*Article* **Improving Parameter Estimation of Entropic Uncertainty Relation in Continuous-Variable Quantum Key Distribution**

#### **Ziyang Chen 1, Yichen Zhang 2, Xiangyu Wang 2, Song Yu <sup>2</sup> and Hong Guo 1,\***


Received: 19 April 2019 ; Accepted: 1 July 2019; Published: 2 July 2019

**Abstract:** The entropic uncertainty relation (EUR) is of significant importance in the security proof of continuous-variable quantum key distribution under coherent attacks. The parameter estimation in the EUR method contains the estimation of the covariance matrix (CM), as well as the max-entropy. The discussions in previous works have not involved the effect of finite-size on estimating the CM, which will further affect the estimation of leakage information. In this work, we address this issue by adapting the parameter estimation technique to the EUR analysis method under composable security frameworks. We also use the double-data modulation method to improve the parameter estimation step, where all the states can be exploited for both parameter estimation and key generation; thus, the statistical fluctuation of estimating the max-entropy disappears. The result shows that the adapted method can effectively estimate parameters in EUR analysis. Moreover, the double-data modulation method can, to a large extent, save the key consumption, which further improves the performance in practical implementations of the EUR.

**Keywords:** entropic uncertainty relation; continuous-variable quantum key distribution; finite-size effect; composable security; double-data modulation

#### **1. Introduction**

The quantum key distribution (QKD) [1–5] is one of the most mature quantum cryptography technologies, which can provide information-theoretical provable security together with the one-time pad method. The idea of QKD is to employ the basic principles of quantum physics to ensure the security of random keys and to use classical post-processing methods to find potential eavesdropping behaviors. Based on the dimension of the Hilbert space of the encoding, QKD can be roughly divided into two categories. One kind of protocol is called the discrete-variable (DV) protocol, in which the dimension of the Hilbert space is finite. DV-QKD protocols have the superiority of long transmission distance, but depending on high-performance dedicated devices such as single-photon detectors. As an alternative, continuous-variable (CV) protocols, which use the infinite dimension of Hilbert space as the key space, give us opportunities to achieve the QKD process via off-the-shelf commercial components, e.g., homodyne detector and heterodyne detector.

The first idea of the CV-QKD protocol was exploiting squeezed states to carry the key information [6–9]. Then, in order to weaken the dependence on the squeezed-state sources, the coherent-state-based CV-QKD protocols were proposed [10–12]. During these twenty years, research on protocol design and corresponding experimental verification was developing rapidly. Different

novel CV-QKD protocols have been proposed, such as the two-way protocol [13–18], the discrete modulation protocol [19–21], the measurement-device-independent (MDI) protocol [22–28], etc., each of which has its own advantages in different scenarios. Besides the protocol design, the experiments also have made a tremendous step forward with the progress of today's technology [29–31].

The core of QKD is the security, and there have been many security analysis methods proposed to investigate the security of different CV-QKD protocols [4]. For the convenience of the security analysis, the eavesdropper's ability is usually restricted to three different levels, namely individual attacks, collective attacks, and coherent attacks. Individual attacks and collective attacks are, to some extent, to restrict the eavesdropper's (Eve's) attack ability, so that the exchanged state between Alice (sender) and Bob (receiver) can be treated as an identical and independently distributed (i.i.d.) state, i.e., *<sup>ρ</sup>A<sup>N</sup> <sup>B</sup><sup>N</sup>* = *<sup>σ</sup>*⊗*<sup>N</sup> AB* (where *N* is the number of exchanged signals), which can simplify the security analysis. However, a protocol is unconditionally secure only when it is secure under coherent attacks, due to the fact that coherent attacks do not limit the ability of eavesdroppers, thereby the most general attacks. In the case of coherent attacks, the exchanged states between Alice and Bob do not have the i.i.d. structure anymore; thus, the security proof is complicated.

Diverse security analysis techniques have been developed to analyze the security of different protocols under coherent attacks, typically the de Finetti theorem [32,33], the post-selection technique [34,35], and the entropic uncertainty relation (EUR) [36–38]. Those analysis methods can also be applied to analyze the quantum random number generation protocols [39,40]. Different analysis methods have their advantages and disadvantages, so they are suitable for the analysis of different protocols (see [4] for detailed discussions). The advantages of the EUR lies in its intuitive physical meaning (corresponding to the guessing game [41]) and the simple estimation method. Most of the work has been done in the EUR in [36], except for the finite-size effect in estimating the covariance matrix (CM). However, in practical experiments, the estimation of the CM is always achieved by limited data; thus, the finite-size effect not only affects the estimation of min-entropy, but also the estimation of leakage information.

In this work, we focus on the parameter estimation of the EUR in CV-QKD, especially on the finite-size estimation of the CM, and the modified estimation on the max-entropy. The discussion involves only the squeezed state/homodyne detection-type protocols and has no assumption on Eve's ability, namely under coherent-attack cases. Due to the influence of the finite block length of the key, the estimation of the CM is inaccurate in the case of a short block length, compared with the ideal CM estimation cases (as shown in [36,37]). We exploit the parameter estimation technique developed in [42] to consider the estimation of the CM under practical block sizes. Furthermore, inspired by the double-modulation method developed in [42], we propose a double-data modulation method to estimate the parameters in the security analysis effectively, and only one modulation is needed rather than two, which simplifies the experimental structure of the double-modulation protocol. Since the exchanged state can be used for both parameter estimation and key generation, the estimation of the max-entropy is modified, and the statistical fluctuation of estimating the max-entropy disappears. The simulation result shows that the modified estimation method can, to a large extent, save the key consumption.

This paper is organized as follows. In Section 2, we review the composable security frameworks in QKD and give the description of the discussed protocol. In Section 3, we discuss in detail the channel parameter estimation process with finite-size. In Section 4, the modified parameter estimation method is proposed with double-data modulation. The numerical simulation and discussion are give in Section 5, and the conclusions are drawn in Section 6.

#### **2. Composable Security and Description of the Protocol**

In this work, we investigate the CV-QKD protocol under the universal composable framework (UCF), which can be seen in [43,44] for the details, and the discussion is under the coherent-attack cases. The UCF is of great importance to compose sequential rounds of a protocol, and even if some of the rounds are imperfect and deviate from the ideal model, the UCF can well describe their defects. A general QKD protocol can always be divided into different parts; thus, one of the benefits of UCFs is that even if part of the protocol is imperfect, this imperfection can still be applied to subsequent analysis of the rest part of the protocol to obtain the final non-ideal key. Another advantage of UCFs is that the final imperfect key generated from a QKD system can be well quantified as *ε*-secure and then can be applied to other classical communication tasks, such as the one-time pad scenario.

To illustrate the composable security of QKD, we first use *sA* to denote Alice's key and use *sB* to denote Bob's key. In the ideal case, the keys should be correct, secret, and robust. Correctness means, for each round of the protocol, the keys of Alice and Bob are always the same, namely *sA* = *sB* = *S*. Secrecy means the key is independent of the third part and only known to Alice and Bob themselves. Robustness requires that, in every round of the protocol, Alice and Bob can always generate a non-empty key, namely *S* = ⊥. If a QKD protocol can satisfy correctness, secrecy, and robustness, the protocol then can be called perfectly secure. We denote by {|*s*}*s*∈*<sup>S</sup>* the orthogonal bases of the key, by *ρ<sup>E</sup>* Eve's auxiliary quantum systems, and by *p*<sup>⊥</sup> the probability of generating an empty key set. The perfectly secure classical-quantum (cq) state between the key *S* and the environment *E* can be shown as follows,

$$\rho\_{sE}^{perfect} = (1 - p\_\perp) \sum\_{s \in S} \frac{1}{|S|} \left| s \right> \left< s \right| \otimes \rho\_E^s + p\_\perp \left| \perp \right> \left< \perp \right| \otimes \rho\_E^\perp. \tag{1}$$

Nevertheless, a protocol is always imperfect with practical issues, resulting in the security deviating from the ideal model. Therefore, the *ε*-security can be used to describe the practical security with imperfect features. We denote by *εc*,*εr*,*ε<sup>s</sup>* the smoothness parameters of practical correctness, robustness, and secrecy, respectively. *εc*-correctness requires that the key in Alice and Bob's sides be different only with very small probability *εc*, namely Pr(*sA* = *sB*) ≤ *εc*. *εr*-robustness requires that the set of the keys is empty only with a small probability, given by Pr(*S* = ⊥) ≤ *εr*. *εs*-secrecy can be treated as the distance between the practical security and the perfect security, in terms of the trace distance, given by <sup>1</sup> 2 ) ) )*ρsE* <sup>−</sup> *<sup>ρ</sup>per f ect sE* ) ) ) <sup>1</sup> <sup>≤</sup> *<sup>ε</sup>s*. In summary, if a QKD protocol can contain *<sup>ε</sup>c*-correctness, *εr*-robustness, and *εs*-secrecy, then the protocol can be called *ε*-secure, with *ε* = *ε<sup>c</sup>* + *ε<sup>r</sup>* + *εs*.

Let us start with the execution of the prepare-and-measure (PM) version of the squeezed-states protocol. The protocol can be divided into sequential parts, as shown in Figure 1, which can be described by the following steps:


classical error reconciliation algorithm, e.g., low-density-parity-check (LDPC) code, to correct Alice's error (in reverse reconciliation cases) or Bob's error (in direct reconciliation cases).

6. **Privacy amplification**: Alice and Bob randomly choose a universal2 hash function [45] and apply it to their respective keys to get the final private keys *sA* and *sB* with length , which are only known to themselves.

**Figure 1.** Prepare-and-measure (PM) scheme of continuous-variable (CV)-quantum key distribution (QKD) using squeezed states. Source: squeezed-state source with squeezed variance *VS*; Mod: modulators containing amplitude and phase quadrature modulators with total modulation variance *VM*; Hom: homodyne detection; *xM*: Gaussian modulation data on Alice's side; *xB*: measurement results on Bob's side; Quantum channel: channel for the transmission of quantum states, with the transmittance *τ* and the excess noise *ε*; Classical channel: channel for the transmission of classical data during the post-processing procedure.

According to the UCF, one can write the upper bound of the final key length *low*, even if the above steps are not ideal, given by [43]:

$$\ell\_{low} = H\_{\min}^{\varepsilon} \left( \mathbf{x}\_{\text{B}} | E \right) - \ell\_{\text{EC}} - \log\_2 \frac{1}{\varepsilon\_1^2 \varepsilon\_\text{c}} + 2,\tag{2}$$

where *H<sup>ε</sup>* min (*xB*|*E*) is the smooth min-entropy of *xB* conditioned on the information Eve may hold, with smoothing parameter *ε*, and *ε*<sup>1</sup> is the smoothness of the physical part of the protocol.

#### **3. Channel Parameter Estimation with Finite-Size**

There are roughly two parameters that need to be bounded in the protocol. One is the smooth min-entropy *H<sup>ε</sup>* min (*xB*|*E*), and the other is the leakage information *EC*. We separately discuss the estimation of the two parameters in two parts.

#### *3.1. Estimation of Smooth Min-Entropy*

There are different ways to estimate the min-entropy under coherent attacks. For instance, the de Finetti theorem [32,33], which can reduce the analysis from the coherent attack case to the collective attack case, has been successfully used to prove the security of CV-QKD protocols with the source of coherent states [27,46]. The EUR has also been exploited to prove the security of squeezed-state-type protocols [28,36,37]. In this work, we focus on using the uncertainty relation to bound the min-entropy of the key.

In practical experiments, *xM* and *xB* are always discretized. We denote *α* as the maximum discretization range of the sampling interval and denote *δ* as the discrete precision of the measurement, which satisfy <sup>2</sup>*α*/*δ*=2*<sup>L</sup>* <sup>∈</sup> <sup>N</sup>, where *<sup>L</sup>* is the number of discrete bits. Therefore, the measurement result will fall into different intervals, namely,

$$\left( \left( -\infty, -a \right], \left( -\infty, -a + \delta \right] \right), \dots \left( -a + (k-1)\delta, -a + k\delta \right], \dots \left( a - \delta, a \right], \left( a, +\infty \right), \tag{3}$$

where *k* = {1, 2, . . . , 2*α*/*δ*}. One can bound the smooth min-entropy of the discretized data *xB* conditioned on Eve's information *H<sup>ε</sup>* min (*xB*|*E*) according to the CV version of EUR, given by:

$$H\_{\text{min}}^{\varepsilon} \left( \mathbf{x} \boldsymbol{\varrho} | \boldsymbol{E} \right) \geq -n \log \mathcal{c} \left( \boldsymbol{\delta} \right) - H\_{\text{max}}^{\varepsilon'} \left( \mathbf{x} \boldsymbol{\mu} | \mathbf{x} \boldsymbol{\varrho} \right), \tag{4}$$

where *c* quantifies the maximum overlap of the two measurements, namely *c* = max *<sup>x</sup>*,*<sup>z</sup>* |X*<sup>x</sup>* <sup>|</sup> <sup>Z</sup>*z*|<sup>2</sup> and X and Z are mutually unbiased bases; hence, *c* (*δ*) is the overlap between discrete quadrature measurements related to the interval length *δ*, which reads:

$$
\mathcal{L}\left(\delta\right) = \frac{1}{2\pi} \delta^2 S\_0^{(1)} \left(1, \frac{\delta^2}{4}\right)^2,\tag{5}
$$

where *S*(1) <sup>0</sup> (.) is the zeroth radial prolate spheroidal wave function of the first kind [47] and *S*(1) 0 1, *<sup>δ</sup>*<sup>2</sup> 4 2 is approximately one if *δ* is small. The term *Hε* max (*xM*|*xB*) in Equation (4) denotes the max-entropy between Alice's and Bob's data, with smoothing parameter *ε* = *ε<sup>s</sup>* \* 4*ppass* − 2 ( 2 1 − (1 − *pα*) *<sup>n</sup>*+√*ppass*, where *<sup>p</sup><sup>α</sup>* is the probability that the measurement is outside of the detection range.

According to Equation (4), in order to give a lower bound of the min-entropy, one should estimate the upper bound of the max-entropy using some of the raw keys during the parameter estimation phase. First, the average distance, which quantifies the correlation between Alice's and Bob's data, should be estimated, given by:

$$d\left(\mathbf{x}\_{M}^{PE}, \mathbf{x}\_{B}^{PE}\right) = \frac{1}{m} \sum\_{i=1}^{m} |M\_{i} - B\_{i}| \,\tag{6}$$

where we use *Mi* to denote the *i* th modulating value and *Bi* denotes the *i* th measurement result, for *i* = 1, 2, ... , *m*, respectively. If the data distance *d xPE <sup>M</sup>* , *<sup>x</sup>PE B* is smaller than a certain threshold *d*0, the parameter estimation step passes. Then, one can bound the max-entropy according to Serfling's large deviation bound [48], given by:

$$H\_{\text{max}}^{\varepsilon} \left( \mathfrak{x}\_{M} | \mathfrak{x}\_{B} \right) \leq n \log\_{2} \gamma \left( d\_{0} + \mu \right),\tag{7}$$

where *γ* is a large deviation function, which reads:

$$\gamma(t) = \left(t + \sqrt{t^2 + 1}\right) \left[\frac{t}{\sqrt{t^2 + 1} - 1}\right]^t,\tag{8}$$

and *μ* quantifies the impact of statistical fluctuations resulting from estimating "data parameter" *Hε* max (*xM*|*xB*) by "PEparameter" *<sup>H</sup><sup>ε</sup>* max *xPE <sup>M</sup>* <sup>|</sup>*xPE B* , which reads:

$$
\mu = \frac{2\alpha}{\delta} \sqrt{\frac{\mathcal{N}\left(m+1\right)}{nm^2} \ln \frac{1}{\mathcal{E}'}} \tag{9}
$$

where *N* denotes the total number of exchanged signals and satisfies *N* = *n* + *m*.

#### *3.2. Ideal Estimation of Leakage Information with Infinite-Size*

To estimate the leakage information in the error correction phase, we model Eve's behavior by the entangling cloner attack model, which is the most common example of a Gaussian attack [49]. We point out that the whole analysis of this paper is under the most general coherent attacks and has no restriction on Eve's ability. The model of the entangling cloner attack is only for intuitive understanding, and it is convenient to investigate the performance of the protocol, which can be used

to estimate the lower bound of the key rate. Even if Eve's attack is not the entangling cloner attack, the following analysis also holds, resulting from the fact that in a practical experiment, we do not need to assume the eavesdropper's strategy in advance and only need to estimate the channel parameters by the existing data that Alice and Bob hold.

The quadrature of the quantum state sent by Alice's side is denoted by *xA* = *xs* + *xM*. In order to obtain the correlation between Alice and Bob after passing through the channel, we assume Eve performs the entangling cloner attack, where Eve's state is modeled by a two-mode squeezed vacuum (TMSV) state *ρeE*<sup>0</sup> with the CM *γeE*<sup>0</sup> , which reads:

$$\gamma\_{\varepsilon \to 0} = \left( \begin{array}{c} \omega \mathbf{I} \\ \sqrt{\omega^2 - 1} \mathbf{Z} \end{array} \begin{array}{c} \sqrt{\omega^2 - 1} \mathbf{Z} \\ \omega \mathbf{I} \end{array} \right), \tag{10}$$

where *ω* is the variance of the TMSV, **I** = diag (1, 1), and **Z** = diag (1, −1). The channel is modeled by a beam splitter with the transmittance *τ*, whose CM is given by:

$$S\_{\mathsf{T}} = \begin{pmatrix} \sqrt{\mathsf{T}}\mathbf{I} & \sqrt{\mathsf{I} - \mathsf{T}}\mathbf{I} \\ -\sqrt{\mathsf{I} - \mathsf{T}}\mathbf{I} & \sqrt{\mathsf{T}}\mathbf{I} \end{pmatrix} \tag{11}$$

and the excess noise *ε* can be defined as *ε* := (1 − *τ*) (*ω* − 1) \* *τ*. Thus, it is easy to deduce the quadrature on Bob's side after passing through the quantum channel, given by:

$$\mathbf{x}\_{B} = \sqrt{\tau}\mathbf{x}\_{A} + \sqrt{1-\tau}\mathbf{x}\_{0} + \mathbf{x}\_{\varepsilon} = \sqrt{\tau}\mathbf{x}\_{M} + \mathbf{x}\_{N\prime} \tag{12}$$

where *xN* <sup>=</sup> <sup>√</sup>*τxs* <sup>+</sup> <sup>√</sup><sup>1</sup> <sup>−</sup> *<sup>τ</sup>x*<sup>0</sup> <sup>+</sup> *<sup>x</sup>ε*. Assuming that the squeezing operation is performed for *<sup>x</sup>* quadrature, the mutual information between Alice and Bob reads:

$$I^x(A:B) = \frac{1}{2} \log\_2 \frac{V\_B}{V\_{B|A}} = \frac{1}{2} \log\_2 \left( 1 + \frac{\tau \sigma\_x}{V\_N} \right),\tag{13}$$

and *VN* has the form:

$$V\_N = 1 + \tau \varepsilon + \tau \left(V\_S - 1\right) := 1 + V\_\varepsilon + \tau \left(V\_S - 1\right). \tag{14}$$

When Alice and Bob perform the error correction step, they need to randomly announce part of the information through the public channel, which is also revealed to Eve. It is assumed that eavesdroppers can monitor all classical communication processes; thus, the amount of information leaked in the error correction process must be well estimated and then removed from the final keys. The leakage information *EC* in the error correction step can be described as

$$\ell\_{E\overline{C}}^{DR} = H(\mathbf{x}\_M) - \beta I^\mathbf{x} \text{ ( $A : B$ )}\,,\tag{15}$$

in the direct reconciliation (DR) case and:

$$\ell\_{\rm EC}^{RR} = H(\mathfrak{x}\_B) - \beta I^{\chi} \left( A : B \right) \,, \tag{16}$$

in the reverse reconciliation (RR) case, where *β* is the reconciliation efficiency.

#### *3.3. Practical Estimation of Leakage Information with Finite-Size*

In the previous works, the estimator of the leakage information ˆ *EC* was treated as an asymptotic parameter, which is independent of the total key length. However in practice, the estimation of ˆ *EC* cannot be accurate especially when the key length is not large, further affecting the performance of the error correction. To take finite-size effects into consideration, the estimator ˆ *EC* under a practical block length needs to be estimated. We adapt the estimation method shown in [42] to analyze the characteristics of the channel. Here, we only give the main results of the previous work, and the detailed derivation can be seen in [42]. In the practical experiment, the data on Alice's side is actually the modulated data *xM*; thus, the key of parameter estimation is to estimate the CM *γMB*, namely *γMB* = [*VM***I**, *cMB***Z**; *cMB***Z**, *VB***I**]. The relation of *xM* and *xB* (Alice's and Bob's data) has the form of *xB* <sup>=</sup> <sup>√</sup>*τxM* <sup>+</sup> *xN*, where *xN* is the aggregated noise with zero mean, and the variance is shown in Equation (14). The covariance of *xM* and *xB* is:

$$\mathcal{C}ov\left(\mathbf{x}\_{M}, \mathbf{x}\_{B}\right) = \sqrt{\pi}V\_{M} =: \mathbf{c}\_{MB}.\tag{17}$$

For obtaining the estimator of covariance *c*ˆ*MB*, we also use *Mi* denoting the *i* th modulating value and *Bi* denoting the *i* th measurement result, for *i* = 1, 2, ... , *m*, respectively. According to the maximum likelihood estimation, we can get:

$$\mathcal{E}\_{MB} = \frac{1}{m} \sum\_{i=1}^{m} \mathcal{M}\_{\bar{i}} B\_{\bar{i}}.\tag{18}$$

and it is easy to compute the expectation value E [*c*ˆ*MB*] and the variance V [*c*ˆ*MB*] by assuming *Mi* and *Bi* are two independent Gaussian variables with zero mean values, which read:

$$\mathbb{E}\left[\mathcal{E}\_{MB}\right] = \mathcal{c}\_{MB} \tag{19}$$

$$\mathbb{V}\left[\hat{\varepsilon}\_{MB}\right] = \frac{\mathbb{1}V\_M^2}{m}\left(2 + \frac{V\_N}{\pi V\_M}\right). \tag{20}$$

According to Equation (17), we can get the estimator *τ*ˆ of *τ*, which reads:

$$\mathfrak{X} = \frac{\hat{\mathcal{C}}\_{MB}^2}{V\_M^2} = \frac{\mathbb{V}\left[\mathbb{\mathcal{E}}\_{MB}\right]}{V\_M^2} \left(\frac{\mathbb{\mathcal{E}}\_{MB}}{\sqrt{\mathbb{V}\left[\mathbb{\mathcal{E}}\_{MB}\right]}}\right)^2,\tag{21}$$

where  <sup>√</sup>*c*ˆ*MB* V[*c*ˆ*MB*] 2 follows the *χ*2-distribution, namely,

$$\left(\frac{\hat{\varepsilon}\_{MB}}{\sqrt{\mathbb{V}\left[\hat{\varepsilon}\_{MB}\right]}}\right)^2 \sim \chi^2\left(1, \frac{\hat{\varepsilon}\_{MB}^2}{\mathbb{V}\left[\hat{\varepsilon}\_{MB}\right]}\right). \tag{22}$$

Then, we can calculate the expectation value of *τ*ˆ, which reads:

$$\mathbb{E}\left(\mathbf{f}\right) = \boldsymbol{\tau} + O\left(1/m\right),\tag{23}$$

and the variance is given by:

$$\mathbb{V}\left(\hat{\tau}\right) = \frac{4\pi^2}{m} \left(2 + \frac{V\_N}{\pi V\_M}\right) + O\left(1/m^2\right). \tag{24}$$

For *m* 1, which is practical in experiments, the term *O* 1 \* *m*2 can be negligible due to the order 1 \* *m*<sup>2</sup> being small. Thus, we define new variance of *τ*ˆ under a practical block length, which reads:

$$
\sigma\_{\ddagger}^2 = \frac{4\pi^2}{m} \left( 2 + \frac{V\_N}{\pi V\_M} \right) , \tag{25}
$$

so that the confidence interval of estimating *τ* can be well quantified.

In order to estimate the upper bound of the leakage information *up EC*, one should give the lower bound of the transmittance *τ*. For practical purposes, we set the failure probability of the parameter estimation to *εPE* = 10−10, which corresponds to the confidence interval of 6.5*στ*ˆ, and one can estimate the lower bound of *τ*ˆ*low*, given by:

$$\mathfrak{t}^{low} = \mathbb{E}\left(\mathfrak{t}^{low}\right) := \mathfrak{t} - \mathfrak{6}.5\sigma\_{\mathfrak{t}}.\tag{26}$$

According to:

$$\mathbf{x}\_B = \sqrt{\tau} \left( \mathbf{x}\_M + \mathbf{x}\_S \right) + \sqrt{1 - \tau} \mathbf{x}\_0 + \mathbf{x}\_\ell = \sqrt{\tau} \mathbf{x}\_M + \mathbf{x}\_{N\prime} \tag{27}$$

the estimator of *Vε* can also be calculated by the maximum likelihood estimation with the following form:

$$\hat{\mathcal{V}}\_{\mathfrak{c}} = \frac{1}{m} \sum\_{i=1}^{m} \left( B\_i - \sqrt{\hat{\mathfrak{r}}} \mathcal{M}\_i \right)^2 + \mathfrak{r} \left( 1 - V\_S \right) - 1. \tag{28}$$

In the case of *m* 1, the estimator *τ*ˆ converges rapidly to the actual value *τ* as *m* increases, owing to the variance of *τ*ˆ being negligible. Thus, here, we use *τ* to replace *τ*ˆ to simplify the estimation process. Noticing that the term <sup>1</sup> *m m* ∑ *i*=1 *Bi*−<sup>√</sup> <sup>√</sup> *<sup>τ</sup>Mi VN* 2 also follows the *χ*2-distribution with the expectation value E 1 *m m* ∑ *i*=1 *Bi*−<sup>√</sup> <sup>√</sup> *<sup>τ</sup>Mi VN* 2 = *m* and variance V 1 *m m* ∑ *i*=1 *Bi*−<sup>√</sup> <sup>√</sup> *<sup>τ</sup>Mi VN* 2 = 2*m*, respectively, resulting from *Bi* <sup>−</sup> <sup>√</sup>*τMi* being Gaussian distributed with variance *VN*, therefore, one can get the following approximation when *m* is large:

$$\sum\_{i=1}^{m} \left( B\_i - \sqrt{\tau} M\_i \right)^2 \approx V\_N \cdot \sum\_{i=1}^{m} \left( \frac{B\_i - \sqrt{\tau} M\_i}{\sqrt{V\_N}} \right)^2. \tag{29}$$

The expectation value of *V*ˆ *ε* can be obtained, which reads:

$$\mathbb{E}\left(\hat{V}\_{\varepsilon}\right) \approx \frac{1}{m} V\_N \cdot \mathbb{E}\left(\sum\_{i=1}^{m} \left(\frac{B\_i - \sqrt{\tau}M\_i}{\sqrt{V\_N}}\right)^2\right) + \tau \left(1 - V\_S\right) - 1 = V\_{\varepsilon} \tag{30}$$

and the variance of *V*ˆ *ε* can also be calculated, given by:

$$V \vee \left(\hat{V}\_{\varepsilon}\right) \approx \frac{2}{m} V\_N^2 + \sigma\_t^2 (1 - V\_S)^2 := \sigma\_{\mathcal{V}\_{\varepsilon}}^2. \tag{31}$$

The upper bound of the variance of excess noise can be given, also considering the failure probability of the parameter estimation to *εPE* = 10−10, which is:

$$\mathcal{V}\_{\varepsilon}^{\mu p} = \mathbb{E}\left(V\_{\varepsilon}^{\mu p}\right) := \mathcal{V}\_{\varepsilon} + 6.5r\_{\hat{V}\_{\varepsilon}}.\tag{32}$$

#### **4. Double-Data Modulation Method and the Modified Estimation Process**

Inspired by the double-modulation method developed in [42], we find that this estimation method is also useful in the parameter estimation of the EUR analysis method.

Here, we slightly modify the double-modulation method by pre-generating two sets of Gaussian random numbers, namely *xM*<sup>1</sup> and *xM*2, with variances *VM*<sup>1</sup> and *VM*<sup>2</sup> and zero mean values, encoding quantum states by new random variable *xM*, where *xM* = *xM*<sup>1</sup> + *xM*2. In this double-data modulation method, Alice holds both data *xM*<sup>1</sup> and *xM*<sup>2</sup> in her memories and then generates data *xM* according to data *xM*<sup>1</sup> and *xM*2. The generated data *xM* are used to modulate the quantum states. After Alice and Bob finish the key distribution processes, Alice reveals data *xM*<sup>2</sup> to perform the channel parameter estimation, and all the information about data *xM*<sup>1</sup> is not announced throughout the parameter estimation phase; thus, *xM*<sup>1</sup> can be used for the key extraction step without leaking information about the key during the parameter estimation step. The idea is very similar to that in [42], and the difference is that this double-data modulation method only needs one modulation rather than two, since we perform the pre-processing of two independent random variables, which simplifies the experimental setup of the double-modulation method.

Since all the exchanged signals can be used for both parameter estimation and key extraction, the estimation of the max-entropy needs to be modified. Recalling that in Section 3, the key point of estimating the max-entropy is to quantify the data distance *d xtotal <sup>M</sup>* , *<sup>x</sup>total B* . However, in traditional EUR method, not all the data can be used for the parameter estimation, and only part of the data (parameter estimation data) can be used to estimate the total data distance, resulting in the statistical fluctuation of the estimating distance, thereby *d xtotal <sup>M</sup>* , *<sup>x</sup>total B* is approximately replaced by *d xPE <sup>M</sup>* , *<sup>x</sup>PE B* + *μ*, where the first term is the distance between the parameter estimation data and the second term is the statistical fluctuation of estimating the total data distance by using the parameter estimation data. In the double-data modulation protocol, we modify the *L*<sup>1</sup> distance between the key-extraction data *xM*<sup>1</sup> and Bob's data *xB* by exploiting the absolute value inequality, given by:

$$\begin{split} d\left(\mathbf{x}\_{M1}, \mathbf{x}\_{B}\right) &= \frac{1}{N} \sum\_{N} \left| \mathbf{x}\_{B}^{i} - \mathbf{x}\_{M1}^{i} \right| \\ &\leq \frac{1}{N} \sum\_{N} \left| \mathbf{x}\_{B}^{i} - \mathbf{x}\_{M2}^{i} \right| + \frac{1}{N} \sum\_{N} \left| \mathbf{x}\_{M2}^{i} - \mathbf{x}\_{M1}^{i} \right| = d\left(\mathbf{x}\_{M2}, \mathbf{x}\_{B}\right) + d\left(\mathbf{x}\_{M1}, \mathbf{x}\_{M2}\right), \end{split} \tag{33}$$

where *d* (*xM*2, *xB*) denotes the *L*<sup>1</sup> distance between data *xM*<sup>2</sup> and *xB*, which can be estimated after Alice reveals data *xM*2, and *d* (*xM*1, *xM*2) denotes the *L*<sup>1</sup> distance between data *xM*<sup>1</sup> and *xM*2, which can be calculated on Alice's side locally. Here, we replace the number of parameter estimation signals *m* by *N* since all the exchanged signals are used in this step. Therefore, the max-entropy can be bounded after modifying the parameter estimation step, which reads:

$$H\_{\text{max}}^{\varepsilon} \left( \mathbf{x}\_{M1} | \mathbf{x}\_{B} \right) \le \text{Nlog}\_{2} \left( d \left( \mathbf{x}\_{M2}, \mathbf{x}\_{B} \right) + d \left( \mathbf{x}\_{M1}, \mathbf{x}\_{M2} \right) \right). \tag{34}$$

Due to the fact that all the states are exploited to perform parameter estimation, the statistical fluctuation of estimating *L*<sup>1</sup> distance disappears, which reduces the finite-size effect on estimating the max-entropy, especially in the short block size regime, where the statistical fluctuation cannot be negligible.

The remaining task is to estimate the confidence intervals of the channel parameters by using data *xM*<sup>2</sup> and *xB*, which is the standard estimation method shown in [42]. The quadrature of the received states on Bob's side can be rewritten in the following form after using the double-data modulation method,

$$\mathbf{x}\_{B} = \sqrt{\tau} \left( \mathbf{x}\_{M} + \mathbf{x}\_{S} \right) + \sqrt{1 - \tau} \mathbf{x}\_{0} + \mathbf{x}\_{t} = \sqrt{\tau} \mathbf{x}\_{M2} + \mathbf{x}\_{N'}^{\*} \tag{35}$$

where *x*∗ *<sup>N</sup>* <sup>=</sup> <sup>√</sup>*<sup>τ</sup>* (*xs* <sup>+</sup> *<sup>x</sup>*1) <sup>+</sup> <sup>√</sup><sup>1</sup> <sup>−</sup> *<sup>τ</sup>x*<sup>0</sup> <sup>+</sup> *<sup>x</sup><sup>ε</sup>* is the aggregated noise when we use *xM*<sup>2</sup> to perform the parameter estimation, with variance *V*∗ *<sup>N</sup>* = *τ* (*xs* + *x*<sup>1</sup> − 1) + 1 + *Vε*.

After comparing Equation (35) with Equation (27), it is easy to obtain the variances of the estimators *τ*ˆ and *V*ˆ *<sup>ε</sup>* by replacing *VM* with *VM*2, *VN* with *V*∗ *<sup>N</sup>*, and *m* with *N*, which are given by:

$$
\sigma\_{t^\*}^2 = \frac{4\tau^2}{N} \left( 2 + \frac{V\_N^\*}{\pi V\_{M2}} \right),
\tag{36}
$$

$$
\sigma\_{\hat{V}\_{\mathbf{t}}^{\*}}^{2} = \frac{2}{N} V\_{N}^{\*2} + \sigma\_{\mathbf{t}^{\*}}^{2} (1 - V\_{\mathbf{S}})^{2}. \tag{37}
$$

#### **5. Numerical Simulation and Discussion**

In this section, we focus on the simulation analysis of the protocol with the finite-size effect, containing the comparison of the protocol's performances between ideal and practical estimations of the CM and the comparison between standard estimation method and the modified double-data modulation method. The simulation assumes that Eve's attack is the entangling cloner attack. We stress

again that this attack model does not affect the security of the protocol and is just for the convenience of the simulation. In practice, we do not need to assume the attack model in advance and only need to estimate the correlation through the data in the hands of Alice and Bob. The correlation between Alice's and Bob's data can be verified according to whether the *L*<sup>1</sup> distance *d xPE <sup>M</sup>* , *<sup>x</sup>PE B* shown in Equation (6) is greater than the threshold parameter *d*0. If the relation *d xPE <sup>M</sup>* , *<sup>x</sup>PE B* < *d*<sup>0</sup> holds, we think the data between Alice and Bob are correlated. Otherwise, we abort the protocol. In order to determine whether the amount of data is sufficient for the parameter estimation, one needs to use the experimental data of Alice and Bob with a finite block size to estimate the practical parameters and to determine whether the finite-size effect is acceptable by simulation.

We point out that the analysis using the EUR does not rely on Eve's attack method in the experiment, which is due to two reasons. One reason is that the EUR security analysis method itself does not restrict Eve's ability [36], which means there is no need to assume that the quantum state is a product state *σ*⊗*<sup>N</sup> AB* , like the collective-attack analysis. Another reason is that the parameter estimation does not need to assume Eve's attacking model. The estimation of max-entropy only needs to estimate the data distance *d xPE <sup>M</sup>* , *<sup>x</sup>PE B* by *xM* and *xB*. The estimation of *EC* needs the variance of the measured data and the signal-to-noise ratio after transmission, which can be obtained from the statistical CM directly. Using the entangling cloner attack model to model Eve's behavior just aims at getting the lower bound of the transmittance *τ* and the upper bound of the excess noise *ε*, and then, the lower bound of the key rate can be calculated.

In the following discussion, we consider the squeezed vacuum states with a squeezing level of 13.1 dB and an anti-squeezing level of 25.8 dB, which has experimentally been achieved at 1550 nm with today's technology [50]. We set the reconciliation efficiency *β* to 95%, which is also easily achievable with CV-QKD's post-processing method [51,52]. The excess noise is chosen as *ε* = 0.01, and the security parameters are chosen as *ε<sup>c</sup>* = *ε<sup>s</sup>* = 10−9.

In Figure 2, we plot the key rate as a function of the transmission distance, expressed in terms of km. The lower bound of the key length is given by Equation (2), and the secret key rate is calculated by *low*\* *N*. The left panel and the right panel are the performances under the DR and RR cases, respectively. We give the comparison between the ideal CM estimation and the practical CM estimation with different practical block sizes, namely 107, 108, and 109. The solid lines are the protocol under ideal CM estimation, and the dashed lines are the performances under practical CM estimation. We can find that the finite-size effect of estimating the CM will slightly influence the final key rates, and the larger the block size, the smaller the impact. For a practical block size of the order of 109, there is almost no influence on the secret key rate.

In Figure 3, we plot the key rate of the protocol as a function of the block size and compare the performances under different transmission distances. In the DR case (left panel), the performances under transmission distances of 3 km, 5 km, and 10 km are illustrated, while the key rates under transmission distances of 3 km, 10 km, and 15 km are plotted in the RR case (right panel), respectively. We can see that the block length of the order of 107–109 is sufficient for the protocol under the composable security analysis, achieving rates over 10−<sup>1</sup> bits per channel use for transmission distances of about 10 km in DR and 15 km in RR, respectively. The results also show that, in the case of short transmission distance, the limited block length has a small impact on the performance of the protocol, which will be weakened with the increase of the block length. Moreover, in the case of relatively long transmission distance (approximately more than 10 km), the estimation of leakage information with finite-size has little effect on the final key since the case of long transmission distance requires a larger block size for the error correction.

**Figure 2.** Comparison of performances between the previous key rates and the modified results under different block lengths, namely, 107, 108, and 109. (**a**) shows the direct reconciliation (DR) cases, and (**b**) shows the reverse reconciliation (RR) cases. The solid lines are the performances under the ideal covariance matrix (CM) estimation, and the dashed lines are the performances under practical CM estimation considering finite-size. The reconciliation efficiency *β* is under a practical value of 95%, and the excess noise is chosen as *ε*= 0.01. We set the security parameters *ε<sup>c</sup>* = *ε<sup>s</sup>* = 10−<sup>9</sup> and the detection range to *α* = 61.6.

**Figure 3.** Comparison of performances between the previous key rates and the modified results under different transmission distances. (**a**) shows the direct reconciliation cases, and (**b**) shows the reverse reconciliation cases. The solid lines are the performances under ideal CM estimation, and the dashed lines are the performances under practical CM estimation considering finite-size. The parameters are chosen as in Figure 2.

The comparison of the performances between the standard estimation method and the modified double-data modulation method is shown in Figure 4, where the left panel shows the performances of two scenarios under different block sizes, while the right panel shows the protocol's performances under different transmission distances. We optimize the performance of the double-data method by adopting the optimization method shown in [42]. In the left panel, we plot the performances of the double-data modulation method under block sizes of 10<sup>5</sup> and 106 and the asymptotic case, respectively, which are shown with solid lines, while the performances of the standard estimation method are depicted with dashed lines, under block sizes of 10<sup>8</sup> and 10<sup>9</sup> and the asymptotic case. It can be seen that, with the help of the double-data modulation method, using less quantum states can achieve better performance than the standard estimation method in a short block-size regime, due to the fact that the data fluctuation term *μ* in the previous estimation method is not negligible when the block-size is not large, which makes the statistical fluctuation of the finite-size effect more significant in short key lengths. Thus, the double-data modulation method can efficiently improve the parameter estimation process when the block size is not large. We also note that since we use all the states to extract the key, leading to a high utilization of quantum states, the key rate of the modified method is higher than that of the previous method. However, the double-data modulation method cannot achieve the transmission distance as far as the single-modulation method in the asymptotic case. This is intuitive since the statistical fluctuation in the standard estimation method converges to zero with *N* going to infinity, while there still exit some noises in estimating data distance in double-data modulation method, namely *d* (*xM*1, *xM*2), which will compromise the transmission distance. In the right panel of Figure 4, we can see that the block length of the order of 105 <sup>−</sup> <sup>10</sup><sup>7</sup> is sufficient for the protocol to support the previous transmission distances with the block size of the order of 107 <sup>−</sup> 109, which we believe, to a large extent, saves the key consumption.

**Figure 4.** Comparison of the performances between the standard estimation method and the modified double-data modulation method under the reverse reconciliation case. (**a**) shows the performances of two scenarios under different block sizes, while (**b**) shows the protocol's performances under different transmission distances. The dashed lines are the performances using the standard estimation method, and the solid lines are the performances using double-data modulation method.

#### **6. Conclusions**

In this work, we investigated the EUR used for the composable security analysis of the CV-QKD protocol and focused on the parameter estimation step, containing the finite-size effect on estimating the CM and the improvement of the parameter the estimation phase using the double-data modulation method, which were not discussed in previous works [36–38]. We believe it is necessary to study the finite-size effect on the parameter estimation in the EUR method, as well as its improvement, since in practice, only limited exchanged states can be used for the parameter estimation, making the estimation process non-ideal.

The analysis showed that the finite-size effect of estimating the CM had a slight influence on the key rate. The larger the block size, the smaller the influence. For a practical block length of the order of 109, the influence on the protocol's performance was almost negligible. Thus, in a practical experiment, if the amount of data is large, treating the estimators of parameters as ideal parameters will not have a great influence on the key rate. The result also showed that the parameter estimation method developed in [42] was very effective at handling the finite-size analysis of the covariance matrix in EUR analysis.

To further reduce the impact of the finite-size effect in the parameter estimation phase, we also improved the parameter estimation process by exploiting the double-data modulation method, which was inspired by L. Ruppert, et al. [42]. All the quantum states can be used for both parameter estimation and key extraction, which improves the utilization of exchanged states. After modifying the estimation of the max-entropy, we found that the finite-size effect was to a large extent suppressed when the block size was not large, which saved the key consumption, while the longest transmission distances in the asymptotic case were compromised.

Our work is an improvement of previous works [36,37]. We believe that the modified estimation method is practical by using less states to perform parameter estimation.

**Author Contributions:** Z.C.: conception and design of the study, performing theoretical calculations and numerical simulations, and drafting the article; Y.Z.: conception of the study, providing critical advice, and revision of the manuscript; X.W.: conception of the study, providing critical advice, and revision of the manuscript; S.Y.: conception and design of the study, providing critical advice, and revision of the manuscript; H.G.: conception and design of the study, providing critical advice, and revision of the manuscript; all authors have read and approved the final manuscript.

**Funding:** This work is supported by the National Natural Science Foundation under Grant No. 61531003, the National Science Fund for Distinguished Young Scholars of China (Grant No. 61225003), and the China Postdoctoral Science Foundation (Grant No. 2018M630116).

**Acknowledgments:** We would like to thank Tobias Gehring for the valuable discussions.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Abbreviations**

The following abbreviations are used in this manuscript:


#### **References**


c 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
