Block length: During the run of the protocol the two honest parties, typically called Alice and Bob, prepare,
send and measure quantum signals and store the results of these measurements in bit strings that they store
on their respective (classical) computers. These bit strings will eventually be used to check for the presence
of an interfering eavesdropper and to compute a secret key. As these strings get longer it gets easier to
guard against eavesdroppers and secret keys can be extracted more efficiently. On the other hand there
are limitations on the length because we would like to start producing a secret key as early as possible
and because computations on longer strings get more and more difficult. The length of the bit strings
used in the protocol is called the block length. Current experimental and commercial implementations of
quantum key distribution typically work with block lengths of the order 10
whereas block lengths
of the order 10
can be achieved, but require an extreme stability of the system during the several
hours required to collect the data , .
Key length: The secret key length is the length of the secret key (in bits) that is extracted from a single block
of measurement data. An ideal secret key is a uniformly random bit string perfectly correlated between
Alice and Bob and independent of any information the eavesdropper might have collected after the run of
the protocol. The ratio of the key length to the block length is a key performance indicator of quantum
key distribution systems.
Security parameters: Modern security definitions for quantum key distribution rely on approximate
indistinguishability from an ideal protocol, which ensures that the resulting key can be safely used in any other
(secure) application. In this case, the ideal protocol either has the two parties produce an ideal secret
key or an abort flag that indicates that no secret key can be extracted, either because an eavesdropper
is present, or more mundanely because the quantum channel is too noisy. The security parameter is the
distinguishing advantage between the real and the ideal protocols, given by the diamond norm distance
between the two protocols. Evidently we would like this parameter to be very small and while there is no
consensus on what value it should have we will take it to be 10
for our numerical examples.
Robustness: According to the notion of security discussed above, a quantum key distribution protocol can be
perfectly secure and completely useless because it always aborts. As an additional requirement we thus
impose that the protocol succeeds with high probability when the quantum channel is subject to noise
below a specific (and realistic) threshold. This describes the robustness of the protocol against noise, that
is, the probability that the protocol returns a nontrivial key for a given noise level. The noise model
used should capture the dynamics of the quantum channel in the expected field operation; however, the
exact specification of the noise model — and whether the noise is caused by an eavesdropper or just by
the undisturbed operation of the channel — is independent of any security considerations and can thus
be treated independently. The robustness, and more specifically the values of the channel parameters for
which the robustness goes to zero, is an important figure of merit to compare the expected performance
of various protocols.
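
To make the robustness definition concrete, the following added illustration (not code from the paper) computes the probability that a run does not abort and locates the noise level at which that probability collapses. It assumes i.i.d. bit-flip noise with error rate q and an abort rule that triggers when more than max_errors of k test bits disagree; the function names, the 5% threshold and the sample sizes are constructed for this example, and other causes of abort are ignored.

```python
from math import exp, lgamma, log

def robustness(k, max_errors, q):
    """P[at most max_errors of k test bits are flipped], each flipped i.i.d. with prob. q.

    Assumed model (not from the page): the protocol aborts exactly when the
    number of observed errors in the k-bit test sample exceeds max_errors.
    """
    if q <= 0.0:
        return 1.0
    if q >= 1.0:
        return 1.0 if max_errors >= k else 0.0
    total = 0.0
    for j in range(min(max_errors, k) + 1):
        # Binomial pmf in log space so that large k does not overflow.
        log_pmf = (lgamma(k + 1) - lgamma(j + 1) - lgamma(k - j + 1)
                   + j * log(q) + (k - j) * log(1.0 - q))
        total += exp(log_pmf)
    return min(total, 1.0)

def noise_tolerance(k, max_errors, target=0.99):
    """Largest error rate q at which the pass probability is still >= target."""
    lo, hi = 0.0, 1.0  # robustness is monotonically decreasing in q
    for _ in range(50):
        mid = (lo + hi) / 2
        if robustness(k, max_errors, mid) >= target:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    # Constructed parameters: abort threshold fixed at 5% of the test sample.
    for k in (100, 1_000, 10_000):
        max_errors = k // 20
        print(f"k={k:>6}  99%-robust up to q={noise_tolerance(k, max_errors):.4f}")
        for q in (0.02, 0.05, 0.08):
            print(f"          q={q:.2f}  P[pass]={robustness(k, max_errors, q):.3e}")
```

With the threshold held at 5%, larger test samples tolerate noise closer to the threshold before the pass probability drops, which is the block-length side of the tradeoff described above.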
The tradeoffs between these parameters have been significantly improved since Renner’s proof , in
particular by Tomamichel et al.  and Hayashi and Tsurumaru , so that the proofs are now sufficiently tight
to provide security for realistic implementations of quantum key distribution. The present analysis will mostly
follow the approach in the former paper .
So what justifies us revisiting this problem here? Firstly, we believe that presenting a complete and rigorous
security proof in a single article will make the topic of finite size security more accessible to researchers in
quantum cryptography. Secondly, thanks to some improvements in the technical derivation and a streamlining
of the analysis, our proof yields significantly stronger tradeoff relations between security and performance
parameters. It is worth noting here that strengthening theoretical tradeoff relations of a QKD protocol has
rather direct implications for practical implementations as it allows for the generation of more secure key at the
same noise level without any changes to the hardware. Thirdly, although all the necessary technical ingredients
and conceptual insights are present in the literature, we were not able to find a concise security proof for any
QKD protocol that satisfies the following two stringent criteria:
1. The protocol is able to extract a composably secure key for reasonable parameters (i.e. realistic noise levels,
security parameters and block lengths that can be handled with state-of-the-art computer hardware).
2. The protocol and all the assumptions on the physical devices used in the protocol are completely specified
and all aspects of the protocol are formalized, including the randomness that is required and all the
communication transcripts that are produced.
This is most relevant for implementations that suffer from a low rate of measurement events, e.g. entanglement-based imple-
Accepted in Quantum 2017-06-08, click title to verify 2