suc (ω) and V hom B;A→A (x) with V het B;A→A (ω) as well as using Eqs.(15), ( 59), (66), and (67): Using Eq. (11), we observe that Applying this to Eq. (69) and changing the integration variable appropriately, we have where the operator O β AC (x) is defined as

Finite-size analysis
Since the phase error operator was defined on systems A and C, we can follow essentially the same analysis as that in Ref. [40].Let us define the following operators: where |ϕ ± ⟩ AC are defined in Eqs. ( 29) and (30).For any density operator ρ on the joint system AC, these operators satisfy where the first inequality follows from Corollary 1 in Appendix B.1 as well as the definition of F (i) in Estimation protocol (see Box 3), and the second equality follows from the definition of in Estimation protocol (see Box 3).Let M hom/het [κ, γ] for positive numbers κ and γ determined prior to the protocol be defined as In Corollaries 3 and 4 in Appendix C, we show an inequality with a computable convex function B hom/het (κ, γ).Let T (i) [κ, γ] be a linear combination of random variables at ith round in Estimation protocol given by From Eqs. (62), (78), (79), and (81), we have for any density operator ρ.Furthermore, from the definition of N suc (i) ph , F (i) , and Let δ 1 (ϵ) be defined as (85) Then, by applying Proposition 2 in Appendix B.3 to { T (k) [κ, γ]} k=1,...,N as well as using Eqs.(82)-(85), we have (86) Since Q− is determined solely by Alice's qubits, each in the state Tr C (|Φ⟩⟨Φ| A C ) with |Φ⟩ A C given in Eq. (7), it follows the same statistics as a tally of N trash Bernoulli trials with a probability )/2.Hence, by using the Chernoff-Hoeffding inequality [64,62], we have Here, δ 2 (ϵ; n) is defined as [40] where is the Kullback-Leibler divergence.Combining Eqs.(86), and (87), by setting (90) we observe that Eq. (25) holds from the union bound.

Numerical simulations
We compute (the lower bound on) the net key gain per pulse (i.e., key rate Ĝ) against the transmission distance with various values of excess noise at the channel output.In this model, Bob receives Gaussian states ρ â√ ηµ⟩ with attenuation rate η to increase their variances via factor of (1 + ξ), i.e., For simplicity, the number N smp of the sampling rounds is set to be N/100, and the bit error correction efficiency f in Eq. ( 4) is to be 0.952 .The acceptance probability f suc (x) is assumed to be a step function Θ(x − x th ) with a threshold x th (> 0), where Θ(x) denotes the Heaviside step function.The expected amplitude of the coherent state β is chosen to be √ ηµ.We set the security parameter ε sec = 2 −50 , and set ε cor = ε sec /2 and ϵ = 2 −s = ε 2 sec /16.We assume that the number of "success" signal rounds N suc is equal to its expectation, i.e., where for Homodyne protocol [40].In the above, P + hom (resp.P − hom ) denotes the probability that Alice and Bob obtain coincident (resp.incoincident) bit values in the signal round.(Note that the apparent a-dependence in the definition of P ± hom above is not the case because of the symmetry of ρ (a) model defined in Eq. (91).)In a similar way, we obtain for Heterodyne protocol that We also assume that the number of "success" sampling rounds is equal to (P + hom/het +P − hom/het )N smp , the number of test rounds N test is equal to p test N , and the number of trash rounds N trash is equal to p trash N .The test outcome F is assumed to be equal to its expectation given by [40] For the test function Λ m,r in the above, we adopt m = 1 and r = 0.4120, which leads to (max ν≥0 Λ m,r (ν), min ν≥0 Λ m,r (ν)) = (2.824,−0.9932).We assume that the number Êobs of bit errors observed in the "success" sampling rounds is equal to its expectation Êobs = P − hom/het N smp .The upper-bound e qber on the bit error rate is thus given by Eq. (3) with the parameters N suc , N suc smp , and Êobs given above.Under these assumptions, the remaining parameters to be determined are six parameters (µ, x th , p sig , p test , κ, γ).We determined (κ, γ) via a convex optimization using CVXPY 1.2.1 and (µ, x th , p sig , p test ) via the Nelder-Mead in the scipy.minimizelibrary in Python, for each transmission distance L with the attenuation rate η assumed to be 10 −0.02L .
Figure 2 shows the key rates of Homodyne protocol for the channel model explained above.Figures show that under the condition of low excess noise, our refined analysis results in significantly higher key rates and longer transmission distance than that of the previous results [40] even in the finite-key case.Furthermore, the logarithm of the asymptotic key rate in the pure-loss case (i.e., ξ = 0) is in parallel to the PLOB bound [51] against the transmission distance; that is, it achieves a linear scaling against the channel transmission, which is known to be optimal for one-way QKD in the pure-loss channel.When the excess noise ξ is around 10 −3.0 -10 −2.0 , however, the improvements in our refined analysis are lost.The result of the parameter optimization implies that our refined analysis generates the key with relatively small intensity µ of the input coherent states compared to the previous analyses; e.g., the optimized input intensity µ of Homodyne protocol is ∼ 0.04 in our refined analysis compared to ∼ 0.2 in the previous analysis [40] at η = 0.1 (i.e., 50 km) for the asymptotic pure-loss case.
The key rate of Heterodyne protocol has a similar behavior.Figure 3 shows the key rates of Heterodyne protocol with the same noise model as above.Figures show that our refined analysis significantly improves the key rate against the pure-loss channel, but is fragile against excess noise.One can see, however, that, while the key rate of Heterodyne protocol is still low compared to that of Homodyne protocol, the achievable distance (i.e., the distance with a non-zero key rate) now becomes comparable with our refined analysis.This implies that our refined analysis based on the reverse reconciliation is more effective for Heterodyne protocol.

Discussion
We propose a refined security analysis for the protocol proposed in Ref. [40] based on the reverse reconciliation.The motivating ideas of our refinement come from the facts that the distillability of a secret key from a quantum state is a looser condition than the distillability of an entanglement from Figure 2: Key rates of the Homodyne protocol against transmission distance over an optical fiber.The attenuation rate of the optical fiber is assumed to be 10 −0.02L with transmission distance L km, an error correction efficiency f in Eq. ( 4) is set to be 0.95, and the number of sampling rounds Nsmp is set to be N/100.a) Key rates when the excess noise ξ at the channel output is zero; that is, the channel is pure loss.The bold solid lines show the key rates with our refined analysis developed here, the broken lines show those with the previous analysis [40], and the black thin line shows the PLOB bound, which is the ultimate limit of the key rate of one-way QKD [51].One can see that the logarithm of the asymptotic key rate decreases in parallel to the PLOB bound with our refined analysis against the transmission distance (≫ 1 km) as opposed to the previous results [40].Improvement in the key rate is sustained in the finite-size case.b) Key rates when N = 10 12 with various values of excess noise parameter ξ.(The detail of the noise model is given in the main text.)The solid lines show the key rates with our refined analysis, and the broken lines show those with the previous results [40].One can see that, although the key rate significantly improves for the pure-loss channel, the excess noise as high as ξ = 10 −3 -10 −2 degrades the performance to almost the same level as that of the previous results.
it [55,56,57,46,58,47] and that the reverse reconciliation can increase the key rate for CV QKD protocols [10].To exploit the ideas, we developed the procedure of "twisting" Alice's system with V hom B;A→R (x) (resp.V het B;A→R (ω)) controlled by Bob's qubit.Similar techniques have already appeared in previous works [55,46,57,58,47,59].Our finding is that by using the twisting operation that minimizes the phase error probability for the pure-loss channel, the protocol has asymptotically optimal scaling in the key rates both for Homodyne and Heterodyne protocols.This is a clear distinction from the previous results [40,41]; there, the asymptotic key rate non-linearly decreases against the channel transmission.This results challenge conventionally considered limitations on the phase error correction applied to the CV QKD.For example, in Ref. [30], the security proof based on the entropic uncertainty relation and the phase error correction did not achieve optimal linear key-rate scaling in the asymptotic case even with reverse reconciliation.The author ascribed this bad performance to the gap between a conditional entropy with a quantum conditioning and one with a classical conditioning, where the latter corresponds to measuring the quantum system with a fixed basis.Here, our security proof can be seen from Eqs. (45), ( 59) and the definitions of |u hom/het ± (x)⟩ A as "twisting" the (measurement) basis in which Alice's system is reduced to classical depending on the expected amplitude of a received optical signal as well as an observed homodyne/heterodyne outcome.This may minimize the above mentioned gap and thus achieve the asymptotically optimal scaling.In this sense, the conventionally-thought limitation may not be an actual limitation.
The improvement in the performance remains in the finite-key case but is lost under the existence of excess noise as high as ξ = 10 −3 -10 −2 at the channel output.This may limit the feasibility of our binary-modulation protocol, but current theoretical progress in CV QKD reveals that the discrete-modulation CV-QKD protocols with four types of modulation have more tolerance against excess noise than those with binary modulation [16,17,18].What is important is that our security proof can be extended to the four-state protocols with binary outcomes, such as Protocol 2 in Ref. [17] and a protocol in Ref. [18], by replacing the bit-extracting measurements of these protocols with the qubit-extracting maps as shown in Eq. ( 9) and constructing the corresponding phase error operator.This is, however, much more complicated than the previous analysis, and we leave the problem as future work.Figure 3: Key rates of the Heterodyne protocol against transmission distance over an optical fiber.The noise models are the same as those of Homodyne protocol.a) Key rates when the excess noise ξ at the channel output is zero; that is, the channel is pure loss.The bold solid lines show the key rates with our refined analysis developed here, the broken lines show those with the previous analysis [41], and the black thin line shows the PLOB bound, which is the ultimate limit of the key rate of one-way QKD [51].One can see that the logarithm of the asymptotic key rate is in parallel to the PLOB bound when the transmission distance is large in the same way as that of Homodyne protocol.The key rate is still less (about half) than that of Homodyne protocol.b) Key rates when N = 10 12 with various values of excess noise parameter ξ.The solid lines show the key rates with our refined analysis, and the broken lines show those with the previous result [41].
There are several remaining questions with our present results.The first and foremost is whether we can obtain higher tolerance against excess noise by extending our analysis to the fourstate protocols.As explained above, our analysis can be extended to the four-state protocols with binary outputs [17,18], i.e., protocols that use homodyne measurement to distinguish signals.With the same type of argument based on the phase error estimation, we can carry out the finitesize security proof for these protocols in principle.However, developing the analyses that preserve the robustness against excess noise for these protocols still has non-triviality.A more challenging problem is to apply our finite-size security proof to the four-state protocols with more than two outputs, such as a protocol in Ref. [16] and Protocol 1 in Ref. [17].In this case, the definition of phase errors is already non-trivial as opposed to those with binary outputs, and we have to develop more elaborated finite-size security proof.Whether we can extend our techniques to these protocols or protocols with even more constellations [20] is still open.
Another important theoretical question is whether the trusted-noise model can be applied to our security analysis.In practice, even the excess noise of ξ = 10 −3 at the channel output is difficult to realize if all the noises are untrusted.Recently, efforts have been made in the field of CV QKD on how to incorporate noises that are intrinsic to apparatuses and thus inaccessible to Eve into the security proof as trusted noises.This effectively eases the requirement on the experimental apparatuses.In the present security analysis as well as ones in Refs.[40,41], the fidelity test measures the fidelity to a pure coherent state, which cannot be naively generalized to the fidelity to a mixed state.Whether we can incorporate trusted noises into the fidelity test may be crucial in this direction.
From the viewpoint of the feasibility of the protocol, the total number of 10 12 of rounds to obtain a tolerable finite-size performance may be demanding.The finite-size performance may be improved by applying recently developed refinement [65] of the Azuma's inequality [66] that utilizes unconfirmed knowledge.What is non-trivial for the application of this is that the random variable in our application of Azuma's inequality can not directly be observed even at the end of the protocol.Whether we can apply the refined concentration inequality [65] with the information accessible in our protocol (in a similar fashion to Ref. [67]) may be an interesting problem.

A Definition of (composable) security
In this section, we give a definition of security, which can be divided into two conditions, secrecy and correctness.The definition satisfies the so-called universal composability [68].Since the correctness is satisfied by the procedure in the actual protocol, it is the secrecy that is the focus of our security proof.In this section, when the index to denote a system is dropped from a joint quantum state, the partial trace is implicitly taken for that system; e.g., for the state ρ AB , Let us assume that a given (prepare-and-measure) QKD protocol generates the final key bits ẑfin A and ẑfin B between Alice and Bob with the length denoted as N fin .When the protocol generates null key or is aborted, we set ẑfin A = ẑfin B = ∅ and N fin = 0. Given the final key length N fin = N ≥ 1, let ρ fin ABE|N be a quantum state between Alice's and Bob's N -bit final key as well as Eve's system at the end of the actual protocol.Definition 1.Given an arbitrary positive real number ε sec > 0, a QKD protocol is called ε secsecure if it satisfies the following: where ρ ideal ABE|N is defined as Proposition 1.For arbitrary positive real numbers ε cor > 0 and ε sc > 0, let us assume that the following two conditions are satisfied: Then, the protocol is (ε cor + ε sc )-secure as long as the protocol uses direct reconciliation.
The condition Eq. (107) is called the correctness condition and the condition Eq. (108) is called the secrecy condition.

Remark. Proposition 1 holds for protocols with reverse reconciliation if the system
A is replaced with B in the secrecy condition Eq. (108).

B Lemmas and Theorems used in the main text B.1 Lower bound on the fidelity to a coherent state
This section summarizes the technical result of Ref. [40].
As a Corollary, we obtain the following.
Corollary 1.Let |β⟩ (β ∈ C) be the coherent state with amplitude β.Then, for any β ∈ C and for any odd positive integer m, we have The proofs of Theorem 1 and Corollary 1 are given in Ref. [40].

B.2 Bit error sampling
In this section, we summarize how to determine an upper bound on the bit error rate from the given sample.As explained in the main text, N smp sampling rounds are randomly inserted in the actual protocol in which Alice and Bob announce their bit values if Bob's detection succeeds (in the same way as in the signal round).The number of "success" sampling rounds is denoted by N suc smp , and the observed number of discrepancies between Alice and Bob is denoted by Êobs .Let us first introduce a Chernoff-type bound for the hypergeometric distribution.
Then, the following corollary is essential for the bit error sampling.
We set the function f (M ) to the restriction of the function f N,n,ϵ ( M ) of the real number M that satisfies ), and its image lies in [0, n).Thus, from Eq. ( 118), we have for any m ∈ [0, n).We define the function MN,n,ϵ (m) := f −1 N,n,ϵ (m) for m ∈ [0, n).To incorporate the case m = n, we use the following weaker condition that trivially follows from Eq. (120): and define MN,n,ϵ (n) = N so that the above holds also for m = n.These show that Eq. ( 115) holds while MN,n,ϵ (m) satisfies Eqs. ( 116) and (117) by construction in Eq. ( 119).
With Corollary 2, we can bound the number of total bit-error events from the sample under the given failure probability ε cor /2 by setting N = N suc + N suc smp , n = N suc smp , and ϵ = ε cor /2 for MN,n,ϵ .As a result, we have the following statement; the number E of bit errors in N suc -bit sifted key is bounded from above by Thus, we can define an upper bound e qber of the bit error rate as in Eq. (3), which holds with probability no smaller than 1 − ε cor /2.

B.3 Azuma's inequality combined with the Doob decomposition
This section summarizes the Azuma's inequality [66,70,71] adapted to our security analysis.The main claim is the following.

C Proof of the operator inequality
In this section, we prove the inequality (81) used in the security proof in the main text.We first prove the following lemma.
where M ++ , M −− , M +− , and M −+ are given respectively by Then, for any real numbers γ ± , we have where σ sup (X) denotes the supremum of the spectrum of the operator X, and M 6d is given by Let Π ev(od) and M hom [κ, γ] be as defined in the main text, and let M hom oo , M hom ee , M hom (±,o)(∓,e) , and M hom (∓,e)(±,o) be defined as follows: Define the following (real) parameters:  Then, for κ, γ ≥ 0, we have Proof.We first derive the explicit form of |u hom ± (x)⟩ A introduced in Eq. (43).Notice that Let θ(x) be defined to satisfy Noticing that Tr Y A ⟨0| B τ hom AB (x) |1⟩ B = 0, we have From Eqs. ( 42), ( 170), (171), and (172), we can see that θ(x) coincides with θ hom µ,β (x) defined in Eq. ( 150).We now observe that where |ϕ − ⟩ AC is defined in Eq. (30).Since so-defined M only has continuous spectrum, we can apply Lemma 2 and obtain In the same way, we apply Lemma 2 to Π As can be seen from Eq. ( 73) as well as Eqs.( 75 Note that the elements of the matrices M (0) 6d and M (1) 6d in Eqs.(166) and (167) depend linearly on the parameters κ and γ.Since the largest eigenvalue of a matrix is a convex function of its elements [72,73], the largest eigenvalues σ sup (M (0) 6d ) and σ sup (M (1) 6d ) are convex functions of κ and γ, and so is B hom (κ, γ) in Eq. (168).The same fact can also be applied to B het (κ, γ) in Eq. (215).

4
′′ .Regarding + as zero and − as unity for each b′ in success signal round, define the N sucbit sequence xph .Let N suc ph be the Hamming weight of xph , i.e., N suc ph = N i=1 N suc (i) ph .5 ′′ .Bob performs a universal 2 hashing on xph and obtains ( N suc − N fin )-bit syndrome.From this syndrome, Bob estimates the binary string xph .