Security of quantum key distribution with imperfect phase randomisation

Guillermo Currás-Lorenzo Vigo Quantum Communication Center, University of Vigo, Vigo E-36315, Spain Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain atlanTTic Research Center, University of Vigo, Vigo E-36310, Spain Faculty of Engineering, University of Toyama, Gofuku 3190, Toyama 930-8555, Japan Shlok Nahar Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada Norbert Lütkenhaus Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada Kiyoshi Tamaki Faculty of Engineering, University of Toyama, Gofuku 3190, Toyama 930-8555, Japan Marcos Curty Vigo Quantum Communication Center, University of Vigo, Vigo E-36315, Spain Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain atlanTTic Research Center, University of Vigo, Vigo E-36310, Spain

Abstract

The performance of quantum key distribution (QKD) is severely limited by multiphoton emissions, due to the photon-number-splitting attack. The most efficient solution, the decoy-state method, requires that the phases of all transmitted pulses are independent and uniformly random. In practice, however, these phases are often correlated, especially in high-speed systems, which opens a security loophole. Here, we address this pressing problem by providing a security proof for decoy-state QKD with correlated phases that offers key rates close to the ideal scenario. Our work paves the way towards high-performance secure QKD with practical laser sources, and may have applications beyond QKD.

I Introduction

Quantum key distribution (QKD) allows two users, Alice and Bob, to securely establish a symmetric cryptographic key over an untrusted channel controlled by an adversary, Eve, with unlimited computational power [1, 2]. The security of QKD is based on information theory and the laws of quantum mechanics. However, a practical implementation of a QKD protocol is only secure if it meets all the assumptions made in its corresponding security proof. For example, the early proofs [3, 4] of the widely-known BB84 protocol [5] assumed the availability of single-photon sources, which are difficult to achieve in practice. Instead, implementations of the protocol typically rely on laser sources that emit weak coherent pulses (WCPs), either with or without randomised phases, which are vulnerable to the photon-number-splitting attack [6] and to an unambiguous state discrimination attack [7], respectively. This has a severe impact on the obtainable secret-key rate and limits the maximum distance to a few tens of kilometers [8, 9].

The most efficient solution to this problem is known as the decoy-state method [10, 11, 12, 13], and is currently used by the majority of commercial QKD systems. It requires the users to emit phase-randomised (PR) WCPs of various intensities, and exploits the fact that PR-WCPs are diagonal in the Fock basis, with each photon-number component containing no information about the intensity it originated from. Thanks to this, one can use the observed detection statistics to characterize the effect of the channel on different photon-number states, and derive tight bounds on the fraction of the sifted key that originates from single-photon emissions, as well as on its phase-error rate. As a result, one can ideally obtain a secret-key rate comparable to that offered by single-photon sources [14].

However, generating perfect PR-WCPs, i.e. WCPs whose phase is uniformly and independently random in $[0,2\pi)$ , may be challenging in certain scenarios, particularly at high repetition rates. The most common approach to randomise the pulse phase is to operate the laser under gain-switching conditions [15, 16, 17, 18, 19], i.e. to turn the laser on and off between pulses. However, due to the difficulty in attenuating the intracavity field of the laser strongly enough to ensure significant phase diffusion, experiments suffer from residue correlations between the phases of consecutive pulses [20, 21], which invalidate the standard decoy-state analysis. As an alternative, one can also actively randomise the phase of each emitted pulse by using a random number generator and a phase modulator [22], and security proofs have been proposed to deal with the resulting discretisation effect [23, 24]. However, due to memory effects in the phase modulator and the electronics that control it [21], this approach may also suffer from correlations, which the existing proofs do not take into account.

Because of this discrepancy between the existing security proofs of decoy-state QKD and its practical implementations, the security of the latter is not sufficiently guaranteed, which is an important open problem in the field. Here, we address this problem by proving its security in the presence of phase correlations between consecutive pulses, which arise when running gain-switched laser sources at high repetition rates. Importantly, our simulation results suggest that decoy-state QKD is robust against this imperfection, and that one could obtain key rates close to the ideal scenario when using currently-available high-speed laser sources.

II Assumptions and Protocol description

Clearly, the secret key rate obtainable in the presence of imperfect phase randomisation should depend on the strength of the imperfection. The case in which the phases are not random is known to result in a very poor performance [9], while one may expect that, if the source emits a train of pulses whose phases are close to the ideal scenario (i.e., all being independent and uniformly distributed), one should also be able to obtain a performance that is close to ideal. Thus, determining the obtainable key rate inevitably requires a certain degree of source characterisation, with the only question being which specific parameters are the relevant ones. Our proof demonstrates that only two parameters need to be characterized. The main parameter that determines the protocol performance, which we denote as the source quality $q\in(0,1]$ , evaluates how close each individual phase is to being uniformly random from the perspective of an eavesdropper that holds all possible side-information about it, i.e., that has knowledge of all previous and following phases that are correlated with it.

The other relevant parameter in our security proof is the correlation length $l_{c}$ , which does not affect the asymptotic key rate obtainable, but does have consequences in the post-processing step, see Section II.2 below. We remark that the case $l_{c}=0$ — i.e., the case in which the phases are independent but not uniformly random, which may be relevant if Eve performs an active laser seeding attack [25] — has already been considered in Refs. [26, 27]; our proof becomes similar to that of these works for this scenario. For concreteness, in this work, we focus on the applicability of our proof to the case of naturally-occurring phase correlations.

II.1 Assumptions of our proof

The sequence of phases $\Phi_{1}...\Phi_{N}$ of Alice’s pulse train constitute a discrete-time stochastic process whose joint distribution can be represented by a probability density function (PDF) $f(\phi_{1}...\phi_{N})$ . Our proof does not require a precise characterisation of this distribution; it requires just two pieces of knowledge, which we state as the following two assumptions:

(A1) The stochastic process $\Phi_{1}...\Phi_{N}$ has at most $l_{c}$ rounds of memory, for some finite and known $l_{c}$ . That is, for all rounds $i$ ,

f(\phi_{i}|\phi_{i-1}...\phi_{1})=f(\phi_{i}|\phi_{i-1}...\phi_{i-l_{c}}).

(1)

(A2) The conditional PDF of $\Phi_{i}$ given all other phases is lower bounded, i.e., for all $i$ and some known $0<q\leq 1$ ,

f(\phi_{i}|\phi_{1}...\phi_{i-1}\phi_{i+1}...\phi_{N})=f(\phi_{i}|\phi_{i-l_{c}}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})\geq\frac{q}{2\pi}.

(2)

The equality in Eq. 2 follows from Eq. 1.

In addition, for simplicity, we consider that the phase randomisation process is not affected by the intensity modulation and bit-and-basis encoding processes; and for concreteness, we also consider that neither the latter processes nor Bob’s measurement setup suffer from imperfections. Precisely, we assume that (A3) Alice’s choice of intensities and the phase of her pulses are independent; (A4) Alice’s (bit-and-basis) encoding operations commute with the process that (imperfectly) randomises the phase of her pulses; (A5) Alice’s choice of bit, basis and intensity for round $i$ only affects the $i\textrm{-th}$ pulse; (A6) Alice’s encoding operations are characterised and identical for all rounds; (A7) the intensities of Alice’s pulses perfectly match her choices; and (A8) the efficiency of Bob’s measurement is independent of his basis choice. We note that previous works have investigated the security of QKD when some of these assumptions are not met [28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42].

II.2 Protocol description

(1) For each round, Alice probabilistically selects a random intensity $\mu$ from a predetermined set and attempts to generate a PR-WCP of that intensity. Then, she selects a random bit $b$ and basis $\omega\in\{Z,X\}$ , and applies an encoding operation $\hat{V}_{b_{\omega}}$ to her pulse, satisfying $\hat{V}_{b_{\omega}}^{\dagger}\hat{V}_{b_{\omega}}=\mathbb{I}$ ¹¹1We note that, in our description, $\hat{V}_{b_{\omega}}$ is an isometric operator, but not necessarily a unitary, which reflects the fact that the space after the encoding operation can be (and in fact typically is) larger than the original space. For example, in BB84 polarization encoding, ${\{}\hat{V}_{b_{\omega}}{\}}$ encodes a single mode of light in a prefixed input polarization into four possible outcome polarizations whose creation operators can be expressed as a linear function of those of horizontal and vertical polarizations. To compute the numerical results in Fig. 1, we have assumed that ${\{}\hat{V}_{b_{\omega}}{\}}$ are ideal BB84 $Z$ - and $X$ -basis encoding operators, such that, for any input coherent state $\ket{\alpha}$ , $\hat{V}_{0_{Z}}\ket{\alpha}=\ket{\alpha}\ket{0}$ , $\hat{V}_{1_{Z}}\ket{\alpha}=\ket{0}\ket{\alpha}$ , $\hat{V}_{0_{X}}\ket{\alpha}=\ket*{\frac{\alpha}{\sqrt{2}}}\ket*{\frac{\alpha}{\sqrt{2}}}$ and $\hat{V}_{1_{X}}\ket{\alpha}=\ket*{\frac{\alpha}{\sqrt{2}}}\ket*{-\frac{\alpha}{\sqrt{2}}}$ . However, we remark that our analysis is valid for any set of characterized encoding operators, regardless of the dimension of the encoding space..

In the security proof, we consider the following equivalent process for the state preparation: (1a) Alice generates $\ket{\sqrt{\nu}}^{\otimes N}$ , where $\nu\geq\mu\,\,\forall\mu$ ; (1b) she applies an imperfect phase randomisation operation to the pulse train, obtaining

\rho_{\rm laser}=\int_{0}^{2\pi}d\phi_{1}...\int_{0}^{2\pi}d\phi_{N}f(\phi_{1}...\phi_{N})\hat{P}(\ket{\sqrt{\nu}e^{i\phi_{1}}})\otimes...\otimes\hat{P}(\ket{\sqrt{\nu}e^{i\phi_{N}}}),

(3)

where $\hat{P}(\ket{\mkern 1.0mu\cdot\mkern 1.0mu})=\outerproduct{\mkern 1.0mu\cdot\mkern 1.0mu}{\mkern 1.0mu\cdot\mkern 1.0mu}$ ; (1c) she probabilistically selects all the intensities $\mu_{1},...,\mu_{N}$ and attenuates each pulse to match her selection; and (1d) she probabilistically makes all bit and basis choices $b_{\omega_{1}},...,b_{\omega_{N}}$ , and applies $\hat{V}_{b_{\omega_{1}}}...\hat{V}_{b_{\omega_{N}}}$ to her pulse train. Note that, because of Assumptions (A3) and (A4), steps (1b), (1c) and (1d) commute.

(2) For each incoming signal, Bob chooses a random basis $Z$ or $X$ , and measures the incoming pulse.

(3) Bob announces which rounds were detected and, for these rounds, both Alice and Bob reveal their basis choices, and Alice reveals her intensity choices. They define their sifted keys as the bit outcomes of the detected rounds in which both chose the $Z$ basis and Alice chose a certain signal intensity $\mu_{s}$ . Also, they define the test rounds as the detected rounds in which Bob used the $X$ basis, and reveal their bit values for these rounds. Moreover, they assign each round $i$ to a group $w\in\{0,...,l_{c}\}$ according to the value $w=i\bmod(l_{c}+1)$ . The $w\textrm{-th}$ sifted subkey is defined as the fraction of the sifted key belonging to group $w$ .

(4) Alice and Bob sacrifice a small fraction of the $w\textrm{-th}$ sifted subkey to estimate its bit-error rate, and use the detection statistics of the $w\textrm{-group}$ test rounds to estimate its phase-error rate. Then, they perform error correction and privacy amplification independently for each subkey.

III Security proof

The main idea and contribution of our security proof is finding an equivalence between the actual scenario described above, in which Alice’s source is correlated and partially uncharacterised, and an alternative scenario in which, within the $w$ -group rounds, Alice prepares characterised and uncorrelated states that are close to a PR-WCP, and then applies a global quantum operation that imprints the correlations present in the actual source, which, from the perspective of the security proof, can be considered to be part of the Eve-controlled quantum channel. In this alternative scenario, it is straightforward to prove the security of the $w\textrm{-th}$ subkey using numerical techniques; by doing so, we also indirectly prove the security of the $w\textrm{-th}$ subkey in the actual protocol. By repeating this procedure for all $w\in\{0,...,l_{c}\}$ , we can independently prove the security of each subkey, and guarantee the security of the concatenated final key due to the universal composability property of each individual security proof. For more information on this latter argument, we refer the reader to Appendix C of Ref. [43], as well as to Ref. [36] for an example of its application in the case $l_{c}=1$ .

III.1 Reduction to the ( $w\textrm{-th}$ ) alternative scenario

Let $\mathcal{G}_{w}\;(\mathcal{G}_{\overline{w}})$ be the set of rounds that belong (do not belong) to group $w$ , let $\vec{\phi}_{\mathcal{G}_{w}}$ ( $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ ) be a particular joint value for all phases in $\mathcal{G}_{w}$ ( $\mathcal{G}_{\overline{w}}$ ), let $f(\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ be the joint marginal PDF of the phases in $\mathcal{G}_{\overline{w}}$ , and let $f(\vec{\phi}_{\mathcal{G}_{w}}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ be the joint conditional PDF of the phases in $\mathcal{G}_{w}$ given $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ .

After the chain of equivalences (E1)-(E4) below, the actual protocol is reduced to the $w\textrm{-th}$ alternative scenario, in which Alice’s source is characterised and uncorrelated within the rounds in $\mathcal{G}_{w}$ . For the first equivalence, note that, due to Assumption (A1), the phases in $\mathcal{G}_{w}$ are conditionally independent of each other given knowledge of the phases in $\mathcal{G}_{\overline{w}}$ , i.e.,

f(\vec{\phi}_{\mathcal{G}_{w}}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})=\prod_{i\in\mathcal{G}_{w}}f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}}),

(4)

as shown in Appendix A.

(E1) Let us assume that Alice performs step (1b) in the following way. First, she chooses $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ according to the marginal PDF $f(\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ . Then, for each round $i$ , (a) if $i\in\mathcal{G}_{\overline{w}}$ , she shifts the phase of the pulse by her selected fixed value $\phi_{i}\in\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ ; (b) if $i\in\mathcal{G}_{w}$ , she shifts the phase according to the conditional PDF $f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ .

Conditioned on a specific value $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ , the state generated by Alice is

$\displaystyle\rho_{\vec{\phi}_{\mathcal{G}_{\overline{w}}}}=\bigotimes_{i^{\prime}\in\mathcal{G}_{\overline{w}}}\hat{P}(\ket{\sqrt{\nu}e^{i\phi_{i^{\prime}}}})\bigotimes_{i\in\mathcal{G}_{w}}\int_{0}^{2\pi}d\phi_{i}f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})\hat{P}(\ket{\sqrt{\nu}e^{i\phi_{i}}}),$

(5)

and due to Eq. 4, the overall generated state is

\int_{0}^{2\pi}\!\!\!...\int_{0}^{2\pi}d\vec{\phi}_{\mathcal{G}_{\overline{w}}}f(\vec{\phi}_{\mathcal{G}_{\overline{w}}})\rho_{\vec{\phi}_{\mathcal{G}_{\overline{w}}}}=\rho_{\rm laser}.

(6)

For the next equivalence, note that Alice could attenuate her pulses before applying the phase shifts above, rather than afterwards. Also, for all $i\in\mathcal{G}_{w}$ ,

f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})\\ \geq\frac{q}{2\pi},

(7)

due to Assumptions (A1) and (A2). As a consequence, instead of shifting the $i$ -th phase according to the PDF $f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ when $i\in\mathcal{G}_{w}$ , Alice could have equivalently done the following [26, 27]: to flip a biased coin $C_{i}$ such that $C_{i}=0$ with probability $q$ , and (a) if $C_{i}=0$ , shift the phase by a uniformly random value, (b) if $C_{i}=1$ , shift it according to the PDF

f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}},C_{i}=1)=\frac{f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})-\frac{q}{2\pi}}{1-q}.

(8)

The equivalence is due to

\begin{gathered}\scalebox{0.95}{\mbox{$\displaystyle f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})=qf(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}},C_{i}=0)+(1-q)f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}},C_{i}=1),$}}\end{gathered}

(9)

where $f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}},C_{i}=0)=1/2\pi$ .

(E2) Instead of steps (1a) to (1c), for each round $i$ , Alice probabilistically chooses an intensity $\mu$ , and (a) if $i\in\mathcal{G}_{\overline{w}}$ , Alice prepares $\ket*{\sqrt{\mu}}$ ; (b) if $i\in\mathcal{G}_{w}$ , Alice prepares

\rho_{\rm model}^{\mu}\coloneqq q\,\rho_{\rm PR}^{\mu}+(1-q)\outerproduct{\sqrt{\mu}}{\sqrt{\mu}},

(10)

where $\rho_{\rm PR}^{\mu}$ is a perfect PR-WCP of intensity $\mu$ . Then, Alice chooses $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ according to the PDF $f(\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ and, for each round $i$ , (a) if $i\in\mathcal{G}_{\overline{w}}$ , she shifts the phase by her selected fixed value $\phi_{i}\in\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ ; (b) if $i\in\mathcal{G}_{w}$ , she shifts the phase according to the PDF $f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}},C_{i}=1)$ in Eq. 8.

Clearly, the rounds in $\mathcal{G}_{\overline{w}}$ are identical in both (E1) and (E2). The rounds in $\mathcal{G}_{w}$ are also identical. Alice’s phase shift does not affect the $\rho_{\rm PR}^{\mu}$ term in Eq. 10, and it causes the $\outerproduct*{\sqrt{\mu}}{\sqrt{\mu}}$ term to acquire the phase distribution in Eq. 8. Thus, the overall phase distribution of the pulse after the shift is $f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})$ , due to Eq. 9. We can represent Alice’s probabilistic selection of $\vec{\phi}_{\mathcal{G}_{\overline{w}}}$ together with all the phase shifts described above as a single global quantum operation $\mathcal{E}_{w}$ .

(E3) Same as (E2), but Alice applies her encoding operations $\hat{V}_{b_{\omega_{1}}}...\hat{V}_{b_{\omega_{N}}}$ before $\mathcal{E}_{w}$ , rather than afterwards, which is possible thanks to Assumption (A4).

(E4) Since $\mathcal{E}_{w}$ is now the last operation before the quantum channel, we consider that Alice does not actually apply it. Eve may or may not apply $\mathcal{E}_{w}$ as part of her attack, putting her in a position that is never less advantageous than in the previous scenarios. Thus, if the $w\textrm{-th}$ subkey is secure in (E4), it is also secure in the actual protocol. We refer to (E4) as the $w\textrm{-th}$ alternative scenario.

III.2 Security of the $w\textrm{-th}$ subkey

As a consequence of the reduction above, when proving the security of the $w\textrm{-th}$ subkey, we can assume that, in the $w\textrm{-group}$ rounds, Alice generates the characterised and uncorrelated states $\{\rho_{\rm model}^{\mu}\}_{\mu}$ . Thanks to this, it becomes straightforward to prove its security using numerical methods. In particular, flexible techniques based on semidefinite programming (SDP) have been recently proposed [44, 45, 46, 47, 48, 49, 50, 27], which can handle almost any scenario, as long as the emitted states are characterised and uncorrelated, making them well suited to our purpose. The specific approach that we have developed uses ideas from these works but is targeted to this particular scenario. Below, we provide an overview of the main ideas, and refer the reader to Appendix B for a detailed description.

Each of Alice’s generated states $\{\rho_{\rm model}^{\mu}\}_{\mu}$ can be diagonalised as

\rho_{\rm model}^{\mu}=\sum_{n=0}^{\infty}p_{\lambda_{n}|\mu}\outerproduct*{\lambda_{n}^{\mu}}{\lambda_{n}^{\mu}},

(11)

where we have omitted the dependence of the eigenvalues and eigenstates on $q$ for notational simplicity. Each set of eigenstates $\{\ket{\lambda_{n}^{\mu}}\}_{n}$ forms an orthonormal basis of the Fock space, and can be regarded as imperfect versions of the Fock states $\{\ket{n}\}_{n}$ , with the two sets of states converging as $q\to 1$ . Similarly, the eigenvalues $\{p_{\lambda_{n}|\mu}\}_{n}$ approach a Poisson distribution when $q\to 1$ . Note that, when $q\neq 1$ , the states $\{\ket{\lambda_{n}^{\mu}}\}_{n}$ depend slightly on the intensity setting $\mu$ , and therefore the standard decoy-state method cannot be applied to this scenario. However, we can still assume a counterfactual scenario in which Alice holds the ancillary system that purifies $\rho_{\rm model}^{\mu}$ and measures it to learn the value of $n$ for each round. The information leakage of the $w\textrm{-th}$ sifted subkey can then be determined by estimating the fraction $q_{\lambda_{1},w}$ of its bits that originated from emissions of $\ket{\lambda_{1}^{\mu_{s}}}$ , and the phase-error rate $e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}$ of these bits, as shown in Appendix C. The first can be expressed as

q_{\lambda_{1},w}=\frac{p_{\lambda_{1}|\mu_{s}}Y_{\lambda_{1},\mu_{s}}^{Z,w}}{Q_{\mu_{s},w}^{Z}},

(12)

where $Y_{\lambda_{1},\mu_{s}}^{Z,w}$ is the yield probability of $\ket*{\lambda_{1}^{\mu_{s}}}$ when encoded in the $Z$ basis, which needs to be estimated, and $Q_{\mu_{s},w}^{Z}$ is the observed rate at which Bob obtains detections conditioned on Alice choosing the intensity $\mu_{s}$ , both users choosing the $Z$ basis, and the round being in $\mathcal{G}_{w}$ . On the other hand, to define the phase-error rate, we consider that, in the rounds in which both users choose the $Z$ basis and Alice prepares $\ket{\lambda_{1}^{\mu_{s}}}$ , she actually generates the entangled state

\ket{\Psi_{Z}}=\frac{1}{\sqrt{2}}\left(\ket{0_{Z}}_{A}\hat{V}_{0_{Z}}\ket{\lambda_{1}^{\mu_{s}}}+\ket{1_{Z}}_{A}\hat{V}_{1_{Z}}\ket{\lambda_{1}^{\mu_{s}}}\right),

(13)

and performs an $X$ -basis measurement on system $A$ [51]. Equivalently, she emits

\ket*{\lambda_{\textrm{vir}\beta}}\propto\ket*{\tilde{\lambda}_{\textrm{vir}\beta}}=\prescript{}{A}{\innerproduct{\beta_{X}}{\Psi_{Z}}}=\frac{1}{2}(\hat{V}_{0_{Z}}+(-1)^{\beta}\hat{V}_{1_{Z}})\ket{\lambda_{1}^{\mu_{s}}}

(14)

with probability $p_{\textrm{vir}\beta}=\norm*{\ket*{\tilde{\lambda}_{\textrm{vir}\beta}}}^{2}$ , where $\beta\in\{0,1\}$ and $\ket{\beta_{X}}=(\ket{0_{Z}}+(-1)^{\beta}\ket{1_{Z}})/\sqrt{2}$ . Also, we assume that Bob replaces his $Z$ -basis measurement by an $X$ -basis measurement, which is allowed due to the basis-independent detection efficiency assumption, (A8). The phase-error rate is then given by

e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}=\frac{p_{\textrm{vir}0}Y_{\textrm{vir}0}^{1_{X}}+p_{\textrm{vir}1}Y_{\textrm{vir}1}^{0_{X}}}{Y_{\lambda_{1},\mu_{s}}^{Z,w}},

(15)

where $Y_{\textrm{vir}\beta}^{(\beta\oplus 1)_{X}}$ is the probability that Bob obtains the measurement outcome $(\beta\oplus 1)_{X}$ conditioned on Alice emitting $\ket*{\lambda_{\textrm{vir}\beta}}$ .

In Appendix B, we show how to obtain a lower bound $Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}$ and an upper bound $e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ on $Y_{\lambda_{1},\mu_{s}}^{Z,w}$ and $e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}$ , respectively, using SDP techniques. In doing so, the main hurdle to overcome is the fact that the states $\{\rho_{\rm model}^{\mu}\}_{\mu}$ are infinite-dimensional, preventing us from finding their exact eigendecompositions using numerical methods, and from constructing finite-dimensional SDPs using these states. Instead, we construct the SDPs using the finite projections of $\{\rho_{\rm model}^{\mu}\}_{\mu}$ onto the subspace with up to $M$ photons [26, 27], after numerically obtaining the eigendecompositions

\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}=\sum_{n=0}^{M}p^{\prime}_{\lambda_{n}|\mu}\outerproduct*{\lambda_{n}^{\prime\mu}}{\lambda_{n}^{\prime\mu}},

(16)

where $\Pi_{M}=\sum_{n=0}^{M}\outerproduct{n}{n}$ . Then, by bounding the deviation between the eigenvalues and eigenvectors of $\rho_{\rm model}^{\mu}$ and $\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}$ using perturbation theory results, we can correct the SDP constraints and solutions, ensuring that the final bounds $Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}$ and $e^{\lambda_{1},\textrm{U}}_{\textrm{ph},w}$ apply to the original infinite-dimensional scenario. The secret-key rate obtainable per emitted $w\textrm{-group}$ pulse is then given by

(p^{\prime}_{\lambda_{1}|\mu_{s}}-\epsilon_{\rm val}^{\mu_{s}})Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}\big{[}1-h(e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w})\big{]}-Q_{\mu_{s},w}^{Z}fh(E_{\mu_{s},w}^{Z}),

(17)

where $E_{\mu_{s},w}^{Z}$ is the bit-error rate of the $w\textrm{-th}$ sifted subkey, $\epsilon_{\rm val}^{\mu_{s}}=2\sqrt{1-\textrm{Tr}[\Pi_{M}\rho_{\rm model}^{\mu_{s}}\Pi_{M}]}$ is a correction term due to the finite projection, $h(x)$ is the binary entropy function, $f$ is the error correction inefficiency, and the rest of terms have already been defined.

IV Discussion

We have proven the security of decoy-state QKD in the presence of phase correlations, which appear when running gain-switched laser sources at high-repetition rates. For simplicity, we have focused on the BB84 protocol, although our analysis can be straightforwardly adapted to other schemes, such as the three-state protocol [52, 53] and measurement-device-independent QKD [54], and our techniques may be applicable to other quantum communication protocols that rely on phase-randomised weak coherent sources, such as blind quantum computing [55] and quantum coin flipping [56]. Our proof requires knowledge of the parameters $l_{c}$ and $q$ , see Eqs. 1 and 2. The former is an upper bound on the correlation length (in a generalised Markovian sense), while the latter can be regarded as a lower bound on the uniformity of the conditional distribution of each phase given knowledge of all the other phases.

In Fig. 1, we plot the overall secret-key rate obtainable for different values of $q$ . We note that the asymptotic key rate does not depend on $l_{c}$ , since it is only affected by the form of the states $\{\rho_{\rm model}^{\mu}\}_{\mu}$ , which is independent of $l_{c}$ ; see Eq. 10. To compute these results, we have used a simple channel model in which the only source of error is the dark count rate of Bob’s detectors. Moreover, for simplicity, we have assumed that $\{\hat{V}_{b_{\omega}}\}$ are ideal BB84 encoding operators, and set $M=9$ .

Refer to caption — Figure 1: Asymptotic secret-key rate of the decoy-state BB84 protocol with imperfect phase randomisation as a function of the overall system loss (solid lines), compared with the case of ideal phase randomisation [13] (dashed line). We assume three intensities $\mu_{s}>\mu_{w}>\mu_{v}=0$ . Moreover, for simplicity, we set $\mu_{w}=\mu_{s}/5$ , and optimise over $\mu_{s}$ ; while for the ideal case, we optimise over both $\mu_{s}$ and $\mu_{w}$ . We consider a dark count probability $p_{d}=10^{-8}$ for Bob’s detectors, and an error correction inefficiency $f=1.16$ .

To gauge the values of $q$ that one may expect in practical implementations, we examine the available literature. Recent works [20, 21] have studied the magnitude and properties of phase correlations in gain-switched lasers under the implicit assumption that $l_{c}=1$ . In particular, Ref. [20] argues that the phase difference between adjacent pulses follows a Gaussian distribution, and shows how to estimate its variance by measuring the fringe visibility $V$ in an asymmetric interferometer configuration. Under these assumptions, one can also calculate $q$ from the observed visibility, see Appendix D. In particular, the value $V=0.0019$ recently measured in Ref. [21] for a state-of-the-art 5 GHz source corresponds to $q=0.992407$ ; in Fig. 1, we have included the key rate obtainable for this value, which is quite close to that of the ideal scenario.

While $l_{c}=1$ might be a good approximation to the phase distribution of many gain-switched laser sources, non-negligible correlations could in principle exist beyond immediately adjacent pulses, especially in high-speed setups. Further work is needed to develop characterisation tests that can rigorously determine the value of $l_{c}$ and $q$ for any implementation. Since the asymptotic key rate offered by our proof is robust when decreasing the value of $q$ , as evidenced by Fig. 1, and independent of $l_{c}$ , it is well placed to guarantee the security of practical implementations while retaining key rates close to the ideal scenario, and we hope that the present paper will stimulate the experimental interest required to achieve this goal.

Note

The security of decoy-state QKD with imperfect phase randomisation has also been recently investigated in Refs. [57, 26]. These works introduced insightful ideas that sparked the development of our security proof, and we recognise these important contributions. That being said, their security analysis contains some conceptual flaws that invalidate its application in the presence of phase correlations; see Appendix E. We note that the claims made in Refs. [57, 26] have been amended in [27].

Data availability statement

No new data were created or analysed in this study.

Statement

This is the Accepted Manuscript version of an article accepted for publication in Quantum Science and Technology. IOP Publishing Ltd is not responsible for any errors or omissions in this version of the manuscript or any version derived from it. This Accepted Manuscript is published under a CC BY licence. The Version of Record is available online at 10.1088/2058-9565/ad141c.

Acknowledgements.

We thank Margarida Pereira and Víctor Zapatero for insightful discussions. G.C.-L. and M.C. acknowledge support by Cisco Systems Inc., the Galician Regional Government (consolidation of Research Units: AtlantTIC), the Spanish Ministry of Economy and Competitiveness (MINECO), the Fondo Europeo de Desarrollo Regional (FEDER) through Grant Number PID2020-118178RB-C21 and MICIN with funding from the European Union NextGenerationEU (PRTR-C17.I1), the Galician Regional Government with own funding through the ?Planes Complementarios de I+D+I con las Comunidades Autónomas? in Quantum Communication, and the European Union’s Horizon Europe research and innovation programme under the project QSNP (Quantum encryption and future quantum network technologies). G.C.-L. also acknowledges support from JSPS Postdoctoral Fellowships for Research in Japan. S.N. and N.L. acknowledge support from the Institute for Quantum Computing at the University of Waterloo through Innovation, Science, and Economic Development Canada, and the NSERC under the Discovery Grants Program, Grant No. 341495. K.T. acknowledges support from JSPS KAKENHI Grant Number JP18H05237 and JST-CREST JPMJCR 1671.

APPENDIX A Proof of Eqs. 4 and 7

Although these are relatively straightforward consequences of Assumptions (A1) and (A2), for completeness, here we prove Eqs. 4 and 7.

Below we prove that, as a consequence of Assumption (A1),

f(\phi_{i}|\phi_{N}...\phi_{i+1}\phi_{i-1}...\phi_{1})=f(\phi_{i}|\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{i-l_{c}}),

(18)

which is the equality in Eq. 2. Let $\mathcal{G}_{w}^{\neg i}$ be the set of rounds in $\mathcal{G}_{w}$ , except the $i$ -th round. We have that, for all $i\in\mathcal{G}_{w}$ ,

\begin{gathered}f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}})=\int d\vec{\phi}_{\mathcal{G}_{w}^{\neg i}}f(\vec{\phi}_{\mathcal{G}_{w}^{\neg i}})f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}\mathcal{G}_{w}^{\neg i}})=\int d\vec{\phi}_{\mathcal{G}_{w}^{\neg i}}f(\vec{\phi}_{\mathcal{G}_{w}^{\neg i}})f(\phi_{i}|\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{i-l_{c}})\\ =f(\phi_{i}|\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{i-l_{c}}).\end{gathered}

(19)

where in the second to last equality we have used $\mathcal{G}_{\overline{w}}\mathcal{G}_{w}^{\neg i}=\{{N},...,{i+1},{i-1},...,1\}$ and Eq. 18; and in the last equality we have used $\{{i+l_{c}},...,{i+1},{i-1},...,{i-l_{c}}\}\notin\mathcal{G}_{w}^{\neg i}$ . Combining Eqs. 18 and 19, we obtain

\begin{gathered}f(\phi_{i}|\phi_{N}...\phi_{i+1}\phi_{i-1}...\phi_{1})=f(\phi_{i}|\vec{\phi}_{\mathcal{G}_{\overline{w}}}).\end{gathered}

(20)

This implies that the phases in $\mathcal{G}_{w}$ are conditionally independent of each other given knowledge of the phases in $\mathcal{G}_{\overline{w}}$ , i.e. Eq. 4. Also, combining Eq. 19 and Assumption (A2), we obtain Eq. 7.

Proof of Eq. 18

\begin{gathered}f(\phi_{i}|\phi_{N}...\phi_{i+1}\phi_{i-1}...\phi_{1})=\frac{f(\phi_{N}...\phi_{1})}{f(\phi_{N}...\phi_{i+1}\phi_{i-1}...\phi_{1})}\\ =\frac{f(\phi_{N}|\phi_{N-1}...\phi_{1})f(\phi_{N-1}|\phi_{N-2}...\phi_{1})...f(\phi_{i+l_{c}+1}|\phi_{i+l_{c}}...\phi_{1})f(\phi_{i+l_{c}}...\phi_{1})}{f(\phi_{N}|\phi_{N-1}...\phi_{i+1}\phi_{i-1}...\phi_{1})f(\phi_{N-1}|\phi_{N-2}...\phi_{i+1}\phi_{i-1}...\phi_{1})...f(\phi_{i+l_{c}+1}|\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{1})f(\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{1})}\\ \stackrel{{\scriptstyle(\times)}}{{=}}\frac{f(\phi_{N}|\phi_{N-1}...\phi_{N-l_{c}})f(\phi_{N-1}|\phi_{N-2}...\phi_{N-l_{c}-1})...f(\phi_{i+l_{c}+1}|\phi_{i+l_{c}}...\phi_{i+1})f(\phi_{i+l_{c}}...\phi_{1})}{f(\phi_{N}|\phi_{N-1}...\phi_{N-l_{c}})f(\phi_{N-1}|\phi_{N-2}...\phi_{N-l_{c}-1})...f(\phi_{i+l_{c}+1}|\phi_{i+l_{c}}...\phi_{i+1})f(\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{1})}\\ =\frac{f(\phi_{i+l_{c}}...\phi_{1})}{f(\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{1})}\\ =\frac{f(\phi_{1}|\phi_{2}...\phi_{i+l_{c}})f(\phi_{2}|\phi_{3}...\phi_{i+l_{c}})...f(\phi_{i-l_{c}-1}|\phi_{i-l_{c}}...\phi_{i+l_{c}})f(\phi_{i-l_{c}}...\phi_{i+l_{c}})}{f(\phi_{1}|\phi_{2}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})f(\phi_{2}|\phi_{3}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})...f(\phi_{i-l_{c}-1}|\phi_{i-l_{c}}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})f(\phi_{i-l_{c}}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})}\\ \stackrel{{\scriptstyle(*)}}{{=}}\frac{f(\phi_{1}|\phi_{2}...\phi_{1+l_{c}})f(\phi_{2}|\phi_{3}...\phi_{2+l_{c}})...f(\phi_{i-l_{c}-1}|\phi_{i-l_{c}}...\phi_{i})f(\phi_{i-l_{c}}...\phi_{i+l_{c}})}{f(\phi_{1}|\phi_{2}...\phi_{1+l_{c}})f(\phi_{2}|\phi_{3}...\phi_{2+l_{c}})...f(\phi_{i-l_{c}-1}|\phi_{i-l_{c}}...\phi_{i})f(\phi_{i-l_{c}}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})}\\ =\frac{f(\phi_{i-l_{c}}...\phi_{i+l_{c}})}{f(\phi_{i-l_{c}}...\phi_{i-1}\phi_{i+1}...\phi_{i+l_{c}})}\\ =f(\phi_{i}|\phi_{i+l_{c}}...\phi_{i+1}\phi_{i-1}...\phi_{i-l_{c}}),\end{gathered}

(21)

where in the equality marked by an asterisk, we have used

\begin{gathered}f(\phi_{j}|\phi_{j+1}...\phi_{J})=\frac{f(\phi_{j}...\phi_{J})}{f(\phi_{j+1}...\phi_{J})}\\ =\frac{f(\phi_{J}|\phi_{J-1}...\phi_{j})f(\phi_{J-1}|\phi_{J-2}...\phi_{j})...f(\phi_{j+l_{c}+1}|\phi_{j+l_{c}}...\phi_{j})f(\phi_{j+l_{c}}...\phi_{j})}{f(\phi_{J}|\phi_{J-1}...\phi_{j+1})f(\phi_{J-1}|\phi_{J-2}...\phi_{j+1})...f(\phi_{j+l_{c}+1}|\phi_{j+l_{c}}...\phi_{j+1})f(\phi_{j+l_{c}}...\phi_{j+1})}\\ \stackrel{{\scriptstyle(\times)}}{{=}}\frac{f(\phi_{J}|\phi_{J-1}...\phi_{J-l_{c}})f(\phi_{J-1}|\phi_{J-2}...\phi_{J-l_{c}-1})...f(\phi_{j+l_{c}+1}|\phi_{j+l_{c}}...\phi_{j+1})f(\phi_{j+l_{c}}...\phi_{j})}{f(\phi_{J}|\phi_{J-1}...\phi_{J-l_{c}})f(\phi_{J-1}|\phi_{J-2}...\phi_{J-l_{c}-1})...f(\phi_{j+l_{c}+1}|\phi_{j+l_{c}}...\phi_{j+1})f(\phi_{j+l_{c}}...\phi_{j+1})}\\ =\frac{f(\phi_{j+l_{c}}...\phi_{j})}{f(\phi_{j+l_{c}}...\phi_{j+1})}=f(\phi_{j}|\phi_{j+1}...\phi_{j+l_{c}}),\end{gathered}

(22)

and in the equalities marked by a cross, we have used Assumption (A1).

APPENDIX B Obtaining the required bounds using SDPs

Here, we show how to obtain the bounds $q_{\lambda_{1},w}^{\rm L}$ and $e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ using semidefinite programming techniques, and employ these to derive an asymptotic lower bound on the secret-key rate. To do so, for simplicity, we assume that Eve performs a collective attack. However, the set of bounds we obtain, and thus the overall security proof, is also valid for general attacks, due to the extension of the quantum de Finetti theorem [58] to infinite-dimensional systems [59]. We note that, as an alternative to the SDP approach presented here, which uses ideas from Refs. [26, 27], one could also obtain these bounds using linear programming techniques, by using the trace distance inequality to account for the dependence of the eigenstates $\ket{\lambda_{n}^{\mu}}$ on the intensity $\mu$ (see Refs. [23, 32, 33, 34]). However, according to our preliminary numerical simulations, this would result in much more pessimistic bounds.

Eve’s collective attack can be described as a quantum channel $\Lambda$ acting separately on each of Alice’s emitted photonic systems. Let us assume that, in a given round, Bob performs a POVM that contains some element $\Gamma$ . The probability that Bob obtains the outcome associated to $\Gamma$ when Alice sends him a quantum state $\sigma$ can be expressed as

\Tr[\Lambda(\sigma)\Gamma]=\Tr[\sum_{l}E_{l}\sigma E^{\dagger}_{l}\Gamma]=\sum_{l}\Tr[E_{l}\sigma E^{\dagger}_{l}\Gamma]=\sum_{l}\Tr[\sigma E^{\dagger}_{l}\Gamma E_{l}]=\Tr[\sigma\sum_{l}E^{\dagger}_{l}\Gamma E_{l}]=\Tr[\sigma H],

(23)

where $\{E_{l}\}$ are the set of Kraus operators of the operator-sum representation [60] for the channel $\Lambda$ , and

0\leq H\coloneqq\sum_{l}E^{\dagger}_{l}\Gamma E_{l}\leq\sum_{l}E^{\dagger}_{l}E_{l}=\mathbb{I}.

(24)

We denote Bob’s $Z$ and $X$ basis POVMs as, respectively, $\{\Gamma_{0_{Z}},\Gamma_{1_{Z}},\Gamma_{f}\}$ and $\{\Gamma_{0_{X}},\Gamma_{1_{X}},\Gamma_{f}\}$ . Note that the element associated to an inconclusive result, $\Gamma_{f}$ , is the same for both bases, due to Assumption (A8) (basis-independent detection efficiency).

B.1 Lower bound on $q_{\lambda_{1},w}$

To estimate the fraction $q_{\lambda_{1},w}$ , we need to estimate the yield $Y_{\lambda_{1},\mu_{s}}^{Z,w}$ , see Eq. 12. Substituting $\sigma\to\Big{(}\tfrac{1}{2}\hat{V}_{0_{Z}}\rho\hat{V}_{0_{Z}}^{\dagger}+\tfrac{1}{2}\hat{V}_{1_{Z}}\rho\hat{V}_{1_{Z}}^{\dagger}\Big{)}$ and $\Gamma\to(\Gamma_{0_{Z}}+\Gamma_{1_{Z}})$ in Eq. 23, we obtain

\begin{gathered}\Tr[\Lambda\Big{(}\tfrac{1}{2}\hat{V}_{0_{Z}}\rho\hat{V}_{0_{Z}}^{\dagger}+\tfrac{1}{2}\hat{V}_{1_{Z}}\rho\hat{V}_{1_{Z}}^{\dagger}\Big{)}(\Gamma_{0_{Z}}+\Gamma_{1_{Z}})]=\Tr[\left(\tfrac{1}{2}\hat{V}_{0_{Z}}\rho\hat{V}_{0_{Z}}^{\dagger}+\tfrac{1}{2}\hat{V}_{1_{Z}}\rho\hat{V}_{1_{Z}}^{\dagger}\right){H}]\\ =\Tr[\tfrac{1}{2}\rho\hat{V}_{0_{Z}}^{\dagger}{H}\hat{V}_{0_{Z}}+\tfrac{1}{2}\rho\hat{V}_{1_{Z}}^{\dagger}{H}\hat{V}_{1_{Z}}]=\Tr[\rho\tfrac{1}{2}(\hat{V}_{0_{Z}}^{\dagger}{H}\hat{V}_{0_{Z}}+\hat{V}_{1_{Z}}^{\dagger}{H}\hat{V}_{1_{Z}})]=\Tr[\rho J].\end{gathered}

(25)

where we have defined

0\leq J\coloneqq\tfrac{1}{2}(\hat{V}_{0_{Z}}^{\dagger}{H}\hat{V}_{0_{Z}}+\hat{V}_{1_{Z}}^{\dagger}{H}\hat{V}_{1_{Z}})\leq\tfrac{1}{2}(\hat{V}_{0_{Z}}^{\dagger}\hat{V}_{0_{Z}}+\hat{V}_{1_{Z}}^{\dagger}\hat{V}_{1_{Z}})=\mathbb{I}.

(26)

Substituting first $\rho\to\outerproduct{\lambda_{1}^{\mu_{s}}}{\lambda_{1}^{\mu_{s}}}$ and then $\rho\to\rho_{\rm model}^{\mu}$ in Eq. 25, we obtain

\begin{gathered}Y_{\lambda_{1},\mu_{s}}^{Z,w}=\Tr[\outerproduct{\lambda_{1}^{\mu_{s}}}{\lambda_{1}^{\mu_{s}}}J]\\ Q_{\mu,w}^{Z}=\Tr[\rho_{\rm model}^{\mu}J].\end{gathered}

(27)

This implies that we can express a lower bound on $Y_{\lambda_{1},\mu_{s}}^{Z,w}$ as the SDP

$\displaystyle\!\!\min_{J}\hskip 3.99994pt$	$\displaystyle\Tr[\outerproduct{\lambda_{1}^{\mu_{s}}}{\lambda_{1}^{\mu_{s}}}J]$		(28)
s.t.	$\displaystyle\Tr[\rho_{\rm model}^{\mu}J]=Q_{\mu,w}^{Z},\quad$	$\displaystyle\forall\mu$
$\displaystyle\;0\leq J\leq\mathbb{I}.$

However, as explained in the main text, one cannot solve this SDP numerically because (1) it is infinitely dimensional and (2) the eigendecomposition of $\rho_{\rm model}^{\mu}$ is unknown. To overcome these problems, we consider the projection of the state $\rho_{\rm model}^{\mu}$ onto the subspace with up to $M$ photons, and numerically find its eigendecomposition,

\rho_{\rm model}^{\prime\mu}=\frac{\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}}{\Tr[\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}]}=\sum_{n=0}^{M}\frac{p^{\prime}_{\lambda_{n}|\mu}}{{\Tr[\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}]}}\outerproduct*{\lambda_{n}^{\prime\mu}}{\lambda_{n}^{\prime\mu}},

(29)

where the decomposition has $M+1$ terms because the projection is in a space of dimension $M+1$ .

The objective is to construct a relaxed version of LABEL:eq:fraction_sdp using the finite-dimensional states $\rho_{\rm model}^{\prime\mu}$ and $\ket*{\lambda_{1}^{\prime\mu_{s}}}$ rather than their infinite-dimensional counterparts. To do so, we make use of the following results from [26]

	$\displaystyle F(\rho_{\rm model}^{\mu},\rho_{\rm model}^{\prime\mu})=F_{\rm proj}^{\mu},$		(30)
	$\displaystyle\absolutevalue*{p_{\lambda_{n}\|\mu}-p^{\prime}_{\lambda_{n}\|\mu}}\leq\epsilon_{\rm val}^{\mu},$		(31)
	$\displaystyle\absolutevalue{\innerproduct{\lambda_{n}^{\prime\mu}}{\lambda_{n}^{\mu}}}^{2}\geq F_{\textrm{vec},\lambda_{n}}^{\mu},$		(32)

where $F(\sigma,\sigma^{\prime})$ is the fidelity between $\sigma$ and $\sigma^{\prime}$ , given by

F(\sigma,\sigma^{\prime})=\Tr[\sqrt{\sqrt{\sigma}\sigma^{\prime}\sqrt{\sigma}}]^{2},

(33)

and $F_{\rm proj}^{\mu},\epsilon_{\rm val}^{\mu},F_{\textrm{vec},\lambda_{n}}^{\mu}\in[0,1]$ are given by

	$\displaystyle F_{\rm proj}^{\mu}\coloneqq\sum_{n=0}^{M}p^{\prime}_{\lambda_{n}\|\mu},$		(34)
	$\displaystyle\epsilon_{\rm val}^{\mu}\eqqcolon 2\sqrt{1-F_{\rm proj}^{\mu}},$		(35)
	$\displaystyle\absolutevalue{\innerproduct{\lambda_{n}^{\prime\mu}}{\lambda_{n}^{\mu}}}^{2}\geq 1-\left(\frac{\epsilon_{\rm val}^{\mu}}{\delta_{n}}\right)^{2}\coloneqq F_{\textrm{vec},\lambda_{n}}^{\mu}.$		(36)

In Eq. 36, $\delta_{0}=p^{\prime}_{\lambda_{0}|\mu}-p^{\prime}_{\lambda_{1}|\mu}-\epsilon_{\rm val}^{\mu}$ and for $n>1$ ,

\delta_{n}=\min\{p^{\prime}_{\lambda_{n-1}|\mu}-p^{\prime}_{\lambda_{n}|\mu}-\epsilon_{\rm val}^{\mu},\,p^{\prime}_{\lambda_{n}|\mu}-p^{\prime}_{\lambda_{n+1}|\mu}-\epsilon_{\rm val}^{\mu}\},

(37)

Also, we use the following inequality

G_{-}(\textrm{Tr}[\sigma^{\prime}M],F(\sigma,\sigma^{\prime}))\leq\textrm{Tr}[\sigma M]\leq G_{+}(\textrm{Tr}[\sigma^{\prime}M],F(\sigma,\sigma^{\prime})),

(38)

which holds for any two density operators $\sigma,\sigma^{\prime}$ and any $0\leq M\leq\mathbb{I}$ , and where

G_{-}(y,z)=\begin{cases}g_{-}(y,z)&\quad\text{if }y>1-z\\ 0&\quad\text{otherwise}\end{cases}\quad\quad\textrm{and}\quad\quad G_{+}(y,z)=\begin{cases}g_{+}(y,z)&\quad\text{if }y<z\\ 1&\quad\text{otherwise}\end{cases}

(39)

with

g_{\pm}(y,z)=y+(1-z)(1-2y)\pm 2\sqrt{z(1-z)y(1-y)}.

(40)

The proofs for the results in Eqs. 30, 31, 32 and 38 are given in Section B.4 below.

Let $J^{\ast}$ be the operator that minimises the SDP in LABEL:eq:fraction_sdp. We have that

Y_{\lambda_{1},\mu_{s}}^{Z,w}\geq\expectationvalue*{J^{\ast}}{\lambda_{1}^{\mu_{s}}}\geq G_{-}\big{(}\expectationvalue*{J^{\ast}}{\lambda_{1}^{\prime\mu_{s}}},F_{\textrm{vec},\lambda_{1}}^{\mu_{s}}\big{)},

(41)

where in the last inequality we have used Eqs. 32 and 38 and the fact that $G_{-}$ is increasing with respect to its second argument. On the other hand, we have that

\expectationvalue*{J^{\ast}}{\lambda_{1}^{\prime\mu_{s}}}\geq\expectationvalue*{J^{\ast\ast}}{\lambda_{1}^{\prime\mu_{s}}}\eqqcolon Y_{\lambda_{1},\mu_{s}}^{\prime Z,w,\textrm{L}},

(42)

where $Y_{\lambda_{1},\mu_{s}}^{\prime Z,w,\textrm{L}}$ is the solution of the SDP

$\displaystyle\!\!\min_{J}\hskip 3.99994pt$	$\displaystyle\Tr[\outerproduct*{\lambda_{1}^{\prime\mu_{s}}}{\lambda_{1}^{\prime\mu_{s}}}J]$		(43)
s.t.	$\displaystyle G_{-}(Q_{\mu,w}^{Z},F_{\rm proj}^{\mu})\leq\Tr[\rho_{\rm model}^{\prime\mu}J]\leq G_{+}(Q_{\mu,w}^{Z},F_{\rm proj}^{\mu}),\,\quad$	$\displaystyle\forall\mu$
$\displaystyle\;0\leq J\leq\mathbb{I};$

and $J^{**}$ is the operator that minimises this SDP. In LABEL:eq:fraction_sdp_finite, $\rho_{\rm model}^{\prime\mu}$ is given by Eq. 29, and in the first inequality of LABEL:eq:fraction_sdp_finite, we have used Eqs. 30 and 38. Equation 42 holds because the constraints of LABEL:eq:fraction_sdp_finite are looser than those of LABEL:eq:fraction_sdp, i.e. all operators that satisfy the constraints of LABEL:eq:fraction_sdp, including $J^{\ast}$ , also satisfy the constraints of LABEL:eq:fraction_sdp_finite. Note that the states $\rho_{\rm model}^{\prime\mu}$ and $\ket*{\lambda_{1}^{\prime\mu_{s}}}$ live in the finite subspace spanned by $\{\ket{0},...,\ket{M}\}$ , and therefore, the action of $J$ outside this finite subspace is irrelevant as far as the optimisation problem in LABEL:eq:fraction_sdp_finite is concerned. As a consequence, we can restrict the optimisation search to operators $J$ that act only on this finite subspace, i.e. LABEL:eq:fraction_sdp_finite is actually a finite-dimensional SDP that we can solve numerically.

Combining Eqs. 41 and 42, and using the fact that $G_{-}$ is increasing with respect to its first argument, we obtain the bound

Y_{\lambda_{1},\mu_{s}}^{Z,w}\geq G_{-}\big{(}Y_{\lambda_{1},\mu_{s}}^{\prime Z,w,\textrm{L}},F_{\textrm{vec},\lambda_{1}}^{\mu_{s}}\big{)}\eqqcolon Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}.

(44)

Using Eqs. 31 and 44, we finally obtain the bound

q_{\lambda_{1},w}\geq\frac{(p^{\prime}_{\lambda_{n}|\mu}-\epsilon_{\rm val}^{\mu_{s}})Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}}{Q_{\mu_{s},w}^{Z}}\eqqcolon q_{\lambda_{1},w}^{\rm L}.

(45)

B.2 Upper bound on $e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}$

The phase-error rate is given by Eq. 15. We can express each term in the numerator of this equation as

\begin{gathered}p_{\textrm{vir}\beta}Y_{\textrm{vir}\beta}^{(\beta\oplus 1)_{X}}=p_{\textrm{vir}\beta}\Tr[\Lambda\left(\outerproduct*{\lambda_{\textrm{vir}\beta}}{\lambda_{\textrm{vir}\beta}}\right)\Gamma_{(\beta\oplus 1)_{X}}]\\ =\Tr[p_{\textrm{vir}\beta}\outerproduct*{\lambda_{\textrm{vir}\beta}}{\lambda_{\textrm{vir}\beta}}L_{(\beta\oplus 1)_{X}}]=\Tr[\outerproduct*{\tilde{\lambda}_{\textrm{vir}\beta}}{\tilde{\lambda}_{\textrm{vir}\beta}}L_{(\beta\oplus 1)_{X}}\big{]},\end{gathered}

(46)

where in the second equality we have used Eq. 23 with the substitutions $\Gamma\to\Gamma_{(\beta\oplus 1)_{X}}$ , $H\to L_{(\beta\oplus 1)_{X}}$ and $\sigma\to\outerproduct*{\lambda_{\textrm{vir}\beta}}{\lambda_{\textrm{vir}\beta}}$ . By substituting $\sigma\to\hat{V}_{b_{\omega_{A}}}\rho_{\rm model}^{\mu}\hat{V}_{b_{\omega_{A}}}^{\dagger}$ instead, we obtain

Q_{\mu,b_{\omega_{A}},w}^{(\beta\oplus 1)_{X}}=\Tr[\hat{V}_{b_{\omega_{A}}}\rho_{\rm model}^{\mu}\hat{V}_{b_{\omega_{A}}}^{\dagger}L_{(\beta\oplus 1)_{X}}\big{]},

(47)

where $Q_{\mu,b_{\omega_{A}},w}^{(\beta\oplus 1)_{X}}$ is the observed rate at which Bob obtains the result $(\beta\oplus 1)_{X}$ conditioned on Alice choosing intensity $\mu$ , basis $\omega_{A}$ and bit $b$ , Bob choosing the $X$ basis, and the round being in $\mathcal{G}_{w}$ . This means that an upper bound on $p_{\textrm{vir}\beta}Y_{\textrm{vir}\beta}^{(\beta\oplus 1)_{X}}$ can be expressed as the SDP

$\displaystyle\!\!\max_{L_{(\beta\oplus 1)_{X}}}\!$	$\displaystyle\Tr[\outerproduct*{\tilde{\lambda}_{\textrm{vir}\beta}}{\tilde{\lambda}_{\textrm{vir}\beta}}L_{(\beta\oplus 1)_{X}}\big{]}$	(48)
s.t.	$\displaystyle\Tr[\hat{V}_{b_{\omega_{A}}}\rho_{\rm model}^{\mu}\hat{V}_{b_{\omega_{A}}}^{\dagger}\!L_{(\beta\oplus 1)_{X}}\big{]}=Q_{\mu,b_{\omega_{A}},w}^{(\beta\oplus 1)_{X}},\,\forall\mu,b,\omega_{A}$
$\displaystyle\;0\leq L_{(\beta\oplus 1)_{X}}\leq\mathbb{I}.$

As before, we need to find a finite-dimensional relaxation of Eq. 48 that we can solve numerically. Let $L_{(\beta\oplus 1)_{X}}^{\star}$ be the operator that maximises the SDP in Eq. 48, and let

{M}_{\rm ph}\coloneqq\outerproduct{0_{X}}{0_{X}}\otimes L_{1_{X}}^{\star}+\outerproduct{1_{X}}{1_{X}}\otimes L_{0_{X}}^{\star}.

(49)

We have that

\begin{gathered}p_{\textrm{vir}0}Y_{\textrm{vir}0}^{1_{X}}+p_{\textrm{vir}1}Y_{\textrm{vir}1}^{0_{X}}\leq\expectationvalue*{L_{1_{X}}^{\star}}{\tilde{\lambda}_{\textrm{vir}0}}+\expectationvalue*{L_{0_{X}}^{\star}}{\tilde{\lambda}_{\textrm{vir}1}}=\expectationvalue*{{M}_{\rm ph}}{\Psi_{Z}},\end{gathered}

(50)

where $\ket*{{\Psi_{Z}}}$ is defined in Eq. 13. Now, let us define the entangled state

\ket*{\Psi^{\prime}_{Z}}=\frac{1}{\sqrt{2}}\left(\ket{0_{Z}}\hat{V}_{0_{Z}}\ket{\lambda_{1}^{\prime\mu_{s}}}+\ket{1_{Z}}\hat{V}_{1_{Z}}\ket{\lambda_{1}^{\prime\mu_{s}}}\right).

(51)

and the unnormalised states

\ket*{\tilde{\lambda}^{\prime}_{\textrm{vir}\beta}}=\innerproduct*{\beta_{X}}{\Psi^{\prime}_{Z}}=\frac{1}{2}(\hat{V}_{0_{Z}}+(-1)^{\beta}\hat{V}_{1_{Z}})\ket*{\lambda_{1}^{\prime\mu_{s}}}.

(52)

We have that

\absolutevalue{\innerproduct*{\Psi^{\prime}_{Z}}{\Psi_{Z}}}^{2}=\absolutevalue{\tfrac{1}{2}\matrixelement{\lambda_{1}^{\prime\mu_{s}}}{\hat{V}_{0Z}^{\dagger}\hat{V}_{0Z}}{\lambda_{1}^{\mu_{s}}}+\tfrac{1}{2}\matrixelement{\lambda_{1}^{\prime\mu_{s}}}{\hat{V}_{1Z}^{\dagger}\hat{V}_{1Z}}{\lambda_{1}^{\mu_{s}}}}^{2}=\absolutevalue{\innerproduct*{\lambda_{1}^{\prime\mu_{s}}}{\lambda_{1}^{\mu_{s}}}}^{2}\geq F_{\textrm{vec},\lambda_{1}}^{\mu_{s}},

(53)

where the inequality is due to Eq. 32. Therefore, applying the bound in Eq. 38, and using the fact that $G_{+}$ is a decreasing function with respect to its second argument,

\expectationvalue*{{M}_{\rm ph}}{\Psi_{Z}}\leq G_{+}\big{(}\expectationvalue*{{M}_{\rm ph}}{\Psi^{\prime}_{Z}},F_{\textrm{vec},\lambda_{1}}^{\mu_{s}}\big{)}.

(54)

On the other hand, we have that

\begin{gathered}\expectationvalue*{{M}_{\rm ph}}{\Psi^{\prime}_{Z}}=\expectationvalue*{L_{1_{X}}^{\star}}{\tilde{\lambda}^{\prime}_{\textrm{vir}0}}+\expectationvalue*{L_{0_{X}}^{\star}}{\tilde{\lambda}^{\prime}_{\textrm{vir}1}}\\ \leq\expectationvalue*{L_{1_{X}}^{\ast\ast}}{\tilde{\lambda}^{\prime}_{\textrm{vir}0}}+\expectationvalue*{L_{0_{X}}^{\ast\ast}}{\tilde{\lambda}^{\prime}_{\textrm{vir}1}}\eqqcolon\tilde{Y}_{\textrm{vir}0}^{\prime 1_{X}}+\tilde{Y}_{\textrm{vir}1}^{\prime 0_{X}},\end{gathered}

(55)

where $\tilde{Y}_{\textrm{vir}\beta}^{\prime(\beta\oplus 1)_{X}}$ is the solution to the following SDP

$\displaystyle\!\!\max_{L_{(\beta\oplus 1)_{X}}}\hskip 3.99994pt$	$\displaystyle\Tr[\outerproduct*{\tilde{\lambda}^{\prime}_{\textrm{vir}\beta}}{\tilde{\lambda}^{\prime}_{\textrm{vir}\beta}}L_{(\beta\oplus 1)_{X}}\big{]}$		(56)
s.t.	$\displaystyle G_{-}(Q_{\mu,b_{\omega_{A}},w}^{(\beta\oplus 1)_{X}},F_{\rm proj}^{\mu})\leq\Tr[\hat{V}_{b_{\omega_{A}}}\rho_{\rm model}^{\prime\mu}\hat{V}_{b_{\omega_{A}}}^{\dagger}L_{(\beta\oplus 1)_{X}}\big{]}\leq G_{+}(Q_{\mu,b_{\omega_{A}},w}^{(\beta\oplus 1)_{X}},F_{\rm proj}^{\mu}),\quad$	$\displaystyle\forall\mu,\omega_{A},b$
$\displaystyle\;0\leq L_{(\beta\oplus 1)_{X}}\leq\mathbb{I};$

and $L_{(\beta\oplus 1)_{X}}^{\ast\ast}$ is the operator that maximises this SDP. In Eq. 56, $\rho_{\rm model}^{\prime\mu}$ is given by Eq. 29, and in the first inequality of Eq. 56, we have used Eqs. 30 and 38. Note that the inequality in Eq. 55 holds because $L_{(\beta\oplus 1)_{X}}^{\ast}$ satisfies the constraints of Eq. 56.

Combining Eqs. 50, 54 and 55, and using the fact that $G_{+}$ is increasing with respect to its first argument, we obtain the bound

p_{\textrm{vir}0}Y_{\textrm{vir}0}^{1_{X}}+p_{\textrm{vir}1}Y_{\textrm{vir}1}^{0_{X}}\leq G_{+}\big{(}\tilde{Y}_{\textrm{vir}0}^{\prime 1_{X}}+\tilde{Y}_{\textrm{vir}1}^{\prime 0_{X}},F_{\textrm{vec},\lambda_{1}}^{\mu_{s}}\big{)}\eqqcolon\tilde{Y}_{\rm ph}^{\rm U}.

(57)

Then, using Eqs. 44 and 57, we finally obtain the bound on the phase-error rate of the $w$ -th sifted subkey,

e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}\leq\frac{\tilde{Y}_{\rm ph}^{\rm U}}{Y_{\lambda_{1},\mu_{s}}^{Z,w,\textrm{L}}}\eqqcolon e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}.

(58)

B.3 Secret-key rate

Putting all together, a lower bound on the fraction of the $w$ -th sifted subkey that can be turned into a secret key is given by

F_{w}\geq q_{\lambda_{1},w}^{\rm L}\big{[}1-h(e_{{\rm ph},w}^{\lambda_{1},\mu_{s},\textrm{U}})\big{]}-fh(E^{Z}_{\mu_{s},w})\coloneqq F_{w}^{\rm L},

(59)

where $E^{Z}_{\mu_{s},w}$ is the error rate conditioned on Alice choosing the intensity $\mu_{s}$ , both users choosing the $Z$ basis, and the round being in $\mathcal{G}_{w}$ ; and a lower bound on the secret-key rate obtainable per emitted $w$ -group pulse is given by

R_{w}\geq p_{\mu_{s}}p_{Z_{A}}p_{Z_{B}}Q_{\mu_{s},w}^{Z}F_{w}^{\rm L}\coloneqq R_{w}^{\rm L}.

(60)

By assuming that $p_{\mu_{s}}$ , $p_{Z_{A}}$ and $p_{Z_{B}}$ all approach one, which is optimal when $N\to\infty$ , and substituting $q_{\lambda_{1},w}^{\rm L}$ by its definition in Eq. 45, we obtain Eq. 17.

For completeness, we note that the procedure presented above can be used to obtain bounds on $q_{\lambda_{n},w}$ and $e_{{\rm ph},w}^{\lambda_{n},\mu_{s}}$ for any $n$ , not just $n=1$ . In fact, a more general lower bound on the fraction of the $w$ -th sifted key that can be turned into a secret key is given by

F_{w}\geq\sum_{n\in\mathcal{N}}q_{\lambda_{n},w}^{\rm L}\big{[}1-h(e_{{\rm ph},w}^{\lambda_{n},\mu_{s},\textrm{U}})\big{]}-fh(E^{Z}_{\mu_{s},w})\coloneqq F_{w}^{\rm L},

(61)

where $\mathcal{N}$ denotes the set of values of $n$ for which one obtained bounds on $q_{\lambda_{n},w}$ and $e_{{\rm ph},w}^{\lambda_{n},\mu_{s}}$ . According to our simulations, by obtaining bounds for $n=0$ , one can obtain a small key-rate improvement in some scenarios (particularly, for low attenuations and relative low values of $q$ ), but we have not found any scenario in which one can obtain a positive key-rate contribution for any $n>1$ . In any case, for simplicity, in our simulations we obtain bounds only for $n=1$ .

B.4 Proof of bounds in Eqs. 30, 31, 32 and 38

Eq. 30

Let $\rho$ be a density matrix, and let $\rho^{\prime}=\frac{\Pi\rho\Pi}{\Tr[\Pi\rho\Pi]}$ , where $\Pi$ is a projector. Then,

\displaystyle F(\rho,\rho^{\prime})=\Tr[\sqrt{\sqrt{\rho}\rho^{\prime}\sqrt{\rho}}]^{2}=\frac{\Tr[\sqrt{\sqrt{\rho}\Pi\rho\Pi\sqrt{\rho}}]^{2}}{\Tr[\Pi\rho\Pi]}=\Tr[\Pi\rho\Pi],

(62)

where in the last equality we have used

\displaystyle\Tr[\sqrt{\sqrt{\rho}\Pi\rho\Pi\sqrt{\rho}}]^{2}=\Tr[\sqrt{\sqrt{\rho}\Pi\sqrt{\rho}\sqrt{\rho}\Pi\sqrt{\rho}}]^{2}=\Tr[\sqrt{\rho}\Pi\sqrt{\rho}]^{2}=\Tr[\Pi\rho\Pi]^{2}.

(63)

Thus, we have that

F(\rho_{\rm model}^{\mu},\rho_{\rm model}^{\prime\mu})=\Tr[\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}]=\sum_{n=0}^{M}p^{\prime}_{\lambda_{n}|\mu}\eqqcolon F_{\rm proj}^{\mu}.

(64)

Eq. 31

Using Theorem 2 in Appendix A of Ref. [26], we have that

\absolutevalue{p_{\lambda_{n}|\mu}-p^{\prime}_{\lambda_{n}|\mu}}\leq 2\sqrt{1-\Tr[\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}]}=2\sqrt{1-F_{\rm proj}^{\mu}}\eqqcolon\epsilon_{\rm val}^{\mu}.

(65)

Eq. 32

Using Theorem 3 in Appendix A of Ref. [26], we find that

\absolutevalue*{\innerproduct*{\lambda_{n}^{\prime\mu}}{\lambda_{n}^{\mu}}}^{2}\geq 1-\left(\frac{\epsilon_{\rm val}^{\mu}}{\delta_{n}}\right)^{2}\coloneqq F_{\textrm{vec},\lambda_{n}}^{\mu},

(66)

where $\delta_{0}=p^{\prime}_{\lambda_{0}|\mu}-p^{\prime}_{\lambda_{1}|\mu}-\epsilon_{\rm val}^{\mu}$ and for $n>1$ ,

\delta_{n}=\min\{p^{\prime}_{\lambda_{n-1}|\mu}-p^{\prime}_{\lambda_{n}|\mu}-\epsilon_{\rm val}^{\mu},\,p^{\prime}_{\lambda_{n}|\mu}-p^{\prime}_{\lambda_{n+1}|\mu}-\epsilon_{\rm val}^{\mu}\}.

(67)

Eq. 38

We use the following result from Ref. [29]. Let $\ket{u}$ and $\ket{v}$ be two pure states, and let $0\leq E\leq\mathbb{I}$ . Then,

G_{-}\big{(}\expectationvalue*{E}{v},\absolutevalue{\innerproduct{v}{u}}^{2}\big{)}\leq\expectationvalue*{E}{u}\leq G_{+}\big{(}\expectationvalue*{E}{v},\absolutevalue{\innerproduct{v}{u}}^{2}\big{)}

(68)

where

G_{-}(y,z)=\begin{cases}g_{-}(y,z)&\quad\text{if }y>1-z\\ 0&\quad\text{otherwise}\end{cases}\quad\quad\textrm{and}\quad\quad G_{+}(y,z)=\begin{cases}g_{+}(y,z)&\quad\text{if }y<z\\ 1&\quad\text{otherwise}\end{cases}

(69)

with

g_{\pm}(y,z)=y+(1-z)(1-2y)\pm 2\sqrt{z(1-z)y(1-y)}.

(70)

This result can be easily extended to mixed states. Let $\sigma$ and $\sigma^{\prime}$ be any two density matrices acting on some system $S$ , and let $\ket{\sigma}_{S^{\prime}S}$ and $\ket{\sigma^{\prime}}_{S^{\prime}S}$ be purifications of these states satisfying

\absolutevalue{\innerproduct{\sigma^{\prime}}{\sigma}}^{2}=F(\sigma,\sigma^{\prime}),

(71)

which exist due to Uhlmann’s theorem [61]. Then, for any $0\leq M\leq\mathbb{I}_{S}$ , we have that

	$\displaystyle\textrm{Tr}[\sigma M]$	$\displaystyle=\expectationvalue*{\mathbb{I}_{S^{\prime}}\otimes M}{\sigma}$		(72)
	$\displaystyle\textrm{Tr}[\sigma^{\prime}M]$	$\displaystyle=\expectationvalue*{\mathbb{I}_{S^{\prime}}\otimes M}{\sigma^{\prime}}.$		(72)

Substituting $\ket{u}\to\ket{\sigma}_{S^{\prime}S}$ , $\ket{v}\to\ket{\sigma^{\prime}}_{S^{\prime}S}$ and $E\to\mathbb{I}_{S^{\prime}}\otimes M$ in Eq. 68, and then using Eqs. 71 and 72, we obtain Eq. 38, i.e.

G_{-}(\textrm{Tr}[\sigma^{\prime}M],F(\sigma,\sigma^{\prime}))\leq\textrm{Tr}[\sigma M]\leq G_{+}(\textrm{Tr}[\sigma^{\prime}M],F(\sigma,\sigma^{\prime})).

(73)

B.5 On the dimension of the SDPs

To input the SDPs in LABEL:eq:fraction_sdp_finite and 56 into a computer solver, we need to use a matrix representation for the states $\{\rho_{\rm model}^{\prime\mu}\}_{\mu}$ and their eigenvectors; for this, we need to choose a particular orthonormal basis in which to express these states, with the natural choice being $\{\ket{0},...,\ket{M}\}$ . First, we find the expression

\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}=q\,\Pi_{M}\rho_{\rm PR}^{\mu}\Pi_{M}+(1-q)\Pi_{M}\outerproduct{\sqrt{\mu}}{\sqrt{\mu}}\Pi_{M}=\sum_{m,m^{\prime}=0}^{M}c_{m,m^{\prime}}^{(\mu)}\outerproduct{m}{m^{\prime}},

(74)

where

\begin{cases}c_{m,m}^{(\mu)}=\frac{\mu^{m}e^{-\mu}}{m!},\\ c_{m,m^{\prime}}^{(\mu)}=(1-q)\frac{\mu^{\frac{m+m^{\prime}}{2}e^{-\mu}}}{\sqrt{m!m^{\prime}!}}\quad m\neq m^{\prime}.\end{cases}

(75)

Then, we numerically find the eigenvalues $\{p^{\prime}_{\lambda_{n}|\mu}\}_{n}$ and eigenvectors $\{\ket*{\lambda_{n}^{\prime\mu}}\}_{n}$ of $\Pi_{M}\rho_{\rm model}^{\mu}\Pi_{M}$ , with the latter expressed in the Fock basis

\ket*{\lambda_{n}^{\prime\mu}}=\sum_{m=0}^{M}\sqrt{c_{m}^{(\lambda_{n}^{\mu})}}\ket{m}.

(76)

Finally, we renormalise Eq. 74 to obtain the expression for $\rho_{\rm model}^{\prime\mu}$ , and substitute everything into the SDPs in LABEL:eq:fraction_sdp_finite and 56.

Note that, while the SDP in LABEL:eq:fraction_sdp_finite does not depend on the encoding operators $\{\hat{V}_{0_{Z}},\hat{V}_{1_{Z}},\hat{V}_{0_{X}},\hat{V}_{1_{X}}\}$ , the SDP in Eq. 56 does depend on the form of these operators. Typically, the output space of these operators has a larger dimension than the input space. For example, in our simulations, for simplicity, we assume that these are ideal $Z$ - and $X$ -basis BB84 operators, whose output space consists of two modes of light and whose action in the Fock basis is²²2Note that Eq. 77 represents ideal $Z$ - and $X$ -basis BB84 operators regardless of the physical degree of freedom used for the encoding. For time-bin encoding, the first ket would represent, say, the early time bin, and the second ket would represent the late time bin; while for polarization encoding, the first ket would represent, say, the horizontally-polarized mode, and the second ket would represent the vertically-polarized mode.
Also, note that it is perhaps more standard to define BB84 encoding operators as unitary, rather than just isometric, by adding an extra input mode initialized in an arbitrary pure state, say $\ket{0}$ , such that the ideal operators become $\hat{V}_{0_{Z}}\ket{m}\ket{0}=\ket{m}\ket{0}$ , $\hat{V}_{1_{Z}}\ket{m}\ket{0}=\ket{0}\ket{m}$ , and so on. However, defining $\{\hat{V}_{0_{Z}},\hat{V}_{1_{Z}},\hat{V}_{0_{X}},\hat{V}_{1_{X}}\}$ as unitary operators with two input and two output modes throughout the manuscript would make many formulas more cumbersome and result in the analysis being less general, since it would no longer cover non-standard encoding operations in which the output encoding space is, say, one or three modes of light, rather than two.

\begin{gathered}\hat{V}_{0_{Z}}\ket{m}=\ket{m}\ket{0},\\ \hat{V}_{1_{Z}}\ket{m}=\ket{0}\ket{m},\\ \hat{V}_{0_{X}}\ket{m}=\sum_{k}\frac{1}{\sqrt{2^{m}}}\sqrt{{m\choose k}}\ket{k}\ket{m-k},\\ \hat{V}_{1_{X}}\ket{m}=\sum_{k}(-1)^{k}\frac{1}{\sqrt{2^{m}}}\sqrt{{m\choose k}}\ket{k}\ket{m-k}.\end{gathered}

(77)

The quantum states in LABEL:eq:fraction_sdp_finite can be expressed in the basis $\{\ket{0},...,\ket{M}\}$ , which contains $M+1$ elements, while the states in Eq. 56 can be expressed in the basis $\{\ket{m}\ket{m^{\prime}}\}_{m+m^{\prime}\leq M}$ , which has $\sum_{k=0}^{M}(k+1)=\frac{(M+2)(M+1)}{2}$ elements. This means that the dimension of the SDP in Eq. 56, and therefore the time it takes to solve it, grows much more rapidly with $M$ . In principle, the tightness of the bounds, and thus the resulting secret-key rate, improves as $M$ grows. However, we have found that one can only obtain very marginal key-rate improvements beyond $M=9$ , and we have chosen this value for our simulations.

APPENDIX C Security of the $w$ -th subkey

In the main text, we have showed that the $w$ -th subkey is secure in the actual protocol if it is secure in the $w$ -th alternative scenario. Here, we give further information on the approach we use to prove the security of the $w$ -th subkey in the $w$ -th alternative scenario, which is based on complementarity [51]. The first step is to define the following virtual protocol, which is indistinguishable from the $w$ -th alternative scenario from the point of view of Eve.

$w$ -th virtual protocol (1a-1c) For every round in $\mathcal{G}_{w}$ , Alice probabilistically chooses a intensity $\mu$ and prepares $\ket{\rho_{\rm model}^{\mu}}=\sum_{n=0}^{\infty}\sqrt{p_{\lambda_{n}|\mu}}\ket{n}_{A_{n}}\ket*{\lambda_{n}^{\mu}}_{B}$ , a purification of the state $\rho_{\rm model}^{\mu}$ given by Eq. 11. Then, she measures her ancilla $A_{n}$ , learning the value of the tag $n$ . For every round in $\mathcal{G}_{\overline{w}}$ , Alice probabilistically chooses a intensity $\mu$ and prepares $\ket{\mu}_{B}$ . (1d) For every round, Alice initialises an ancilla system $A_{b}$ ( $A_{\omega}$ ), associated to her choice of bit (basis). Then, she applies the following encoding operation $\displaystyle\hat{V}_{\rm enc}\ket{0}_{A_{\omega}}\ket{0}_{A_{b}}\ket{\varphi}_{B}=$ $\displaystyle\sqrt{\frac{p_{Z_{A}}}{2}}$ $\displaystyle\ket{0}_{A_{\omega}}$ $\displaystyle(\ket{0}_{A_{b}}$ $\displaystyle\hat{V}_{0_{Z}}\ket{\varphi}_{B}$ $\displaystyle+\ket{1}_{A_{b}}$ $\displaystyle\hat{V}_{1_{Z}}$ $\displaystyle\ket{\varphi}_{B})$ (78) $\displaystyle+$ $\displaystyle\sqrt{\frac{p_{X_{A}}}{2}}$ $\displaystyle\ket{1}_{A_{\omega}}$ $\displaystyle(\ket{0}_{A_{b}}$ $\displaystyle\hat{V}_{0_{X}}\ket{\varphi}_{B}$ $\displaystyle+\ket{1}_{A_{b}}$ $\displaystyle\hat{V}_{1_{X}}$ $\displaystyle\ket{\varphi}_{B}),$ where $\ket{\varphi}_{B}$ refers to any state of system $B$ prepared in the previous step. (2) Bob performs a quantum nondemolition measurement³³3Thanks to Assumption (A8) (basis-independent detection efficiency), Bob’s measurement can be decomposed into a basis-independent nondemolition measurement followed by a two-valued $Z$ or $X$ basis measurement., learning which rounds are detected, and announces this information. (3) For each round, Alice measures her basis ancilla $A_{\omega}$ , learning her choice of basis; while Bob probabilistically chooses a basis. Both users announce the basis information for the detected rounds. The key rounds are the set of detected rounds in which Alice and Bob both chose the $Z$ basis and Alice chose the signal intensity $\mu_{s}$ . The test rounds are the set of detected rounds in which Bob chose the $X$ basis. (4) For the test rounds, Alice measures her bit value ancilla $A_{b}$ in the computational basis, and Bob measures his photonic system in the $X$ basis. They announce and record the outcome of these measurements. (5) For the $w$ -group key rounds, Alice measures her bit value ancilla $A_{b}$ in the $X$ basis, and Bob measures his photonic system in the $X$ basis. Let $\textbf{x}_{a}^{w}$ ( $\textbf{x}_{b}^{w}$ ) be Alice’s (Bob’s) measurement results. We define the phase-error pattern of the $w$ -th sifted key as $\textbf{x}_{w}:=\textbf{x}_{a}^{w}\oplus\textbf{x}_{b}^{w}$ .

To prove the security of the $w$ -th subkey, one simply needs to show that, before the last step of the $w$ -th virtual protocol, Alice and Bob could have defined a candidate set of phase-error patterns $\mathcal{T}_{w}$ of size $\absolutevalue{\mathcal{T}_{w}}\leq 2^{H_{\rm ph}^{w,\textrm{U}}}$ such that $\textrm{Pr}[\textbf{x}_{w}\notin\mathcal{T}_{w}]\to 0$ exponentially fast as $N\to\infty$ . This implies that, if Alice and Bob apply privacy amplification to the $w$ -th sifted subkey, sacrificing slightly more than $H_{\rm ph}^{w,\textrm{U}}$ bits, the final $w$ -th subkey is secret [51]⁴⁴4More precisely, if $\textrm{Pr}[\textbf{x}_{w}\notin\mathcal{T}_{w}]\leq\varepsilon$ , and the users sacrifice at least $H_{\rm ph}^{w,\textrm{U}}-\log_{2}\xi$ bits in PA, then the final $w$ -th subkey is $\epsilon_{s}$ -secret, with $\epsilon_{s}=\sqrt{2}\sqrt{\varepsilon+\xi}$ . In the asymptotic regime where $N\to\infty$ , we can simply assume that the parameters $\varepsilon$ , $\epsilon$ and $\xi$ approach zero.
Also, note that the definition of the candidate set $\mathcal{T}_{w}$ (and the upper bound on its size) depends on the results observed in the $w$ -group test rounds. However, we omit this dependence for notational simplicity..

In the $w$ -th virtual protocol, each bit of the $w$ -th sifted key is tagged by its value of $n$ . Therefore, Alice and Bob can estimate the phase-error rate separately for the bits with different $n$ . In particular, they can simply use the observed $w$ -group test data to obtain an upper bound $e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ on $e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}$ , the phase-error rate of the bits for which $n=1$ , such that $\textrm{Pr}[e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}>e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}]\to 0$ as $N\to\infty$ . Let $N_{\rm sift}^{w}$ be the size of the $w$ -th sifted key, and let $q_{\lambda_{1},w}$ be the fraction of its bits such that $n=1$ . By assuming that these bits have at most $q_{\lambda_{1},w}N_{\rm sift}^{w}e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ phase errors, Alice and Bob can define a candidate set of phase-error patterns $\mathcal{T}_{w}$ of size $\absolutevalue{\mathcal{T}_{w}}\leq 2^{H_{\rm ph}^{w}}$ , where

H_{\rm ph}^{w}=q_{\lambda_{1},w}N_{\rm sift}^{w}h(e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w})+(1-q_{\lambda_{1},w})N_{\rm sift}^{w},

(79)

such that $\Pr[\textbf{x}_{w}\notin\mathcal{T}_{w}]=\textrm{Pr}[e^{\lambda_{1},\mu_{s}}_{\textrm{ph},w}>e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}]$ approaches zero as $N\to\infty$ . This implies that the $w$ -th subkey key is secret if Alice and Bob sacrifice at least $H_{\rm ph}^{w}$ bits in the privacy amplification step.

In the actual protocol, Alice and Bob do not know which bits have a tag $n=1$ , and thus cannot know the value of $q_{\lambda_{1},w}$ . However, they can find a lower bound $q_{\lambda_{1},w}^{\rm L}$ such that $\textrm{Pr}[q_{\lambda_{1},w}<q_{\lambda_{1},w}^{\rm L}]\to 0$ as $N\to\infty$ , and then sacrifice $H_{\rm ph}^{w,{\rm U}}$ bits in the privacy amplification step, where $H_{\rm ph}^{w,{\rm U}}$ is computed by substituting $q_{\lambda_{1},w}$ by $q_{\lambda_{1},w}^{\rm L}$ in Eq. 79. The probability that this bound is incorrect just adds to the overall failure probability of the estimation process. Thus, the problem of proving the secrecy of the $w$ -th subkey is reduced to the problem of obtaining the bounds $q_{\lambda_{1},w}^{\rm L}$ and $e^{\lambda_{1},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ using the $w$ -group test data. In Appendix B, we have shown how to obtain these bounds using semidefinite programming techniques.

Note that Alice and Bob can attempt to estimate the phase-error rate for values of $n$ other than $n=1$ . In this case, the users should sacrifice

H_{\rm ph}^{w,{\rm U}}=\sum_{n\in\mathcal{N}}q_{\lambda_{n},w}^{\rm L}N_{\rm sift}^{w}h(e^{\lambda_{n},\mu_{s},\textrm{U}}_{\textrm{ph},w})+(1-\sum_{n\in\mathcal{N}}q_{\lambda_{n},w}^{\rm L})N_{\rm sift}^{w}

(80)

bits, where $\mathcal{N}$ is the set of values of $n$ for which Alice and Bob obtain bounds $q_{\lambda_{n},w}^{\rm L}$ and $e^{\lambda_{n},\mu_{s},\textrm{U}}_{\textrm{ph},w}$ on, respectively, $q_{\lambda_{n},w}$ and $e^{\lambda_{n},\mu_{s}}_{\textrm{ph},w}$ . As explained in Appendix B, our semidefinite programming approach can be trivially modified to obtain bounds for any $n$ , but in our simulations, for simplicity, we obtain bounds only for $n=1$ .

APPENDIX D Estimation of $q$ under the assumption $l_{c}=1$

Ref. [20] argues that, when using a gain-switched laser, the phase difference $\phi_{d}$ between two consecutive pulses follows a Gaussian distribution, i.e. its PDF is

f_{G}(\phi_{d};\hat{\phi}_{d},\sigma),

(81)

where the central value $\hat{\phi}_{d}$ can be assumed to be fixed throughout the experiment. The standard deviation $\sigma$ , on the other hand, can be estimated by measuring the fringe visibility $V$ of the interference between consecutive pulses using an asymmetric interferometer. In particular, it is shown in Ref. [20] that $V=|\langle e^{i\phi_{d}}\rangle|$ , where

\langle e^{i\phi_{d}}\rangle=\int_{-\infty}^{\infty}d\phi_{d}e^{i\phi_{d}}f_{G}(\phi_{d};\hat{\phi}_{d},\sigma)=\exp[-\sigma^{2}/2]e^{i\hat{\phi}_{d}}.

(82)

This means that $V=\exp[-\sigma^{2}/2]$ , or equivalently

\sigma=\sqrt{2\ln(1/V)}.

(83)

In the above description, the phase difference $\phi_{d}$ follows a Gaussian distribution, and therefore can take any value in $\{-\infty,\infty\}$ . This makes sense from an physical perspective: if we see the phase randomisation as a process that shifts the phase randomly from the central value $\hat{\phi}_{d}$ , one can distinguish a shift by $\pi$ rad from a shift by $3\pi$ rad, the former being in principle more likely than the latter. However, note that, from the point of view of Eve, a pulse with a phase $\phi$ is indistinguishable from a pulse with a phase $\phi+2\pi$ , and so on. Thus, from the perspective of the security proof, the conditional PDF $f(\phi_{i}|\phi_{i-1})$ should be defined for $\phi_{i}\in[0,\,2\pi)$ only, and to compute the probability density on some point $\phi_{i}$ , one should sum the contributions that would fall on $\phi_{i}\pm 2\pi$ , $\phi_{i}\pm 4\pi$ , and so on. Thus, we have that, if the PDF of the physical phase difference between consecutive pulses is given by Eq. 81, the conditional PDF $f(\phi_{i}|\phi_{i-1})$ is given by

f(\phi_{i}|\phi_{i-1})=\sum_{k=-\infty}^{\infty}f_{\rm G}(\phi_{i}+2\pi k;\phi_{i-1}+\hat{\phi}_{d},\sigma)=f_{\rm WG}(\phi_{i};\phi_{i-1}+\hat{\phi}_{d},\sigma),

(84)

where $f_{\rm WG}$ is the PDF of a wrapped Gaussian distribution.

Ref. [20] implicitly assumes that the probability distribution of a given phase depends only on the value of the previous phase, i.e. $l_{c}=1$ , and the same implicit assumption is made in Ref. [21], indicating that this is believed to be a good approximation for many scenarios. Here, we show that, under this assumption, one can estimate the parameter $q$ needed to apply our security proof, which is defined as

\frac{q}{2\pi}=\min_{\phi_{i-1},\phi_{i},\phi_{i+1}}f(\phi_{i}|\phi_{i-1},\phi_{i+1}),

(85)

see Eq. 2. We have that

\begin{gathered}f(\phi_{i}|\phi_{i-1},\phi_{i+1})=\frac{f(\phi_{i-1},\phi_{i},\phi_{i+1})}{f(\phi_{i-1},\phi_{i+1})}=\frac{f(\phi_{i-1})f(\phi_{i}|\phi_{i-1})f(\phi_{i+1}|\phi_{i},\phi_{i-1})}{f(\phi_{i-1})f(\phi_{i+1}|\phi_{i-1})}\\ =\frac{f(\phi_{i}|\phi_{i-1})f(\phi_{i+1}|\phi_{i})}{f(\phi_{i+1}|\phi_{i-1})}=\frac{f_{\rm WG}(\phi_{i};\phi_{i-1}+\hat{\phi}_{d},\sigma)f_{\rm WG}(\phi_{i+1};\phi_{i}+\hat{\phi}_{d},\sigma)}{f(\phi_{i+1}|\phi_{i-1})},\end{gathered}

(86)

where in the second to last step we have used $f(\phi_{i+1}|\phi_{i},\phi_{i-1})=f(\phi_{i+1}|\phi_{i})$ due to $l_{c}=1$ , see Eq. 1; and in the last step we have used Eq. 84. The denominator in Eq. 86 satisfies

	$\displaystyle f(\phi_{i+1}\|\phi_{i-1})=\int_{0}^{2\pi}d\phi_{i}f(\phi_{i}\|\phi_{i-1})f(\phi_{i+1}\|\phi_{i},\phi_{i-1})$
	$\displaystyle=\int_{0}^{2\pi}d\phi_{i}f(\phi_{i}\|\phi_{i-1})f(\phi_{i+1}\|\phi_{i})=\int_{0}^{2\pi}d\phi_{i}f_{\rm WG}(\phi_{i};\phi_{i-1}+\hat{\phi}_{d},\sigma)f_{\rm WG}(\phi_{i+1};\phi_{i}+\hat{\phi}_{d},\sigma)$
	$\displaystyle\stackrel{{\scriptstyle(1)}}{{=}}\int_{0}^{2\pi}d\phi_{i}f_{\rm WG}(\phi_{i};\phi_{i-1}+\hat{\phi}_{d},\sigma)f_{\rm WG}(\phi_{i+1}-\hat{\phi}_{d};\phi_{i},\sigma)$
	$\displaystyle\stackrel{{\scriptstyle(2)}}{{=}}\int_{0}^{2\pi}d\phi_{i}f_{\rm WG}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)$
	$\displaystyle=\sum_{k=-\infty}^{\infty}\int_{0}^{2\pi}d\phi_{i}f_{\rm G}(\phi_{i}+2\pi k;\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)$
	$\displaystyle=\sum_{k=-\infty}^{\infty}\int_{0}^{2\pi}d\phi_{i}f_{\rm G}(\phi_{i}+2\pi k;\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1}-2\pi k;\phi_{i},\sigma)$
	$\displaystyle\stackrel{{\scriptstyle(3)}}{{=}}\sum_{k=-\infty}^{\infty}\int_{0}^{2\pi}d\phi_{i}f_{\rm G}(\phi_{i}+2\pi k;\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i}+2\pi k,\sigma)$		(87)
	$\displaystyle=\sum_{k=-\infty}^{\infty}\int_{2\pi k}^{2\pi(k+1)}d\phi_{i}f_{\rm G}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)$
	$\displaystyle=\int_{-\infty}^{\infty}d\phi_{i}f_{\rm G}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)$
	$\displaystyle=\sum_{k=-\infty}^{\infty}\int_{-\infty}^{\infty}d\phi_{i}f_{\rm G}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm G}(\phi^{\prime\prime}_{i+1}+2\pi k;\phi_{i},\sigma)$
	$\displaystyle=\sum_{k=-\infty}^{\infty}\int_{-\infty}^{\infty}d\phi_{i}f_{\rm G}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm G}(\phi^{\prime\prime}_{i+1}+2\pi k-\phi_{i};0,\sigma)$
	$\displaystyle\stackrel{{\scriptstyle(4)}}{{=}}\sum_{k=-\infty}^{\infty}f_{\rm G}(\phi^{\prime\prime}_{i+1}+2\pi k;\phi^{\prime}_{i-1},\sqrt{2}\sigma)$
	$\displaystyle=f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi^{\prime}_{i-1},\sqrt{2}\sigma),$

where in (1) and (3) we have used $f_{\rm WG}(x;\mu,\sigma)=f_{\rm WG}(x+a;\mu+a,\sigma)$ ; in (2) we have defined $\phi^{\prime}_{i-1}=\phi_{i-1}+\hat{\phi}_{d}$ and $\phi^{\prime\prime}_{i+1}=\phi_{i+1}-\hat{\phi}_{d}$ ; and in (4) we have used the fact that the convolution between two Gaussian PDFs $f_{G}(x,\mu_{1},\sigma_{1})$ and $f_{G}(x^{\prime},\mu_{2},\sigma_{2})$ is known to be

\int_{-\infty}^{\infty}d\tau f_{G}(\tau;\mu_{2},\sigma_{2})f_{G}(x-\tau;\mu_{1},\sigma_{1})=f_{G}\big{(}x;\mu_{1}+\mu_{2},\sqrt{\sigma_{1}^{2}+\sigma_{2}^{2}}\big{)}.

(88)

Substituting Eq. 87 in Eq. 86, we have that

f(\phi_{i}|\phi_{i-1},\phi_{i+1})=\frac{f_{\rm WG}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)}{f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi^{\prime}_{i-1},\sqrt{2}\sigma)},

(89)

where we have again used $f_{\rm WG}(x;\mu,\sigma)=f_{\rm WG}(x+a;\mu+a,\sigma)$ and the definition of $\phi^{\prime}_{i-1}$ and $\phi^{\prime\prime}_{i+1}$ . Finally, our desired parameter $q$ in Eq. 85 can be expressed as

\frac{q}{2\pi}=\min_{\phi_{i-1},\phi_{i},\phi_{i+1}}f(\phi_{i}|\phi_{i-1},\phi_{i+1})=\min_{\phi^{\prime}_{i-1},\phi_{i},\phi^{\prime\prime}_{i+1}}\frac{f_{\rm WG}(\phi_{i};\phi^{\prime}_{i-1},\sigma)f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi_{i},\sigma)}{f_{\rm WG}(\phi^{\prime\prime}_{i+1};\phi^{\prime}_{i-1},\sqrt{2}\sigma)}.

(90)

Ref. [21] has recently reported a fringe visibility of $V=0.0019$ for a practical decoy-state QKD source run at a repetition rate of 5 GHz. Using this value, from Eq. 83, we obtain $\sigma=3.54003$ . Substituting this in Eq. 90 and finding the exact minimum using Mathematica’s Minimize function, we obtain

q=0.992407.

(91)

The minimum occurs when $\phi_{i}=\phi^{\prime}_{i-1}\pm\pi$ and $\phi^{\prime\prime}_{i+1}=\phi^{\prime}_{i-1}$ .

APPENDIX E On the security analysis in Refs. [57, 26]

The security of decoy-state QKD with imperfect phase randomisation has also been recently investigated by Refs. [57, 26]. These works introduced novel and insightful ideas to approach the problem that have been indispensable in the development of our security proof. However, we believe that their overall security analysis contains an important flaw that invalidates its application in the presence of correlations. Here, we summarise the arguments of Refs. [57, 26] and point out what we believe to be the problem. We focus on Ref. [26], where the arguments are elaborated on in much more detail.

E.0.1 Argument

For simplicity, Ref. [26] considers a laser source that emits $N$ pulses with correlated phases and a fixed intensity $\mu$ , whose state is given by

\rho_{\rm laser}^{\mu}=\int d\phi_{1}\ldots d\phi_{N}f(\phi_{1}\ldots\phi_{N})\outerproduct*{\sqrt{\mu}e^{i\phi_{1}}}{\sqrt{\mu}e^{i\phi_{1}}}\otimes\ldots\otimes\outerproduct*{\sqrt{\mu}e^{i\phi_{N}}}{\sqrt{\mu}e^{i\phi_{N}}}.

(92)

One can express the probability distribution as

f(\phi_{1}\ldots\phi_{N})=f(\phi_{1})f(\phi_{2}|\phi_{1})\ldots f(\phi_{N}|\phi_{1}\ldots\phi_{N-1})

(93)

and consider the following bound

\frac{q}{2\pi}\leq\min_{i}\min_{\phi_{1}...\phi_{i}}f(\phi_{i}|\phi_{1}\ldots\phi_{i-1}).

(94)

The argument of Ref. [26] is that, instead of generating $\rho_{\rm laser}^{\mu}$ , Alice could have alternatively generated $N$ copies of the following model state

\rho_{\rm model}^{\mu}=q\,\rho_{\rm PR}^{\mu}+(1-q)\outerproduct{\sqrt{\mu}}{\sqrt{\mu}}

(95)

and then applied a map $\mathcal{E}$ that consists of “ $N$ phase shifters that shift the phase of the $i$ -th laser pulse by $\phi_{i}$ with probability [density] $\frac{f(\phi_{i}|\phi_{1}\ldots\phi_{i-1})-q/2\pi}{1-q}$ ”. In doing so, one obtains “a correlated state from an IID state by applying a map that is correlated; the action of the $i$ -th phase shifter depends on the action of all the ( $i-1$ ) phase shifters before it”. As a result, we have that

\rho_{\rm laser}^{\mu}=\mathcal{E}(\rho_{\rm model}^{\mu\,\otimes N}).

(96)

Importantly, this implies that, to prove the security, one can assume that Alice generates $\rho_{\rm model}^{\mu\,\otimes N}$ rather than $\rho_{\rm laser}^{\mu}$ , since the operation $\mathcal{E}$ can be assumed to be part of Eve’s attack.

E.0.2 Our interpretation of the argument and its problem

Given the phase probability distribution $f(\phi_{1}\ldots\phi_{N})$ , we have that, from the point of view of Eve, these phases could have been selected by Alice using a sequential process: she chooses $\phi_{1}$ according to the PDF $f(\phi_{1})$ , she chooses $\phi_{2}$ according to the conditional PDF $f(\phi_{2}|\phi_{1})$ , and so on, as indicated by Eq. 93. The assumption is that $f(\phi_{i}|\phi_{1}\ldots\phi_{i-1})\geq q/2\pi$ for some $q$ .

Alternatively, Alice could have decided the phase $\phi_{i}$ using the following equivalent process. She flips a biased coin $C_{i}$ that outputs $C_{i}=0$ with probability $q$ . If $C_{i}=0$ , Alice chooses $\phi_{i}^{\rm model}$ according to a uniform distribution on $[0,2\pi)$ . If $C_{i}=1$ , Alice chooses $\phi_{i}^{\rm model}=0$ . Then, Alice chooses $\phi_{i}^{\rm shift}$ according to the conditional PDF

f(\phi_{i}^{\rm shift}|\phi_{1}\ldots\phi_{i-1})=\frac{f(\phi_{i}|\phi_{1}\ldots\phi_{i-1})-q/2\pi}{1-q}.

(97)

Finally, Alice sets $\phi_{i}=\phi_{i}^{\rm model}+\phi_{i}^{\rm shift}$ .

The argument of Ref. [26] seems to be that, since $\phi_{i}^{\rm model}$ is chosen uniformly randomly with probability $q$ , and $\phi_{i}^{\rm model}=0$ with probability $1-q$ , the above process is equivalent to assuming that Alice first generates the state given by Eq. 95 for each of the rounds, and then shifts the phase of the $i$ -th pulse by $\phi_{i}^{\rm shift}$ , according to the conditional PDF in Eq. 97. The action of the combined phase shifts $\phi_{1}^{\rm shift}...\phi_{N}^{\rm shift}$ can be represented as an overall global quantum operation $\mathcal{E}$ , and thus Eq. 96 holds.

However, we believe this argument has the following flaw. In order to apply the $i$ -th phase shift according to the conditional PDF in Eq. 97, one needs to know the previous overall phases $\phi_{1}...\phi_{i-1}$ . These depend not only on the previous $i-1$ phase shifts $\phi_{1}^{\rm shift}...\phi_{i-1}^{\rm shift}$ , but also on the previous $i-1$ model phases $\phi_{1}^{\rm model}...\phi_{i-1}^{\rm model}$ . In the scenario in which Alice simply generates $\rho_{\rm model}^{\mu}$ for each of the rounds, the value of $\phi_{1}^{\rm model}...\phi_{i-1}^{\rm model}$ cannot be perfectly retrieved from the first $(i-1)$ copies of this state, since two coherent states with different phases are not orthogonal, and therefore not perfectly distinguishable. This seems to imply that the operation $\mathcal{E}$ in Eq. 96 does not exist in general.

In contrast, the operation $\mathcal{E}_{w}$ , which is needed in our security proof, is shown to exist in the main text. Importantly, unlike $\mathcal{E}$ in Eq. 96, Eve only needs to know the probability density function $f(\phi_{1}...\phi_{N})$ to apply $\mathcal{E}_{w}$ . She does not need to perform any measurement on the signals emitted by Alice.

E.0.3 Information about the $i$ -th phase is leaked into the following pulses

In addition to the above, the idea of relating how close the $i$ -th pulse is to a perfect PR-WCP by lower bounding the PDF of the $i$ -th phase conditioned on the previous phases seems to have a fundamental problem. Namely, it does not take into account that, in the presence of phase correlations, information about the $i$ -th phase is leaked into the following pulses. To demonstrate this, we show an example in which, using this idea, one could conclude that half of the emissions are perfect PR-WCPs, when this is clearly not the case.

More specifically, as discussed above, the argument of Ref. [26] is that, if for some round $i$ one can obtain a bound

\frac{q_{i}}{2\pi}\leq\min_{\phi_{1}...\phi_{i}}f(\phi_{i}|\phi_{1}\ldots\phi_{i-1}),

(98)

then one could substitute the $i$ -th pulse by the generation of the state

\rho_{\rm model}^{\mu,(i)}=q_{i}\,\rho_{\rm PR}^{\mu}+(1-q_{i})\outerproduct{\sqrt{\mu}}{\sqrt{\mu}},

(99)

followed by a phase shift such that the $i$ -th emitted pulse ends up being identical as in the original scenario. To prove the security, it is useful to consider that the emitted state is the same for all rounds. Thus, Ref. [26] considers instead the bound

q\coloneqq\min_{i}q_{i}.

(100)

and assumes that all emissions are replaced by the generation of the same IID state given by Eq. 95 followed by the appropriate phase shift operation for each pulse.

Now, let us consider a scenario in which Alice has a special source such that:

1.

if $i$ is odd, the emitted pulse has a uniformly distributed phase that is independent of the phases of all previous pulses;
2.

if $i$ is even, the emitted pulse has a phase that is identical to that of the previous odd pulse.

For this scenario, we have that: (1) if $i$ is odd, $q_{i}=1$ and (2) if $i$ is even, $q_{i}=0$ . Thus, the replacement in Eqs. 100 and 95 cannot be directly used to prove the security of this case, since $q=0$ . However, we could instead consider the security of the odd and even pulses separately. Using the argument in Eqs. 98 and 99, we could assume that, in the odd rounds, Alice prepares the PR-WCP

\rho_{\rm model}^{\mu,\textrm{odd}}=\rho_{\rm PR}^{\mu};

(101)

and in the even rounds, she prepares $\rho_{\rm model}^{\mu,\textrm{even}}=\outerproduct*{\sqrt{\mu}}{\sqrt{\mu}}$ . Then, we could simply discard all data obtained in the even rounds, and apply the standard decoy-state method to the data obtained in the odd rounds. In doing so, we could conclude that the secret-key rate obtainable using this source would be half of that obtainable using a source that produces perfect PR-WCPs in all rounds.

However, the argument above has a crucial flaw: it does not take into account the fact that information about the phase of a given odd pulse $i$ is leaked into the following even pulse, and that Eve could in principle learn some of this information and use it to attack the $i$ -th pulse. Thus, from Eve’s point of view, the $i$ -th pulse is not necessarily a PR-WCP even if its distribution is uniform when conditioned on all the previous (but not following) phases. This invalidates the argument in Eqs. 98 and 99, which seems to be at the core of the approach in Ref. [26].

Note that leaked information about the $i$ -th phase is only useful to Eve if she can actually use it to alter the detection statistics of the $i$ -th pulse. To prevent Eve from doing so, one option could be to run the protocol very slowly, such that Alice only emits the ( $i+1$ )-th pulse once Bob has finished his measurement of the $i$ -th pulse. It could be possible that the security bounds derived in Ref. [26] are correct for this scenario. However, if the protocol is run very slowly, one does not expect that it will suffer from phase correlations, since these are mainly a problem in high-speed QKD systems.

References

Lo et al. [2014] H.-K. Lo, M. Curty, and K. Tamaki, Secure quantum key distribution, Nature Photon 8, 595 (2014).
Xu et al. [2020] F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, Secure quantum key distribution with realistic devices, Rev. Mod. Phys. 92, 025002 (2020).
Shor and Preskill [2000] P. W. Shor and J. Preskill, Simple Proof of Security of the BB84 Quantum Key Distribution Protocol, Phys. Rev. Lett. 85, 441 (2000).
Mayers [1996] D. Mayers, Quantum key distribution and string oblivious transfer in noisy channels, in Adv. Cryptol. — CRYPTO 96, edited by N. Koblitz (Springer Berlin Heidelberg, Berlin, Heidelberg, 1996) pp. 343–357.
Bennett and Brassard [1984] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proc. IEEE Int. Conf. Comput. Syst. Signal Process. (1984) pp. 175–179.
Brassard et al. [2000] G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, Limitations on Practical Quantum Cryptography, Phys. Rev. Lett. 85, 1330 (2000).
Dušek et al. [2000] M. Dušek, M. Jahma, and N. Lütkenhaus, Unambiguous state discrimination in quantum cryptography with weak coherent states, Phys. Rev. A 62, 022306 (2000).
Gottesman et al. [2004] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Security of quantum key distribution with imperfect devices, Quantum Inf. Comput. 4, 325 (2004).
Lo and Preskill [2007] H.-K. Lo and J. Preskill, Security of quantum key distribution using weak coherent states with nonrandom phases, Quantum Inf. Comput. 7, 431 (2007).
Hwang [2003] W.-Y. Hwang, Quantum key distribution with high loss: Toward global secure communication, Phys. Rev. Lett. 91, 057901 (2003).
Lo et al. [2005] H.-K. Lo, X. Ma, and K. Chen, Decoy State Quantum Key Distribution, Phys. Rev. Lett. 94, 230504 (2005).
Wang [2005] X.-B. Wang, Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography, Phys. Rev. Lett. 94, 230503 (2005).
Ma et al. [2005] X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Practical decoy state for quantum key distribution, Phys. Rev. A 72, 012326 (2005).
Lim et al. [2014] C. C. W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, Concise security bounds for practical decoy-state quantum key distribution, Phys. Rev. A 89, 022307 (2014).
Yuan et al. [2007] Z. L. Yuan, A. W. Sharpe, and A. J. Shields, Unconditionally secure one-way quantum key distribution using decoy pulses, Appl. Phys. Lett. 90, 011118 (2007).
Dixon et al. [2008] A. R. Dixon, Z. L. Yuan, J. F. Dynes, A. W. Sharpe, and A. J. Shields, Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate, Opt. Express 16, 18790 (2008).
Liu et al. [2010] Y. Liu, T.-Y. Chen, J. Wang, W.-Q. Cai, X. Wan, L.-K. Chen, J.-H. Wang, S.-B. Liu, H. Liang, L. Yang, C.-Z. Peng, K. Chen, Z.-B. Chen, and J.-W. Pan, Decoy-state quantum key distribution with polarized photons over 200 km, Opt. Express 18, 8587 (2010).
Lucamarini et al. [2013] M. Lucamarini, K. A. Patel, J. F. Dynes, B. Fröhlich, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, R. V. Penty, and A. J. Shields, Efficient decoy-state quantum key distribution with quantified security, Opt. Express 21, 24550 (2013).
Boaron et al. [2018] A. Boaron, G. Boso, D. Rusca, C. Vulliez, C. Autebert, M. Caloz, M. Perrenoud, G. Gras, F. Bussières, M.-J. Li, D. Nolan, A. Martin, and H. Zbinden, Secure Quantum Key Distribution over 421 km of Optical Fiber, Phys. Rev. Lett. 121, 190502 (2018).
Kobayashi et al. [2014] T. Kobayashi, A. Tomita, and A. Okamoto, Evaluation of the phase randomness of a light source in quantum-key-distribution systems with an attenuated laser, Phys. Rev. A 90, 032320 (2014).
Grünenfelder et al. [2020] F. Grünenfelder, A. Boaron, D. Rusca, A. Martin, and H. Zbinden, Performance and security of 5 GHz repetition rate polarization-based quantum key distribution, Appl. Phys. Lett. 117, 144003 (2020).
Zhao et al. [2007] Y. Zhao, B. Qi, and H.-K. Lo, Experimental quantum key distribution with active phase randomization, Appl. Phys. Lett. 90, 044106 (2007).
Cao et al. [2015] Z. Cao, Z. Zhang, H.-K. Lo, and X. Ma, Discrete-phase-randomized coherent state source and its application in quantum key distribution, New J. Phys. 17, 053014 (2015).
Currás-Lorenzo et al. [2021] G. Currás-Lorenzo, L. Wooltorton, and M. Razavi, Twin-Field Quantum Key Distribution with Fully Discrete Phase Randomization, Phys. Rev. Applied 15, 014016 (2021).
Sun et al. [2015] S.-H. Sun, F. Xu, M.-S. Jiang, X.-C. Ma, H.-K. Lo, and L.-M. Liang, Effect of source tampering in the security of quantum cryptography, Phys. Rev. A 92, 022304 (2015).
Nahar [2022] S. Nahar, Decoy-State Quantum Key Distribution with Arbitrary Phase Mixtures and Phase Correlations, Master’s thesis, University of Waterloo (2022).
Nahar et al. [2023] S. Nahar, T. Upadhyaya, and N. Lütkenhaus, Imperfect Phase-Randomisation and Generalised Decoy-State Quantum Key Distribution (2023), arxiv:2304.09401 [quant-ph] .
Wang et al. [2008] X.-B. Wang, C.-Z. Peng, J. Zhang, L. Yang, and J.-W. Pan, General theory of decoy-state quantum cryptography with source errors, Phys. Rev. A 77, 042311 (2008).
Pereira et al. [2020] M. Pereira, G. Kato, A. Mizutani, M. Curty, and K. Tamaki, Quantum key distribution with correlated sources, Sci. Adv. 6, eaaz4487 (2020).
Zapatero et al. [2021] V. Zapatero, Á. Navarrete, K. Tamaki, and M. Curty, Security of quantum key distribution with intensity correlations, Quantum 5, 602 (2021).
Sixto et al. [2022] X. Sixto, V. Zapatero, and M. Curty, Security of Decoy-State Quantum Key Distribution with Correlated Intensity Fluctuations, Phys. Rev. Applied 18, 044069 (2022).
Tamaki et al. [2016] K. Tamaki, M. Curty, and M. Lucamarini, Decoy-state quantum key distribution with a leaky source, New J. Phys. 18, 065008 (2016).
Wang et al. [2018] W. Wang, K. Tamaki, and M. Curty, Finite-key security analysis for quantum key distribution with leaky sources, New J. Phys. 20, 083027 (2018).
Wang et al. [2021] W. Wang, K. Tamaki, and M. Curty, Measurement-device-independent quantum key distribution with leaky sources, Sci Rep 11, 1678 (2021).
Mizutani et al. [2019] A. Mizutani, G. Kato, K. Azuma, M. Curty, R. Ikuta, T. Yamamoto, N. Imoto, H.-K. Lo, and K. Tamaki, Quantum key distribution with setting-choice-independently correlated light sources, Npj Quantum Inf. 5, 8 (2019).
Yoshino et al. [2018] K.-i. Yoshino, M. Fujiwara, K. Nakata, T. Sumiya, T. Sasaki, M. Takeoka, M. Sasaki, A. Tajima, M. Koashi, and A. Tomita, Quantum key distribution with an efficient countermeasure against correlated intensity fluctuations in optical pulses, npj Quantum Inf 4, 1 (2018).
Pereira et al. [2019] M. Pereira, M. Curty, and K. Tamaki, Quantum key distribution with flawed and leaky sources, npj Quantum Inf 5, 62 (2019).
Navarrete et al. [2021] Á. Navarrete, M. Pereira, M. Curty, and K. Tamaki, Practical Quantum Key Distribution That is Secure Against Side Channels, Phys. Rev. Applied 15, 034072 (2021).
Navarrete and Curty [2022] Á. Navarrete and M. Curty, Improved finite-key security analysis of quantum key distribution against Trojan-horse attacks, Quantum Sci. Technol. 7, 035021 (2022).
Fung et al. [2009] C.-H. F. Fung, K. Tamaki, B. Qi, H.-K. Lo, and X. Ma, Security proof of quantum key distribution with detection efficiency mismatch, Quantum Inf. Comput. 9, 131 (2009).
Zhang et al. [2021] Y. Zhang, P. J. Coles, A. Winick, J. Lin, and N. Lütkenhaus, Security proof of practical quantum key distribution with detection-efficiency mismatch, Phys. Rev. Research 3, 013076 (2021).
Jiang et al. [2023] C. Jiang, Z.-W. Yu, X.-L. Hu, and X.-B. Wang, Robust twin-field quantum key distribution through sending or not sending, National Science Review 10, nwac186 (2023).
Mizutani and Kato [2021] A. Mizutani and G. Kato, Security of round-robin differential-phase-shift quantum-key-distribution protocol with correlated light sources, Phys. Rev. A 104, 062611 (2021).
Coles et al. [2016] P. J. Coles, E. M. Metodiev, and N. Lütkenhaus, Numerical approach for unstructured quantum key distribution, Nat Commun 7, 11712 (2016).
Winick et al. [2018] A. Winick, N. Lütkenhaus, and P. J. Coles, Reliable numerical key rates for quantum key distribution, Quantum 2, 77 (2018).
Primaatmaja et al. [2019] I. W. Primaatmaja, E. Lavie, K. T. Goh, C. Wang, and C. C. W. Lim, Versatile security analysis of measurement-device-independent quantum key distribution, Phys. Rev. A 99, 062332 (2019).
Bunandar et al. [2020] D. Bunandar, L. C. G. Govia, H. Krovi, and D. Englund, Numerical finite-key analysis of quantum key distribution, npj Quantum Inf 6, 1 (2020).
George et al. [2021] I. George, J. Lin, and N. Lütkenhaus, Numerical calculations of the finite key rate for general quantum key distribution protocols, Phys. Rev. Research 3, 013274 (2021).
Zhou et al. [2022] H. Zhou, T. Sasaki, and M. Koashi, Numerical method for finite-size security analysis of quantum key distribution, Phys. Rev. Res. 4, 033126 (2022).
Upadhyaya et al. [2021] T. Upadhyaya, T. van Himbeeck, J. Lin, and N. Lütkenhaus, Dimension Reduction in Quantum Key Distribution for Continuous- and Discrete-Variable Protocols, PRX Quantum 2, 020325 (2021).
Koashi [2009] M. Koashi, Simple security proof of quantum key distribution based on complementarity, New J. Phys. 11, 045018 (2009).
Boileau et al. [2005] J.-C. Boileau, K. Tamaki, J. Batuwantudawe, R. Laflamme, and J. M. Renes, Unconditional Security of a Three State Quantum Key Distribution Protocol, Phys. Rev. Lett. 94, 040503 (2005).
Tamaki et al. [2014] K. Tamaki, M. Curty, G. Kato, H.-K. Lo, and K. Azuma, Loss-tolerant quantum cryptography with imperfect sources, Phys. Rev. A 90, 052314 (2014).
Lo et al. [2012] H.-K. Lo, M. Curty, and B. Qi, Measurement-Device-Independent Quantum Key Distribution, Phys. Rev. Lett. 108, 130503 (2012).
Dunjko et al. [2012] V. Dunjko, E. Kashefi, and A. Leverrier, Blind Quantum Computing with Weak Coherent Pulses, Phys. Rev. Lett. 108, 200502 (2012).
Pappa et al. [2014] A. Pappa, P. Jouguet, T. Lawson, A. Chailloux, M. Legré, P. Trinkler, I. Kerenidis, and E. Diamanti, Experimental plug and play quantum coin flipping, Nat Commun 5, 3717 (2014).
Nahar and Lütkenhaus [2021] S. Nahar and N. Lütkenhaus, Quantum key distribution with characterized source defects, in Poster presented at the 11th International Conference on Quantum Cryptography (QCRYPT) (2021).
Renner [2007] R. Renner, Symmetry of large physical systems implies independence of subsystems, Nature Phys 3, 645 (2007).
Renner and Cirac [2009] R. Renner and J. I. Cirac, De Finetti Representation Theorem for Infinite-Dimensional Quantum Systems and Applications to Quantum Cryptography, Phys. Rev. Lett. 102, 110504 (2009).
Nielsen and Chuang [2011] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th ed. (Cambridge University Press, USA, 2011).
Uhlmann [1976] A. Uhlmann, The “transition probability” in the state space of a *-algebra, Rep. Math. Phys. 9, 273 (1976).