Practical continuous-variable quantum key distribution with composable security

The study addresses a central challenge in continuous-variable quantum key distribution (CVQKD): achieving universally composable security in realistic, finite-size conditions using coherent states. While CVQKD is attractive for telecom integration, prior composable security proofs either relied on squeezed states with limited distance or required very large block sizes, making practical demonstrations elusive. The paper aims to demonstrate a coherent-state CVQKD implementation that yields positive, composably secure keys against collective attacks with practical block sizes by improving parameter estimation and system operation. It contextualizes the need for composability because QKD keys are used in other cryptographic applications, and it highlights the adverse impact of finite-size effects and stringent excess-noise requirements that have previously prevented experimental demonstrations with coherent states.

Prior work established composable security for CVQKD using two-mode squeezed states via entropic uncertainty relations, but with limited communication distance due to loose bounds. Subsequent theoretical advances provided composable security for coherent-state CVQKD with dual-quadrature detection and even against general attacks (e.g., Gaussian de Finetti reduction), but practical implementations typically lacked composable definitions or required very large N. Earlier coherent-state CVQKD demonstrations focused on long distance or high rate without composability. Security against collective attacks with finite-size analysis has been explored, but practical parameter estimation—with tight confidence intervals—remained a bottleneck. The authors build on the composable framework of Leverrier (2015) and later refinements, addressing the need for tighter parameter estimation via improved confidence intervals and an improved AEP penalty to reduce finite-size overheads, thereby enabling composable key generation at smaller block sizes.

Security framework and key length: The protocol uses reverse reconciliation. The composable secret key length s for n transmitted symbols accounts for the leftover hash lemma and smooth min-entropy H_min(Y|E), subtracting information reconciliation leakage leak_IR and including smoothing parameters and failure probabilities (for hashing, IR correctness, and parameter estimation). Finite-size effects are handled via: (1) a correction for non-i.i.d. data after discarding failed IR frames, H_min' ≥ H_min + log2(p') with p' = 1 − FER and n' = n p'; (2) an AEP-based bound H_min ≥ n' H(Y|E) − n' Δ_AEP(δ,d), with an improved penalty Δ_AEP(δ,d) ≤ 4(d+1) log2(2/δ^2); and (3) H(Y|E) = H(Y) − I(Y;E), where H(Y) is estimated from data up to probability ε_ent and I(Y;E) is upper-bounded using Gaussian extremality and worst-case covariance matrix estimates. Parameter estimation improvements: The Holevo information is bounded using worst-case confidence intervals for variance and covariance entries derived using properties of the Beta distribution, yielding tighter bounds than previous Gaussian-based approximations. For estimators x (modulation variance), y (received variance), and z (covariance), the true parameters are bounded using functions δ_var(n,ε) and δ_cov(n,ε) expressed via inverse CDFs of Beta distributions. These tighter intervals significantly reduce finite-size penalties, especially for covariance (which impacts untrusted noise quadratically), enabling positive keys at smaller N. Digitization and discretization: Although devices have finite range and resolution, a practical discretization was used: range of 7 standard deviations with d = 6 bits per quadrature (4096 coherent states). Recent results suggest negligible security impact at this resolution; for analysis simplicity, perfect Gaussian modulation is assumed. Experimental setup: A prepare-and-measure CVQKD link over 20 km standard single-mode fiber with real local oscillator (RLO) RF heterodyning. Transmitter: 1550 nm CW laser (Tx), IQ modulator with carrier-suppressed optical single-sideband modulation (OSSB-CS), driven by a 16-bit 1 GSps AWG. Gaussian random symbols from a vacuum-fluctuation-based QRNG (security parameter ε_Qrng = 2×10^−6) form the complex amplitudes. Quantum data bandwidth B = 100 MHz centered at f = 200 MHz; a strong pilot tone at f_p = 25 MHz is frequency-multiplexed for phase reference. Receiver: free-running Rx laser detuned by −320 MHz from Tx to generate a beat for RF heterodyne detection with a homemade balanced detector, followed by 16-bit 1 GSps ADC and digital signal processing (DSP). A low-pass filter (~360 MHz) limits bandwidth. Vacuum and electronic noise were measured to ensure >15 dB clearance of vacuum over electronics across the quantum band. Noise analysis and calibration: Careful frequency planning avoids spurious mixing products from polluting the quantum band. Non-paranoid model: some receiver loss and detector noise are trusted. Receiver efficiency (trusted transmittance) τ = 0.69; trusted detector noise = 25.71×10^3 photon number units (PNU). Noise and variances are expressed in PNU (1 PNU = 2 SNU). Mean photon number modulation strength μ calibrated via heterodyne with Tx and Rx directly connected; μ = 1.45 PNU selected. A total of 10^10 ADC samples were recorded for each calibration. Protocol operation and post-processing: State preparation/measurement yielded 10^9 complex symbols; after synchronization trimming, N_IR = 9.88×10^8 symbols entered IR. IR employed multidimensional reconciliation with multi-edge-type LDPC codes, achieving reconciliation efficiency β = 94.3% and frame error rate FER = 12.1%. Failed IR frames were discarded, leaving N_PA = 8.69×10^8 symbols for PE and PA. Parameter estimation used corrected symbols plus publicly announced erroneous frames to estimate the covariance matrix and derive worst-case channel parameters via receiver calibration. Total measured excess noise was 30.9 mPNU; subtracting trusted noise yields untrusted noise 5.2 mPNU. Total transmittance 0.25 implies untrusted transmittance η = 0.36 when dividing by τ. Privacy amplification used Toeplitz hashing with high-speed, large-scale PA. Security parameters used in the key-length computation included ε terms for hashing, entropy estimation, calibration, smoothing, and PE set to 10^−10, and a correctness parameter of 10^−12. The final composable security parameter is the linear sum of all ε terms.

- Demonstration of a coherent-state CVQKD system generating composable keys secure against collective attacks over a 20 km fiber channel, with practical finite-size operation. - Positive composable key length achievable with as few as N = 2×10^6 transmitted coherent states in this setup; with N ≥ 10^7, more than 41 Mbits of composably secure key material were distilled (worst-case analysis) from an experimental run of N_PA = 8.69×10^8 symbols and n = 2N_PA due to dual-quadrature data. - Achieved key length in worst-case evaluation: s = 41,378,264 bits, using β = 94.3% reconciliation efficiency and FER = 12.1%. - System parameters: μ = 1.45 PNU (mean photon number), total transmittance ≈ 0.25, trusted receiver efficiency τ = 0.69 (implying untrusted transmittance η = 0.36), total excess noise = 30.9 mPNU, trusted detector noise = 25.7 mPNU, untrusted excess noise = 5.2 mPNU. Vacuum noise clearance over electronic noise > 15 dB across the quantum band. - Tightened parameter-estimation confidence intervals based on Beta distributions significantly reduce finite-size penalties, especially for covariance; without these, no composable key would be obtained until N ≈ 10^8, where the worst-case SKF would be ≈ 6.04×10^−7, almost two orders of magnitude below the achieved values. - Secret key fraction (example comparison at N ≈ 10^6): ≈ 0.0471 bits/symbol (Table 1), competitive with prior coherent-state CVQKD experiments that did not include composability. - Operation at B = 100 MSymbols/s with pilot-tone-assisted phase recovery and machine-learning-aided DSP enabled stable, low-noise performance essential for minimizing finite-size corrections.

The work directly addresses the longstanding challenge of realizing composable security in coherent-state CVQKD under realistic finite-size constraints. By introducing tighter, Beta-distribution-based confidence intervals for parameter estimation and refining the AEP penalty, the authors reduce the finite-size overheads that previously required impractically large data blocks. This allows positive composable keys at N as low as 2×10^6 and multi-megabit keys at N ≥ 10^7 over 20 km fiber, highlighting the effectiveness of improved statistical estimation in CVQKD security proofs. The experimental system design—featuring RLO RF heterodyning, careful spectral planning to avoid spurious tones, strong but managed pilot tone for phase reference, and robust DSP including machine-learning-based phase compensation—keeps untrusted noise below the key-null threshold. The results narrow the gap between CV and DV QKD in terms of practical, secure key generation with composability. Compared to prior coherent-state implementations lacking composability, the present system demonstrates both practicality and rigorous finite-size security against collective attacks. The analysis also clarifies that covariance estimation is a critical lever; improved confidence intervals have an outsized impact due to the quadratic dependence of untrusted noise on covariance. The study further discusses that with modest hardware and DSP improvements to reduce untrusted noise and increase N, operation over higher loss (∼8 dB, ∼40 km) should be feasible. While the current work targets collective attacks, the framework indicates what would be needed to attain composable security against general attacks, including stricter ε budgets and symmetrization steps, guiding future research directions.

This paper demonstrates, for the first time with coherent states, a practical CVQKD system that generates composable keys secure against collective attacks in a realistic finite-size regime over 20 km fiber. Key enablers include improved parameter-estimation confidence intervals (via Beta distributions), a reduced AEP penalty, and a fast, low-noise, and stable experimental platform with pilot-tone-assisted heterodyne detection and advanced DSP. Positive composable keys are shown with N = 2×10^6, and over 41 Mbits were distilled in a larger run, significantly reducing the data requirements compared to earlier proofs. Future work includes: reducing untrusted noise and scaling N to extend distance to ∼40 km (∼8 dB loss); moving from offline to real-time end-to-end operation; and advancing towards composable security against general attacks by improving QRNG parameters, implementing efficient large-scale symmetrization, and exploiting Gaussianity assumptions to tighten bounds further.

- Security scope: Composable security is proven against collective attacks; achieving composable security against general attacks remains open due to stricter ε requirements and the need for data symmetrization. - Trusted model: Non-paranoid (trusted receiver) assumptions are used; some receiver loss and detector noise are assumed beyond the eavesdropper’s control, which may limit applicability in fully untrusted scenarios. - Digitization and modulation: The analysis assumes perfect Gaussian modulation while using finite-range, 6-bit discretization (4096-point constellation). Although argued to be sufficient, residual modeling mismatch could introduce small biases. - Operational constraints: DSP, IR, PE, and PA are performed offline; real-time implementation would require significant computational resources. Symmetrization for general-attack security is computationally demanding for large N. - QRNG limitation: The final ε budget for general-attack composability is currently constrained by QRNG digitization error (ε_qrng = 2×10^−6), necessitating longer measurement times or improved hardware for tighter ε. - Incomplete affiliation detail for one author in the provided text does not affect technical results but reflects minor documentation inconsistency.