Convergence of Density Operators and Security of Discrete Modulated CVQKD Protocols

In this section, we discuss the discrete modulated (DM) CVQKD protocol and the framework of our analysis. Consider a complex-valued random variable $X_{n}$, $n\geq 1$ with alphabet $\mathcal{X}_{n}$ and $Pr[X_{n}=x]=p_{X_{n}}(x)$. For simplicity and compatibility with usual digital communication systems, we assume that $|\mathcal{X}_{n}|=(n+1)^{2}=m^{2}$ and whenever it is clear from the context, we drop the subscript and use only $p(x_{i})$. We also use the notation $[N]=\quantity{1,2,\cdots,N}$ and assume that $X_{n}$ is symmetric around the origin¹¹1This assumptions comes without loss of generality as the constellations approaching the AWGN channel capacity are usually symmetric., that is, $p(x_{i})=p(-x_{i})$. The $m^{2}$-state DM-CVQKD prepare and measure protocol induced by $X_{n}$ works as follows.

1. 1.

   State Preparation - At each round, Alice draws $x$ from $X_{n}$ and prepares a coherent state $\ket{x}$. The modulation scheme is represented by the ensemble $\mathcal{A}=\quantity{\ket{x_{k}},p(x_{k})}_{k=1}^{m^{2}}$, $x_{k}\in\mathcal{X}_{n}$, which is the mixture $\hat{\rho}_{X_{n}}=\sum_{x\in\mathcal{X}}p(x)\outerproduct{x}{x}$ and the register $\bm{X}^{\prime}$ stores Alice’s random experiment outcomes.

2. 2.

   Quantum Transmission and Measurement - The prepared state is sent through a one-mode quantum channel $\mathcal{N}_{A\rightarrow B}$ such that Bob observes the mixture $\hat{\rho}_{B}=\mathcal{N}_{A\rightarrow B}(\hat{\rho}_{X_{n}})$ and performs heterodyne detection, denoted by the operator $\mathcal{M}_{B\rightarrow Y}$. Measurement results are stored in $\bm{Y}^{\prime}=\mathcal{M}_{B\rightarrow Y}(\hat{\rho}_{B})$.

3. 3.

   Sifting - After the conclusion of $N$ rounds, Alice and Bob agree on a small random subset of $I_{test}\subset[N]$ to form the test set to be used in parameter estimation. The values of $\bm{X}^{\prime}$ and $\bm{Y}^{\prime}$ indexed by $I_{test}$ are publicly announced and then discarded. The remaining raw key values are indexed by $I_{key}=[N]\setminus I_{test}$ and represented by $\bm{X}$ and $\bm{Y}$ on Alice and Bob’s sides, respectively.

4. 4.

   Parameter estimation - Once the test set is defined, Alice and Bob use them to estimate the quantum channel parameters, mainly by estimating the data first and second moments. Based on the estimated values, they evaluate whether it is possible to distill a secret key and if it is not, they abort the protocol and go back to step (i).

5. 5.

   Data Estimation - Before information reconciliation, Bob performs an estimation procedure in order to retrieve a sequence $\hat{\bm{X}}=\theta(\bm{Y})$, where $\theta$ is some estimation function. If $X_{n}$ has uniform distribution, i.e., $p(x_{i})=\frac{1}{n}$, $\theta$ is a minimum distance estimator

   $$\hat{\bm{X}}[j]=\arg\min_{x\in\mathcal{X}_{n}}||\bm{Y}[j]-x||^{2},$$

   (1)

   where $\hat{\bm{X}}[j]$ (respec. $\bm{Y}[j]$) denotes the $j$-th element of $\hat{\bm{X}}$ (respec. $\bm{Y}$). In the case of nonuniform distribution, which will be the relevant case, $\theta$ is the maximum a posteriori (MAP) estimator,

   $$\hat{\bm{X}}[j]=\arg\max_{x\in\mathcal{X}_{n}}p_{X_{n}|Y}(x|\bm{Y}[j]),$$

   (2)

6. 6.

   Reconciliation and Privacy Amplification - Alice and Bob choose a suitable error correction protocol and privacy amplification, which must agree with the quantities evaluated during parameter estimation. They then apply error correction and privacy amplification to generate the secret key.

A direct consequence of Teorema 1 is that the density operators representing constellations of coherent states also converge in trace norm to the Gaussian mixture of coherent states, $\hat{\rho}_{X_{G}}$. However, it is of interest to know the convergence speed of the constellation. The next proposition provides an upper bound for the distance between $\hat{\rho}_{X_{n}}$ and $\hat{\rho}_{X_{G}}$ by considering a reduction in the relevant subspace dimension.

The limit provided by Proposição 2 is related to the results developed in [3], where the unconditional security of the Gaussian modulation protocol against arbitrary attacks is reduced to collective attacks by using an energy test that truncates the Fock space. The next proposition relates the convergence of the sequence of operators to the convergence of the eigenvalues and eigenvectors. To address this issue, we will use some results from the theory of perturbation of linear operators.

The following theorem provides an upper bound for the distance between the eigenvalues of linear operators, which will be useful in analyzing the convergence of the eigenvalues of the convergent sequence of density operators [4, Chapter V, Theorem 4.10].

Having dealt with the convergence of the purification of the bipartite state that purifies the constellation, the next step is to address the covariance matrix, specifically the lower bound $Z^{*}$ for the covariance between different-mode quadratures. As discussed earlier, the amount of information available to the eavesdropper is inversely proportional to the magnitude of $Z^{*}$, and the results previously discussed show the secret key rate of QAM-like modulations close to the rates for continuous Gaussian modulation indicate that $Z^{*}$ approaches $Z$.

Among the relevant terms, $V_{A}$ and $V_{B}$ depend only on the average energy of the modulation scheme, which is a protocol parameter and does not depend on the specific type of constellation shape. Therefore, the secret key rate, being a function of the covariance matrix, where they differ only in the off-diagonal term (from the perspective of a block matrix), leads to using the Hilbert-Schmidt inner product for matrices $\expectationvalue{A,B}=\operatorname{tr}(A^{\dagger}B)$ and the induced norm. The Hilbert-Schmidt distance $d_{HS}(\cdot,\cdot)$ between the matrices

will be {widetext}

			(27)
			(28)
			(29)
			(30)
			(31)
			(32)
			(33)

since $w$ depends on $\hat{\rho}_{X_{n}}$ and, in the limit $\lim_{n\rightarrow\infty}\hat{\rho}_{X_{n}}=\hat{\rho}_{X_{G}}$, $w\rightarrow 0$; similarly, due to the convergence of the bipartite state, $\operatorname{tr}[\hat{\rho}_{AB_{n}}(\hat{a}\hat{b}+\hat{a}^{\dagger}\hat{b}^{\dagger})]\rightarrow 2\sqrt{\bar{m}^{2}+\bar{m}}$.

The two techniques used to reduce the class of arbitrary attacks to collective attacks are effective in the context of QKD protocols with discrete variables, such as BB84, but they are not directly applicable in the analysis of protocols with continuous variables due to the dimension of the Hilbert space. One solution is to use an energy test before the protocol’s execution in conjunction with a projector in a finite-dimensional subspace $d$. The idea is that if the states measured by Bob have an average energy lower than a pre-established parameter, the probability of the bipartite state shared by Alice and Bob ”residing” in a finite-dimensional subspace increases exponentially with $d$”.

In particular, the security proof against arbitrary attacks developed in [3] for the protocol²²2The analyzed protocol uses Gaussian modulation combined with heterodyne detection. $\mathcal{E}_{0}$ uses an energy test $\mathcal{T}$ and the projection $\mathcal{P}$ in a $d$-dimensional subspace, such that

$$\norm{\mathcal{E}-\mathcal{F}}_{\diamondsuit}\leq\norm*{\tilde{\mathcal{E}}-\tilde{\mathcal{F}}}_{\diamondsuit}+2\norm{(\mathbbm{1}-\mathcal{P})\circ\mathcal{T}}_{\diamondsuit},$$

(34)

where $\mathcal{E}=\mathcal{E}_{0}\circ\mathcal{T}$, $\mathcal{F}=\mathcal{S}\circ\mathcal{E}$, $\tilde{\mathcal{E}}=\mathcal{E}_{0}\circ\mathcal{P}\circ\mathcal{T}$, and $\tilde{\mathcal{F}}=\mathcal{S}\circ\mathcal{E}_{0}$. By employing the projector map in a finite-dimensional subspace, it was possible to use the results of the Postselection theorem to bound the first term on the right side of inequality (34), while the second term was upper-bounded by fixing the state of the diamond distance optimization to a product state, equivalent to the assumption of a collective attack, such that

$$\norm{(\mathbbm{1}-\mathcal{P})\circ\mathcal{T}}_{\diamondsuit}\leq\epsilon_{test}=O\quantity(\quantity(\frac{\bar{m}}{\bar{m}+1})^{d}).$$

(35)

The term $\epsilon_{\text{test}}$ precisely denotes the probability of the state shared by Alice and Bob passing the energy test $\mathcal{T}$ and being outside the relevant $d$-dimensional subspace for security analysis, which decreases exponentially with $d$ and is proportional to the distance between a thermal state and a convergent mixture of coherent states (Proposition LABEL:prop:erro-aproximacao). Therefore, it is expected that the unconditional security factor for a protocol with discrete modulation, where the constellation converges in distribution to a Gaussian curve, is proportional to the security developed in [3] for a protocol with continuous modulation.

However, there are still operational factors that may make the unconditional security proofs developed for Gaussian protocols incompatible with non-Gaussian modulation protocols, mainly due to the symmetrization procedures used to guarantee the necessary symmetry arguments. The Finetti and Postselection theorems assume that the protocol is invariant under permutations, and in [3, 5, 6], the security (and composability) proofs of protocols with Gaussian modulation use passive linear operations (beam splitters and phase displacements) before measuring the states received by Bob to apply rotations in the phase space and exploit the protocol’s invariance to rotations. As discussed in Section LABEL:sec:problemas-formatacao, the architecture of a transmitter for constellations with probabilistic shaping would be incompatible with random permutations of subsystems, preventing the protocol from having the required property in the assumptions of the security proof.

Regarding rotations in the phase space, a potential problem is that these rotations result in rotations in the vector representing the measurement outcomes. The possibility of reversing the effect of the symmetrization procedure by applying the inverse operation $R^{-1}$ does not solve the problem since DM-CVQKD protocols must use an optimized detection architecture that is tailored to the constellation format. Therefore, it is naive to assume that applying the symmetrization procedure to the multimode state and then reversing the effect by applying a rotation to the measurement data maintains the protocol’s performance intact. To achieve this, it is necessary to ensure that the operation that performs rotations in the phase space commutes with the coherent pulse detection system and the constellation symbol estimation, whose description in terms of POVMs is not yet known [7]. Additionally, the symmetrization procedure, which corresponds to a network of beam splitters and phase displacements, becomes impractical in realistic scenarios with a large number of transmitted states.

Furthermore, it is important to emphasize that the assumption used in [8], that for a protocol with non-Gaussian modulation in which the distance $\norm{\hat{\rho}-\hat{\sigma}}\leq\epsilon_{\text{prep}}$ and the Gaussian modulation protocol has unconditional security $\epsilon$, the non-Gaussian protocol would then be $(\epsilon+\epsilon_{\text{prep}})$-secure, where $\epsilon_{\text{prep}}$ encompasses a ”preparation error” of the thermal state in a Gaussian modulation, derived in [9]. The problem with this approach is that in [9], the preparation error refers to the limitation of the modulation device in generating truncated values in the preparation of coherent states and is calculated in the scenario where the running protocol is with Gaussian modulation, such that Bob and Eve expect to observe a thermal state. Therefore, the security factor does not directly apply to the case of discrete modulations, where there is no truncation error in the modulation, and Bob (and Eve) do not expect to observe a thermal state at Alice’s laboratory output.

[Perturbation Theory in a Nutshell] In this section, a brief introduction to the theory of perturbation of linear operators will be given, restricted only to the necessary points for the proof of LABEL:prop:spectrum-convergence. For further details, refer to the textbook Consider a Banach space³³3A Banach space $X$ is defined as a complete normed vector space, where completeness is related to the existence of limits for every Cauchy sequence $\quantity{u_{n}}$, $u_{n},u\in X$. A Hilbert space is then a Banach space whose norm is induced by the inner product. $X$ and a linear operator $T\in\mathcal{B}(X)$. An eigenvalue of $T$ is defined as a complex number $\lambda$ for which there exists a nonzero element $u$ in the domain of $T$ that satisfies the identity $Tu=\lambda u$, and $u$ is an eigenvector of $T$ associated with the eigenvalue $\lambda$. Similarly, $\lambda$ is an eigenvalue of $T$ if the null space $N$ of the transformation $T-\lambda$ is nontrivial, with $\operatorname{dim}[N(T-\lambda)]=m$ being the multiplicity of $\lambda$. Assume that $T$ is closed⁴⁴4An operator $T$ is said to be closed if its domain is a closed set. in $X$. Then, $T-z$ is closed for every $z\in\mathbb{C}$, and if $T-z$ is invertible,

$$R(z)=R(z,T)=(T-z)^{-1}\in\mathcal{B}(X),$$

(36)

is called the resolvent of $T$, and $z$ belongs to the resolvent set of $T$, defined as the complement (with respect to the complex plane) of the spectrum of $T$, i.e., $P(T)=\mathbb{C}\setminus\Lambda(T)$. The resolvent set is a subset of $\mathbb{C}$ for which, given a nonzero element $v\in X$, there exists a solution to the equation

$$(T-z)u=v.$$

(37)

Consider the perturbed operator $T(x)=T+xT^{\prime}$, $x\in\mathbb{C}$. $T(0)$ is called the unperturbed operator, and it is valid to question how the eigenvalue spectrum and eigenvectors of $T(x)$ change as the operator is perturbed. In general, the perturbation will be of the same order of magnitude as $|x|$. As it will be relevant in this work to analyze the perturbation of eigenvalues and eigenvectors according to the norm of the perturbation operator, $\norm{xT^{\prime}}$, we will use the notation $A=xT^{\prime}$, and denote the perturbed operator by $T(x)=T+xT^{\prime}=T+A=T_{A}$. Represent the resolvent of the perturbed operator $T$ by $A$ as

$$R_{A}(z)=(T_{A}-z)^{-1}.$$

(38)

It is possible to represent the resolvent as a power series in $x$ (and consequently in $A$), resulting in

	$\displaystyle R_{A}(z)$	$\displaystyle=R(z)\sum_{p=0}^{\infty}[-AR(z)]^{p}$		(39)
		$\displaystyle=R(z)+R(z)\sum_{p=1}^{\infty}\quantity[-A\cdot R(z)]^{p}.$		(40)

where $R(z)=R(z,0)$, is called the second Neumann series for the resolvent and denotes the effects of the operator $A$ on the resolvent set, which is directly connected to the eigenvalue spectrum. Similarly, the perturbation in the eigenprojectors of $T$ can be observed. Let $\lambda$ be an eigenvalue of $T$ with multiplicity $m$, and let $\Gamma$ be a closed curve in $P(T)$ containing $\lambda$ and no other eigenvalues of $T$. The operator defined by

	$\displaystyle P(x)=P_{A}$	$\displaystyle=-\frac{1}{2\pi i}\int_{\Gamma}R_{A}(z)\differential[2]{z}$		(41)
		$\displaystyle=P_{\lambda}-\frac{1}{2\pi i}\int_{\Gamma}R(z)\sum_{p=1}^{\infty}[-AR(z)]^{p}\differential[2]{z},$		(42)

is a projector that equals the sum of all eigenprojectors related to the eigenvalues of $T_{A}$ that lie within $\Gamma$, where $P_{\lambda}=P(0)$.