Detecting quantum attacks: a machine learning based defense strategy for practical continuous-variable quantum key distribution

Quantum key distribution (QKD) [1] is one of the most important application of quantum technologies, which enables two distant parties, Alice and Bob, to exchange secret keys in an untrusted environment without being eavesdropped by an eavesdropper, Eve its theoretical unconditional security is guaranteed by the fundamental laws of quantum mechanics [2, 3], which based on some assumptions that Alice and Bob's device are supposed to behave according to a perfect model. However, there are some deviations between the theoretical perfect assumptions and practical QKD implementations, such deviations may bring loopholes and enable Eve to break the security by stealing information from the legitimate parties [4–6].

According to different implementation methods, QKD can be divided into two types: discrete-variable (DV) QKD [7, 8] and continuous-variable (CV) QKD [9–11]. Compared with DVQKD, CVQKD has higher secret key rate and better compatibility with the current optical networks [12]. Gaussian modulated coherent state (GMCS) protocol is the most popular CVQKD scheme [13, 14], which has been proven theoretically secure against collective attacks [15–17]. However, the security of the practical GMCS CVQKD can be broken by some practical attack strategies, such as Trojan-horse attacks [18, 19], wavelength attacks [20, 21], calibration attacks [22], local oscillator (LO) intensity attacks [23], saturation attacks [24], and homodyne-detector-blinding attacks [25]. The main idea of these attacks is to exploit the imperfections of optical devices to bias the excess noise estimation, and the essence of the corresponding countermeasures is to add suitable real-time monitoring modules on the system, which significantly depend on the accuracy of the estimated excess noise and the calculated precision of a low bound of optical features disturbance for Eve successfully concealing herself [26]. However, in practice there are some natural fluctuations in the legitimate light as well as real detectors and electronics, Alice and Bob have to implement multiple iterative calculations to obtain an accurate estimation. In addition, the estimation procedure is usually implemented after the key transmission process is completed, once an attack is found the whole key data should be discarded, wasting a lot of time and resources. Moreover, in actual systems we do not know in advance which kind of attack Eve will launch, so we need a universal defense solution which can resist as many attack types as possible.

In this paper, we propose a defense strategy for CVQKD systems to address the disadvantages mentioned above. We investigate several typical features of the pulses that would be effected by the attacks, and the deviations of these features between normal unattacked pulses and abnormal attacked pulses. A set of feature vectors labeled by different attack types is constructed to train an artificial neural network (ANN). The trained ANN model can automatically detect abnormal feature vectors and classify them into different attack types. Consequently, a universal attack detection model is established, which can recognize most of the known attack types by using only one forward propagation calculating process. The secret keys received by Bob can be sequentially input into the model, and the transmission process will be aborted immediately once abnormal data is found. In this way Bob does not need to wait until the key transmission process is complete to check if the system is attacked. In our work, we mainly consider three typical attack strategies against GMCS CVQKD systems with homodyne detection, including the calibration attack, the LO intensity attack, and the saturation attack. In addition, two types of hybrid attack strategies [25, 27] is also investigated. Individual wavelength attacks [20, 21] are not considered here because they are only effective for heterodyne detection CVQKD systems. For one-way GMCS CVQKD systems, isolators and wavelength filters are the most suitable countermeasures against Trojan-horse attacks, thus the Trojan-horse attack is also not contained in our work.

2.1. Feature extraction of optical pulses

In a GMCS CVQKD protocol, Alice prepares a train of coherent states |X_A + iP_A⟩ where the quadrature values X_A and P_A subject to a bivariate Gaussian distribution with variance V_AN₀. Here N₀ represents the shot noise variance which corresponds to the variance of the homodyne detector output when the input signals are vacuum states. Then Alice sends the prepared states to Bob with a strong LO of intensity I_LO by using polarization multiplexing technique. The receiver Bob measures one of the quadratures of the signal states by performing a homodyne detection, with the help of the LO as a phase reference. After this process, Alice and Bob obtain two strings of correlated data x = {x₁, x₂, ..., x_N} and y = {y₁, y₂, ..., y_N}, where x represents the quadrature value modulated by Alice (X_A or P_A) and y represents the quadrature value measured by Bob (X_B or P_B). We note that

$$\begin{equation}\overline{x}=0,\quad {V}_{x}={V}_{\mathrm{A}}{N}_{0},\end{equation} \tag{ 1 }$$

$$\begin{equation}\bar{y}=0,\quad {V}_{y}=\eta T{V}_{\mathrm{A}}{N}_{0}+{N}_{0}+\eta T\xi +{V}_{\mathrm{e}\mathrm{l}},\end{equation} \tag{ 2 }$$

where T and η are the quantum channel transmittance and the efficiency of the homodyne detector, respectively. V_el = v_elN₀ is the detector's electronic noise and ξ = ɛN₀ is the technical excess noise of the system. In a practical CVQKD system, there are several features could be affected by different attack strategies, such as the intensity I_LO of the LO, the shot noise variance N₀, the mean value and variance V_y of Bob's measurement. Table 1 shows the impacts of different attack strategies on the measurable features. We find that the first four types of attacks affect different features. Although the last attack strategy and the saturation attack act on the same features, they have different degree of impact (more details can be found in the appendix A). Therefore, learning the variation of these features can help to detect and classify different attacks.

Table 1. Impacts of different attack strategies on measurable features. The symbol '√' under the features indicates that the corresponding feature will be changed by the corresponding attack.

Features		Vy	ILO	N0
LO intensity attack [23]	—	√	√	√
Calibration attack [22]	—	√	—	√
Saturation attack [24]	√	√	—	—
Hybrid attack 1 [27]	—	√	√	—
Hybrid attack 2 [25]	√	√	—	—

Figure 1 shows the schematic diagram of Bob's detection setup that is used for simultaneously measuring the features mentioned above. Firstly, the signal and LO pulses are demultiplexed by using a PBS. Then, an AM is applied on the signal path to randomly set a maximum attenuation with a probability of 10% for real-time shot-noise estimation, and the remaining signal pulses are not attenuated. Meanwhile, the LO pulses are split by a 90:10 beam splitter, part of which are used for homodyne detection and part of which are used for power monitoring and clock generation. After that, the analog measurement results are fed in the DPC for sampling and attack detection. We assume that Bob receives N pulses in a communication process and all these pulses can be divided into M blocks. For each block, we can calculate the mean and variance, the LO average power, and the shot noise variance. By this way, a feature vector $\overrightarrow {u}=\left\{\bar{y},{V}_{y},{I}_{\mathrm{L}\mathrm{O}},{N}_{0}\right\}$ is constructed to represent the corresponding block. M feature vectors $\left\{{ \overrightarrow {u}}_{1},{ \overrightarrow {u}}_{2},\dots ,{ \overrightarrow {u}}_{M}\right\}$ of the M blocks form the input of the ANN model, as shown in figure 2. The values of the feature vector are various under different types of attacks, since different attacks act on different features and change the values of them in different ways. According to the approximation theorem of the neural networks, it is possible to infinitely approximate to any given bounded continuous function on a given domain with a neural network [28]. It suggests that the neural network can fully learning the behaviours of the attacks based on the established feature vectors. It is worth noting that although there may be errors between the feature values of each block and these values of the whole data, the neural network can still use them to distinguish attacks because the errors under different attacks is also different.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

2.2. Artificial neural network establishment for attack classification

In this section, we introduce how to establish the ANN attack detection model based on feature vectors. ANN is a popular machine learning technique inspired by the biological neural network in the human brain [29]. As shown in figure 2, an ANN consists of several layers and each layer contains many neurons, ANN sends the weight values of each neuron as output to the next layer after processing with inputs from neurons in the previous layer. Our target is to derive an output vector $\overrightarrow {v}$ according to the input vector $\overrightarrow {u}$ by constructing a classifier, which is represented by a function $f: \overrightarrow {u}\to \overrightarrow {v}$. The construction of the classifier is based on multiple training iterations on a training set ${S}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}=\left\{\left( \overrightarrow {{u}_{1}}, \overrightarrow {{v}_{1}}\right),\left( \overrightarrow {{u}_{2}}, \overrightarrow {{v}_{2}}\right),\left( \overrightarrow {{u}_{3}}, \overrightarrow {{v}_{3}}\right),\dots \right\}$. In our scheme, the input vector $\overrightarrow {u}$ consists of the features listed in table 1, the output vector $\overrightarrow {v}$ consists of a set of probability values, which represent the probability that the current input data belongs to each attack type. Figure 2(a) is a linear ANN model without hidden layers which can only solve linear separable problems. In order to applicable to distinguish different types of attacks, we join a hidden layer between the input layer and the output layer, and further construct a nonlinear ANN multi-classifier by using a softmax function. The number of neurons in the hidden layer can be adjusted for optimal performance. Figure 2(b) shows the nonlinear ANN multi-classifier that contains three layers: input layer, hidden layer and softmax layer (output layer). Each neuron in the current layer is a linear combination of neurons in the previous layer with weight ω and bias b. For example, the relationship between the input layer and the hidden layer is expressed as

$$\begin{equation}{v}_{j}^{\mathrm{h}}={\sigma }_{\mathrm{t}\mathrm{a}\mathrm{n}\mathrm{H}}\left(\sum _{i}{u}_{i}{\omega }_{ij}^{\mathrm{h}}+{b}_{j}^{\mathrm{h}}\right),\end{equation} \tag{ 3 }$$

where ${v}_{j}^{\mathrm{h}}$ is the jth output of the hidden layer, u_i is the ith element of the input vector $\overrightarrow {u}$, ${b}_{j}^{\mathrm{h}}$ is the jth bias unit input into the hidden layer, ${\omega }_{ij}^{\mathrm{h}}$ is the weight between the ith element of the input layer and the jth element of the hidden layer which will be iterative optimized in the training process. σ_tanH is the activation function which is defined as [30, 31]

$$\begin{equation}{\sigma }_{\mathrm{t}\mathrm{a}\mathrm{n}\mathrm{H}}\left(x\right)=\frac{{\mathrm{e}}^{x}-{\mathrm{e}}^{-x}}{{\mathrm{e}}^{x}+{\mathrm{e}}^{-x}}.\end{equation} \tag{ 4 }$$

In a similar manner the relationship between the hidden layer and the output layer is obtained by

$$\begin{equation}{v}_{j}^{\mathrm{o}}={\sigma }_{\mathrm{S}}\left(\sum _{i}{v}_{i}^{\mathrm{h}}{\omega }_{ij}^{\mathrm{o}}+{b}_{j}^{\mathrm{o}}\right),\end{equation} \tag{ 5 }$$

where σ_S is the softmax function which is given by

$$\begin{equation}{\sigma }_{\mathrm{S}}\left({x}_{i}\right)=\frac{\mathrm{exp}\left({x}_{i}\right)}{{\sum }_{j=1}^{6}\enspace \mathrm{exp}\left({x}_{j}\right)}.\end{equation} \tag{ 6 }$$

${\omega }_{ij}^{\mathrm{o}}$ is the weight between the ith element of the hidden layer and the jth element of the output layer, ${b}_{j}^{\mathrm{o}}$ is the jth bias unit input into the output layer, ${v}_{j}^{\mathrm{o}}$ is the jth element of the output layer, and the sum of the output ${\sum }_{j=1}^{6}{v}_{j}^{\mathrm{o}}=1$. The final output $\overrightarrow {v}$ of the ANN model consists of six probability values, which represent the probability that the vector $\overrightarrow {u}$ belongs to each class. In the training process, the back-propagation algorithm is used to quickly solve the partial derivatives of the objective function on the internal weights in the network [32], and the weights is accordingly adjusted by using the stochastic gradient descent optimization algorithm [33]. Finally, an ANN model that matches the target output is learned by minimizing the objective function $-\mathrm{log}\enspace {v}_{j}^{\mathrm{o}}$ when the target class is j.

2.3. Training and testing process

According to the data preparation process described in the appendix A, we generate six sets of data as training data Y_train = {y_normal, y_LOIA, y_calib, y_sat, y_hyb1, y_hyb2} and preprocess them by division and feature vector extraction, as shown in figure 3. Subsequently, the collected feature vectors labeled by the category of data set are fed into the ANN trainer to learn the characteristics of different attack strategies. In a similar way, we also generate another six sets of data as testing data Y_test = {y'_normal, y'_LOIA, y'_calib, y'_sat, y'_hyb1, y'_hyb2} and preprocess them. The resulting feature vectors are directly input into the trained ANN classifier to check the performance of attack classification. In our experiments, precision, recall, false positive rate (FPR) and false negative rate (FNR) are selected as the evaluation metrics to evaluate the performance of our scheme, which can be expressed as

$$\begin{equation}\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}=\frac{\mathrm{T}\mathrm{P}}{\mathrm{T}\mathrm{P}+\mathrm{F}\mathrm{P}},\end{equation} \tag{ 7 }$$

$$\begin{equation}\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}=\frac{\mathrm{T}\mathrm{P}}{\mathrm{T}\mathrm{P}+\mathrm{F}\mathrm{N}},\end{equation} \tag{ 8 }$$

$$\begin{equation}\mathrm{F}\mathrm{P}\mathrm{R}=\frac{\mathrm{F}\mathrm{P}}{\mathrm{T}\mathrm{N}+\mathrm{F}\mathrm{P}},\end{equation} \tag{ 9 }$$

$$\begin{equation}\mathrm{F}\mathrm{N}\mathrm{R}=\frac{\mathrm{F}\mathrm{N}}{\mathrm{T}\mathrm{P}+\mathrm{F}\mathrm{N}},\end{equation} \tag{ 10 }$$

where TP (true positive) denotes the number of the feature vectors that belong to an certain attack type are identified as such attack, FP (false positive) denotes the number of the feature vectors that do not belong to an certain attack type are identified as such attack. FN (false negative) denotes the number of the feature vectors that belong to an certain attack type but are not identified as such attack. TN (true negative) denotes the number of the feature vectors that do not belong to an certain attack type and are not identified as such attack. In general, a fine ANN classifier can achieve high values of precision and recall, and low values of FPR and FNR. In the testing stage, 'one vs others' method is employed to evaluate the performance of the classifier. For example, when calculating the precision of detecting LO intensity attack, the LO intensity attack-related feature vectors are considered as positive instances, while the other five types of vectors are considered as negative instances, which simplifies the multi-class problem to a binary-class problem.

Zoom In Zoom Out Reset image size

3.1. Implementation details

3.2. Performance of attack classification for CVQKD system

In this section we analyze the performance of the ANN model for attack detection and classification. Firstly, we introduce principal component analysis [35] to map the collected 6000 feature vectors of six types of data into a 2D metric space, as shown in figure 4(a). We can find that the feature vectors of the calibration attack, the saturation attack and the hybrid attack 2 are very different from the normal unattacked vectors, whereas the feature vectors of the LO intensity attack and the hybrid attack 1 are close to the normal vectors and hard to be separated by statistical analysis. Figure 4(b) shows the mapped instances after ANN classification, we can see that different types of data are significantly separated by the ANN model. In order to determine the optimal number of neurons n_e in the hidden layer, we calculate the values of precision, recall, FPR and FNR of the ANN model for attack classification, all of the results are the average of 20 iterations for fear of overfitting and underfitting. As illustrated in figure 5, the precision and recall of the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2 reach the maximum 1 when the value of n_e = 15. For the LO intensity attack under the same condition, the performance of the ANN is the worst with precision and recall of 0.9969 and 0.9961, respectively. This is because the feature vectors of the LO intensity attack is closest to the normal data compared to other attacks. Similarly, the FPR and FNR of the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2 achieve the minimum value of 0 at n_e = 15, but these two values of the LO intensity attack are 6.2 × 10⁻⁴ and 3.9 × 10⁻³, respectively. The performance of ANN classification is relatively stable when the value of n_e between 5 and 20, while the precision and recall are low when n_e = 1 because the ANN model does not have enough learning ability when the number of neurons in hidden layer is small. In addition, the results of precision, recall, FPR and FNR fluctuate apparently in the condition of n_e > 20, because too many neurons in hidden layer greatly increase the complexity of the ANN, thereby neurons in the hidden layer will lose their sensitivity to input signals, and the propagation of information is blocked severely, under this situation the network is easily trapped into a local minimum point and fail to converged to a global minimum within a reasonable number of iterations [36].

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

3.3. Secret key rate of ANN-based attack defense strategy

In this section, we compare the secret key rates for a CVQKD system that employs the ANN-based attack detection model and for a system that does not employ any countermeasures against attacks. The most commonly used method is the asymptotic secret key rate which is given by [13]

$$\begin{equation}{K}_{\mathrm{a}\mathrm{s}\mathrm{y}\mathrm{m}}=\beta {I}_{\mathrm{A}\mathrm{B}}-{\chi }_{\mathrm{B}\mathrm{E}},\end{equation} \tag{ 11 }$$

where β is the reverse reconciliation efficiency, I_AB is the Shannon mutual information between Alice and Bob, and χ_BE is the Holevo quantity for Eve's maximum accessible information. The detailed calculation about I_AB and χ_BE can be found in appendix B. In addition to asymptotic security, the finite-size effect [37] is also taken into consideration, since the signals exchanged by Alice and Bob are impossible unlimited in practice. In the finite-size scenario, the characteristics of the quantum channel cannot be known in advance. Even after quantum signals are exchanged, the quantum channel is only partially known. The results of the secret key rates for asymptotic and finite-size scenario are plotted in figure 6(a). We can find that in both asymptotic and finite-size cases, the secret key rate and transmission distance of our scheme are diminished comparing with the system without countermeasures, which is due to 10% of pulses are chosen to estimate the shot noise variance and the AM in Bob's signal path introduces extra insertion loss into the system. But it is deserving of sacrifice a part of secret keys and transmission distance to enhance the overall defense capability of the system. The detailed calculation about the secret key rate in the finite-size regime can be found in appendix C. Finally, we demonstrate the composable secret key rates of a CVQKD system with and without using the ANN-based attack detection model, and the results are plotted in figure 6(b). The composable security is based on the uncertainty of the finite-size effect, which carefully considers the failure probabilities of every step in CVQKD systems and can obtain the tightest secure bound of a protocol [38]. In figure 6(b), the solid lines from left to right correspond to the composable secret key rates with and without ANN-based attack detection at transmission distances of 10 km, 20 km, and 30 km, respectively. The dashed lines with the same color as the solid lines are their corresponding asymptotic secret key rates under the same conditions. We can see that the results are more pessimistic than that obtained in the finite-size and asymptotic regime, but as the number of exchanged signals increases, the composable secret key rates gradually approach the asymptotic values. The detailed calculation about the composable secret key rate can be found in appendix D.

Zoom In Zoom Out Reset image size

In this work, we introduced and experimentally addressed a quantum attack defense strategy for CVQKD systems by using ANN. We considered the impacts of existing attack strategies on the measurable features of signal and LO pulses, and established a set of feature vectors label by different attack types as input of an ANN model. According to the realistic assumption of the attacks, the training and testing data is prepared for performance evaluation. Simulation results show that the trained ANN can automatically identify and classify attacks with precision and recall values above 99%. Interestingly, we find that the performance of the ANN model is sensitive to the number of neurons n_e in the hidden layer, therefore how to select an appropriate values of n_e is important in practical implementation. Comparing with a system that does not adopt any anti-attack countermeasures, our scheme slightly diminished the secret key rate and transmission distance, but it constructed an overall defense model to anti most of the known attack strategies, significantly improves the security of the system.

This work was supported by the National Natural Science Foundation of China (NSFC) (61972418, 61977062, 61872390, 61871407 and 61801522) and the National Natural Science Foundation of Hunan Province, China (2019JJ40352).

In order to investigate the performance of the ANN model for attack classification, we need to establish several valid data sets based on a realistic assumption of Alice and Bob's implementation setup, as well as Eve's capability. Firstly, we assume the fixed parameters mentioned above as: V_A = 10, η = 0.6, ξ = 0.1N₀, V_el = 0.01N₀, T = 10^−αL/10, where L is the transmission distance which is set as a typical value of 30 km and α = 0.2 dB km⁻¹ is the loss coefficient of the optical fiber. The attenuation values set by Bob are r₁ = 1 (no attenuation) and r₂ = 0.001 (maximum attenuation). All of these values are selected according to the standard realistic assumption for CVQKD implementations [22, 39]. In a normal condition without any attacks, the mean and variance of the measurement results are given by

$$\begin{equation}\bar{y}=0,\quad {V}_{i}={r}_{i}\eta T\left({V}_{\mathrm{A}}{N}_{0}+\xi \right)+{N}_{0}+{V}_{\mathrm{e}\mathrm{l}},\end{equation} \tag{ A.1 }$$

where V_i = {V₁, V₂} corresponds to the values of r_i, the LO power I_LO at Bob side is set as 10⁷ photons per pulse with 1% fluctuation [26, 40]. Accordingly, the shot noise variance N₀ under normal condition is set as 0.4 based on the calibrated linear relationship in [22].

Secondly, we briefly recall the principles of the above-mentioned attack strategies, including the LO intensity attack, the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2.

• (a)  
  In the LO intensity attack, Eve attacks the signal beam with a general Gaussian collective attack [15, 41] and attacks the LO beam by using a non-changing phase intensity attenuator with attenuation coefficient k(0 < k < 1). By this way, Eve can arbitrarily reduce the excess noise ɛ estimated by Alice and Bob to zero and hide her attack. For computational simplicity, we assume the variable attenuation coefficient k of each LO pulse is the same. Therefore, the variance of Bob's measurement results under this attack can be expressed as

  $$\begin{equation}{V}_{i}^{\mathrm{L}\mathrm{O}\mathrm{I}\mathrm{A}}=k\left[{r}_{i}\eta T\left({V}_{\mathrm{A}}{N}_{0}+\xi +{\xi }_{\mathrm{G}\mathrm{a}\mathrm{u}}\right)+{N}_{0}+{V}_{\mathrm{e}\mathrm{l}}\right],\end{equation} \tag{ A.2 }$$

  where

  $$\begin{equation}{\xi }_{\mathrm{G}\mathrm{a}\mathrm{u}}=\frac{\left(1-\eta T\right)\left(N-1\right)}{\eta T}{N}_{0},\end{equation} \tag{ A.3 }$$

  represents the noise introduced by Eve's Gaussian collective attack, N = (1 − kηT)/k(1 − ηT) represents the variance of Eve's EPR states. Similarly, the shot noise ${N}_{0}^{\mathrm{L}\mathrm{O}\mathrm{I}\mathrm{A}}$ is also deviated from the initial level as ${N}_{0}^{\mathrm{L}\mathrm{O}\mathrm{I}\mathrm{A}}=k{N}_{0}$.
• (b)  
  In the calibration attack, Eve intercepts a fraction μ of the signal pulses by implementing a partial intercept-resend (PIR) attack and modifies the shape of LO pulses to control the shot noise estimated by legitimate parties. According to the description in [22], the excess noise introduced by calibration attack is expressed as

  $$\begin{equation}\frac{{\xi }_{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}}{{N}_{0}}=\frac{{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}}{{N}_{0}}\left[\frac{{\xi }_{\mathrm{P}\mathrm{I}\mathrm{R}}}{{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}}+\frac{1}{\eta T}\left(1-\frac{{N}_{0}}{{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}}\right)\right],\end{equation} \tag{ A.4 }$$

  where ξ_PIR = ξ + 2μN₀ is the excess noise introduced by Eve's PIR attack, ${N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}$ is the shot noise after calibration attack and N₀ is the shot noise before attack. In order to make the excess noise estimated by Alice and Bob close to zero, the ratio ${N}_{0}/{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}$ must satisfy

  $$\begin{equation}\frac{{N}_{0}}{{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}}=1+2.1\eta T,\end{equation} \tag{ A.5 }$$

  with μ = 1 and a typical value of $\xi /{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}=0.1$. (A.5) indicates that the original shot noise N₀ is reduced into ${N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}$ by a factor of δ = 1/(1 + 2.1ηT). Therefore, the variance of the measurement results under this attack can be expressed as

  $$\begin{equation}{V}_{i}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}={r}_{i}\eta T\left({V}_{\mathrm{A}}{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}+\varepsilon {N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}+2{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}\right)+{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}+{v}_{\mathrm{e}\mathrm{l}}{N}_{0}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}.\end{equation} \tag{ A.6 }$$
• (c)  
  In the saturation attack, Eve exploits the finite linearity domain of the homodyne detection response. In order to saturate Bob's detector, She intercepts all the pulses send by Alice and measures them with heterodyne detection, then displaces the quadratures of the resent coherent states with a value Δ. As shown in [24], the mean and variance of Bob under saturation attack are expressed as

  $$\begin{equation}{\bar{y}}^{\mathrm{s}\mathrm{a}\mathrm{t}}={r}_{i}\left(\alpha +C\right),\end{equation} \tag{ A.7 }$$

  $$\begin{equation}{V}_{i}^{\mathrm{s}\mathrm{a}\mathrm{t}}={V}_{i}^{\prime }\left(\frac{1+A}{2}-\frac{{B}^{2}}{2\pi }\right)-\left(\alpha -{\Delta}\right)\sqrt{\frac{{V}_{i}^{\prime }}{2\pi }}A{\ast}B+\frac{{\left(\alpha -{\Delta}\right)}^{2}}{4}\left(1-{A}^{2}\right),\end{equation} \tag{ A.8 }$$

  where

  $$\begin{equation}{V}_{i}^{\prime }={r}_{i}\eta T\left({V}_{\mathrm{A}}{N}_{0}+\xi +2{N}_{0}\right)+{N}_{0}+{V}_{\mathrm{e}\mathrm{l}},\end{equation} \tag{ A.9 }$$

  $$\begin{equation}A=\mathrm{e}\mathrm{r}\mathrm{f}\left(\frac{\alpha -{\Delta}}{\sqrt{2\enspace {\mathrm{V}}_{i}^{\prime }}}\right),\end{equation} \tag{ A.10 }$$

  $$\begin{equation}B={\mathrm{e}}^{-{\left(\alpha -{\Delta}\right)}^{2}/2\enspace {\mathrm{V}}_{i}^{\prime }},\end{equation} \tag{ A.11 }$$

  $$\begin{equation}C=-\left[\sqrt{\frac{{V}_{i}^{\prime }}{2\pi }}B+\frac{\left(\alpha -{\Delta}\right)}{2}+\frac{\left(\alpha -{\Delta}\right)}{2}A\right],\end{equation} \tag{ A.12 }$$

  in which α is the boundary of the linear range of the homodyne detector, and the function erf(x) is the error function defined as

  $$\begin{equation}\mathrm{e}\mathrm{r}\mathrm{f}\left(x\right)=\frac{2}{\sqrt{\pi }}{\int }_{0}^{x}{\mathrm{e}}^{-{t}^{2}}\mathrm{d}t.\end{equation} \tag{ A.13 }$$
• (d)  
  In the hybrid attack 1, we consider the strategy A that consists of two attack parts. The first part is similar with the LO intensity attack, Eve performs intercept-resend attack to obtain the information sent by Alice and prepares new signal and LO pulses with amplitude $\sqrt{\lambda T}\left({X}_{\mathrm{E}}+\mathrm{i}{P}_{\mathrm{E}}\right)/2$ and ${\alpha }_{\mathrm{L}\mathrm{O}}/\sqrt{\lambda }$, respectively, where X_E and P_E are the quadrature values measured by Eve, α_LO is the amplitude of the original LO and λ is a real number. In the second attack part Eve prepares and resends two extra coherent pulses with wavelengths different from the typical communication wavelength of 1550 nm, so that makes the shot noise measurement results seem normal. The variance of Bob's measurement results is given by

  $$\begin{equation}{V}_{i}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}={r}_{i}\eta T\left({V}_{\mathrm{A}}{N}_{0}+2{N}_{0}+\xi \right)+\frac{{N}_{0}}{\lambda }+{V}_{\mathrm{e}\mathrm{l}}+{\left(1-{r}_{i}\right)}^{2}{D}^{2}+\left(35.81+35.47{r}_{i}^{2}\right)D,\end{equation} \tag{ A.14 }$$

  where D depends on the intensities I^s, I^lo and wavelengths λ^s, λ^lo of the extra two pulses. The shot noise level and excess noise estimated by legitimate parties are expressed as

  $$\begin{equation}{N}_{0}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}=\frac{{N}_{0}}{\lambda }+\left(1-{r}_{1}{r}_{2}\right){D}^{2}+\left(35.81-35.47{r}_{1}{r}_{2}\right)D,\end{equation} \tag{ A.15 }$$

  $$\begin{equation}\frac{{\xi }^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}}{{N}_{0}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}}=\left[\frac{\left(2+\xi \right){N}_{0}+\left({r}_{1}+{r}_{2}-2\right){D}^{2}}{\eta T}+35.47\left({r}_{1}+{r}_{2}\right)D\right].\end{equation} \tag{ A.16 }$$
• (e)  
  In the hybrid attack 2, Eve performs a full intercept-resend attack, and inserts external pluses into the signal port of Bob's homodyne detector along with the re-prepared signals. The pulse width and repetition rate of the external pulses are the same as the pulses sent by Alice. But the wavelength of them is slightly different with Alice's signals, in order to saturate Bob's homodyne detector output. In this way, the external light causes a non-negligible offset on the measurement results of Bob, which is given by

  $$\begin{equation}{D}_{\mathrm{e}\mathrm{x}\mathrm{t}}=\sqrt{\eta /{I}_{\mathrm{L}\mathrm{O}}}\left(1-2{T}_{\mathrm{e}\mathrm{x}\mathrm{t}}\right){I}_{\mathrm{e}\mathrm{x}\mathrm{t}},\end{equation} \tag{ A.17 }$$

  where T_ext is the overall transmission of Bob's homodyne detector regarding the external pulses and is related to the wavelength of the pulse, I_ext is the number of photons per pulse of the external light, and D_ext is normalized in $\sqrt{{N}_{0}}$. The excess noise of the system under this attack becomes

  $$\begin{equation}{\xi }_{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{2}}=\xi +{\xi }_{\mathrm{I}\mathrm{R}}+{\xi }_{\mathrm{e}\mathrm{x}\mathrm{t}},\end{equation} \tag{ A.18 }$$

  where ξ_IR = 2N₀ is the noise caused by the intercept-resend attack, and ξ_ext is the noise caused by the external light, which is related to the value of I_ext.

Thirdly, we define the values of the parameters employed in different attack types. For the LO intensity attack, we set the LO fluctuation rate 1 − k as 0.05 since the analysis in [23] shows that Eve can obtain the full secret keys with an LO fluctuation rate of 0.05 at a transmission distance of 30 km. For the calibration attack, the value of δ is set according to the specific values of η and T based on the equation δ = 1/(1 + 2.1ηT). For the saturation attack, the value of α is set to $20\sqrt{{N}_{0}}$ and the value of Δ is set to $19.5\sqrt{{N}_{0}}$ since the analysis in [24] shows that the value of Δ should close to α for better attack effect. For the hybrid attack 1, the values of D and λ are selected according to the equations (A.15) and (A.16) to make ${N}_{0}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}={N}_{0}$ and ${\xi }^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}/{N}_{0}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}$ arbitrarily cloze to zero. For the hybrid attack 2, the value of T_ext is set as 0.49, and the value of I_ext is selected according to the specific parameter values to make the estimated excess noise smaller than the null key threshold.

Finally, in order to explain the data preparation process more clearly, we summarize the parameters used to generate the data sets for the normal unattacked situation and five attacks strategies, as shown in table 2. The size of each type of data set is 1 × N, where 90% of the values in each data set are generated based on r_i = r₁, and 10% of the values are generated based on r_i = r₂. For example, we generate two groups of normal data, the first group is y₁ = {y₁, y₂, ..., y_N−0.1N} which follows a Gaussian distribution with zero mean and variance V₁ = r₁ηT(V_AN₀ + ξ) + N₀ + V_el, the second group is y₂ = {y₁, y₂, ..., y_0.1N} which follows a Gaussian distribution with zero mean and variance V₂ = r₂ηT(V_AN₀ + ξ) + N₀ + V_el. Combining the two groups of data evenly and obtaining y_normal = {y₁, y₂, ..., y_N}, which means that 10% of the data in y_normal is generated for shot noise estimation. In order to establish feature vectors, we divide y_normal into M blocks {b₁, b₂, ..., b_M}. In each block b_m, the values from y₁ are used for calculating the mean _m and variance ${V}_{y}^{m}$ of this block, the values from y₂ are used for estimating the shot noise variance ${N}_{0}^{m}$ of this block. The LO power of this block is obtained by calculating the average power of the pulses in the current block. Among all of the data sets, y_hyb2 is generated a little differently from the others. Firstly, we generate two groups of data y₁ and y₂. Then, add a value of ${D}_{\mathrm{e}\mathrm{x}\mathrm{t}}\sqrt{{N}_{0}}$ on them, respectively. For each value y_i in these two groups, perform the following calculation, as

$$\begin{equation}{y}_{i}=\begin{cases}\alpha ,\quad \hfill & {y}_{i}{\geqslant}\alpha ,\hfill \\ {y}_{i},\quad \hfill & {y}_{i}{< }\alpha .\hfill \end{cases}\end{equation} \tag{ A.19 }$$

Finally, combine the resulting two groups of values evenly and obtain y_hyb2. It is worth noting that we did not describe how to set the value of shot noise N₀ in table 2 because N₀ can be calculated based on the specific data in each block.

Table 2. Parameters used to generate the data sets of the normal unattacked data and the five attack strategies.

Data sets	Parameters for data generation
ynormal	, Vi, ILO
yLOIA	, ${V}_{i}^{\mathrm{L}\mathrm{O}\mathrm{I}\mathrm{A}}$, kILO
ycalib	, ${V}_{i}^{\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{i}\mathrm{b}}$, ILO
ysat	sat, ${V}_{i}^{\mathrm{s}\mathrm{a}\mathrm{t}}$, ILO
yhyb1	, ${V}_{i}^{\mathrm{h}\mathrm{y}\mathrm{b}\mathrm{1}}$, ILO/λ
yhyb2	, Vi, ξext, Dext, α, ILO

The asymptotic secret key rate under collective attacks with reverse reconciliation is given by equation (11), where the mutual information I_AB between Alice and Bob is derived from Bob's measured values V_B = ηT(V + χ_tol) and the conditional variance V_B|A = ηT(1 + χ_tol) by using Shannon's equation,

$$\begin{equation}{I}_{\mathrm{A}\mathrm{B}}=\frac{1}{2}\enspace {\mathrm{log}}_{2}\enspace \frac{{V}_{\mathrm{B}}}{{V}_{\mathrm{B}\vert \mathrm{A}}}=\frac{1}{2}\enspace {\mathrm{log}}_{2}\enspace \frac{V+{\chi }_{\mathrm{t}\mathrm{o}\mathrm{l}}}{1+{\chi }_{\mathrm{t}\mathrm{o}\mathrm{l}}},\end{equation} \tag{ B.1 }$$

where χ_tol = χ_line + χ_hom/T represents the total noise referred to the channel input. χ_line = T⁻¹ + ɛ − 1 is the channel-added noise referred to the channel input and χ_hom = [(1 − η) + v_el]/η is the detection-added noise referred to Bob's input. χ_BE denotes the maximum information available to Eve on Bob's key, which is given by

$$\begin{equation}{\chi }_{\mathrm{B}\mathrm{E}}=S\left({\rho }_{\mathrm{E}}\right)-\int {\mathrm{d}}_{{m}_{\mathrm{B}}}p\left({m}_{\mathrm{B}}\right)S\left({\rho }_{\mathrm{E}}^{{m}_{\mathrm{B}}}\right),\end{equation} \tag{ B.2 }$$

where m_B denotes the measurement of Bob, p(m_B) denotes the probability density of the measurement, ${\rho }_{\mathrm{E}}^{{m}_{\mathrm{B}}}$ denotes Eve's state conditional on Bob's measurement, and S denotes the Von Neumann entropy of the quantum state ρ. In the case of Gaussian attack, equation (B.2) can be simplified to

$$\begin{equation}{\chi }_{\mathrm{B}\mathrm{E}}=\sum _{i=1}^{2}G\left(\frac{{\lambda }_{i}-1}{2}\right)-\sum _{i=3}^{5}G\left(\frac{{\lambda }_{i}-1}{2}\right),\end{equation} \tag{ B.3 }$$

where G(x) = (x + 1)log₂(x + 1) − x log₂(x). λ_1,2 are the symplectic eigenvalues given by

$$\begin{equation}{\lambda }_{1,2}^{2}=\frac{1}{2}\left(A{\pm}\sqrt{{A}^{2}-4B}\right),\end{equation} \tag{ B.4 }$$

with

$$\begin{equation}A={V}^{2}+{T}^{2}{\left(V+{\chi }_{\mathrm{l}\mathrm{i}\mathrm{n}\mathrm{e}}\right)}^{2}+2T\left(1-{V}^{2}\right),\end{equation} \tag{ B.5 }$$

$$\begin{equation}B={T}^{2}{\left(1+V{\chi }_{\mathrm{l}\mathrm{i}\mathrm{n}\mathrm{e}}\right)}^{2}.\end{equation} \tag{ B.6 }$$

λ_3,4 are the symplectic eigenvalues given by

$$\begin{equation}{\lambda }_{3,4}^{2}=\frac{1}{2}\left(C{\pm}\sqrt{{C}^{2}-4D}\right),\end{equation} \tag{ B.7 }$$

with

$$\begin{equation}C=\frac{A{\chi }_{\mathrm{hom}}+V\sqrt{B}+T\left(V+{\chi }_{\mathrm{l}\mathrm{i}\mathrm{n}\mathrm{e}}\right)}{T\left(V+{\chi }_{\mathrm{t}\mathrm{o}\mathrm{t}}\right)},\end{equation} \tag{ B.8 }$$

$$\begin{equation}D=\frac{\sqrt{B}V+B{\chi }_{\mathrm{hom}}}{T\left(V+{\chi }_{\mathrm{t}\mathrm{o}\mathrm{t}}\right)}.\end{equation} \tag{ B.9 }$$

The last symplectic eigenvalue λ₅ = 1. Based on the above equations, we can obtain the secret key rate of the CVQKD system without taking any countermeasures against attacks. When calculating the secret key rate of our scheme, the insertion loss of the AM on Bob's signal path should be taken into consideration, as well as the 10% pulses used for real-time shot-noise measurement.

The secret key rate of a CVQKD system considering finite-size effects is given by [37]

$$\begin{equation}{K}_{\mathrm{fi}\mathrm{n}\mathrm{i}\mathrm{t}\mathrm{e}}=\frac{n}{N}\left[\beta {I}_{\mathrm{A}\mathrm{B}}-{S}_{\mathrm{B}\mathrm{E}}^{{{\epsilon}}_{\text{PE}}}-{\triangle}\left(n\right)\right],\end{equation} \tag{ C.1 }$$

where N denotes the number of the exchanged signals between Alice and Bob, and n denotes the number of the signals used for key establishment. m = N − n indicates the number of the remaining signals used for parameter estimation. _PE indicates the failure probability of parameter estimation. △(n) is related to the security of the privacy amplification, which is given by

$$\begin{equation}{\triangle}\left(n\right)=\left(2\enspace \mathrm{dim}\enspace {\mathcal{H}}_{Y}+3\right)\sqrt{\frac{{\mathrm{l}\mathrm{o}\mathrm{g}}_{2}\left(2/\bar{{\epsilon}}\right)}{n}}+\frac{2}{n}\enspace {\mathrm{l}\mathrm{o}\mathrm{g}}_{2}\enspace \left(1/{{\epsilon}}_{\text{PA}}\right),\end{equation} \tag{ C.2 }$$

where $\overline{{\epsilon}}$ is a smoothing parameter, _PA is the failure probability of the privacy amplification procedure, and ${\mathcal{H}}_{Y}$ is the Hilbert space corresponding to the variable y used in the raw key. We take $\mathrm{dim}\enspace {\mathcal{H}}_{Y}=2$ for secret key rate evaluation since the raw key is encoded on bits. ${S}_{\mathrm{B}\mathrm{E}}^{{{\epsilon}}_{\text{PE}}}$ represents the mutual information between Bob and Eve, which is determined by the covariance matrix Γ_AB of the bipartite state shared by Alice and Bob after the quantum channel, that is

$$\begin{equation}{{\Gamma}}_{\mathrm{A}\mathrm{B}}=\left[\begin{matrix}\hfill \left({V}_{\mathrm{A}}+1\right){\mathbb{I}}_{2}\hfill & \hfill \sqrt{{T}_{\mathrm{min}}\left({V}_{\mathrm{A}}^{2}+2{V}_{\mathrm{A}}\right)}{\sigma }_{z}\hfill \\ \hfill \sqrt{{T}_{\mathrm{min}}\left({V}_{\mathrm{A}}^{2}+2{V}_{\mathrm{A}}\right)}{\sigma }_{z}\hfill & \hfill \left[{T}_{\mathrm{min}}\left({V}_{\mathrm{A}}+{\varepsilon }_{\mathrm{max}}\right)+1\right]{\mathbb{I}}_{2}\hfill \end{matrix}\right],\end{equation} \tag{ C.3 }$$

where the matrices ${\mathbb{I}}_{2}=\mathrm{diag}\left(1,1\right)$ and σ_z = diag(1, −1). T_min and ɛ_max correspond, respectively, to the lower and upper bound of T and ɛ, which are defined as

$$\begin{equation}{T}_{\mathrm{min}}=\frac{{\hat{t}}_{\mathrm{min}}^{2}}{\eta }, {\varepsilon }_{\mathrm{max}}=\frac{{\hat{\sigma }}_{\mathrm{max}}^{2}-1-{v}_{\mathrm{e}\mathrm{l}}}{\eta T},\end{equation} \tag{ C.4 }$$

with

$$\begin{equation}{\hat{t}}_{\mathrm{min}}\approx \sqrt{\eta T}-{z}_{{{\epsilon}}_{\text{PE}}/2}\sqrt{\frac{1+\eta T\varepsilon +{v}_{\mathrm{e}\mathrm{l}}}{m{V}_{\mathrm{A}}}},\end{equation} \tag{ C.5 }$$

$$\begin{equation}{\hat{\sigma }}_{\mathrm{max}}^{2}\approx 1+\eta T\varepsilon +{v}_{\mathrm{e}\mathrm{l}}+{z}_{{{\epsilon}}_{\text{PE}}/2}\sqrt{\frac{\left(1+\eta T\varepsilon +{v}_{\mathrm{e}\mathrm{l}}\right)\sqrt{2}}{\sqrt{m}}},\end{equation} \tag{ C.6 }$$

where ${z}_{{{\epsilon}}_{\text{PE}}/2}$ follows $1-\mathrm{e}\mathrm{r}\mathrm{f}\left({z}_{{{\epsilon}}_{\text{PE}}/2}/\sqrt{2}\right)/2={{\epsilon}}_{\text{PE}}/2$. Substituting T_min and ɛ_max for the parameters T and ɛ used in equation (B.3), we can obtain the secret key rate in finite-size scenario. In the simulations, the above-mentioned error probabilities are set to

$$\begin{equation}\overline{{\epsilon}}={{\epsilon}}_{\text{PE}}={{\epsilon}}_{\text{PA}}=1{0}^{-10}.\end{equation} \tag{ C.7 }$$

In the composable security framework, the secret key rate of a CVQKD protocol against collective attacks is given by [38]

$$\begin{equation}{K}_{\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}}=\left(1-{{\epsilon}}_{\text{rob}}\right)\left\{\beta {I}_{\mathrm{A}\mathrm{B}}-f\left({{\Sigma}}_{a}^{\mathrm{max}},{{\Sigma}}_{b}^{\mathrm{max}},{{\Sigma}}_{c}^{\mathrm{min}}\right)-\frac{1}{N}\left[{{\triangle}}_{\text{AEP}}+{{\triangle}}_{\text{ent}}+2\enspace \mathrm{l}\mathrm{o}\mathrm{g}\enspace \frac{1}{2\overline{{\epsilon}}}\right]\right\},\end{equation} \tag{ D.1 }$$

where _rob indicates the robustness of the protocol. f is the function computing the Holevo information between Eve and Bob's measurement results for a Gaussian state with covariance matrix parametrized by ${{\Sigma}}_{a}^{\mathrm{max}}$, ${{\Sigma}}_{b}^{\mathrm{max}}$, and ${{\Sigma}}_{c}^{\mathrm{min}}$, that is

$$\begin{equation}f\left({{\Sigma}}_{a}^{\mathrm{max}},{{\Sigma}}_{b}^{\mathrm{max}},{{\Sigma}}_{c}^{\mathrm{min}}\right)=G\left(\frac{{\nu }_{1}-1}{2}\right)+G\left(\frac{{\nu }_{2}-1}{2}\right)-G\left(\frac{{\nu }_{3}-1}{2}\right),\end{equation} \tag{ D.2 }$$

where ν₁ and ν₂ are the symplectic eigenvalues of the covariance matrix $\left[\begin{matrix}{cc}\hfill {{\Sigma}}_{a}^{\mathrm{max}}{\mathbb{I}}_{2}\hfill & \hfill {{\Sigma}}_{c}^{\mathrm{min}}{\sigma }_{z}\hfill \\ \hfill {{\Sigma}}_{c}^{\mathrm{min}}{\sigma }_{z}\hfill & \hfill {{\Sigma}}_{b}^{\mathrm{max}}{\mathbb{I}}_{2}\hfill \end{matrix}\right]$, ${\nu }_{3}={{\Sigma}}_{a}^{\mathrm{max}}-{\left({{\Sigma}}_{c}^{\mathrm{min}}\right)}^{2}/\left(1+{{\Sigma}}_{b}^{\mathrm{max}}\right)$. More explicitly,

$$\begin{equation}{\nu }_{1}^{2}+{\nu }_{2}^{2}={{{\Sigma}}_{a}^{\mathrm{max}}}^{2}+{{{\Sigma}}_{b}^{\mathrm{max}}}^{2}-2{{{\Sigma}}_{c}^{\mathrm{min}}}^{2},\end{equation} \tag{ D.3 }$$

$$\begin{equation}{\nu }_{1}^{2}{\nu }_{2}^{2}={\left({{\Sigma}}_{a}^{\mathrm{max}}{{\Sigma}}_{b}^{\mathrm{max}}-{{{\Sigma}}_{c}^{\mathrm{min}}}^{2}\right)}^{2}.\end{equation} \tag{ D.4 }$$

Then we define

$$\begin{equation}{{\Sigma}}_{a}^{\mathrm{max}}=\frac{1}{N}\left[1+2\sqrt{\frac{{\mathrm{log}}_{2}\left(36/{{\epsilon}}_{\text{PE}}\right)}{N/2}}\right]{\Vert}X{{\Vert}}^{2}-1,\end{equation} \tag{ D.5 }$$

$$\begin{equation}{{\Sigma}}_{B}^{\mathrm{max}}=\frac{1}{N}\left[1+2\sqrt{\frac{{\mathrm{log}}_{2}\left(36/{{\epsilon}}_{\text{PE}}\right)}{N/2}}\right]{\Vert}Y{{\Vert}}^{2}-1,\end{equation} \tag{ D.6 }$$

$$\begin{equation}{{\Sigma}}_{c}^{\mathrm{min}}=\frac{\langle X,Y\rangle }{N}-5\sqrt{\frac{{\mathrm{log}}_{2}\left(8/{{\epsilon}}_{\text{PE}}\right)}{{\left(N/2\right)}^{3}}}\left({\Vert}X{{\Vert}}^{2}+{\Vert}Y{{\Vert}}^{2}\right).\end{equation} \tag{ D.7 }$$

Assuming that the success probability of parameter estimation is at least 0.99, thereby the robustness of the protocol is _rob ⩽ 0.01, and the random variables ||X||², ||Y||², and ⟨X, Y⟩ satisfy the following restrains

$$\begin{equation}{\Vert}X{{\Vert}}^{2}{\leqslant}N\left(V+1\right)+3\sqrt{2N\left(V+1\right)},\end{equation} \tag{ D.8 }$$

$$\begin{equation}{\Vert}X{{\Vert}}^{2}{\leqslant}N\left(T{V}_{\mathrm{A}}+T\varepsilon +1\right)+3\sqrt{2N\left(T{V}_{\mathrm{A}}+T\varepsilon +1\right)},\end{equation} \tag{ D.9 }$$

$$\begin{equation}\langle X,Y\rangle {\leqslant}N\sqrt{T\left({V}^{2}-1\right)}-3\sqrt{{V}_{\mathrm{A}}\left(T\varepsilon +1\right)N/2}.\end{equation} \tag{ D.10 }$$

The parameters △_AEP and △_ent in equation (D.1) can be obtained by

$$\begin{equation}{{\triangle}}_{\text{AEP}}=\sqrt{N}\left[{\left(d+1\right)}^{2}+4\left(d+1\right){\mathrm{log}}_{2}\enspace \frac{2}{{{\epsilon}}_{\text{sm}}^{2}}+2\enspace {\mathrm{log}}_{2}\enspace \frac{2}{{{\epsilon}}^{2}{{\epsilon}}_{\text{sm}}}\right]+4\frac{{{\epsilon}}_{\text{sm}}d}{{\epsilon}},\end{equation} \tag{ D.11 }$$

$$\begin{equation}{{\triangle}}_{\text{ent}}={\mathrm{log}}_{2}\enspace \frac{1}{{\epsilon}}+\sqrt{2N\enspace {\mathrm{log}}_{2}^{2}\enspace N\enspace {\mathrm{log}}_{2}\enspace \frac{2}{{{\epsilon}}_{\text{sm}}}},\end{equation} \tag{ D.12 }$$

where d is the discretization parameter. ${\epsilon}=\sqrt{{{\epsilon}}_{\text{PE}}+{{\epsilon}}_{\text{cor}}+{{\epsilon}}_{\text{ent}}}+2{{\epsilon}}_{\text{sm}}+\overline{{\epsilon}}$ is a possible security parameter. In the simulations, we choose ${{\epsilon}}_{\text{sm}}=\overline{{\epsilon}}=1{0}^{-21}$, _PE = _cor = _ent = 10⁻⁴¹, and d = 5 for simplicity.