Tight finite-key analysis for mode-pairing quantum key distribution

Ze-Hao Wang Zhen-Qiang Yin [email protected] Shuang Wang [email protected] CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, Anhui 230026, China CAS Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China Hefei National Laboratory, University of Science and Technology of China, Hefei 230088, China Rong Wang Department of Physics, University of Hong Kong, Pokfulam Road, Hong Kong SAR, China Feng-Yu Lu Wei Chen De-Yong He Guang-Can Guo Zheng-Fu Han CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, Anhui 230026, China CAS Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China Hefei National Laboratory, University of Science and Technology of China, Hefei 230088, China

Abstract

Mode-pairing quantum key distribution (MP-QKD) is a potential protocol that is not only immune to all possible detector side channel attacks, but also breaks the repeaterless rate-transmittance bound without needing global phase locking. Here we analyze the finite-key effect for the MP-QKD protocol with rigorous security proof against general attacks. Moreover, we propose a six-state MP-QKD protocol and analyze its finite-key effect. The results show that the original protocol can break the repeaterless rate-transmittance bound with a typical finite number of pulses in practice. And our six-state protocol can improve the secret key rate significantly in long distance cases.

INTRODUCTION

Quantum key distribution (QKD) Bennett and Brassard (1984); Ekert (1991), whose security is guaranteed by the physical law of quantum mechanics, can share private keys between two authorized partners, Alice and Bob. Such keys can encrypt further communications between Alice and Bob by combining the one-time pad, which has been proven to be information-theoretically secure Shannon (1949); Molotkov (2006).

However, in practical implementations, the imperfections of practical equipments will create some security loopholes. An eavesdropper, Eve, can steal key information without introducing any signal disturbance by taking advantage of these loopholes. A close examination of hacking strategies indicates that most loopholes exist in the detection part of QKD systems Makarov et al. (2006); Zhao et al. (2008); Fung et al. (2007); Xu et al. (2010); Lydersen et al. (2010); Gerhardt et al. (2011); Qian et al. (2018); Wei et al. (2019). Considering this situation, measurement-device-independent QKD (MDI-QKD) Lo et al. (2012) (see also Braunstein and Pirandola (2012)) protocol is proposed, which can remove all loopholes on the vulnerable detection side. Various theory improvements Ma and Razavi (2012); Yu et al. (2013); Xu et al. (2014); Curty et al. (2014); Yin et al. (2014a, b); Yu et al. (2015); Wang and Wang (2014); Zhou et al. (2016); Lu et al. (2020); Hu et al. (2021); Jiang et al. (2021); Lu et al. (2022) and experiments Liu et al. (2013); Wang et al. (2015); Yin et al. (2016); Comandar et al. (2016); Wang et al. (2017); Fan-Yuan et al. (2022) are achieved in recent years.

Besides the security, high performance and long transmission distance are the eternal pursuits in the research of QKD. However, because of the inevitable transmission loss in the channel, the MDI-QKD and the other QKD protocols which are point-to-point schemes are upper bounded by the secret key capacity of repeaterless QKD Pirandola et al. (2009); Takeoka et al. (2014); Pirandola et al. (2017). The PLOB (Pirandola, Laurenza, Ottaviani, and Banchi) bound Pirandola et al. (2017), for example, restricts the secret key rate $R\leq-\log_{2}(1-\eta)$ , where $\eta$ is the total channel transmittance between Alice and Bob. This bound is approximately a linear function of $\eta$ , $R\sim O(\eta)$ . For breaking this restriction, an interesting work named twin-field QKD (TF-QKD) was proposed Lucamarini et al. (2018), whose secret key rate $R\sim O(\sqrt{\eta})$ . Moreover, it is an MDI-like protocol that is immune to all detection attacks. Subsequently, many variants of TF-QKD are proposed Ma et al. (2018); Wang et al. (2018); Curty et al. (2019); Cui et al. (2019); Wang et al. (2020), such as sending-or-not-sending QKD (SNS-QKD) Wang et al. (2018), phase-matching QKD (PM-QKD) Ma et al. (2018) and no phase post-selection QKD (NPP-QKD) Cui et al. (2019). Because of their high performance, they have attracted much attention and remarkable progress has been made not just in the theory Maeda et al. (2019); Jiang et al. (2019); Lu et al. (2019); Xu et al. (2020); Zeng et al. (2020); Currás-Lorenzo et al. (2021), but also in the experimental implementations Minder et al. (2019); Zhong et al. (2019); Wang et al. (2019); Liu et al. (2019); Fang et al. (2020); Chen et al. (2020); Liu et al. (2021); Chen et al. (2021); Clivati et al. (2022); Pittaluga et al. (2021); Chen et al. (2022); Wang et al. (2022). However, because TF-type QKD depends on stable interference between coherent states, phase-tracking is needed for compensating the phase fluctuation on the channels while phase-locking is needed for locking the frequency and phase of Alice and Bob’s lasers. These challenging techniques significantly increase the complexity of experimental systems and may bring extra noise.

Recently, two works named asynchronous-MDI-QKD Xie et al. (2022) and mode-pairing QKD (MP-QKD) Zeng et al. (2022) are proposed almost simultaneously. Surprisingly, while their quantum state preparation and measurement are almost the same as the time-bin-phase coding MDI-QKD Ma and Razavi (2012), the key rate can be increased dramatically just by defining the key bit differently in post processing step. As a result, beating the PLOB bound becomes possible even without the help of phase-locking and phase-tracking.

For ease of understanding, let’s review the MP-QKD in a simple way. Similar with the time-bin-phase coding MDI-QKD Ma and Razavi (2012), in each round, Alice and Bob send weak coherent pulses with different intensities and phases to Charlie. Then, after Charlie announces each round leads to a single click or not by his interference measurement, Alice and Bob may pair two clicked pulses to a key generation event provided the timing interval of the two paired pulses is smaller than the coherent time of the lasers. Note that this pairing step is missing in the time-bin-phase coding MDI-QKD Ma and Razavi (2012), where only two adjacent and clicked optical pulses, i.e. coincidence detection, can be used to generate key bit, thus its key rate must be proportional to the channel transmittance $\eta$ . Indeed, this subtle pairing strategy leads to a dramatic increment of the key rate.

Although an elegant security proof for MP-QKD has been given in Ref. Zeng et al. (2022), its security and performance in non-asymptotic situations are still unknown. Here, we show a finite-key analysis of the MP-QKD protocol. Our analysis applies to coherent attack and satisfies the definition of composable security, namely the secret keys are perfect keys except a failure probability no larger than $\varepsilon_{\rm{\rm{tol}}}$ . It’s confirmed that PLOB bound can be surpassed in MP-QKD with a moderate number of optical pulses, typically $10^{13}$ . Moreover, we propose a six-state MP-QKD protocol that can improve the secret key rate, and show its performance in the finite-key regions. Our results can be directly applied in future practical experiments of MP-QKD.

RESULTS

Original protocol

Here we consider a three-intensity decoy-state scheme Zeng et al. (2022). In this scheme, Alice randomly sends the phase-randomized coherent pulses to Charlie. The intensities of the pulses are chosen from $\{\mu_{a},\nu_{a},o\}$ $(\mu_{a}>\nu_{a}>o=0)$ with probabilities $p_{\mu_{a}}$ , $p_{\nu_{a}}$ and $p_{o}$ , respectively. Bob takes a similar operation to distribute the pulses. According to the effective detection events announced by Charlie, Alice and Bob take the postprocessing to obtain the secret keys. The schematic diagram is illustrated in Fig. 1. And a detailed description of the scheme is presented as follows.

Refer to caption — Figure 1: Schematic diagram of the MP-QKD protocol. Alice (Bob) prepares weak coherent pulses with random intensities chosen from $\{\mu_{a},\nu_{a},o\}$ ( $\{\mu_{b},\nu_{b},o\}$ ) and random phases $\theta^{i}_{a}\in[0,2\pi)$ ( $\theta^{i}_{b}\in[0,2\pi)$ ), then they send them to an untrusted measurement site, Charlie. According to the effective detection events announced by Charlie, Alice and Bob take the postprocessing to obtain the secret keys. IM, intensity modulation; PM, phase modulation; BS, beam splitter.

1.State preparation. The first two steps are repeated by Alice and Bob for $N$ rounds to obtain sufficient data. In the $i$ -th round ( $i\in$ $\{1,2,...,N\}$ ), Alice prepares a coherent state $|\sqrt{k^{i}_{a}}\exp({\rm{i}}\theta^{i}_{a})\rangle$ with probability $p_{k_{a}}$ , where the intensity $k^{i}_{a}$ is chosen randomly from the set $\{\mu_{a},\nu_{a},o\}$ ( $\mu_{a}>\nu_{a}>o=0$ ) and the phase $\theta^{i}_{a}$ is chosen uniformly from $[0,2\pi)$ . Similarly, Bob chooses $k^{i}_{b}$ and $\theta^{i}_{b}$ then prepares a weak coherent state $|\sqrt{k^{i}_{b}}\exp({\rm{i}}\theta^{i}_{b})\rangle$ .

2.Measurement. Alice and Bob send two pulses $|\sqrt{k^{i}_{a}}\exp({\rm{i}}\theta^{i}_{a})\rangle$ and $|\sqrt{k^{i}_{b}}\exp({\rm{i}}\theta^{i}_{b})\rangle$ to Charlie for interference measurement. After the measurement, Charlie announces the detection results of detectors L and R. If only detector L or R clicks, $C^{i}=1$ . And $C^{i}=0$ for the other cases.

3.Mode pairing. For all rounds with effective detection ( $C^{i}=1$ ), Alice and Bob employ a strategy to group two effective detection events as a pair. The specific pairing strategy is shown as follows:

Considering that when the time interval between adjacent pulses becomes too large, the key information suffers from phase fluctuation. Alice and Bob define a maximal pairing interval $l$ before the pairing, which denotes the maximal interval pulse number in an effective event pair. $l$ can be estimated by multiplying the laser coherence time by the system repetition rate in practically. Alice (Bob) calculates the interval between the first and second effective detection event. If the interval is less than or equal to $l$ , she (he) records an effective event pair $P_{a(b)}^{i_{1},j_{1}}=\{k^{i_{1}}_{a(b)},k^{j_{1}}_{a(b)},\theta^{i_{1}}_{a(b)},\theta^{j_{1}}_{a(b)}\}$ , where $i_{1}$ and $j_{1}$ are the round numbers of the first and the second effective detection event, then considers the interval between the third and the fourth effective detection event. Otherwise, the first effective detection event is dropped, then she (he) considers the interval between the second and the third. Until the last effective detection event, she (he) completes the mode pairing. A flow chart of Alice’s pairing strategy is presented in Fig. 2.

4.Basis sifting. Based on the intensities of two grouped rounds, Alice (Bob) labels the ’basis’ of each $P_{a(b)}^{i,j}$ as:

(a) $Z$ -basis: if one of the intensities $k^{i}_{a(b)}$ and $k^{j}_{a(b)}$ is 0 and the other is nonzero;

(b) $X$ -basis: if $k^{i}_{a(b)}=k^{j}_{a(b)}\neq 0$ ;

(d) ’discard’: if $0\neq k^{i}_{a(b)}\neq k^{j}_{a(b)}\neq 0$ .

Table 1: Alice and Bob’s bases assignment.

	$\mu_{a(b)}$	$\nu_{a(b)}$	$o$
$\mu_{a(b)}$	$X$ -basis	’discard’	$Z$ -basis
$\nu_{a(b)}$	’discard’	$X$ -basis	$Z$ -basis
$o$	$Z$ -basis	$Z$ -basis	’0’-basis

	$Z$ -basis	$X$ -basis	’0’-basis
$Z$ -basis	$Z$ -pair	’discard’	$Z$ -pair
$X$ -basis	’discard’	$X$ -pair	$X$ -pair
’0’-basis	$Z$ -pair	$X$ -pair	’0’-pair

	$r_{a}=0,r_{b}=0$	$r_{a}=1,r_{b}=1$
	$r_{b}$	$\kappa_{b}$	$r_{b}$	$\kappa_{b}$
$\|\delta_{a}-\delta_{b}\|\leq\Delta$	no	no	no	no
	$r_{a}=0,r_{b}=1$	$r_{a}=1,r_{b}=0$
	$r_{b}$	$\kappa_{b}$	$r_{b}$	$\kappa_{b}$
$\delta_{b}-\delta_{a}\geq\pi/2-\Delta$	flip	flip	flip	no
$\delta_{a}-\delta_{b}\geq\pi/2-\Delta$	flip	no	flip	flip

$p_{d}$	$\eta_{d}$	$\alpha$	$f$	$\varepsilon_{\rm{tol}}$	$e_{d}^{Z}$	$e_{d}^{X}$
$1\times 10^{-8}$	$70\%$	$0.2$	$1.1$	$1\times 10^{-10}$	$0.5\%$	$5\%$

Supplemental Note A: Security analysis

Outline of the proof

For ease of understanding, we show the outline of our proof first, which can show the core of this analysis. Let’s assume $\rho_{AB}$ is a two-particle system, where $A$ and $B$ are controlled by Alice and Bob respectively. $A$ is spanned by two-qubit states $|01\rangle_{A}$ and $|01\rangle_{A}$ . $B$ is defined similarly. Let’s further define unitary operation $U^{\delta_{a}}_{A}|01\rangle_{A}=|01\rangle_{A}$ , $U^{\delta_{a}}_{A}|10\rangle_{A}=e^{i\delta_{a}}|10\rangle_{A}$ . $U^{\delta_{b}}_{B}$ is for qubit $B$ and defined analogously with $U^{\delta_{a}}_{A}$ . Then we consider a protocol, in which Alice and Bob make Z-basis measurement on A and B to form key bit $Z_{A}$ and $Z_{B}$ after Alice and Bob applying $U^{\delta_{a}}_{A}$ and $U^{\delta_{b}}_{B}$ with probability mass function $p(\delta_{a},\delta_{b})$ . This is equivalent to saying that $\rho^{\prime}_{AB}=\int_{\delta_{a}}\int_{\delta_{b}}{\rm{d}\delta_{a}\rm{d}\delta_{b}}p(\delta_{a},\delta_{b})U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\rho_{AB}U^{-\delta_{b}}_{B}U^{-\delta_{a}}_{A}$ are considered as their system. To evaluate the conditional entropy $H(Z_{A}|E)$ in which $E$ is ancilla of Eve, it’s of course that we can consider $Z_{A}$ is the outcome of Z-basis measurement on $\rho_{AB}$ rather than $\rho^{\prime}_{AB}$ . This is because the phases $\delta_{a}$ and $\delta_{b}$ have no physical effects on the $Z_{A}$ and $E$ , the details are shown in the specific proof. In this view, we can just consider $\rho_{AB}$ , and ignore the phases $\delta_{a}$ and $\delta_{b}$ if we only want to characterize $H(Z_{A}|E)$ . Noting that the conjugate $X$ -basis measurement is also made on $\rho_{AB}$ now. It’s well known that $H(Z_{A}|E)$ can be bounded by $1-H(X_{A}|X_{B})$ , where $X_{A}$ and $X_{B}$ is the outcome of X-basis ( $\frac{|0\rangle+|1\rangle}{\sqrt{2}}$ , $\frac{|0\rangle-|1\rangle}{\sqrt{2}}$ ) measurement on $\rho_{AB}$ and the error rate between $X_{A}$ and $X_{B}$ is called phase error rate.

Nevertheless, we can go further by following the logic in last paragraph. It’s not restricted to assume $Z_{A}$ is measured on $\rho^{\prime\prime}_{AB}=\int_{\delta_{a}}\int_{\delta_{b}}q(\delta_{a},\delta_{b})U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\rho_{AB}U^{-\delta_{b}}_{B}U^{-\delta_{a}}_{A}$ rather than ${\rho_{AB}}$ , and phase error rate is of course defined to $\rho^{\prime\prime}_{AB}$ accordingly. Here, $q(\delta_{a},\delta_{b})$ is another probability mass function, which we can define to make it related to an experimentally observable value. The key point here is that $q(\delta_{a},\delta_{b})$ can be adjusted as we wish, since any $q(\delta_{a},\delta_{b})$ makes no difference for the Z-basis measurement. The freedom of defining $q(\delta_{a},\delta_{b})$ can help us list variant expressions of phase error rate, and then find appropriate one in some particular protocol.

Further, let’s apply above considerations in MP-QKD protocol. $\rho_{AA^{\prime}BB^{\prime}}$ is a compound system for two adjacent rounds with successful detections i-th and j-th. $A$ is spanned by two-qubit states $|00\rangle_{A}$ , $|01\rangle_{A}$ , $|10\rangle_{A}$ and $|11\rangle_{A}$ . $B$ is defined similarly. $A^{\prime}$ and $B^{\prime}$ are quantum registers recording the phases $\delta_{a}$ and $\delta_{b}$ . Alice and Bob first measure $AB$ to decide if they are both in the Hilbert space spanned by $|01\rangle$ and $|10\rangle$ . If so, this pair is a Z-pair and Z-basis measurement is followed to form key bit. We are interested in the phase error rate of a Z-pair, which are defined by the outcome of hypothetical X-basis ( $\frac{|0\rangle+|1\rangle}{\sqrt{2}}$ , $\frac{|0\rangle-|1\rangle}{\sqrt{2}}$ ) measurement on a Z-pair. Noting that following the logic in last paragraphs, we have the freedom to redefine the distribution $q(\delta_{a},\delta_{b})$ of $|\delta_{a}\rangle_{A^{\prime}}$ and $|\delta_{b}\rangle_{B^{\prime}}$ in $\rho_{AA^{\prime}BB^{\prime}}$ to find some appropriate expression of phase error rate. If Alice and Bob find $AB$ are both $|11\rangle$ , then also $|\delta_{a}-\delta_{b}|<\Delta$ or $|\delta_{a}-\delta_{b}|>\pi-\Delta$ holds by measuring $A^{\prime}$ and $B^{\prime}$ , this pair is an X-pair. Then Alice and Bob will calculate the bit error rate of this X-pair following some instructions. We proved that: 1. the ratio of probabilities for a pair happening to be a Z-pair or X-pair is fixed and cannot be affected by Eve; 2. By setting $q(\delta_{a},\delta_{b})$ satisfying $|\delta_{a}-\delta_{b}|<\Delta$ or $|\delta_{a}-\delta_{b}|>\pi-\Delta$ . the phase error rate of a Z-pair just equals to the error rate of an X-pair. The two points guarantee that for any Z-pair, we have a fixed probability to test its phase error rate. The phase error rate is not directly measurable on $AB$ , but it must equal to the bit error rate by measuring $A^{\prime}B^{\prime}$ .

Original protocol

In this section, we analyze the security of the original MP-QKD protocol. For simplicity, we omit the decoy state here, Alice and Bob prepare quantum states $\ket{0}$ and $\ket{\sqrt{\mu}e^{{\rm{i}}\theta}}$ with the probability $p_{0}$ and $p_{1}$ respectively. The phase $\theta$ of the quantum states are uniformly randomly chosen from $[0,2\pi)$ . In the entanglement-based protocol, Alice and Bob prepare entangled states in each round,

	$\displaystyle\ket{\Psi}_{AA^{\prime}a}=\sqrt{p_{0}}\ket{0}_{A}\int_{0}^{2\pi}\frac{{\rm{d}}\theta}{\sqrt{2\pi}}\ket{\theta}_{A^{\prime}}\ket{0}_{a}+\sqrt{p_{1}}\ket{1}_{A}\int_{0}^{2\pi}\frac{{\rm{d}}\theta}{\sqrt{2\pi}}\ket{\theta}_{A^{\prime}}\ket{\sqrt{\mu}e^{{\rm{i}}\theta}}_{a},$		(9)
	$\displaystyle\ket{\Psi}_{BB^{\prime}b}=\sqrt{p_{0}}\ket{0}_{B}\int_{0}^{2\pi}\frac{{\rm{d}}\theta}{\sqrt{2\pi}}\ket{\theta}_{B^{\prime}}\ket{0}_{b}+\sqrt{p_{1}}\ket{1}_{B}\int_{0}^{2\pi}\frac{{\rm{d}}\theta}{\sqrt{2\pi}}\ket{\theta}_{B^{\prime}}\ket{\sqrt{\mu}e^{{\rm{i}}\theta}}_{b},$		(9)

where $A(B)$ and $A^{\prime}(B^{\prime})$ are auxiliary quantum systems that are employed to store the intensity and random phase information, respectively. For the different values of $\theta$ , the quantum states $|\theta\rangle$ are orthogonal, $\langle\theta|\theta^{\prime}\rangle=\delta(\theta-\theta^{\prime})$ . Here we assume that the $i$ -th round and the $j$ -th round are two adjacent events with successful detection, which are recorded as $P^{i,j}$ . The joint state of Alice can be written as

$\displaystyle\ket{\Psi}^{i,j}_{AA^{\prime}a}$	$\displaystyle=p_{0}\|00\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|0\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|0\rangle_{a_{j}}$	(10)
	$\displaystyle+\sqrt{p_{0}p_{1}}\|01\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|0\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{j}_{a}}\rangle_{a_{j}}$
	$\displaystyle+\sqrt{p_{0}p_{1}}\|10\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{i}_{a}}\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|0\rangle_{a_{j}}$
	$\displaystyle+p_{1}\|11\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{i}_{a}}\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{j}_{a}}\rangle_{a_{j}}.$

The joint state of Bob is given in a similar way. When $A_{i}A_{j}$ collapses into the subspace spanned by $|01\rangle_{A_{i}A_{j}}$ and $|10\rangle_{A_{i}A_{j}}$ , Alice is sure that $Z$ -basis is chosen. $|11\rangle_{A_{i}A_{j}}$ means this pair is $X$ -basis preparation.

In the $Z$ -basis $P^{i,j}_{a(b)}$ , the intensities are $\{0,\mu\}$ or $\{\mu,0\}$ . Here we define $\theta^{j}_{a(b)}:=\theta^{i}_{a(b)}+\delta_{a(b)}$ , the $Z$ -basis preparation of Alice’s joint state can be written as

$\displaystyle\|\Psi_{Z}\rangle_{AA^{\prime}a}^{i,j}=$	$\displaystyle\sqrt{p_{0}p_{1}}\|01\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|0\rangle_{a_{i}}\|\delta_{a}\rangle_{A^{\prime}_{j}}\|\sqrt{\mu}e^{{\rm{i}}(\theta^{i}_{a}+\delta_{a})}\rangle_{a_{j}}$	(11)
	$\displaystyle+\sqrt{p_{0}p_{1}}\|10\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{i}_{a}}\rangle_{a_{i}}\|\delta_{a}\rangle_{A^{\prime}_{j}}\|0\rangle_{a_{j}}$
$\displaystyle=$	$\displaystyle\sqrt{p_{0}p_{1}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\delta_{a}\rangle_{A^{\prime}_{j}}$
	$\displaystyle\sum_{n=0}^{\infty}\sqrt{p_{n\|\mu}}e^{{\rm{i}}n\theta^{i}_{a}}(e^{{\rm{i}}n\delta_{a}}\|01\rangle_{A_{i}A_{j}}\|0\rangle_{a_{i}}\|n\rangle_{a_{j}}+\|10\rangle_{A_{i}A_{j}}\|n\rangle_{a_{i}}\|0\rangle_{a_{j}}),$

where $n$ is the number of the photon, and $p_{n|\mu}=\frac{e^{-\mu}\mu^{n}}{n!}$ is the probability of the Poisson distribution.

First, we trace the auxiliary $A^{\prime}_{i}$ , the density matrix of Alice’s $Z$ -basis preparation can be written as

$\displaystyle\rho_{a,Z}^{i,j}=$	$\displaystyle\text{Tr}_{A^{\prime}_{i}}(\|\Psi_{Z}\rangle\langle\Psi_{Z}\|^{i,j}_{AA^{\prime}a})$	(12)
$\displaystyle=$	$\displaystyle p_{0}p_{1}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta^{\prime}_{a}}{\sqrt{2\pi}}\|\delta_{a}\rangle\langle\delta^{\prime}_{a}\|_{A^{\prime}_{j}}\sum_{n=0}^{\infty}p_{n\|\mu}(e^{{\rm{i}}n\delta_{a}}\|01\rangle_{A_{i}A_{j}}\|0\rangle_{a_{i}}\|n\rangle_{a_{j}}+\|10\rangle_{A_{i}A_{j}}\|n\rangle_{a_{i}}\|0\rangle_{a_{j}})$
	$\displaystyle\times(e^{{\rm{i}}n\delta^{\prime}_{a}}\langle 01\|_{A_{i}A_{j}}\langle 0\|_{a_{i}}\langle n\|_{a_{j}}+\langle 10\|_{A_{i}A_{j}}\langle n\|_{a_{i}}\langle 0\|_{a_{j}})$
$\displaystyle=$	$\displaystyle 2p_{0}p_{1}p_{1\|\mu}\bm{\mathcal{P}}\left[\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\|\delta_{a}\rangle\frac{\|01\rangle_{A_{i}A_{j}}\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{A_{i}A_{j}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+{\rm{Part_{\rm{zm}}}},$

where $\bm{\mathcal{P}}[|\cdot\rangle]=|\cdot\rangle\langle\cdot|$ , and ${\rm{Part_{\rm{zm}}}}$ is the mixture components of the zero-photon and multiple-photon in $a_{i}a_{j}$ . Because the system $A^{\prime}_{j}$ is measured and announced in the subsequent steps, the single-photon component of the density matrix can be simplified as a classical-quantum state, i.e.

\displaystyle\rho_{a,Z_{1}}^{i,j}=2p_{0}p_{1}p_{1|\mu}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}|\delta_{a}\rangle\langle\delta_{a}|_{A_{j}^{\prime}}\bm{\mathcal{P}}\left[\frac{|01\rangle_{A_{i}A_{j}}|01\rangle_{a_{i}a_{j}}+e^{-i\delta_{a}}|10\rangle_{A_{i}A_{j}}|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right].

(13)

Actually, when Alice takes the $\hat{Z}_{A}$ measurement on $A_{i}A_{j}$ , whose eigenstates are $|01\rangle_{A_{i}A_{j}}$ and $|10\rangle_{A_{i}A_{j}}$ , to the density matrix $\rho_{a,Z_{1}}^{i,j}$ , the phase $\delta_{a}$ plays no roles in the results of the measurement and Eve’s potential system. Therefore, it’s not restrictive to introduce a unitary operation $U_{A}^{\delta_{a}}$ to the auxiliaries $A_{i},A_{j}$ before the $\hat{Z}_{A}$ measurement, defined by $U_{A}^{\delta_{a}}|01\rangle_{A_{i}A_{j}}=|01\rangle_{A_{i}A_{j}}$ , $U_{A}^{\delta_{a}}|10\rangle_{A_{i}A_{j}}=e^{i\delta_{a}}|10\rangle_{A_{i}A_{j}}$ . This operation can keep the specific form of send states $a_{i}$ and $a_{j}$ . The density matrix can be simplified as

\displaystyle\rho_{a,Z_{1}}^{i,j}=2p_{0}p_{1}p_{1|\mu}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}|\delta_{a}\rangle\langle\delta_{a}|_{A_{j}^{\prime}}\bm{\mathcal{P}}\left[\frac{|01\rangle_{A_{i}A_{j}}|01\rangle_{a_{i}a_{j}}+|10\rangle_{A_{i}A_{j}}|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right].

(14)

Then we consider the single-photon component of the joint density matrix of Alice and Bob, given by

	$\displaystyle\rho_{Z_{1}}^{i,j}=$	$\displaystyle 4p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{b}}{2\pi}\|\delta_{a}\delta_{b}\rangle\langle\delta_{a}\delta_{b}\|_{A_{j}^{\prime}B_{j}^{\prime}}$		(15)
		$\displaystyle\otimes\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{A_{i}A_{j}}\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{A_{i}A_{j}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\otimes\bm{\mathcal{P}}\left[\frac{\|01\rangle_{B_{i}B_{j}}\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{B_{i}B_{j}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E},$		(15)

where $\hat{M}_{E}$ is an element in a set of POVM measurements made by Eve, with outputs $C^{i}=C^{j}=1$ . It should be noted that $\hat{M}_{E}$ operates on the systems $a_{i}$ , $a_{j}$ , $b_{i}$ , and $b_{j}$ which are sent to Charlie. Here we just care about the reduced density matrix of $i$ -th and $j$ -th round. For different $i$ and $j$ , $\hat{M}_{E}$ might be different and relate to other rounds, $\hat{M}_{E}^{i,j}$ is a more suitable symbol. For simplicity, we omitted the superscript here. In the subsequent proof, we can see that the specific form of $\hat{M}_{E}^{i,j}$ is needless. For the $Z$ -basis preparation, the systems $A_{i}A_{j}a_{i}a_{j}$ and $B_{i}B_{j}b_{i}b_{j}$ are independent of the values $\delta_{a}$ and $\delta_{b}$ , which are never announced. So, we can trace the auxiliaries $A^{\prime}_{j}B^{\prime}_{j}$ for simplicity. We have

	$\displaystyle\tilde{\rho}_{Z_{1}}^{i,j}=$	$\displaystyle\Tr_{A^{\prime}_{j}B^{\prime}_{j}}\left(\rho_{Z_{1}}^{i,j}\right)$		(16)
	$\displaystyle=$	$\displaystyle 4p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{A_{i}A_{j}}\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{A_{i}A_{j}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\otimes\bm{\mathcal{P}}\left[\frac{\|01\rangle_{B_{i}B_{j}}\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{B_{i}B_{j}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}.$		(16)

For obtaining the single-photon phase error rate of the $Z$ -basis preparation, we define two measurements $\hat{X}_{A}$ and $\hat{X}_{B}$ , whose eigenstates are

\displaystyle|X_{A}^{+(-)}\rangle_{A_{i}A_{j}}:=\frac{|01\rangle_{A_{i}A_{j}}\pm|10\rangle_{A_{i}A_{j}}}{\sqrt{2}},|X_{B}^{+(-)}\rangle_{B_{i}B_{j}}:=\frac{|01\rangle_{B_{i}B_{j}}\pm|10\rangle_{B_{i}B_{j}}}{\sqrt{2}},

(17)

respectively. The joint density matrix can be revised by these eigenstates,

	$\displaystyle\tilde{\rho}_{Z_{1}}^{i,j}=$	$\displaystyle 4p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{1}{\sqrt{2}}\left(\|X_{A}^{+}\rangle_{A_{i}A_{j}}\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}+\|X_{A}^{-}\rangle_{A_{i}A_{j}}\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right)\right]$		(18)
		$\displaystyle\otimes\bm{\mathcal{P}}\left[\frac{1}{\sqrt{2}}\left(\|X_{B}^{+}\rangle_{B_{i}B_{j}}\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}+\|X_{B}^{-}\rangle_{B_{i}B_{j}}\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right)\right]\hat{M}^{\dagger}_{E}.$		(18)

The probability of projection into $|X_{A}^{+}\rangle_{A_{i}A_{j}}|X_{B}^{+}\rangle_{B_{i}B_{j}}$ can be given by

	$\displaystyle{\rm{Pr}}(\|X_{A}^{+}\rangle_{A_{i}A_{j}}\|X_{B}^{+}\rangle_{B_{i}B_{j}})=$	$\displaystyle\Tr{\langle X_{A}^{+}\|_{A_{i}A_{j}}\langle X_{B}^{+}\|_{B_{i}B_{j}}\tilde{\rho}_{Z_{1}}^{i,j}\|X_{A}^{+}\rangle_{A_{i}A_{j}}\|X_{B}^{+}\rangle_{B_{i}B_{j}}}$		(19)
	$\displaystyle=$	$\displaystyle p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$		(19)

Similarly,

$\displaystyle{\rm{Pr}}(\|X_{A}^{+}\rangle_{A_{i}A_{j}}\|X_{B}^{-}\rangle_{B_{i}B_{j}})=$	$\displaystyle p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\},$	(20)
$\displaystyle{\rm{Pr}}(\|X_{A}^{-}\rangle_{A_{i}A_{j}}\|X_{B}^{+}\rangle_{B_{i}B_{j}})=$	$\displaystyle p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\},$
$\displaystyle{\rm{Pr}}(\|X_{A}^{-}\rangle_{A_{i}A_{j}}X_{B}^{-}\rangle_{B_{i}B_{j}})=$	$\displaystyle p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

Moreover,

	$\displaystyle\left[\Pr(\|X_{A}^{+}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{+}\rangle\|X_{B}^{-}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{-}\rangle)\right]_{A_{i}A_{j},B_{i}B_{j}}$	(21)
$\displaystyle=$	$\displaystyle p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\left.\otimes\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle\Tr\tilde{\rho}_{Z_{1}}^{i,j}.$

In this way, the single-photon phase error rate of $Z$ -basis preparation can be obtained by

$\displaystyle e_{Z_{1}}^{\rm{ph}}(\tilde{\rho}_{Z_{1}}^{i,j})=$	$\displaystyle\frac{{\rm{Pr}}(\|X_{A}^{+}\rangle_{A_{i}A_{j}}\|X_{B}^{-}\rangle_{B_{i}B_{j}})+{\rm{Pr}}(\|X_{A}^{-}\rangle_{A_{i}A_{j}}\|X_{B}^{+}\rangle_{B_{i}B_{j}})}{\left[\Pr(\|X_{A}^{+}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{+}\rangle\|X_{B}^{-}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{-}\rangle)\right]_{A_{i}A_{j},B_{i}B_{j}}}$	(22)
$\displaystyle=$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle+$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

The security proof focuses on how to estimate this phase error rate. To solve this problem, we resort to $X$ -pair preparation. In $X$ -basis $P_{a(b)}^{i,j}$ , the intensities is $\{\mu,\mu\}$ . For the case that Alice prepares $X$ -basis, the joint states of Alice can be written as

\displaystyle|\Psi_{X}\rangle_{AA^{\prime}a}^{i,j}=p_{1}|11\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}|\theta_{a}^{i}\rangle_{A^{\prime}_{i}}|\delta_{a}\rangle_{A^{\prime}_{j}}|\sqrt{\mu}e^{{\rm{i}}\theta_{a}^{i}}\rangle_{a_{i}}|\sqrt{\mu}e^{{\rm{i}}(\theta_{a}^{i}+\delta_{a})}\rangle_{a_{j}}.

(23)

Just like the operation we did to the $Z$ -basis preparation, the auxiliary $A^{\prime}_{i}$ is traced first, the density matrix of Alice’s $X$ -basis preparation can be written as

$\displaystyle\rho_{a,X}^{i,j}=$	$\displaystyle\Tr_{A^{\prime}_{i}}\left(\|\Psi_{X}\rangle\langle\Psi_{X}\|^{i,j}_{AA^{\prime}a}\right)$	(24)
$\displaystyle=$	$\displaystyle p_{1}^{2}\|11\rangle\langle 11\|_{A_{i}A_{j}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta^{\prime}_{a}}{\sqrt{2\pi}}\|\delta_{a}\rangle\langle\delta^{\prime}_{a}\|_{A^{\prime}_{j}}\sum_{n_{1}+n_{2}=m_{1}+m_{2}}\sqrt{p_{n_{1}\|\mu}p_{n_{2}\|\mu}p_{m_{1}\|\mu}p_{m_{2}\|\mu}}e^{{\rm{i}}{(n_{2}\delta_{a}-m_{2}\delta^{\prime}_{a})}}\|n_{1}n_{2}\rangle_{a_{i}a_{j}}\langle m_{1}m_{2}\|$
$\displaystyle=$	$\displaystyle p_{1}^{2}\|11\rangle\langle 11\|_{A_{i}A_{j}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta^{\prime}_{a}}{\sqrt{2\pi}}\|\delta_{a}\rangle\langle\delta^{\prime}_{a}\|_{A^{\prime}_{j}}\{p_{1\|\mu}p_{0\|\mu}(\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}})(\langle 01\|_{a_{i}a_{j}}+e^{{\rm{i}}\delta^{\prime}_{a}}\langle 10\|_{a_{i}a_{j}})\}+{\rm{Part_{\rm{zm}}}}$
$\displaystyle=$	$\displaystyle p_{1}^{2}p_{1\|2\mu}\|11\rangle\langle 11\|_{A_{i}A_{j}}\bm{\mathcal{P}}\left[\int_{-\pi}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\|\delta_{a}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+{\rm{Part_{\rm{zm}}}}$
$\displaystyle=$	$\displaystyle p_{1}^{2}p_{1\|2\mu}\|11\rangle\langle 11\|_{A_{i}A_{j}}\bm{\mathcal{P}}\left[\int_{0}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}+\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right)\right]$
	$\displaystyle+{\rm{Part_{\rm{zm}}}},$

where $\delta_{a}^{+}=\delta_{a}$ and $\delta_{a}^{-}=\delta_{a}+\pi$ . Indeed $|\delta_{a}^{+}\rangle$ $(|\delta_{a}^{-}\rangle)$ corresponds to logical bit $0$ $(1)$ with $\delta_{a}$ in $X$ -basis. For example, in the original protocol, if Alice finds the phase difference between the $i$ -th and $j$ -th pulse is $8\pi/7$ , this is equivalent to that his measurement result of $A^{\prime}_{j}$ is $|\delta_{a}^{-}\rangle$ (logical bit $1$ ) with $\delta_{a}=\pi/7$ in the entanglement-based protocol.

The density matrix of Bob preparing $X$ -basis is the same. Then we consider the single-photon component of the joint density matrix of Alice and Bob,

$\displaystyle\rho_{X_{1}}^{i,j}=$	$\displaystyle p_{1}^{4}p_{1\|2\mu}^{2}\bm{\mathcal{P}}[\|11\rangle_{A_{i}A_{j}}\|11\rangle_{B_{i}B_{j}}]$	(25)
	$\displaystyle\times\hat{M}_{E}\bm{\mathcal{P}}\left[\int_{0}^{\pi}\frac{{\rm{d}}\delta_{a}}{\sqrt{2\pi}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}+\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right)\right]$
	$\displaystyle\otimes\bm{\mathcal{P}}\left[\int_{0}^{\pi}\frac{{\rm{d}}\delta_{b}}{\sqrt{2\pi}}\left(\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\frac{\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}+\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\frac{\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right)\right]\hat{M}^{\dagger}_{E}.$

Here we define two measurements $\hat{X}^{\delta_{a}}_{A^{\prime}}$ and $\hat{X}^{\delta_{b}}_{B^{\prime}}$ , whose eigenstates are $|\delta_{a}^{\pm}\rangle_{A^{\prime}_{j}}$ and $|\delta_{b}^{\pm}\rangle_{B^{\prime}_{j}}$ , respectively. The preparation of quantum states can be regarded as Alice and Bob taking the above measurements to the auxiliaries $A^{\prime}_{j}$ and $B^{\prime}_{j}$ . The joint probability that $C^{i}=C^{j}=1$ , Alice and Bob prepare the single-photon component of X-pair and the measurement results are $|\delta_{a}^{+}\rangle_{A_{j}^{\prime}}$ and $|\delta_{b}^{+}\rangle_{B_{j}^{\prime}}$ is

	$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)=$	$\displaystyle\Tr{\langle\delta_{a}^{+}\|_{A^{\prime}_{j}}\langle\delta_{b}^{+}\|_{B^{\prime}_{j}}\rho_{X_{1}}^{i,j}\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}}$		(26)
	$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{(\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}})}{\sqrt{2}}\otimes\frac{(\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}})}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$		(26)

Similarly,

$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{(\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}})}{\sqrt{2}}\otimes\frac{(\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}})}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\},$	(27)
$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{(\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}})}{\sqrt{2}}\otimes\frac{(\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}})}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\},$
$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{(\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}})}{\sqrt{2}}\otimes\frac{(\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}})}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

For obtaining single-photon bit error rate with $\delta_{a}$ and $\delta_{b}$ , the sum of ${\rm{Pr}}\left(|\delta_{a}^{\pm}\rangle_{A^{\prime}_{j}}|\delta_{b}^{\pm}\rangle_{B^{\prime}_{j}}\right)$ is needed, which is given by

$\displaystyle{\rm{Pr}}(\delta_{a}\delta_{b})=$	$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)$	(28)
$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\otimes\left.\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\left(\frac{\|01\rangle_{a_{i}a_{j}}\langle 01\|}{2}+\frac{\|10\rangle_{a_{i}a_{j}}\langle 10\|}{2}\right)\right.\otimes\left.\left(\frac{\|01\rangle_{b_{i}b_{j}}\langle 01\|}{2}+\frac{\|10\rangle_{b_{i}b_{j}}\langle 10\|}{2}\right)\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\otimes\left.\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}.$

Moreover,

$\displaystyle\Tr\rho_{X_{1}}^{i,j}=$	$\displaystyle p_{1}^{4}p_{1\|2\mu}^{2}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{b}}{2\pi}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}+\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right.$	(29)
	$\displaystyle\otimes\left.\bm{\mathcal{P}}\left[\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\frac{\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}+\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\frac{\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle p_{1}^{4}p_{1\|2\mu}^{2}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{b}}{2\pi}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\otimes\left.\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle p_{1}^{4}p_{1\|2\mu}^{2}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{a}}{2\pi}\int_{0}^{\pi}\frac{{\rm{d}}\delta_{b}}{2\pi}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\otimes\left.\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}}{4}\Tr\left\{\hat{M}_{E}\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\right\}\right.$
	$\displaystyle\otimes\left.\left\{\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]+\bm{\mathcal{P}}\left[\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\right\}\hat{M}^{\dagger}_{E}\right\}.$

Then it’s clear that

\Pr\left(\delta_{a}\delta_{b}\right)=\frac{{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{\pi^{2}}\Tr\rho_{X_{1}}^{i,j},

(30)

which means that Eve’s attacks cannot depend on the phases $\delta_{a}$ and $\delta_{b}$ , i.e. $\Pr\left(\delta_{a}\delta_{b}\right)$ does not depend on the phases $\delta_{a}$ and $\delta_{b}$ .

Actually, in the key mapping step, Bob keeps his logical bit if $|\delta_{a}-\delta_{b}|\leq\Delta$ , flips his logical bit if $|\delta_{a}-\delta_{b}|\geq\pi-\Delta$ . And he keeps his logical bit if Charlie’s clicks are (L,L) or (R,R), flips his logical bit if (L,R) or (R,L). In the entanglement-based protocol, Bob operates his auxiliary $B^{\prime}_{j}$ to implement this reverse. For X-pair preparation, the single-photon bit error rate under the condition Alice and Bob obtained the results $\delta_{a}$ and $\delta_{b}$ ( $\delta_{a(b)}\in[0,\pi)$ , $|\delta_{a}-\delta_{b}|\leq\Delta$ ) is

$\displaystyle e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})=$	$\displaystyle\frac{{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)}{\Pr(\delta_{a}\delta_{b})}$	(31)
$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}}{4\Tr\rho_{X_{1}}^{(i,j)}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle+$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}}{4\Tr\rho_{X_{1}}^{(i,j)}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

And the single-photon bit error rate of X-pair preparation under the condition Alice and Bob obtained the results $\delta_{a}$ and $\delta_{b}$ ( $\delta_{a(b)}\in[0,\pi)$ , $|\delta_{a}-\delta_{b}|\geq\pi-\Delta$ ) is

\displaystyle e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})=

\displaystyle\frac{{\rm{Pr}}\left(|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)}{\Pr(\delta_{a}\delta_{b})}

(32)

With the relation $\Tr\rho_{X_{1}}^{i,j}/\Tr\tilde{\rho}_{Z_{1}}^{i,j}=p_{1}^{2}\exp(-2\mu)/p_{0}^{2}$ and $e_{Z_{1}}^{\rm{ph}}$ given in Eq.(22), it’s easy to verify that

\displaystyle e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})=\left\{\begin{array}[]{lc}e_{Z_{1}}^{\rm{ph}}(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}),&|\delta_{a}-\delta_{b}|\leq\Delta\vspace{1ex}\\ e_{Z_{1}}^{\rm{ph}}(U^{-\delta_{a}}_{A}U^{-(\delta_{b}+\pi)}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}+\pi)}_{B}U^{\delta_{a}}_{A}),&|\delta_{a}-\delta_{b}|\geq\pi-\Delta,\\ \end{array}\right.

(33)

where $U_{A}^{-\delta_{a}}|01\rangle_{A_{i}A_{j}}=|01\rangle_{A_{i}A_{j}}$ , $U_{A}^{-\delta_{a}}|10\rangle_{A_{i}A_{j}}=e^{-{\rm{i}}\delta_{a}}|10\rangle_{A_{i}A_{j}}$ are applied to Alice’s local qubits, $U^{-\delta_{b}}_{B}$ is similar. This observation confirms that any $e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$ corresponds to the phase error rate for key bits generated by $\hat{Z}_{A}\hat{Z}_{B}$ measurement on the density matrix $U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}$ or $U^{-\delta_{a}}_{A}U^{-(\delta_{b}+\pi)}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}+\pi)}_{B}U^{\delta_{a}}_{A}$ . On the other hand, applying $U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}(U^{-\delta_{a}}_{A}U^{-(\delta_{b}+\pi)}_{B})$ or not will not change the distribution of the $\hat{Z}_{A}\hat{Z}_{B}$ measurement and potential information leakage to Eve. Hence, without compromising security, the phase error rate $e_{Z_{1}}^{\rm{ph}}$ can be assumed to be any $e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$ or its mean value of some domains of $\delta_{a},\delta_{b}$ .

Actually, we just calculate $e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$ satisfying $|\delta_{a}-\delta_{b}|\leq\Delta$ or $|\delta_{a}-\delta_{b}|\geq\pi-\Delta$ in the $X$ -pair preparation. This probability is

$\displaystyle q_{X_{1}}=$	$\displaystyle\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)+\int_{0}^{\Delta}\int_{\delta_{a}+\pi-\Delta}^{\pi}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)+\int_{\pi-\Delta}^{\pi}\int_{\delta_{a}-\Delta}^{\pi}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)$	(34)
	$\displaystyle+\int_{\pi-\Delta}^{\pi}\int_{0}^{\Delta-\pi+\delta_{a}}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)+\int_{\Delta}^{\pi-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)$
$\displaystyle=$	$\displaystyle\frac{2\Delta}{\pi}\Tr\rho_{X_{1}}^{i,j}.$

It should be noted that ${\rm{Pr}}\left(\delta_{a}\delta_{b}\right)$ is independent of $\delta_{a}$ and $\delta_{b}$ . And we come to the main conclusion:

$\displaystyle e_{Z_{1}}^{\rm{ph}}=e_{X_{1}}^{\rm{bit}}=$	$\displaystyle\frac{1}{q_{X_{1}}}\Bigg{[}\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})+\int_{0}^{\Delta}\int_{\delta_{a}+\pi-\Delta}^{\pi}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$	(35)
	$\displaystyle+\int_{\pi-\Delta}^{\pi}\int_{\delta_{a}-\Delta}^{\pi}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})+\int_{\pi-\Delta}^{\pi}\int_{0}^{\Delta-\pi+\delta_{a}}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$
	$\displaystyle+\int_{\Delta}^{\pi-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}\delta_{b}\right)e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})\Bigg{]}$
$\displaystyle=$	$\displaystyle\frac{1}{2\Delta\pi}\Bigg{[}\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})+\int_{0}^{\Delta}\int_{\delta_{a}+\pi-\Delta}^{\pi}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$
	$\displaystyle+\int_{\pi-\Delta}^{\pi}\int_{\delta_{a}-\Delta}^{\pi}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})+\int_{\pi-\Delta}^{\pi}\int_{0}^{\Delta-\pi+\delta_{a}}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})$
	$\displaystyle+\int_{\Delta}^{\pi-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}e_{X_{1}}^{\rm{bit}}(\delta_{a},\delta_{b})\Bigg{]}.$

In the above proof, we just analyze the relation of $i$ -th and $j$ -th rounds, we prove that the phase error rate for any individual single-photon $Z$ -pair $P^{i,j}$ must be equal to the error rate if single-photon $P^{i,j}$ happens to be $X$ -pair. However, it can be expanded to all rounds. It is clear that, for each pairs, this conclusion is satisfied, and the sum of all rounds is also satisfies. In non-asymptotic cases, the phase error rate for the raw key string $\mathbf{Z}_{1}$ is sampled by the error rate between $\mathbf{X}_{1}$ and $\mathbf{X}_{1}^{\prime}$ , where $\mathbf{X}_{1}$ and $\mathbf{X}_{1}^{\prime}$ represent the key strings obtained from single-photon events in $\mathcal{X}$ . To summarize, $e_{X_{1}}^{\rm{bit}}$ is a random sampling without replacement for $e_{Z_{1}}^{\rm{ph}}$ .

Then we employ the entropic uncertainty relation for smooth entropies Tomamichel and Renner (2011) to get the length of the secret keys. The auxiliary of Eve after error correction is denoted as $E^{\prime}$ . Due to the quantum leftover hash lemma Renner (2008); Tomamichel et al. (2011), a $\varepsilon_{\rm{sec}}$ -secret key of length $l_{o}$ can be extracted from the bit string $\mathbf{Z}$ by applying privacy amplification with two-universal hashing,

\displaystyle 2\varepsilon+\frac{1}{2}\sqrt{2^{l_{o}-H_{\rm{min}}^{\varepsilon}(\mathbf{Z}|E^{\prime})}}\leq\varepsilon_{\rm{sec}},

(36)

where $H_{\rm{min}}^{\varepsilon}(\mathbf{Z}|E^{\prime})$ is the conditional smooth min-entropy, which is employed to quantify the average probability that Eve guesses $\mathbf{Z}$ correctly with $E^{\prime}$ . In the error-correction step, $\lambda_{\rm{EC}}+\log_{2}(2/\varepsilon_{\rm{cor}})$ bits are published. By employing a chain-rule inequality for smooth entropies Vitanov et al. (2013),

\displaystyle H_{\rm{min}}^{\varepsilon}(\mathbf{Z}|E^{\prime})\geq H_{\rm{min}}^{\varepsilon}(\mathbf{Z}|E)-\lambda_{\rm{EC}}-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}},

(37)

where $E$ is the auxiliary of Eve before error correction. Moreover, $\mathbf{Z}$ can be decomposed into $\mathbf{Z}_{1}\mathbf{Z}_{\rm{zm}}$ , which are the corresponding bit strings due to the single-photon and the other events. We have

\displaystyle H_{\rm{min}}^{\varepsilon}(\mathbf{Z}|E)\geq H_{\rm{min}}^{\overline{\varepsilon}}(\mathbf{Z}_{1}|\mathbf{Z}_{\rm{zm}}E)+H_{\rm{min}}^{\varepsilon^{\prime}}(\mathbf{Z}_{\rm{zm}}|E)-2\log_{2}\frac{\sqrt{2}}{\hat{\varepsilon}},

(38)

where $\varepsilon=2\overline{\varepsilon}+\varepsilon^{\prime}+\hat{\varepsilon}$ and $H_{\rm{min}}^{\varepsilon^{\prime}}(\mathbf{Z}_{\rm{zm}}|E)\geq 0$ . We can set $\varepsilon^{\prime}=0$ without compromising security. Here the single-photon component prepared in the $Z$ -basis and $X$ -basis are mutually unbiased obviously. We employed the string $\mathbf{X}_{1}(\mathbf{X}_{1}^{\prime})$ to denote Alice (Bob) would have obtained if they had measured in the $X$ -basis instead of $Z$ -basis. By employing the uncertainty relation of smooth min- and max-entropy, we have

\displaystyle H_{\rm{min}}^{\overline{\varepsilon}}(\mathbf{Z}_{1}|\mathbf{Z}_{\rm{zm}}E)\geq n_{Z_{1}}^{\rm{L}}-H_{\rm{max}}^{\overline{\varepsilon}}(\mathbf{X}_{1}|\mathbf{X}_{1}^{\prime}),

(39)

where $n_{Z_{1}}^{\rm{L}}$ is the lower bound of the length of $\mathbf{Z_{1}}$ . And we denote $e_{Z_{1}}^{\rm{ph}}=(\mathbf{X}_{1}\oplus\mathbf{X}_{1}^{\prime})/n_{Z_{1}}^{\rm{L}}$ , which is the phase error rate of $n_{Z_{1}}^{\rm{L}}$ under the $Z$ -basis measurement or the bit error rate of $n_{Z_{1}}^{\rm{L}}$ under the $X$ -basis measurement. Actually, $e_{Z_{1}}^{\rm{ph}}$ cannot directly observe. As is proved in the above, $\langle e_{Z_{1}}^{\rm{ph}}\rangle=\langle e_{X_{1}}^{\rm{bit}}\rangle$ , $\langle\cdot\rangle$ is employed to denote the expected value. So, $e_{Z_{1}}^{\rm{ph},U}$ in $n_{Z_{1}}^{\rm{L}}$ can be bounded by $\langle e_{X_{1}}^{\rm{bit}}\rangle$ through Chernoff-Bound, where $e_{Z_{1}}^{{\rm{ph},U}}$ is the estimated value of $e_{Z_{1}}^{\rm{ph}}$ . If the probability that $e_{Z_{1}}^{\rm{ph}}\geq e_{Z_{1}}^{{\rm{ph},U}}$ is no larger than $\overline{\varepsilon}^{2}$ ,

H_{\rm{max}}^{\overline{\varepsilon}}(\mathbf{X}_{1}|\mathbf{X}_{1}^{\prime})\leq n_{Z_{1}}^{\rm{L}}h(e_{Z_{1}}^{{\rm{ph},U}}).

(40)

If we choose $\varepsilon_{\rm{sec}}=2(\hat{\varepsilon}+2\overline{\varepsilon})+\varepsilon_{\rm{PA}}$ , where $\overline{\varepsilon}=\sqrt{\varepsilon_{e}+\varepsilon_{1}}$ , $\varepsilon_{1}$ is the probability that the real value of the number of single-photon bits is smaller than $n_{Z_{1}}^{\rm{L}}$ , and $\varepsilon_{e}$ is the probability that the real value of the phase error rate of single-photon component in $n_{Z_{1}}^{\rm{L}}$ is bigger than $e_{Z_{1}}^{\rm{ph},U}$ , $\varepsilon_{\rm{PA}}$ is the failure probability of privacy amplification. We have

\displaystyle l_{o}\leq n_{Z_{1}}^{\rm{L}}\left[1-h(e_{Z_{1}}^{\rm{ph},U})\right]-{\lambda_{\rm{EC}}}-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}}-2\log_{2}\frac{1}{\sqrt{2}\hat{\varepsilon}\varepsilon_{\rm{PA}}}.

(41)

Six-state protocol

In this section, we analyze the security of the six-state MP-QKD protocol. Similar to the analysis of the original protocol, we omit the decoy state for simplicity. The single-photon component of the joint density matrix of $Z$ -pair preparation is the same as the original MP-QKD protocol,

\displaystyle\tilde{\rho}_{Z_{1}}^{i,j}=4p_{0}^{2}p_{1}^{2}p_{1|\mu}^{2}\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{|01\rangle_{A_{i}A_{j}}|01\rangle_{a_{i}a_{j}}+|10\rangle_{A_{i}A_{j}}|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\right]\otimes\bm{\mathcal{P}}\left[\frac{|01\rangle_{B_{i}B_{j}}|01\rangle_{b_{i}b_{j}}+|10\rangle_{B_{i}B_{j}}|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}.

(42)

If Alice and Bob take $\hat{X}_{A}$ and $\hat{X}_{B}$ measurements, whose eigenstates are

\displaystyle|X_{A}^{+(-)}\rangle_{A_{i}A_{j}}:=\frac{|01\rangle_{A_{i}A_{j}}\pm|10\rangle_{A_{i}A_{j}}}{\sqrt{2}},|X_{B}^{+(-)}\rangle_{B_{i}B_{j}}:=\frac{|01\rangle_{B_{i}B_{j}}\pm|10\rangle_{B_{i}B_{j}}}{\sqrt{2}},

(43)

respectively. The single-photon bit error rate of $Z$ -pair preparation under these measurements is

$\displaystyle e_{Z_{1}}^{X}(\tilde{\rho}_{Z_{1}}^{i,j})=$	$\displaystyle\frac{{\rm{Pr}}(\|X_{A}^{+}\rangle_{A_{i}A_{j}}\|X_{B}^{-}\rangle_{B_{i}B_{j}})+{\rm{Pr}}(\|X_{A}^{-}\rangle_{A_{i}A_{j}}\|X_{B}^{+}\rangle_{B_{i}B_{j}})}{\left[\Pr(\|X_{A}^{+}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{+}\rangle\|X_{B}^{-}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{+}\rangle)+\Pr(\|X_{A}^{-}\rangle\|X_{B}^{-}\rangle)\right]_{A_{i}A_{j},B_{i}B_{j}}}$	(44)
$\displaystyle=$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle+$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

And if Alice and Bob take $\hat{Y}_{A}$ and $\hat{Y}_{B}$ measurements, whose eigenstates are

\displaystyle|Y_{A}^{+(-)}\rangle_{A_{i}A_{j}}:=\frac{|01\rangle_{A_{i}A_{j}}\pm{\rm{i}}|10\rangle_{A_{i}A_{j}}}{\sqrt{2}},|Y_{B}^{+(-)}\rangle_{B_{i}B_{j}}:=\frac{|01\rangle_{B_{i}B_{j}}\pm{\rm{i}}|10\rangle_{B_{i}B_{j}}}{\sqrt{2}},

(45)

respectively. The single-photon bit error rate of $Z$ -pair preparation under these measurements is

$\displaystyle e_{Z_{1}}^{Y}(\tilde{\rho}_{Z_{1}}^{i,j})=$	$\displaystyle\frac{{\rm{Pr}}(\|Y_{A}^{+}\rangle_{A_{i}A_{j}}\|Y_{B}^{-}\rangle_{B_{i}B_{j}})+{\rm{Pr}}(\|Y_{A}^{-}\rangle_{A_{i}A_{j}}\|Y_{B}^{+}\rangle_{B_{i}B_{j}})}{\left[\Pr(\|Y_{A}^{+}\rangle\|Y_{B}^{+}\rangle)+\Pr(\|Y_{A}^{+}\rangle\|Y_{B}^{-}\rangle)+\Pr(\|Y_{A}^{-}\rangle\|Y_{B}^{+}\rangle)+\Pr(\|Y_{A}^{-}\rangle\|Y_{B}^{-}\rangle)\right]_{A_{i}A_{j},B_{i}B_{j}}}$	(46)
$\displaystyle=$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}-{\rm{i}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}+{\rm{i}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}$
$\displaystyle+$	$\displaystyle\frac{p_{0}^{2}p_{1}^{2}p_{1\|\mu}^{2}}{\Tr\tilde{\rho}_{Z_{1}}^{i,j}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\frac{\|01\rangle_{a_{i}a_{j}}+{\rm{i}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}}\otimes\frac{\|01\rangle_{b_{i}b_{j}}-{\rm{i}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}\right]\hat{M}^{\dagger}_{E}\right\}.$

In the original MP-QKD protocol, if the intensities of $P^{i,j}$ are $\{\mu,\mu\}$ , Alice and Bob label the basis as $X$ , and they discard the events satisfying $\Delta<|\delta_{a}-\delta_{b}|<\pi-\Delta$ , where $\delta_{a},\delta_{b}\in[0,\pi)$ . In the six-state protocol, when the intensities of $P^{i,j}$ are $\{\mu,\mu\}$ , Alice and Bob label the basis of the pairs as $X$ or $Y$ according to the value $r_{a}$ and $r_{b}$ , $X$ -basis if $r_{a(b)}=0$ and $Y$ -basis if $r_{a(b)}=1$ . And they discard the events satisfying $\Delta<|\delta_{a}-\delta_{b}|<\pi/2-\Delta$ , where $\delta_{a},\delta_{b}\in[0,\pi/2)$ .

In the $X$ - or $Y$ -basis preparation of the six-state protocol, the single-photon component of the joint density matrix can be written as

$\displaystyle\rho_{T_{1}}^{i,j}=$	$\displaystyle p_{1}^{4}p_{1\|2\mu}^{2}\bm{\mathcal{P}}\left[\|11\rangle_{A_{i}A_{j}}\|11\rangle_{B_{i}B_{j}}\right]$	(47)
	$\displaystyle\times\hat{M}_{E}\bm{\mathcal{P}}\left[\int_{0}^{\frac{\pi}{2}}\frac{\sqrt{2}{\rm{d}}\delta_{a}}{\sqrt{\pi}}\left(\frac{\|\delta_{a}^{+}\rangle\|\chi_{\delta_{a}}^{+}\rangle}{2}+\frac{\|\delta_{a}^{+{\rm{i}}}\rangle\|\chi_{\delta_{a}}^{+{\rm{i}}}\rangle}{2}+\frac{\|\delta_{a}^{-}\rangle\|\chi_{\delta_{a}}^{-}\rangle}{2}+\frac{\|\delta_{a}^{-{\rm{i}}}\rangle\|\chi_{\delta_{a}}^{-{\rm{i}}}\rangle}{2}\right)_{A^{\prime}_{j},a_{i}a_{j}}\right]$
	$\displaystyle\otimes\bm{\mathcal{P}}\left[\int_{0}^{\frac{\pi}{2}}\frac{\sqrt{2}{\rm{d}}\delta_{b}}{\sqrt{\pi}}\left(\frac{\|\delta_{b}^{+}\rangle\|\chi_{\delta_{b}}^{+}\rangle}{2}+\frac{\|\delta_{b}^{+{\rm{i}}}\rangle\|\chi_{\delta_{b}}^{+{\rm{i}}}\rangle}{2}+\frac{\|\delta_{b}^{-}\rangle\|\chi_{\delta_{b}}^{-}\rangle}{2}+\frac{\|\delta_{b}^{-{\rm{i}}}\rangle\|\chi_{\delta_{b}}^{-{\rm{i}}}\rangle}{2}\right)_{B^{\prime}_{j},b_{i}b_{j}}\right]\hat{M}_{E}^{\dagger},$

where $\delta_{a}^{+}=\delta_{a}$ , $\delta_{a}^{+{\rm{i}}}=\delta_{a}+\pi/2$ , $\delta_{a}^{-}=\delta_{a}+\pi$ , and $\delta_{a}^{-{\rm{i}}}=\delta_{a}+3\pi/2$ . Actually, $|\delta_{a}^{+}\rangle_{A_{j}^{\prime}}$ $(|\delta_{a}^{-}\rangle_{A_{j}^{\prime}})$ corresponds to logical bit 0(1) with $\delta_{a}$ in the $X$ -basis. And $|\delta_{a}^{+{\rm{i}}}\rangle_{A_{j}^{\prime}}$ $(|\delta_{a}^{-{\rm{i}}}\rangle_{A_{j}^{\prime}})$ corresponds to logical bit 0(1) with $\delta_{a}$ in the $Y$ -basis. For example, in the six-state protocol, if Alice finds the phase difference between the $i$ -th and $j$ -th pulse is $3\pi/4$ , this is equivalent to that his measurement result of $A^{\prime}_{j}$ is $|\delta_{a}^{+{\rm{i}}}\rangle_{A_{j}^{\prime}}$ (logical bit 0 in $Y$ -basis) with $\delta_{a}=\pi/4$ in the entanglement-based protocol. The definitions of $|\delta_{b}^{\pm}\rangle_{B_{j}^{\prime}}$ and $|\delta_{b}^{\pm{\rm{i}}}\rangle_{B_{j}^{\prime}}$ are similar. And

		$\displaystyle\|\chi_{\delta_{a}}^{+(-)}\rangle_{a_{i}a_{j}}=\frac{\|01\rangle_{a_{i}a_{j}}\pm e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}},\|\chi_{\delta_{a}}^{+{\rm{i}}(-{\rm{i}})}\rangle_{a_{i}a_{j}}=\frac{\|01\rangle_{a_{i}a_{j}}\pm{\rm{i}}e^{-{\rm{i}}\delta_{a}}\|10\rangle_{a_{i}a_{j}}}{\sqrt{2}},$		(48)
		$\displaystyle\|\chi_{\delta_{b}}^{+(-)}\rangle_{b_{i}b_{j}}=\frac{\|01\rangle_{b_{i}b_{j}}\pm e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}},\|\chi_{\delta_{b}}^{+{\rm{i}}(-{\rm{i}})}\rangle_{b_{i}b_{j}}=\frac{\|01\rangle_{b_{i}b_{j}}\pm{\rm{i}}e^{-{\rm{i}}\delta_{b}}\|10\rangle_{b_{i}b_{j}}}{\sqrt{2}}.$		(48)

The probability of Alice and Bob obtaining the measurement results $|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}$ and $|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}$ is

	$\displaystyle\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)=$	$\displaystyle\Tr{\langle\delta_{a}^{+}\|_{A^{\prime}_{j}}\langle\delta_{b}^{-}\|_{B^{\prime}_{j}}\rho_{T_{1}}^{i,j}\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}}$		(49)
	$\displaystyle=$	$\displaystyle\frac{p_{1}^{4}p_{1\|2\mu}^{2}{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{4\pi^{2}}\Tr\left\{\hat{M}_{E}\bm{\mathcal{P}}\left[\|\chi_{\delta_{a}}^{+}\rangle_{a_{i}a_{j}}\|\chi_{\delta_{b}}^{-}\rangle_{b_{i}b_{j}}\right]\hat{M}^{\dagger}_{E}\right\}.$		(49)

The probabilities of obtaining the other measurement results are similar.

In the key mapping step of the six-state protocol, Bob decides whether to reverse his basis and logical bit according to the relation between $\delta_{a}$ , $\delta_{b}$ and Charlie’s clicks. If $|\delta_{a}-\delta_{b}|\leq\Delta$ , Bob keeps his basis and logical bit; if $\delta_{b}-\delta_{a}\geq\pi/2-\Delta$ and the bases of Alice and Bob are $X$ - and $Y$ -basis, Bob reverses his basis and his logical bit; if $\delta_{b}-\delta_{a}\geq\pi/2-\Delta$ and the bases of two users are $Y$ - and $X$ -basis, Bob only reverses his basis; if $\delta_{a}-\delta_{b}\geq\pi/2-\Delta$ and the bases of two users are $Y$ - and $X$ -basis, Bob reverses his basis and his logical bit; and if $\delta_{a}-\delta_{b}\geq\pi/2-\Delta$ and the bases of two users are $X$ - and $Y$ -basis, Bob only reverses his basis. In the entanglement-based protocol, Bob implements this operation by changing the classical information of $B^{\prime}_{j}$ after the measurement.

After the reverse operation, the yield of the $X$ -pair preparation

$\displaystyle q_{X_{1}}=$	$\displaystyle\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}^{X}\delta_{b}^{X}\right)+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}^{X}\delta_{b}^{X}\right)+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{X}\delta_{b}^{X}\right)$	(50)
	$\displaystyle+\int_{0}^{\Delta}\int_{\delta_{a}+\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{X}\delta_{b}^{Y}\right)+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{X}\delta_{b}^{Y}\right)$
$\displaystyle=$	$\displaystyle\frac{\Delta}{\pi}\Tr\rho_{T_{1}}^{i,j},$

where

$\displaystyle{\rm{Pr}}(\delta_{a}^{X}\delta_{b}^{X})=$	$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)$	(51)
$\displaystyle=$	$\displaystyle\frac{{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{\pi^{2}}\Tr\rho_{T_{1}}^{i,j}.$
$\displaystyle{\rm{Pr}}(\delta_{a}^{X}\delta_{b}^{Y})=$	$\displaystyle{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+{\rm{Pr}}\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)$
$\displaystyle=$	$\displaystyle\frac{{\rm{d}}\delta_{a}{\rm{d}}\delta_{b}}{\pi^{2}}\Tr\rho_{T_{1}}^{i,j}.$

And the single-photon bit error rate of $X$ -pair preparation is

$\displaystyle e_{X_{1}}^{\rm{bit}}=$	$\displaystyle\frac{1}{q_{X_{1}}}\left\{\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}\left[\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)\right]\right.$	(52)
	$\displaystyle+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}\left[\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}\left[\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle+\int_{0}^{\Delta}\int_{\delta_{a}+\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\left[\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle\left.+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}\left[\Pr\left(\|\delta_{a}^{+}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)\right]\right\}.$

As is proved in the original protocol, it’s not restrictive to introduce unitary operations $U^{\delta_{a}}_{A}$ , $U^{\delta_{b}}_{B}$ to the joint density matrix of the $Z$ -pair preparation. We come to the main conclusion of the six-state protocol:

$\displaystyle e_{Z_{1}}^{X}=$	$\displaystyle\frac{1}{q_{X_{1}}}\left\{\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}\Pr\left(\delta_{a}^{X}\delta_{b}^{X}\right)e_{Z}^{X}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)\right.+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}\Pr\left(\delta_{a}^{X}\delta_{b}^{X}\right)e_{Z}^{X}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)$	(53)
	$\displaystyle+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}\Pr\left(\delta_{a}^{X}\delta_{b}^{X}\right)e_{Z}^{X}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)+\int_{0}^{\Delta}\int_{\delta_{a}+\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\Pr\left(\delta_{a}^{X}\delta_{b}^{Y}\right)e_{Z}^{X}\left(U^{-\delta_{a}}_{A}U^{-(\delta_{b}-\frac{\pi}{2})}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}-\frac{\pi}{2})}_{B}U^{\delta_{a}}_{A}\right)$
	$\displaystyle\left.+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}\Pr\left(\delta_{a}^{X}\delta_{b}^{Y}\right)e_{Z}^{X}\left(U^{-\delta_{a}}_{A}U^{-(\delta_{b}+\frac{\pi}{2})}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}+\frac{\pi}{2})}_{B}U^{\delta_{a}}_{A}\right)\right\}$
$\displaystyle=$	$\displaystyle e_{X_{1}}^{\rm{bit}}.$

Similarly,

$\displaystyle q_{Y_{1}}=$	$\displaystyle\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}{\rm{Pr}}\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)$	(54)
	$\displaystyle+\int_{0}^{\Delta}\int_{\delta_{a}+\pi-\Delta}^{\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{Y}\delta_{b}^{X}\right)+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}{\rm{Pr}}\left(\delta_{a}^{Y}\delta_{b}^{X}\right)$
$\displaystyle=$	$\displaystyle\frac{\Delta}{\pi}\Tr\rho_{T_{1}}^{i,j},$

and

$\displaystyle e_{Z_{1}}^{Y}=$	$\displaystyle\frac{1}{q_{Y_{1}}}\left\{\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}\left[\Pr\left(\|\delta_{a}^{+{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)\right]\right.$	(55)
	$\displaystyle+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}\left[\Pr\left(\|\delta_{a}^{+{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}\left[\Pr\left(\|\delta_{A}^{+{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+{\rm{i}}}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle+\int_{0}^{\Delta}\int_{\delta_{a}+\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\left[\Pr\left(\|\delta_{a}^{+{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)\right]$
	$\displaystyle\left.+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}\left[\Pr\left(\|\delta_{a}^{+{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{+}\rangle_{B^{\prime}_{j}}\right)+\Pr\left(\|\delta_{a}^{-{\rm{i}}}\rangle_{A^{\prime}_{j}}\|\delta_{b}^{-}\rangle_{B^{\prime}_{j}}\right)\right]\right\}$
$\displaystyle=$	$\displaystyle\frac{1}{q_{Y_{1}}}\left\{\int_{0}^{\Delta}\int_{0}^{\delta_{a}+\Delta}\Pr\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)e_{Z}^{Y}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)\right.$
	$\displaystyle+\int_{\Delta}^{\frac{\pi}{2}-\Delta}\int_{\delta_{a}-\Delta}^{\delta_{a}+\Delta}\Pr\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)e_{Z}^{Y}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)$
	$\displaystyle+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{\delta_{a}-\Delta}^{\frac{\pi}{2}}\Pr\left(\delta_{a}^{Y}\delta_{b}^{Y}\right)e_{Z}^{Y}\left(U^{-\delta_{a}}_{A}U^{-\delta_{b}}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{\delta_{b}}_{B}U^{\delta_{a}}_{A}\right)$
	$\displaystyle+\int_{0}^{\Delta}\int_{\delta_{a}+\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\Pr\left(\delta_{a}^{Y}\delta_{b}^{X}\right)e_{Z}^{Y}\left(U^{-\delta_{a}}_{A}U^{-(\delta_{b}-\frac{\pi}{2})}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}-\frac{\pi}{2})}_{B}U^{\delta_{a}}_{A}\right)$
	$\displaystyle\left.+\int_{\frac{\pi}{2}-\Delta}^{\frac{\pi}{2}}\int_{0}^{\delta_{a}+\Delta-\frac{\pi}{2}}\Pr\left(\delta_{a}^{Y}\delta_{b}^{X}\right)e_{Z}^{Y}\left(U^{-\delta_{a}}_{A}U^{-(\delta_{b}+\frac{\pi}{2})}_{B}\tilde{\rho}_{Z_{1}}^{i,j}U^{(\delta_{b}+\frac{\pi}{2})}_{B}U^{\delta_{a}}_{A}\right)\right\}$
$\displaystyle=$	$\displaystyle e_{Y_{1}}^{\rm{bit}}.$

To summarize, $e_{X_{1}}^{\rm{bit}}$ and $e_{Y_{1}}^{\rm{bit}}$ is a random sampling without replacement for $e_{Z_{1}}^{X}$ and $e_{Z_{1}}^{Y}$ .

Just like the analysis of the original protocol, by employing the the quantum leftover hash lemma, the chain rules, and the uncertainty relation of smooth min- and max-entropy,

		$\displaystyle 2\varepsilon+\frac{1}{2}\sqrt{2^{l_{s}-H_{\rm{min}}^{\varepsilon}(\mathbf{Z}\|E^{\prime})}}\leq\varepsilon_{\rm{sec}},$		(56)
		$\displaystyle H_{\rm{min}}^{\varepsilon}(\mathbf{Z}\|E^{\prime})\geq H_{\rm{min}}^{\overline{\varepsilon}}(\mathbf{Z}_{1}\|\mathbf{Z}_{\rm{zm}}E)-2\log_{2}\frac{\sqrt{2}}{\hat{\varepsilon}}-{\lambda_{\rm{EC}}}-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}},$
		$\displaystyle H_{\rm{min}}^{\overline{\varepsilon}}(\mathbf{Z}_{1}\|\mathbf{Z}_{\rm{zm}}E)\geq n_{Z_{1}}^{\rm{L}}\left[1-e_{Z_{1}}^{\rm{bit,U}}\right]\left[1-h\left(\frac{1-\frac{1}{2}\left(e_{Z_{1}}^{\rm{bit,U}}+\left(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\right)^{\rm{U}}\right)}{1-e_{Z_{1}}^{\rm{bit,U}}}\right)\right],$

where $\varepsilon=2\overline{\varepsilon}+\hat{\varepsilon}$ and $\overline{\varepsilon}=\sqrt{1-(1-\varepsilon_{1}-\varepsilon_{e}^{\prime})(1-\varepsilon_{1}-\varepsilon_{e}^{\prime\prime})}$ . The inequation of $H_{\rm{min}}^{\bar{\varepsilon}}(\mathbf{Z}_{1}|\mathbf{Z}_{\rm{zm}}E)$ is got by the method which is shown in Appendix A of Ref. Wang et al. (2021). Then the secret key length can be given by

	$\displaystyle l_{s}\leq$	$\displaystyle n_{Z_{1}}^{\rm{L}}\left[1-e_{Z_{1}}^{\rm{bit,U}}\right]\left[1-h\left(\frac{1-\frac{1}{2}\left(e_{Z_{1}}^{\rm{bit,U}}+\left(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\right)^{\rm{U}}\right)}{1-e_{Z_{1}}^{\rm{bit,U}}}\right)\right]$		(57)
		$\displaystyle-{\lambda_{\rm{EC}}}-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}}-2\log_{2}{\frac{1}{\sqrt{2}\hat{\varepsilon}\varepsilon_{\rm{PA}}}},$		(57)

where $\varepsilon_{\rm{sec}}=2\hat{\varepsilon}+4\overline{\varepsilon}+\varepsilon_{\rm{PA}}$ .

Supplementary Note B: Simulation of observed values

For simulating the secret key rate without doing an experiment, we employ a theoretical model to simulate the observed values of the experiment, which include the effective detection number and bit error number of different intensities. Without loss of generality, we assume that the properties of Charlie’s two detectors are the same. As is defined in the main text, $k^{i}_{a}$ and $k^{i}_{b}$ are Alice and Bob’s preparation intensities of the $i$ -th round, $k^{i}_{a}\in\{\mu_{a},\nu_{a},o\}$ , $k^{i}_{b}\in\{\mu_{b},\nu_{b},o\}$ . $k={(k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})}$ is the group of the intensities in the $i$ -th round and $j$ -th round, $k_{a}=k^{i}_{a}+k^{j}_{a}$ , and $k_{b}=k^{i}_{b}+k^{j}_{b}$ .

In the $i$ -th round, the response probability of only L or R detector can be given by Ma and Razavi (2012); Xie et al. (2022)

	$\displaystyle q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}$	$\displaystyle=(1-p_{d})e^{-\frac{k^{i}_{a}\eta_{a}+k^{i}_{b}\eta_{b}}{2}}\left[e^{\sqrt{k^{i}_{a}\eta_{a}k^{i}_{b}\eta_{b}}\cos\theta^{i}}-(1-p_{d})e^{-\frac{k^{i}_{a}\eta_{a}+k^{i}_{b}\eta_{b}}{2}}\right],$		(58)
	$\displaystyle q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}$	$\displaystyle=(1-p_{d})e^{-\frac{k^{i}_{a}\eta_{a}+k^{i}_{b}\eta_{b}}{2}}\left[e^{-\sqrt{k^{i}_{a}\eta_{a}k^{i}_{b}\eta_{b}}\cos\theta^{i}}-(1-p_{d})e^{-\frac{k^{i}_{a}\eta_{a}+k^{i}_{b}\eta_{b}}{2}}\right],$		(58)

where $\theta^{i}=\theta^{i}_{a}-\theta^{i}_{b}$ , $p_{d}$ is the dark count rate, $\eta_{a}=\eta_{d}10^{-\alpha L_{a}/10}$ and $\eta_{b}=\eta_{d}10^{-\alpha L_{b}/10}$ are the overall efficiency of Alice and Bob, $\eta_{d}$ is the detector efficiency, $\alpha$ is the attenuation coefficient of the fiber, and $L_{a}$ , $L_{b}$ are the distances between Alice, Bob and Charlie. For simplicity, we define $y=(1-p_{d})\exp(-(k^{i}_{a}\eta_{a}+k^{i}_{b}\eta_{b})/2)$ and $\omega=\sqrt{k^{i}_{a}\eta_{a}k^{i}_{b}\eta_{b}}$ . The responsive probability can be revised as

	$\displaystyle q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}$	$\displaystyle=y\left[e^{\omega\cos\theta^{i}}-y\right],$		(59)
	$\displaystyle q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}$	$\displaystyle=y\left[e^{-\omega\cos\theta^{i}}-y\right],$		(59)

As is defined in the main text, $C^{i}$ is the response of the $i$ -th round, $C^{i}=0$ is the invalid event and $C^{i}=1$ is the effective event. The average response probability during each round, $p$ , can be given by a weighted average of conditional probability,

\displaystyle p=

\displaystyle{\rm{Pr}}(C^{i}=1)=\sum_{k^{i}_{a}k^{i}_{b}}p_{k^{i}_{a}}p_{k^{i}_{b}}{\rm{Pr}}(C^{i}=1|k^{i}_{a}k^{i}_{b}),

(60)

where the conditional probability ${\rm{Pr}}(C^{i}=1|k^{i}_{a}k^{i}_{b})$ can be given by

\displaystyle{\rm{Pr}}(C^{i}=1|k^{i}_{a}k^{i}_{b})

\displaystyle=\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}}{2\pi}\left(q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}+q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}\right)=2y[I_{0}(\omega)-y].

(61)

$I_{0}(x)$ represents the zero-order modified Bessel function of the first kind. For a small value of $x$ , we can take the first-order approximation $I_{0}(x)\approx 1+x^{2}/4$ .

Considering the specific grouping strategy in this paper, the expected pair number generated during each round can be given by

r_{p}(p,l)=\left[\frac{1}{p[1-(1-p)^{l}]}+\frac{1}{p}\right],

(62)

where $p$ is the average response probability during each round and $l$ is the maximal pairing interval. The specific calculation is shown in Ref. Zeng et al. (2022).

In the $Z$ -pair and ’0’-pair, the number of the effective detections can be given by

$\displaystyle n_{Z}^{k}$	$\displaystyle=Nr_{p}\sum_{(k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})=k}{\rm{Pr}}(k^{i}_{a}k^{j}_{a}k^{i}_{b}k^{j}_{b}\|C^{i}=C^{j}=1)$	(63)
	$\displaystyle=Nr_{p}\sum_{(k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})=k}\frac{{\rm{Pr}}(k^{i}_{a}k^{i}_{b})}{{\rm{Pr}}(C^{i}=1)}{\rm{Pr}}(C^{i}=1\|k^{i}_{a}k^{i}_{b})\frac{{\rm{Pr}}(k^{j}_{a}k^{j}_{b})}{{\rm{Pr}}(C^{j}=1)}{\rm{Pr}}(C^{j}=1\|k^{j}_{a}k^{j}_{b})$
	$\displaystyle=\frac{Nr_{p}}{p^{2}}\sum_{(k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})=k}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b}){\rm{Pr}}(C^{i}=1\|k^{i}_{a}k^{i}_{b}){\rm{Pr}}(C^{j}=1\|k^{j}_{a}k^{j}_{b}),$

where $k\in\{(\mu_{A},\mu_{B}),(\mu_{A},\nu_{B}),(\mu_{A},0),(\nu_{A},\mu_{B}),(\nu_{A},\nu_{B}),(\nu_{A},0),(0,\mu_{B}),(0,\nu_{B}),(0,0)\}$ and ${\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b})=p_{k^{i}_{a}}p_{k^{i}_{b}}p_{k^{j}_{a}}p_{k^{j}_{b}}$ . Then we consider the error effective detections. For $k\in\{(\mu_{A},0),(\nu_{A},0),(0,\mu_{B}),(0,\nu_{B}),(0,0)\}$ , the number of the error effective detections without considering $e_{d}^{Z}$ is $m_{Z}^{k,0}=n_{Z}^{k}/2$ , where $e_{d}^{Z}$ is the misalignment-error of the $Z$ -pair. And for $k\in\{(\mu_{A},\mu_{B}),(\mu_{A},\nu_{B}),(\nu_{A},\mu_{B}),(\nu_{A},\nu_{B})\}$ , the number of the error effective detections without considering $e_{d}^{Z}$ is

$\displaystyle m_{Z}^{k,0}$	$\displaystyle=Nr_{p}\left[{\rm{Pr}}(k^{i}_{a}=k^{i}_{b}=0\|C^{i}=C^{j}=1)+{\rm{Pr}}(k^{j}_{a}=k^{j}_{b}=0\|C^{i}=C^{j}=1)\right]$	(64)
	$\displaystyle=\frac{Nr_{p}}{p^{2}}\sum_{\begin{subarray}{c}k^{i}_{a}=k^{i}_{b}=0,\\ (k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})=k\end{subarray}}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b}){\rm{Pr}}(C^{i}=1\|k^{i}_{a}k^{i}_{b}){\rm{Pr}}(C^{j}=1\|k^{j}_{a}k^{j}_{b})$
	$\displaystyle+\frac{Nr_{p}}{p^{2}}\sum_{\begin{subarray}{c}k^{j}_{a}=k^{j}_{b}=0,\\ (k^{i}_{a}+k^{j}_{a},k^{i}_{b}+k^{j}_{b})=k\end{subarray}}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b}){\rm{Pr}}(C^{i}=1\|k^{i}_{a}k^{i}_{b}){\rm{Pr}}(C^{j}=1\|k^{j}_{a}k^{j}_{b}).$

And when we take $e_{d}^{Z}$ into consideration,

\displaystyle m_{Z}^{k}

\displaystyle=(1-e_{d}^{Z})m_{Z}^{k,0}+e_{d}^{Z}(n_{Z}^{k}-m_{Z}^{k,0}).

(65)

In the $X$ -pair of the original protocol, the number of the effective detections before phase postselection can be given by

\displaystyle n_{X}^{k,all}

\displaystyle=\frac{Nr_{p}}{p^{2}}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b}){\rm{Pr}}(C^{i}=1|k^{i}_{a}k^{i}_{b}){\rm{Pr}}(C^{j}=1|k^{j}_{a}k^{j}_{b}),

(66)

where $k\in\{(2\mu_{A},2\mu_{B}),(2\mu_{A},2\nu_{B}),(2\mu_{A},0),(2\nu_{A},2\mu_{B}),(2\nu_{A},2\nu_{B}),(2\nu_{A},0),(0,2\mu_{B}),(0,2\nu_{B})\}$ .

In the key mapping step, Alice and Bob take the phase postselection to $\delta_{a}$ and $\delta_{b}$ . For the events that $k_{a}=0$ or $k_{b}=0$ ( $k\in\{(2\mu_{A},0),(2\nu_{A},0),(0,2\mu_{B}),(0,2\nu_{B})\}$ ), they retain all the data pairs, the number of the reversed effective detections is $n_{X}^{k}=n_{X}^{k,all}$ , $m_{X}^{k,0}=n_{X}^{k,all}/2$ . And for the other events, the number of the reversed effective detections is

$\displaystyle n_{X}^{k}=$	$\displaystyle n_{X}^{k,all}\frac{\int_{0}^{2\pi}{\rm{d}}\theta^{i}\int_{-\Delta}^{\Delta}{\rm{d}}\delta\left(q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}+q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}\right)\left(q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}+\delta}+q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}+\delta}\right)}{\int_{0}^{2\pi}{\rm{d}}\theta^{i}\int_{0}^{2\pi}{\rm{d}}\delta\left(q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}+q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}\right)\left(q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}+\delta}+q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}+\delta}\right)}$	(67)
	$\displaystyle+n_{X}^{k,all}\frac{\int_{0}^{2\pi}{\rm{d}}\theta^{i}\int_{\pi-\Delta}^{\pi+\Delta}{\rm{d}}\delta\left(q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}+q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}\right)\left(q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}+\delta}+q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}+\delta}\right)}{\int_{0}^{2\pi}{\rm{d}}\theta^{i}\int_{0}^{2\pi}{\rm{d}}\delta\left(q_{k^{i}_{a}k^{i}_{b}}^{L,\theta^{i}}+q_{k^{i}_{a}k^{i}_{b}}^{R,\theta^{i}}\right)\left(q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}+\delta}+q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}+\delta}\right)}$
$\displaystyle=$	$\displaystyle\frac{Nr_{p}}{p^{2}}\frac{2\Delta}{\pi}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b})$
	$\displaystyle\times\left[y^{2}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}}{2\pi}\int_{-\Delta}^{\Delta}\frac{{\rm{d}}\delta}{2\Delta}\left(e^{\omega\cos\theta^{i}}+e^{-\omega\cos\theta^{i}}\right)\left(e^{\omega\cos(\theta^{i}+\delta)}+e^{-\omega\cos(\theta^{i}+\delta)}\right)-8y^{3}I_{0}(\omega)+4y^{4}\right],$

where $\theta^{i}=\theta^{i}_{a}-\theta^{i}_{b}$ , $\delta=\delta_{a}-\delta_{b}$ . The quantity without considering $e_{d}^{X}$ can be given by

	$\displaystyle m_{X}^{k,0}$	$\displaystyle=\frac{Nr_{p}}{p^{2}}\frac{2\Delta}{\pi}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b})\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}}{2\pi}\int_{-\Delta}^{\Delta}\frac{{\rm{d}}\delta}{2\Delta}(q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}}q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}+\delta}+q_{k^{j}_{a}k^{j}_{b}}^{R,\theta^{i}}q_{k^{j}_{a}k^{j}_{b}}^{L,\theta^{i}+\delta})$		(68)
		$\displaystyle=\frac{Nr_{p}}{p^{2}}\frac{2\Delta}{\pi}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b})\left[y^{2}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}}{2\pi}\int_{-\Delta}^{\Delta}\frac{{\rm{d}}\delta}{2\Delta}\left(e^{\omega\left(\cos\theta^{i}-\cos(\theta^{i}+\delta)\right)}+e^{-\omega\left(\cos\theta^{i}-\cos(\theta^{i}+\delta)\right)}\right)-4y^{3}I_{0}(\omega)+2y^{4}\right].$		(68)

When we take $e_{d}^{X}$ into consideration,

\displaystyle m_{X}^{k}

\displaystyle=(1-e_{d}^{X})m_{X}^{k,0}+e_{d}^{X}(n_{X}^{k}-m_{X}^{k,0}).

(69)

The simulations of the $X$ - and $Y$ -pair of the six-state protocol are in the same way. However, in the six-state protocol, we divided the original protocol’s $X$ -pair into two pairs, the number of the reversed error effective detections of $X$ -pair ( $Y$ -pair), $\overline{m}_{X(Y)}^{k}$ , are half of $m_{X}^{k}$ .

Supplementary Note C: Simulation formulas

In this section, we show the specific formulas which are employed to get the secret key length. In the $i$ -th round, Alice and Bob prepare weak coherent states $|\sqrt{k^{i}_{a}}\exp({\rm{i}}\theta^{i}_{a})\rangle$ and $|\sqrt{k^{i}_{b}}\exp({\rm{i}}\theta^{i}_{b})\rangle$ . After the mode pairing, basis sifting and key mapping steps, the basis, the key bit and the alignment angle of different pairs are determined. As is proof in the Ref. Zeng et al. (2022), the traditional decoy-state formulas for MDI-QKD can be employed directly by introducing the ’gain’ and ’yield’. It should be noted that the ’gain’ and ’yield’ are analogous values to the MDI’s gain and yield, but not the real gain and yield of MP-QKD. In this study, we analyze the secret key length by employing joint constraints Yu et al. (2015).

Original MP-QKD protocol

The lower bound of the single-photon effective detection number and the upper bound of phase error rate of the single-photon components in the raw key, which are denoted as $n_{Z_{1}}^{\rm{L}}$ and $e_{Z_{1}}^{\rm{ph},U}$ , is needed for obtaining the secret key length. Actually, the expected values of the ’yield’ and the phase error rate of the single-photon components in the raw key satisfy

\displaystyle\langle y_{Z_{1}}\rangle=\langle y_{X_{1}}\rangle,\langle e_{Z_{1}}^{\rm{ph}}\rangle=\langle e_{X_{1}}^{\rm{bit}}\rangle,

(70)

where $\langle y_{X_{1}}\rangle$ is the expected value of the ’yield’ of the $X$ -pair, and $\langle e_{X_{1}}^{\rm{bit}}\rangle$ is the expected value of the single-photon bit error rate in the $X$ -pair Jiang et al. (2021). So, we can estimate $n_{Z_{1}}^{\rm{L}}$ by employing $\langle y_{Z_{1}}\rangle$ , $e_{Z_{1}}^{\rm{ph},U}$ by employing $\langle e_{X_{1}}^{\rm{bit}}\rangle$ with the Chernoff bound

		$\displaystyle n_{Z_{1}}^{\rm{L}}=O^{\rm{L}}({\sum_{\begin{subarray}{c}k_{a}\in\{\mu_{a},\nu_{a}\},\\ k_{b}\in\{\mu_{b},\nu_{b}\}\end{subarray}}N_{Z}^{k}k_{a}k_{b}e^{(-k_{a}-k_{b})}\langle y_{Z_{1}}\rangle^{\rm{L}},\xi_{y}}),$		(71)
		$\displaystyle e_{Z_{1}}^{\rm{ph},U}=O^{\rm{U}}({n_{Z_{1}}^{\rm{L}}\langle e_{X_{1}}^{\rm{bit}}\rangle^{\rm{U}},\xi_{e}})/n_{Z_{1}}^{\rm{L}},$		(71)

where $N_{Z}^{k}=\frac{N}{2}\sum_{k}{\rm{Pr}}(k^{i}_{a}k^{i}_{b}k^{j}_{a}k^{j}_{b})$ . It should be noted that $N_{Z}^{k}$ is the expected number of pairs with $k$ . $O^{\rm{L}}(E,\xi)$ and $O^{\rm{U}}(E,\xi)$ are defined in Supplementary Note E. For obtaining the bound of expected values $\langle y_{Z_{1}}\rangle$ and $\langle e_{X_{1}}^{\rm{bit}}\rangle$ , we employ the decoy-state formulas which are shown in Ref. Yu et al. (2015); Lu et al. (2020). $a_{n}$ , $a^{\prime}_{n}$ , $b_{n}$ , and $b^{\prime}_{n}$ are employed to denote poisson distribution probabilities of intensities $\nu_{a}$ , $\mu_{a}$ , $\nu_{b}$ , and $\mu_{b}$ ,

\displaystyle a_{n}=\frac{\nu_{a}^{n}e^{-\nu_{a}}}{n!},a_{n}^{\prime}=\frac{\mu_{a}^{n}e^{-\mu_{a}}}{n!},b_{n}=\frac{\nu_{b}^{n}e^{-\nu_{b}}}{n!},b_{n}^{\prime}=\frac{\mu_{b}^{n}e^{-\mu_{b}}}{n!},

(72)

respectively. If $\frac{a_{1}^{\prime}b_{2}^{\prime}}{a_{1}b_{2}}\leq\frac{a_{2}^{\prime}b_{1}^{\prime}}{a_{2}b_{1}}$ , the lower bound of $\langle y_{Z_{1}}\rangle$ can be estimated by

\displaystyle\langle y_{Z_{1}}\rangle^{\rm{L}}=\frac{Y_{+}^{\rm{L}}-Y_{-}^{\rm{U}}}{a_{1}a_{1}^{\prime}\tilde{b}_{12}},

(73)

where $\tilde{b}_{12}=b_{1}b_{2}^{\prime}-b_{1}^{\prime}b_{2}$ , and

	$\displaystyle Y_{+}^{\rm{L}}$	$\displaystyle=\rm{min}:\frac{a_{1}^{\prime}b_{2}^{\prime}}{N_{Z}^{(\nu,\nu)}}\langle n_{Z}^{(\nu,\nu)}\rangle+\frac{a_{1}b_{2}a_{0}^{\prime}}{N_{Z}^{(0,\mu)}}\langle n_{Z}^{(0,\mu)}\rangle+\frac{a_{1}b_{2}b_{0}^{\prime}}{N_{Z}^{(\mu,0)}}\langle n_{Z}^{(\mu,0)}\rangle+\frac{a_{1}^{\prime}b_{2}^{\prime}a_{0}b_{0}-a_{1}b_{2}a_{0}^{\prime}b_{0}^{\prime}}{N_{Z}^{(0,0)}}\langle n_{Z}^{(0,0)}\rangle,$		(74)
	$\displaystyle Y_{-}^{\rm{U}}$	$\displaystyle=\rm{max}:\frac{a_{1}b_{2}}{N_{Z}^{(\mu,\mu)}}\langle n_{Z}^{(\mu,\mu)}\rangle+\frac{a_{1}^{\prime}b_{2}^{\prime}a_{0}}{N_{Z}^{(0,\nu)}}\langle n_{Z}^{(0,\nu)}\rangle+\frac{a_{1}^{\prime}b_{2}^{\prime}b_{0}}{N_{Z}^{(\nu,0)}}\langle n_{Z}^{(\nu,0)}\rangle.$		(74)

Here we employ the method of joint study to obtain $Y_{+}^{\rm{L}}$ and $Y_{-}^{\rm{U}}$ , which is proposed in Ref. Yu et al. (2015). The core of this method is to use joint constraints between different measured values to limit the influence of statistical fluctuations. For example, $Y_{+}^{\rm{L}}$ can be simply written as $\rm{min}:\gamma_{1}g_{1}+\gamma_{2}g_{2}+\gamma_{3}g_{3}+\gamma_{4}g_{4}$ , where $\gamma_{i}(i\in\{1,2,3,4\})$ is the coefficient behind the expected values, and $g_{i}(i\in\{1,2,3,4\})$ is the expected value of measured values. In the method of joint study, we not only employ the Chernoff Bound to estimate the lower bound of $g_{i}$ , but also employ $g_{i}+g_{i^{\prime}}(i\neq i^{\prime},i,i^{\prime}\in\{1,2,3,4\})$ , $g_{i}+g_{i^{\prime}}+g_{i^{\prime\prime}}(i\neq i^{\prime}\neq i^{\prime\prime},i,i^{\prime},i^{\prime\prime}\in\{1,2,3,4\})$ and $g_{1}+g_{2}+g_{3}+g_{4}$ to bound the lower bound of $Y_{+}^{\rm{L}}$ . Here different $g_{i}$ are seen as a same event. The specific descriptions are shown in Supplementary Note D. For simplicity, $Y_{+}^{\rm{L}}$ and $Y_{-}^{\rm{U}}$ are rewrote as

	$\displaystyle Y_{+}^{\rm{L}}$	$\displaystyle={F}^{\rm{L}}\left(\frac{a_{1}^{\prime}b_{2}^{\prime}}{N_{Z}^{(\nu,\nu)}},\frac{a_{1}b_{2}a_{0}^{\prime}}{N_{Z}^{(0,\mu)}},\frac{a_{1}b_{2}b_{0}^{\prime}}{N_{Z}^{(\mu,0)}},\frac{a_{1}^{\prime}b_{2}^{\prime}a_{0}b_{0}-a_{1}b_{2}a_{0}^{\prime}b_{0}^{\prime}}{N_{Z}^{(0,0)}},n_{Z}^{(\nu,\nu)},n_{Z}^{(0,\mu)},n_{Z}^{(\mu,0)},n_{Z}^{(0,0)},\xi_{y_{1}},\xi_{y_{2}},\xi_{y_{3}},\xi_{y_{4}}\right),$		(75)
	$\displaystyle Y_{-}^{\rm{U}}$	$\displaystyle={F}^{\rm{U}}\left(\frac{a_{1}b_{2}}{N_{Z}^{(\mu,\mu)}},\frac{a_{1}^{\prime}b_{2}^{\prime}a_{0}}{N_{Z}^{(0,\nu)}},\frac{a_{1}^{\prime}b_{2}^{\prime}b_{0}}{N_{Z}^{(\nu,0)}},0,n_{Z}^{(\mu,\mu)},n_{Z}^{(0,\nu)},n_{Z}^{(\nu,0)},0,\xi_{y_{5}},\xi_{y_{6}},\xi_{y_{7}},0\right).$		(75)

The functions ${F}^{\rm{L}}(\cdot)$ and ${F}^{\rm{U}}(\cdot)$ are analyzed by employing joint constraints with the Chernoff bound, which is shown in Supplementary Note D. In the case of $\frac{a_{1}^{\prime}b_{2}^{\prime}}{a_{1}b_{2}}>\frac{a_{2}^{\prime}b_{1}^{\prime}}{a_{2}b_{1}}$ , the lower bound of $\langle y_{Z_{1}}\rangle$ can be obtained by making the exchange between $a_{n}$ and $b_{n}$ , and the exchange between $a_{n}^{\prime}$ and $b_{n}^{\prime}$ , for $n=1,2$ .

Moreover, the upper bound of $\langle e_{X_{1}}^{\rm{bit}}\rangle$ satisfies

\displaystyle\langle e_{X_{1}}^{\rm{bit}}\rangle^{\rm{U}}=\frac{T_{+}^{\rm{U}}-T_{-}^{\rm{L}}}{a_{1}b_{1}\langle y_{Z_{1}}\rangle^{\rm{L}}},

(76)

where

	$\displaystyle T_{+}^{\rm{U}}=$	$\displaystyle{F}^{\rm{L}}\left(\frac{1}{N_{X}^{(2\nu,2\nu)}},\frac{a_{0}b_{0}}{N_{X}^{(0,0)}},0,0,\right.\left.m_{X}^{(2\nu,2\nu)},m_{X}^{(0,0)},0,0,\xi_{e_{1}},\xi_{e_{2}},0,0\right),$		(77)
	$\displaystyle T_{-}^{\rm{L}}=$	$\displaystyle{F}^{\rm{U}}\left(\frac{a_{0}}{N_{X}^{(0,2\nu)}},\frac{b_{0}}{N_{X}^{(2\nu,0)}},0,0,\right.\left.m_{X}^{(0,2\nu)},m_{X}^{(2\nu,0)},0,0,\xi_{e_{3}},\xi_{e_{4}},0,0\right).$		(77)

Here $N_{X}^{(2\nu,2\nu)}=\frac{N\Delta}{\pi}p_{\nu}^{4}$ , $N_{X}^{(0,2\nu)}=N_{X}^{(2\nu,0)}=\frac{N}{2}p_{\nu}^{2}p_{o}^{2}$ , and $N_{X}^{(0,0)}=\frac{N}{2}p_{o}^{4}$ .

In the universally composable framework, $\varepsilon_{1}$ is the probability that the real value of the number of single-photon bits is smaller than $n_{Z_{1}}^{\rm{L}}$ , and $\varepsilon_{e}$ is the probability that the real value of the phase error rate of single-photon component in $n_{Z}^{\rm{L}}$ is bigger than $e_{Z_{1}}^{\rm{ph},U}$ . With the calculation method above, the failure probability of the estimation of $n_{Z_{1}}^{\rm{L}}$ and $e_{Z_{1}}^{\rm{ph},U}$ are

	$\displaystyle\varepsilon_{1}=$	$\displaystyle\xi_{y}+\xi_{y_{1}}+\xi_{y_{2}}+\xi_{y_{3}}+\xi_{y_{4}}+\xi_{y_{5}}+\xi_{y_{6}}+\xi_{y_{7}},$		(78)
	$\displaystyle\varepsilon_{e}=$	$\displaystyle\xi_{e}+\xi_{e_{1}}+\xi_{e_{2}}+\xi_{e_{3}}+\xi_{e_{4}}.$		(78)

Six-state MP-QKD protocol

For the six-state MP-QKD protocol, we need $n_{Z_{1}}^{\rm{L}}$ , $e_{Z_{1}}^{\rm{bit,U}}$ , and $(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}})^{\rm{U}}$ to obtain the secret key length. $e_{Z_{1}}^{\rm{bit,U}}$ is the upper bound of the bit error rate in the single-photon component of the raw key. $(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}})^{\rm{U}}$ is the upper bound of the sum of the bit error rate if Alice and Bob measure the single-photon component of the raw key in $\hat{X}$ and $\hat{Y}$ .

The upper bound of $\langle e_{Z_{1}}^{\rm{bit}}\rangle$ satisfies

\displaystyle\langle e_{Z_{1}}^{\rm{bit}}\rangle^{\rm{U}}=\frac{T_{+}^{{}^{\prime}\rm{U}}-T_{-}^{{}^{\prime}\rm{L}}}{a_{1}b_{1}\langle y_{Z_{1}}\rangle^{\rm{L}}},

(79)

where

	$\displaystyle T_{+}^{{}^{\prime}\rm{U}}=$	$\displaystyle{F}^{\rm{L}}\left(\frac{1}{N_{Z}^{(\nu,\nu)}},\frac{a_{0}b_{0}}{N_{Z}^{(0,0)}},0,0,\right.\left.m_{Z}^{(\nu,\nu)},m_{Z}^{(0,0)},0,0,\xi^{\prime}_{e_{1}},\xi^{\prime}_{e_{2}},0,0\right),$		(80)
	$\displaystyle T_{-}^{{}^{\prime}\rm{L}}=$	$\displaystyle{F}^{\rm{U}}\left(\frac{a_{0}}{N_{Z}^{(0,2\nu)}},\frac{b_{0}}{N_{Z}^{(2\nu,0)}},0,0,\right.\left.m_{Z}^{(0,\nu)},m_{Z}^{(\nu,0)},0,0,\xi^{\prime}_{e_{3}},\xi^{\prime}_{e_{4}},0,0\right).$		(80)

The upper bound of $\langle e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\rangle$ is

\displaystyle\langle e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\rangle^{\rm{U}}=\frac{T_{+}^{{}^{\prime}\rm{U}}-T_{-}^{{}^{\prime}\rm{L}}}{a_{1}b_{1}\langle y_{Z_{1}}\rangle^{\rm{L}}},

(81)

where

	$\displaystyle T_{+}^{{}^{\prime}\rm{U}}$	$\displaystyle={F}^{\rm{L}}\left(\frac{1}{\overline{N}_{X}^{(2\nu,2\nu)}},\frac{a_{0}b_{0}}{\overline{N}_{X}^{(0,0)}},0,0,\right.\left.\overline{m}_{X}^{(2\nu,2\nu)}+\overline{m}_{Y}^{(2\nu,2\nu)},\overline{m}_{X}^{(0,0)}+\overline{m}_{Y}^{(0,0)},0,0,\xi^{\prime\prime}_{e_{1}},\xi^{\prime\prime}_{e_{2}},0,0\right),$		(82)
	$\displaystyle T_{-}^{{}^{\prime}\rm{L}}$	$\displaystyle={F}^{\rm{U}}\left(\frac{a_{0}}{\overline{N}_{X}^{(0,2\nu)}},\frac{b_{0}}{\overline{N}_{X}^{(2\nu,0)}},0,0,\right.\left.\overline{m}_{X}^{(0,2\nu)}+\overline{m}_{Y}^{(0,2\nu)},\overline{m}_{X}^{(2\nu,0)}+\overline{m}_{Y}^{(0,2\nu)},0,0,\xi^{\prime\prime}_{e_{3}},\xi^{\prime\prime}_{e_{4}},0,0\right),$		(82)

Here $\overline{N}_{X}^{k}=\frac{N_{X}^{k}}{2}\left(k\in\{(2\nu,2\nu),(2\nu,0),(0,2\nu),(0,0)\}\right)$ .

Then we can get $e_{Z_{1}}^{\rm{bit,U}}$ , and $(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}})^{\rm{U}}$ by Chernoff bound,

		$\displaystyle e_{Z_{1}}^{\rm{bit,U}}=O^{\rm{U}}({n_{Z_{1}}^{\rm{L}}\langle e_{Z_{1}}^{\rm{bit}}\rangle^{\rm{U}},\xi^{\prime}_{e}})/n_{Z_{1}}^{\rm{L}},$		(83)
		$\displaystyle(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}})^{\rm{U}}=O^{\rm{U}}({n_{Z_{1}}^{\rm{L}}\langle e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\rangle^{\rm{U}},\xi^{\prime\prime}_{e}})/n_{Z_{1}}^{\rm{L}}.$		(83)

In the universally composable framework, $\varepsilon^{\prime}_{e}$ is the probability that the real value of the bit error rate of single-photon component in $n_{Z_{1}}^{\rm{L}}$ under $Z$ -pair measurement is bigger than $e_{Z_{1}}^{\rm{bit,U}}$ . $\varepsilon^{\prime\prime}_{e}$ is the probability that if Alice and Bob take $X$ -pair measurement and $Y$ -pair measurement to $n_{Z_{1}}^{\rm{L}}$ , the real value of the sum of bit error rate is bigger than $\left(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\right)^{\rm{U}}$ . With the calculation method above, the failure probability of the estimation of $e_{Z_{1}}^{\rm{bit,U}}$ and $\left(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\right)^{\rm{U}}$ are

	$\displaystyle\varepsilon^{\prime}_{e}=$	$\displaystyle\xi^{\prime}_{e}+\xi^{\prime}_{e_{1}}+\xi^{\prime}_{e_{2}}+\xi^{\prime}_{e_{3}}+\xi^{\prime}_{e_{4}},$		(84)
	$\displaystyle\varepsilon^{\prime\prime}_{e}=$	$\displaystyle\xi^{\prime\prime}_{e}+\xi^{\prime\prime}_{e_{1}}+\xi^{\prime\prime}_{e_{2}}+\xi^{\prime\prime}_{e_{3}}+\xi^{\prime\prime}_{e_{4}}.$		(84)

Supplementary Note D: Analytic results of joint constraints

Here we give the analytic results of joint constraints, which can be write into function ${F}^{\rm{L}}$ and ${F}^{\rm{U}}$ . The problem of obtaining the minimum value of function $F$ can be abstracted into

$\displaystyle\min\limits_{g_{1},g_{2},g_{3},g_{4}}$	$\displaystyle F=\gamma_{1}g_{1}+\gamma_{2}g_{2}+\gamma_{3}g_{3}+\gamma_{4}g_{4},$	(85)
$\displaystyle s.t.$	$\displaystyle g_{1}\geq E^{\rm{L}}(\widetilde{g_{1}},\xi_{1}),$
	$\displaystyle g_{2}\geq E^{\rm{L}}(\widetilde{g_{2}},\xi_{1}),$
	$\displaystyle g_{3}\geq E^{\rm{L}}(\widetilde{g_{3}},\xi_{1}),$
	$\displaystyle g_{4}\geq E^{\rm{L}}(\widetilde{g_{4}},\xi_{1}),$
	$\displaystyle g_{1}+g_{2}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{2}},\xi_{2}),$
	$\displaystyle g_{1}+g_{3}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{3}},\xi_{2}),$
	$\displaystyle g_{1}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{4}},\xi_{2}),$
	$\displaystyle g_{2}+g_{3}\geq E^{\rm{L}}(\widetilde{g_{2}}+\widetilde{g_{3}},\xi_{2}),$
	$\displaystyle g_{2}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{2}}+\widetilde{g_{4}},\xi_{2}),$
	$\displaystyle g_{3}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{3}}+\widetilde{g_{4}},\xi_{2}),$
	$\displaystyle g_{1}+g_{2}+g_{3}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{2}}+\widetilde{g_{3}},\xi_{3}),$
	$\displaystyle g_{1}+g_{2}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{2}}+\widetilde{g_{4}},\xi_{3}),$
	$\displaystyle g_{2}+g_{3}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{2}}+\widetilde{g_{3}}+\widetilde{g_{4}},\xi_{3}),$
	$\displaystyle g_{1}+g_{2}+g_{3}+g_{4}\geq E^{\rm{L}}(\widetilde{g_{1}}+\widetilde{g_{2}}+\widetilde{g_{3}}+\widetilde{g_{4}},\xi_{3}),$

where $\gamma_{1},\gamma_{2},\gamma_{3},\gamma_{4},g_{1},g_{2},g_{3},g_{4},\widetilde{g_{1}},\widetilde{g_{2}},\widetilde{g_{3}},\widetilde{g_{4}}$ all are positive and $E^{\rm{L}}(O,\xi)$ is Chernoff bound which is presented in Supplementary Note E. In this paper, $\gamma_{1}$ , $\gamma_{2}$ , $\gamma_{3}$ , and $\gamma_{4}$ are coefficients. $g_{1}$ , $g_{2}$ , $g_{3}$ , and $g_{4}$ are the expected values of $\widetilde{g_{1}}$ , $\widetilde{g_{2}}$ , $\widetilde{g_{3}}$ , and $\widetilde{g_{4}}$ which are measured in experiments, respectively.

We rearrange $\{\gamma_{1},\gamma_{2},\gamma_{3},\gamma_{4}\}$ in the ascending order, the new sequence is denoted by $\{\gamma_{1}^{\prime},\gamma_{2}^{\prime},\gamma_{3}^{\prime},\gamma_{4}^{\prime}\}$ , $\{\widetilde{g_{1}}^{\prime},\widetilde{g_{2}}^{\prime},\widetilde{g_{3}}^{\prime},\widetilde{g_{4}}^{\prime}\}$ as the corresponding rearrange of $\{\widetilde{g_{1}},\widetilde{g_{2}},\widetilde{g_{3}},\widetilde{g_{4}}\}$ according to the ascending order of $\{\gamma_{1},\gamma_{2},\gamma_{3},\gamma_{4}\}$ . In this way, the lower bound of ${F}$ can be wrote as:

$\displaystyle{F}^{\rm{L}}$	$\displaystyle(\gamma_{1},\gamma_{2},\gamma_{3},\gamma_{4},\widetilde{g_{1}},\widetilde{g_{2}},\widetilde{g_{3}},\widetilde{g_{4}},\xi_{1},\xi_{2},\xi_{3},\xi_{4})$	(86)
$\displaystyle=$	$\displaystyle\gamma_{1}^{\prime}E^{\rm{L}}(\widetilde{g_{1}}^{\prime}+\widetilde{g_{2}}^{\prime}+\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{4})+(\gamma_{2}^{\prime}-\gamma_{1}^{\prime})E^{\rm{L}}(\widetilde{g_{2}}^{\prime}+\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{3})$
	$\displaystyle+(\gamma_{3}^{\prime}-\gamma_{2}^{\prime})E^{\rm{L}}(\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{2})+(\gamma_{4}^{\prime}-\gamma_{3}^{\prime})E^{\rm{L}}(\widetilde{g_{4}}^{\prime},\xi_{1}).$

And if we want to get the upper bound of ${F}$ , we can just replace $E^{\rm{L}}(O,\xi)$ by $E^{\rm{U}}(O,\xi)$ :

$\displaystyle{F}^{\rm{U}}$	$\displaystyle(\gamma_{1},\gamma_{2},\gamma_{3},\gamma_{4},\widetilde{g_{1}},\widetilde{g_{2}},\widetilde{g_{3}},\widetilde{g_{4}},\xi_{1},\xi_{2},\xi_{3},\xi_{4})$	(87)
$\displaystyle=$	$\displaystyle\gamma_{1}^{\prime}E^{\rm{U}}(\widetilde{g_{1}}^{\prime}+\widetilde{g_{2}}^{\prime}+\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{4})+(\gamma_{2}^{\prime}-\gamma_{1}^{\prime})E^{\rm{U}}(\widetilde{g_{2}}^{\prime}+\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{3})$
	$\displaystyle+(\gamma_{3}^{\prime}-\gamma_{2}^{\prime})E^{\rm{U}}(\widetilde{g_{3}}^{\prime}+\widetilde{g_{4}}^{\prime},\xi_{2})+(\gamma_{4}^{\prime}-\gamma_{3}^{\prime})E^{\rm{U}}(\widetilde{g_{4}}^{\prime},\xi_{1}).$

Supplementary Note E: Chernoff bound

The Chernoff bound is useful in estimating the expected values from their observed values or estimating the observed values from their expected values. Let $X_{1},X_{2},...,X_{n}$ be a set of independent Bernoulli random samples (it can be in different distribution), and let $X=\sum_{i=1}^{n}X_{i}$ . The observed value of $X$ which denotes $O$ is unknown and its expected value $E$ is known. In this situation, we have

	$\displaystyle O^{\rm{L}}(E,\xi)=[1-\delta_{1}(E,\xi)]E,$		(88)
	$\displaystyle O^{\rm{U}}(E,\xi)=[1+\delta_{2}(E,\xi)]E,$		(89)

where $\delta_{1}(E,\xi)$ and $\delta_{2}(E,\xi)$ can be got by solving the following equations:

	$\displaystyle\left(\frac{e^{-\delta_{1}}}{(1-\delta_{1})^{1-\delta_{1}}}\right)^{E}=\xi,$		(90)
	$\displaystyle\left(\frac{e^{\delta_{2}}}{(1+\delta_{2})^{1+\delta_{2}}}\right)^{E}=\xi,$		(91)

where $\xi$ is the failure probability.

When the expected value $E$ is unknown and its observed value $O$ is known, we have

	$\displaystyle E^{\rm{L}}(O,\xi)=\frac{O}{1+\delta_{1}^{\prime}(O,\xi)},$		(92)
	$\displaystyle E^{\rm{U}}(O,\xi)=\frac{O}{1-\delta_{2}^{\prime}(O,\xi)},$		(93)

where $\delta_{1}^{\prime}(O,\xi)$ and $\delta_{2}^{\prime}(O,\xi)$ can be got by solving the following equations:

	$\displaystyle\left(\frac{e^{\delta_{1}^{\prime}}}{(1+\delta_{1}^{\prime})^{1+\delta_{1}^{\prime}}}\right)^{\frac{O}{1+\delta_{1}^{\prime}}}=\xi,$		(94)
	$\displaystyle\left(\frac{e^{-\delta_{2}^{\prime}}}{(1-\delta_{2}^{\prime})^{1-\delta_{2}^{\prime}}}\right)^{\frac{O}{1-\delta_{2}^{\prime}}}=\xi.$		(95)

DATA AVAILABILITY

The data that support the findings of this study are available from the corresponding author upon reasonable request.

CODE AVAILABILITY

Source codes of the plots are available from the corresponding authors on request.

ACKNOWLEDGEMENTS

This work has been supported by the National Key Research and Development Program of China (Grant No. 2020YFA0309802), the National Natural Science Foundation of China (Grant Nos. 62171424, 61961136004, 62105318, 62271463), China Postdoctoral Science Foundation (2021M693098, 2022M723064), Prospect and Key Core Technology Projects of Jiangsu provincial key R & D Program (BE2022071), the Fundamental Research Funds for the Central Universities.

COMPETING INTERESTS

The authors declare that they have no competing interests.

AUTHOR CONTRIBUTIONS

Zhen-Qiang Yin, Rong Wang, Ze-Hao Wang conceived the basic idea of the security proof. Zhen-Qiang Yin and Ze-Hao Wang finished the details of the security proof. Ze-Hao Wang performed the numerical simulations. All the authors contributed to discussing the main ideas of the security proof, checking the validity of the results, and writing the paper.

REFERENCES

References

Bennett and Brassard (1984) C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in Conf. on Computers, Systems and Signal Processing (Bangalore, 1984) p. 175.
Ekert (1991) Artur K Ekert, “Quantum cryptography based on bell’s theorem,” Physical review letters 67, 661 (1991).
Shannon (1949) Claude E Shannon, “Communication theory of secrecy systems,” The Bell system technical journal 28, 656–715 (1949).
Molotkov (2006) S. N. Molotkov, “Conferences and symposia: Quantum cryptography and v a kotel’nikov’s one-time key and sampling theorems,” Physics-Uspekhi (2006).
Makarov et al. (2006) V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Physical Review A 74, 022313 (2006).
Zhao et al. (2008) Yi Zhao, Chi Hang Fred Fung, Bing Qi, Christine Chen, and Hoi-Kwong Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Physical Review A 78, 042333 (2008).
Fung et al. (2007) Chi-Hang Fred Fung, Bing Qi, Kiyoshi Tamaki, and Hoi-Kwong Lo, “Phase-remapping attack in practical quantum-key-distribution systems,” Physical Review A 75, 032314 (2007).
Xu et al. (2010) F. Xu, B. Qi, and H. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New Journal of Physics 12, 113026 (2010).
Lydersen et al. (2010) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nature Photonics 4, 686–689 (2010).
Gerhardt et al. (2011) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system.” Nature communications 2, 349 (2011).
Qian et al. (2018) Yong-Jun Qian, De-Yong He, Shuang Wang, Wei Chen, Zhen-Qiang Yin, Guang-Can Guo, and Zheng-Fu Han, “Hacking the quantum key distribution system by exploiting the avalanche-transition region of single-photon detectors,” Physical Review Applied 10, 064062 (2018).
Wei et al. (2019) Kejin Wei, Weijun Zhang, Yan-Lin Tang, Lixing You, and Feihu Xu, “Implementation security of quantum key distribution due to polarization-dependent efficiency mismatch,” Physical Review A 100, 022325 (2019).
Lo et al. (2012) Hoi-Kwong Lo, Marcos Curty, and Bing Qi, “Measurement-device-independent quantum key distribution,” Physical review letters 108, 130503 (2012).
Braunstein and Pirandola (2012) Samuel L Braunstein and Stefano Pirandola, “Side-channel-free quantum key distribution,” Physical review letters 108, 130502 (2012).
Ma and Razavi (2012) Xiongfeng Ma and Mohsen Razavi, “Alternative schemes for measurement-device-independent quantum key distribution,” Physical Review A 86, 062319 (2012).
Yu et al. (2013) Zong-Wen Yu, Yi-Heng Zhou, and Xiang-Bin Wang, “Three-intensity decoy-state method for measurement-device-independent quantum key distribution,” Physical Review A 88, 062339 (2013).
Xu et al. (2014) Feihu Xu, He Xu, and Hoi-Kwong Lo, “Protocol choice and parameter optimization in decoy-state measurement-device-independent quantum key distribution,” Physical Review A 89, 052333 (2014).
Curty et al. (2014) Marcos Curty, Feihu Xu, Wei Cui, Charles Ci Wen Lim, Kiyoshi Tamaki, and Hoi-Kwong Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nature communications 5, 1–7 (2014).
Yin et al. (2014a) Zhen-Qiang Yin, Chi-Hang Fred Fung, Xiongfeng Ma, Chun-Mei Zhang, Hong-Wei Li, Wei Chen, Shuang Wang, Guang-Can Guo, and Zheng-Fu Han, “Mismatched-basis statistics enable quantum key distribution with uncharacterized qubit sources,” Physical Review A 90, 052319 (2014a).
Yin et al. (2014b) Zhen-Qiang Yin, Shuang Wang, Wei Chen, Hong-Wei Li, Guang-Can Guo, and Zheng-Fu Han, “Reference-free-independent quantum key distribution immune to detector side channel attacks,” Quantum information processing 13, 1237–1244 (2014b).
Yu et al. (2015) Zong-Wen Yu, Yi-Heng Zhou, and Xiang-Bin Wang, “Statistical fluctuation analysis for measurement-device-independent quantum key distribution with three-intensity decoy-state method,” Physical Review A 91, 032318 (2015).
Wang and Wang (2014) Qin Wang and Xiang-Bin Wang, “Simulating of the measurement-device independent quantum key distribution with phase randomized general sources,” Scientific reports 4, 1–7 (2014).
Zhou et al. (2016) Yi-Heng Zhou, Zong-Wen Yu, and Xiang-Bin Wang, “Making the decoy-state measurement-device-independent quantum key distribution practically useful,” Physical Review A 93, 042324 (2016).
Lu et al. (2020) Feng-Yu Lu, Zhen-Qiang Yin, Guan-Jie Fan-Yuan, Rong Wang, Hang Liu, Shuang Wang, Wei Chen, De-Yong He, Wei Huang, Bing-Jie Xu, Guang-Can Guo, and Zheng-Fu Han, “Efficient decoy states for the reference-frame-independent measurement-device-independent quantum key distribution,” Physical Review A 101, 052318 (2020).
Hu et al. (2021) Xiao-Long Hu, Cong Jiang, Zong-Wen Yu, and Xiang-Bin Wang, “Practical long-distance measurement-device-independent quantum key distribution by four-intensity protocol,” Advanced Quantum Technologies 4, 2100069 (2021).
Jiang et al. (2021) Cong Jiang, Zong-Wen Yu, Xiao-Long Hu, and Xiang-Bin Wang, “Higher key rate of measurement-device-independent quantum key distribution through joint data processing,” Physical Review A 103, 012402 (2021).
Lu et al. (2022) Feng-Yu Lu, Ze-Hao Wang, Zhen-Qiang Yin, Shuang Wang, Rong Wang, Guan-Jie Fan-Yuan, Xiao-Juan Huang, De-Yong He, Wei Chen, Zheng Zhou, Guang-Can Guo, and Zheng-Fu Han, “Unbalanced-basis-misalignment-tolerant measurement-device-independent quantum key distribution,” Optica 9, 886–893 (2022).
Liu et al. (2013) Yang Liu, Teng-Yun Chen, Liu-Jun Wang, Hao Liang, Guo-Liang Shentu, Jian Wang, Ke Cui, Hua-Lei Yin, Nai-Le Liu, Li Li, Xiongfeng Ma, Jason S. Pelc, M. M. Fejer, Cheng-Zhi Peng, Qiang Zhang, and Jian-Wei Pan, “Experimental measurement-device-independent quantum key distribution,” Physical review letters 111, 130502 (2013).
Wang et al. (2015) Chao Wang, Xiao-Tian Song, Zhen-Qiang Yin, Shuang Wang, Wei Chen, Chun-Mei Zhang, Guang-Can Guo, and Zheng-Fu Han, “Phase-reference-free experiment of measurement-device-independent quantum key distribution,” Physical review letters 115, 160502 (2015).
Yin et al. (2016) Hua-Lei Yin, Teng-Yun Chen, Zong-Wen Yu, Hui Liu, Li-Xing You, Yi-Heng Zhou, Si-Jing Chen, Yingqiu Mao, Ming-Qi Huang, Wei-Jun Zhang, Hao Chen, Ming Jun Li, Daniel Nolan, Fei Zhou, Xiao Jiang, Zhen Wang, Qiang Zhang, Xiang-Bin Wang, and Jian-Wei Pan, “Measurement-device-independent quantum key distribution over a 404 km optical fiber,” Physical review letters 117, 190501 (2016).
Comandar et al. (2016) LC Comandar, M Lucamarini, B Fröhlich, JF Dynes, AW Sharpe, SW-B Tam, ZL Yuan, RV Penty, and AJ Shields, “Quantum key distribution without detector vulnerabilities using optically seeded lasers,” Nature Photonics 10, 312–315 (2016).
Wang et al. (2017) Chao Wang, Zhen-Qiang Yin, Shuang Wang, Wei Chen, Guang-Can Guo, and Zheng-Fu Han, “Measurement-device-independent quantum key distribution robust against environmental disturbances,” Optica 4, 1016–1023 (2017).
Fan-Yuan et al. (2022) Guan-Jie Fan-Yuan, Feng-Yu Lu, Shuang Wang, Zhen-Qiang Yin, De-Yong He, Wei Chen, Zheng Zhou, Ze-Hao Wang, Jun Teng, Guang-Can Guo, and Zheng-Fu Han, “Robust and adaptable quantum key distribution network without trusted nodes,” Optica 9, 812–823 (2022).
Pirandola et al. (2009) Stefano Pirandola, Raul García-Patrón, Samuel L. Braunstein, and Seth Lloyd, “Direct and reverse secret-key capacities of a quantum channel,” Phys. Rev. Lett. 102, 050503 (2009).
Takeoka et al. (2014) Masahiro Takeoka, Saikat Guha, and Mark M Wilde, “Fundamental rate-loss tradeoff for optical quantum key distribution,” Nature communications 5, 1–7 (2014).
Pirandola et al. (2017) Stefano Pirandola, Riccardo Laurenza, Carlo Ottaviani, and Leonardo Banchi, “Fundamental limits of repeaterless quantum communications,” Nature communications 8, 1–15 (2017).
Lucamarini et al. (2018) Marco Lucamarini, Zhiliang L Yuan, James F Dynes, and Andrew J Shields, “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557, 400–403 (2018).
Ma et al. (2018) Xiongfeng Ma, Pei Zeng, and Hongyi Zhou, “Phase-matching quantum key distribution,” Physical Review X 8, 031043 (2018).
Wang et al. (2018) Xiang-Bin Wang, Zong-Wen Yu, and Xiao-Long Hu, “Twin-field quantum key distribution with large misalignment error,” Physical Review A 98, 062323 (2018).
Curty et al. (2019) Marcos Curty, Koji Azuma, and Hoi-Kwong Lo, “Simple security proof of twin-field type quantum key distribution protocol,” npj Quantum Information 5, 1–6 (2019).
Cui et al. (2019) Chaohan Cui, Zhen-Qiang Yin, Rong Wang, Wei Chen, Shuang Wang, Guang-Can Guo, and Zheng-Fu Han, “Twin-field quantum key distribution without phase postselection,” Physical Review Applied 11, 034053 (2019).
Wang et al. (2020) Rong Wang, Zhen-Qiang Yin, Feng-Yu Lu, Shuang Wang, Wei Chen, Chun-Mei Zhang, Wei Huang, Bing-Jie Xu, Guang-Can Guo, and Zheng-Fu Han, “Optimized protocol for twin-field quantum key distribution,” Communications Physics 3, 1–7 (2020).
Maeda et al. (2019) Kento Maeda, Toshihiko Sasaki, and Masato Koashi, “Repeaterless quantum key distribution with efficient finite-key analysis overcoming the rate-distance limit,” Nature communications 10, 1–8 (2019).
Jiang et al. (2019) Cong Jiang, Zong-Wen Yu, Xiao-Long Hu, and Xiang-Bin Wang, “Unconditional security of sending or not sending twin-field quantum key distribution with finite pulses,” Physical Review Applied 12, 024061 (2019).
Lu et al. (2019) Feng-Yu Lu, Zhen-Qiang Yin, Rong Wang, Guan-Jie Fan-Yuan, Shuang Wang, De-Yong He, Wei Chen, Wei Huang, Bing-Jie Xu, Guang-Can Guo, and Zheng-Fu Han, “Practical issues of twin-field quantum key distribution,” New Journal of Physics 21, 123030 (2019).
Xu et al. (2020) Hai Xu, Zong-Wen Yu, Cong Jiang, Xiao-Long Hu, and Xiang-Bin Wang, “Sending-or-not-sending twin-field quantum key distribution: Breaking the direct transmission key rate,” Physical Review A 101, 042330 (2020).
Zeng et al. (2020) Pei Zeng, Weijie Wu, and Xiongfeng Ma, “Symmetry-protected privacy: beating the rate-distance linear bound over a noisy channel,” Physical Review Applied 13, 064013 (2020).
Currás-Lorenzo et al. (2021) Guillermo Currás-Lorenzo, Álvaro Navarrete, Koji Azuma, Go Kato, Marcos Curty, and Mohsen Razavi, “Tight finite-key security for twin-field quantum key distribution,” npj Quantum Information 7, 1–9 (2021).
Minder et al. (2019) Mariella Minder, Mirko Pittaluga, George Lloyd Roberts, Marco Lucamarini, JF Dynes, ZL Yuan, and Andrew J Shields, “Experimental quantum key distribution beyond the repeaterless secret key capacity,” Nature Photonics 13, 334–338 (2019).
Zhong et al. (2019) Xiaoqing Zhong, Jianyong Hu, Marcos Curty, Li Qian, and Hoi-Kwong Lo, “Proof-of-principle experimental demonstration of twin-field type quantum key distribution,” Physical Review Letters 123, 100506 (2019).
Wang et al. (2019) Shuang Wang, De-Yong He, Zhen-Qiang Yin, Feng-Yu Lu, Chao-Han Cui, Wei Chen, Zheng Zhou, Guang-Can Guo, and Zheng-Fu Han, “Beating the fundamental rate-distance limit in a proof-of-principle quantum key distribution system,” Physical Review X 9, 021046 (2019).
Liu et al. (2019) Yang Liu, Zong-Wen Yu, Weijun Zhang, Jian-Yu Guan, Jiu-Peng Chen, Chi Zhang, Xiao-Long Hu, Hao Li, Cong Jiang, Jin Lin, Teng-Yun Chen, Lixing You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, and Jian-Wei Pan, “Experimental twin-field quantum key distribution through sending or not sending,” Physical Review Letters 123, 100505 (2019).
Fang et al. (2020) Xiao-Tian Fang, Pei Zeng, Hui Liu, Mi Zou, Weijie Wu, Yan-Lin Tang, Ying-Jie Sheng, Yao Xiang, Weijun Zhang, Hao Li, Zhen Wang, Lixing You, Ming-Jun Li, Hao Chen, Yu-Ao Chen, Qiang Zhang, Cheng-Zhi Peng, Xiongfeng Ma, Teng-Yun Chen, and Jian-Wei Pan, “Implementation of quantum key distribution surpassing the linear rate-transmittance bound,” Nature Photonics 14, 422–425 (2020).
Chen et al. (2020) Jiu-Peng Chen, Chi Zhang, Yang Liu, Cong Jiang, Weijun Zhang, Xiao-Long Hu, Jian-Yu Guan, Zong-Wen Yu, Hai Xu, Jin Lin, Ming-Jun Li, Hao Chen, Hao Li, Lixing You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, and Jian-Wei Pan, “Sending-or-not-sending with independent lasers: Secure twin-field quantum key distribution over 509 km,” Physical review letters 124, 070501 (2020).
Liu et al. (2021) Hui Liu, Cong Jiang, Hao-Tao Zhu, Mi Zou, Zong-Wen Yu, Xiao-Long Hu, Hai Xu, Shizhao Ma, Zhiyong Han, Jiu-Peng Chen, Yunqi Dai, Shi-Biao Tang, Weijun Zhang, Hao Li, Lixing You, Zhen Wang, Yong Hua, Hongkun Hu, Hongbo Zhang, Fei Zhou, Qiang Zhang, Xiang-Bin Wang, Teng-Yun Chen, and Jian-Wei Pan, “Field test of twin-field quantum key distribution through sending-or-not-sending over 428 km,” Physical Review Letters 126, 250502 (2021).
Chen et al. (2021) Jiu-Peng Chen, Chi Zhang, Yang Liu, Cong Jiang, Wei-Jun Zhang, Zhi-Yong Han, Shi-Zhao Ma, Xiao-Long Hu, Yu-Huai Li, Hui Liu, Fei Zhou, Hai-Feng Jiang, Teng-Yun Chen, Hao Li, Li-Xing You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, and Jian-Wei Pan, “Twin-field quantum key distribution over a 511 km optical fibre linking two distant metropolitan areas,” Nature Photonics 15, 570–575 (2021).
Clivati et al. (2022) Cecilia Clivati, Alice Meda, Simone Donadello, Salvatore Virzì, Marco Genovese, Filippo Levi, Alberto Mura, Mirko Pittaluga, Zhiliang Yuan, Andrew J Shields, Marco Lucamarini, Ivo Pietro Degiovanni, and Davide Calonico, “Coherent phase transfer for real-world twin-field quantum key distribution,” Nature Communications 13, 1–9 (2022).
Pittaluga et al. (2021) Mirko Pittaluga, Mariella Minder, Marco Lucamarini, Mirko Sanzaro, Robert I Woodward, Ming-Jun Li, Zhiliang Yuan, and Andrew J Shields, “600-km repeater-like quantum communications with dual-band stabilization,” Nature Photonics 15, 530–535 (2021).
Chen et al. (2022) Jiu-Peng Chen, Chi Zhang, Yang Liu, Cong Jiang, Dong-Feng Zhao, Wei-Jun Zhang, Fa-Xi Chen, Hao Li, Li-Xing You, Zhen Wang, Yang Chen, Xiang-Bin Wang, Qiang Zhang, and Jian-Wei Pan, “Quantum key distribution over 658 km fiber with distributed vibration sensing,” Physical Review Letters 128, 180502 (2022).
Wang et al. (2022) Shuang Wang, Zhen-Qiang Yin, De-Yong He, Wei Chen, Rui-Qiang Wang, Peng Ye, Yao Zhou, Guan-Jie Fan-Yuan, Fang-Xiang Wang, Yong-Gang Zhu, Pavel V Morozov, Alexander V Divochiy, Zheng Zhou, Guang-Can Guo, and Zheng-Fu Han, “Twin-field quantum key distribution over 830-km fibre,” Nature Photonics , 1–8 (2022).
Xie et al. (2022) Yuan-Mei Xie, Yu-Shuo Lu, Chen-Xun Weng, Xiao-Yu Cao, Zhao-Ying Jia, Yu Bao, Yang Wang, Yao Fu, Hua-Lei Yin, and Zeng-Bing Chen, “Breaking the rate-loss bound of quantum key distribution with asynchronous two-photon interference,” PRX Quantum 3, 020315 (2022).
Zeng et al. (2022) Pei Zeng, Hongyi Zhou, Weijie Wu, and Xiongfeng Ma, “Mode-pairing quantum key distribution,” Nature Communications 13, 1–11 (2022).
Renner (2008) Renato Renner, “Security of quantum key distribution,” International Journal of Quantum Information 6, 1–127 (2008).
Zhu et al. (2023) Hao-Tao Zhu, Yizhi Huang, Hui Liu, Pei Zeng, Mi Zou, Yunqi Dai, Shibiao Tang, Hao Li, Lixing You, Zhen Wang, Yu-Ao Chen, Xiongfeng Ma, Teng-Yun Chen, and Jian-Wei Pan, “Experimental mode-pairing measurement-device-independent quantum key distribution without global phase locking,” Phys. Rev. Lett. 130, 030801 (2023).
Zhou et al. (2022) Lai Zhou, Jinping Lin, Yuan-Mei Xie, Yu-Shuo Lu, Yumang Jing, Hua-Lei Yin, and Zhiliang Yuan, “Experimental quantum communication overcomes the rate-loss limit without global phase tracking,” arXiv preprint arXiv:2212.14190 (2022).
Cao et al. (2015) Zhu Cao, Zhen Zhang, Hoi-Kwong Lo, and Xiongfeng Ma, “Discrete-phase-randomized coherent state source and its application in quantum key distribution,” New Journal of Physics 17, 053014 (2015).
Laing et al. (2010) Anthony Laing, Valerio Scarani, John G Rarity, and Jeremy L O’Brien, “Reference-frame-independent quantum key distribution,” Physical Review A 82, 012304 (2010).
Tamaki et al. (2014) Kiyoshi Tamaki, Marcos Curty, Go Kato, Hoi-Kwong Lo, and Koji Azuma, “Loss-tolerant quantum cryptography with imperfect sources,” Physical Review A 90, 052314 (2014).
Watanabe et al. (2008) Shun Watanabe, Ryutaroh Matsumoto, and Tomohiko Uyematsu, “Tomography increases key rates of quantum-key-distribution protocols,” Phys. Rev. A 78, 042316 (2008).
Müller-Quade and Renner (2009) Jörn Müller-Quade and Renato Renner, “Composability in quantum cryptography,” New Journal of Physics 11, 085006 (2009).
Tomamichel et al. (2011) Marco Tomamichel, Christian Schaffner, Adam Smith, and Renato Renner, “Leftover hashing against quantum side information,” IEEE Transactions on Information Theory 57, 5524–5535 (2011).
Konig et al. (2009) Robert Konig, Renato Renner, and Christian Schaffner, “The operational meaning of min- and max-entropy,” IEEE Transactions on Information Theory 55, 4337–4347 (2009).
Vitanov et al. (2013) Alexander Vitanov, Frederic Dupuis, Marco Tomamichel, and Renato Renner, “Chain rules for smooth min-and max-entropies,” IEEE Transactions on Information Theory 59, 2603–2612 (2013).
Tomamichel and Renner (2011) Marco Tomamichel and Renato Renner, “Uncertainty relation for smooth entropies,” Physical review letters 106, 110506 (2011).
Wang et al. (2021) Rong Wang, Zhen-Qiang Yin, Hang Liu, Shuang Wang, Wei Chen, Guang-Can Guo, and Zheng-Fu Han, “Tight finite-key analysis for generalized high-dimensional quantum key distribution,” Physical Review Research 3, 023019 (2021).

	$\displaystyle l_{o}\leq$	$\displaystyle n_{Z_{1}}^{\rm{L}}\left[1-h(e_{Z_{1}}^{\rm{ph,U}})\right]-{\lambda_{\rm{EC}}}$		(1)
		$\displaystyle-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}}-2\log_{2}\frac{1}{\sqrt{2}\hat{\varepsilon}\varepsilon_{\rm{PA}}},$		(1)

$\displaystyle l_{s}\leq$	$\displaystyle n_{Z_{1}}^{\rm{L}}\left(1-e_{Z_{1}}^{\rm{bit,U}}\right)$	(2)
	$\displaystyle\times\left[1-h\left(\frac{1-\frac{1}{2}\left(e_{Z_{1}}^{\rm{bit,U}}+\left(e_{X_{1}}^{\rm{bit}}+e_{Y_{1}}^{\rm{bit}}\right)^{\rm{U}}\right)}{1-e_{Z_{1}}^{\rm{bit,U}}}\right)\right]$
	$\displaystyle-{\lambda_{\rm{EC}}}-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}}-2\log_{2}{\frac{1}{\sqrt{2}\hat{\varepsilon}\varepsilon_{\rm{PA}}}},$

	$\displaystyle H_{\rm{min}}^{\overline{\varepsilon}}(\mathbf{Z}_{1}\|\mathbf{Z}_{\rm{zm}}E)\geq$	$\displaystyle n_{Z_{1}}^{\rm{L}}-H_{\rm{max}}^{\overline{\varepsilon}}(\mathbf{X}_{1}\|\mathbf{X}_{1}^{\prime})$		(6)
	$\displaystyle\geq$	$\displaystyle n_{Z_{1}}^{\rm{L}}\left(1-H_{2}(e_{Z_{1}}^{\rm{ph,U}})\right),$		(6)

	$\displaystyle l_{o}\leq$	$\displaystyle n_{Z_{1}}^{\rm{L}}\left[1-h(e_{Z_{1}}^{\rm{ph,U}})\right]-{\rm{\lambda_{EC}}}$		(8)
		$\displaystyle-\log_{2}\frac{2}{\varepsilon_{\rm{cor}}}-2\log_{2}\frac{1}{\sqrt{2}\hat{\varepsilon}\varepsilon_{\rm{PA}}},$		(8)

$\displaystyle\ket{\Psi}^{i,j}_{AA^{\prime}a}$	$\displaystyle=p_{0}\|00\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|0\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|0\rangle_{a_{j}}$	(10)
	$\displaystyle+\sqrt{p_{0}p_{1}}\|01\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|0\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{j}_{a}}\rangle_{a_{j}}$
	$\displaystyle+\sqrt{p_{0}p_{1}}\|10\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{i}_{a}}\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|0\rangle_{a_{j}}$
	$\displaystyle+p_{1}\|11\rangle_{A_{i}A_{j}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{i}_{a}}{\sqrt{2\pi}}\|\theta^{i}_{a}\rangle_{A^{\prime}_{i}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{i}_{a}}\rangle_{a_{i}}\int_{0}^{2\pi}\frac{{\rm{d}}\theta^{j}_{a}}{\sqrt{2\pi}}\|\theta^{j}_{a}\rangle_{A^{\prime}_{j}}\|\sqrt{\mu}e^{{\rm{i}}\theta^{j}_{a}}\rangle_{a_{j}}.$