Security of continuous-variable quantum key distribution: towards a de Finetti theorem for rotation symmetry in phase space

Proving the unconditional security of quantum key distribution (QKD) is a highly challenging task as one needs to determine the most efficient attack compatible with experimental data. This task is even more demanding for continuous-variable QKD as the Hilbert space where the protocol is described is infinite dimensional. A possible strategy to address this problem is to make an extensive use of the symmetries of the protocol. In this paper, we investigate a rotation symmetry in phase space that is particularly relevant to continuous-variable QKD, and explore the way towards a new quantum de Finetti theorem that would exploit this symmetry and provide a powerful tool to assess the security of continuous-variable protocols. As a first step, a single-party asymptotic version of this quantum de Finetti theorem in phase space is derived.


Introduction and motivation
The greatest novelty brought by quantum key distribution (QKD) is that, for the first time, a secret key agreement scheme can be proven unconditionally secure, that is, without making any assumptions about the power of an adversary.
Even if this claim has been made repeatedly since the proposal of the first QKD protocol in 1984 [1], it is only recently that complete proofs of security have been rigorously established.Proving the security of a scheme without making any simplifying assumptions is indeed quite challenging: the legitimate parties, Alice and Bob, need to infer what is the most efficient attack that an eavesdropper, Eve, could perform.This can be achieved by considering all bipartite states, ρ AB , compatible with Alice and Bob's data, but this quickly becomes almost untractable since the dimension of the Hilbert space, H ⊗n , relevant to describe ρ AB grows exponentially with the number, n, of quantum signals exchanged during the protocol.As a consequence, security proofs were often derived while restricting the adversary to the so-called collective attacks.In such attacks, the state ρ AB is supposed to be independent and identically distributed (i.i.d.), meaning that there exists a state σ AB ∈ H such that ρ AB = σ ⊗n AB .As a consequence, the Hilbert space needed to analyze the protocol becomes H instead of H ⊗n : no need to emphasize that this 'small' assumption considerably simplifies the analysis!
The question then is to know whether such a hypothesis limits the power of the adversary in a non-trivial way, or, said otherwise, whether this leads to an unreasonably optimistic view of the security of QKD.Fortunately, this is not the case as collective attacks were recently proven asymptotically optimal against protocols described with a finite-dimensional Hilbert space [2].The main tool used to answer this problem was a quantum de Finetti theorem, which means, roughly speaking, that a certain class of states in H ⊗n , namely symmetric states, can be well approximated by mixtures of i.i.d.states.From a cryptographic point of view, this means that general symmetric attacks are almost the same as collective attacks.The last step to complete the proof is to show that a symmetric attack is optimal for the eavesdropper, or, equivalently, that the state ρ AB can safely be assumed symmetric, which is indeed the case for most QKD protocols.
The quantum de Finetti theorem is thus quite powerful as it allows us to derive the security of a QKD scheme against arbitrary attacks as soon as it is proven.Moreover, the full security is obtained almost for free, in the sense that the decrease of key size caused by allowing the adversary to perform any non-collective attack is negligible, at least in an asymptotic regime.In a finite size scenario, however, the impact on the key size could be significant, although it should be compared with other finite-size effects such as the precision of parameter estimation or the efficiency of error correction [3,4].In this context, alternatives to the de Finetti theorem might also be worth investigating as they can lead to improved bounds [5].
Unfortunately, the application of the quantum de Finetti theorem, that was presented in [2], is restricted to QKD schemes that are described in a finite-dimensional Hilbert space.Apart from the fact that describing any protocol in the finite-dimensional Hilbert space is nothing less than an approximation (even though quite a reasonable one for protocols involving qubits), it is clear that it does not apply to protocols genuinely described in infinite-dimensional Hilbert spaces, such as protocols explicitly built on the continuous amplitude components of the light field (see [6] and references therein).The reason for this is that the quantum de Finetti theorem fails as soon as the dimension, d, of the Hilbert space H is not small compared to the number n of subsystems considered, which is obviously the case if d is infinite.Moreover, not only is the present version of the quantum de Finetti theorem limited to low dimensional Hilbert spaces, but counter-examples have been exhibited that demonstrate that a dimension-independent de Finetti theorem cannot exist [7].
Nevertheless, the impossibility of a general dimension-independent theorem does not rule out the possibility of more restricted versions of the theorem, which may still be highly relevant to prove the security of QKD schemes.In particular, the quantum de Finetti theorem of [2] is concerned with (permutation) symmetric states in H ⊗n , that is, states that are invariant under arbitrary permutations of their n subsystems.The only approach that has been pursued to date, in order to extend the range of application of this theorem to the infinite-dimensional Hilbert spaces, has consisted in restricting the set of states in such a way that a finite-dimension theorem can be applied [8]- [10], [12].In particular reference [10], the quantum de Finetti theorem of [2] has been applied to infinite-dimensional quantum systems conditioned on certain measurement results.The main consequence is to rigorously justify the assumption of a finite-dimension theorem in the context of QKD protocols using attenuated coherent pulses as the support for qubits.The theorem can then be used to derive the security of some continuous-variable schemes [11], as long as the energy of the signal states is not too important.The main drawback is that some experimental conditions need to be checked, which was not the case for finitedimensional protocols.
In this paper, we explore a radically different approach, which might greatly simplify the security proofs of continuous-variable QKD.The idea is to derive a new quantum de Finetti theorem corresponding to symmetry classes other than permutations of the subsystems.Our main insight is to describe the protocol in a phase space instead of Fock representation, and to study a symmetry group that is specific to the phase space.This choice features several advantages.First, the phase space representation is the natural choice for the analysis of continuous-variable QKD, where the information is typically encoded onto the quadratures of the light field (see [6]).Moreover, if collective attacks are indeed asymptotically optimal, as they generally are for discrete-variable QKD, it would be useful to have an interpretation of this result using covariance matrices.It should be pointed out that when restricted to collective attacks, the security of the protocol is completely characterized by the covariance matrix of the system shared by Alice and Bob [13,14].Last but not least, the phase space representation has the remarkable property to be finite dimensional: by trading a discrete description in the infinite-dimensional Hilbert space (the Fock representation) for a continuous description in the finite-dimensional real space.
Interestingly, in a classical setting, versions of the de Finetti theorem that apply to orthogonally invariant continuous probability distributions have been known for a long time [15].Here, we make the first steps towards the generalization of this theorem to a quantum setting.Obviously, since a general dimension-independent quantum de Finetti theorem is impossible, we cannot hope to establish one by switching between an infinite-dimensional state-space representation and a finite-dimensional phase-space representation.The idea is that the symmetry hypotheses, needed for the phase-space de Finetti theorem, are stronger than the ones used in the previous quantum versions of the de Finetti theorem.We will show that these stronger symmetry hypotheses are, however, perfectly compatible with the continuous-variable QKD protocols.
The outline of the paper is as follows.In section 2, we explicitly make the link between symmetry properties and security proofs.In section 3, we present continuous-variable QKD and introduce a new symmetry for such protocols.This symmetry is then presented in more details in section 4, where we make the preliminary steps towards the derivation of a new quantum de Finetti theorem for continuous variables.Finally, the conclusions are drawn in section 5.

Role of symmetry in the security proofs
The goal of this section is to explain how symmetry considerations can simplify the theoretical analysis of quantum cryptography.In particular, we would like to provide a theoretical justification to the common attitude of considering the state ρ AB shared by Alice and Bob as being symmetric.Note that a more mathematical argument can be found in [5].
As we mentioned previously, applying the de Finetti theorem to prove the security of QKD protocols works if one can first assume, without loss of generality, that the state ρ AB is symmetric, that is invariant under any permutation of its n subsystems.Here, we show that this assumption is justified, but that one is actually not limited to considering the action of this particular symmetry group S n (one can also consider larger symmetry groups).Basically, the idea is that by assuming any symmetry, Alice and Bob will always underestimate the secret key rate they can extract from their data.
The secret key rate for a particular instance of a QKD protocol is a function of the state ρ AB shared by the legitimate parties, Alice and Bob.The eavesdropper, Eve, is assumed to have the maximal information compatible with ρ AB meaning that her state ρ E is such that ρ E = tr AB (| ABE ) where | ABE is any purification of ρ AB .Note that all purifications are equivalent up to an unitary operation applied on system E.More precisely, ρ AB represents the knowledge that Alice and Bob have about the quantum state they share.For this reason, ρ AB is subjective and inevitably depends on the assumptions made by Alice and Bob.It must be emphasized that this cannot be avoided by performing a quantum tomography of the state, since the latter is also subject to hypotheses, namely that one has access to an arbitrary large number of independent and identical copies of a single state.The exponential version of the quantum de Finetti theorem as derived in [2] gives a partial answer to this problem: if ρ AB is invariant under permutations of its subsystems, then it can be well approximated by a mixture of i.i.d.states, so quantum tomography is therefore justified.
A crucial observation is that Alice and Bob would like to ignore or forget the properties of ρ AB they are not interested in, typically possible correlations between the n subsystems of their state, hence obtaining ρ AB = σ ⊗n AB for some prototype state σ AB ∈ H. Unfortunately, this action of forgetting comes at a price, namely erasing some potentially useful information.The first idea to make the argument more rigorous is that Alice and Bob can actually enforce the symmetry they want.Let us, for instance, consider symmetry under permutations of the subsystems of ρ AB which is the symmetry commonly used in various QKD security proofs (with the notable exception of protocols such as the differential phase shift (DPS) [16] or the coherent one-way (COW) [17]).This symmetry can be enforced in the following way: Alice and Bob can perform the same random permutation π over their respective state, with π being chosen uniformly over the symmetric group S n .This operation transforms ρ AB into where π is the unitary operator implementing the permutation π to both systems A and B, {|π } π is an orthogonal family of vectors and C is a classical auxiliary space whose sole purpose is to store the information concerning the permutation π that was applied.Then, tracing over system C (or equivalently giving this system to Eve), Alice and Bob obtain the state ρAB , which is symmetric by construction.Obviously, for any practical purpose, applying such a procedure is out of the question as it would at least involve a quantum memory in order to store each subsystem while Alice and Bob wait for the total state ρ AB .One may object, however, that applying such a permutation π to ρ AB is equivalent to merely relabeling the indices of Alice and Bob's data, which is much simpler to implement.The key is that both procedures are indistinguishable, which is a clear consequence of the fact that the permutation of subsystems commutes with the measurement procedure and classical post-processing.This is true for most protocols, such as BB84 or continuous-variable protocols, but not for DPS or COW as explained below.In order for the two procedures to be completely equivalent, Alice and Bob should completely forget which particular permutation was performed.A second crucial point is that, in reality, Alice and Bob do not even need to permute the labels of their data.What is really necessary is that they should never use any information related to the order of their data (the labeling of their data) when they extract the key.It must be realized that enforcing such a symmetry can only decrease the secret key rate, since Alice and Bob give additional information to Eve, or, equivalently, forget some a priori available information.On the other hand, while they are only throwing information that they do not use in practice (the labeling of their data), the impact of this symmetrization step to the key rate is actually negligible.Note that nothing forbids one to use such a technique in the study of the DPS and COW protocols.However, correlations between different subsystems are essential for these protocols to work and no key could be extracted if one was forgetting them.In principle, any symmetrization is applicable to any QKD protocol, but some symmetrization procedures essentially erase all the relevant information and are consequently useless for the study of such protocols.Other symmetries have been investigated in the literature, for instance random bit-flip or phase-flip applied simultaneously by Alice and Bob, and have led to simplifications in the analysis of some protocols [18].
The above reasoning can easily be generalized to other symmetries.Let G be a symmetry group in H ⊗n .Alice and Bob can perform a random g drawn from G and later forget about g, thus transforming ρ AB into where #G is the cardinal of G.The group G can even be continuous (albeit compact), in which case the discrete sum should simply be replaced by an integral over the Haar distribution of G.This is actually what we will do for continuous-variable protocols.

Brief summary of the theoretical analysis of continuous-variable QKD
We rapidly describe continuous-variable protocols, as a more detailed presentation can be found in [6].Continuous-variable QKD comes with two flavors depending on whether the quantum state shared by Alice and Bob is characterized by a quantum bit error rate (QBER) or by a covariance matrix.In the first category lie protocols where the quadratures of the light field are just the support for encoding bits.Such protocols usually use postselection to improve their QBER [19].Then, the analysis is somewhat similar to that of discrete-variable protocols.
In the second category of protocols, such as [20], with which we are only concerned here, the quantum state shared by Alice and Bob is characterized by its covariance matrix.This means that the continuous-variable approach is used even for the description of the state, and not only as a means to carry information over quantum channels.On the positive side, these protocols, and in particular their security, are easier to study.However, this approach suffers an important drawback, namely that postselection is a priori impossible: one must keep all data.This is particularly damaging during the classical post-processing of the protocol where one now has to deal with real random variables instead of binary random variables.
The main implication is that the reconciliation step, which roughly corresponds to correcting discrepancies between Alice and Bob's classical data, becomes a task that is much more involved than correcting errors between two binary strings.The error rate may indeed be much higher as the protocols with continuous variables may tolerate very low signal-to-noise ratio.
The classical problem of reconciliation was until recently limiting the range of continuousvariable QKD protocols [21].However, simpler discrete modulation schemes can help dealing with the reconciliation problem [11].

Rotation symmetries for continuous-variable QKD
One of the nice features of continuous-variable QKD is that the security against collective attacks is entirely characterized by the covariance matrix of ρ AB [13,14].As we restrict our analysis to collective attacks, one has ρ AB = σ ⊗n AB , and the covariance matrix of σ AB is usually assumed to be of the form: where σ z = diag(1, −1), and X , Y and Z are real numbers referring to Alice's variance, Bob's variance, and the covariance between Alice and Bob, respectively.Note that this form can easily be understood from an experimental point of view since the quantum channel is not supposed to induce correlations between different quadratures, for instance, but no theoretical justification has been given so far.Here, we use the ideas explained in the previous section to prove that can indeed take this simple form.Since we make the assumption of a collective attack, the covariance matrix is well defined and can be estimated by Alice and Bob.The most general form for is The idea is that Alice and Bob can perform some symmetrization operation, which transforms into sym .First, note that their classical data are two strings x, y ∈ R n , which correspond to the results of homodyne measurements of the various quadratures of ρ AB .The reconciliation is always optimized for a Gaussian channel, meaning that the random variable y is modeled as y = t x + z [21], where t is a transmission factor and z is a random variable modeling the added noise and characterized by its variance σ 2 .Therefore, the reconciliation procedure would not be affected if Alice and Bob both performed the same random orthogonal transformation R ∈ O(n) to their respective data, since one would then have Ry = t Rx + z , where z is a rotated noise with the same variance σ 2 .If Alice and Bob apply such a random orthogonal transformation and forget which one has been performed, their data becomes 'symmetric' in the sense that the matrix takes the form of sym , where The fact that the covariance matrix sym features Z σ z instead of Z 1 2 simply reflects the fact that sym is not the covariance matrix of the classical data of Alice and Bob in the prepare-and-measure scenario, but the covariance matrix of ρ AB in the equivalent entanglementbased scenario.In the latter case, Alice and Bob would actually apply conjugate orthogonal transformations to their respective share of the state instead of the same transformation.By conjugate transformation, we mean the transformation whose corresponding 2n × 2n matrix in phase space is obtained from the original one by flipping the sign of all rows whose label corresponds to a p quadrature and then flipping the sign of all columns whose label corresponds to a p quadrature.This can be understood by considering a two-mode squeezed vacuum, which is the state characterizing the inherent symmetry of continuous-variable QKD: this state has a covariance matrix sym where Y = X and Z = √ X 2 − 1, and is invariant under conjugate orthogonal transformations performed by Alice and Bob.
As we will see, this new symmetrization (based on orthogonal transformations in phase space instead of permutations in state space) has several crucial consequences.First, it allows us to rigorously prove that Alice and Bob can safely assume their covariance matrix to have a simple structure, characterized by only three parameters which are easily estimated experimentally (this was done until now with no firm theoretical justification).The second consequence, which we will study in the next section, is that it gives a simple structure to the state ρ AB which enables us to investigate the unconditional security using a de Finetti approach.

Invariant states under orthogonal transformations in phase space
The goal of this section is to give some insights on the structure of the states which are invariant under orthogonal transformations in phase space.More precisely, if Alice and Bob perform n homodyne measurements on ρ AB (Alice and Bob are assumed to measure the same quadrature since they discard the data corresponding to measurements of incompatible quadratures), they obtain two random vectors x, y ∈ R n .We are interested in unitary transformations whose effect on ρ AB is described by an orthogonal transformation on the probability distributions of x and y.As these probability distributions are completely characterized by the Wigner function of ρ AB , the states of interest are simply those whose Wigner function is invariant under such transformations.
Before describing the bipartite case, it is useful to consider first the single-party case, where the state of Bob is traced out.

Single party case
Here, we are interested in generalizing the concept of orthogonally invariant probability distributions to the quantum setting, that is, to Wigner functions.A n-mode state ρ (n) is termed orthogonally invariant in phase space if it is invariant under the action of any n-mode Gaussian unitary operator to an orthogonal transformation in the 2n-dimensional phase space of ρ (n) .Physically, this means that ρ (n) remains unchanged after being processed via any n-mode passive linear interferometer (the orthogonal transformations that are not in the special orthogonal subgroup are irrelevant in the single-party case).The set of such orthogonally invariant states is convex and is, therefore, characterized by its extremal points, namely the states where |k 1 . . .k n is the n-mode Fock state with k i photons in mode i and a n k = n+k−1 n−1 .Physically, these extremal states are (proportional to) the projectors onto the different eigenspaces of the total number operator n = n1 + • • • nn labeled with the integer parameter k, corresponding to the total number of photons distributed over the n modes.The normalization constant a n k simply counts the number of ways of distributing k photons into n modes.These extremal states σ (n)  k form a discrete infinite set of mixed states.Importantly, any pure eigenstate chosen in the eigenspace corresponding to a given total photon number k is generally not orthogonally invariant; only the uniform mixture of them fulfils this invariance (Schur's lemma), which is why the extremal states σ (n)  k are mixed for n > 1.Finally, any state ρ (n) that is invariant under orthogonal transformations in phase space can be written as where the weights c k satisfy 0 c k 1 and k c k = 1.

An asymptotic quantum de Finetti theorem for orthogonally invariant states
Let us now introduce a classical de Finetti theorem for continuous variables.An infinite sequence of real-valued random variables X 1 , . . ., X n , . . . is called orthogonally invariant if, for every n, the probability distribution of X 1 , . . ., X n is invariant under all orthogonal transformations of R n .It was proven in [22,23] that orthogonally invariant distributions are exactly mixtures of i.i.d.normal distributions.
This result holds only approximately for finite sequences: if the probability distribution of X 1 , . . ., X n is invariant under orthogonal transformations of R n , then there exists a mixture of i.i.d.normals such that its variation distance to the marginal law of the first k coordinates of X 1 , . . ., X n is bounded by O(k/n) for k n [15].This cannot be directly applied to quantum systems, however, since Wigner functions are not necessary legitimate probability distributions (they can be negative).Here, we prove that this generalization is nevertheless correct in the asymptotic regime.In particular, we prove that an orthogonally invariant state tends to a mixture of multimode thermal states, which are products of n thermal states with the same mean photon number.
Let us consider an n-mode state ρ (n) which is orthogonally invariant in phase space.For any N > n, ρ (n) is the partial trace over (N − n) modes of an N -mode orthogonally invariant state ρ (N ) .As stated above, ρ (N ) is a convex mixture of the states σ (N )  k .Therefore, it is enough to prove that the trace over (N − n) modes of σ (N ) k becomes asymptotically close (for the trace distance) to a multimode thermal state as N tends to infinity.Since the state of interest tr N −n σ (N ) k as well as the 'target' n-mode thermal state ρ (n)  th with k/n photons per mode are orthogonally invariant, they can both be written as mixtures of σ (n) Note that f and g also depend on k, n and N , but we do not mention these parameters explicitly in order to simplify the notations.The trace distance between the two states is given by the variation distance between the two classical probability distributions f and g It can be bounded from above as where the last inequality follows from the triangle inequality, and (x) + stands for x if x ≥ 0 and 0 if x < 0. Let us introduce the notation The rest of the proof consists in approximating sup h in the asymptotic regime.This is done by using the asymptotic approximation of a yn xn with n → ∞ resulting from Stirling's formula, namely where G(z) = (z + 1) log 2 (z + 1) − z log 2 (z) is the von Neumann entropy of a thermal state with z photons.Let us introduce the reduced variables x = k/N , y = n/N , z = l/N and t = (1 − y)/(x − z).We can approximate the function of interest h(l) as where Deriving B with respect to z, one has Therefore, B is extremal for t = 1/x, that is z = x y, giving B 0. As a result, one has Hence, tr N −n σ (N ) k − ρ (n) th 1 → 0 for N → ∞, which proves the quantum continuous-variable version of the de Finetti theorem for orthogonally invariant states in the asymptotic regime.Note that the technique of this proof is very similar to that used to establish a de Finetti theorem for Werner states in [7] (theorem III.7).

Bipartite case
So far, we only discussed single-partite orthogonally invariant states.Obviously, in order to use this approach to the study of QKD security, one needs a bipartite generalization.Let us consider the case of a 2n-mode bipartite state ρ AB , meaning that Alice and Bob each have n modes.Such a state ρ AB is termed invariant under conjugate orthogonal transformations in phase space if, for any Gaussian unitary operation U corresponding to an orthogonal transformation in Alice's 2n-dimensional phase space, it satisfies where U * is the Gaussian unitary operation corresponding to the conjugate orthogonal transformation in Bob's phase space.Physically, this invariance means that ρ AB remains unchanged when Alice processes her n modes into any passive linear interferometer while Bob processes his n modes into the passive linear interferometer effecting the conjugate orthogonal transformation in phase space (the orthogonal transformations that are not in the special orthogonal subgroup should be applied at the measurement outcomes, not at the level of quantum states).
Ideally, one should have a quantum de Finetti theorem for bipartite orthogonally invariant states since this is the case which is directly relevant for proving the security of continuous-variable QKD.The reason is that, following the arguments in section 2, Alice and Bob can indeed assume their bipartite state ρ AB to be invariant under conjugate orthogonal transformations.Thus, a bipartite quantum de Finetti theorem would rigorously prove that ρ AB is 'close to' a product of Gaussian states.Note, however, that an exponential version of the theorem would actually be required to address the security of continuous-variable QKD, meaning that it is enough to trace over only a negligible number of modes in order to get an exponentially good approximation by a Gaussian state.Then, such a Gaussian state would actually be the product of n i.i.d.Gaussian states, and the security against collective attacks would, therefore, imply the security against arbitrary attacks.
Finding a bipartite version of this quantum de Finetti theorem is the subject of further work.Although we do not have a rigorous proof yet, the fact that a bipartite version of the theorem holds is very likely.In particular, both partial traces ρ A = tr B ρ AB and ρ B = tr A ρ AB are singlepartite orthogonally invariant states, for which the theorem applies.Hence, locally, we already know that a state ρ AB that is invariant under conjugate orthogonal transformations in phase space becomes asymptotically Gaussian.One only needs to prove that the correlations between Alice and Bob also behave according to the bipartite version of the theorem.

Conclusion and perspectives
We have discussed the role of symmetries in the security analysis of QKD, and introduced a new symmetry that is especially suited to continuous-variables schemes.This rotation symmetry, which can be spelled out in the phase space representation, encompasses the usual symmetry under permutations in state space that have been considered so far in the context of discretevariable QKD.We then derived an asymptotic quantum de Finetti theorem for orthogonally invariant states in phase space, and showed that Gaussian states play a role similar to that of i.i.d.states in the usual de Finetti theorem.More precisely, any orthogonally invariant state can be shown to be asymptotically close to a mixture of product Gaussian (thermal) states.This first application of a symmetry in phase space to the QKD security analysis seems very promising as Gaussian states have been known to play a fundamental role in the analysis of continuousvariable QKD.
The perspectives of this work towards proving the unconditional security of continuousvariable QKD are twofold.A first approach would be to study the generalization of our (asymptotic) continuous-variable quantum de Finetti theorem in phase space to the bipartite scenario, and then investigate whether an exponential version can be derived.The second option would be to see if the techniques recently introduced in [5] can be generalized to continuousvariable QKD.