Improved composable key rates for CV-QKD

Basic Information

• Paper ID: 2301.10270
• Title: Improved composable key rates for CV-QKD
• Authors: Stefano Pirandola (University of York), Panagiotis Papanastasiou (nodeQ)
• Classification: quant-ph, physics.app-ph, physics.comp-ph
• Publication Date: arXiv v5 (First submitted January 2023, Latest version November 2025)
• Paper Link: https://arxiv.org/abs/2301.10270

Abstract

Security proofs for modern quantum key distribution (QKD) must account for finite-size effects and composability. The same applies to continuous-variable (CV) protocols based on coherent state transmission and detection using bosonic modes. This paper improves and advances the theoretical framework in this field, providing tighter formulations for composable key rates of general CV-QKD protocols. Through these theoretical improvements, the authors' general formula demonstrates more optimistic key rates than previously reported in the literature.

Research Background and Motivation

Problems to be Addressed

This paper aims to improve the key rate theory for continuous-variable quantum key distribution (CV-QKD) protocols under finite-size and composable security frameworks. Specifically:

1. Finite-size effects: Practical QKD systems use a finite number of quantum states, rather than the ideal infinite asymptotic case
2. Composable security: Keys must remain secure within larger cryptographic systems, requiring rigorous epsilon-security proofs
3. Key rate optimization: Existing theoretical frameworks are overly conservative, resulting in achievable key rates lower than theoretical potential

Importance of the Problem

1. Practical requirements: CV-QKD offers practical advantages through use of standard telecommunications equipment, but the rigor of security proofs directly impacts practical deployment
2. Performance bottleneck: Conservative key rate estimates limit CV-QKD transmission distance and practical utility
3. Theoretical completeness: More precise mathematical tools are needed to characterize finite-size security

Limitations of Existing Approaches

The authors identify key problems in prior literature 20-22:

1. Insufficient precision in tensor product reduction: After error correction (EC), the state loses tensor product structure; previous treatment methods were overly conservative
2. Imprecise leakage term estimation: Information leakage during error correction was not handled with sufficient care
3. Suboptimal epsilon parameter setting: The combination of various epsilon security parameters was not optimally configured

Research Motivation

Through more refined mathematical treatment, particularly improved tensor product reduction theorems (proven in Appendix A) and more precise information leakage estimation, the authors expect to:

• Increase theoretical bounds on key rates
• Reduce required block sizes
• Enhance practical utility and competitiveness of CV-QKD

Core Contributions

1. Improved tensor product reduction theorem: Proves the smooth min-entropy relationship between the subnormalized state after error correction and the tensor product state before error correction (Eq. 31), which is the main improvement over reference 20
2. More precise composable key rate formulas:
   • Upper bound formula: $R_{UB} = \frac{p_{ec}[nR_\infty - \sqrt{n}\Delta_{aep} + \theta]}{N}$ (Eq. 40)
   • Lower bound formula: $R_{LB} = R_{UB} - \frac{p_{ec}}{N}$ (Eq. 41)
   • Including more precise leakage term $\theta = \log_2(2\varepsilon_h^2\varepsilon_{cor})$ (Eq. 30)
3. General theoretical framework: Applicable to multiple CV-QKD protocols:
   • Discrete alphabet coherent state protocols
   • Gaussian-modulated coherent state protocols (homodyne/heterodyne detection)
   • CV measurement-device-independent (MDI) QKD
   • Post-selection protocol variants
4. Complete treatment of parameter estimation: Detailed derivation of how channel parameter estimation affects key rates, including estimators and worst-case values for transmittance and noise
5. Numerical performance improvements: Under identical parameters, compared to prior literature:
   • Higher key rates
   • Greater loss robustness
   • Smaller block size requirements

Detailed Methods

Task Definition

Input:

• N single-mode quantum systems (coherent states)
• Channel parameters: transmittance T, excess noise ξ
• Protocol parameters: modulation variance V, detection efficiency η, electronic noise u_el

Output:

• Composable secure key rate R (bits/use)
• Epsilon security parameter ε = ε_cor + ε_sec + ε_ent + ε_pe

Constraints:

• Finite block size N
• Collective attacks (extendable to coherent attacks)
• Epsilon-security framework

Model Architecture

Overall Process

CV-QKD protocol consists of the following stages:

Quantum Communication → Parameter Estimation (PE) → Error Correction (EC) → Privacy Amplification (PA) → Key
        ↓                        ↓                           ↓                      ↓
     N systems              m systems for PE          n systems for key      sn bits of key

1. Output State Structure (Sec. II.A)

Under collective attacks, the classical-quantum (CQ) state after n uses has tensor product form: $\rho^{\otimes n} = \sum_{k,l} p(k,l) |k\rangle_A\langle k| \otimes |l\rangle_B\langle l| \otimes \rho^{k,l}_E$

Where:

• k, l ∈ {0,...,2^d-1} are multi-symbol indices (discretized via ADC)
• p(k,l) is the joint probability distribution
• ρ^{k,l}_E is Eve's conditional state

2. Error Correction and Epsilon-Correctness (Sec. II.B-C)

Error correction is equivalent to a projection process: $\rho^{\otimes n} \rightarrow \Pi_\Gamma \rho^{\otimes n} \Pi_\Gamma$

Where $\Gamma = \{(k,l): \text{Prob}(k \neq l) \leq \varepsilon_{cor}\}$ is the set of "good" sequences.

Key constraint: $p_{ec}\text{Prob}(\hat{l} \neq l|T_{ec}) \leq \varepsilon_{cor}$

The subnormalized state after error correction is: $\tilde{\rho}^n_{ABE|T_{ec}} = \sum_{(k,l)\in\Gamma} \frac{p(k,l)}{p_{ec}} |\hat{l},l\rangle\langle\hat{l},l| \otimes \rho^{k,l}_{E^n}$

3. Privacy Amplification and Epsilon-Secrecy (Sec. II.D)

Using 2-universal hash function families, compress nd bits to sn bits of key.

Secrecy constraint: $p_{ec}D(\bar{\rho}^n_{BEF|T_{ec}}, \omega^n_B \otimes \bar{\rho}^n_{EF|T_{ec}}) \leq \varepsilon_{sec}$

Where D is trace distance and $\omega^n_B$ is uniform distribution.

4. Leftover Hash Lemma (Sec. II.F)

Apply the inverse leftover hash bound: $p_{ec}D(\bar{\rho}^n_{BEF|T_{ec}}, \omega^n_B \otimes \bar{\rho}^n_{EF|T_{ec}}) \leq \varepsilon_s + \frac{1}{2}\sqrt{2^{sn - H^{\varepsilon_s}_{min}(B^n|E^n)_{\sigma^n}}}$

Where $\sigma^n$ is the subnormalized state after error correction and before privacy amplification.

Technical Innovations

Innovation 1: Improved Tensor Product Reduction (Core Contribution)

Theorem (Eq. 31): $H^{\varepsilon_s}_{min}(B^n|E^n)_{\sigma^n} \geq H^{\varepsilon_s}_{min}(B^n|E^n)_{\rho^{\otimes n}}$

Significance: Can use the smooth min-entropy lower bound of the tensor product state before error correction (easier to handle) to bound the smooth min-entropy of the state after error correction.

Proof sketch (Appendix A):

1. Construct CCQ extended state $\rho_{C'CQ}$
2. Prove existence of $\tau_{C'CQ} \in B^\varepsilon(\rho_{C'CQ})$ such that $H^{\varepsilon}_{min}(C|Q)_\rho = H_{min}(C|Q)_\tau$
3. Apply projection and guessing channel; use monotonicity to obtain $\tilde{\tau}_{CQ} \in B^\varepsilon(\tilde{\rho}_{CQ})$
4. Prove $H_{min}(C|Q)_{\tilde{\tau}} \geq H_{min}(C|Q)_\tau$ (key inequality)
5. Combine to obtain final result

Difference from reference 20: Reference 20 directly applies AEP on the post-EC state σ^n, losing the p_ec factor, leading to more conservative estimates.

Innovation 2: More Precise Leakage Term Treatment (Sec. II.G)

Consider the complete dimensionality of error correction leakage: $\dim R = 2^{\text{leak}_{ec} + \lceil -\log_2 \varepsilon_{cor}\rceil}$

Through properties of smooth min-entropy: $H^{\varepsilon_s}_{min}(B^n|E^nR)_{\sigma^n} \geq H^{\varepsilon_s}_{min}(B^n|E^n)_{\sigma^n} - \text{leak}_{ec} - \log_2(2/\varepsilon_{cor})$

Final key length upper bound: $sn \leq H^{\varepsilon_s}_{min}(B^n|E^n)_{\sigma^n} - \text{leak}_{ec} + \theta$

Where $\theta = \log_2(2\varepsilon_h^2\varepsilon_{cor})$ is more precise than previous $\log_2(2\varepsilon_h^2)$.

Innovation 3: Asymptotic Equipartition Property (AEP) Application (Sec. II.H)

Since the pre-EC state has tensor product structure, AEP can be applied: $H^{\varepsilon_s}_{min}(B^n|E^n)_{\rho^{\otimes n}} \geq nH(B|E)_\rho - \sqrt{n}\Delta_{aep}$

Where: $\Delta_{aep} = 4\log_2(\sqrt{|L|+2})\sqrt{-\log_2(1-\sqrt{1-\varepsilon_s^2})} \approx 4\log_2(\sqrt{|L|+2})\sqrt{\log_2(2/\varepsilon_s^2)}$

Innovation 4: Rigorous Treatment of Parameter Estimation (Sec. II.L, Appendix B)

For transmittance T and noise ξ, construct estimators and worst-case values:

Transmittance: $\hat{T} \approx T, \quad T_{wc} \approx T - w\sigma_T$$\sigma_T = \frac{2T}{\sqrt{V_0 m}}\sqrt{c_{pe} + \frac{\xi + (V_0+u_{el})/(\eta T)}{V}}$

Noise: $\hat{\xi} \approx \xi, \quad \xi_{wc} \approx \frac{T}{T_{wc}}\xi + w\sigma_\xi$$\sigma_\xi = \sqrt{\frac{2}{V_0 m}}\frac{\eta T\xi + V_0 + u_{el}}{\eta T_{wc}}$

Where w is determined by error probability ε_pe:

• Gaussian approximation: $w = \sqrt{2}\text{erf}^{-1}(1-2\varepsilon_{pe})$
• Chi-square distribution bound: $w = \sqrt{2\ln\varepsilon_{pe}^{-1}}$

Final Key Rate Formula

Asymptotic key rate: $R_\infty = H(l) - \chi(l:E)_\rho - n^{-1}\text{leak}_{ec}$

For Gaussian-modulated protocols: $R_\infty = \beta I(x:y) - \chi(y:E)_\rho$

Composable key rate upper bound: $R_{UB} = \frac{p_{ec}[nR_\infty - \sqrt{n}\Delta_{aep} + \theta]}{N}$

Composable key rate lower bound (optimal PA): $R_{LB} = R_{UB} - \frac{p_{ec}}{N}$

Including parameter estimation: Replace $R_\infty$ with $R^{pe}_\infty = R_\infty(\hat{p}, p_{wc})$

Total epsilon security: $\varepsilon = \varepsilon_{cor} + \varepsilon_s + \varepsilon_h + p_{ec}\varepsilon_{ent} + p_{ec}n_{pm}\varepsilon_{pe}$

Experimental Setup

Protocol Configuration

This paper primarily analyzes two Gaussian-modulated coherent state protocols:

1. Homodyne Detection

• Mutual information: $I(x:y) = \frac{1}{2}\log_2[1 + \frac{V}{\xi + (1+u_{el})/(T\eta)}]$
• Eve's Holevo information: Computed via symplectic eigenvalues of covariance matrix

2. Heterodyne Detection

• Mutual information: $I(x:y) = \log_2[1 + \frac{V}{\xi + (2+u_{el})/(T\eta)}]$
• Extendable to coherent attacks (via Gaussian de Finetti reduction)

Channel Model

Thermal loss channel:

• Transmittance: $T = 10^{-D/10}$ (D in dB loss)
• Excess noise: ξ
• Eve injects two-mode squeezed vacuum state (TMSV) with variance $\omega = \frac{T\xi}{1-T} + 1$

Parameter Settings

Experimental parameters for Figures 1 and 2:

• Reconciliation efficiency: β = 0.98
• Error correction success probability: p_ec = 0.95
• Excess noise: ξ = 0.01
• Detection efficiency: η = 0.6
• Electronic noise: u_el = 0.1
• Security parameters: all epsilon = 2^{-32}
• Alphabet size: |L| = 2^7 (homodyne), |L| = 2^{14} (heterodyne)
• Block size: N = 10^7
• Parameter estimation: m = N/10

Evaluation Metrics

1. Key rate (bits/use): Secure key bits generated per channel use
2. Loss robustness: Key rate variation with channel loss (dB)
3. Block size dependence: Key rate variation with block size N

Comparison Methods

• Baseline: Based on old formulas from references 20-21 (Eq. 43): $R^{old}_{LB} = \frac{p_{ec}[nR_\infty - \sqrt{n}\Delta'_{aep} + \theta' - 1]}{N}$ Where $\theta' = \theta + \log_2[p_{ec}(1-\varepsilon_s^2/3)]$ and $\Delta'_{aep}$ uses more conservative epsilon values

Experimental Results

Main Results

Figure 1: Key Rate vs. Channel Loss

Homodyne Detection:

• At low loss (0-2 dB): Minor difference between new and old methods (~10^{-2} bits/use)
• At medium loss (3-4 dB): New method significantly outperforms old method
• At high loss (5-6 dB):
  • New method: key rate ~10^{-4} bits/use
  • Old method: key rate ~10^{-5} bits/use
  • ~10-fold improvement
• Loss threshold extended: New method maintains positive key rate at higher losses

Heterodyne Detection:

• Overall key rate lower than homodyne (due to V_0=2)
• Similar improvement trend as homodyne
• At 6 dB loss, new method key rate is 5-10 times that of old method

Key findings:

1. Improvements more pronounced in high-loss regime
2. Upper bound R_UB and lower bound R_LB nearly overlap, indicating tight theory
3. New method enables CV-QKD viability at greater distances

Figure 2: Key Rate vs. Block Size

Fixed loss at 7 dB:

• Block size range: 10^8 - 10^9
• New method (solid line):
  • 10^8: ~2×10^{-4} bits/use
  • 10^9: ~6×10^{-4} bits/use
• Old method (dashed line):
  • 10^8: ~5×10^{-5} bits/use
  • 10^9: ~3×10^{-4} bits/use

Improvement magnitude:

• At N=10^8, new method key rate is 4 times that of old method
• At N=10^9, improvement is 2 times
• More significant improvements at smaller block sizes

Practical significance:

• Reduced required block size means faster key generation
• Decreased demands on quantum storage and computational resources
• Enhanced feasibility of practical deployment

Performance Comparison Summary

Theoretical Validation

1. Upper-lower bound consistency: R_UB ≈ R_LB, indicating tight theoretical analysis
2. Asymptotic behavior: Key rate increases with N, consistent with diminishing $\sqrt{n}$ term effects
3. Parameter optimization: Further performance gains possible through modulation variance V optimization

Related Work

Development History of CV-QKD

1. Early theory (1999-2002):
   • Ralph 7: Continuous variable cryptography foundations
   • Grosshans & Grangier 11: Coherent state QKD
2. Security proofs (2006-2008):
   • Navascues et al. 12: Optimality of Gaussian attacks
   • Pirandola et al. 13: Characterization of collective attacks
3. Finite-size analysis (2010-2015):
   • Leverrier et al. 14: First finite-size analysis
   • Ruppert et al. 15: Long-distance CV-QKD
4. Composable security (2015-2021):
   • Leverrier 17, 19: Coherent state composable security
   • Pirandola 20, 21: Free-space and network security
   • This paper: Improved composable key rates

Key Technical Comparison

Advantages of This Paper

1. Mathematical rigor: Appendix A provides complete proofs
2. Generality: Applicable to multiple CV-QKD protocol variants
3. Practicality: Reduced block size requirements, improved loss tolerance
4. Completeness: Includes parameter estimation, entropy estimation, and all practical considerations

Conclusions and Discussion

Main Conclusions

1. Theoretical improvement: Through improved tensor product reduction and precise leakage term treatment, obtain superior composable key rate formulas
2. Performance enhancement: 2-10× key rate improvement over prior literature, especially at high loss and small block sizes
3. General framework: Theory applicable to discrete/continuous modulation, homodyne/heterodyne detection, MDI-QKD, and other protocol variants
4. Practical value: Enables CV-QKD viability at greater distances and smaller block sizes

Limitations

1. Collective attack assumption: Main results based on collective attacks; while heterodyne protocols extend to coherent attacks, additional overhead required
2. Parameter estimation method: Uses specific estimation method (Appendix B); actual systems may employ different approaches
3. Idealization assumptions:
   • Assumes stable channel (multi-block sessions)
   • Assumes local parameters like detection efficiency are trusted
   • Does not account for finite-resolution ADC effects
4. Numerical optimization: Requires optimization of parameters like modulation variance V, increasing implementation complexity

Future Directions

1. Extension to more attack models: Generalize improvements to general coherent attacks
2. Experimental verification: Validate theoretical predictions in actual CV-QKD systems
3. Adaptive protocols: Combine real-time parameter estimation with adaptive modulation strategies
4. Network scenarios: Extend theory to multi-user and network topologies
5. Comparison with DV-QKD: Detailed performance boundary comparison between CV and discrete-variable QKD

Important Clarifications (Sec. IV)

Correct understanding of epsilon-security:

• ε_cor and ε_sec are unconditional probabilities (already averaged)
• ε_pe and ε_ent must be multiplied by p_ec (since PE precedes EC)
• Total epsilon: $\varepsilon \leq \varepsilon_{cor} + \varepsilon_{sec} + \varepsilon_{ent} + n_{pm}\varepsilon_{pe}$

Two definitions of key rate:

• Conditional key rate: $R_{cond} = sn/N$ (given EC success)
• Unconditional key rate: $R = p_{ec}R_{cond}$ (averaged output)

In-Depth Evaluation

Strengths

1. Mathematical Rigor

• Complete proofs: Appendix A provides detailed proof of tensor product reduction theorem (12-step construction)
• Rigorous derivation: Each step grounded in theoretical foundations
• Tight bounds: Upper and lower bounds nearly coincide (differ only by p_ec/N)

2. Theoretical Innovation

• Core breakthrough: Eq. 31 tensor product reduction is key innovation, solving the difficult problem of analyzing post-EC states
• Refined treatment: More precise handling of leakage terms and epsilon parameters
• General framework: Theory applicable to multiple protocol variants

3. Practical Value

• Significant improvement: 2-10× key rate enhancement, not marginal
• Lowered barriers: Reduced block size requirements, decreased implementation difficulty
• Extended range: Increased transmission distance, enhanced CV-QKD competitiveness

4. Completeness

• Full process coverage: From quantum communication through parameter estimation, error correction, privacy amplification
• Practical considerations: Includes entropy estimation, error correction efficiency, and engineering details
• Multi-protocol support: Homodyne, heterodyne, MDI-QKD, etc.

5. Writing Quality

• Clear structure: Theory built step-by-step, easy to follow
• Consistent notation: Uniform mathematical symbol usage
• Detailed appendices: Key proofs and derivations in appendices

Weaknesses

1. Lack of Experimental Verification

• Theory only: No experimental data from actual CV-QKD systems
• Parameter assumptions: Figure parameters (β=0.98, p_ec=0.95) are assumed values without justification of practical achievability
• Limited comparisons: No numerical comparison with other recent methods (e.g., 23-27)

2. Insufficient Complexity Analysis

• Computational overhead: No discussion of computational complexity of new method
• Optimization difficulty: Requires joint optimization of multiple parameters (V, ε_cor, ε_sec, etc.)
• Implementation guidance: Lacks concrete implementation algorithms and pseudocode

3. Limited Applicability Range

• Collective attacks primary: Coherent attack extension limited to heterodyne protocols
• Stable channel assumption: Multi-block sessions require channel stability
• Idealized models: Does not account for real system non-idealities (e.g., phase noise, frequency drift)

4. Parameter Estimation Limitations

• Specific method: Appendix B estimation method based on specific assumptions (e.g., CLT, chi-square distribution)
• Finite samples: m=N/10 choice insufficiently justified
• Ignored correlations: Assumes independent T and ξ estimation; actual systems may have correlations

5. Missing DV-QKD Comparison

• Performance comparison: No comparison with latest discrete-variable QKD results
• Advantage analysis: Unclear in which scenarios CV-QKD outperforms DV-QKD
• Cost-benefit: No discussion of implementation cost vs. performance tradeoffs

Impact

Contributions to the Field

1. Theoretical progress: Advances precision of CV-QKD composable security theory
2. Methodology: Tensor product reduction technique potentially applicable to other quantum cryptography protocols
3. Practical promotion: Enhances CV-QKD practicality, facilitates commercialization

Potential Impact

• Short-term: Influences CV-QKD system design and parameter selection
• Medium-term: Likely becomes standard method for CV-QKD security analysis
• Long-term: Facilitates CV-QKD deployment in quantum communication networks

Reproducibility

• Theory reproducible: Detailed mathematical derivations, easily verifiable
• Numerics reproducible: Figure 1-2 parameters explicit, results reproducible
• Experiments reproducible: Requires actual CV-QKD system, higher barrier

Applicable Scenarios

Ideal Application Scenarios

1. Metropolitan quantum networks: 10-50 km distances, block sizes 10^7-10^8
2. Stable fiber links: Slowly varying channel parameters, multi-block sessions feasible
3. High security requirements: Applications requiring composable security guarantees
4. Standard telecom equipment: Leveraging CV-QKD hardware advantages

Inapplicable Scenarios

1. Ultra-short distances (<5 km): Improvements marginal, DV-QKD possibly superior
2. Highly dynamic channels: Mobile communications, difficult parameter estimation
3. Ultra-long distances (>100 km): Even with improvements, key rates remain very low
4. Low computational resources: Requires optimization and numerical computation

Extension Directions

1. Satellite communications: Extension to free-space channels (requires atmospheric turbulence consideration)
2. Measurement-device-independent: Application to CV-MDI-QKD (mentioned in paper)
3. Post-quantum cryptography: Hybrid use with classical post-quantum algorithms
4. Quantum networks: Multi-user and relay scenarios

Key References

1 Pirandola et al., Advances in quantum cryptography, Adv. Opt. Photon. 2020 - Survey literature

4-6 Pirandola et al., PLOB bound and network capacity - Fundamental limit theory

17 Leverrier, Composable security proof for CV-QKD, PRL 2015 - Composable security foundations

19 Leverrier, Gaussian de Finetti reduction, PRL 2017 - Coherent attack extension

20-21 Pirandola, Previous composable security works, PRR 2021 - Baseline improved by this paper

36-37 Tomamichel, Leftover hashing and quantum information theory - Mathematical tools

Overall Evaluation

This is a high-quality theoretical paper making substantive contributions to CV-QKD composable security. The core innovation (improved tensor product reduction) possesses mathematical depth, and performance improvements (2-10×) have practical value. The paper's mathematical rigor and completeness are commendable, though lack of experimental verification and comprehensive comparison with latest methods represent main shortcomings.

Recommendation Score: ⭐⭐⭐⭐☆ (4.5/5)

• Theoretical novelty: ⭐⭐⭐⭐⭐
• Mathematical rigor: ⭐⭐⭐⭐⭐
• Practical value: ⭐⭐⭐⭐
• Experimental validation: ⭐⭐
• Writing quality: ⭐⭐⭐⭐⭐

Target Readers: Quantum cryptography researchers, CV-QKD system designers, quantum information theorists