Discrete-phase-randomized measurement-device-independent quantum key distribution

Zhu Cao caozhu@ecust.edu.cn Key Laboratory of Advanced Control and Optimization for Chemical Processes of Ministry of Education, East China University of Science and Technology, Shanghai 200237, China Shanghai Institute of Intelligent Science and Technology, Tongji University, Shanghai 200092, China

Abstract

Measurement-device-independent quantum key distribution removes all detector-side attacks in quantum cryptography, and in the meantime doubles the secure distance. The source side, however, is still vulnerable to various attacks. In particular, the continuous phase randomization assumption on the source side is normally not fulfilled in experimental implementation and may potentially open a loophole. In this work, we first show that indeed there are loopholes for imperfect phase randomization in measurement-device-independent quantum key distribution by providing a concrete attack. Then we propose a discrete-phase-randomized measurement-device-independent quantum key distribution protocol as a solution to close this source-side loophole.

I Introduction

Quantum key distribution (QKD) provides an information-theoretically secure method to distribute identical keys between two parties, and is hence one of the most important ingredients in information-theoretically secure communication. The first QKD protocol was developed by Bennett and Brassard in 1984 Bennett and Brassard (1984), which consisted of two sides, a source side and a detector side. We refer to this protocol as BB84 hereafter. The security of BB84, however, relies on a few idealized assumptions. These assumptions are often violated in practice, which allows attacks mostly on the detector side. Measurement-device-independent (MDI) QKD is hence developed to close all loopholes on the detector side Lo et al. (2012). To achieve higher security, it is ideal to also close loopholes on the source side in MDI-QKD.

In an idealized MDI-QKD, each of the two parties, called Alice and Bob, provide single photons in the eigenstates of the rectilinear basis or the diagonal bases. The measurement device performs a Bell measurement on Alice’s and Bob’s signals. It can be shown that if both Alice and Bob choose the rectilinear basis, they can recover identical keys based on the Bell measurement outcomes. The events that Alice and Bob choose different bases are discarded. It was shown that the security of this protocol can be proved by treating the protocol as the time-reversed version of an entanglement-based QKD Ekert (1991).

In a practical scenario, single photon sources are not available. Instead, a phase-randomized weak coherent laser is often utilized to approximate a single photon source. However, continuous phase randomization is impossible to be realized experimentally. Heuristically, the laser is turned off and then on again to approximate phase randomization, but there is no theoretical guarantee that this can provide perfect phase randomization. Indeed there is evidence that this method is far from perfect phase randomization Xu et al. (2012).

Failure in phase randomization can yield the QKD system insecure with respect to the original security analysis. In a related work Cao et al. (2015), it was shown that the phase randomization loophole in BB84 can be closed by using discrete phase randomization. Inspired by that work, we propose a discrete-phase-randomized (DPR) MDI-QKD protocol for solving the phase randomization loophole in MDI-QKD. In addition, we provide a formal security proof of the DPR MDI-QKD protocol.

The roadmap for the rest of the paper is as follows. In Sec. II, we first provide a brief review of the MDI-QKD protocol. In Sec. III, we show an attack against a MDI-QKD system with imperfect phase randomization. In Sec. IV, we describe the DPR MDI-QKD protocol and provide its security analysis. In Sec. V, we summarize the results and discuss future work.

II Review of MDI-QKD

A diagram of the MDI-QKD protocol is shown in Fig. 1. In a typical MDI-QKD setup, Alice and Bob prepare source states in the rectilinear basis or in the diagonal basis. A measurement device which may be controlled by Eve performs a joint Bell measurement on Alice’s and Bob’s states, and outputs either $\mbox{$\left|01\right\rangle$}+\mbox{$\left|10\right\rangle$}$ or $\mbox{$\left|01\right\rangle$}-\mbox{$\left|10\right\rangle$}$ (other Bell measurement outcomes are discarded). Afterwards, Alice and Bob announce the bases they used and discard the events that they use different bases. It can be shown that if both Alice and Bob were using the rectilinear basis with different (the same) eigenstates, the measurement result is always $\mbox{$\left|01\right\rangle$}-\mbox{$\left|10\right\rangle$}$ ( $\mbox{$\left|01\right\rangle$}+\mbox{$\left|10\right\rangle$}$ ). If both parties were using the diagonal bases, then outputting $\mbox{$\left|01\right\rangle$}+\mbox{$\left|10\right\rangle$}$ and $\mbox{$\left|01\right\rangle$}-\mbox{$\left|10\right\rangle$}$ will have the same probability 0.5. By these properties, Alice and Bob can use the rectilinear basis to generate keys, and use the diagonal basis to estimate the errors in the measurement device. In addition, the two parties use the decoy state method Hwang (2003); Lo et al. (2005); Wang (2005) to estimate the channel gain and error rate with higher precision. The MDI-QKD protocol can be viewed as a time-reversed version of an entanglement-based QKD protocol Ekert (1991) and indeed its security can be proved using this time-reversal symmetry Lo et al. (2012).

Refer to caption — Figure 1: Diagram of the MDI-QKD protocol. There are three modules, including Alice, Bob and Eve. Alice and Bob generate source states, whereas the measurement device controlled by Eve performs a joint measurement on the states of Alice and Bob. Here, WCP stands for a weak coherent source; PM stands for a phase modulator; Decoy-IM stands for an intensity modulator that switches between the signal states and the decoy states. Conv is a converter that converts the phase encoding to the polarization encoding Tamaki *et al.* (2012); BS is a beam splitter; PBS is a polarization beam splitter; $D_{1H}$ , $D_{1V}$ , $D_{2H}$ , $D_{2V}$ are single-photon detectors.

III Vulnerability of imperfect phase randomization

In this section, we propose an attack to show that there is a serious loophole in MDI-QKD if the phase of the coherent source is not properly randomized. For simplicity, we consider the extreme case that there is no phase randomization, and the phases of the signal state and the decoy state are known to the eavesdropper Eve. We now describe how to use unambiguous state discrimination (USD) to attack a MDI-QKD system without phase randomization.

In the first step, Eve uses USD to distinguish the signal state and the decoy state on both Alice’s and Bob’s sides, each with some probability $q$ (note that in the case of perfect phase randomization, Eve cannot distinguish the signal state and the decoy state, i.e., $q=0$ ). Eve discards the events that he fails to distinguish the signal state and the decoy state. Then Eve measures the photon number and chooses to forward some of the photons conditioned on the results of signal or decoy states and the photon number to preserve the channel statistics.

In a normal MDI-QKD, the key rate is lower bounded by

R^{l}=-Q_{\textrm{Rect}}f(E_{\textrm{Rect}})H(E_{\textrm{Rect}})+Q^{1,1}_{n}(1-H(E^{1,1,b}_{\textrm{Diag}})),

(1)

where the first term is the error correction term and the second term is the privacy amplification term. Here $Q_{\textrm{Rect}}$ is the gain of the rectilinear basis, $E_{\textrm{Rect}}$ is the bit error rate of the rectilinear basis, $Q^{1,1}_{n}$ is the estimated gain when both parities emit single-photon states, $f(\cdot)\geq 1$ is the error correction efficiency, $E^{1,1,b}_{\textrm{Diag}}$ is the bit error rate of the diagonal basis, and $H(\cdot)$ is the binary Shannon entropy. Under the attack, the key rate is upper bounded by $R^{u}=Q^{1,1}_{a}$ where $Q^{1,1}_{a}$ is the actual gain of the single photon states from both parities under the attack. Apparently, if $R_{l}>R^{u}$ , then Alice and Bob would mistakenly generate keys with a key rate higher than the maximal secure key rate possible under the attack, thus leaking part of the key information to Eve. The goal of Eve is hence to minimize $R^{u}$ to the extent that it is smaller than $R^{l}$ . We next show that this indeed can happen.

Suppose the intensities of the signal state and the decoy state are $\mu$ and $\nu$ respectively, it can be shown Tang et al. (2013) that on each side, the optimal success probability of unambiguous state discrimination is

q_{\textrm{opt}}=1-\textrm{exp}(-\frac{|\sqrt{\mu}-\sqrt{\nu}|^{2}}{4}).

(2)

In the attack, the gains of the signal state and the decoy state at each side are

	$\displaystyle Q_{\mu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i=1}^{\infty}q_{opt}Z_{i}^{\mu}e^{-\mu}\frac{\mu^{i}}{i!},$
	$\displaystyle Q_{\nu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i=1}^{\infty}q_{opt}Z_{i}^{\nu}e^{-\nu}\frac{\nu^{i}}{i!}$		(3)

respectively, where $Z_{i}^{\mu}$ ( $Z_{i}^{\nu}$ ) is the probability of Eve forwarding the photons conditioned on the signal state (the decoy state) and the photon number $i$ . Here we make the simplified assumption that the dark count is zero, so the summation index starts from 1.

Eve should choose $Z_{i}^{\mu}$ and $Z_{i}^{\nu}$ properly so that his faked gains match the normal channel gains of both the signal state and the decoy state, namely,

	$\displaystyle Q_{\mu}$	$\displaystyle=$	$\displaystyle 1-e^{-\eta\mu},$
	$\displaystyle Q_{\nu}$	$\displaystyle=$	$\displaystyle 1-e^{-\eta\nu}.$		(4)

Here $\eta$ is the channel loss and we assume there is no dark count for simplicity. In addition, since

R^{u}=Q^{1,1}_{a}=(q_{\mu}Z_{1}^{\mu}e^{-\mu}\mu)^{2},

(5)

minimizing $R^{u}$ is equivalent to minimizing $Z_{1}^{\mu}$ .

Assume $\mu\ll 1$ and $\mu>\nu>\mu^{2}/2$ and let $\eta=q_{\textrm{opt}}\mu/2$ , we can take

$\displaystyle Z_{2}^{\mu}$	$\displaystyle=$	$\displaystyle 1,$
$\displaystyle Z_{1}^{\nu}$	$\displaystyle=$	$\displaystyle\mu^{2}/2\nu,$
$\displaystyle Z_{i}^{\mu}$	$\displaystyle=$	$\displaystyle 0\;\forall i\neq 2,$	(6)
$\displaystyle Z_{i}^{\nu}$	$\displaystyle=$	$\displaystyle 0\;\forall i\neq 1.$

For these parameters, it can be checked that the constraints Eqs. (III) to (III) are satisfied. Hence we have $Z_{1}^{\mu}=0$ , thus $R^{u}=0$ , meaning that all the key information is leaked to Eve. It only remains to show that $R^{l}>0$ for these parameters.

For simplicity, we assume there are no errors, namely $E_{\mu}=0$ . The estimated key rate lower bound $R^{l}$ is then reduced to $Q^{1,1}_{n}$ . In a normal estimation, since Eve cannot distinguish the signal state and the decoy state, we have

$\displaystyle Q_{\mu,\mu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i.j=1}^{\infty}Y_{i,j}e^{-\mu}\frac{\mu^{i}}{i!}e^{-\mu}\frac{\mu^{j}}{j!},$
$\displaystyle Q_{\nu,\mu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i,j=1}^{\infty}Y_{i,j}e^{-\nu}\frac{\nu^{i}}{i!}e^{-\mu}\frac{\mu^{j}}{j!},$
$\displaystyle Q_{\mu,\nu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i,j=1}^{\infty}Y_{i,j}e^{-\mu}\frac{\mu^{i}}{i!}e^{-\nu}\frac{\nu^{j}}{j!},$	(7)
$\displaystyle Q_{\mu,\mu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i.j=1}^{\infty}Y_{i,j}e^{-\mu}\frac{\mu^{i}}{i!}e^{-\mu}\frac{\mu^{j}}{j!}.$

Here $Q_{\alpha,\beta}$ stands for the gain when the mean photon number of Alice’s state is $\alpha$ and the mean photon number of Bob’s state is $\beta$ , $Y_{i,j}$ stands for the gain when Alice’s state contains $i$ photon and Bob’s state contains $j$ photons. Since Alice and Bob send their states independently, we have $Q_{\alpha,\beta}=Q_{\alpha}Q_{\beta}$ , where $Q_{\alpha}$ and $Q_{\beta}$ are given by Eq. (III).

By a two-step estimation, we first estimate the intermediate quantities $Y^{1}_{\mu}$ and $Y^{1}_{\nu}$ defined by

	$\displaystyle Y^{1}_{\mu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i=1}^{\infty}Y_{1,i}e^{-\mu}\frac{\mu^{i}}{i!},$
	$\displaystyle Y^{1}_{\nu}$	$\displaystyle=$	$\displaystyle\sum\limits_{i=1}^{\infty}Y_{1,i}e^{-\nu}\frac{\nu^{i}}{i!}.$		(8)

Using Eq. (III), $Y^{1}_{\mu}$ can be estimated from $Q_{\mu,\mu}$ and $Q_{\nu,\mu}$ as

	$\displaystyle Y^{1}_{\mu}$	$\displaystyle\geq$	$\displaystyle\frac{\mu}{\mu\nu-\nu^{2}}(Q_{\nu,\mu}e^{\nu}-Q_{\mu,\mu}e^{\mu}\frac{\nu^{2}}{\mu^{2}})$		(9)
		$\displaystyle\approx$	$\displaystyle\eta^{2}\mu,$		(9)

and similarly for $Y^{1}_{\nu}$ , we have

Y^{1}_{\nu}\approx\eta^{2}\nu.

(10)

Finally, by Eqs. (III) to (10), $Y_{1,1}$ can be estimated as

	$\displaystyle Y_{1,1}$	$\displaystyle\geq$	$\displaystyle\frac{\mu}{\mu\nu-\nu^{2}}(Y^{1}_{\nu}e^{\nu}-Y^{1}_{\mu}e^{\mu}\frac{\nu^{2}}{\mu^{2}})$		(11)
		$\displaystyle\approx$	$\displaystyle\eta^{2}.$		(11)

Thus $R^{l}=Q_{1,1}=Y_{1,1}(e^{-\mu}\mu)^{2}>0=R^{u}$ , which shows that Eve’s attack is successful.

It should be noted that this example is not the only case that Eve can successfully attack a MDI-QKD system without phase randomization. The exact parameter region which is vulnerable to Eve’s attack is beyond the scope of this paper, and is left as an interesting future research direction.

IV Discrete-phase-randomized MDI-QKD protocol

In this section, we first describe our discrete-phase-randomized MDI-QKD protocol and then provide its security analysis.

A weak coherent laser can be described by the following state Glauber (1963)

\mbox{$\left|\alpha\right\rangle$}=e^{-\frac{|\alpha|^{2}}{2}}\sum\frac{\alpha^{n}}{\sqrt{n!}}\mbox{$\left|n\right\rangle$},

(12)

where $\alpha$ is a complex number and $\left|n\right\rangle$ is the Fock state of $n$ photons. In continuous phase randomization, a random phase $\theta\in[0,2\pi)$ is applied on $\left|\alpha\right\rangle$ , and the input state becomes

\frac{1}{2\pi}\int_{0}^{2\pi}\mbox{$\left|\alpha e^{i\theta}\right\rangle$}\mbox{$\left\langle\alpha e^{i\theta}\right|$}d\theta=\sum\limits_{n=0}^{\infty}e^{-|\alpha|^{2}}\frac{|\alpha|^{2}}{n!}\mbox{$\left|n\right\rangle$}\mbox{$\left\langle n\right|$}.

(13)

Conditioning on sufficiently small $|\alpha|$ and photon detection, this input state approximates the single photon state $\left|1\right\rangle$ $\left\langle 1\right|$ quite well and hence is a good substitute for a single photon source.

In contrast to continuous phase randomization, in our discrete-phase-randomized MDI-QKD protocol, we apply one of the discrete phases

\{\theta_{k}=\frac{2\pi k}{N}|k=0,1,\dots,N-1\}

(14)

randomly on the weak coherent laser $\left|\sqrt{2}\alpha\right\rangle$ . Here $N$ is the number of discrete phases. Using the virtual qudit formalism of randomization, the input state can be written as

	$\left\|\Psi_{N}\right\rangle$	$\displaystyle=$	$\displaystyle\sum\limits_{k=0}^{N-1}\mbox{$\left\|a_{k}\right\rangle$}_{A}\mbox{$\left\|\sqrt{2}\alpha e^{2k\pi i/N}\right\rangle$}_{B}$
		$\displaystyle=$	$\displaystyle\sum\limits_{j=0}^{N-1}\mbox{$\left\|b_{j}\right\rangle$}_{A}\mbox{$\left\|\lambda_{j}\right\rangle$}_{B},$

where

\mbox{$\left|\lambda_{j}\right\rangle$}=\sum_{k=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left|e^{2k\pi i/N}\sqrt{2}\alpha\right\rangle$}.\\

(16)

Here $\{\mbox{$\left|a_{k}\right\rangle$}\}_{k=0,1,\dots,N-1}$ and $\{\mbox{$\left|b_{j}\right\rangle$}\}_{j=0,1,\dots,N-1}$ are sets of orthogonal bases, and $\left|a_{k}\right\rangle$ can be transformed from $\left|b_{j}\right\rangle$ by

\mbox{$\left|a_{k}\right\rangle$}=\sum_{j=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left|b_{j}\right\rangle$}.

(17)

By Taylor expansion on $\left|\lambda_{j}\right\rangle$ , one has

\mbox{$\left|\lambda_{j}\right\rangle$}=\sum_{l=0}^{\infty}\frac{(\sqrt{2}\alpha)^{lN+j}}{\sqrt{(lN+j)!}}\mbox{$\left|lN+j\right\rangle$}.\\

(18)

The probability of obtaining $\left|\lambda_{j}\right\rangle$ is

\displaystyle P_{j}=\frac{\mbox{$\left\langle\lambda_{j}|\lambda_{j}\right\rangle$}}{\sum_{j=0}^{N-1}\mbox{$\left\langle\lambda_{j}|\lambda_{j}\right\rangle$}}=\sum_{l=0}^{\infty}\frac{\mu^{lN+j}e^{-\mu}}{(lN+j)!},

(19)

where $\mu=2|\alpha|^{2}$ . It can be seen that as $N$ goes to infinity, $\left|\lambda_{j}\right\rangle$ approaches the Fock state $\left|j\right\rangle$ . Therefore we will call $\left|\lambda_{j}\right\rangle$ the approximated $j$ -photon state.

The input state $\left|\lambda_{j}\right\rangle$ is then encoded into four BB84 states with the phase encoding and becomes one of

$\left\|0_{x}^{L}\right\rangle$	$\displaystyle=$	$\displaystyle\sum_{k=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left\|e^{2k\pi i/N}\alpha\right\rangle$}\mbox{$\left\|e^{2k\pi i/N}\alpha\right\rangle$},$
$\left\|1_{x}^{L}\right\rangle$	$\displaystyle=$	$\displaystyle\sum_{k=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left\|e^{2k\pi i/N}\alpha\right\rangle$}\mbox{$\left\|-e^{2k\pi i/N}\alpha\right\rangle$},$
$\left\|0_{y}^{L}\right\rangle$	$\displaystyle=$	$\displaystyle\sum_{k=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left\|e^{2k\pi i/N}\alpha\right\rangle$}\mbox{$\left\|ie^{2k\pi i/N}\alpha\right\rangle$},$	(20)
$\left\|1_{y}^{L}\right\rangle$	$\displaystyle=$	$\displaystyle\sum_{k=0}^{N-1}e^{-2kj\pi i/N}\mbox{$\left\|e^{2k\pi i/N}\alpha\right\rangle$}\mbox{$\left\|-ie^{2k\pi i/N}\alpha\right\rangle$},$

where $\left|0_{x}^{L}\right\rangle$ and $\left|1_{x}^{L}\right\rangle$ are logical qubits in the $X$ basis, and $\left|0_{y}^{L}\right\rangle$ and $\left|1_{y}^{L}\right\rangle$ are logical qubits in the $Y$ basis, the first coherent state is the reference state and the second coherent state is the signal state with BB84 phases. Since the probabilities of choosing the eigenstates are equal, the overall states encoded in the $X$ basis and the $Y$ basis are

	$\displaystyle\rho_{AB}^{X}$	$\displaystyle=$	$\displaystyle(\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$})_{A}\otimes(\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$})_{B},$
	$\displaystyle\rho_{AB}^{Y}$	$\displaystyle=$	$\displaystyle(\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})_{A}\otimes(\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})_{B},$

respectively. In the ideal case of basis-independent sources, we have

\rho_{AB}^{X}=\rho_{AB}^{Y}.

(22)

We can characterize the deviation from the ideal case by bounding the fidelity between $\rho_{AB}^{X}$ and $\rho_{AB}^{Y}$ as

	$\displaystyle F_{j,j}(\rho_{AB}^{X},\rho_{AB}^{Y})=\mathrm{tr}\sqrt{\sqrt{\rho_{AB}^{Y}}\rho_{AB}^{X}\sqrt{\rho_{AB}^{Y}}}$		(23)
	$\displaystyle\geq\left\|\frac{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}2^{-\frac{lN+j}{2}}\left(\cos\frac{lN+j}{4}\pi+\sin\frac{lN+j}{4}\pi\right)}{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}}\right\|^{2}.$

The concrete derivation can be found in Appendix A. The first order approximation of $F_{1,1}$ with respect to $\mu^{N}$ is

F^{(1)}_{1,1}\geq 1-2\left(1-2^{-\frac{N}{2}}\cos\frac{N}{4}\pi\right)\frac{\mu^{N}}{(N+1)!}.

(24)

This will be later used in the key rate formula. Its derivation can also be found in Appendix A.

IV.1 Key rate

In a normal MDI-QKD, the key rate formula is given by Eq. (1). In the discrete phase version, we need to modify the key rate formula to

	$\displaystyle R$	$\displaystyle\geq$	$\displaystyle-Q_{\textrm{Rect}}f(E_{\textrm{Rect}})H(E_{\textrm{Rect}})$		(25)
			$\displaystyle+\sum_{i}\sum_{j}P_{i}P_{j}Y_{i,j}[1-H(E^{i,j,p}_{\textrm{Rect}})].$		(25)

The error correction part stays unchanged. For the privacy amplification part, $P_{i}$ is the probability of obtaining the state $\left|\lambda_{i}\right\rangle$ when a party uses a signal state, $Y_{i,j}$ and $E^{i,j,p}_{\textrm{Rect}}$ are the gain and the phase error rate of the rectilinear basis when Alice’s state is $\left|\lambda_{i}\right\rangle$ , Bob’s state is $\left|\lambda_{j}\right\rangle$ and both parties use signal states.

Recall that a phase error of the rectilinear basis occurs when Alice and Bob’s states are both encoded in the $X$ basis, and their joint state after the Bell measurement is $\mbox{$\left|0_{x}^{L}\right\rangle$}_{A}\mbox{$\left|0_{x}^{L}\right\rangle$}_{B}+\mbox{$\left|1_{x}^{L}\right\rangle$}_{A}\mbox{$\left|1_{x}^{L}\right\rangle$}_{B}$ instead of the correct outcome $\mbox{$\left|0_{x}^{L}\right\rangle$}_{A}\mbox{$\left|0_{x}^{L}\right\rangle$}_{B}-\mbox{$\left|1_{x}^{L}\right\rangle$}_{A}\mbox{$\left|1_{x}^{L}\right\rangle$}_{B}$ . If their joint state after the Bell measurement is $\mbox{$\left|0_{x}^{L}\right\rangle$}_{A}\mbox{$\left|1_{x}^{L}\right\rangle$}_{B}-\mbox{$\left|0_{x}^{L}\right\rangle$}_{A}\mbox{$\left|1_{x}^{L}\right\rangle$}_{B}$ , a bit error of the rectilinear basis is said to occur. Similarly, for the diagonal basis where Alice and Bob’s states are both encoded in the $Y$ basis, the correct outcome after the Bell measurement should be $\mbox{$\left|0_{y}^{L}\right\rangle$}_{A}\mbox{$\left|0_{y}^{L}\right\rangle$}_{B}-\mbox{$\left|1_{y}^{L}\right\rangle$}_{A}\mbox{$\left|1_{y}^{L}\right\rangle$}_{B}$ . If the actual joint state is $\mbox{$\left|0_{y}^{L}\right\rangle$}_{A}\mbox{$\left|0_{y}^{L}\right\rangle$}_{B}+\mbox{$\left|1_{y}^{L}\right\rangle$}_{A}\mbox{$\left|1_{y}^{L}\right\rangle$}_{B}$ , a phase error of the diagonal basis is said to occur. If the actual joint state is $\mbox{$\left|0_{y}^{L}\right\rangle$}_{A}\mbox{$\left|1_{y}^{L}\right\rangle$}_{B}-\mbox{$\left|1_{y}^{L}\right\rangle$}_{A}\mbox{$\left|0_{y}^{L}\right\rangle$}_{B}$ , a bit error of the diagonal basis is said to occur.

In the key formula, since $Q_{\textrm{Rect}}$ and $E_{\textrm{Rect}}$ can be directly measured, only $Y_{i,j}$ and $E^{i,j,p}_{\textrm{Rect}}$ need to be estimated. In the basis-independent case, $E^{1,1,p}_{\textrm{Rect}}=E^{1,1,b}_{\textrm{Diag}}$ , hence the phase error of the rectilinear basis can be estimated using the bit error rate of the diagonal basis. However, in the discrete phase case, the basis independence property no longer holds. Fortunately, we can estimate the difference between $e_{1,1}^{b}=E^{1,1,b}_{\textrm{Diag}}$ and $e_{1,1}^{p}=E^{1,1,p}_{\textrm{Rect}}$ as follows Lo and Preskill (2007),

	$\displaystyle e_{j,j}^{p}\leq$	$\displaystyle e_{j,j}^{b}+4\Delta_{j,j}(1-\Delta_{j,j})(1-2e_{j,j}^{b})$			(26)
		$\displaystyle+4(1-2\Delta_{j,j})\sqrt{\Delta_{j,j}(1-\Delta_{j,j})e_{j,j}^{b}(1-e_{j,j}^{b})},$			(26)

where

\Delta_{j,j}=\frac{1-F_{j,j}}{2Y_{j,j}}.

(27)

Here $F_{j,j}$ is given by Eq. (23). Next we show how to estimate the parameters $Y_{1,1}$ and $e_{1,1}^{b}$ .

IV.2 Parameter estimation

In discrete-phase-randomized MDI-QKD, we need to estimate the gain $Y^{\alpha,\beta}_{i,j}$ and the error rate $e^{\alpha,\beta}_{i,j}$ . First we note that the following relations hold:

	$\displaystyle Q^{\alpha,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i,j=0}^{N-1}P^{\alpha}_{i}P^{\beta}_{j}Y^{\alpha,\beta}_{i,j},$
	$\displaystyle Q^{\alpha,\beta}E^{\alpha,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i,j=0}^{N-1}P^{\alpha}_{i}P^{\beta}_{j}Y^{\alpha,\beta}_{i,j}e^{\alpha,\beta}_{i,j},$		(28)

where $\alpha$ ( $\beta$ ) distinguishes the signal state and the decoy states, $i$ ( $j$ ) stands for the approximated $i$ -photon( $j$ -photon) state, $Q^{\alpha,\beta}$ and $E^{\alpha,\beta}$ are the observed gain and error rate in the case that Alice uses the intensity setting $\alpha$ and Bob uses the intensity setting $\beta$ , $Y^{\alpha,\beta}_{i,j}$ and $e^{\alpha,\beta}_{i,j}$ are the intrinsic gain and error rate in the case that Alice uses the intensity setting $\alpha$ and the approximated $i$ -photon state, Bob uses the intensity setting $\beta$ and the approximated $j$ -photon state, $P^{\alpha}_{i}$ is the probability of generating an approximated $i$ -photon state when the intensity setting is $\alpha$ .

There is an inherent assumption in normal MDI-QKD, namely

	$\displaystyle Y_{i,j}^{\alpha_{1},\beta_{1}}$	$\displaystyle=Y_{i,j}^{\alpha_{2},\beta_{2}},$
	$\displaystyle e_{i,j}^{\alpha_{1},\beta_{1}}$	$\displaystyle=e_{i,j}^{\alpha_{2},\beta_{2}}.$			(29)

This no longer holds in the case of discrete phase randomization as

\mbox{$\left|\lambda_{i,j}^{\alpha_{1},\beta_{1}}\right\rangle$}\neq\mbox{$\left|\lambda_{i,j}^{\alpha_{2},\beta_{2}}\right\rangle$},

(30)

where $\left|\lambda_{i,j}^{\alpha,\beta}\right\rangle$ is the joint state of Alice and Bob when Alice uses the intensity setting $\alpha$ together with the approximated $i$ -photon state, and Bob uses the intensity setting $\beta$ together with the approximated $j$ -photon state. Nevertheless, we can bound the difference between gains and errors of different intensities as

	$\displaystyle\|Y_{i,j}^{\alpha,\mu}-Y_{i,j}^{\alpha,\nu}\|$	$\displaystyle\leq\sqrt{1-F^{2}_{\mu\nu}},$
	$\displaystyle\|Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu}-Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu}\|$	$\displaystyle\leq\sqrt{1-F^{2}_{\mu\nu}},$			(31)

where

F_{\mu\nu}=\frac{\sum_{l=0}^{\infty}\frac{(\mu\nu)^{lN/2}}{(lN)!}}{\sqrt{\sum_{l=0}^{\infty}\frac{\mu^{lN}}{(lN)!}\sum_{l=0}^{\infty}\frac{\nu^{lN}}{(lN)!}}}.

(32)

The derivation of these bounds can be found in Appendix B.

The estimation of the gain $Y^{\alpha,\beta}_{i,j}$ and the error rate $e^{\alpha,\beta}_{i,j}$ is similar to normal MDI-QKD. We start with the estimation of the gain $Y^{\alpha,\beta}_{i,j}$ . Note that the first equation in Eq. (IV.2) can be rewritten as

Q^{\alpha,\beta}=\sum_{i=0}^{N-1}P^{\alpha}_{i}Y^{\alpha,\beta}_{i},

(33)

where

Y^{\alpha,\beta}_{i}=\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\alpha,\beta}_{i,j}.

(34)

For notation simplicity, let

\epsilon=\sqrt{1-F^{2}_{\mu\nu}}.

(35)

From Eq. (34), we get

$\displaystyle\|Y^{\alpha,\beta}_{i}-Y^{\mu,\beta}_{i}\|$	$\displaystyle=$	$\displaystyle\|\sum_{j=0}^{N-1}P^{\beta}_{j}(Y^{\alpha,\beta}_{i,j}-Y^{\mu,\beta}_{i,j})\|$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}\|Y^{\alpha,\beta}_{i,j}-Y^{\mu,\beta}_{i,j}\|$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}\epsilon=\epsilon,$

where the last inequality holds because $\sum_{j=0}^{N-1}P_{j}^{\beta}=1$ . Hence, we can estimate the upper bound and the lower bound of $Y^{\mu,\beta}_{i}$ under the following constraint,

$\displaystyle Q^{\mu,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i=0}^{N-1}P^{\mu}_{i}Y^{\mu,\beta}_{i},$
$\displaystyle Q^{\alpha,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i=0}^{N-1}P^{\alpha}_{i}Y^{\alpha,\beta}_{i}=\sum_{i=0}^{N-1}P^{\alpha}_{i}Y^{\mu,\beta}_{i}\pm\epsilon,$	(37)
$\displaystyle 0$	$\displaystyle\leq$	$\displaystyle Y^{\mu,\beta}_{i}\leq 1.$

After the range of $Y^{\mu,\beta}_{i}$ is estimated for all $\beta$ , we can estimate the upper bound and the lower bound of $Y^{\mu,\mu}_{i,j}$ under the following constraint:

$\displaystyle Y^{\mu,\mu}_{i}$	$\displaystyle=$	$\displaystyle\sum_{j=0}^{N-1}P^{\mu}_{j}Y^{\mu,\mu}_{i,j},$
$\displaystyle Y^{\mu,\beta}_{i}$	$\displaystyle=$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\mu,\beta}_{i,j}=\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\mu,\mu}_{i,j}\pm\epsilon,$	(38)
$\displaystyle 0$	$\displaystyle\leq$	$\displaystyle Y^{\mu,\mu}_{i,j}\leq 1.$

The estimation of $Y^{\alpha,\beta}_{i,j}e^{\alpha,\beta}_{i,j}$ is almost identical to the estimation of $Y^{\alpha,\beta}_{i,j}$ . We can rewrite the second equation in Eq. (IV.2) as

Q^{\alpha,\beta}E^{\alpha,\beta}=\sum_{i}^{N-1}P^{\alpha}_{i}W^{\alpha,\beta}_{i},

(39)

where

W^{\alpha,\beta}_{i}=\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\alpha,\beta}_{i,j}e^{\alpha,\beta}_{i,j}.

(40)

From Eq. (40), we get

$\displaystyle\|W^{\alpha,\beta}_{i}-W^{\mu,\beta}_{i}\|$	$\displaystyle=$	$\displaystyle\|\sum_{j=0}^{N-1}P^{\beta}_{j}(Y^{\alpha,\beta}_{i,j}e^{\alpha,\beta}_{i,j}-Y^{\mu,\beta}_{i,j}e^{\mu,\beta}_{i,j})\|$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}\|Y^{\alpha,\beta}_{i,j}e^{\alpha,\beta}_{i,j}-Y^{\mu,\beta}_{i,j}e^{\mu,\beta}_{i,j}\|$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}\epsilon=\epsilon.$

Hence, we can estimate the upper bound and the lower bound of $W^{\mu,\beta}_{i}$ under the following constraint:

$\displaystyle Q^{\mu,\beta}E^{\mu,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i=0}^{N-1}P^{\mu}_{i}W^{\mu,\beta}_{i},$
$\displaystyle Q^{\alpha,\beta}E^{\alpha,\beta}$	$\displaystyle=$	$\displaystyle\sum_{i=0}^{N-1}P^{\alpha}_{i}W^{\alpha,\beta}_{i}=\sum_{i=0}^{N-1}P^{\alpha}_{i}W^{\mu,\beta}_{i}\pm\epsilon,$	(42)
$\displaystyle 0$	$\displaystyle\leq$	$\displaystyle W^{\mu,\beta}_{i}\leq 1.$

After the range of $W^{\mu,\beta}_{i}$ is estimated for all $\beta$ , we can estimate the upper bound and the lower bound of $Y^{\mu,\mu}_{i,j}e^{\mu,\mu}_{i,j}$ under the following constraint:

$\displaystyle W^{\mu,\mu}_{i}$	$\displaystyle=$	$\displaystyle\sum_{j=0}^{N-1}P^{\mu}_{j}Y^{\mu,\mu}_{i,j}e^{\mu,\mu}_{i,j},$
$\displaystyle W^{\mu,\beta}_{i}$	$\displaystyle=$	$\displaystyle\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\mu,\beta}_{i,j}e^{\mu,\beta}_{i,j}=\sum_{j=0}^{N-1}P^{\beta}_{j}Y^{\mu,\mu}_{i,j}e^{\mu,\mu}_{i,j}\pm\epsilon,$	(43)
$\displaystyle 0$	$\displaystyle\leq$	$\displaystyle Y^{\mu,\mu}_{i,j}e^{\mu,\mu}_{i,j}\leq 1.$

This completes the parameter estimation of the discrete-phase-randomized MDI-QKD protocol.

Each linear system presented in this section can be efficiently solved through linear programming. When there are $M$ decoy states, each linear system contains $N$ variables and $2N+2M+1$ constraints. Hence, the computation of its solution is manageable when $N$ is small (e.g., $N<20$ ). When $N$ is large (e.g., $N>10\;000$ ), the computation time can be infeasibly long. In that case, one method to accelerate the computation at a cost of a small decrease in performance is that we keep only variables with the lowest $K$ indices, such as $Y_{0}^{\mu,\beta},\dots,Y_{K-1}^{\mu,\beta}$ , and relax other variables to 0 or 1 in all constraining equations and inequalities. The reduced linear system then contains $K$ variables and $2K+2M+2$ constraints. In later simulations, we take $M=2$ and $K=3$ . Larger values of $M$ and $K$ can lead to more accurate estimation of the parameters.

IV.3 Simulation result

In Fig. 2, we plot the key rate of continuous randomization (annotated as “random phases”) and various number of discrete phases (9, 10, 11, 12, 14 phases, respectively) under different transmission distances. It can be seen that 14 phases already approximate continuous phase randomization quite well. The detailed simulation model and simulation parameters are shown in Appendix C.

With the same simulation model, we plot the key rate of continuous randomization (annotated as “random phases”) and various number of discrete phases (9, 10, 11, 12, 14 phases, respectively) under different noise levels $e_{1,1}^{b}$ in Fig. 3. It can be seen that the security threshold (maximally tolerable noise) of 14 phases is already very close to that of continuous phase randomization, which is about 8.7%.

In a practical experiment, the deviation of experimental parameters from the simulation parameters used here should be accounted for by substituting the actual experimental parameters into the simulation model, and the selection of the number of discrete phases should be determined through this revized simulation.

V Conclusion

In summary, we showed that MDI-QKD with imperfect phase randomization is vulnerable to attacks and, as a solution, proposed a discrete-phase-randomized measurement-device-independent quantum key distribution protocol. We also provided a security proof of the protocol. Simulation results confirm that the protocol with only a few phases (14 phases) already approximates continuous phase randomization quite well.

As future work, we can consider further source imperfection in measurement-device-independent quantum key distribution. One direction is to consider imperfectly prepared discrete phases $\{\mbox{$\left|\alpha e^{i(2\pi k/N\pm\delta)}\right\rangle$}\}_{k=1,\dots,N}$ , where $\delta$ is a small quantity characterizing the deviation from the exact discrete phases. One can modify the fidelity calculation to accommodate for this change. Another direction is to extend our analysis to other MDI protocols requiring weak coherent sources, such as MDI entanglement witness Branciard et al. (2013).

Acknowledgements

This work was supported by the internal Grant No. SLH00202007 from East China University of Science and Technology.

Appendix A Fidelity Calculation

In this section, we will provide the details on the calculation of the fidelity between the input states prepared in different bases. We will utilize a few results from Ref. Cao et al. (2015).

By Eqs. (IV) and (23) in the main text, we have

	$\displaystyle F_{j,j}(\rho_{AB}^{X},\rho_{AB}^{Y})$	(44)
$\displaystyle=$	$\displaystyle F((\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$})_{A}\otimes(\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$})_{B},$
	$\displaystyle\;\;\;\;(\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})_{A}\otimes(\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})_{B})$
$\displaystyle=$	$\displaystyle F(\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$},\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})^{2}$

In Ref. Cao et al. (2015), it was shown that

			$\displaystyle F(\mbox{$\left\|0_{x}^{L}\right\rangle$}\mbox{$\left\langle 0_{x}^{L}\right\|$}+\mbox{$\left\|1_{x}^{L}\right\rangle$}\mbox{$\left\langle 1_{x}^{L}\right\|$},\mbox{$\left\|0_{y}^{L}\right\rangle$}\mbox{$\left\langle 0_{y}^{L}\right\|$}+\mbox{$\left\|1_{y}^{L}\right\rangle$}\mbox{$\left\langle 1_{y}^{L}\right\|$})$
		$\displaystyle\geq$	$\displaystyle\left\|\frac{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}2^{-\frac{lN+j}{2}}\left(\cos\frac{lN+j}{4}\pi+\sin\frac{lN+j}{4}\pi\right)}{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}}\right\|.$

Thus Eq. (23) in the main text holds.

In addition, in Ref. Cao et al. (2015), it was shown that

			$\displaystyle\left\|\frac{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}2^{-\frac{lN+j}{2}}\left(\cos\frac{lN+j}{4}\pi+\sin\frac{lN+j}{4}\pi\right)}{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}}\right\|$		(46)
		$\displaystyle\geq$	$\displaystyle 1-\left(1-2^{-\frac{N}{2}}\cos\frac{N}{4}\pi\right)\frac{\mu^{N}}{(N+1)!}.$		(46)

So we have

			$\displaystyle F_{j,j}(\rho_{AB}^{X},\rho_{AB}^{Y})$
		$\displaystyle=$	$\displaystyle\left\|\frac{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}2^{-\frac{lN+j}{2}}\left(\cos\frac{lN+j}{4}\pi+\sin\frac{lN+j}{4}\pi\right)}{\sum_{l=0}^{\infty}\frac{\mu^{lN+j}}{(lN+j)!}}\right\|^{2}$
		$\displaystyle\geq$	$\displaystyle\left(1-\left(1-2^{-\frac{N}{2}}\cos\frac{N}{4}\pi\right)\frac{\mu^{N}}{(N+1)!}\right)^{2}$
		$\displaystyle\geq$	$\displaystyle 1-2\left(1-2^{-\frac{N}{2}}\cos\frac{N}{4}\pi\right)\frac{\mu^{N}}{(N+1)!}.$

Hence, the first-order approximation of the fidelity in the main text is proved.

Appendix B Decoy-State Parameter Deviation

In this section, we show the details on the deviation of decoy state gain and error rate. Like the previous section, here we will also utilizes some results from Ref. Cao et al. (2015).

By the quantum coin idea Gottesman et al. (2004), we have

	$\displaystyle\sqrt{Y_{i,j}^{\alpha,\mu}Y_{i,j}^{\alpha,\nu}}+\sqrt{(1-Y_{i,j}^{\alpha,\mu})(1-Y_{i,j}^{\alpha,\nu})}$
	$\displaystyle\geq F(\mbox{$\left\|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left\|\lambda_{j}^{\mu}\right\rangle$},\mbox{$\left\|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left\|\lambda_{j}^{\nu}\right\rangle$}),$
	$\displaystyle\sqrt{Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu}Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu}}+\sqrt{(1-Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu})(1-Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu})}$
	$\displaystyle\geq F(\mbox{$\left\|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left\|\lambda_{j}^{\mu}\right\rangle$},\mbox{$\left\|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left\|\lambda_{j}^{\nu}\right\rangle$}).$		(48)

The right-hand side can be simplified as

F(\mbox{$\left|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left|\lambda_{j}^{\mu}\right\rangle$},\mbox{$\left|\lambda_{i}^{\alpha}\right\rangle$}\mbox{$\left|\lambda_{j}^{\nu}\right\rangle$})=F(\mbox{$\left|\lambda_{j}^{\mu}\right\rangle$},\mbox{$\left|\lambda_{j}^{\nu}\right\rangle$})\geq F_{\mu\nu}.

(49)

The first inequality is because the first systems of the two states are identical, and the second inequality was shown in Ref. Cao et al. (2015).

Hence

	$\displaystyle\sqrt{Y_{i,j}^{\alpha,\mu}Y_{i,j}^{\alpha,\nu}}+\sqrt{(1-Y_{i,j}^{\alpha,\mu})(1-Y_{i,j}^{\alpha,\nu})}\geq F_{\mu\nu},$
	$\displaystyle\sqrt{Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu}Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu}}+\sqrt{(1-Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu})(1-Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu})}$
	$\displaystyle\geq F_{\mu\nu}.$		(50)

In Ref. Cao et al. (2015), it was shown that if

\sqrt{xy}+\sqrt{(1-x)(1-y)}\geq F_{\mu\nu},

(51)

then

|x-y|\leq\sqrt{1-F_{\mu\nu}^{2}}.

(52)

Hence we have

	$\displaystyle\|Y_{i,j}^{\alpha,\mu}-Y_{i,j}^{\alpha,\nu}\|$	$\displaystyle\leq\sqrt{1-F^{2}_{\mu\nu}},$			(53)
	$\displaystyle\|Y_{i,j}^{\alpha,\mu}e_{i,j}^{\alpha,\mu}-Y_{i,j}^{\alpha,\nu}e_{i,j}^{\alpha,\nu}\|$	$\displaystyle\leq\sqrt{1-F^{2}_{\mu\nu}}.$

This finishes the proof.

Appendix C Simulation

In this section, we describe our simulation model and calculate the key rate.

In the simulation model, we have

$\displaystyle\eta$	$\displaystyle=$	$\displaystyle 10^{-\alpha_{1}L/10}\eta_{1}$
$\displaystyle Q_{\mu\nu}$	$\displaystyle=$	$\displaystyle(Y_{0}+1-e^{-\eta\mu})(Y_{0}+1-e^{-\eta\nu}),$	(54)
$\displaystyle E_{\mu\nu}Q_{\mu\nu}$	$\displaystyle=$	$\displaystyle Y_{0}(Y_{0}+2-e^{-\eta\mu}-e^{-\eta\nu})/2$
		$\displaystyle+e_{d}(1-e^{-\eta\mu})(1-e^{-\eta\nu}),$

where $L$ is the transmission distance, $\eta$ is the total transmission loss. For simplicity, we use three states on each side, namely the signal state, decoy state, and vacuum state, denoted as 1,2,3 on Alice’s side, and 4,5,6 on Bob’s side.

The simulation parameters are as follows: The fiber loss is $\alpha_{1}=0.2~{}\textrm{db/km}$ . Other losses excluding the fibre loss is $\eta_{1}=0.045$ . The misalignment error rate is $e_{d}=0.033$ . The error correction efficiency is $f=1.16$ . The dark count is $Y_{0}=1.7\times 10^{-6}$ .

To estimate the gain and the error rate, we exploit Eqs. (IV.2) to (43) in the main text. Then the intensities of the signal state and the decoy state are optimized to maximize the key rate.

References

Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (IEEE, New York, 1984) pp. 175–179.
Lo et al. (2012) H.-K. Lo, M. Curty, and B. Qi, Phys. Rev. Lett. 108, 130503 (2012).
Ekert (1991) A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
Xu et al. (2012) F. Xu, B. Qi, X. Ma, H. Xu, H. Zheng, and H.-K. Lo, Opt. Express 20, 12366 (2012).
Cao et al. (2015) Z. Cao, Z. Zhang, H.-K. Lo, and X. Ma, New J. Phys. 17, 053014 (2015).
Hwang (2003) W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).
Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
Wang (2005) X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
Tamaki et al. (2012) K. Tamaki, H.-K. Lo, C.-H. F. Fung, and B. Qi, Phys. Rev. A 85, 042307 (2012).
Tang et al. (2013) Y.-L. Tang, H.-L. Yin, X. Ma, C.-H. F. Fung, Y. Liu, H.-L. Yong, T.-Y. Chen, C.-Z. Peng, Z.-B. Chen, and J.-W. Pan, Phys. Rev. A 88, 022308 (2013).
Glauber (1963) R. J. Glauber, Phys. Rev. 131, 2766 (1963).
Lo and Preskill (2007) H.-K. Lo and J. Preskill, Quantum Inf. Comput. 7, 0431 (2007).
Branciard et al. (2013) C. Branciard, D. Rosset, Y.-C. Liang, and N. Gisin, Phys. Rev. Lett. 110, 060405 (2013).
Gottesman et al. (2004) D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Quantum Inf. Comput. 4, 325 (2004).

	$\left\|\Psi_{N}\right\rangle$	$\displaystyle=$	$\displaystyle\sum\limits_{k=0}^{N-1}\mbox{$\left\|a_{k}\right\rangle$}_{A}\mbox{$\left\|\sqrt{2}\alpha e^{2k\pi i/N}\right\rangle$}_{B}$
		$\displaystyle=$	$\displaystyle\sum\limits_{j=0}^{N-1}\mbox{$\left\|b_{j}\right\rangle$}_{A}\mbox{$\left\|\lambda_{j}\right\rangle$}_{B},$