Sending-or-Not-Sending Twin-Field Quantum Key Distribution with Light Source Monitoring

Twin-field quantum key distribution (TF-QKD) is proposed to achieve a remote key distribution with a maximum secure transmission distance up to over 500 km. Although the security of TF-QKD in its detection part is guaranteed, there are some remaining problems in the source part. The sending-or-not-sending (SNS) protocol is proposed to solve the security problem in the phase post-selection process; however, the light source is still assumed to be an ideal coherent state. This assumption is not satisfied in real-life QKD systems, leading to practical secure issues. In this paper, we discuss the condition that the photon number distribution (PND) of the source is unknown for the SNS protocol, demonstrate that the security analysis is still valid under a source with unknown PND, and show that with light source monitoring, the performance of the SNS protocol can remain almost unchanged.


Introduction
Quantum key distribution (QKD) provides a way for different communication parties to share a set of identical security keys [1,2]. The security of QKD is based on the laws of quantum physics and has been proved theoretically in different ways in the past decades. In addition to security analysis, people have also started to study the performance of QKD and to further improve the performance of real-life QKD systems by proposing new protocols [3][4][5][6][7].
Among all proposed protocols, measurement-device-independent (MDI) protocol is meaningful, since it can make up all the security loopholes in the detection part of QKD systems [8]. MDI protocol has developed rapidly in recent years, with many achievements obtained [9][10][11][12][13][14][15][16][17][18][19]. In theory, the application of the decoy state method [20] has been further studied, and more optimized parameter estimation results are obtained to achieve a better performance [9][10][11]. Besides, different MDI experiment schemes have been proposed [12] and several meaningful experiment achievements, including the field test [13] and the network experiment [14] based on the MDI protocol, have been carried out. Meanwhile, the continuous-variable MDI protocol has also been developed [16][17][18][19]. With the developing of experimental research, the MDI protocol achieved a transmission distance of 404 km in 2016, which was the farthest distance for standard QKD at that time [15].
The transmission distance of QKD has been further increased recently. Based on the MDI protocol, an extraordinary protocol called twin-field quantum key distribution (TF-QKD) was proposed by Lucamarini et al. in 2018, which can increase the transmission distance to over 550 km on standard optical fibers without quantum repeaters [21]. Because of its outstanding advantage in transmission distance, TF-QKD has recently been the subject of a lot of follow-up research [22][23][24][25][26][27][28][29]. Actually, in the original protocol, the phase randomization process will lead to secure issues since the information of random phase is announced to Eve in the post-selection process [30]. In further research, different types of modified TF-QKD protocols have been proposed to improve the incomplete security analysis [22][23][24][25][26]. Through classifying the signals [22], or adding an extra test mode [23], or using a pre-selected global phase [25,26], the security loophole of the post-selected part can be resolved. With the modified protocols, long-distance TF-QKD experiments have already been implemented [28,29]. Recently, an exciting experimental work has shown that the transmission distance for TF-QKD can reach over 500 km in practice [28], showing that TF-type protocols can significantly improve the transmission distance with the currently available technology.
Among those TF-type protocols, the sending-or-not-sending (SNS) protocol proposed by Wang et al. is an effective scheme to combine with the decoy state method to solve the phase randomization problem. In the SNS protocol, there is no post-selection process for the random phases of the signal bits, which are used to generate the final secret keys, thus the problem is avoided [22]. By optimizing the proportion of the sending and not-sending signals, the SNS protocol can still achieve a very long transmission distance.
A remaining problem with the SNS protocol is that the prepared quantum state in the source is assumed to be an ideal coherent state. Actually, the assumption could be broken since the prepared state will deviate from the ideal coherent state due to the non-ideality of the practical laser [31]. Moreover, since the light source structure in the SNS protocol is similar to the BB84 protocol, there will also be an untrusted source problem [32][33][34][35][36] in the source part, causing the photon number distribution (PND) of the light source to be unknown, and the prepared state to no longer be a coherent state.
In this paper, we provide further discussion of the SNS protocol under the unknown PND condition (UPC). By analyzing the form of the prepared state in Eve's view, it is shown that the security analysis in the SNS protocol is still valid without the coherent state assumption, and the final secret key rate can be derived naturally. By applying a light source monitoring (LSM) method proposed previously [37,38], all relevant parameters can be estimated compactly, thus the secret key rate of the SNS protocol under UPC can be obtained. Moreover, it is indicated that the performance of the SNS protocol under UPC can almost keep the same ideal source condition through the numerical simulation.
The paper is organized as follows. In Section 2, we first analyze the security of the SNS protocol under UPC and give the calculation method of the secret key rate for the SNS protocol under UPC, then introduce an LSM method to obtain tight bounds of the parameters needed in calculating the secret key rate. In Section 3, we show the simulation results by applying the LSM method in the SNS protocol under UPC. Finally, we provide conclusion to our work in Section 4.

Security Analysis under UPC
In the SNS protocol [22,27], Alice (Bob) prepares a coherent state with an intensity µ A (µ B ), a random modulated phase δ A (δ B ) and a global phase γ A (γ B ). Only the states where Alice and Bob choose the same intensity (µ A = µ B = µ) will be retained for discussion, thus the joint state sent by Alice and Bob is | . In Eve's view, it has the convex form where |ψ k refers to a joint state with total photon numbers k, and p k (µ) refers to the probability that the joint state contains k photons totally [22]. Specifically, the single-photon part of the state has the form of . (2) |ψ 1 plays an important role during the whole security analysis of the SNS protocol [22]. In fact, the equivalent virtual protocols discussed in the security analysis focus on the single-photon part and the security analysis could remain valid when the phase difference between the two parts of the single state |1 A |0 B and |0 A |1 B remains to be Under UPC, the quantum state prepared by Alice (Bob) is no longer an ideal coherent , but a state with arbitrary PND, which can be written As a result, with the analysis shown in Appendix A, the joint state sent by Alice and Bob can still have the convex form in Eve's view, with the n-photon state and the probability of n-photon Specifically, the single photon part of ρ AB under UPC can be written as with a symmetric condition which is also assumed in the original SNS protocol [22]. This result indicates that the original security analysis can be directly applied to UPC, since the phase difference between |1 A |0 B and |0 A |1 B is still ∆φ, that is, |ψ 1 only has a global phase difference with |ψ 1 in Equation (2).

Secret Key Rate
Unlike the original TF-QKD, the SNS protocol divides all the transmitted light pulses into two categories, which are called signal windows and decoy windows [20,22]. In the signal window (equivalent to Z-basis), Alice (Bob) randomly chooses to send or not send a signal pulse, and the data are used to generate keys. In the decoy window (equivalent to X-basis), Alice (Bob) sends decoy states with different intensities and the data are used to estimate the count rate and phase error rate of the signals' single photon part. In addition, there is a post-selection process for the random phases δ A , δ B to ensure more accurate estimation results, which originates from TF-QKD.
The secret key rate of the SNS protocol has been given as [22,27]: in which is the probability that Alice (Bob) chooses to send out a signal pulse (it can be preset in the protocol), is the binary Shannon entropy function, P L 1 (µ s ) is the lower bound of the probability that a state with intensity µ s sent in signal windows contains single photon, s L 1 and e U 1 refer to the lower bound of the count rate and the upper bound of phase error rate for the single photon part of signals, S Z and E Z refer to the count rate and the bit error rate of the signals. In decoy windows, a three-intensity decoy method with intensities µ d 0 = 0, µ d 1 , µ d 2 and µ d 2 > µ d 1 > 0 is used to estimate s L 1 and e U 1 and the results are obtained as [22] are the probabilities that a state with intensity µ d k sent in decoy windows contains zero, single or two photons, S µ d k , E µ d k are the count rate and bit error rate of a state with intensity µ d k sent in decoy windows.
In the original SNS protocol, the light source is assumed to be able to prepare ideal coherent states [22], thus the PND of the light source satisfies Poisson distribution for each of Alice and Bob, that is, for µ = {µ s , µ d 1 , µ d 2 }, hence the probabilities p n (µ) (n = 0, 1, 2) obtained in Equation (6) can be directly calculated as: When p n (µ) are known, the parameters s L 1 and e U 1 in Equations (10) and (11) can be estimated. In addition, the probability P L 1 (µ s ) is also obtained exactly from Equation (12). With these results, the secret key rate in Equation (9) can eventually be calculated.
However, as mentioned above, the probabilities p n (µ) become unknown under UPC, though the security analysis can be held. Fortunately, as analyzed in Reference [39], the decoy-state method is still valid under UPC when the lower and upper bounds of p n (µ) (n = 0, 1, 2) are obtained, and the results of s L 1 and e U 1 can be rewritten as e ph,U 1 where p L(U) n (µ) refers to the lower (upper) bound of p n (µ). With Equation (6) , p L(U) n (µ) (n = 0, 1, 2) can be obtained as with Equation (8), hence the secret key rate can still be calculated effectively if tight bounds of P n (µ) are obtained.

Parameters Estimation with LSM
The source structure in the SNS protocol is similar to that of the BB84 and MDI protocol, therefore it is possible to apply the LSM scheme proposed in the BB84 and MDI protocol to the SNS protocol to estimate P n (µ). Recently, a new LSM scheme proposed by us in the MDI protocol gives tight bounds of P n (µ) in each of Alice's and Bob's part under UPC [38]. Since the SNS protocol and the MDI protocol have the same structure in the intensity modulation part, the same LSM module can be added to the SNS protocol as shown in Figure 1, and with the extra LSM module, the same results can be obtained in the SNS protocol as follows [38]: and a single photon detector (SPD). By changing the attenuation coefficient of the VOA, various sets of the results on the responding probability of the SPD are obtained, which can be used to estimate P n (µ) effectively. The details of the monitoring scheme have been discussed in Reference [38].
with a condition where η k (k = 0, 1, 2) is the variable attenuation coefficient in the extra LSM module, P µ (η k ) is the probabilities of the single photon detector's (SPD) not responding in the LSM module, and Y 0 is the dark count rate of the SPD. When P n (µ) are estimated with the LSM scheme, the key parameters s L 1 , e U 1 in Equations (14) and (15) can be calculated, and the secret key rate of SNS protocol under UPC is obtained.

Performance with Numerical Simulation
The performance of the original SNS protocol and the SNS protocol with the LSM scheme can be compared with a determined light source condition. Considering an ideal simulation circumstance first [22], the PND of the light source, P n (µ), is assumed to satisfy Equation (12). In this case, the probabilities P µ (η) in the LSM scheme can be simulated as [38] and the estimation results of P n (µ) can be calculated with Equations (17)- (21). Except P µ (η), other parameters used in Equations (9)-(11), (14) and (15), such as S µ d k , E µ d k , S Z , E Z , can be simulated with the same method discussed in the original SNS protocol [22,27], hence the final secret key rate can be calculated.
To compare the performance of the LSM scheme and the original SNS protocol under ideal simulation conditions, the simulation parameters, which are listed in Table 1, are set to be the same as in Reference [22]. Besides, for the LSM scheme, we set the attenuation coefficient as η 0 = 1, η 1 = 0.95, η 2 = 0.9 to obtain tight estimation results of P n (µ); other parameters, including the intensities µ s , µ d 1 , µ d 2 and the sending probability , are optimized at different transmission distances for both the original protocol and the SNS protocol with the LSM scheme. Table 1. Values of parameters used in simulation. α: the fiber loss coefficient (unit: dB/km); Y 0 : the dark count rate of the detector; η D : the detection efficiency; e det : the misalignment error of the QKD system; f : the error correction efficiency.
The simulation results shown in Figure 2 indicate that, with the LSM scheme, the SNS protocol under UPC can have a performance that is almost the same as that of the original protocol with an ideal source. Specifically, both cases have a maximum transmission distance of up to over 800 km, and the difference between the LSM scheme and the ideal source condition is only about 0.5 km. Besides, the difference of the secret key rate between them is only about 1% for a typical distance of 100 km.
. × × Figure 2. The performance of the proposed LSM scheme (red dash curve) compared to original SNS protocol (blue dash curve) with the parameters set as Table 1. The ratios of secret key rate between the LSM scheme and original SNS protocol are about 99.1%, 98.9%, 98.8% at the distance of 100, 300, 500 km, and the maximum transmission distances of the LSM scheme and original SNS protocol are about 806.0 and 806.5 km.
In order to further analyze the practical performance of the SNS protocol and it with the LSM scheme, it is necessary to consider a more practical simulation circumstance. For a real-life QKD system, the PND of the source's signals is not fixed although without Eve's disturbance [31,40,41]. Under this condition, the performance of the original SNS protocol will be degraded even though the security problem of an unknown PND is ignored. Specifically, the signal sent out from the source can be considered as a fluctuated coherent state with a Gaussian-distributed average photon number µ, which has a probability distribution of where µ 0 , σ µ are the mean value and the standard deviation of µ. Without the LSM module, the probabilities P n (µ) can only be estimated by assuming that µ belongs to a confidence interval, that is, hence the results are For the LSM scheme, the probabilities P µ (η) can be simulated as after considering the source fluctuation [36,37], and P n (µ) can be estimated by P µ (η i ) with Equations (17)- (21). The performance of both the original SNS protocol and the original SNS protocol with LSM are simulated under different fluctuation coefficient σ = σ µ /µ 0 . The parameters are changed to be consistent with those in Reference [21] in Table 2 to simulate a more realistic condition, which is close to the practical experimental conditions [28], and , µ s , µ d 1 , µ d 2 are optimized as well. For the original SNS protocol, the confidence levels are set as ε = 1 − 10 −10 , and in the LSM scheme, the attenuation coefficients are set as η 0 = 1, η 1 = 0.95, η 2 = 0.9. The simulation results under the practical simulation condition shown in Figure 3 indicate that the LSM scheme still performs well in practice, as its performance remains almost the same under the fluctuated light source. As a comparison, the performance of the original SNS protocol decreases obviously with a light source fluctuation σ = 1%, and its transmission distance even reduces to less than 500 km when σ = 2%. Since the condition σ > 1% is common in real-life QKD systems [40,41], the LSM scheme will have a better performance compared to the original SNS protocol in practice, although only the fluctuation problem is considered. For the LSM scheme, we consider a small fluctuation condition σ = 1% (black dash curve) and a large fluctuation condition σ = 5% (red dash curve), and the performance between them is still close. For the original protocol, we consider a small fluctuation condition σ = 1% (blue curve) and a relatively large fluctuation condition σ = 2% (yellow curve), since the condition σ = 2% already has an obviously worse performance than σ = 1%.

Conclusions
In summary, we analyze the security of the SNS protocol under UPC, and propose an LSM scheme to solve the unknown PND problem in the source part. An important problem for the SNS protocol is whether its security analysis is still valid without assuming the prepared state is an ideal coherent state. In this paper, we calculate the form of the quantum state sent from Alice and Bob in Eve's view, and show that the single photon part of the state has the same form as the ideal source condition under UPC, thus the security analysis remains valid. We apply the LSM scheme proposed previously to the SNS protocol to estimate the probabilities p n (µ) precisely to eventually obtain a tight bound of the secret key rate. Through simulation, we show that, with the proposed LSM scheme, the performance of the SNS protocol under UPC can be almost the same as that of the original SNS protocol with an ideal source. Moreover, the LSM scheme improves the performance of the SNS protocol when considering source fluctuation, indicating that the SNS protocol can still have a long transmission distance with a fluctuated source in real-life QKD systems.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. The Convex Form of ρ AB under UPC
After the modulation of intensity and phase, the quantum state sent by Alice (Bob) can be written as a state with an arbitrary PND, |ψ A = ∑ k e ik(δ A +γ A ) P k,A (µ)|k A (|ψ B = ∑ k e ik(δ B +γ B ) P k,B (µ)|k B ). Although the exact values of P k,A (µ), P k,B (µ) are totally unknown, the form of the sent state ρ AB in Eve's view can be calculated because of the randomness of the phase δ A , δ B . Actually, similar to the situation of original SNS protocol, the new independent variables δ ± = δ A ± δ B can be introduced as well, and the phase δ + is completely random for Eve [22], thus in Eve's view, the quantum state sent from Alice and Bob is ρ AB = where P(|x ) = |x x| is the density matrix of |x , δ(·) is the Dirac delta function, and The results of Equation (A1) can be written as ρ AB = ∑ n |ψ n (µ) ψ n (µ)|, where |ψ n (µ) has the form of |ψ n (µ) = n ∑ k=0 P k,A (µ)P n−k,B (µ)|k A |n − k B .