Finite-size security proof of binary-modulation continuous-variable quantum key distribution using only heterodyne measurement

Continuous-variable quantum key distribution (CV-QKD) has many practical advantages including compatibility with current optical communication technology. Implementation using heterodyne measurements is particularly attractive since it eliminates the need for active phase locking of the remote pair of local oscillators, but the full security of CV QKD with discrete modulation was only proved for a protocol using homodyne measurements. Here we propose an all-heterodyne CV-QKD protocol with binary modulation and prove its security against general attacks in the finite-key regime. Although replacing a homodyne measurement with a heterodyne measurement would be naively expected to incur a 3-dB penalty in the rate-distance curve, our proof achieves a key rate with only a 1-dB penalty.


I. INTRODUCTION
Quantum key distribution (QKD) is the technology that enables information-theoretically secure communication between two separate parties. QKD is classified into two categories: discrete-variable (DV) QKD and continuous-variable (CV) QKD. DV-QKD protocols often encode information to a photon in different optical modes such as different polarizations or time bins. They use photon detectors to read out the encoded information. This type has a long history since early studies [1,2]. A lot of knowledge about the finite-key analysis and how to handle imperfections of actual devices has been accumulated. On the other hand, CV-QKD protocols encode information to quadrature in the phase space of an optical pulse. They use homodyne or heterodyne detection [3,4], which is highly compatible with the coherent optical communication technology currently widespread in industry [5][6][7][8][9][10][11][12]. See Refs. [13,14] for comprehensive reviews of the topic.
To implement the homodyne measurement, the local oscillator (LO) phases of the sender (Alice) and the receiver (Bob) should be matched. Since they drift independently in an actual experiment, they have to be calibrated continuously. For this purpose, the so-called local LO scheme is mainly used [15,16] in the implementation. In this scheme, using pilot pulses as a phase reference, the relative phase between the two remote LOs is tracked and corrected. This real-time feedback scheme, however, complicates Bob's receiver and makes it difficult to integrate into conventional systems [17][18][19][20][21].
On the other hand, in the heterodyne measurement, the difficulty related to the phase locking is greatly reduced. The heterodyne measurement outputs two quadrature amplitudes, which contain the information about the relative phase to the LO. As shown in some experiments [22,23], Bob can compensate for the phase mismatch between the two LOs after the measurement. Therefore the CV-QKD protocol using only heterodyne measurement removes the need for the real-time phase-compensation system and makes the implementation easier.
* yamano@qi.t.u-tokyo.ac.jp
In terms of security analysis, due to difficulty in dealing with continuous observables, the security of CV-QKD was proved only under limited conditions, such as specific attacks [24][25][26] and asymptotic cases [27][28][29][30][31][32]. The full security in the finite-size regime against general attacks was then proved for a Gaussian modulation protocol [33,34], but it did not cover discretization of modulation necessary in actual implementation [35][36][37]. Recently, a binary phase modulated CV-QKD protocol with a full security proof was reported [38]. It uses both homodyne and heterodyne measurements which should be actively switched. In this protocol, a homodyne measurement is used for generating a raw key and a heterodyne measurement for monitoring the attacks. Since this protocol involves homodyne measurements, it has the phase locking problem mentioned above.
In this paper, we propose a finite-key analysis of a CV-QKD protocol with binary phase modulation that uses only heterodyne measurements. The heterodyne measurement consists of two homodyne measurements whose inputs are made by splitting the original input into two halves. Due to this apparent 3-dB loss, straightforward application of the security proof in Ref. [38] to the all-heterodyne protocol may suffer from a 3-dB penalty in the key rate as a function of distance. Our security proof here shows that the penalty in the key rate can be suppressed to be only about 1 dB. Moreover, we show that the security can be guaranteed even if we simplify the protocol by omitting the random discarding of rounds required in Ref. [38].
The article is organized as follows. In Sec. II, we introduce our protocol with only heterodyne measurements. In Sec. III, we provide a sketch of the security proof based on analyzing the statistics of phase errors in a virtual protocol, while we describe the detail of the proof in Methods. Numerical simulations of the key rates as a function of distance are given in Sec. IV. In Sec. V, we discuss how our proof mitigates the apparent 3-dB penalty in the key rate.
We describe our protocol as follows (see Fig. 1). In the description, the outcome of the heterodyne measurement is represented by a complex number that is normalized such that its mean coincides with the complex mean amplitude of the input. The definition of the function $\Lambda_{m,r}$ will be given in the next subsection. The binary entropy function is defined by
1. Alice randomly chooses a bit $a \in \{0, 1\}$. She sends an optical pulse $C$ in the coherent state with complex amplitude $(-1)^a\sqrt{\mu}$ to Bob. She repeats it $N$ times.
2. On each pulse $C$ of the received $N$ pulses, Bob performs a heterodyne measurement and obtains an outcome $\omega = \omega_R + i\omega_I$ ($\omega_R, \omega_I \in \mathbb{R}$).
3. Alice and Bob process the raw data associated with each of the $N$ transmissions, which we call a round, in the following way. Bob randomly chooses the role of the round and announces it such that a "signal round" is chosen with probability $p_{\mathrm{sig}}$ and a "test round" with $p_{\mathrm{test}}$. According to the announced role, Alice and Bob do one of the following procedures.
[ signal ] Bob determines the bit $b \in \{0, 1\}$ or "failure" according to the real part $\omega_R$ of the measurement outcome, such that the probability for each event is given by the acceptance functions as follows:
Bob announces "success" when he obtained the bit $b \in \{0, 1\}$ and announces "failure" otherwise. If he announces "failure", Alice discards her bit $a$.
4. The $N$ rounds are divided into "signal-success", "signal-failure" and "test" rounds, whose numbers are denoted by $N_{\mathrm{suc}}$, $N_{\mathrm{fail}}$ and $N_{\mathrm{test}}$, respectively. The number of "signal" rounds is denoted by $N_{\mathrm{sig}} := N_{\mathrm{suc}} + N_{\mathrm{fail}}$.
Alice and Bob concatenate their own bits kept in the signal-success rounds to define $N_{\mathrm{suc}}$-bit sifted keys. Bob calculates the sum of $\Lambda_{m,r}(|\omega - (-1)^a\beta|)$ in all test rounds, which is denoted by $F$.
5. Alice and Bob perform bit error correction on the sifted keys. They consume $H_{\mathrm{EC}}$ bits of the preshared key for privately transmitting the syndrome of a linear code and $s$ bits of that for the verification.
6. Alice and Bob perform privacy amplification on the $N_{\mathrm{suc}}$-bit reconciled keys. The length is shortened by $N_{\mathrm{suc}}\,h(U(F)/N_{\mathrm{suc}}) + s$, where the function $U(F)$ will be given in Eq. (86). The final key length $N_{\mathrm{fin}}$ is thus given by
In the above protocol, the net key gain per pulse is given by
$$\hat{G} = (N_{\mathrm{fin}} - H_{\mathrm{EC}} - s)/N.$$
The above protocol is feasible even when Alice's and Bob's LOs are not phase-locked, as long as one can provide a good guess on their relative phase for each pulse. In such a case, the outcome $\omega$ in Step 2 is determined as follows. First, Bob records the complex amplitude $\omega$ obtained directly from his heterodyne measurement. Then, using the guess on the relative phase, he appropriately chooses an angle $\theta$ to define a compensated value $\omega := e^{i\theta}\omega$ such that the real axis of $\omega$ coincides with the direction of Alice's binary modulation.
B. Definition of $\Lambda_{m,r}$ and its property
The function $\Lambda_{m,r}$ relates the outcome of the heterodyne measurement to a bound on the fidelity of the input state to a coherent state [38], see also Ref. [39]. It is defined as
$$\Lambda_{m,r}(\mu) := e^{-r\mu}(1 + r)L^{(1)}_m((1 + r)\mu),$$
where $L_m$ is the associated Laguerre polynomial and $L_n(\nu)$ is the Laguerre polynomial
For a state $\rho$ of an optical pulse, the heterodyne measurement produces an outcome $\omega \in \mathbb{C}$ with a probability measure
where $|\omega\rangle$ is a coherent state
The expectation value of a function $f(\omega)$ based on the probability measure in Eq. (9) is denoted as
In Ref. [38], it has been shown that a fidelity $\langle\beta|\rho|\beta\rangle$ satisfies the following relation

III. SKETCH OF THE SECURITY PROOF
The finite-size security of the proposed protocol against general attacks can be shown using the Shor and Preskill approach [40], similar to Ref. [38]. This approach connects the amount of the privacy amplification to the so-called phase error rate. Here, we describe the sketch of the security proof. We mainly focus on the intuitive explanation on how we can bound the number of the phase errors and we also comment on differences between our proof and that of Ref. [38]. The full proof will be described in Methods.
First, we define the phase error. For that purpose, we introduce an entanglement-sharing protocol in which Alice and Bob share $N_{\mathrm{suc}}$ pairs of qubits in the signal-success rounds in such a way that measuring those qubits should produce binary sequences equivalent to the sifted keys in Actual protocol. A major difference from Ref. [38] appears in how we define Bob's qubits, because Bob's sifted key bit is generated from a heterodyne measurement in our protocol instead of a homodyne measurement in Ref. [38].
Entanglement-sharing protocol
1. Alice prepares a qubit $A$ and an optical pulse $C$ in the state $|\Psi\rangle_{AC}$ defined as
and sends $C$ to Bob. She repeats it $N$ times.
2. For each of the $N$ rounds, with the probabilities $p_{\mathrm{sig}}$ and $p_{\mathrm{test}}$, Bob determines whether each round is "signal" or "test" and announces it. Based on this label, Alice and Bob proceed as follows.
[ signal ] Bob performs a quantum operation (specified by a trace-non-increasing and completely positive map) $F$ on the received optical pulse $C$, where
This operation heralds "success" or "failure", which Bob announces, and in the former case produces a qubit $B$ in the state $F(\rho)/\mathrm{Tr}(F(\rho))$.
3. Alice and Bob define $N_{\mathrm{suc}}$, $N_{\mathrm{fail}}$, $N_{\mathrm{test}}$, $N_{\mathrm{sig}}$, and $F$ as in Actual protocol. At this point, Alice and Bob share $N_{\mathrm{suc}}$ qubits.
This entanglement-sharing protocol can be made equivalent to Actual protocol by measuring the $N_{\mathrm{suc}}$ pairs of qubits left by the protocol on the $Z$ basis. This can be confirmed by the following two observations. First, measuring the qubit $A$ of the state $|\Psi\rangle_{AC}$ on the $Z$ basis reproduces the bit $a$ as well as the state of the optical pulse $C$ of Actual protocol. Second, Eqs. (13)-(15) which shows that Bob's procedure of determining the bit $b$ is equivalent to that in Actual protocol.
Based on this entanglement-sharing protocol, we define the phase error as follows. After Entanglement-sharing protocol, suppose that Alice and Bob measure each of their $N_{\mathrm{suc}}$ qubits on the $X$ basis $\{|\pm\rangle := (|0\rangle \pm |1\rangle)/\sqrt{2}\}$ instead of the $Z$ basis. Each outcome can be denoted by $+$ or $-$. The pair of Alice's and Bob's outcomes can thus be written as an element in $\{(x_A, x_B) \mid x_A, x_B \in \{+, -\}\}$. We call the outcomes $(+, -)$ and $(-, +)$ a "phase error". The number of phase errors is denoted by $N_{\mathrm{ph}}$.
It is known [41,42] that if we can find a function $U$ of the data observed in the test rounds that bounds $N_{\mathrm{ph}}$ from above, we can derive a sufficient amount of the privacy amplification to achieve the required secrecy of the protocol. In our case, if we can find $U$ that satisfies
in Entanglement-sharing protocol followed by $X$-basis measurements on the $N_{\mathrm{suc}}$ qubits, our protocol is
For the construction of $U(F)$, we regard occurrence of a phase error as an outcome of a generalized measurement on Alice's qubit $A$ and the optical pulse $C$ received by Bob. The positive-operator-valued measure (POVM) for this measurement is constructed as follows. Bob's measurement has three outcomes, $(+, -, \mathrm{failure})$, whose POVM elements are denoted, respectively, by $(M_{\mathrm{ev}}, M_{\mathrm{od}}, M_{\mathrm{fail}})$. The use of ev/od is because the outcomes $+$ and $-$ imply even and odd photon numbers, respectively (see Methods). The explicit form of the operators can be determined from the relations $\mathrm{Tr}(M_{\mathrm{ev}}\rho$
for Alice's and Bob's $X$-basis measurement is then given by
The phase error is then represented by the operator
As an intuitive explanation, let us consider an asymptotic limit of $N \to \infty$, in which Eve's attack is fully characterized by the state $\rho_{\mathrm{out},AC}$ for Alice's qubit $A$ and the optical pulse $C$ received by Bob, averaged over the $N$ rounds. In this limit, $N_{\mathrm{ph}}/(N p_{\mathrm{sig}})$ converges to $\mathrm{Tr}(M_{\mathrm{ph}}\rho_{\mathrm{out},AC})$ and hence finding an upper bound $U(F)$ in Eq. (17) amounts to finding an upper bound on $\mathrm{Tr}(M_{\mathrm{ph}}\rho_{\mathrm{out},AC})$.
The state $\rho_{\mathrm{out},AC}$ is restricted by two conditions about the input states and about the observed data in the test rounds. The first condition comes from the fact that the reduced state of Alice's qubit $A$ is unaffected by Eve's attack, implying that $\mathrm{Tr}_C\,\rho_{\mathrm{out},AC}$ is the same as the reduced state of the initial state $|\Psi\rangle_{AC}$ in Eq. (12). It leads to a constraint written as
where
and
The second condition comes from Eq. (11):
where
We note that the right-hand side of Eq. (23) corresponds to $F/(N p_{\mathrm{test}})$ in the asymptotic limit. The analysis in the asymptotic limit now reduces to finding a bound on $\mathrm{Tr}(M_{\mathrm{ph}}\rho_{\mathrm{out},AC})$ under the constraints Eq. (21) and Eq. (23). In Methods, we derive a family of bounds $B(\kappa, \gamma)$ with nonnegative parameters $\kappa$ and $\gamma$ satisfying
for any density operator $\rho_{AC}$. Using $B(\kappa, \gamma)$, an upper bound on the phase error rate in the asymptotic limit is given by
Next, we consider the finite-key analysis. From the asymptotic analysis, we expect that the bound $U(F)$ in (17) will be written in the form $U(F) = N p_{\mathrm{sig}}\,u(F/N p_{\mathrm{test}}) + \Delta$, in which the finite-size correction $\Delta$ is to be determined. In order to find $\Delta$ that bounds $N_{\mathrm{ph}}$ from above under general attacks, we use Azuma's inequality [43]. It is applicable to a series of events with general correlations, and can be used to analyze a large deviation of the total sum $\sum_i T^{(i)}$ of a series of random variables $\{T^{(i)}\}$ from its expectation if there is a known constraint on the conditional expectation of $T^{(i)}$, where conditioning is made on the events prior to the $i$-th. In order to apply this inequality to our case, we write $N_{\mathrm{ph}} = \sum_{i=1}^{N} N^{(i)}_{\mathrm{ph}}$ and $F = \sum_{i=1}^{N} F^{(i)}$ and seek a constraint on the conditional statistics of random variables $(N^{(i)}_{\mathrm{ph}}, F^{(i)})$. A problem here is that the conditional state $\rho^{(i)}_{AC}$ on systems $A$ and $C$ has no guarantee on its reduced state on $A$, and hence does not satisfy Tr(ρ
This prevents us from using Eq. (20) to find a tight constraint on the statistics of $(N^{(i)}_{\mathrm{ph}}, F^{(i)})$.
One way to connect the property of Eq. (20) to Azuma's inequality is to add a measurement corresponding to the operator $\Pi^{\mathrm{sig}}_{-}$ to the protocol. In Ref. [38], the trash round, in which Alice and Bob discard all data, is randomly chosen with a probability $p_{\mathrm{trash}}$ in Actual protocol. This modification allows us to assume that, after Entanglement-sharing protocol, Alice makes the measurement $\{\Pi^{\mathrm{sig}}_{-}, 1 - \Pi^{\mathrm{sig}}_{-}\}$ in the trash rounds to determine the total number $Q_-$ of the events corresponding to $\Pi^{\mathrm{sig}}_{-}$. Its purpose is to treat the property of Eq. (20) as that of a measurement outcome. In fact, the expectation of $Q_-$ is $N p_{\mathrm{trash}} q_-$, and its deviation can be easily analyzed. Azuma's inequality is then used to analyze the large deviation of the three variables, $(N_{\mathrm{ph}}, F, Q_-)$, for which the conditional statistics can be directly bounded using Eq. (25). An obvious drawback in this approach is that it wastes $N p_{\mathrm{trash}}$ rounds in Actual protocol and lowers the finite-size key rate.
Here we improve the above approach in such a way that one does not need to waste rounds. It comes from the observation that the operator $\Pi^{\mathrm{sig}}_{-}$ commutes with $M_{\mathrm{ph}}$. It means that we can perform the measurement $\{\Pi^{\mathrm{sig}}_{-}, 1 - \Pi^{\mathrm{sig}}_{-}\}$ at the same time as the measurement of the phase error at the signal round. Thus, we do not have to add the trash rounds to obtain $Q_-$. Since this structure is in common with Ref. [38], the same trick is also applicable to the protocol of Ref. [38]. An explicit form of $U(F)$ and the proof of Eq. (17) is given in Methods.

IV. NUMERICAL SIMULATION
We simulated the key rate $G$ for the Gaussian channel specified by a transmissivity $\eta$ and an excess noise $\xi$. The transmissivity $\eta$ represents the amplitude damping of a coherent state. The excess noise $\xi$ represents an environmental noise generated on Bob's side, which increases the variance by a factor of $(1 + \xi)$ [44,45] (see Methods for the explicit definition). We set $s = 104$, $s = 51$, and $= 2^{-s}$. It makes the protocol $2^{-50}$-secure. For the predetermined parameters $(m, r)$ of the bounded function $\Lambda_{m,r}$, we adopt $(m, r) = (1, 0.4120)$, which leads to $(\max \Lambda_{m,r}, \min \Lambda_{m,r}) = (2.824, -0.9932)$ as shown in Ref. [38]. As for $\beta$ and $f_{\mathrm{suc},0}(x)$, we adopt $\beta = \sqrt{\eta\mu}$ and $f_{\mathrm{suc},0}(x) = \Theta(x - x_{\mathrm{th}})$, where $\Theta(x) = 1$ for $x \ge 0$ and $\Theta(x) = 0$ for $x < 0$. For each transmissivity $\eta$, we determined two coefficients $(\kappa, \gamma)$ via a convex optimization using CVXPY 1.0.25 [46,47] and four parameters $(\mu, p_{\mathrm{sig}}, p_{\mathrm{test}}, x_{\mathrm{th}})$ via the Nelder-Mead method in the scipy.minimize library in Python, in order to maximize the key rate. We compare the key rate of our protocol with that in the previous protocol [38] (we call it "homodyne protocol" henceforth) in Fig. 2 at $\xi = 0, 10^{-3.0}, 10^{-2.75}, 10^{-2.5}, 10^{-2.25}, 10^{-2.0}$ for $N = 10^{11}$ and in the asymptotic limit. As expected, the key rate of our protocol using only the heterodyne measurement is lower than that of the homodyne protocol. We see that if we shift each curve for the homodyne protocol by $-1$ dB, it will be close to the corresponding curve for our protocol, except in the case of ($\xi = 0$ and $N \to \infty$).
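Added example (not code from the paper or its authors): a direct evaluation of $\Lambda_{m,r}$ from its definition, checking the range quoted above for $(m, r) = (1, 0.4120)$. The function names are hypothetical, and the last function assumes that the argument of $\Lambda_{m,r}$ is the squared distance between the heterodyne outcome and the amplitude of a matching coherent state, which is exponentially distributed with unit mean.

```python
import math


def assoc_laguerre(m, k, x):
    """Associated Laguerre polynomial L_m^{(k)}(x) by the three-term recurrence."""
    if m == 0:
        return 1.0
    prev, cur = 1.0, 1.0 + k - x              # L_0^{(k)} and L_1^{(k)}
    for n in range(1, m):
        # (n+1) L_{n+1} = (2n + 1 + k - x) L_n - (n + k) L_{n-1}
        prev, cur = cur, ((2 * n + 1 + k - x) * cur - (n + k) * prev) / (n + 1)
    return cur


def lam(m, r, nu):
    """Lambda_{m,r}(nu) = exp(-r nu) (1 + r) L_m^{(1)}((1 + r) nu), for nu >= 0."""
    return math.exp(-r * nu) * (1.0 + r) * assoc_laguerre(m, 1, (1.0 + r) * nu)


def lam_range(m, r, nu_max=60.0, steps=60_000):
    """(max, min) of Lambda_{m,r} on a uniform grid over [0, nu_max].

    The exponential factor makes the function negligible well before nu_max,
    so the grid captures both extrema.
    """
    values = [lam(m, r, nu_max * i / steps) for i in range(steps + 1)]
    return max(values), min(values)


def mean_for_matching_coherent_state(m, r, nu_max=60.0, steps=60_000):
    """E[Lambda_{m,r}(nu)] for nu ~ Exp(1), by the trapezoidal rule.

    Assumption of this example: nu is the squared distance between the
    heterodyne outcome and beta when the input is exactly the coherent state
    with amplitude beta. The mean then equals the fidelity of that input, 1.
    """
    h = nu_max / steps
    total = 0.0
    for i in range(steps + 1):
        nu = i * h
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * math.exp(-nu) * lam(m, r, nu)
    return total * h


M, R = 1, 0.4120          # parameters adopted in the simulation section

if __name__ == "__main__":
    hi, lo = lam_range(M, R)
    print(f"max = {hi:.4f}, min = {lo:.4f}")
    print(f"mean for the matching coherent state = "
          f"{mean_for_matching_coherent_state(M, R):.6f}")
```

The per-round test statistic can exceed 1 or be negative, so it is only its average over the test rounds that behaves like a fidelity estimate.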

V. DISCUSSION
Since our protocol uses a binary phase modulation, the heterodyne measurement in the signal rounds is used only for measuring the amplitude in one quadrature. This is also seen in Eqs. (1)-(3), where only $\omega_R$ is used and there is no reference to $\omega_I$. This observation may lead to an alternative way of proving its security as follows.
Although the main motivation in using the heterodyne measurement is to dispense with the phase locking of the two LOs, for the sake of proving the security, one can assume that Bob uses an LO phase-locked to Alice's and configure his apparatus in Fig. 1 such that outcome $\omega_R$ is obtained from the upper-right pair of detectors, while outcome $\omega_I$ is from the lower-left pair. Then, in a signal round, the lower part is redundant and the measurement of $\omega_R$ is equivalent to a homodyne measurement placed behind a half beam splitter. This suggests that one may just repurpose the security proof and the key length formula of the homodyne protocol [38], as it is, to our protocol. In what follows, we argue that it is indeed true in the asymptotic limit but the achievable key rate is much worse than that of the security proof presented in the previous sections.
Let us introduce four protocols, summarized in Fig. 3, by modifying our protocol in stages toward the homodyne protocol of Ref. [38].
(II) (Equivalent protocol) In the test round, Bob performs the heterodyne measurement on the received pulse $C$. Based on the test results, Alice and Bob confirm that the fidelity of the pulse $C$ is no smaller than $F$. In the signal round, Bob sends the received pulse $C$ to a 3-dB-pure-loss channel which is out of Eve's reach. Then he performs the homodyne measurement on the output $C$ of the 3-dB-pure-loss channel. As described below, this protocol is equivalent to (I).
(III) (Homodyne protocol with trusted loss channel) The signal round is the same as in the protocol (II). In the test round, Bob performs the heterodyne measurement on $C$. Based on the results, Alice and Bob confirm that the fidelity of the pulse $C$ is no smaller than $F$.
(IV) (Homodyne protocol with untrusted loss channel) This protocol itself is the same as the protocol (III). In this case, unlike (II) and (III), we assume that Eve can attack the channel from $C$ to $C$.
Protocol (I) is the all-heterodyne protocol proposed in this paper. Protocol (IV) is the case where the homodyne protocol of Ref. [38] is carried out on a channel whose transmission is lower by 3 dB. In the following, we compare the above four protocols with the same value of the fidelity bound $F$.
First, we compare (I) and (II). As explained above, the heterodyne protocol (I) is equivalent to a half beam splitter followed by a homodyne measurement. Since a half beam splitter is equivalent to a 3-dB-pure-loss channel, protocol (II) is equivalent to (I).
To compare other protocols, let us denote the 3-dB-pure-loss channel appearing in protocols (II) and (III) by a CPTP (completely positive and trace preserving) map $N_{C\to C}$, which satisfies
for any coherent state $|\omega\rangle$. We compare the protocols (II), (III), and (IV) by considering Eve's possible attacks in each case, assuming that the same value of the fidelity bound $F$ was observed in the test. An attack by Eve can be characterized by a CPTP map from $C$ to $CE$, where $E$ means Eve's system. We denote the allowed sets of maps for the three protocols by $L_{\mathrm{II}}$, $L_{\mathrm{III}}$, and $L_{\mathrm{IV}}$. To simplify the notation, we introduce an abbreviation
and the density operator for the state of $C$ prepared by Alice as
Then, the sets $L_{\mathrm{II}}$, $L_{\mathrm{III}}$, and $L_{\mathrm{IV}}$ can be written as
From the monotonicity of the fidelity and Eq. (27), we find
It means $L_{\mathrm{II}} \subset L_{\mathrm{III}}$. Since the map $\bar{E}$ is a special case of the general CPTP map $E_{C\to CE}$, $L_{\mathrm{III}} \subset L_{\mathrm{IV}}$ holds. We thus obtain
The above inclusive relation with the equivalence between Protocols (I) and (II) justifies that we are able to repurpose the key rate formula for the homodyne protocol of Ref. [38] to achieve a secure key rate for the heterodyne protocol. In Fig. 4, the key rates from such a repurposed formula are plotted as broken curves. Because of the property of our channel model that the noise characteristics (see Eq. (103)) are independent of the channel transmission, those curves are exactly the rate curves of the homodyne protocol shifted by 3 dB. On the other hand, as seen in Sec. IV, the key rate obtained from the present security proof (also plotted in Fig. 4) has only about 1-dB degradation.
Since the removal of trash rounds does not affect the asymptotic key rate, we can ascribe the origin of the key rate difference between the two security proofs shown in Fig. 4 to two factors deduced from the inclusive relation of Eq. (35): (i) the repurposed formula assumes the fidelity test at a different point and may fail to fully utilize the observed fidelity bound $F$ and (ii) the repurposed formula overestimates Eve's ability as if she could eavesdrop on the fictitious 3-dB loss channel.
In conclusion, by using only heterodyne measurement, our protocol eliminates the need for the phase locking of the local oscillators used by the sender and the receiver. It thus makes its implementation easier and enhances the practical advantages of the CV-QKD protocol. Compared with a similar protocol with a homodyne measurement and with the same level of security, our all-heterodyne protocol suffers only a 1-dB penalty in the rate-distance curve. This is much better than the naive expectation based on the fact that a heterodyne detection in one quadrature is equivalent to a homodyne measurement with a 3-dB loss. In addition, we improved the proof technique to remove the "trash rounds" required in the homodyne protocol [38], which simplifies the structure of the protocol.

FIG. 4. Comparison of the secure key rates of the heterodyne protocol obtained from the two security arguments. Solid curves are the rates derived from our security proof. Broken curves are the rates obtained by repurposing the key-rate formula [38] for the homodyne protocol. The latter curves are exactly the rate curves of the homodyne protocol shifted by 3 dB.

A. Derivation of operator bound B(κ, γ)
Here we construct a computable bound $B(\kappa, \gamma)$, which satisfies an operator inequality
for $\kappa \ge 0$ and $\gamma \ge 0$. Note that Eq. (37) implies that
for any density operator $\rho_{AC}$. We denote by $\sigma_{\mathrm{sup}}(O)$ the supremum of the spectrum of a bounded self-adjoint operator $O$. The following lemma is shown in Ref. [38].

B. Detailed security proof
Here, we construct a function $U$ satisfying Eq. (17), which determines the final key length through Eq. (4) and guarantees the security.
For that purpose, we will define a protocol which we call the estimation protocol. It reproduces the statistics of $(N_{\mathrm{ph}}, F)$ and is suited to the use of Azuma's inequality. The main difference from Entanglement-sharing protocol followed by the $X$-basis measurements is that Alice conducts the $X$-basis measurement on her qubit $A$ even when Bob's measurement outcome is a failure. We thus define the operators for such measurements as
for $x_A = +, -$. The protocol is then formally defined as follows.
Estimation protocol
1. Alice prepares a qubit $A$ and an optical pulse $C$ in the state $|\Psi\rangle_{AC}$ defined in Eq. (12) and sends $C$ to Bob. She repeats it $N$ times.
2. For each of the $N$ rounds, with the probabilities $p_{\mathrm{sig}}$ and $p_{\mathrm{test}}$, Bob determines whether each round is "signal" or "test" and announces it. Based on this label, Alice and Bob proceed as follows.
[ signal ] Alice and Bob measure their systems and obtain $(x_A, x_B)$, where the POVM elements are given by $\{M_{x_A,x_B}\}_{x_A\in\{+,-\},\,x_B\in\{+,-,\mathrm{fail}\}}$ defined in Eq. (18).
[ test ] Alice measures her qubit $A$ on the $Z$ basis ($\{|0\rangle, |1\rangle\}$) to obtain a bit $\hat{a}$. Bob performs a heterodyne measurement to obtain a complex number $\omega$.
3. For $i = 1, \ldots, N$, variables $N^{(i)}_{\mathrm{ph}}$, $F^{(i)}$, $Q^{(i)}_{-}$, and $T^{(i)}$ are defined according to Table I by using the outcomes in Step 2 for the $i$-th round. Finally, the sums of these variables are defined as
The way to determine $(N_{\mathrm{ph}}, F)$ is equivalent to Entanglement-sharing protocol followed by the $X$-basis measurement. Therefore, if we can show that Eq. (17) holds true in Estimation protocol, the security of Actual protocol immediately follows.
In contrast to Ref. [38], here we defined $Q_-$ without introducing the trash rounds. It is achieved because $Q^{(i)}_{-}$ can be simultaneously measured with $N^{(i)}_{\mathrm{ph}}$ in Estimation protocol, which can be seen from the commutativity of the corresponding POVMs $\Pi^{\mathrm{sig}}_{-}$ and $M_{\mathrm{ph}}$. Thus, we can dispense with the trash rounds and improve the finite-key performance.
To find an upper bound $U(F)$ satisfying Eq. (17), we first find an upper bound on the expectation of $T^{(i)}$ for arbitrary state $\rho_{AC}$ on Alice's qubit $A$ and Bob's received pulse $C$. From Table I, we see that $T^{(i)}$ and $T$ are related to other variables as

T = Nph
For state $\rho_{AC}$, we have
and
According to Eq. (11), the operator $\Pi_{\mathrm{fid}}$ satisfies
From the relations Eqs. (25), (78), (80), (81) and (82), we have
for any state $\rho_{AC}$. Using this property, we can derive a bound on $T$ in the form of
by using Azuma's inequality [43]. The detail is given in the next subsection and $\delta_1(\epsilon)$ is defined in Eq. (96).
Next, we derive an explicit form of $\delta_2(\epsilon)$. Since the sequence of outcomes $\{Q^{(i)}_{-}\}_i$ obeys the Bernoulli distribution with probability $p_{\mathrm{sig}} q_-$, we can use the Chernoff-Hoeffding bound [48] to obtain
$$\Pr\left[Q_- \ge N p_{\mathrm{sig}} q_- + \delta\right] \le \exp\left[-N D\left(p_{\mathrm{sig}} q_- + \frac{\delta}{N} \,\middle\|\, p_{\mathrm{sig}} q_-\right)\right] \qquad (98)$$
with $0 < \delta < (1 - p_{\mathrm{sig}} q_-)N$, where
is the Kullback-Leibler divergence. We define $\delta_2(\epsilon) > 0$ as the unique solution for the following equations:
Then, combined with Eq. (98), we have
from which Eq. (85) follows.
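Added example (not the authors' code): the deviation term obtained by inverting the Chernoff-Hoeffding bound of Eq. (98) numerically. It assumes that $\delta_2(\epsilon)$ is the $\delta$ at which the right-hand side of Eq. (98) equals $\epsilon$, capped at $(1 - p_{\mathrm{sig}} q_-)N$ when no such $\delta$ exists, since the defining equations are not reproduced above. The function names and the sample values of $p_{\mathrm{sig}} q_-$, $N$ and $\epsilon$ are constructed for illustration.

```python
import math


def kl_shift(p, d):
    """D(p + d || p) in nats for Bernoulli distributions, with 0 <= d <= 1 - p.

    Written with log1p so that the two nearly cancelling terms stay accurate
    when d is many orders of magnitude smaller than p.
    """
    a = p + d
    first = a * math.log1p(d / p) if a > 0.0 else 0.0
    rest = 1.0 - a
    second = rest * math.log1p(-d / (1.0 - p)) if rest > 0.0 else 0.0
    return first + second


def delta_from_kl(n, p, eps, iters=200):
    """Smallest delta with exp(-n * D(p + delta/n || p)) <= eps, by bisection."""
    target = -math.log(eps)
    cap = (1.0 - p) * n
    # The divergence is largest at delta = cap, where it equals -ln(p).
    # If even that cannot reach the target, the deviation is capped.
    if n * (-math.log(p)) <= target:
        return cap
    lo, hi = 0.0, cap
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if n * kl_shift(p, mid / n) < target:
            lo = mid
        else:
            hi = mid
    return hi


def delta_hoeffding(n, eps):
    """Deviation from the looser additive Hoeffding bound exp(-2 delta^2 / n)."""
    return math.sqrt(0.5 * n * math.log(1.0 / eps))


if __name__ == "__main__":
    n, eps = 10**11, 2.0**-104                 # constructed sample values
    for p in (0.3, 0.01):                      # constructed values of p_sig * q_-
        d_kl = delta_from_kl(n, p, eps)
        print(f"p = {p}: KL-based delta = {d_kl:.4e}, "
              f"Hoeffding delta = {delta_hoeffding(n, eps):.4e}")
```

The divergence-based term is never larger than the Hoeffding one, and it becomes much smaller when $p_{\mathrm{sig}} q_-$ is small.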

D. Channel model and simulation
Calculation of the final key length $N_{\mathrm{fin}}$ in Sec. IV was done by assuming a channel model, from which we determined the values of parameters $N_{\mathrm{suc}}$, $F$, and $H_{\mathrm{EC}}$. We adopted a Gaussian channel as a model, and here we describe its detail.
Our model is characterized by transmissivity $\eta$ and excess noise $\xi$. When Alice sends $|(-1)^a\sqrt{\mu}\rangle$ through this channel, the state $\rho^{a}_{\mathrm{model}}$ that Bob receives is written as
We used this value as the observed value of $F$ in Actual protocol.
For $N_{\mathrm{suc}}$, let us define the probability $P_\pm$ that Alice and Bob succeed in the detection and have the same/different bits in the signal round in Actual protocol. Under our model and the choice of the step function $f_{\mathrm{suc},0}(x) = \Theta(x - x_{\mathrm{th}})$ in Sec. IV, it can be written as
which was used as the value of $N_{\mathrm{suc}}$ in the simulation of the key rate.
For the cost $H_{\mathrm{EC}}$ of the error correction, we assume that the efficiency of the error correction is 1.1. It means that $H_{\mathrm{EC}}$ can be given by
with
$$e_{\mathrm{bit}} = \frac{P_-}{P_+ + P_-}. \qquad (109)$$
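Added example (not the authors' simulation code): sifting statistics of the signal rounds for the noiseless case $\xi = 0$, together with a numerical check of the statement in Sec. V that the heterodyne signal round behaves like a homodyne measurement behind a 3-dB pure-loss channel. It assumes the standard Gaussian outcome statistics for a coherent state (variance 1/2 per heterodyne quadrature, 1/4 for homodyne, both normalized so that the mean equals the amplitude), a mirrored threshold rule for the bit 1, and an error-correction cost of $1.1\,h(e_{\mathrm{bit}})$ per sifted bit; all names and sample values are constructed.

```python
import math
from collections import namedtuple

Sift = namedtuple("Sift", "p_plus p_minus p_suc e_bit ec_bits_per_key_bit")
EC_EFFICIENCY = 1.1            # error-correction efficiency stated in the text


def binary_entropy(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def upper_tail(threshold, mean, variance):
    """Pr[X >= threshold] for a Gaussian X with the given mean and variance."""
    return 0.5 * math.erfc((threshold - mean) / math.sqrt(2.0 * variance))


def sift(amplitude, x_th, variance):
    """Success and error statistics of one signal round.

    Assumed decision rule: b = 0 if the outcome is >= x_th, b = 1 if it is
    <= -x_th, failure otherwise. By symmetry it suffices to treat a = 0.
    """
    p_plus = upper_tail(x_th, amplitude, variance)      # Bob's bit equals Alice's
    p_minus = upper_tail(x_th, -amplitude, variance)    # Bob's bit is flipped
    p_suc = p_plus + p_minus
    e_bit = p_minus / p_suc                             # Eq. (109)
    return Sift(p_plus, p_minus, p_suc, e_bit,
                EC_EFFICIENCY * binary_entropy(e_bit))


def heterodyne(eta, mu, x_th):
    """Real part of the heterodyne outcome: mean sqrt(eta mu), variance 1/2."""
    return sift(math.sqrt(eta * mu), x_th, 0.5)


def homodyne(eta, mu, x_th):
    """Homodyne quadrature: mean sqrt(eta mu), variance 1/4."""
    return sift(math.sqrt(eta * mu), x_th, 0.25)


def homodyne_after_3db_loss(eta, mu, x_th):
    """Protocol (II): homodyne behind a half beam splitter, threshold rescaled."""
    return homodyne(eta / 2.0, mu, x_th / math.sqrt(2.0))


if __name__ == "__main__":
    eta, mu, x_th = 0.1, 0.5, 0.8          # constructed sample point (10 dB loss)
    for name, stats in (("heterodyne", heterodyne(eta, mu, x_th)),
                        ("homodyne + 3 dB", homodyne_after_3db_loss(eta, mu, x_th)),
                        ("homodyne", homodyne(eta, mu, x_th))):
        print(f"{name:16s} P+ = {stats.p_plus:.4f}  P- = {stats.p_minus:.4f}  "
              f"e_bit = {stats.e_bit:.4f}  EC cost/bit = "
              f"{stats.ec_bits_per_key_bit:.4f}")
```

The first two rows coincide, so the raw sifting statistics alone carry the full 3-dB shift; the smaller penalty reported in Sec. IV comes from how the test rounds constrain Eve, not from the signal rounds.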

DATA AVAILABILITY
Data sharing not applicable to the article as no datasets were generated or analyzed during the current study.

FIG. 1. Alice sends coherent state $|\sqrt{\mu}\rangle$ or $|-\sqrt{\mu}\rangle$ randomly. Bob performs a heterodyne measurement. After $N$ rounds of communication, Bob randomly decides whether the role of each round is "signal" or "test". Alice and Bob use independent LOs (local oscillators). Bob's outcome $(\omega_R, \omega_I)$ can be compensated when Alice and Bob learn the phase difference between their LOs later.

FIG. 2. Comparison of the secure key rates of our protocol and the homodyne protocol [38]. The abscissa represents attenuation in decibel, i.e., $10 \log_{10} \eta$, where $\eta$ is the channel transmission. Solid lines are the key rates of our protocol. Dash-dotted lines are those of the homodyne protocol. a: The finite-size key rates for various values of excess noise $\xi$ for $N = 10^{11}$ rounds. b: The asymptotic key rates for various values of $\xi$.

FIG. 3. Four protocols for understanding the difference between the proposed all-heterodyne protocol and the homodyne protocol: (I) Our protocol, (II) Equivalent protocol, (III) Homodyne protocol with trusted loss channel, and (IV) Homodyne protocol with untrusted loss channel.

TABLE I. Measurement outcomes in Estimation protocol and definitions of the random variables.