Finitekey analysis for timeenergy highdimensional quantum key distribution
Abstract
Timeenergy highdimensional quantum key distribution (HDQKD) leverages the highdimensional nature of timeenergy entangled biphotons and the loss tolerance of singlephoton detection to achieve longdistance key distribution with high photon information efficiency. To date, the generalattack security of HDQKD has only been proven in the asymptotic regime, while HDQKD’s finitekey security has only been established for a limited set of attacks. Here we fill this gap by providing a rigorous HDQKD security proof for general attacks in the finitekey regime. Our proof relies on a novel entropic uncertainty relation that we derive for time and conjugatetime measurements using dispersive optics, and our analysis includes an efficient decoystate protocol in its parameter estimation. We present numericallyevaluated secretkey rates illustrating the feasibility of secure and composable HDQKD over metropolitanarea distances when the system is subjected to the most powerful eavesdropping attack.
I Introduction
Quantum key distribution (QKD) enables secure communication based on fundamental laws of quantum physics bennett1984quantum (); ekert1991quantum (), as opposed to the security that is presumed from computational complexity in conventional publickey cryptography. Current work on QKD focuses on patching security holes in practical implementations, increasing secretkey rates and securetransmission distances, and unifying understanding of the many different protocols lo2014review (). Existing QKD protocols can be divided into two major categories: discretevariable (DV) bennett1984quantum (); Huang2003 (); Wang2003 (); Lo2005 () and continuousvariable (CV) grosshans2002continuous () QKD. The predominant DVQKD is more robust to loss than CVQKD, and thus offers longer securetransmission distance liu2010decoy (); wang2012 (); korzh2015 (); curty2014finite (). CVQKD, on the other hand, offers higher photon information efficiency (PIE) than DVQKD, and thus potentially higher key rates at short distances jouguet2013experimental ().
Highdimensional QKD (HDQKD) exploits the best features of DV and CV protocols to simultaneously achieve high PIE and long securetransmission distance cerf2002security (); Gisin2004 (); WalmsleyPRL2008 (); lee2014entanglement (); zhong2015photon (); mirhosseini2015high (); Boyd2015 (). One of the most appealing candidates for implementation is timeenergy HDQKD zhong2015photon (); Kwiat2013 (); mower2013high (); lee2013finite (); zhang2014unconditional (); DariusPRA2015 (); bao2016finite (). It generates keys using the detection times of timeenergy entangled photon pairs, whose continuous nature permits encoding of extremely large alphabets. The security analysis of timeenergy HDQKD has been improving ever since the protocol was proposed Kwiat2013 (); mower2013high (); DariusPRA2015 (); lee2013finite (); zhang2014unconditional (); bao2016finite (). Nevertheless, a rigorous security proof that satisfies the composability condition renner2005security () and takes full account of the finitesize effects against general attacks (the most powerful eavesdropping attack) has been missing. For this reason, the feasibility of secure, metropolitanarea, timeenergy HDQKD using a reasonable time interval for signal transmission has yet to be fully established.
In this paper we make three contributions. First, we derive a new entropic uncertainty relation between time and conjugatetime measurements that are made via nonlocal dispersion cancellation. Second, we use the new uncertainty principle to prove the composable security of timeenergy HDQKD in the finitekey regime against general (coherent) attacks. Third, we find the dispersion strength for the conjugatetime basis transformation mower2013high () that maximizes HDQKD’s secretkey rate.
The entropic uncertainty relation is indispensable for analyzing general attacks against timeenergy HDQKD. Although an entropic uncertainty relation for field quadratures has been developed furrer2014position (), and applied recently to CVQKD security analysis furrer2012continuous (), it cannot be directly applied to timeenergy HDQKD because time and conjugatetime measurements are not described by maximally incompatible operators walach2001 (), such as position and momentum. To overcome this challenge, we construct a new entropic uncertainty relation specifically for time and conjugatetime measurements. Because entropic uncertainty relations figure prominently in quantum metrology metrology (), quantum randomness certification random (); XuQRNG (), entanglement witnesses entanglement1 (); entanglement2 (), twoparty cryptography crypto1 (); crypto2 (), QKD security analysis (curty2014finite, ; QKD, ; tomamichel2011uncertainty, ; tomamichel2012tight, ; Wang2013, ; Zhou2014, ), and other applications Patrick2015 (), we expect that our uncertainty relation for time and conjugatetime measurements may have uses well beyond what will be presented below.
The secretkey rate formula we obtain using our entropic uncertainty relation allows us to verify important advantages that HDQKD offers over alternative protocols. In particular, HDQKD offers higher PIE (3.3 bits/photon) than both CVQKD (0.5 bits/photon furrer2014reverse ()) and DVQKD (0.1 bits/photon lim2014concise ()), thus ensuring higher secretkey rates under photonstarved conditions, in which the photondetection rate is much lower than the photongeneration rate because of the loss incurred in longdistance propagation and the relatively long recovery times of available singlephoton detectors. Also, HDQKD offers a longer maximum securetransmission distance for general attacks (e.g., 160 km for a 30min session using the system parameters given below in Table 1) as compared to that for CVQKD furrer2012continuous (); leverrier2013security (), even in the case of reverse reconciliation (e.g., 16 km furrer2014reverse ()). Furthermore, because our entropic uncertainty relation is parametrized by the HDQKD protocol’s timebin duration, , and conjugatetime basis transformation’s groupvelocity dispersion (GVD) coefficient, , optimizing the value can increase HDQKD’s securetransmission distance to 210 km—and provide a 17 Mbit/s expected secretkey rate at zero distance—without resorting to a higher clock rate.
The remainder of the paper is organized as follows. The HDQKD protocol is described briefly in Sec. II, with a detailed account—including its use of decoy states for channel estimation—appearing in Appendix A. The security analysis for coherent attacks in the finitekey regime is contained in Sec. III. Its security proof relies on the entropic uncertainty relation that is derived in Sec. IV. (For comparison, the entropic uncertainty relation obtained from the conventional dilation assumption is presented in Appendix B.) A numerical evaluation of HDQKD’s secretkey rate and PIE follows in Sec. V, which illustrates the advantages offered by this protocol, and Sec. VI provides summarizing discussion.
Ii Protocol
Timeenergy HDQKD that relies on dispersive optics works as follows mower2013high (); lee2013finite (). In each round, Alice generates a timeenergy entangled photon pair from a spontaneous parametric downconversion (SPDC) source, sends one photon to Bob and retains the other. Alice and Bob choose independently and at random to measure their photons in either the time basis () or the conjugatetime basis (), where the latter is a dispersiveoptics proxy for a frequency measurement. Alice and Bob discretize their outcomes into time bins of duration . The process repeats for rounds until Alice and Bob obtain enough detections to begin postprocessing. At the end of all measurements, the two sides reveal their basis choices and discard all data measured using mismatched bases. Secret keys are extracted from the events in which Alice and Bob both chose the basis, while the basis outcomes are publicly announced for parameter estimation. Using the decoystate method Huang2003 (); Wang2003 (); Lo2005 (); DariusPRA2015 (); lim2014concise (), Alice and Bob estimate the number of detections in that were generated from singlepair SPDC emissions, and the corresponding code distance in the basis, see Appendix C for the details. They abort the protocol if this distance exceeds a predetermined value (see Appendix D). Otherwise, they perform error correction and privacy amplification to generate the secret key.
The conjugatetime measurement for the basis is realized by direct detection at Alice and Bob’s terminals after they have sent their photons through normal and anomalous GVD elements, respectively mower2013high (); lee2013finite (). These GVD elements’ dispersion coefficients have equal magnitudes (and opposite signs) so their effects are nonlocally canceled Franson1992 (). As a result, Alice and Bob’s basis measurements are as strongly correlated as those in the basis, i.e., the dispersion transformation allows them to perform a spectralcorrelation measurement with only timeresolved singlephoton detection mower2013high (); lee2013finite ().
Iii Security Analysis
iii.1 Security Definition
Given that the parameterestimation test is passed with probability , Alice and Bob end up with final keys that are classical random vectors, and , which might be correlated with a quantum system, , held by Eve. Mathematically, this situation corresponds to a classicalquantum state , where denotes an orthonormal basis for Alice’s dimension key space, and the subscript indicates Eve’s quantum state. We characterize a QKD protocol by its correctness and secrecy. For that we use a notion of security based on the approach developed in renner2005security (). A protocol is called correct if the probability that differs from is smaller than . We say that a protocol is secret if the state is close to the ideal situation described by the tensor product of uniformly distributed keys on Alice’s side and Eve’s quantum state, , such that . A QKD protocol is then said to be secure if it is both correct and secret, with . Our security definitions ensure that the protocol remains secure in combination with any other protocol, i.e., the protocol is secure in the universally composable framework renner2005security ().
iii.2 Assumptions
Before deriving our lower bound on secretkey length, we first specify the assumptions that will be employed: (1) Alice’s SPDC source produces independent, identicallydistributed biphotons whose correlation time and coherence time are well characterized. (2) For each pump pulse, Alice is able to randomly set her SPDC source’s biphoton intensity (mean photonpairs generated per pump pulse) to be either , , or with probabilities , , and . (3). Alice and Bob’s laboratories are secure, i.e., free from any information leakage. (4) Alice and Bob independently and randomly choose between measuring in the time and conjugatetime bases with probabilities and . Most of these assumptions are already made in conventional CVQKD and DVQKD security analysis.
iii.3 Security Proof
In order to characterize information leakage in a realistic quantum communication system with a finite number of communication rounds, we use smooth minentropy instead of von Neumann entropy renner2005security (); tomamichel2011leftover (). Discretizing Alice and Bob’s photondetection times to time bins of duration results in data vectors comprised of integers representing bin numbers. In particular, with random vectors and denoting Alice and Bob’s raw keys from her intensity transmissions, Eve’s uncertainty (lack of knowledge) is measured by her difficulty in guessing Alice’s raw key , i.e., the conditional smooth minentropy , where denotes Eve’s quantum state. quantifies the randomness that can be extracted from which is statistically independent of renner2005security (); tomamichel2011leftover () with error probability .
The secretkey length that is secret is given by renner2005security ()
(1) 
Here, is the information leaked to Eve during error correction, which can be directly measured during that correction process, and is the smooth minentropy maximized over states that are close to the classicalquantum state . The correctness of the protocol is guaranteed by the keyverification step, which uses a twouniversal hash function to ensure that Bob’s corrected key differs from Alice’s with probability at most , implying that the protocol is correct with .
The essential insight is that Eve’s information about the intensity, basis detection times can be bounded using the complementary basis measurements. In particular, if Alice and Bob’s basis measurements are highly correlated, then Eve’s knowledge about the outcome of their basis measurements is nearly zero, because the two observables are incompatible.
Let and be Alice and Bob’s random vectors of intensity conjugatetime measurement outcomes. Without loss of generality we set the length of these four classical strings to be equal: . Then, from tomamichel2012tight (); furrer2012continuous (); tomamichel2011uncertainty (); furrer2014position (), we have the uncertainty relation:
(2) 
where the smooth maxentropy measures the amount of information needed to reconstruct given with error probability bounded above by , and is the overlap between the time and conjugatetime measurement operators, which depends on , the timebin duration, and , the magnitude of the GVD elements’ dispersion coefficient.
With and being an arbitrary pair of positive operatorvalued meausurements (POVMs), their overlap, , quantifies their incompatibility, i.e., lower values of mean increased incompatibility. Our uncertainty bound involves the overlapquantified incompatibility between the time and conjugatetime POVMs whose outcomes are used for key generation and parameter estimation, respectively. Typically, see Sec. V, lower values allow longer secret keys to be extracted. Our tripartite entropic uncertainty relation and the security analysis that follows therefrom are adapted from CVQKD’s finitekey analysis furrer2012continuous (), an approach that works for all QKD protocols which rely on a pair of incompatible continuous measurements for key generation and parameter estimation. In our case, the security analysis requires accounting for our use of discretized time and conjugatetime measurements that are obtained from underlying continuous POVMs. Note that the different measurement operators employed in different QKD protocols lead to different overlap behaviors in their entropic uncertainty relations.
The major difficulty in determining for our protocol comes from the absence of negative energy for electromagneticfield modes, which implies that under the conventional commutation relation, the timemeasurement operator cannot be projective busch1994 (); delgado1997 (), thus preventing existing results Fabian2015 () being applied to the time and conjugatetime POVMs. We can, however, dilate the time and conjugatetime operators by forsaking the constraint of positive frequency on photonannihilation operators werner1987 (); kiukas2012 (). Such dilations are well justified for the quantum theory of coincidence measurement Jeff (); Franson1992 (), because the negative frequency components do not contribute to detection outcomes. But, because we are not assured that the dilationassumption will suffice for our security proof, we derive the following entropic uncertainty relation for time and conjugatetime measurements without dilation in Sec. IV:
(3) 
Next, we use a generalized chainrule result vitanov2013chain () to decompose into , which is a concatenation of the raw keys arising from vacuum, singlepair, and multipair coincidences. Neglecting the multipair contribution, we have , with and being lower bounds on and , the coincidencecount contributions from vacuum and singlepair events, respectively, when Alice’s SPDC intensity is (see Appendix C). We then have the following lower bound on the smooth minentropy lim2014concise ():
(4) 
Using a result from CVQKD furrer2012continuous (), we get the following upper bound on the smooth maxentropy:
(5) 
where obeys
(6) 
The parameter is the statistical fluctuation that quantifies how well the data subset used for parameter estimation represents the entire dataset,
(7) 
where . and is the probability, for a given pump pulse, that Alice and Bob detect photons separated by more than a frame duration, , and .
Combining the preceding results, we obtain the following lower bound on the secretkey length:
(8) 
Iv TimeConjugate Time Entropic Uncertainty Relation
To justify (3), we only need to evaluate the overlap, , in (2) for the discretized singlephoton time and conjugatetime measurement operators that derive from their continuoustime counterparts, and , by coarsegraining to time bins of duration . Here, we omit polarization degrees of freedom as they do not affect the overlap. Our starting point is the infinitedimensional version of the general uncertainty relation for smooth minentropy and smooth maxentropy tomamichel2011uncertainty () that was derived in furrer2014position ().
We use to denote the singlephoton state detuned by frequency from some fixed center frequency . (Later, this center frequency will be , i.e., half the SPDC source’s pump frequency.) This state satisfies the orthonormality condition . The singlephoton Hilbert space is simply , i.e., the space of squareintegrable, complexvalued functions on the frequencydomain region , where the minimum detuning satisfies . In particular, we associate a function to the state
(9) 
so the inner product between two such states, and , is .
Using the above notation we have that the timemeasurement operator can be expressed as
(10) 
where . Similarly, we can write
(11)  
where . We then introduce partitions, and , of the time and conjugatetime axes, from which we obtain the coarsegrained versions of and , namely the POVMs and , where
(12) 
From tomamichel2011uncertainty (); furrer2014position () the overlap for these discrete POVMs satisfies
(13) 
where and .
Because the and are not projective, it is difficult to evaluate Eq. (13) directly. Instead, we will use the approximation from furrer2014position (), in which an uncertainty relation is derived in the continuoustime case. We take and to represent the continuoustime classical outcomes of the time and conjugatetime measurements, and and to be their discretized versions. From furrer2014position () we have that
(14)  
(15) 
where and are the differential minentropy and differential maxentropy of the continuoustime outcome conditioned on Eve’s state () and Bob’s state (), respectively. We also know that these differential entropies satisfy furrer2014position ()
(16) 
where
(17) 
Inequalities (14) and (15) yield the following uncertainty relation for coarsegrained measurements:
(18) 
We can find the overlap for the differential entropies via
(19) 
where we have used and similarly for . Inserting the definitions of and from Eqs. (10) and (11), we obtain
(20) 
A simple calculation now gives us
(21) 
For , performing the optimization with and yields the maximum overlap
(22) 
Inserting the above result into (18) gives us the overlap for the discrete measurements used in the secretkey length bound
(23) 
This uncertainty bound is tighter than the overlap, obtained in Appendix B, when dilation is used by taking so that the and operators become projective and maximally incompatible, i.e., analogous to position and momentum. These overlap results showcase the subtle difference between the entropic uncertainty relation of quantum time and conjugatetime measurements and that of the homodyne measurements from furrer2012continuous (). Indeed, the factor of 1.37 in Eq. (23) is crucial for the generalattack security of HDQKD, because a secretkey length that presumed the dilation result for the overlap would be insecure.
V Performance Example
90%  1 kHz  18 ps  0.21 dB/km  ps  55.6 MHz Footnote1 () 
2 ps  6 ns  20 ps  0.91  0.9 
Parameters  BB84 lim2014concise ()  CVQKD furrer2014reverse ()  HDQKD 

PIE (bits/photon)^{1}^{1}1PIE in HDQKD is defined as secret bits per single photon detection by Bob given that Alice has made a detection in the same basis; PIE in BB84 is defined as secret bits per use lucamarini2013efficient (); and PIE in CVQKD is defined as secret bits per signal furrer2014reverse ().  0.1  0.5  3.3 
Key rate at 0 Dist (bits/s)  8 M^{2}^{2}2Assumes a decoystate BB84 system with a 1 GHz clock rate lucamarini2013efficient ().  6 M^{3}^{3}3Assumes a CVQKD system with the same 55.6 MHz clock rate as HDQKD.  8.6 M 
Max Dist. (km)  170  16  96 
Based on the secretkey rate formula (8), we numerically evaluated the performance of the timeenergy HDQKD protocol in the finitekey regime under general attacks. See Table 1 for the parameters that were assumed. The calculated secretkey rates and PIEs at different lengths of standard telecom fiber are shown in Figs. 1(a) and 1(b). We see that HDQKD can easily tolerate a 100 km standard fiber within a reasonable running time for transmission (e.g., 10 min). This securetransmission distance significantly exceeds that of CVQKD (around 10 km furrer2014reverse ()). In addition, the secretkey rate of HDQKD at zero distance is about 8.6 Mbit/s (see Table 2), which is comparable to that of CVQKD with the same 55.6 MHz clock rate, and to that of decoystate BB84 with a stateoftheart 1 GHz clock rate lucamarini2013efficient (). Moreover, HDQKD can offer a higher PIE, up to 4.3 bits/photon (with 30 min running time), than does decoystate BB84 lim2014concise (), whose PIE can never exceed 1 bit per use.
In Fig. 1(c) we show the secretkey rate as a function of block size. Here we see that the minimum required block size for HDQKD is slightly larger than those of decoystate BB84 lim2014concise () and CVQKD furrer2014reverse (). Finally, Fig. 1(d) plots the secretkey rate versus transmission distance for different timebin durations, showing that shorter duration time bins offer higher key rates for a given biphoton source. We remark that detectors with less than 20 ps jitter have already been demonstrated in recent experiments Tang2012 ().
Our work clarifies how the secretkey rate of timeenergy HDQKD using dispersiveoptics depends on the timebin duration and the GVD coefficient . Indeed, a higher GVD coefficient and a lower detector time jitter—so that timebin duration may be decreased—might increase HDQKD’s secretkey rate. The secretkey rates shown in Fig. 1 have already presumed a bin duration limited by stateoftheart detector time jitter, but the value used is achievable with commercial devices lee2014entanglement (). Increasing the GVD coefficient without changing the other system parameters, however, does not always increase the secretkey rate. In particular, (8) shows that a fold increase in increases secretkey length by , if there is no offsetting increase in the error rate between Alice and Bob’s raw keys, as quantified by the term in (5). Our numerical evaluation of the secretkey rate at zero distance versus —using the other parameters from Table 1 and the threshold code distance employed in Fig. 1—verifies this insight, see Fig. 2. Here we see the secretkey rate initially increasing linearly with increasing , until it saturates and begins to decrease. Saturation occurs because our protocol requires for there to be a positive secretkey rate, and the minimum threshold code distance increases with increasing , as shown in Appendix D. So, the secretkey rate saturation and decay in Fig. 2 results from the increases that are required at high values. That said, Fig. 2 still shows that the highest key rate, 17 Mbit/s, is realized with the experimentally feasible ps lee2014entanglement (), and we have found that the maximum distance for a nonzero secretkey rate is then 210 km.
Vi Summary
We have reported the generalattack security analysis for the timeenergy HDQKD protocol in the finitekey regime by combining the entropic uncertaintyrelation security analysis of CVQKD with the decoystate technique from DVQKD. In particular, we derived a new entropic uncertainty relation for the time and conjugatetime operators using optical dispersion transformations. This result validates the difference between the uncertainty relation of time and conjugatetime operators and that of conventional maximallyincompatible operators, such as position and momentum. With the new uncertainty bound, we showed that under the most powerful attacks timeenergy HDQKD can produce a higher PIE than conventional decoystate BB84 and CVQKD, and still tolerate longdistance fiber transmission. We also showed that optimizing the HDQKD protocol’s GVD coefficient enables realizing a Mbit/s secretkey rate at zero distance and a 210 km maximum securetransmission distance, the latter being comparable to that of stateoftheart decoystate BB84. We expect this finding will provide theoretical support for optimizing HDQKD implementations. Our results constitute an important step toward the unified understanding of distinct QKD schemes that is needed for development of practical longdistance highrate quantum communication.
Acknowledgment
The authors thank Zheshen Zhang, Catherine Lee, Darius Bunandar, and Franco Wong for many helpful discussions. We acknowledge support from ONR grant number N000141310774 and AFOSR grant number FA95501410052. F. Xu acknowledges support from an NSERC postdoctoral fellowship.
Appendix A Protocol
 a. Preliminaries

Before contacting Bob, Alice makes measurements on her trusted spontaneous parametric downconversion (SPDC) source of timeenergy entangled biphotons to determine the coherence time of the pulsed pump field , the biphoton correlation time , and the SPDC intensities , i.e., the mean photonpairs generated per pump pulse with different pump powers. Then, Alice and Bob use a preshared key to authenticate each other, after which they negotiate parameters to be employed during the protocol run.
 b. Biphoton preparation and distribution

Alice pumps her SPDC source at a clock rate (repetition rate) . For each pump pulse, Alice prepares a timeenergy entangled state within a duration () frame centered on the peak of the pump pulse. She sends one photon to Bob via a quantum channel (e.g., an optical fiber) and retains the companion photon for her own measurements. To implement decoy states Wang2003 (); Lo2005 (); DariusPRA2015 (), Alice randomly pumps the SPDC source to select intensities with probabilities .
 c. Measurement phase

For each frame, Alice and Bob select their measurement basis at random and independently from with probabilities and perform measurements in their chosen bases. Their basis measurements are made using timeresolved singlephoton detectors with a temporal resolution set primarily by the detectors’ time jitter, zhong2015photon (). They sort their data into time bins of duration , where , that will generate rawkey bits when they both obtain basis photon detections in the same frame. Their basis measurements are realized by means of dispersive optics and singlephoton detection mower2013high (), i.e., they pass their photons through normal and anomalous groupvelocity dispersion (GVD) elements, respectively, measure them with timeresolved singlephoton detectors, and then sort that data into duration time bins.
 d. Basis reconciliation

Alice and Bob announce their measurement bases over an authenticated public channel and discard all measurement results for frames in which they measured in different bases. They are then left with detectiontime coincidence measurements of () frames in which they both used the () basis and both obtained one photon detection.
 e. Decoystate processing

Alice announces her SPDC intensity choice for each frame. Alice and Bob thus identify sets and for , in which they have both made basis or basis measurements when Alice’s SPDC source intensity was . They repeat their quantum communication, i.e., steps (b)–(e), until the cardinality of these sets satisfies: and , where are prechosen values that ensure sufficient quality in the ensuing parameter estimation steps. Note that . Next, they publicly announce their basis detection times {, } for each SPDC intensity, where , denote Alice and Bob, indexes the frame, and each detectiontime value is relative to the peak of its associated pump pulse. After that, they compute these detection times’ meansquared differences for each , viz., . By virtue of their use of normal and anomalous GVD elements, can be used to find the anticorrelation between the detunings from the SPDC outputs’ center frequencies of the singlephoton pairs (i.e., biphotons) that Alice and Bob detected in their basis measurements when Alice’s SPDC intensity was mower2013high (), see Appendix C.
 f. Parameter estimation

Alice and Bob use only their data for secretkey generation, while they use their and data for parameter estimation. Alice and Bob use their basis data to estimate , the number of frames out of their that are due to vacuum coincidences (either Alice or Bob did not detect a photon), and , the number of frames out of their that are due to singlepair coincidences (Alice and Bob each detected one photon). They use their basis data to estimate , the distance between their detected photons’ frequency detunings (after accounting for their anticorrelation) that is due to singlepair coincidences DariusPRA2015 (); lim2014concise () (see Appendix. C). Finally, they check that is less than , where is a predetermined threshold (see Appendix. D). If this condition is not met, they abort the protocol. Otherwise they proceed to the protocol’s next step.
 g. Key generation and error correction

Alice and Bob use their basis data to generate raw keys from the frames in which Alice’s SPDC intensity was . Each frame used in generating these raw keys contains bits. Alice and Bob perform error correction on their raw keys using an algorithm with reconciliation efficiency zhou2013layered (). This procedure reveals at most bits of information to Eve. Next, to ensure that they have shared identical keys, Alice and Bob perform key verification using a twouniversal hash function that publishes bits of information, with being the probability that a pair of nonidentical keys passes the test.
 h. Calculation of secretkey length

Using the results from (f) and (g), Alice and Bob calculate the secretkey length . If is negative, they abort the protocol. Otherwise, they apply another (different) twouniversal hash function (for privacy amplification) to their errorcorrected raw keys to produce the length secret keys, and .
Appendix B Timefrequency uncertainty relation for dilated measurements
To compare with the overlap developed in the main text, we derive the overlap with dilation in this appendix. Instead of the frequency domain, it is now more convenient to work in the time domain, using to denote the singlephoton localized at time that satisfies the orthonormality condition . The singlephoton Hilbert space is simply , i.e., the space of squareintegrable, complexvalued functions on the timedomain . We evaluate the overlap under dilation werner1987 (); kiukas2012 () when . In this case, the POVMs and for the time and conjugatetime measurements are projection valued mower2013high ():
(24)  
(25) 
Here, is obtained from via the unitary transformation
(26) 
The associated time and conjugatetime observables are then
(27)  
(28)  
The conjugatetime observable can be further simplified as follows:
(29)  
(30)  
(31)  
(32) 
where is the conventional unboundedfrequency observable that is maximally incompatible with the time observable. It immediately follows that
(33) 
Finally, using the overlap result for maximallyincompatible observables Fabian2015 (), we obtain
(34) 
for the dilated measurements. Compared with the overlap derived with nonprojective POVM in Sec. IV, this overlap is slightly smaller, and thus offers a weaker bound on the uncertainty relation. In the paper we therefore used the nondilated overlap in bounding the secretkey length.
Appendix C Decoy states with finite keys
A decoystate method for HDQKD in the asymptotic regime was previously derived in DariusPRA2015 (). Here, based on lim2014concise (), we extend the work in DariusPRA2015 () to the finitekey case against general attacks (i.e., without any assumptions on the statistical distributions). We presume that Alice randomly chooses between three intensity levels, and for her SPDC source. Let be the number of frames in which Alice and Bob both measure in the basis and Alice’s source has emitted biphotons in each frame, so that is the total number of frames in which Alice and Bob both made basis measurements. In the asymptotic regime, , the number frames in which Alice’s source intensity was and she and Bob made basis measurements, approaches its ensembleaverage value, namely
where is the conditional probability of Alice’s source emitting biphotons in a frame, given its source intensity was . For finite sample sizes, Hoeffding’s inequality for independent events hoeffding1963probability () implies that will satisfy
(35) 
with probability at least , where . Note that the deviation term is the same for all . Inequality (35) allows us to establish a relation between the asymptotic values and the observed values . More precisely, we have the following bounds for finitekey analysis:
(36)  
(37) 
c.0.1 Lowerbound on the number of vacuum coincidences,
The following lower bound on was derived in Ref. lim2014concise ():
(38) 
Using this result we obtain the lower bound on the number of vacuum coincidences when Alice’s source intensity is given by
c.0.2 Lower bound on the number of singlepair coincidences,
The following lower bound on was derived in Ref. lim2014concise ():
(39) 
Using this result we obtain the lower bound on the number of singlepair coincidences when Alice’s source intensity is given by
with probability at least .
c.0.3 Upper bound on the distance of singlepair coincidences,
After the nonlocal dispersion cancellation that occurs when Alice and Bob both make basis measurements on the same frame, their meansquare time difference, for , can be written as
where and are the meansquared differences due to singlepair and multiplepair coincidences including all source intensities, and is the number of frames in which Alice and Bob both measure in the basis given that Alice’s source has emitted biphoton in each frame. Then, we have
(40)  
where the term on the right is nonnegative for . Dropping the term, the preceding result can be rearranged to provide the lower bound
(41) 
where the lower bound, , can be derived using the same method employed in lim2014concise () to obtain inequality (39). Our upper bound on the distance of singlepair coincidences is then
(42) 
where the factor arises from relating distance to the meansquared difference of jointly Gaussian random variables.
Appendix D Theoretical model for the threshold,
To find the threshold, , for the meansquared difference between Alice and Bob’s singlepair basis measurements beyond which Alice and Bob will abort the QKD protocol, we start from the time and frequency wavefunctions for the biphoton emission when Alice’s SPDC source is pumped by a pulse centered at time zhang2014unconditional (), i.e.,
(43)  
(44) 
Here: and denote the times of the biphoton’s signal and idler photons, and and denote their frequencies; , , , and ; and we have assumed that Alice’s source is phase matched at frequency degeneracy for its pump’s center frequency.
When both Alice and Bob choose the conjugatetime basis, they send their photons into normal and anomalous groupvelocity dispersion elements whose dispersion coefficients have common magnitude but opposite signs. After the propagation through the dispersive elements at Alice and Bob’s terminal, the frequency wavefunction becomes
(45) 
from which the associated time wavefunction can be found via
(46)  
The basis meansquared time difference in the absence of Eve is therefore