Composable finite-size effects in free-space CV-QKD systems

Nedasadat Hosseinidehaj [email protected] Centre for Quantum Computation and Communication Technology, School of Mathematics and Physics, University of Queensland, St Lucia, Queensland 4072, Australia Nathan Walk Dahlem Center for Complex Quantum Systems, Freie Universität Berlin, 14195 Berlin, Germany. Timothy C. Ralph Centre for Quantum Computation and Communication Technology, School of Mathematics and Physics, University of Queensland, St Lucia, Queensland 4072, Australia

Abstract

Free-space channels provide the possibility of establishing continuous-variable quantum key distribution (CV-QKD) in global communication networks. However, the fluctuating nature of transmissivity in these channels introduces an extra noise which reduces the achievable secret key rate. We consider two classical post-processing strategies, post-selection of high-transmissivity data and data clusterization, to reduce the fluctuation-induced noise of the channel. We undertake the first investigation of such strategies utilising a composable security proof in a realistic finite-size regime against both collective and individual attacks. We also present an efficient parameter estimation approach to estimate the effective Gaussian parameters over the post-selected data or the clustered data. Although the composable finite-size effects become more significant with the post-selection and clusterization both reducing the size of the data, our results show that these strategies are still able to enhance the finite-size key rate against both individual and collective attacks with a remarkable improvement against collective attacks–even moving the protocol from an insecure regime to a secure regime under certain conditions.

I Introduction

Quantum key distribution (QKD) Scarani.et.al.RVP.09 ; Xu.et.al.arxiv.19 ; Pirandola.et.al.arxiv.19 allows two trusted parties (traditionally called Alice and Bob) to share a secret key which is unknown to a potential eavesdropper (traditionally called Eve) by using quantum communication over an insecure quantum channel and classical communication over an authenticated classical channel. QKD systems were first proposed for discrete-variable quantum systems Bennett.Brassard.IEEE.84 ; Ekert.PRL.91 , where the key information is encoded onto the degrees of freedom of single photons, and the detection is realized by single-photon detectors, and then extended for continuous-variable (CV) quantum systems Ralph.PRA.99 ; Hillery.PRA.00 ; Reid.PRA.00 , where the key information is encoded onto the amplitude and phase quadratures of the quantized electromagnetic field of light, and detection is realised by (faster and more efficient) homodyne or heterodyne detectors. CV-QKD systems (see Garcia-Patron.PhD.07 ; Weedbrook.et.al.RVP.12 ; Diamanti.Leverrier.Entropy.15 ; Pirandola.et.al.arxiv.19 for review) have the potential of achieving higher secret key rates, as well as the advantage of compatibility with current telecommunication optical networks.

CV-QKD systems have experimentally been demonstrated over optical fibres experiment-CVQKD-2013 ; experiment-CVQKD-2016 ; chip-CVQKD-2019 ; commercial-fiber-CVQKD-2019 ; 200km-CVQKD-2020 , however the maximum secure transmission distance is still limited to few hundred kilometres. As an alternative, free-space channels have the potential to extend the maximum transmission range of CV-QKD systems Hosseini.et.al.IEEE.19 ; Hosseini.Malaney.PRA1.15 as thay provide a possibility for the implementation of satellite-based QKD systems satellite-2017-1 ; satellite-2017-2 . However, in free-space channels (in contrast to optical fibers) the channel suffers from atmospheric turbulence (causing beam-wandering, beam shape deformation, beam broadening, etc.), which results in a random variation of channel transmissivity in time. This fluctuation effect can be characterized by a probability distribution of the channel transmissivity. Depending on the atmospheric effects, advanced probability distribution models have been proposed for the channel transmissivity Semenov.Vogel.PRA.09 ; Vasylyev.et.al.PRL.12 ; Vasylyev.et.al.PRL.16 ; Vasylyev.et.al.PRA.17 ; Vasylyev.et.al.PRA.18 , which accurately describe free-space experiments squeezing-freespace ; Usenko-NJP-12 .

A free-space channel can be considered as a set of sub-channels, where the transmissivity of the channel is relatively stable for each sub-channel Usenko-NJP-12 . In a Gaussian CV-QKD protocol Garcia-Patron.PhD.07 ; Weedbrook.et.al.RVP.12 , Alice prepares Gaussian quantum states, which are modulated with a Gaussian distribution. Once these Gaussian states are transmited over a free-space channel to Bob, the fluctuating transmissivity of the channel makes the received state (at Bob’s station) a non-Gaussian mixture of the Gaussian states obtained for each sub-channel Bohmann-Gaussianentanglement . This non-Gaussian effect introduces an extra noise, which reduces the key rate Usenko-NJP-12 ; Hosseini.Malaney.ICC.15 ; NJP-2018 , however, the fluctuating transmissivity also provides a possibility to recover the key rate through the post-selection of data from sub-channels with high transmissivity Usenko-NJP-12 . The post-selection decreases the amount of channel fluctuation (i.e., decreases the variance of the transmissity distribution), which leads to a post-selected state with a more Gaussian nature (i.e., with less non-Gaussian noise). This post-selection has been shown to be effective for CV-QKD protocols in the asymptotic regime Usenko-NJP-12 ; Hosseini.Malaney.ICC.15 against Gaussian collective attacks¹¹1Note that the post-selection of transmission bins with high value has also been shown effective for enhancing the squeezing properties of light transmitted through the turbulent atmosphere squeezing-freespace ; Vasylyev.et.al.PRL.16 , and improving the fidelity of the coherent-state teleportation over the turbulent atmosphere teleportation-freespace .. The other classical post-processing strategy which can also reduce the negative effect of the fluctuation-induced noise is to partition the recorded data into different clusters cluster-2019 , and analyse the security for each cluster separately. Although these strategies are both effective in reducing the fluctuation-induced noise, they also reduce the size of the effective data set used for the security analysis. Hence, since in practice a finite number of signals are exchanged between Alice and Bob, the composable finite-size issues become even more significant when either post-selection or clusterisation is applied. Thus, whether these classical post-processing strategies are still effective in a composable finite-size regime remains an open question.

We consider the no-switching no-switching-2004 ; no-switching-2005 CV-QKD protocol (based on Gaussian-modulated coherent states and heterodyne detection) over a free-space channel. For the channel probability distribution we consider the elliptic-beam model Vasylyev.et.al.PRL.16 , which accounts for the deflection and deformation of a Gaussian beam caused by turbulence in atmospheric channels. We analyse the composable finite-size security of the protocol by using the recent security proof, stating that according to the Gaussian de Finetti reduction, for the no-switching protocol it is sufficient to consider Gaussian collective attacks in the finite-size, composable security proof Finite-size-Leverrier2017 ; Finite-size-Leverrier2019 . We answer the question whether the post-selection of high-tranmissivity sub-channels and data clusterisation can improve the performance of the free-space CV-QKD system in a composable finite-size regime against both collective and individual attacks²²2Note that when Eve has a restricted quantum memory, individual attacks can become the optimal eavesdropping attacks for the no-switching CV-QKD protocol Neda-Nathan-Tim ..

For both post-selection and clusterisation, the sub-channel transmissivity has to be estimated by publicly revealing a randomly-chosen subset of the data obtained over the stability time. There are other proposed methods channel-estimation-2012 ; channel-estimation-2015 ; channel-estimation-LO , which utilize classical auxiliary probes or the local oscillator to estimate the sub-channel transmissivity. However, since these classical signals could be likely manipulated by Eve, the classical estimation of the channel may compromise the security. Note that in principle the parameters of the channel, i.e., transmissivity and excess noise, can be estimated for each sub-channel realization separately, however, in practice only a small number of signals can be transmitted over the stability time of the channel, which results in pessimistic error bars for the estimated parameters, which consequently overestimates Eve’s information, and leads to a pessimistic bound for key rate. Hence, to estimate Eve’s information, instead of estimating the parameters of each sub-channel, we utilize the data revealed over all sub-channels (which are used for the security analysis) to estimate the effective Gaussian parameters. Our security analysis shows that the optimised post-selection can improve the finite-size key rate against both individual and collective attacks. Our previous work on Gaussian post-selection postselection-Neda showed a relatively modest improvement in the finite-size collective attacks in comparison with the significant improvement predicted by an asymptotic analysis. Surprisingly, our present work shows that the post-selection of high-transmissivity sub-channels provides a significant improvement in the composable finite-size regime, comparable to that predicted asymptotically. Further, we show that the data clusterisation can also significantly improve the composable finite key rates against collective attacks, provided an optimal clusterisation of sub-channels are chosen.

The structure of the remainder of the paper is as follows. In Sec. II, the no-switching CV-QKD system is described, with the security discussed in the composable finite-size regime. In Sec. III, the CV-QKD system over free-space channels is discussed, with the security analysed using two approaches in the composable finite-size regime by introducing an efficient parameter estimation approach. In Sec. IV, the finite-size composable security is analysed for the system with post-selection of high-transmissivity sub-channels and for the system with data clusterisation, and the significant improvement of the composable finite key rates against collective attacks using these strategies is illustrated. Finally, concluding remarks are provided in Sec. V.

II System model

We consider a Gaussian no-switching CV-QKD protocol no-switching-2004 ; no-switching-2005 , where Alice prepares Gaussian modulated coherent states and Bob uses heterodyne detection. In a prepare-and-measure scheme Alice generates two random real variables, $(a_{q},a_{p})$ , drawn from two independent Gaussian distributions of variance $V_{A}$ . Alice prepares coherent states by modulating a coherent laser source by amounts of $(a_{q},a_{p})$ . The variance of the beam after the modulator is $V_{A}+1=V$ (where the 1 is for the shot noise variance), hence an average output state is thermal of variance $V$ . The prepared coherent states are transmitted over an insecure quantum channel to Bob. For each incoming state, Bob uses heterodyne detection and measures both the $\hat{q}$ and $\hat{p}$ quadratures to obtain $(b_{q},b_{p})$ . In this protocol, sifting is not needed, since both of the random variables generated by Alice are used for the key generation. When all the incoming quantum states have been measured by Bob, classical post-processing (including discretization, parameter estimation, error correction, and privacy amplification) over a public but authenticated classical channel is commenced to produce a shared secret key.

The prepare-and-measure scheme can be represented by an equivalent entanglement-based scheme Garcia-Patron.PhD.07 ; Weedbrook.et.al.RVP.12 , where Alice generates a pure two-mode squeezed vacuum state with the quadrature variance $V$ . Alice keeps one mode, while sending the second mode to Bob over the insecure quantum channel. When Alice applies a heterodyne detection to her mode, she projects the other mode onto a coherent state. At the output of the channel, Bob applies a heterodyne detection to the received mode.

II.1 Composable Finite-size security analysis

In the asymptotic regime collective attacks are as powerful as coherent attacks Renner.Cirac.PRL.2009 , and for Gaussian protocols, Gaussian collective attacks are asymptotically optimal Garcia-Patron.Cerf.PRL.06 ; Navascues.Grosshans.PRL.06 ; Wolf.Giedke.Cirac.PRL.06 . Note also that for Gaussian protocols, among individual attacks, Gaussian individual attacks are asymptotically optimal Garcia-Patron.PhD.07 .

In the finite-size regime, the no-switching CV-QKD protocol with $N$ coherent states sent by Alice to Bob is $\epsilon$ -secure against Gaussian collective attacks in a reverse reconciliation scenario if $\epsilon{=}2\epsilon_{\rm sm}{+}\bar{\epsilon}{+}\epsilon_{\rm PE}{+}\epsilon_{\rm cor}$ Finite-size-Leverrier-2015 ; Finite-size-Lupo-MDI and if the key length $\ell$ is chosen such that Finite-size-Leverrier-2015 ; Finite-size-Lupo-MDI

\begin{array}[]{l}\ell{\leq}N^{\prime}[\beta I(a{:}b){-}\chi^{\epsilon_{\rm PE}}(b{:}E)]{-}\sqrt{N^{\prime}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}}}),\end{array}

(1)

where Finite-size-Leverrier-2015 ; Finite-size-Lupo-MDI

\begin{array}[]{l}\Delta_{\rm AEP}=(d{+}1)^{2}{+}4(d{+}1)\sqrt{\log_{2}({2{/}\epsilon_{\rm sm}^{2}})}{+}\\ \\ 2\log_{2}({2}{/}({\epsilon^{2}\epsilon_{\rm sm}})){+}4{\epsilon_{\rm sm}d}{/}{(\epsilon\sqrt{N^{\prime}})},\end{array}

(2)

where $N^{\prime}=N-k$ , with $k$ the number of data points Alice and Bob are required to disclose during the parameter estimation, $d$ is the discretization parameter (i.e., each symbol is encoded with $d$ bits of precision), $\epsilon_{\rm sm}$ is the smoothing parameter, $\epsilon_{\rm cor}$ and $\epsilon_{\rm PE}$ are the maximum failure probabilities for the error correction and parameter estimation, respectively, and $I(a{:}b)$ is the classical mutual information shared between Alice and Bob, and $0\leq\beta\leq 1$ is the reconciliation efficiency. Note that in the finite-size regime the usual $\chi(b{:}E)$ (the maximum mutual information shared between Eve and Bob limited by the Holevo bound for the collective attack) has to be replaced by $\chi^{\epsilon_{\rm PE}}(b{:}E)$ , taking into account the finite precision of the parameter estimation. In fact, it is now assumed that Eve’s information is upper bounded by $\chi^{\epsilon_{\rm PE}}(b{:}E)$ , except with the probability $\epsilon_{\rm PE}$ . The final key rate is then given by $\ell/N$ .

Note that for the $\epsilon$ -security analysis of the same protocol against Gaussian individual attacks we can still use Eq. (1), where $\chi^{\epsilon_{\rm PE}}(b{:}E)$ must be replaced by the classical mutual information between Eve and Bob, maximised by $I^{\epsilon_{\rm PE}}(b{:}E)$ except with the probability $\epsilon_{\rm PE}$ .

Note also that based on the recent security proof in Finite-size-Leverrier2017 ; Finite-size-Leverrier2019 , for analysing the composable finite-size security of the no-switching CV-QKD protocol against general attacks, the security of the protocol can be first analysed against Gaussian collective attacks with a security parameter $\epsilon$ Finite-size-Leverrier-2015 through the use of Eq. (1), and then, by using the Gaussian de Finetti reduction Finite-size-Leverrier2017 , the security can be obtained against general attacks with a polynomially larger security parameter $\tilde{\epsilon}$ Finite-size-Leverrier2017 . Note that the security loss due to the reduction from general attacks to Gaussian collective attacks scales like $\mathit{O}(N^{4})$ Finite-size-Leverrier2017 . More precisely, according to Finite-size-Leverrier2017 , $\epsilon$ -security against Gaussian collective attacks implies $\tilde{\epsilon}$ -security against general attacks, with $\tilde{\epsilon}/\epsilon=\mathit{O}(N^{4})$ .

III Free-space CV-QKD systems

In free-space channels the atmospheric effects will cause the transmitted beam to experience fading. Hence, in contrast to a fiber link with a fixed transmissivity, the transmissivity, $\eta$ , of a free-space channel fluctuates in time. Such fading channels can be characterized by a probability distribution $p(\eta)$ Usenko-NJP-12 ; Dong-PRA-10 . In fact, a fading channel can be decomposed into a set of sub-channels. Each sub-channel ${\eta_{i}}$ is defined as the set of events, for which the transmissivity is relatively stable, meaning that the fluctuations of the transmissivity is negligible. Each sub-channel ${\eta_{i}}$ occurs with probability $p_{i}$ so that $\sum\limits_{i}{p_{i}}=1$ or $\int_{0}^{\eta_{\rm max}}{p(\eta)}d\eta=1$ for a continuous probability distribution, where $\eta_{\rm max}$ is the maximum realizable value of transmissivity of the fading channel. Thus, the Wigner function of the output state is the sum of the Wigner functions of the states after sub-channels weighted by sub-channel probabilities Dong-PRA-10 . Hence, the input Gaussian state $\rho_{\rm in}$ remains Gaussian after passing through each sub-channel, however, the resulting state at the output of the channel, $\rho_{\rm out}=\sum\limits_{i}{p_{i}\rho_{i}}$ , (with $\rho_{i}$ the Gaussian state resulted from the transmission of the input Gaussian state $\rho_{\rm in}$ through the sub-channel $\eta_{i}$ ) is a non-Gaussian state Dong-PRA-10 .

In the equivalent entanglement-based scheme of the no-switching CV-QKD protocol, the initial pure two-mode Gaussian entangled state $\rho_{A{B_{0}}}$ with the quadrature variance $V$ is completely described by its first moment, which is zero, and its covariance matrix,

\displaystyle{\bf{M}}_{A{B_{0}}}=\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\sqrt{{V^{2}}-1}\,\bf{Z}}&{V\,\bf{I}}\end{array}}\right].

(5)

Alice keeps mode $A$ and sends mode ${B_{0}}$ through an insecure free-space channel. After transmission of mode ${B_{0}}$ through a quantum sub-channel with transmissivity $\eta$ and excess noise $\xi_{\eta}$ (relative to the input of the sub-channel with transmissivity $\eta$ ), the covariance matrix of the Gaussian state ${\rho_{{A{B_{1}}},\eta}}$ at the output of the sub-channel is given by

{{\bf{M}}_{{A{B_{1}}},\eta}}=\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\sqrt{\eta\,}\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\sqrt{\eta\,}\,\sqrt{{V^{2}}-1}\,\bf{Z}}&{\left[{\eta(V-1)+\eta\xi_{\eta}+1}\right]\,\bf{I}}\end{array}}\right].

(6)

Since the ensemble-average state at the output of a free-space channel, ${\rho_{{A{B_{1}}}}}$ , is a non-Gaussian mixture of Gaussian states obtained from individual sub-channels, the elements of the covariance matrix of the ensemble-average state ${\rho_{{A{B_{1}}}}}$ are given by the convex sum of the moments given by Eq. (6). Hence, the covariance matrix of the non-Gaussian ensemble-average state ${\rho_{A{B_{1}}}}$ at the output of the free-space channel is given by

{{\bf{M}}_{A{B_{1}}}}{=}\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\left\langle{\sqrt{\eta}}\right\rangle\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\left\langle{\sqrt{\eta}}\right\rangle\,\sqrt{{V^{2}}-1}\,\bf{Z}}&{\left[{\left\langle{\eta}\right\rangle(V-1)+\left\langle{\eta\xi_{\eta}}\right\rangle+1}\right]\,\bf{I}}\end{array}}\right].

(7)

where the symbol $\left\langle.\right\rangle$ denotes the mean value over the sub-channels (or over all possible values of $\eta$ ), i.e.,

\begin{array}[]{l}{\left\langle\eta\right\rangle}=\int_{0}^{\eta_{\rm max}}{\eta p(\eta)}d\eta,\,\,{\left\langle{\sqrt{\eta}}\right\rangle}=\int_{0}^{\eta_{\rm max}}{\sqrt{\eta}p(\eta)}d\eta,\\ \\ {\left\langle\eta\xi_{\eta}\right\rangle}=\int_{0}^{\eta_{\rm max}}{\eta\xi_{\eta}p(\eta)}d\eta.\end{array}

(8)

Note that unlike the previous theoretical works on free-space CV-QKD Usenko-NJP-12 ; Hosseini.Malaney.ICC.15 ; NJP-2018 ; Hosseini.Malaney.PRA2.15 ; Hosseini.Malaney.QIC.17 ; Hosseini.Malaney.GLOBECOM.16 ; fast-fading with the assumption of fixed excess noise, here we have assumed the channel excess noise can also randomly vary in time, where the value of the excess noise depends on the the value of the channel transmissivity.

From the covariance matrix of the non-Gaussian ensemble-average state in Eq. (7), it is evident that the fluctuating channel can be considered as a non-fluctuating channel with the effective transmissivity $\eta_{f}$ and effective excess noise $\xi_{f}$ , so that the covariance matrix of the ensemble-average state can be rewritten as

\begin{array}[]{l}{{\bf{M}}_{A{B_{1}}}}{=}\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\sqrt{\eta_{f}}\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\sqrt{\eta_{f}}\,\sqrt{{V^{2}}-1}\,\bf{Z}}&{\left[{{\eta_{f}}(V{-}1){+}\eta_{f}\xi_{f}{+}1}\par\right]\,\bf{I}}\end{array}}\right],{\rm{with}}\\ \\ \eta_{f}={\left\langle{\sqrt{\eta}}\right\rangle}^{2},\\ \\ \eta_{f}\xi_{f}=\rm{Var}(\sqrt{\eta})(V-1)+\langle{\eta\xi_{\eta}}\rangle,\,\,\,\,\rm{and\,\,where}\\ \\ \rm{Var}(\sqrt{\eta})=\left\langle\eta\right\rangle-{\left\langle{\sqrt{\eta}}\right\rangle^{2}}.\end{array}

(9)

According to Eq. (9), the extra non-Gaussian noise, caused by the fluctuating nature of the channel, depends on the variance of the transmissivity fluctuations, $\rm{Var}(\sqrt{\eta})$ , and the modulation variance, $V_{A}=V-1$ .

IV Composable finite-size Security analysis for free-space CV-QKD sytems

Here we analyse the composable finite-size security of the no-switching CV-QKD protocol implemented over free-space channels using two approaches, first by analysing the security over all data, and second by analysing the security for each sub-channel separately. We also analyse the security against both general attacks (i.e., memory-assisted attacks) and individual attacks (i.e., non-memory attacks).

IV.1 Security analysis over all data

IV.1.1 General attacks

Based on the leftover hash lemma lemma1 ; lemma2 , the number of approximately secure bits, $\ell$ , that can be extracted from the raw key should be slightly smaller than the smooth min-entropy of Bob’s string $b$ conditioned on Eve’s system $E^{\prime}$ (which characterizes Eve’s quantum state $E$ , as well as the public classical variable $C$ leaked during the QKD protocol), denoted by $H_{\min}^{\epsilon_{\rm sm}}(b|E^{\prime})$ lemma1 , i.e., we have $\ell\leq N^{\prime}H_{\min}^{\epsilon_{\rm sm}}(b|E^{\prime}){-}2\log_{2}(\frac{1}{{2\bar{\epsilon}}})$ , where $\bar{\epsilon}$ comes from the leftover hash lemma. Note that $N^{\prime}$ indicates the length of Bob’s string $b$ after the parameter estimation. The chain rule for the smooth min-entropy Finite-size-Leverrier-2015 gives $N^{\prime}H_{\min}^{\epsilon_{\rm sm}}(b|E^{\prime})=N^{\prime}H_{\min}^{\epsilon_{\rm sm}}(b|EC)\geq N^{\prime}H_{\min}^{\epsilon_{\rm sm}}(b|E)-\log_{2}|C|$ , where $\log_{2}|C|=l_{\rm EC}$ , with $l_{\rm EC}$ the size of data leakage during the error correction. Note that the leakage during the error correction can be given by $l_{\rm EC}=N^{\prime}[H(b)-\beta I(a{:}b)]$ Finite-size-Leverrier-2015 ; Finite-size-Furrer ; Finite-size-Lupo-MDI , where $H(b)$ is Bob’s Shannon entropy. In order to calculate the length $\ell$ of the final key which is $\epsilon$ -secure ( $\epsilon{=}2\epsilon_{\rm sm}{+}\bar{\epsilon}{+}\epsilon_{\rm PE}{+}\epsilon_{\rm cor}$ Finite-size-Leverrier-2015 ; Finite-size-Lupo-MDI ), the conditional smooth min-entropy $H_{\min}^{\epsilon_{\rm sm}}(b|E)$ has to be lower bounded when the protocol did not abort. Under the assumption of independent and identically distributed (i.i.d) attacks such as collective or individual attacks, where every signal transmitted is attacked with the same quantum operation, the asymptotic equipartition property Finite-size-Leverrier-2015 ; Marco-thesis ; Marco can be utilized to lower bound the conditional smooth min-entropy with the conditional von Neumann entropy. Explicitly, we have $N^{\prime}H_{\min}^{\epsilon_{\rm sm}}(b\left|E\right.)\geq N^{\prime}S(b\left|E\right.)-\sqrt{N^{\prime}}\Delta_{\rm AEP}$ Finite-size-Leverrier-2015 ; Finite-size-Lupo-MDI , where $S(b\left|E\right)$ is the conditional von Neumann entropy. The conditional von Neumann entropy $S(b\left|E\right)$ is given by $S(b|E)=H(b)-H^{\epsilon_{\rm PE}}(b{:}E)$ , where Eve’s information on Bob’s string $b$ is upper bounded by $H^{\epsilon_{\rm PE}}(b{:}E)$ , except with probability $\epsilon_{\rm PE}$ for a given attack (for collective attacks we have $H^{\epsilon_{\rm PE}}(b{:}E)=\chi^{\epsilon_{\rm PE}}(b{:}E)$ and for individual attacks we have $H^{\epsilon_{\rm PE}}(b{:}E)=I^{\epsilon_{\rm PE}}(b{:}E)$ ).

In our finite-size security analysis the assumption of collective attacks to lower bound the conditional smooth min-entropy comes with no loss of generality because based on the Gaussian de Finetti reduction, for the security analysis of the no-switching protocol against general attacks, it is sufficient to consider Gaussian collective attacks in the composable finite-size security proof Finite-size-Leverrier2017 ; Finite-size-Leverrier2019 .

Since the covariance matrix of the non-Gaussian ensemble-average state resulting from a free-space channel, given by Eq. (9), can be described by the effective parameters $\eta_{f}$ and $\xi_{f}$ , for the security analysis we can consider an optimal Gaussian collective attack with parameters $\eta_{f}$ and $\xi_{f}$ . In this optimal attack Eve interacts individually with each transmitted signal through an optimal entangling cloner attack Entangling-cloner-2008 with the effective parameters $\eta_{f}$ and $\xi_{f}$ , with her output ancillae stored in her quantum memory to be collectively measured later. Since this attack is i.i.d over all sub-channels, the conditional smooth min-entropy can be lower bounded by the conditional von Neumann entropy. Thus the total finite-size key rate with the security parameter $\epsilon$ against Gaussian collective attacks is given by

K^{\rm FS}_{\rm col}=\frac{1}{N}\left[N^{\prime}[\beta I(a{:}b){-}\chi^{\epsilon_{\rm PE}}(b{:}E)]{-}\sqrt{N^{\prime}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}}})\right].

(10)

Note that we assume $N_{s}$ is the number of signals transmitted over each sub-channel, from which $k_{s}$ signals are revealed for the parameter estimation and $N^{\prime}_{s}=N_{s}-k_{s}$ signals are used for the key generation. In total, a number of $N$ signal states are transmitted, from which $k$ signals are revealed over all sub-channels for the parameter estimation and $N^{\prime}=N-k$ signals are used for the key generation. Note that in Eq. (10), $I(a{:}b)$ is calculated based on the effective parameters $\eta_{f}$ and $\xi_{f}$ , and Eve’s information from collective attack, $\chi^{\epsilon_{\rm PE}}(b{:}E)$ , is calculated based on the covariance matrix of the ensemble-average state, which can be estimated based on a relatively large number of signals $k$ (where $k\gg k_{s}$ ) revealed over all sub-channels (see Sec. IV.3). Note that according to Finite-size-Leverrier2017 , for the no-switching protocol, $\epsilon$ -security against collective attacks implies $\tilde{\epsilon}$ -security against general attacks, with $\tilde{\epsilon}/\epsilon=\mathit{O}(N^{\prime 4})$ .

IV.1.2 Individual attacks

Considering the fact that in reality Eve has access to a restricted quantum memory with limited coherence time, where each state stored into her quantum meory undergoes a specific amount of decoherence over the storage time, individual attacks might be more beneficial for Eve than collective attacks Neda-Nathan-Tim . In terms of the interaction with the transmitted signals, an individual attack is the same as a collective attack, while in terms of the measurement Eve performs an individual measurement instead of a collective measurement. Among individual attacks, Gaussian attacks are also known to be optimal for the Gaussian CV-QKD protocols.

For the security analysis against Gaussian individual attacks we can also consider an optimal Gaussian individual attack with parameters $\eta_{f}$ and $\xi_{f}$ . In this attack Eve interacts individually with each signal sent from Alice to Bob with the effective parameters $\eta_{f}$ and $\xi_{f}$ ³³3Note that different schemes have been proposed for a Gaussian interaction in an optimal individual attack against the no-switching CV-QKD protocol, with the entangling cloner is one of them individula-2007-1 ; individula-2007-2 ., with an individual measurement on her output ancillary state as soon as she obtains it. Note that in the no-switching CV-QKD protocol Eve does not need a quantum memory to perform the individual measurement, since there is no basis information withheld in this protocol. This individual attack is also i.i.d over all sub-channels, which means the conditional smooth min-entropy can be lower bounded by the conditional von Neumann entropy. Thus the total finite-size key rate with the security parameter $\epsilon$ against Gaussian individual attacks can also be given by Eq. (10), where $\chi^{\epsilon_{\rm PE}}(b{:}E)$ must be replaced by $I^{\epsilon_{\rm PE}}(b{:}E)$ . Note that $I^{\epsilon_{\rm PE}}(b{:}E)$ has to be calculated based on the effective parameters of the channel, i.e., $\eta_{f}$ and $\xi_{f}$ .

IV.2 Security analysis for each sub-channel separately

For the security analysis against collective attacks with the security parameter $\epsilon$ ( $\epsilon{=}2\epsilon_{\rm sm}{+}\bar{\epsilon}{+}\epsilon_{\rm PE}{+}\epsilon_{\rm cor}$ ) one could also write $H_{\min}^{\epsilon_{\rm sm}}(b\left|E\right){=}\sum\nolimits_{i}p_{i}{H_{\min,i}^{\epsilon_{\rm sm},i}(b\left|E\right)}$ , where $H_{\min,i}^{\epsilon_{\rm sm},i}(b\left|E\right)$ is the conditional smooth min-entropy for a sub-channel with parameters $\eta_{i}$ and $\xi_{\eta_{i}}$ occurring with probability $p_{i}$ , and $\epsilon_{{\rm sm},i}=p_{i}\epsilon_{\rm sm}$ . By considering an optimal Gaussian collective attack with parameters $\eta_{i}$ and $\xi_{\eta_{i}}$ over the sub-channel, one can lower bound $H_{\min,i}^{\epsilon_{\rm sm},i}(b\left|E\right)$ by the conditional von Neumann entropy since the attack is i.i.d over the sub-channel (note that this attack is not i.i.d over all sub-channels). More explicitly, one can analyse the security for each sub-channel separately, i.e., calculate the composable finite-size key length for each sub-channel with the security parameter $\epsilon_{i}$ (where $\epsilon_{i}=p_{i}\epsilon$ ) as $\ell_{i}=N^{\prime}_{s}[\beta I_{i}(a{:}b){-}\chi_{i}^{\epsilon_{\rm PE},i}(b{:}E)]{-}\sqrt{N^{\prime}_{s}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}_{i}}})$ (where $N_{s}^{\prime}=p_{i}N^{\prime}$ , and where $I_{i}(a{:}b)$ is the classical mutual information between Alice and Bob for the sub-channel, and $\chi_{i}^{\epsilon_{\rm PE},i}(b{:}E)$ is Eve’s information from collective attack over the sub-channel, which is calculated based on the covariance matrix ${{\bf{M}}_{A{B_{1}},\eta}}$ with parameter $\epsilon_{{\rm PE},i}=p_{i}\epsilon_{\rm PE}$ ), and then average over all sub-channels to obtain the total finite-size key rate with the security parameter $\epsilon$ as $\frac{1}{N}\sum\nolimits_{i}\ell_{i}$ . Note that in a realistic finite-size regime this approach might result in pessimistic key rates. This is due to the fact that in practice only a small number of signal states can be transmitted over each sub-channel, which results in a very pessimistic finite key length for each sub-channel, i.e., $\ell_{i}$ , since Eve’s information, $\chi_{i}^{\epsilon_{\rm PE},i}(b{:}E)$ , which is estimated based on a small number of signals $k_{s}$ (where $k_{s}=p_{i}k$ ), might be overestimated (when the block size is reduced, the error bar on the estimators of channel parameters increases, which results in estimating higher information for Eve). Note that this type of security analysis can also be used against individual attacks, however as discussed earlier the resulting key rate is expected to be pessimistic.

Note that in practice, it would be more practical to estimate the average SNR of the free-space channel based on the whole revealed data, and then choose an error-correction code rate based on this average SNR for the error correction of the whole remaining data. This means the mutual information should be calculated theoretically based on the effective parameters of the channel, i.e., $\eta_{f}$ and $\xi_{f}$ . Alternatively and also ideally, it could be possible to estimate the SNR for each sub-channel separately, and then choose an error-correction code rate based on the sub-channel SNR for the error correction of the sub-channel data, which means the mutual information should be calculated theoretically by averaging over the mutual information obtained from each sub-channel as $\sum\nolimits_{i}p_{i}I_{i}(a{:}b)$ . However, estimation of SNR for each sub-channel based on a small number of signals revealed for each sub-channel does not give a good estimation of SNR. Note that in our numerical simulations we calculate the mutual information based on the effective parameters $\eta_{f}$ and $\xi_{f}$ , which is a lower bound on $\sum\nolimits_{i}p_{i}I_{i}(a{:}b)$ .

IV.3 Parameter estimation for free-space CV-QKD systems

Alice and Bob are able to estimate the channel transmissivity and check its stability during the transmission of data cluster-2019 ; PE-freespace2019 . This is experimentally feasible, as the typical rate of free-space channel fluctuations is of the order of KHz, while the modulation and detection rate is typically of the order of several MHz, i.e., at least thousands of signal states can be transmitted during the stability time of the free-space channel Usenko-NJP-12 . The proper sub-channel estimation requires a large number of states to be sent through the channel during its stability. Then, some of the states for each sub-channel occurrence are randomly chosen for the parameter estimation.

For instance, let us consider the free-space channel fluctuation rate of 1 KHz. Then, we can assume that within each millisecond the channel is relatively stable and can be modelled with a fixed-transmissivity sub-channel of transmissivity $\eta$ . Let us also consider the transmission and detection rate of 100 MHz. Hence, $N_{s}=10^{5}$ signal states can be transmitted and detected at the receiver during the stability time of the channel. A fraction of these signals ( $k_{s}=cN_{s}$ ) can be randomly chosen to reveal for parameter estimation, with the remaining data contributing to the secret key. Finally, for instance, for 100 seconds of data transmission we will have transmitted $N=10^{10}$ signal states (with $10^{5}$ signal states being transmitted during each stability time of the channel), with a fraction of which, $k=cN$ , revealed over all sub-channels for the parameter estimation. Then, a number of $N^{\prime}=N-k=(1-c)N$ signals will contribute to the shared secret key. Note that the security is not analysed for each sub-channel occurrence separately as it results in pessimistic key rates (see Sec. IV.2), instead the security is shown for the ensemble-average state, being obtained from the set of data of size $N-k$ upon all sub-channels.

Since in our security analysis it is sufficient to consider an optimal Gaussian attack with parameters $\eta_{f}$ and $\xi_{f}$ , we can generalize the parameter estimation method introduced for a fixed-transmissivity quantum channel in MLE-estimator2010 ; MLE-estimator2012 to estimate the covariance matrix of the ensemble-average state using the data of size $k$ revealed over all sub-channels. For a no-switching CV-QKD protocol with Bob’s heterodyne detector efficiency $\eta_{B}$ and electronic noise $\nu_{B}$ , for a channel with fluctuating transmissivity $\eta$ , we can consider a normal linear model for Alice and Bob’s correlated variables, $x_{A}$ and $x_{B}$ , respectively.

x_{B}=tx_{A}+x_{n},

(11)

where $t=\sqrt{\frac{\eta_{B}}{2}}{\langle{\sqrt{\eta}}\rangle}=\sqrt{\frac{\eta_{B}\eta_{f}}{2}}$ , and $x_{n}$ follows a centred normal distribution with unknown variance $\sigma^{2}=1+\nu_{B}+\frac{\eta_{B}}{2}(\langle{\eta{\xi_{\eta}}}\rangle+{\rm{Var}}(\sqrt{\eta})V_{A})=1+\nu_{B}+\frac{\eta_{B}}{2}\eta_{f}\xi_{f}$ (note that Alice’s variable $x_{A}$ has the variance $V_{A}$ ). Using the total revealed data of size $k$ , we can calculate the maximum-likelihood estimators for $t$ and $\sigma^{2}$ , which are given by

\begin{array}[]{l}\hat{t}=\frac{{\sum\nolimits_{i=1}^{k}{{{A_{i}}}{{B_{i}}}}}}{{\sum\nolimits_{i=1}^{k}{{{{{A_{i}}}}^{2}}}}},\\ \\ \hat{\sigma}^{2}=\frac{1}{{k}}\sum\nolimits_{i=1}^{k}{{{({{B_{i}}}-\hat{t}{{A_{i}}})}^{2}}},\end{array}

(12)

where $A_{i}$ and $B_{i}$ are the realizations of $x_{A}$ and $x_{B}$ , respectively. The confidence intervals for these parameters are given by $t\in[\hat{t}-\Delta(t),\hat{t}+\Delta(t)]$ , and $\sigma^{2}\in[\hat{\sigma}^{2}-\Delta(\sigma^{2}),\hat{\sigma}^{2}+\Delta(\sigma^{2})]$ where

\begin{array}[]{l}\Delta(t)={z_{\epsilon_{\rm PE}/2}}\sqrt{\frac{{{\hat{\sigma}^{2}}}}{{\sum\nolimits_{i=1}^{k}{{{{{A}_{i}}}^{2}}}}}},\\ \\ \Delta({{\sigma}^{2}})={z_{\epsilon_{\rm PE}/2}}\frac{{{\hat{\sigma}^{2}}\sqrt{2}}}{{\sqrt{k}}}.\end{array}

(13)

Note that when no signal is exchanged, Bob’s variable with realization $B_{0i}$ follows a centred normal distribution with unknown variance $\sigma_{0}^{2}=1+\nu_{B}$ , which is Bob’s shot noise variance. The maximum-likelihood estimator for $\sigma_{0}^{2}$ is given by $\hat{\sigma}_{0}^{2}=\frac{1}{{N}}\sum\nolimits_{i=1}^{N}{{{{{B_{0i}}}}}}$ . The confidence intervals for this parameters is given by $\sigma_{0}^{2}\in[\hat{\sigma}_{0}^{2}-\Delta(\sigma_{0}^{2}),\hat{\sigma}_{0}^{2}+\Delta(\sigma_{0}^{2})]$ , where $\Delta(\sigma_{0}^{2})={z_{\epsilon_{\rm PE}/2}}\frac{{{\hat{\sigma}_{0}^{2}}\sqrt{2}}}{{\sqrt{N}}}$ ⁴⁴4Note that ${z_{\epsilon_{\rm PE}/2}}$ is such that $1-{\rm erf}(\frac{{z_{\epsilon_{\rm PE}/2}}}{\sqrt{2}})/2=\epsilon_{\rm PE}/2$ .. Now we can estimate the effective parameters $\eta_{f}$ and $\xi_{f}$ , which are given by

\begin{array}[]{l}\hat{\eta}_{f}=\frac{2\hat{t}^{2}}{{{\hat{\eta}_{B}}}},\\ \\ \Delta(\eta_{f})=\hat{\eta}_{f}\left({\left|{\frac{{2{\Delta(t)}}}{{{\hat{t}}}}}\right|+\left|{\frac{{\Delta(\eta_{B})}}{{\hat{\eta}_{B}}}}\right|}\right),\\ \\ \hat{\xi}_{f}=2\frac{\hat{\sigma}^{2}-\hat{\sigma}_{0}^{2}}{\hat{\eta}_{f}\hat{\eta}_{B}},\\ \\ \Delta(\xi_{f})=\hat{\xi}_{f}{\left({\left|{\frac{{\Delta({\sigma^{2}})}}{{{\hat{\sigma}^{2}}-\hat{\sigma}_{0}^{2}}}}\right|+\left|{\frac{{\Delta(\sigma_{0}^{2})}}{{{\hat{\sigma}^{2}}-\hat{\sigma}_{0}^{2}}}}\right|+\left|{\frac{{\Delta(\eta_{B})}}{{\hat{\eta}_{B}}}}\right|+\left|{\frac{{\Delta(\eta_{f})}}{{\hat{\eta}_{f}}}}\right|}\right)},\end{array}

(14)

where $\hat{\eta}_{B}$ is the estimator of Bob’s detector efficiency with uncertainty $\Delta(\eta_{B})$ . Note that in order to maximise Eve’s information from collective and individual attacks, the worst-case estimators of the effective parameters $\eta_{f}$ and $\xi_{f}$ should be used to evaluate Eve’s information.

Note that for the sub-channel post-selection which we discuss in the next section, Alice and Bob also need to estimate the transmissivity of each sub-channel separately. We can use the similar method as discussed above to estimate the sub-channel transmissivity. Considering a normal linear model $x_{B}=t_{s}x_{A}+x_{n,s}$ for a sub-channel with transmissivity $\eta$ , the maximum-likelihood estimators for the sub-channel parameters, $t_{s}$ and $\sigma^{2}_{s}$ (i.e., the variance of $x_{n,s}$ ), are given by MLE-estimator2010 ; MLE-estimator2012

\begin{array}[]{l}\hat{t}_{s}=\frac{{\sum\nolimits_{i=1}^{k_{s}}{{{A_{i}}}{{B_{i}}}}}}{{\sum\nolimits_{i=1}^{k_{s}}{{{{{A_{i}}}}^{2}}}}},\\ \\ {\hat{\sigma}^{2}_{s}}=\frac{1}{{k_{s}}}\sum\nolimits_{i=1}^{k_{s}}{{{({{B_{i}}}-\hat{t}_{s}{{A_{i}}})}^{2}}},\end{array}

(15)

where $A_{i}$ and $B_{i}$ are the realizations of $x_{A}$ and $x_{B}$ for the sub-channel, respectively, and $k_{s}$ is the number of signals revealed for the sub-channel. The error bar for these parameters are given by

\begin{array}[]{l}\Delta(t_{s})={z_{\epsilon_{\rm PE}/2}}\sqrt{\frac{{{\hat{\sigma}^{2}_{s}}}}{{\sum\nolimits_{i=1}^{k_{s}}{{{{{A}_{i}}}^{2}}}}}},\\ \\ \Delta({{\sigma}^{2}_{s}})={z_{\epsilon_{\rm PE}/2}}\frac{{{\hat{\sigma}^{2}_{s}}\sqrt{2}}}{{\sqrt{k_{s}}}}.\end{array}

(16)

The worst-case estimator of the sub-channel transmissivity $\eta$ is then given by

\begin{array}[]{l}\eta^{\rm min}=\hat{\eta}-\Delta(\eta),{\rm where}\\ \\ \hat{\eta}=\frac{2\hat{t}_{s}^{2}}{{\hat{\eta}_{B}}},\\ \\ \Delta(\eta)=\hat{\eta}\left({\left|{\frac{{{2\Delta(t_{s})}}}{{{\hat{t}_{s}}}}}\right|+\left|{\frac{{\Delta(\eta_{B})}}{{\hat{\eta}_{B}}}}\right|}\right),\end{array}

(17)

Note that Alice and Bob have to perform their post-selection based on $\eta^{\rm min}=\hat{\eta}-\Delta(\eta)$ .

V Classical post-processing strategies to improve free-space CV-QKD systems

If we compare a fluctuating channel with an equivalent fixed-transmissivity channel with transmissivity $\eta_{f}=\langle\sqrt{\eta}\rangle^{2}$ and excess-noise $\langle{\eta\xi_{\eta}}\rangle$ , the fluctuating channel has an extra non-Gaussian noise of ${\rm{Var}}(\sqrt{\eta})(V-1)$ (see Eq. (9)), which reduces the key rate. Although fluctuating transmissivity of a free-space channel reduces the key rate, it also provides the possibility to improve or even recover it through the post-selection of sub-channels with high transmissivity Usenko-NJP-12 or the clusterisation of sub-channels cluster-2019 .

In the post-selection technique as introduced in Usenko-NJP-12 , the data collected for each sub-channel is kept, conditioned on the estimated sub-channel transmissivity being larger than a post-selection threshold $\eta_{\rm th}$ , and discarded otherwise. In this technique, the security should be analysed over the post-selected data. With such a post-selection, the post-selected data becomes more Gaussian and more strongly correlated, since the post-selection reduces the fluctuation variance of the channel, while increases the average transmissivity of the channel.

In the clusterisation technique as introduced in cluster-2019 , for the classical post-processing, Alice and Bob partition their data into $n$ different clusters, and perform classical post-processing (including reconciliation and privacy amplification) over each cluster separately. The clusterization we consider here is such that the $j$ th cluster $(j=1,2,...,n)$ corresponds to the $j$ th channel transmissivity bin $(j-1)\delta<\eta<j\delta$ , with the bin size $\delta=\frac{\eta_{\rm max}}{n}$ . Note that the clusterisation we consider here is the uniform binning of the probability distribution, however, in principle the width of each cluster can be optimised depending on the probability distribution. With such a technique, the clusterised data becomes more Gaussian, since the fluctuation variance of the channel is reduced within each cluster.

The post-selection has been shown to improve the free-space CV-QKD performance in terms of the key rate in the asymptotic regime against Gaussian collective attacks Usenko-NJP-12 ; Hosseini.Malaney.ICC.15 , and the clusterisation has been shown to improve the key rate in the finite-size regime against Gaussian collective attacks Usenko-NJP-12 ; Hosseini.Malaney.ICC.15 , but not in a composable-security regime. However, both post-selection and clusterisation reduces the size of the data used for the security analysis and the size of the data used for the parameter estimation. Hence, the composable finite-size effects become more significant in these scenarios. In the following sections we investigate the effectiveness of the post-selection and clusterisation in the composable finite-size regime against both individual and collective attacks (where the security against general attacks can be obtained by the security against collective attacks with a larger security parameter).

V.1 Composable finite-size security analysis for the post-selection

In the finite-size regime, the size of the post-selected data is $N_{\rm ps}=P_{s}N$ , where $P_{s}$ is the post-selection success probability, i.e., the total probability for the channel transmissivity to fall within the post-selected region, $\eta\geq\eta_{\rm th}$ , and is given by ${P_{s}}=\int_{{\eta_{\rm th}}}^{\eta_{\rm max}}{p(\eta)}d\eta$ . Note that since in the post-selection protocol Eve’s information should be estimated based on the post-selected data, Alice and Bob can only use the revealed data over the post-selected sub-channels to estimate the covariance matrix of the post-selected ensemble-average state, which means a data of size $k_{\rm ps}=P_{s}k$ is used for the parameter estimation. Recall that $k$ is the amount of revealed data over all sub-channels. Hence, the data of size $N^{\prime}_{\rm ps}=N_{\rm ps}-k_{\rm ps}$ contributes to the post-selected key. Explicitly, the finite-size key length of the post-selection protocol which is $\epsilon$ -secure against Gaussian collective attacks in the reverse reconciliation scenario is given by

\begin{array}[]{l}\ell^{\rm col}_{\rm ps}\leq N^{\prime}_{\rm ps}[\beta I_{\rm ps}(a{:}b){-}\chi^{\epsilon_{\rm PE}}_{\rm ps}(b{:}E)]{-}\sqrt{N^{\prime}_{\rm ps}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}}}).\end{array}

(18)

Eve’s information from Gaussian collective attack in the post-selection protocol, is calculated based on the covariance matrix of the post-selected ensemble-average state ${\rho^{\rm ps}_{A{B_{1}}}}$ , which is given by

\begin{array}[]{l}{{\bf{M}}^{\rm ps}_{A{B_{1}}}}{=}\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\sqrt{\eta^{\rm ps}_{f}}\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\sqrt{\eta^{\rm ps}_{f}}\,\sqrt{{V^{2}}-1}\,\bf{Z}}&{\left[{{\eta^{\rm ps}_{f}}(V{-}1){+}\eta^{\rm ps}_{f}\xi^{\rm ps}_{f}{+}1}\par\right]\,\bf{I}}\end{array}}\right],\\ \\ \eta^{\rm ps}_{f}={\left\langle{\sqrt{\eta}}\right\rangle}_{\rm ps}^{2},\\ \\ \eta^{\rm ps}_{f}\xi^{\rm ps}_{f}=\rm{Var}_{\rm ps}(\sqrt{\eta})(V-1)+\langle{\eta\xi_{\eta}}\rangle_{\rm ps},\\ \\ \rm{Var}_{\rm ps}(\sqrt{\eta})=\left\langle\eta\right\rangle_{\rm ps}-{\left\langle{\sqrt{\eta}}\right\rangle_{\rm ps}^{2}}.\end{array}

(19)

where the symbol $\left\langle.\right\rangle_{\rm ps}$ denotes the mean value over the post-selected sub-channels, i.e.,

\begin{array}[]{l}{\left\langle\eta\right\rangle_{\rm ps}}=\frac{1}{P_{s}}\int_{{\eta_{\rm th}}}^{\eta_{\rm max}}{\eta p(\eta)}d\eta,\,\,{\left\langle{\sqrt{\eta}}\right\rangle_{\rm ps}}=\frac{1}{P_{s}}\int_{{\eta_{\rm th}}}^{\eta_{\rm max}}{\sqrt{\eta}p(\eta)}d\eta,\\ \\ {\left\langle\eta\xi_{\eta}\right\rangle}_{\rm ps}=\frac{1}{P_{s}}\int_{\eta_{\rm th}}^{\eta_{\rm max}}{\eta\xi_{\eta}p(\eta)}d\eta.\end{array}

(20)

Similarly, the finite-size key length of the post-selection protocol which is $\epsilon$ -secure against Gaussian individual attacks in the reverse reconciliation scenario is given by

\begin{array}[]{l}\ell^{\rm ind}_{\rm ps}\leq N^{\prime}_{\rm ps}[\beta I_{\rm ps}(a{:}b){-}I^{\epsilon_{\rm PE}}_{\rm ps}(b{:}E)]{-}\sqrt{N^{\prime}_{\rm ps}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}}}),\end{array}

(21)

where Eve’s information from Gaussian individual attack in the post-selection protocol has to also be calculated based on the effective parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ . Note that Eve’s information $\chi^{\epsilon_{\rm PE}}_{\rm ps}(b{:}E)$ and $I^{\epsilon_{\rm PE}}_{\rm ps}(b{:}E)$ should be calculated based on the worst-case estimators of the effective parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ , where the estimations in Eqs. (12) to (14) have to be calculated based on the revealed data over the post-selected sub-channels of size $k_{\rm ps}$ . Note also that the classical mutual information between Alice and Bob obtained from the post-selection, $I_{\rm ps}(a{:}b)$ , is calculated based on the effective parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ , and ${\Delta_{\rm AEP}}$ is calculated using Eq. (2) with $N^{\prime}$ being replaced by $N^{\prime}_{\rm ps}$ . Finally, the finite-size key rate of the post-selection protocol is given by $\ell_{\rm ps}/N$ . See Appendix A for the detailed calculation of Eve’s information and Alice and Bob’s mutual information.

Note that the post-selection of high-transmissivity sub-channels has two different effects on the finite-size key rate. In fact, on the positive side the post-selection makes the ensemble-average state more Gaussian and more strongly correlated, while on the negative side the post-selection reduces the block size, and also makes the error bars larger in the parameter estimation.

As discussed earlier in Sec. IV.3, Alice and Bob can estimate the transmissivity of each sub-channel by revealing a fraction of the data allocated to each sub-channel. In the post-selection protocol, based on such an estimation of sub-channel transmissivity, they decide to keep or discard the sub-channel data. Note that the sub-channel transmissivity can be estimated using different schemes, e.g., by transmitting auxiliary coherent (classical) light probe signals that are intertwined with the quantum information channel-estimation-2012 ; channel-estimation-2015 , or by monitoring the local oscillator at the receiver, where the signal and the local oscillator have been sent in two orthogonally polarized modes through the free-space channel channel-estimation-LO . However, in all these scenarios it would be very likely for Eve to manipulate the classical probe signal or the local oscillator in such a way to gain an advantage, for instance, forcing Alice and Bob to post-select a particular sub-channel, which is not actually within the post-selection region, can result in underestimating Eve’s information by Alice and Bob.

Refer to caption — Figure 1: Post-selected key rate in the asymptotic (dashed lines) and composable finite-size (solid lines) regime as a function of the post-selection threshhold $\eta_{\rm th}$ , secure against collective (red lines) and individual (blue lines) attacks. The numerical values for the finite-size regime are the securiy parameter $\epsilon=10^{-9}$ , with the parameter estimation being analysed for $\epsilon_{\rm PE}=10^{-10}$ , and the discretization parameter $d=5$ . The other parameters are chosen from the most recent CV-QKD experiment 200km-CVQKD-2020 as follows. Bob’s detector has efficieny $\eta_{B}=0.6$ , and electronic noise $\nu_{B}=0.25$ . The reconciliation efficiency is considered to be $\beta=0.98$ . The expected excess noise of each sub-channel is assumed to be fixed as $\xi=0.01$ ⁶⁶6Note that although in our numerical simulations we have assumed a fixed excess noise for each sub-channel, our parameter estimation presented in Sec. IV.3 also works for the case of fluctuating excess noise. The block size is chosen to be $N=10^{10}$ , half of which is used in total for parameter estimation. Since the non-Gaussian noise (i.e., the term $\rm{Var}(\sqrt{\eta})(V-1)$ in Eq. (9)) depends on the modulation variance, the modulation variance is optimized for each post-selection threshold to maximise the key rate secure against collective and individual attacks. We consider a probability distribution for the free-space channel given by the elliptic-beam model (see Appendix B for more details on the model). From left to right we have the average $\langle{\eta}\rangle=0.54,0.32,0.12,0.08$ , $\langle{\sqrt{\eta}}\rangle=0.73,0.56,0.34,0.27$ , the variance $\rm{Var}(\sqrt{\eta})=0.003,0.005,0.003,0.002$ , and the maximum transmissivity $\eta_{\rm max}=0.68,0.46,0.20,0.13$ (see Fig. 3 in Appendix for the corresponding probability distributions $p(\eta)$ ).

Fig. 6 shows the post-selected key rate in both the asymptotic and composable finite-size regime as a function of the post-selection threshold $\eta_{\rm th}$ , where the security is analysed against both collective and individual attacks. As can be seen for both asymptotic and finite-size regime, the key rate resulting from both collective and individual attacks first improves up to an optimized value, as the threshold value increases, and then the key rate decreases. As the threshold value increases, the variance of the channel fluctuations, $\rm{Var}(\sqrt{\eta})$ decreases, while the effective efficiency, $\langle{\sqrt{\eta}}\rangle$ increases. As a result, the post-selected state becomes more Gaussian (i.e., with less non-Gaussian noise) and more strongly correlated, which increases the mutual information between Alice and Bob. However, this increase in the mutual information happens at the cost of lower success probability, $P_{s}$ , and larger error bars for the estimated parameters. Hence, there is an optimal threshold value which maximizes the post-selected key rate. As can be seen, from left to right, the post-selection becomes more effective. In fact, this type of post-selection is more useful for recovering the key rate in cases where it was strongly diminished by the free-space channel. Fig. 6 also shows the significant improvement of the finite-size key rate from collective attacks due to the post-selection compared to the asymptotic regime. While without the post-selection, positive finite key rates cannot be generated against collective attacks for $\langle{\eta}\rangle=0.08$ , by performing the post-selection beyond $\eta_{\rm th}=0.05$ , Alice and Bob are able to move from an insecure regime to a secure regime, and generate non-trivial positive finite key rates.

V.2 Composable finite-size security analysis for the clusterisation

For the clusterisation technique, in order to compute the key rate with security parameter $\epsilon$ (where $\epsilon=2\epsilon_{\rm sm}+\bar{\epsilon}+\epsilon_{\rm PE}+\epsilon_{\rm cor}$ ), the conditional smooth min-entropy $H_{\min}^{\epsilon_{\rm sm}}(b|E)$ can be written as the convex sum of the conditional smooth min-entropy of $n$ different clusters of data, i.e., $H_{\min}^{\epsilon_{\rm sm}}(b|E)=\sum_{j=1}^{n}{P_{j}\,\,H_{\min,j}^{\epsilon_{\rm sm},j}(b|E)}$ , with $P_{j}=\int_{\frac{(j-1)\eta_{\rm max}}{n}}^{\frac{j\eta_{\rm max}}{n}}{p(\eta)}d\eta$ is the probability for the channel transmissivity to fall within the $j$ th cluster, and $\epsilon_{{\rm sm},j}=P_{j}\epsilon_{\rm sm}$ . Note that for each cluster Eve’s attack can be considered as an i.i.d Gaussian attack with effective parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ , given by

\begin{array}[]{l}\eta^{j}_{f}={\left\langle{\sqrt{\eta}}\right\rangle}_{j}^{2},\\ \\ \eta^{j}_{f}\xi^{j}_{f}={\rm{Var}}_{j}(\sqrt{\eta})(V-1)+\langle{\eta\xi_{\eta}}\rangle_{j},\\ \\ {\rm{Var}}_{j}(\sqrt{\eta})=\left\langle\eta\right\rangle_{j}-{\left\langle{\sqrt{\eta}}\right\rangle_{j}^{2}},\end{array}

(22)

where the symbol $\left\langle.\right\rangle_{j}$ denotes the mean value over all sub-channels within the $j$ th cluster, i.e.,

\begin{array}[]{l}{\left\langle\eta\right\rangle_{j}}=\frac{1}{P_{j}}\int_{\frac{(j-1)\eta_{\rm max}}{n}}^{\frac{j\eta_{\rm max}}{n}}{\eta p(\eta)}d\eta,\\ \\ {\left\langle{\sqrt{\eta}}\right\rangle_{j}}=\frac{1}{P_{j}}\int_{\frac{(j-1)\eta_{\rm max}}{n}}^{\frac{j\eta_{\rm max}}{n}}{\sqrt{\eta}p(\eta)}d\eta,\\ \\ \\ {\left\langle\eta\xi_{\eta}\right\rangle}_{j}=\frac{1}{P_{j}}\int_{\frac{(j-1)\eta_{\rm max}}{n}}^{\frac{j\eta_{\rm max}}{n}}{\eta\xi_{\eta}p(\eta)}d\eta.\end{array}

(23)

Since the attack can be considered i.i.d over each cluster, we can lower bound $H_{\min,j}^{\epsilon_{\rm sm},j}(b|E)$ with the conditional von Neumann entropy and compute the key length with security parameter $\epsilon_{j}=P_{j}\epsilon$ for the $j$ th cluster as $\ell^{\rm col}_{j}=P_{j}N^{\prime}[\beta I_{j}(a{:}b){-}\chi_{j}^{\epsilon_{\rm PE},j}(b{:}E)]{-}\sqrt{P_{j}N^{\prime}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}_{j}}})$ against collective attacks, and $\ell^{\rm ind}_{j}=P_{j}N^{\prime}[\beta I_{j}(a{:}b){-}I_{j}^{\epsilon_{\rm PE},j}(b{:}E)]{-}\sqrt{P_{j}N^{\prime}}{\Delta_{\rm AEP}}{-}2\log_{2}(\frac{1}{{2\bar{\epsilon}_{j}}})$ against individual attacks, where $I_{j}(a{:}b)$ is the classical mutual information between Alice and Bob for the $j$ th cluster calculated based on the effective parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ , and $\chi_{j}^{\epsilon_{\rm PE},j}(b{:}E)$ is Eve’s information from collective attack over the $j$ th cluster, which is calculated based on the covariance matrix ${{\bf{M}}^{j}_{A{B_{1}}}}$

\begin{array}[]{l}{{\bf{M}}^{j}_{A{B_{1}}}}{=}\left[{\begin{array}[]{*{20}{c}}{V\,\bf{I}}&{\sqrt{\eta^{j}_{f}}\sqrt{{V^{2}}-1}\,\bf{Z}}\\ {\sqrt{\eta^{j}_{f}}\,\sqrt{{V^{2}}-1}\,\bf{Z}}&{\left[{{\eta^{j}_{f}}(V{-}1){+}\eta^{j}_{f}\xi^{j}_{f}{+}1}\par\right]\,\bf{I}}\end{array}}\right],\end{array}

(24)

and $I_{j}^{\epsilon_{\rm PE},j}(b{:}E)$ is Eve’s information from individual attack over the $j$ th cluster, which is calculated based on the effective parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ . Note that Eve’s information, $\chi_{j}^{\epsilon_{\rm PE},j}(b{:}E)$ and $I_{j}^{\epsilon_{\rm PE},j}(b{:}E)$ , is now estimated based on the worst-case estimators of the effective parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ , where the estimations in Eqs. (12) to (14) have to be calculated based on the revealed data over cluster $j$ of size $P_{j}k$ , with the maximum failure probability $\epsilon_{{\rm PE},j}=P_{j}\epsilon_{\rm PE}$ . Note also that $\Delta_{\rm AEP}$ is calculated using Eq. (2) with $N^{\prime}$ being replaced by $P_{j}N^{\prime}$ , and $\Delta_{\rm AEP}$ is now calculated based on the parameters $\epsilon_{j}$ , $\epsilon_{{\rm sm},j}$ , and $\bar{\epsilon}_{j}=P_{j}\epsilon$ . The total key rate with security parameter $\epsilon$ is then given by $\frac{1}{N}\sum_{j=1}^{n}\ell_{j}$ .

Fig. 2 shows the key rate in both the asymptotic and composable finite-size regime secure against collective/individual attacks as a function of the number of clusters $n$ . Note that $n=1$ indicates no clusterization, where security is analysed over all data. As can be seen clusterization always increases the asymptotic key rate against collective/individual attacks. However, by considering composable finite-size effects in the security analysis, there is an optimal number of clusters which maximises the key rate. In fact, as the number of clusters increases, the variance of channel fluctuation within each cluster decreases. As a result, the non-Gaussian noise becomes smaller for each cluster, which makes the state obtained over each cluster more Gaussian. However, as the number of clusters increases, the number of signals for each cluster decreases. As a result, the composable finite-size effects (i.e., the effect of $\Delta$ -term, and the effect of parameter estimation which is now performed based on $P_{j}k$ signals with $\epsilon_{{\rm PE},j}$ ) become more significant, which reduces the key rate. Fig. 2 shows that while for $\langle{\eta}\rangle=0.08$ , without clusterization (i.e., $n=1$ ) the protocol is not secure against collective attacks in the composable finite-size regime, if Alice and Bob perform clusterisation as described above, the protocol becomes secure against collective attacks and finite key rate is maximised for $n=2$ . Note that when the number of clusters, $n$ , becomes sufficiently large, the security analysis is performed as if the security is analysed over each sub-channel separately (as described in Sec. IV.2).

VI Conclusions

We have analysed the security of the no-switching CV-QKD protocol over free-space channels with fluctuating transmissivity in the composable finite-size regime against both collective and individual attacks. We introduced a parameter estimation approach, where Alice and Bob can efficiently estimate the effective parameters (i.e., the effective transmissivity and excess noise) of an optimal Gaussian attack using the data revealed over all sub-channels used for the security analysis. We analysed two classical post-processing strategies, the post-selection of high-transmissivity sub-channels and partitioning sub-channels into different clusters, in the composable finite-size regime, showing that these strategies can improve the finite-size key rate against both individual and collective attacks. Most remarkable improvement is for the finite-size collective attacks, which are the most practically relevant, where we see these classical post-processing allows significant key rates in situations that would otherwise be completely insecure.

VII Acknowledgements

The authors gratefully acknowledge valuable discussions with Andrew Lance, and Thomas Symul. This research is supported by the Australian Research Council (ARC) under the Centre of Excellence for Quantum Computation and Communication Technology (Project No. CE170100012). NW acknowledges funding support from the European Unions Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No.750905 and Q.Link.X from the BMBF in Germany.

Appendix A Key rate calculation

A.1 Eve’s information from collective attack

At the output of the channel Bob applies heterodyne detection to mode $B_{1}$ . Bob’s heterodyne detector with efficiency $\eta_{B}$ and electronic noise variance of $\nu_{B}$ can be modeled by placing a beam splitter of transmissivity $\eta_{B}$ before an ideal heterodyne detector inefficient_homodyne ; inefficient_heterodyne . The heterodyne detector’s electronic noise can be modelled by a two-mode squeezed vacuum state, $\rho_{{F_{0}}G}$ , of quadrature variance $\upsilon$ , where $\upsilon=1+{2\nu_{B}}/(1-\eta_{B})$ . One input port of the beam splitter is the received mode $B_{1}$ , and the second input port is fed by one half of the entangled state $\rho_{{F_{0}}G}$ , mode $F_{0}$ , while the output ports are mode $B_{2}$ (which is measured by the ideal heterodyne detector) and mode $F$ .

In a collective attack, Eve’s information, $\chi(b{:}E)$ , is given by $\chi(b{:}E)=\mathcal{S}(\rho_{E})-\mathcal{S}(\rho_{E|B})$ , where $\mathcal{S}(\rho)$ is the von Neumann entropy of the state $\rho$ . Here we assume Bob’s detection noise is not accessible to Eve. In this case $\mathcal{S}(\rho_{E})=\mathcal{S}(\rho_{AB_{1}})$ , where the entropy $\mathcal{S}(\rho_{AB_{1}})$ can be calculated through the symplectic eigenvalues $\nu_{1,2}$ of covariance matrix ${\bf{M}}_{A{B_{1}}}$ ⁷⁷7The von Neumann entropy of an $n$ -mode Gaussian state $\rho$ with the covariance matrix $\bf{M}$ is given by $\mathcal{S}(\rho)=\sum\nolimits_{i=1}^{n}{G(\frac{\nu_{i}-1}{2})}$ , where $\nu_{i}$ are the symplectic eigenvalues of the covariance matrix ${\bf{M}}$ , and $G(x)=(x+1){\log_{2}}(x+1)-x{\log_{2}}(x)$ . in Eq. (9). The second entropy we require in order to determine $\chi(b{:}E)$ can be written as $\mathcal{S}(\rho_{E|B})=\mathcal{S}(\rho_{E|B_{2}})=\mathcal{S}(\rho_{AFG|B_{2}})$ . The covariance matrix of the conditional state $\rho_{AFG|B_{2}}$ is given by ${\bf{M}}_{AFG|B_{2}}={\bf{M}}_{AFG}-{\bm{\sigma}}_{AFG,{B_{2}}}\,\,{\bf{H}}_{\rm het}\,\,\bm{\sigma}^{T}_{AFG,{B_{2}}}$ , where ${\bf{H}}_{\rm het}=({\bf{M}}_{B_{2}}+\bf{I})^{-1}$ , and where ${\bf{M}}_{B_{2}}={V_{B2}\bf{I}}$ , where

V_{B2}=\eta_{B}[\eta_{f}(V-1)+\eta_{f}\xi_{f}+1]+(1-\eta_{B})\upsilon.

(25)

Note that the matrices ${\bf{M}}_{AFG},\bm{\sigma}_{AFG,{B_{2}}}$ , and ${\bf{M}}_{B_{2}}$ can be derived from the decomposition of the covariance matrix

{{\bf{M}}_{AFG{B_{2}}}}=\left[{\begin{array}[]{*{20}{c}}{{{\bf{M}}_{AFG}}}&{\bm{\sigma}_{AFG,{B_{2}}}}\\ {{\bm{\sigma}^{T}_{AFG,{B_{2}}}}}&{{{\bf{M}}_{{B_{2}}}}}\\ \end{array}}\right].

(26)

Note that the covariance matrix ${\bf{M}}_{AFG{B_{2}}}$ is given by ${\bf{M}}_{AFG{B_{2}}}=({\mathds{1}_{A}\oplus{\bf{S}}_{\rm bs}\oplus\mathds{1}_{G}})^{T}[{\bf{M}}_{A{B_{1}}}\oplus{\bf{M}}_{{F_{0}}G}]({\mathds{1}_{A}\oplus{\bf{S}}_{\rm bs}\oplus\mathds{1}_{G}})$ , where ${\bf{S}}_{\rm bs}$ is the matrix for the beam splitter transformation (applied on modes $B_{1}$ and $F_{0}$ ), given by

\displaystyle{\bf{S}}_{\rm bs}=\left[{\begin{array}[]{*{20}{c}}{\sqrt{\eta_{B}}\,\bf{I}}&{\sqrt{1-\eta_{B}}\,\bf{I}}\\ {-\sqrt{1-\eta_{B}}\,\bf{I}}&{\sqrt{\eta_{B}}\,\bf{I}}\end{array}}\right],

(29)

and the covariance matrix of the entangled state $\rho_{{F_{0}}G}$ is given by

\displaystyle{\bf{M}}_{{F_{0}}G}=\left[{\begin{array}[]{*{20}{c}}{\upsilon\,\bf{I}}&{\sqrt{{\upsilon^{2}}-1}\,\bf{Z}}\\ {\sqrt{{\upsilon^{2}}-1}\,\bf{Z}}&{\upsilon\,\bf{I}}\end{array}}\right].

(32)

Note that in the finite-size regime, $\chi^{\epsilon_{\rm PE}}(b{:}E)$ should be calculated based on the worst-case estimators of $\eta_{f}$ and $\xi_{f}$ . Note also that for the post-selection protocol, the parameters $\eta_{f}$ and $\xi_{f}$ have to be replaced by the post-selection parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ from Eq. (19), and for the clusterisation, the parameters $\eta_{f}$ and $\xi_{f}$ have to be replaced by the cluster parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ from Eq. (22).

A.2 Eve’s information from individual attack

Considering a free-space channel with effective parameters $\eta_{f}$ and $\xi_{f}$ , defined in Eq. (9), in the individual attack, Eve’s information, $I(b{:}E)$ , is given by $I(b{:}E)={\log_{2}}\frac{{{V_{B_{2}^{\rm het}}}}}{{{V_{{B_{2}}^{\rm het}\left|E\right.}}}}$ individula-2007-1 ; individula-2007-2 , where $V_{B_{2}^{\rm het}}$ is the variance of heterodyne-detected mode $B_{2}$ for the post-selected sub-channel, and is given by $V_{B_{2}^{\rm het}}=(V_{B2}+1)/2$ , where $V_{B2}$ is given in Eq. (25). Note that $V_{{B_{2}^{\rm het}}|E}$ in the case of Bob’s detection noise not being accessible to Eve is given by $V_{{B_{2}}^{\rm het}|E}=\eta_{B}[\frac{V{x_{E}}+1}{V+x_{E}}+\chi_{\rm het}]/2$ , where $x_{E}=\eta_{f}(2-\xi_{f})^{2}/(\sqrt{2-2\eta_{f}+\eta_{f}\xi_{f}}+\sqrt{\xi_{f}}))^{2}+1$ , and $\chi_{\rm het}=[1+(1-\eta_{B})+{2\nu_{B}}]/\eta_{B}$ . Note that in the finite-size regime, $I^{\epsilon_{\rm PE}}(b{:}E)$ should be calculated based on the worst-case estimators of $\eta_{f}$ and $\xi_{f}$ . Note also that the parameters $\eta_{f}$ and $\xi_{f}$ have to be replaced by parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ from Eq. (19) for the post-selection protocol, and by parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ from Eq. (22) for cluster $j$ .

A.3 Mutual information between Alice and Bob

The classical mutual information between Alice and Bob is given by $I(a{:}b)={\log_{2}}\frac{{{V_{B_{2}^{\rm het}}}}}{{{V_{{B_{2}}^{\rm het}\left|A^{\rm het}\right.}}}}$ . The conditional variance $V_{{B_{2}}^{\rm het}|A^{\rm het}}$ is the variance of heterodyne-detected mode $B_{2}$ conditioned on Alice’s heterodyne detection of mode $A$ , which is given by $V_{{B_{2}}^{\rm het}|A^{\rm het}}{=}\eta_{B}\eta_{f}(1+\chi_{\rm tot})/2$ , where $\chi_{\rm tot}={\chi_{\rm line}}+\frac{{{\chi_{\rm het}}}}{\eta_{f}}$ , with ${\chi_{\rm line}}=\xi_{f}-1+\frac{1}{\eta_{f}}$ . Note that for the post-selected protocol, the parameters $\eta_{f}$ and $\xi_{f}$ have to be replaced by the post-selection parameters $\eta^{\rm ps}_{f}$ and $\xi^{\rm ps}_{f}$ , and for the clusterisation, the parameters $\eta_{f}$ and $\xi_{f}$ have to be replaced by the cluster parameters $\eta^{j}_{f}$ and $\xi^{j}_{f}$ .

Appendix B Elliptic-beam model

We have considered a free-space channel, where the probability distribution for the channel transmissivity is given by the elliptic-beam model Vasylyev.et.al.PRL.16 . This model can be used for an atmospheric channel including beam wandering, beam broadening and beam shape deformation Vasylyev.et.al.PRL.16 . However, for this model, referred to as the elliptic beam approximation, there is not an explicit form for the probability distribution. Here, we briefly discuss how to apply the model of the elliptic-beam approximation for calculation of the key rate. Further details on the model can be found in Vasylyev.et.al.PRL.16 . Within this model, it is assumed that turbulent disturbances along the propagation path result in beam wandering and deformation of the Gaussian beam profile into an elliptical form. The elliptic beam at the aperture plane is characterized by the beam-centroid position ${\bf{r}}_{0}=(x_{0},y_{0})^{T}=(r_{0}\cos\psi_{0},r_{0}\sin\psi_{0})^{T}$ , and $W_{1}$ and $W_{2}$ as semi-axes of the elliptic spot, where the semi-axis $W_{1}$ has an angle $\psi\in[0,\pi/2)$ relative to the $x$ axis. Defining $\phi=\psi-\psi_{0}$ , the aperture transmissivity $\eta_{a}$ is a function of real parameters $[x_{0},y_{0},\Theta_{1},\Theta_{2},\phi]$ Vasylyev.et.al.PRA.17 , which are randomly changed by the atmosphere. Note that $\Theta_{1}$ and $\Theta_{2}$ are related to the semi-axes, as $W_{j}^{2}=W_{0}^{2}\exp(\Theta_{j})$ Vasylyev.et.al.PRL.16 for $j=1,2$ with $W_{0}$ the initial beam-spot radius. Note also that random fluctuations of the beam-centroid position ${\bf{r}}_{0}$ , i.e. the parameters $x_{0}$ and $y_{0}$ cause the effect of beam wandering. For the parameters $[x_{0},y_{0},\Theta_{1},\Theta_{2}]$ , we can assume a four-dimensional Gaussian distribution, and for the parameter $\phi$ , by assuming isotropic turbulence, we can assume a uniform distribution in the interval $[0,\pi/2]$ Vasylyev.et.al.PRA.17 . Under the assumption of isotropic turbulence, there is no correlation between $\phi$ with other linear parameters Vasylyev.et.al.PRL.16 . We also assume that $\left\langle{\bf{r}}_{0}\right\rangle=0$ , i.e., beam wandering fluctuations are placed around the reference-frame origin. Under this assumption, correlations between $x_{0}$ , $y_{0}$ and $\Theta_{j}$ vanish Vasylyev.et.al.PRL.16 . Hence, we first generate $n$ independent Gaussian random vectors ${\bf{v}}_{i}=(x_{0i},y_{0i},\Theta_{1i},\Theta_{2i})$ , $i=1,...,n$ and $n$ random uniformly-distributed angles $\phi_{i}\in[0,\pi/2]$ . The Gaussian random parameters $(x_{0i},y_{0i},\Theta_{1i},\Theta_{2i})$ can be characterized by the covariance matrix,

{\bf{M}}=\left({\begin{array}[]{*{20}{c}}{\left\langle{\Delta x_{0}^{2}}\right\rangle}&0&0&0\\ 0&{\left\langle{\Delta y_{0}^{2}}\right\rangle}&0&0\\ 0&0&{\left\langle{\Delta\Theta_{1}^{2}}\right\rangle}&{\left\langle{\Delta{\Theta_{1}}\Delta{\Theta_{2}}}\right\rangle}\\ 0&0&{\left\langle{\Delta{\Theta_{1}}\Delta{\Theta_{2}}}\right\rangle}&{\left\langle{\Delta\Theta_{2}^{2}}\right\rangle}\end{array}}\right)

(33)

and the mean value $\left({0,0,\left\langle{{\Theta_{1}}}\right\rangle,\left\langle{{\Theta_{2}}}\right\rangle}\right)$ . The elements of the covariance matrix and the mean values for weak turbulence are given by Vasylyev.et.al.PRL.16

\begin{array}[]{l}\left\langle{\Delta x_{0}^{2}}\right\rangle=\left\langle{\Delta y_{0}^{2}}\right\rangle=0.33W_{0}^{2}\sigma_{R}^{2}{\Omega^{-\frac{7}{0}}},\\ \\ \left\langle{\Delta\Theta_{1}^{2}}\right\rangle=\ln\left[{1+\frac{{1.2\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}}{{{{\left({1+2.96\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}\right)}^{2}}}}}\right],\\ \\ \left\langle{\Delta{\Theta_{1}}\Delta{\Theta_{2}}}\right\rangle=\ln\left[{1-\frac{{0.8\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}}{{{{\left({1+2.96\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}\right)}^{2}}}}}\right],\\ \\ \left\langle{{\Theta_{1}}}\right\rangle=\left\langle{{\Theta_{2}}}\right\rangle=\ln\left[{\frac{{{{\left({1+2.96\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}\right)}^{2}}}}{{{\Omega^{2}}\sqrt{{{\left({1+2.96\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}\right)}^{2}}+1.2\sigma_{R}^{2}{\Omega^{\frac{5}{6}}}}}}}\right],\end{array}

(34)

where ${\sigma_{R}^{2}}$ is the Rytov parameter, $\Omega=\frac{{kW_{0}^{2}}}{{2L}}$ is the Fresnel parameter, $k$ is the wave number and $L$ is the propagation distance. After generating $n$ random vectors ${\bf{v}}_{i}=(x_{0i},y_{0i},\Theta_{1i},\Theta_{2i})$ , and $n$ random angles $\phi_{i}\in[0,\pi/2)$ , we can generate $n$ random transmissivity $\eta_{a,i}=\eta_{a}({\bf{v}}_{i},\phi_{i})$ as Vasylyev.et.al.PRL.16

\eta_{a}({\bf{v}}_{i},\phi_{i})={\eta_{0}}\exp\left\{{-{{\left[{\frac{{{r_{0}}/a}}{{R\left({\frac{2}{{{W_{\rm eff}(\phi)}}}}\right)}}}\right]}^{\lambda\left({\frac{2}{{{W_{\rm eff}(\phi)}}}}\right)}}}\right\},

(35)

where $r_{0}=\sqrt{x_{0}^{2}+y_{0}^{2}}$ , is the distance between the beam and the aperture center, and $a$ is the radius of the circular receiver aperture. The transmissivity for the centered beam, i.e., for $r_{0}=0$ is given by Vasylyev.et.al.PRL.16

\begin{array}[]{l}{\eta_{0}}=1-{I_{0}}\left({{a^{2}}\left[{\frac{1}{{W_{1}^{2}}}-\frac{1}{{W_{2}^{2}}}}\right]}\right)\exp\left\{{-{a^{2}}\left[{\frac{1}{{W_{1}^{2}}}+\frac{1}{{W_{2}^{2}}}}\right]}\right\}\\ \\ -2\left[{1-\exp\left\{{-\frac{{{a^{2}}}}{2}{{\left[{\frac{1}{{{W_{1}}}}-\frac{1}{{{W_{2}}}}}\right]}^{2}}}\right\}}\right]\\ \\ \times\exp\left\{{-{{\left[{\frac{{\frac{{{{\left({{W_{1}}+{W_{2}}}\right)}^{2}}}}{{\left|{W_{1}^{2}-W_{2}^{2}}\right|}}}}{{R\left({\frac{1}{{{W_{1}}}}-\frac{1}{{{W_{2}}}}}\right)}}}\right]}^{\lambda\left({\frac{1}{{{W_{1}}}}-\frac{1}{{{W_{2}}}}}\right)}}}\right\}.\end{array}

(36)

The further parameters, including effective squared spot radius, $W_{\rm eff}^{2}(\phi)$ , the scale $R(\zeta)$ and shape $\lambda(\zeta)$ functions are given by are given by Vasylyev.et.al.PRL.16

\begin{array}[]{l}W_{\rm eff}^{2}(\phi)=4{a^{2}}\times\\ \\ {\left[{\mathcal{W}\left({\frac{{4{a^{2}}}}{{{W_{1}}{W_{2}}}}\exp\left\{{\frac{{{a^{2}}}}{{W_{1}^{2}}}(1{+}2{{\cos}^{2}}\phi)}\right\}\exp\left\{{\frac{{{a^{2}}}}{{W_{2}^{2}}}(1{+}2{{\sin}^{2}}\phi)}\right\}}\right)}\right]^{-1}},\\ \\ R(\zeta)={\left({\ln\left[{2\frac{{1-\exp\left\{{-\frac{1}{2}{a^{2}}{\zeta^{2}}}\right\}}}{{1-\exp\left\{{-{a^{2}}{\zeta^{2}}}\right\}{I_{0}}({a^{2}}{\zeta^{2}})}}}\right]}\right)^{-\frac{1}{{\lambda(\zeta)}}}},\\ \\ \lambda(\zeta)=2{a^{2}}{\zeta^{2}}\frac{{\exp\left\{{-{a^{2}}{\zeta^{2}}}\right\}{I_{1}}({a^{2}}{\zeta^{2}})}}{{1-\exp\left\{{-{a^{2}}{\zeta^{2}}}\right\}{I_{0}}({a^{2}}{\zeta^{2}})}}\\ \\ \times{\left({\ln\left[{2\frac{{1-\exp\left\{{-\frac{1}{2}{a^{2}}{\zeta^{2}}}\right\}}}{{1-\exp\left\{{-{a^{2}}{\zeta^{2}}}\right\}{I_{0}}({a^{2}}{\zeta^{2}})}}}\right]}\right)^{-1}},\end{array}

(37)

where $\mathcal{W}(\zeta)$ is the Lambert $W$ function, and $I_{j}(\zeta)$ is the modified Bessel function of the $j$ th order.

We also consider a deterministic (constant) tranmissivity $\eta_{m}\in[0,1]$ , which means the total transmissivity of the channel would be $\eta_{i}=\eta_{m}\eta_{a,i}$ . Note that $\eta_{m}$ can be considered as the extinction factor of the atmospheric channel describing the absorption and scattering losses Vasylyev.et.al.PRA.17 . Based on the generated sampling data, one can estimate the mean value of any function of the transmissivity $f(\eta)$ as $\left\langle{f(\eta)}\right\rangle=\frac{1}{n}\sum\limits_{i=1}^{n}{f(\eta_{i})}$ . For instance, Eq. (8) can be modified as

\begin{array}[]{l}{\left\langle\eta\right\rangle}=\frac{1}{n}\sum\limits_{i=1}^{n}{\eta_{i}},\,\,{\left\langle{\sqrt{\eta}}\right\rangle}=\frac{1}{n}\sum\limits_{i=1}^{n}\sqrt{\eta_{i}},\\ \\ {\left\langle\eta\xi_{\eta}\right\rangle}=\frac{1}{n}\sum\limits_{i=1}^{n}{\eta_{i}\xi_{\eta_{i}}}.\end{array}

(38)

In our numerical analysis we have first fitted a probability distribution to the generated sampled data $\eta_{i}$ (shown in Fig. 3), which gives us a numerical form for $p(\eta_{i})$ . Note that since no closed-form solution for $p(\eta)$ could be used, the integrals required to be computed for the security analysis (provided in Eqs. (20) and (23)) should be numerically evaluated.

References

(1) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, The security of practical quantum key distribution, Rev. Mod. Phys. 81, 1301 (2009).
(2) S. Pirandola, et al., Advances in Quantum Cryptography, arXiv:1906.01645.
(3) F. Xu, X. Zhang, H.-K. Lo, J.-W. Pan, Quantum cryptography with realistic devices, arXiv:1903.09051.
(4) C. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India. IEEE, New York, p. 175, 1984.
(5) A. K. Ekert, Quantum cryptography based on Bell’s theorem, Phys. Rev. Lett. 67, 661 (1991).
(6) T. C. Ralph, Continuous variable quantum cryptography, Phys. Rev. A 61, 010303(R) (1999).
(7) M. Hillery, Quantum cryptography with squeezed states, Phys. Rev. A 61, 022309 (2000).
(8) M. D. Reid, Quantum cryptography with a predetermined key, using continuous-variable Einstein-Podolsky-Rosen correlations, Phys. Rev. A 62, 062308 (2000).
(9) R. Garcia-Patron, (PhD Thesis. Universite Libre de Bruxelles, 2007).
(10) C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, Rev. Mod. Phys. 84, 621-699 (2012).
(11) E. Diamanti and A. Leverrier, Distributing secret keys with quantum continuous variables: Principle, security and implementations, Entropy 17, 6072 (2015).
(12) F. Grosshans, G. van Assche, J. Wenger, R. Brouri, N. J. Cerf, and P. Grangier, Quantum key distribution using gaussian-modulated coherent states, Nature 421, 238 (2003).
(13) P. Jouguet, S. Kunz-Jacques, A. Leverrier, P. Grangier, and E. Diamanti, Experimental demonstration of long-distance continuous-variable quantum key distribution, Nat. Photonics 7, 378 (2013).
(14) D. Huang, P. Huang, D. Lin, and G. Zeng, Long-distance continuous-variable quantum key distribution by controlling excess noise, Scientific Reports 6, 19201 (2016).
(15) G. Zhang, J. Haw, H. Cai, F. Xu, S. Assad, J. Fitzsimons, X. Zhou, Y. Zhang, S. Yu, J. Wu et al., An integrated silicon photonic chip platform for continuous-variable quantum key distribution, Nat. Photonics 13, 839 (2019).
(16) Y. Zhang et al., Continuous-variable QKD over 50 km commercial fiber, Quantum Sci. Technol. 4, 035006 (2019).
(17) Y.-C. Zhang, Z. Chen, S. Pirandola, X. Wang, C. Zhou, B. Chu, Y. Zhao, B. Xu, S. Yu, H. Guo, Long-distance continuous-variable quantum key distribution over 202.81 km fiber, arXiv:2001.02555.
(18) N. Hosseinidehaj, Z. Babar, R. Malaney, S. X. Ng, and L. Hanzo, Satellite-Based Continuous-Variable Quantum Communications: State-of-the-Art and a Predictive Outlook, IEEE Communications Surveys and Tutorials 21, 881 (2019).
(19) N. Hosseinidehaj and R. Malaney, Gaussian entanglement distribution via satellites, Phys. Rev. A 91, 022304 (2015).
(20) S.-K. Liao, Satellite-to-ground quantum key distribution, Nature 549, 43 (2017).
(21) J. Yin, Satellite-to-Ground Entanglement-Based Quantum Key Distribution, Phys. Rev. Lett. 119, 200501 (2017).
(22) A. A. Semenov and W. Vogel, Quantum light in the turbulent atmosphere, Phys. Rev. A 80, 021802(R) (2009).
(23) D. Yu. Vasylyev, A. A. Semenov, and W. Vogel, Toward Global Quantum Communication: Beam Wandering Preserves Nonclassicality, Phys. Rev. Lett. 108, 220501 (2012).
(24) D. Yu. Vasylyev, A. A. Semenov, and W. Vogel, Atmospheric Quantum Channels with Weak and Strong Turbulence, Phys. Rev. Lett. 117, 090501 (2016).
(25) D. Vasylyev, A. A. Semenov, W. Vogel, K. Günthner, A. Thurn, Ö. Bayraktar, and C. Marquardt, Free-space quantum links under diverse weather conditions, Phys. Rev. A. 96, 043856 (2017).
(26) D. Vasylyev, W. Vogel, and A. A. Semenov, Theory of atmospheric quantum channels based on the law of total probability, Phys. Rev. A 97, 063852 (2018).
(27) V. C. Usenko, B. Heim, C. Peuntinger, C. Wittmann, C. Marquardt, G. Leuchs, and R. Filip, New J. Phys. 14, 093048 (2012).
(28) C. Peuntinger, B. Heim, C. R. Müller, C. Gabriel, C. Marquardt, and G. Leuchs, Distribution of Squeezed States through an Atmospheric Channel, Phys. Rev. Lett. 113, 060502 (2014).
(29) M. Bohmann, A. A. Semenov, J. Sperling, and W. Vogel, Gaussian entanglement in the turbulent atmosphere, Phys. Rev. A 94, 010302(R) (2016).
(30) N. Hosseinidehaj and R. Malaney, Quantum key distribution over combined atmospheric fading channels, IEEE International Conference on Communications (ICC), London, pp. 7413-7419 (2015).
(31) S. Wang, P. Huang , T. Wang, and G. Zeng, Atmospheric effects on continuous-variable quantum key distribution, New J. Phys. 20, 083037 (2018).
(32) K. Hofmann, A. A. Semenov, W. Vogel, and Martin Bohmann, Quantum teleportation through atmospheric channels, Phys. Scr. 94, 125104 (2019).
(33) L. Ruppert, C. Peuntinger, B. Heim, K. Günthner, V. C. Usenko, D. Elser, G. Leuchs, R. Filip and C. Marquardt, Fading channel estimation for free-space continuous-variable secure quantum communication, New J. Phys. 21 123036 (2019).
(34) C. Weedbrook, A. M. Lance, W. P. Bowen, T. Symul, T. C. Ralph, and P. K. Lam, Phys. Rev. Lett. 93, 170504 (2004).
(35) A. M. Lance, T. Symul, V. Sharma, C. Weedbrook, T. C. Ralph, and P. K. Lam, Phys. Rev. Lett. 95, 180503 (2005).
(36) A. Leverrier, Security of continuous-variable quantum key distribution via a Gaussian de Finetti reduction, Phys. Rev. Lett. 118, 200501 (2017).
(37) S. Ghorai, E. Diamanti, and A. Leverrier, Composable security of two-way continuous-variable quantum key distribution without active symmetrization, Phys. Rev. A 99, 012311 (2019).
(38) N. Hosseinidehaj, N. Walk, and T. C. Ralph, Optimal realistic attacks in continuous-variable quantum key distribution, Phys. Rev. A 99, 052336 (2019).
(39) I. Capraro, A. Tomaello, A. Dall’Arche, F. Gerlin, R. Ursin, G. Vallone, and P. Villoresi, Impact of Turbulence in Long Range Quantum and Classical Communications, Phys. Rev. Lett. 109, 200502 (2012).
(40) G. Vallone et al., Adaptive real time selection for quantum key distribution in lossy and turbulent free-space channels, Phys. Rev. A 91, 042320 (2015).
(41) A. A. Semenov, F. Töppel, D. Y. Vasylyev, H. V. Gomonay, and W. Vogel, Homodyne detection for atmosphere channels, Phys. Rev. A 85, 013826 (2012).
(42) N. Hosseinidehaj, A. M. Lance, T. Symul, N. Walk, T. C. Ralph, Finite-size effects in continuous-variable QKD with Gaussian post-selection, arXiv:1912.09638.
(43) R. Renner and J. I. Cirac, de Finetti representation theorem for infinite-dimensional quantum systems and applications to quantum cryptography, Phys. Rev. Lett. 102, 110504 (2009).
(44) M. M. Wolf, G. Giedke, and J. I. Cirac, Extremality of Gaussian quantum states, Phys. Rev. Lett. 96, 080502 (2006).
(45) M. Navascues, F. Grosshans, and A. Acin, Optimality of Gaussian Attacks in Continuous-Variable Quantum Cryptography, Phys. Rev. Lett. 97, 190502 (2006).
(46) R. Garcia-Patron, and N. J. Cerf, Unconditional Optimality of Gaussian Attacks against Continuous-Variable Quantum Key Distribution, Phys. Rev. Lett. 97, 190503 (2006).
(47) A. Leverrier, Composable security proof for continuous-variable quantum key distribution with coherent states, Phys. Rev. Lett. 114, 070501 (2015).
(48) C. Lupo, C. Ottaviani, P. Papanastasiou, and S. Pirandola, Continuous-variable measurement-device-independent quantum key distribution: Composable security against coherent attacks, Phys. Rev. A 97, 052327 (2018).
(49) R. Dong, M. Lassen, J. Heersink, C. Marquardt, R. Filip, G. Leuchs, and U. L. Andersen, Continuous-variable entanglement distillation of non-Gaussian mixed states, Phys. Rev. A 82, 012312 (2010).
(50) N. Hosseinidehaj and R. Malaney, Entanglement generation via non-Gaussian transfer over atmospheric fading channels, Phys. Rev. A 92, 062336 (2015).
(51) N. Hosseinidehaj and R. Malaney, CV-QKD with Gaussian and Non-Gaussian Entangled States over Satellite-Based Channels, IEEE Global Communications Conference (GLOBECOM), Washington, DC, pp. 1-7 (2016).
(52) N. Hosseinidehaj and R. Malaney, CV-MDI quantum key distribution via satellite, Quantum Inf. Comput. 17, 361 (2017).
(53) P. Papanastasiou, C. Weedbrook, and S. Pirandola, Continuous-variable quantum key distribution in uniform fast-fading channels, Phys. Rev. A 97, 032311 (2018).
(54) R. Renner, Security of qunatum key distribution, Int. J. Quantum Inf. 6, pp. 1-127 (2008).
(55) M. Tomamichel, C. Schaffner, A. Smith, and R. Renner, Leftover Hashing against quantum side information, IEEE Trans. Inf. Theory 57, 5524 (2011).
(56) F. Furrer, T. Franz, M. Berta, A. Leverrier, V. B. Scholz, M. Tomamichel, and R. F. Werner, Continuous variable quantum key distribution: Finite-key analysis of composable security against coherent attacks, Phys. Rev. Lett. 109, 100502 (2012).
(57) M. Tomamichel, Ph.D. thesis, Swiss Federal Institute of Technology (ETH), Zurich (2012), arXiv:1203.2142.
(58) M. Tomamichel, R. Colbeck, and R. Renner, “A Fully quantum Asymptotic Equipartition property, IEEE Trans. Inf. Theory 55, 5840 (2009).
(59) S. Pirandola, S. L. Braunstein, and S. Lloyd, Characterization of Collective Gaussian Attacks and Security of Coherent-State Quantum Cryptography, Phys. Rev. Lett. 101, 200504 (2008).
(60) J. Lodewyck and P. Grangier, Tight bound on the coherent-state quantum key distribution with heterodyne detection, Phys. Rev. A 76, 022332 (2007).
(61) J. Sudjana, L. Magnin, R. Garcia-Patron, and N. J. Cerf, Tight bounds on the eavesdropping of a continuous-variable quantum cryptographic protocol with no basis switching, Phys. Rev. A 76, 052301 (2007).
(62) G. Chai, Z. Cao, W. Liu, S. Wang, P. Huang, and G. Zeng, Parameter estimation of atmospheric continuous-variable quantum key distribution, Phys. Rev. A 99, 032326 (2019)
(63) A. Leverrier, F. Grosshans, and P. Grangier, Finite-size analysis of a continuous-variable quantum key distribution, Physical Review A 81, 062343 (2010).
(64) P. Jouguet, S. Kunz-Jacques, E. Diamanti, and A. Leverrier, Analysis of imperfections in practical continuous-variable quantum key distribution, Physical Review A 86, 032309 (2012).
(65) A. A. Semenov1, and W. Vogel, Entanglement transfer through the turbulent atmosphere, Phys. Rev. A 81, 023835 (2010).
(66) R. Garcia-Patron and N. J. Cerf, Continuous-Variable quantum key distribution protocols over noisy channels, Phys. Rev. Lett. 102, 130501 (2009).
(67) S. Fossier, E. Diamanti, T Debuisschert, R. Tualle-Brouri, and P. Grangier, Improvement of continuous-variable quantum key distribution systems by using optical preamplifiers, J. Phys. B: At. Mol. Opt. Phys. 42, 114014 (2009).