PHYSICAL REVIEW RESEARCH 3, 013047 (2021)

Continuous-variable quantum cryptography with discrete alphabets: Composable security

under collective Gaussian attacks

Panagiotis Papanastasiou and Stefano Pirandola

Department of Computer Science, University of York, York YO10 5GH, United Kingdom

(Received 27 February 2020; accepted 30 July 2020; published 14 January 2021)

We consider continuous-variable quantum key distribution with discrete-alphabet encodings. In particular, we

study protocols where information is encoded in the phase of displaced coherent (or thermal) states, even though
the results can be directly extended to any protocol based on finite constellations of displaced Gaussian states.
In this setting, we study the composable security in the finite-size regime assuming the realistic but restrictive
hypothesis of collective Gaussian attacks. Under this assumption, we can efficiently estimate the parameters of
the channel via maximum likelihood estimators and bound the corresponding error in the final secret key rate.

DOI: 10.1103/PhysRevResearch.3.013047

I. INTRODUCTION binary and ternary alphabets of displaced coherent states. The

Quantum key distribution (QKD) [1–4] allows two remote
authenticated parties to establish a shared secret key without
any assumption on the computational power of the eavesdrop-
per, the security being based on fundamental laws of quantum
mechanics, such as the no-cloning theorem [5,6]. The first
QKD protocols were based on the use of discrete variables
(DVs), i.e., discrete degrees of freedom of the electromagnetic
field, such as polarization or time bins. Later, at the end of
the 1990s and beginning of 2000, QKD was extended to
continuous-variables (CVs) [7,8] by the work of Ralph [9] and
other authors [10–13], culminating in the seminal GG02 pro-
tocol [14] based on Gaussian modulation of coherent states.
This seminal work also introduced the notion of reverse rec-
onciliation that allowed experimental CV-QKD to reach long
distances and led to the theoretical introduction of the re-
verse coherent information of a bosonic channel [15,16]. The
authors of Ref. [16] first explored the ultimate limits of point-
to-point (i.e., repeaterless) QKD, culminating in 2015 with
the discovery and proof of the Pirandola-Laurenza-Ottaviani-
Banchi (PLOB) bound [17] (see Refs. [4,18] for more details
on the historical developments).
Other theoretical advances in CV-QKD were the introduc-
tion of thermal-state protocols [19–24] (where the authors
of Refs. [21,22] specifically studied the extension to longer
wavelengths, down to the microwaves), two-way quantum
communication protocols [25,26], one-dimensional protocols
[27,28], and CV measurement-device independent (MDI)
QKD [29]. Last but not least, there was the important de-
velopment of CV-QKD with discrete-alphabet encoding. This
idea was first introduced in the postselection protocol of the
authors of Ref. [30] and later developed in a number of works
[31–39] . In particular, the authors of Refs. [30–33] considered
authors of Ref. [34] considered four coherent states and, later,
other works studied alphabets with arbitrary number of states
under pure-loss [35] and thermal-loss [36] attacks. All these
security proofs were limited to the asymptotic case of infinite
signals exchanged by the parties. In particular, the security of
discrete-alphabet CV QKD has been proven asymptotically
under collective attacks using decoy-like states in Ref. [37]
and, more recently, under general attacks using a Gaussian
bound in Ref. [38] (see also Ref. [39]).
In this work, we depart from the asymptotic security as-
sumption and study the finite-size composable security of
discrete-alphabet CV-QKD protocols. However, this exten-
sion comes with the price of another restriction. In fact, our
analysis holds under the assumption of collective Gaussian
attacks [40] and, in particular, collective entangling cloner
attacks [4,41] which results into a realistic thermal-loss chan-
nel between the remote parties. While the general arguments
apply to any discrete alphabet, we focus on the case of
phase-encoded coherent (or thermal) states, so that they are
displaced in the phase-space to create regular constellations at
fixed distance from the vacuum state. Our techniques combine
tools from Refs. [24,42–50]. The assumption of collective
Gaussian attack is particularly useful for the purpose of pa-
rameter estimation, for which we follow the approach found in
Refs. [24,42,43]. The composable analysis resorts to various
tools as combined in the approach found in Ref. [44] here
specified and applied to a discrete-alphabet protocol.
The paper is organized as follows. In Sec. II, we de-
scribe the discrete-alphabet (phase-encoded) QKD protocol,
for which we discuss the asymptotic security analysis. In
Sec. III, we discuss parameter estimation in the presence of
finite-size effects and, in Sec. IV, we study the key rate of the
protocol in the composable security framework. Section V is
for conclusions.

II. ASYMPTOTIC SECURITY

Published by the American Physical Society under the terms of the OF A PHASE-ENCODED PROTOCOL
Creative Commons Attribution 4.0 International license. Further
distribution of this work must maintain attribution to the author(s) In a generic phase-encoded CV-QKD protocol with N
and the published article’s title, journal citation, and DOI. states, Alice randomly chooses between N coherent states |αk 

2643-1564/2021/3(1)/013047(10) 013047-1 Published by the American Physical Society

PAPANASTASIOU AND PIRANDOLA PHYSICAL REVIEW RESEARCH 3, 013047 (2021)

with amplitude αk := 2−1 α exp(i2kπ N −1 ), where α  0 and with β  0 and θ ∈ [−π N −1 , π N −1 ], we obtain
k = 0, . . . , N − 1 (so that the classical label k is chosen with 1 −[β cos(2lπN −1 +θ )−√τ α cos(2lπN −1 )]2
probability Pk = N −1 ). More generally, she prepares her mode Pβθl|k = e 2

A in one of N displaced thermal states ρA|k with amplitudes 2π 

√
−[β sin (2lπN −1 +θ )− τ α sin (2lπN −1 )]2
αk , each with a fixed mean number of photons n̄th . In terms of ×e 2 . (10)
quadrature operators x̂A := (q̂A , p̂A )T (with the quantum shot
noise equal to 1), Alice’s conditional thermal state has mean Integrating over for β and for θ , we derive
value   ∞,πN −1
  Pl|k = βPβθl|k dβdθ , (11)
cos(2kπ N −1 ) 0,−πN −1
x̄A|k := Tr(x̂A ρk ) = α , (1)
sin(2kπ N −1 )
which can be calculated numerically. Here l is Bob’s estimator
and covariance matrix (CM) VA|k = (νth + 1)I, where νth = of Alice’s encoding variable k. Using Bayes’ formula we may
2n̄th and I is the bidimensional identity matrix. write
The signal state ρA|k is traveling through a Gaussian Pl|k Pk
(thermal-loss) channel which is under the full control of Eve. Pk|l = N−1 , (12)
k=0 Pk Pl|k
This is described by transmissivity τ and injected thermal
noise ω  1. This channel can always be dilated into an and compute the residual entropy
entangling cloner attack [40], where Eve has a two-mode
squeezed-vacuum (TMSV) state ρeE0 with zero mean x̄eE0 = H (k|l ) = Pl (−Pk|l log2 Pk|l ). (13)
l k
(0, 0, 0, 0) and CM
 √  The mutual information between the variables k and l is
ωI ω2 − 1Z given by
VeE0 = √ , (2)
ω2 − 1Z ωI I (k : l ) = H (k) − H (k|l ) = log2 N − H (k|l ). (14)
where Z = diag{1, −1}. In particular, mode e is mixed with In reverse reconciliation (RR), Eve’s information on l is
Alice’s traveling mode A in a beam-splitter with transmissivity bounded by the Holevo quantity
τ described by the symplectic matrix
 √ √  χ (E : l ) = S(ρE ) − Pl S(ρE |l ) (15)
τI 1 − τI l
B(τ ) = √ √ . (3)
− 1 − τI τI with E := e E0 , where ρE := l Pl ρE |l is non-Gaussian, and
the conditional state ρE |l is calculated by using the replace-
After the interaction, modes e and E0 are kept in a quantum
ment of Eq. (9) in the Gaussian state ρE |qB pB k [54] and
memory for an optimal final measurement taking into consid-
averaging over the probability Pkβθ|l , i.e., we have
eration all the classical communication between the parties.
For each use of the channel, Eve’s and Bob’s conditional N−1   ∞,πN −1
output state ρBe E0 |k has mean value and CM given by ρE |l = Pβθk|l ρE |βθlk dθ dβ, (16)
0,−πN −1
  k=0
x̄Be E0 |k = [B(τ ) ⊕ I] x̄A|k ⊕ x̄eE0 = x̄B|k ⊕ x̄e E0 |k , (4)
where
 
VBe E0 |k = [B(τ ) ⊕ I] VA|k ⊕ VeE0 [B(τ )T ⊕ I] Pβθl|k Pk
  Pβθk|l = . (17)
Pl
B C
= . (5)
CT Ve E0 |k Thus, the asymptotic secret key rate in RR is given by [55]

At the output, assume that Bob applies heterodyne R = ξ I (k : l ) − χ (E : l ), (18)

measurement with outcome (qB , pB ). Then, Eve’s triply con- where ξ ∈ [0, 1] is the reconciliation efficiency. In Fig. 1, we
ditional state ρe E0 |kqB pB has mean value and CM [51–53] plotted this rate (solid black line) for the case of two states
   (N = 2) with ξ = 1, assuming excess noise ε := τ −1 (1 −
−1 q
x̄e E0 |qB pB k = x̄e E0 |k − C (B + I) x̄B|k − B , (6)
T τ )(ω − 1) = 0.01 and setting α = 2. In Fig. 2, we showed the
pB
corresponding rate for N = 3, assuming the same parameters.
Ve E0 |qB pB k = Ve E0 |k − CT (B + I)−1 C, (7)
III. CHANNEL PARAMETER ESTIMATION
while the probability of the outcome is given by
√ √
The asymptotic rate in Eq. (18) is a function of Alice’s
[qB − τ α cos(2kπN −1 )]2 +[pB − τ α sin(2kπN −1 )]2
e− 21  encoding parameters, i.e., α, N, and νth , together with the
PqB pB |k = , (8) channel parameters, i.e., τ and ω, or equivalently τ and ε.
2π 
To estimate the parameters of the channel, Alice and Bob
with  := 2 + τ νth + (1 − τ )(ω − 1). Setting sacrifice m signal states. By communicating their outcomes
−1
for these m signals, Alice and Bob can compute estimators
+θ )
qB + ipB = βei(2lπN , (9) for τ and Vε := τ ε, and corresponding confidence intervals.

013047-2
CONTINUOUS-VARIABLE QUANTUM CRYPTOGRAPHY … PHYSICAL REVIEW RESEARCH 3, 013047 (2021)

associated to a specific Alice’s encoding k. Because we as-

sume heterodyne detection, the discussion of the q̂ and p̂
quadratures is symmetric. In the q̂ quadrature, Bob’s sampled
10-1 q-quadratures Bk i can be described by the following stochastic
variable:
Rate (bits/use)

τ
10-2 qBk = α cos (2kπ /N ) + qno , (19)
2
τ 1−τ 1
qno := qth + qE + qh , (20)
2 2 2
-3
10
where qth is Alice preparation noise with variance ν th + 1, qE
is Eve’s noise variable with variance ω, and qh is the noise
variable due to Bob’s heterodyne measurement. The variable
10-4 qBk is Gaussian with mean
0 2 4 6 8
Attenuation in dB   τ
E qBk = α cos (2kπ /N ), (21)
2
FIG. 1. Secret key rate for N = 2 versus attenuation in dB. We
assume α = 2 and excess noise ε = 0.01. We show the asymptotic and variance
case with ξ = 1 (black solid line) and the composable case, for which
we assume s = h = 10−10 , PE = 10−10 , p = 0.9, ξ = 0.99, and Vno = 21  = 21 (τ νth + Vε + 2). (22)
r = 0.01, for M = 1012 (blue dashed line) and M = 109 (blue solid
We can then create maximum likelihood estimators for the
line). All the lines have a truncation accuracy of 10 Fock-basis states.
For comparison, we also plot the corresponding asymptotic rate (gray
mean value and variance of qBk starting from the samples Bk i .
solid line) assuming a pure loss channel. In fact, we may write
m/N m/N
N N  2
They can choose worst-case parameters to be used in the q̄Bk = Bk i , Vnok = Bk i − q̄Bk . (23)
m i=1
m i=1
computation of the key rate in Eq. (18).
Therefore, assume that Alice reveals the encoding k of m The mean value and variance of the estimator q̄Bk are given by
signal states out of a block of M = m + n signal states. For
m/N
m sufficiently large, we have that m/N can be chosen to be   N  
an integer. Bob will have samples Bk i for i = 1, . . . , m/N E q̄Bk = E(Bk i ) = E qBk , (24)
m i=1
  2 m/N
N N
100 Var q̄Bk = 2 Var(Bk i ) = Vno , (25)
m i=1
m

since Bk i can be considered to be i.i.d. variables (in a collective

Gaussian attack).
10-1 Note that the estimator q̄Bk can be replaced by its expected
Rate (bits/use)

value E(qBk ) due to the fact that its variance in Eq. (25)
vanishes for m  1. Thus, we can write the variance estimator
Vnok in Eq. (23) as
10-2
m/N    2
N Bk i − E qBk
Vnok = Vno √ . (26)
m i=1 Vno
10-3 The term inside the brackets follows a standard normal distri-
bution with zero mean and unit variance. Therefore, the sum
0 5 10 15 term follows a noncentral chi-squared distribution with mean
Attenuation in dB equal to m/N and variance 2m/N. Consequently, for the mean
and variance of the estimator Vnok we obtain
FIG. 2. The secret key rate for N = 3 versus attenuation in dB.  m/N    2 
We assume α = 2 and excess noise ε = 0.01. We include the asymp-   N Bk i − E qBk
totic case with ξ = 1 (black solid line) and the composable case, for E Vnok = Vno E √ = Vno , (27)
m Vno
which we assume s = h = 10−10 , PE = 10−10 , p = 0.9, ξ = 0.99, i=1
 2 m/N    2 
and r = 0.01, for M = 1012 (blue dashed line) and M = 109 (blue   2 N Bk i −E qBk N
solid line). All the lines have a truncation accuracy of 10 Fock-basis Var Vnok = Vno Var √ = 2 Vno2 .
m i=1
Vno m
states. For comparison, we also plot the corresponding asymptotic
rate (gray solid line) assuming a pure loss channel. (28)

013047-3
PAPANASTASIOU AND PIRANDOLA PHYSICAL REVIEW RESEARCH 3, 013047 (2021)

Based on the estimator q̄Bk we can build an estimator for for the transmissivity is equal to
the transmissivity [cf. Eq. (19)]
8 V no
 2 τ PE = τ − 6.5 τ . (35)
τ̂k = 2α −2 cos−2 (2kπ /N ) q̄Bk . (29) m α2
Starting from Vnok we may also define an estimator for the
The estimator q̄Bk is the sample mean of Bk i and as such
excess noise. Solving Eq. (22) with respect to Vε , we obtain
follows a Gaussian distribution. We then can express Eq. (29)
with the help of the noncentral chi-squared variable χk ≡ Vεk = 2Vnok − τ̂ νth − 2. (36)
 q̄ 2
( Nm √VBk ) as follows: Then the mean and variance of this estimator are given by
no
 
 2 E Vεk = 2Vno − τ νth − 2, (37)
Vno N m q̄Bk
τ̂k = 2 √ . (30)
[α cos (2kπ /N )]2 m N Vno   N
Var Vεk := sk2 = 8 Vno2 + σ 2 νth2 , (38)
m τ [α cos (2kπ/N )]2
m
Because χk has mean value 1 + N 2Vno
and variance
where we used Eqs. (27), (28), and (34). The variance of the
2 Nm τ [α cos2V2kπ/N]
2
2(1 + ), the estimator of the transmissivity has
no
optimal linear combination Vε of all the estimators Vεk (also
mean and variance equal to considering the p-quadrature) is given by
2Vno N 4Vno2 σ 2 νth2
E(τ̂k ) = s2 = + . (39)
mα 2 cos2 (2kπ /N ) m 2N
 
m τ [α cos (2kπ /N )]2 Based on the assumption of large m, we approximate the
× 1+ distribution of each Vnok to be Gaussian. As a result, the
N 2Vno
distribution of Vε is Gaussian with the same mean and variance
= τ + O(1/m), (31) given by s2 above. Assuming an error PE = 10−10 , we obtain
 2 the 6.5 confidence intervals for Vε . Therefore, the worst-case
2Vno N
Var(τ̂k ) := σk2 = value is give by
mα 2 cos2 (2kπ /N ) 
  σ 2 νth2
m τ [α cos(2kπ /N )]2 PE 4Vno2
×2 1 + 2 Vε = Vε + 6.5 + . (40)
N 2Vno m 2N
N Vno Using the worst-case values τ PE and VεPE , we can write a
= 8τ + O(1/m2 ). (32) finite-size expression of the key rate R = R(τ, Vε ) of Eq. (18)
m α 2 cos2 (2kπ /N )
which accounts for the imperfect parameter estimation and the
Since there will be other estimators corresponding to the reduced number of signals. This is given by replacing
other values of Alice’s encoding k, we can create an optimal n   n
linear combination of them with variance [43] R(τ, Vε ) → R τ PE , VεPE := RPE . (41)
M M
N−1 −1
 2 −1
σq =
2
σk IV. COMPOSABLE SECURITY UNDER
k=0 COLLECTIVE ATTACKS
N−1 −1 The following study for the composable security is based
N Vno
= 8τ cos (2kπ /N ) on various ingredients [44–50]. More precisely, it follows the
m α2 k=0 procedure formulated in Ref. [44], which is here specified and
16 Vno applied to a discrete alphabet.
=τ . (33) After the parties exchange n signal states and apply error
m α2 correction (EC), they share a state ρ̃ n from which, according
So far, we used only samples from the q-quadrature to the leftover hash lemma, they can extract sn bits of uniform
of Bob’s outcomes. Similar relations will hold for the p- randomness, or in other words secret key bits. This number of
quadrature. Combining all the available q- and p-samples, the bits is bounded according to the following relation [47,48]:
optimal linear estimator τ̂ of the transmissivity will have s
√
sn  Hmin (l n |E n )ρ̃ n + 2 log2 2h − leak n,EC (n, cor ). (42)
8 Vno s
E(τ̂ ) = τ, Var(τ̂ ) := σ 2 = τ . (34) Here, Hmin (l n |E n ) is the smooth min-entropy of Bob’s variable
m α2 l conditioned on Eve’s systems E , and leak EC (n, cor ) is the
In fact, for large m, we can approximate all the 2N estimators classical information exchanged by the parties for EC (stored
τ̂k to have Gaussian distributions with the same mean and by Eve in her register).
variance σ p2 = σq2 . As a result, the global estimator τ̂ is a The uniform randomness h and smoothing s parameters
Gaussian variable with the same mean τ and variance equal define the secrecy of the protocol sec = h + s which, along
to σ 2 . Now, assuming an error PE = 10−10 for channel pa- with the EC parameter cor , defines the security parameter
rameter estimation (PE), we have to consider a 6.5 standard tot = cor + sec . The later bounds the trace distance D of the
deviation interval for τ . This means that the worst-case value state ρ̄ n (after privacy amplification) from the ideal output

013047-4
CONTINUOUS-VARIABLE QUANTUM CRYPTOGRAPHY …
state ρid of a QKD protocol, i.e., a classical-quantum state
where the uniformly distributed classical registers of Alice
and Bob are uncorrelated from Eve’s systems [50]. Each of
the epsilon parameters introduced above can be considered to
be very small. We take them of the order of 10−10 .
Equation (42) can be further simplified so as to be con-
nected with the asymptotic secret key rate. In fact, we can
further bound the smooth min-entropy calculated in terms of
ρ̃ n with the smooth min-entropy of the state before EC ρ ⊗n ,
which is in a tensor-product form due to the fact that we
assumed a collective attack. More precisely, we exploit the
following inequality [44]:
  
s
Hmin
p 2 /3
(l n |E n )ρ̃ n  Hmins (l n |E n )ρ ⊗n + log2 p 1 − s2 /3 .
(43)
Here p is the probability of successful EC, i.e., the probability
that the protocol is not aborted after Alice and Bob compared
hashes of their sequences [4]. The value of 1 − p is given
by the experimental frame error rate [56]. Note that, even
if the protocol does not abort (because the hashes are the
same), Alice’s and Bob’s sequences are identical up to an error
probability cor .
The replacement in Eq. (43) allows us to use the asymptotic
equipartition property (AEP) theorem [49] so as to reduce the
conditional smooth-min entropy of the tensor-product form
ρ ⊗n to the conditional von Neumann entropy S(l|E )ρ of the
single copy ρ. In particular, one may write the following [48]:
 
p 2 /3 √ (1 − r)M
Hmins (l n |E n )ρ ⊗n  nS(l|E )ρ − nAEP ps2 /3, |L| , (44)
where
   
AEP (s , |L|) := 4 log2 (2 |L| + 1) log 2/s2 . (45)
The parameter |L| is the cardinality of Bob’s outcome (alpha-
bet) and, in our case, it is equal to N.
Replacing Eqs. (43) and (44) in Eq. (42), one obtains the
following bound for the number of secret bits:
√   the reconciliation efficiency parameter is ξ = 0.99 and the EC
sn  nS(l|E )ρ − nAEP ps2 /3, N
  
+ log2 p 1 − s2 /3
√ key rate for N = 3, both in the asymptotic (black line) and
+ 2 log2 2h − leak EC (n, cor ). (46)
To further simplify the bound above, consider the definition
of quantum mutual information between two systems Q and
E in terms of the (conditional) von Neumann entropy
I (Q : E ) = S(Q) − S(Q|E ). (47)
When Q is a classical system described by a variable l, I (l :
E ) takes the form of the Holevo information χ (E : l ) and the
von Neumann entropy simplifies to the Shannon entropy H (l ).
Thus we can write
S(l|E )ρ = H (l )ρ − χ (E : l )ρ . (48)
Moreover, let us set the quantity
H (l )ρ − n−1 leak EC (n, cor ) := ξ I (k : l )ρ , (49)
where I (k : l ) is the classical mutual information between
Alice’s and Bob’s variables and ξ ∈ [0, 1] defines the recon-
ciliation efficiency [57]. As a result, the asymptotic secret key
013047-5
PHYSICAL REVIEW RESEARCH 3, 013047 (2021)
rate of Eq. (18) appears if we make the previous replacements
in Eq. (46) obtaining
√  
sn  nRρ − nAEP ps2 /3, N
   √
+ log2 p 1 − s2 /3 + 2 log2 2h . (50)
Finally, let us account for the PE in the bound above. This
means that we need to write Eq. (50) considering the worst-
case scenario state ρM−m
PE
, where the channel parameters τ and
Vε are bounded by τ PE and VεPE , and also accounting for the
fact that we sacrificed m out of M signal states. Therefore, we
obtain
√  
sM−m  (M − m)RPE − M − mAEP ps2 /3, N
   √
+ log2 p 1 − s2 /3 + 2 log2 2h , (51)
where RPE is the finite-size rate of Eq. (41). This is true only
with probability 1 − PE since there is a nonzero probability
PE that the actual values of the channel parameters are not
bounded by τ PE and VεPE . Dividing Eq. (51) by the total
number M of signal states, multiplying by the EC success
probability p, and setting r = Mm
, we obtain the secret key rate

1  
RM,r  (1 − r)p RPE − √ AEP ps2 /3, N
(1 − r)M
   √ 
log2 p 1 − s2 /3 + 2 log2 2h
+ , (52)
which is valid up to an overall tot = cor + s + h + pPE .
See Ref. [44] for corresponding analytical formulas but in the
setting of Gaussian-modulated protocols.
In Fig. 1, we plot the composable key rate for the proto-
col with two states (N = 2) versus the attenuation in dB for
r = 0.01, M = 1012 (blue dashed line) and M = 109 (blue
solid line). We assume excess noise ε = 0.01 and set the se-
curity parameters to s = h = PE = 10−10 . We assume that
success probability is p = 0.9. (Note that, in our analysis the
EC error cor is contained in ξ .) In Fig. 2, we plot the secret
the composable cases (blue lines) for channel excess noise
ε = 0.01. As expected, the performance of the protocol is
dependent on the number M of signals.
As we can see in Fig. 3, increasing preparation (trusted)
thermal noise νth [23], the fidelity of the signal states in-
creases, making them more difficult to distinguish, resulting
in a better secret key rate performance. In more detail, we
observe that the fidelity (computed according to Ref. [61])
reaches a saturation point faster when α is smaller. Further-
more, in this point the fidelity becomes closer to 1 as α gets
smaller. Taking into consideration the channel propagation,
this leads to a configuration where Bob’s states may have
almost the initial fidelity, while the fidelity of Eve’s states
may be at the saturation point. This can happen for example
for transmissivities that are close to 1. An additional optimal
value of the thermal preparation noise can boost this effect for
other transmissivities. In fact, we can observe this in Fig. 4,
where we consider excess noise ε = 0.01 and preparation
noise νth = 0.1, i.e., Alice sending thermal states. We observe
PAPANASTASIOU AND PIRANDOLA
1 100
0.8
0.6
Fidelity
0.4
0.2
0
0 1 2 3
Trusted thermal noise th
FIG. 3. The fidelity between two signal states (N = 2) for k = 0
and k = 1 versus the thermal preparation noise νth . We include plots
for different amplitudes α = 0.5 (solid line), α = 1 (dashed line),
and α = 2 (dashed-dotted line). As the thermal noise increases, the
fidelity between the two states arrives at a saturation point close to 1.
The smaller the value of α the faster this saturation happens.
an advantage for the secret key rate when we use preparation
noise that compensates the rate degradation due to the finite-
size effects.
V. CONCLUSION AND DISCUSSION
In this work, we study the finite-size composable se-
curity of a discrete-alphabet CV-QKD protocol under the
assumption of collective Gaussian attacks. This assumption is
realistic because the standard model of loss and noise in opti-
cal quantum communications is the memoryless thermal-loss
channel, which is dilated into a collective entangling cloner
attack, i.e., a specific type of collective Gaussian attack [40].
Our analysis extends previous asymptotic analyses [38,39]
to the finite-size and composable regime, but simultaneously
pays the price to be restricted to collective Gaussian attacks.
Removing this assumption is the subject of future investiga-
tions.
Since our analysis applies not only to displaced coherent
states but also to displaced thermal states, it can be useful for
studying the security of phase-encoded protocols at frequen-
cies lower than the optical. Moreover, the use of displaced
thermal states can increase the difficulty in distinguishing
the signal states with a beneficial effect for the secret key
rate. It is also worth stressing that our derivation, described
for phase-encoded signals, can immediately be extended to
any constellation of displaced Gaussian states (e.g., coherent,
thermal, or squeezed). The most crucial part is the finite-size
rate RPE which can always be estimated, under the assumption
of collective Gaussian attacks, by using maximum likelihood
estimators and their confidence intervals, i.e., adopting sim-
ple variations of the technique in Sec. III. In this way, the
finite-size rate RPE can always be expressed in terms of the
013047-6
PHYSICAL REVIEW RESEARCH 3, 013047 (2021)
10-1
Rate (bits/use)
10-2
10-3
4 10-4
0 2 4 6 8
Attenuation in dB
FIG. 4. The secret key rate for N = 2 and νth = 0.1 versus the
attenuation in dB. We assume α = 2 and excess noise ε = 0.01. We
include the asymptotic case with ξ = 1 (red solid line) and the com-
posable case, for which we assume s = h = 10−10 , PE = 10−10 ,
p = 0.9, ξ = 0.99, and r = 0.01, for M = 1012 (yellow dashed line)
and M = 109 (yellow solid line). For comparison, we also plot the
secret key rate assuming coherent states (νth = 0, black solid line).
We observe an advantage when we use preparation trusted noise
(compare red and black lines) that can be exploited to mitigate the
decrease of the rate in the finite-size regime (similar performance
of yellow dashed line and black solid line). All the lines have a
truncation accuracy of 14 Fock-basis states.
asymptotic key rate R of the specific protocol under consider-
ation via the transformation in Eq. (41).
Note that, for Gaussian-modulated coherent-state proto-
cols, one can apply a Gaussian de Finetti reduction [62] that
enables one to extend the composable security to general
coherent attacks. However, this technique does not seem to be
applicable to coherent-state protocols with discrete, finite al-
phabets. Finally, also note that our study involves calculations
based on a suitable truncation of the Fock space. The compu-
tational cost associated with these calculations is discussed in
the Appendix.
ACKNOWLEDGMENTS
The authors would like to thank Q. Liao and C. Ottaviani
for feedback. This work was sponsored by the the European
Union via “Continuous Variable Quantum Communications”
(CiViQ, Grant Agreement No. 820466) and the EPSRC via the
Quantum Communications Hub (Grant No. EP/T001011/1).
The computational part of this study was carried out on the
Viking Cluster of the University of York.
APPENDIX: COMPUTATIONAL COST
Here we present some results on the computational cost
associated with the calculation of the secret key rate. More
precisely, we focus on the time required for the convergence
of the entropy of Eve’s average state as the number of Fock
CONTINUOUS-VARIABLE QUANTUM CRYPTOGRAPHY … PHYSICAL REVIEW RESEARCH 3, 013047 (2021)

1.073934 0.784915
12 =0.01, =1.01, =0.01,
1.0739335
N=2, =2, =1.01, N=2,
=0.001 0.784914
1.073933 =1, =0.001

1.0739325 0.784913
entropy

entropy
10 12 14
1.073932 16 18

1.0739315 0.784912

1.073931
0.784911
14 18
1.0739305 16

0 1 2 3 4 5
Time (h)
FIG. 5. Entropy convergence versus computational time. Every
point has been plotted with a different truncation number in the Fock
basis which is indicated on top of the point. As this number is getting
larger the entropy is converging to its actual value. For keeping
the sixth significant digit, we need to truncate at 14 states, which
needs about 1.5h. For this plot, we used preparation noise ν = 0.01,
channel thermal noise ω = 1.01, number of ensemble states N = 2,
amplitude α = 2 and channel transmissivity τ = 0.001.
states increases. This functional is simpler to examine and
provides a good estimate of the time needed for the full
key rate. Note that, as the transmissivity decreases, i.e., the
distance increases, the secret key becomes lower and lower;
for this reason, we need more significant digits to approxi-
mate it. Correspondingly, this demands extra significant digits
for the calculation of the entropy. In Figs. 5–7 we compare
this convergence for different values of α = 1, 2, 3 while we
0.78491
6 0 1 2 3 4 5 6
Time (h)
FIG. 7. Entropy convergence versus computational time. For
completeness, we present the case of Fig. 5 but for α = 1, where 10
to 12 states could be enough if we want to keep the fifth significant
digit.
set preparation noise ν = 0.01, channel noise ω = 1.01, and
transmissivity τ = 0.001. From Figs. 5, 8, and 9, we may
also compare the performances with different values of the
transmissivity τ = 0.001, 0.1, 0.6. In Fig. 10, we present the
corresponding case for zero preparation noise. Calculations
were performed using MATLAB 2018 on a core of a 20-core
2.0 GHz Intel Xeon 6138 of the Viking cluster [63].

1.0908 1.05935
=0.01, =1.01, =0.01, =1.01,
N=2, =3, 1.059345 N=2, =2, =0.1
1.09075 =0.001

1.05934
entropy

entropy

14
1.0907 1.059335
14
16 18
1.05933
1.09065 16

1.059325

1.0906 1.05932
0 1 2 3 4 0 2 4 6 8 10
Time (h) Time (h)

FIG. 6. Entropy convergence versus computational time. Here FIG. 8. Entropy convergence versus computational time. We
we present the case of Fig. 5 but for α = 3. For keeping the fourth present the case of Fig. 5 but for τ = 0.1. Here we need at least 14
significant digit we need to truncate at 16 states or more. states for keeping the fourth significant digit.

013047-7
PAPANASTASIOU AND PIRANDOLA
0.88571
=0.01, =1.01,
N=2, =2, =0.6
0.885705
entropy
10
12 14 16 18
0.8857
0.885695
0.88569
0 2 4 6 8 0
Time (h)
FIG. 9. Entropy convergence versus computational time. We
present the case of Fig. 5 but for τ = 0.6. We observe that as the
transmissivity increases, the convergence becomes faster.
[1] C. H. Bennett and G. Brassard, Quantum cryptography: Public
key distribution and coin tossing, Proceedings of the Interna-
tional Conference on Computers, Systems & Signal Processing,
Bangalore, India, pp. 175-179, December 1984. See also Theor.
Comput. Sci. 560, 7 (2014).
[2] A. K. Ekert, Quantum cryptography based on Bell’s theorem,
Phys. Rev. Lett. 67, 661 (1991).
[3] C. H. Bennett, G. Brassard, and N. D. Mermin, Quantum
cryptography without Bell’s theorem, Phys. Rev. Lett. 68, 557
(1992).
[4] S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar,
R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani,
J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel,
V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, Ad-
vances in quantum cryptography, Adv. Opt. Photon. 12, 1012
(2020).
[5] W. Wootters and W. Zurek, A single quantum cannot be cloned,
Nature 299, 802 (1982).
[6] J. Park, The concept of transition in quantum mechanics, Found.
Phys. 1, 23 (1970).
[7] S. L. Braunstein and P. van Loock, Quantum informa-
tion with continuous variables, Rev. Mod. Phys. 77, 513
(2005).
[8] C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C.
Ralph, J. H. Shapiro, and S. Lloyd, Gaussian quantum informa-
tion, Rev. Mod. Phys. 84, 621 (2012).
[9] T. C. Ralph, Continuous variable quantum cryptography, Phys.
Rev. A 61, 010303 (1999).
[10] M. Hillery, Quantum cryptography with squeezed states, Phys.
Rev. A 61, 022309 (2000).
[11] M. D. Reid, Quantum cryptography with a predetermined
key, using continuous-variable Einstein-Podolsky-Rosen corre-
lations, Phys. Rev. A 62, 062308 (2000).
013047-8
PHYSICAL REVIEW RESEARCH 3, 013047 (2021)
1.03212
=0, =1.01,
N=2, =2,
1.032115 =0.001
14 16 18
entropy
12
1.03211
1.032105
1.0321
1 2 3 4 5 6
Time (h)
FIG. 10. Entropy convergence versus computational time. For
completeness, we present the case of Fig. 5 but for ν = 0.
[12] N. J. Cerf, M. Levy, and G. Van Assche, Quantum distribu-
tion of Gaussian keys using squeezed states, Phys. Rev. A 63,
052311 (2001).
[13] G. Van Assche, J. Cardinal, and N. Cerf, Reconciliation of a
quantum-distributed Gaussian key, IEEE Trans. Inf. Theory 50,
394 (2004).
[14] F. Grosshans and P. Grangier, Continuous Variable Quantum
Cryptography Using Coherent States, Phys. Rev. Lett. 88,
057902 (2002).
[15] R. García-Patrón, S. Pirandola, S. Lloyd, and J. H. Shapiro,
Reverse Coherent Information, Phys. Rev. Lett. 102, 210501
(2009).
[16] S. Pirandola, R. García-Patrón, S. L. Braunstein, and S. Lloyd,
Direct and Reverse Secret-Key Capacities of a Quantum Chan-
nel, Phys. Rev. Lett. 102, 050503 (2009).
[17] S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Fun-
damental limits of repeaterless quantum communications, Nat.
Commun. 8, 15043 (2017).
[18] S. Pirandola, S. L. Braunstein, R. Laurenza, C. Ottaviani,
T. P. W. Cope, G. Spedalieri, and L. Banchi, Theory of channel
simulation and bounds for private communication, Quantum
Sci. Technol. 3, 035009 (2018).
[19] R. Filip, Continuous-variable quantum key distribution with
noisy coherent states, Phys. Rev. A 77, 022310 (2008).
[20] V. C. Usenko and R. Filip, Feasibility of continuous-variable
quantum key distribution with noisy coherent states, Phys. Rev.
A 81, 022318 (2010).
[21] C. Weedbrook, S. Pirandola, S. Lloyd, and T. C. Ralph, Quan-
tum Cryptography Approaching the Classical Limit, Phys. Rev.
Lett. 105, 110501 (2010).
[22] C. Weedbrook, S. Pirandola, and T. C. Ralph, Continuous-
variable quantum key distribution using thermal states, Phys.
Rev. A 86, 022318 (2012).
CONTINUOUS-VARIABLE QUANTUM CRYPTOGRAPHY …
[23] V. C. Usenko and R. Filip, Trusted Noise in Continuous-
Variable Quantum Key Distribution: A Threat and a Defense,
Entropy 18, 20 (2016).
[24] P. Papanastasiou, C. Ottaviani, and S. Pirandola, Gaussian one-
way thermal quantum cryptography with finite-size effects,
Phys. Rev. A 98, 032314 (2018).
[25] S. Pirandola, S. Mancini, S. Lloyd, and S. L. Braunstein,
Continuous-variable quantum cryptography using two-way
quantum communication, Nat. Phys. 4, 726 (2008).
[26] C. Weedbrook, C. Ottaviani, and S. Pirandola, Two-way quan-
tum cryptography at different wavelengths, Phys. Rev. A 89,
012309 (2014).
[27] V. C. Usenko and F. Grosshans, Unidimensional continuous-
variable quantum key distribution, Phys. Rev. A 92, 062337
(2015).
[28] T. Gehring, C. S. Jacobsen, and U. L. Andersen, Single-
quadrature continuous-variable quantum key distribution,
Quantum Inf. Comput. 16, 1081 (2016).
[29] S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L.
Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L.
Andersen, High-rate measurement-device-independent quan-
tum cryptography, Nat. Photon. 9, 397 (2015).
[30] C. Silberhorn, T. C. Ralph, N. Lütkenhaus, and G. Leuchs,
Continuous Variable Quantum Cryptography: Beating the 3 dB
Loss Limit, Phys. Rev. Lett. 89, 167901 (2002).
[31] M. Heid and N. Lütkenhaus, Security of coherent-state quantum
cryptography in the presence of Gaussian noise, Phys. Rev. A
76, 022313 (2007).
[32] Y.-B. Zhao, M. Heid, J. Rigas, and N. Lütkenhaus, Asymptotic
security of binary modulated continuous-variable quantum key
distribution under collective attacks, Phys. Rev. A 79, 012307
(2009).
[33] K. Bradler and C. Weedbrook, Security proof of continuous-
variable quantum key distribution using three coherent states,
Phys. Rev. A 97, 022310 (2018).
[34] A. Leverrier and P. Grangier, Unconditional Security Proof
of Long-Distance Continuous-Variable Quantum Key Distribu-
tion with Discrete Modulation, Phys. Rev. Lett. 102, 180504
(2009).
[35] D. Sych and G. Leuchs, Coherent state quantum key distribution
with multi letter phase-shift keying, New J. Phys. 12, 053019
(2010).
[36] P. Papanastasiou, C. Lupo, C. Weedbrook, and S. Pirandola,
Quantum key distribution with phase-encoded coherent states:
Asymptotic security analysis in thermal-loss channels, Phys.
Rev. A 98, 012340 (2018).
[37] A. Leverrier and P. Grangier, Continuous-variable quantum-
key-distribution protocols with a non-Gaussian modulation,
Phys. Rev. A 83, 042312 (2011).
[38] S. Ghorai, P. Grangier, E. Diamanti, and A. Leverrier, Asymp-
totic Security of Continuous-Variable Quantum Key Distri-
bution with a Discrete Modulation, Phys. Rev. X 9, 021059
(2019).
[39] J. Lin, T. Upadhyaya, and N. Lütkenhaus, Asymptotic Security
Analysis of Discrete-Modulated Continuous-Variable Quantum
Key Distribution, Phys. Rev. X 9, 041064 (2019).
[40] S. Pirandola, S. L. Braunstein, and S. Lloyd, Characterization
of Collective Gaussian Attacks and Security of Coherent-
State Quantum Cryptography, Phys. Rev. Lett. 101, 200504
(2008).
013047-9
PHYSICAL REVIEW RESEARCH 3, 013047 (2021)
[41] F. Grosshans, N. J. Cerf, J. Wenger, R. Tualle-Brouri, and
P. Grangier, Virtual Entanglement and Reconciliation Proto-
cols for Quantum Cryptography with Continuous Variables,
Quantum Inf. Comput. 3(7), 535 (2003).
[42] A. Leverrier, F. Grosshans, and P. Grangier, Finite-size analysis
of a continuous-variable quantum key distribution, Phys. Rev.
A 81, 062343 (2010).
[43] L. Ruppert, V. C. Usenko, and R. Filip, Long-distance
continuous-variable quantum key distribution with efficient
channel estimation, Phys. Rev. A 90, 062310 (2014).
[44] S. Pirandola, Limits and security of free-space quantum com-
munications, arXiv:2010.04168.
[45] A. Leverrier, Composable Security Proof for Continuous-
Variable Quantum Key Distribution with Coherent States, Phys.
Rev. Lett. 114, 070501 (2015).
[46] C. Lupo, C. Ottaviani, P. Papanastasiou, and S. Pirandola,
Continuous-variable measurement-device-independent quan-
tum key distribution: Composable security against coherent
attacks, Phys. Rev. A 97, 052327 (2018).
[47] M. Tomamichel, C. Schaffner, A. Smith, and R. Renner, Left-
over Hashing Against Quantum Side Information, IEEE Trans.
Inf. Theory 57, 5524 (2011).
[48] M. Tomamichel, Ph.D. thesis, Swiss Federal Institute of Tech-
nology (ETH), Zurich, 2012, arXiv:1203.2142.
[49] M. Tomamichel, R. Colbeck, and R. Renner, A Fully Quantum
Asymptotic Equipartition Property, IEEE Trans. Inf. Theory 55,
5840-5847 (2009).
[50] C. Portmann and R. Renner, Cryptographic security of quantum
key distribution, arXiv:1409.3525v1.
[51] G. Giedke and J. I. Cirac, Characterization of Gaussian op-
erations and distillation of Gaussian states, Phys. Rev. A 66,
032316 (2002).
[52] J. Eisert and M. Plenio, Introduction to the basics of entangle-
ment theory in continuous-variable systems, Int. J. Quantum.
Inform. 1, 479 (2003).
[53] S. Pirandola, G. Spedalieri, S. L. Braunstein, N. J. Cerf, and
S. Lloyd, Optimality of Gaussian Discord, Phys. Rev. Lett. 113,
140405 (2014).
[54] This state is calculated by using [[4], Eq. (A7)] replacing
its mean and CM from Eqs. (6) and (7) and expressing the
quadrature operators in terms of the Fock basis considering the
appropriate truncation.
[55] I. Devetak, The private classical capacity and quantum capac-
ity of a quantum channel, IEEE Trans. Inf. Theory 51, 44
(2005).
[56] Y. Zhang, Z. Chen, S. Pirandola, X. Wang, C. Zhou, B. Chu, Y.
Zhao, B. Xu, S. Yu, and H. Guo, Long-Distance Continuous-
Variable Quantum Key Distribution over 202.81 km of Fiber,
Phys. Rev. Lett. 125, 010502 (2020).
[57] The analytical dependence of leak EC (n, cor ) on cor is deter-
mined in an experimental scenario after the choice of the linear
EC code. At that point, one can more precisely relate ξ to cor
through Eq. (49). From typical experiments for Gaussian pro-
tocols, it is known that ξ = 0.95 [58] and ξ = 0.98 [[59,60]] is
achievable. In the case of discrete-alphabet encoding the EC is
very efficient. This is why we chose a reconciliation efficiency
equal to ξ = 0.99.
[58] P. Jouguet, D. Elkouss, and S. Kunz-Jacques, High-bit-rate
continuous-variable quantum key distribution, Phys. Rev. A 90,
042329 (2014).
PAPANASTASIOU AND PIRANDOLA
[59] M. Milicevic, C. Feng, L. M. Zhang, and P. G.
Gulak, Quasi-cyclic multi-edge LDPC codes for long-
distance quantum cryptography, npj Quant. Info. 4, 21
(2018).
[60] X. Wang, Y.-C. Zhang, Z. Li, B. Xu, S. Yu, and H. Guo,
Efficient rate-adaptive reconciliation for continuous-variable
quantum key distribution, Quantum Inf. Comput. 17, 1123
(2017).
013047-10
PHYSICAL REVIEW RESEARCH 3, 013047 (2021)
[61] L. Banchi, S. L. Braunstein, and S. Pirandola, Quantum Fidelity
for Arbitrary Gaussian States, Phys. Rev. Lett. 115, 260501
(2015).
[62] A. Leverrier, Security of Continuous-Variable Quantum Key
Distribution via a Gaussian de Finetti Reduction, Phys. Rev.
Lett. 118, 200501 (2017).
[63] https://wiki.york.ac.uk/display/RHPC/Viking+-+The+York+
Super+Advanced+Research+Computing+Cluster