Phase-Matching Quantum Key Distribution with Discrete Phase Randomization

The twin-field quantum key distribution (TF-QKD) protocol and its variations have been proposed to overcome the linear Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound. One variation called phase-matching QKD (PM-QKD) protocol employs discrete phase randomization and the phase post-compensation technique to improve the key rate quadratically. However, the discrete phase randomization opens a loophole to threaten the actual security. In this paper, we first introduce the unambiguous state discrimination (USD) measurement and the photon-number-splitting (PNS) attack against PM-QKD with imperfect phase randomization. Then, we prove the rigorous security of decoy state PM-QKD with discrete phase randomization. Simulation results show that, considering the intrinsic bit error rate and sifting factor, there is an optimal discrete phase randomization value to guarantee security and performance. Furthermore, as the number of discrete phase randomization increases, the key rate of adopting vacuum and one decoy state approaches infinite decoy states, the key rate between discrete phase randomization and continuous phase randomization is almost the same.

All of these variant TF-QKD protocols have their own advantages. The no-phase-postselection TF-QKD (NPP-TF-QKD) protocol [5,6] provides better key rate performance in closer-to-mid distance, but it needs phase locking and pre-phase feedback in the experiment, so it is hard to implement [5,6,21]. The sending-or-not-sending TF-QKD (SNS-TF-QKD) protocol [10] can tolerate large misalignment errors and provide better performance in long distance [10,21]. The phase-matching QKD (PM-QKD) protocol [8] has no phase locking with phase slices and employs a phase post-compensation technique, so it can be easily experimentally implemented without pre-phase feedback [13,21].
In reality, the decoy state method is adopted to ensure the security of imperfect single photon source [22][23][24][25] in the actual QKD system. An important theoretical premise and assumption of the method is that the global phase of coherent sources should be continuously randomized [26][27][28]. However, perfect phase randomization is very difficult to achieve. In an actual experiment, there are two means to randomize the global phase. One means is to turn the laser on and off by controlling the current, but it is not suitable for PM-QKD with the phase post-compensation technique-the reason for this is that we do not know the precise phase slices. Moreover, experiments show that residual phase correlations may exist between adjacent pulses [29]. The other one is to actively modulate the phase of coherent sources controlled by a phase modulator with a true random number generator; this method is suitable for PM-QKD, but the phase randomization is not continuous. Thus, neither of these two means satisfy the assumption of the decoy state method, which may introduce a potential loophole that threatens the security of the actual protocol [30]. Then, the unambiguous state discrimination (USD) measurement [31] and the photon-numbersplitting (PNS) attack [32] can be used against the imperfect phase randomization.
An earlier security analysis of discrete phase randomization appears in the decoy state Bennet- Brassard-1984 (BB84) in Reference [33], which points out, when the number of discrete phase values is larger, that the performance of discrete phase randomization is close to that of continuous phase randomization, and the number is said to be ten [33]. Similar security analysis methods are used for several other protocols, the measurementdevice-independent (MDI) QKD in Reference [34], the NPP-TF-QKD in References [35,36], the SNS-TF-QKD in Reference [37], the PM-QKD in Reference [38]. Therein, Reference [38] uses a different security poof method with Reference [8], and there is no in-depth formula derivation in the decoy state PM-QKD with discrete phase randomization. In this paper, we focus on these discrete global phase randomization issues in the PM-QKD protocol [39], study a concrete attack against PM-QKD with imperfect phase randomization, apply the decoy-state method to derive the single photon yield formula to exhibit performance of the key rate and compare the yield difference of continuous phase randomization with discrete phase randomization.
The paper is arranged as follows: in Section 2, we review the PM-QKD protocol in detail, based on the security analysis of symmetric-encoding PM-QKD, we estimate the overall phase error rate. In Section 3, we show a concrete attack against PM-QKD with imperfect phase randomization. In Section 4, we show how to apply the decoy-state method to obtain the upper bound of the phase-flip error rate with discrete phase randomization; moreover, the yield difference between continuous and discrete phase randomization is also studied in this section. The numerical simulation results are shown in Section 5, and then we conclude in Section 6.

The Protocol of PM-QKD
We employ the attenuated laser as a single photon source, which is regarded as the coherent state. When the coherent state is randomized by continuous phase, it is equivalent to the Fock state, with the photon number distribution as In this section, we review the PM-QKD protocol, and without considering the security effects of discrete phase randomization, Equation (1) is used for formula derivation.

Protocol Description
The implementation process of the PM-QKD is similar to Reference [39].

•
State preparation. In each round, the coherent state √ α A e i(πκ A + 2π D d A ) is prepared by Alice, the intensity α A ∈ {µ A , ν A , ω A }, where µ A is she signal state, ν A is the decoy state, ω A is the vacuum state, the random key bit κ A ∈ {0, 1}, the discrete phase randomization number d A is randomly chosen from {0, 1, · · · , D − 1}, D is the number of maximum discrete phase that is modulated by Alice, for simplicity, assume D is an even number. Similarly, Bob prepares the coherent state Measurement. Alice and Bob send their quantum states to Charlie with transmittances η A and η B , Charlie performs an interference measurement with a beam splitter and records which detector (L or R) clicks. • Announcement. The detection result is announced by Charlie for each round; the intensity settings α A , α B and phase numbers d A , d B are also announced by Alice and Bob. • Sifting. After that, the phase post-compensation method is used by Charlie to calculate and then Charlie announces the phase match pairs. Assume the phase compensation d δ ∈ {0, 1, · · · D/2 − 1}, only one of the two detectors clicks is the successful detection.
If the left detector clicks and |d A − d B − d δ | mod D = 0, Alice and Bob keep κ A and κ B as the raw key. If the right detector clicks and |d , for simplicity, we discard the phase mismatch pairs. • Parameter estimation. Alice and Bob estimate the information leakage from the raw data that they have kept. • Key generation. After reconciling the corresponding key string to perform error correction, Alice and Bob use privacy amplification to produce the final keys.

Phase Error Estimation
The security analysis of asymptotic case is considered, so there are no statistical fluctuations. The analysis method of the phase error rate that we use comes from [39], which is an important new viewpoint of QKD security, establishing the relationship between the symmetric encoding and privacy with the standard phase-error-correction approach [40], and we summarize briefly as follows.
If the joint state ρ AB is a pure of even or odd state, the symmetric encoding PM-QKD protocol is perfectly private, the phase error rate E ph = 0, if the joint state ρ AB is a mixture of even and odd state, ρ AB = P odd ρ odd + P even ρ even , the phase error rate E ph = 0, the effective detection ratios of odd and even components of signal state are estimated by [39] where Q µ = P odd|µ Y odd|µ + P even|µ Y even|µ is the total gain of mixture signal state ρ AB . Y odd|µ and Y even|µ are the yield of odd signal state ρ odd and even signal state ρ even , respectively. P odd|µ and P odd|µ are the signal state probability of odd and even photon numbers. The overall phase error rate comes from the even components, which is estimated by [39] where P even|µ is given by the above section, Q µ is given by the experiment results, the important task is to estimate the parameter Y even|µ . For simplicity, we use phase match pairs and discard phase mismatch pairs, so the upper bound of phase error rate comes from the signal state bounded by According to the above discussion, we get the final secure key rate by where Q µ is the total gain of the signal state, E ph is the phase error rate of the signal state, E µ is the bit error rate of the signal state, f is the error correction efficiency, is the binary entropy function.

Attack PM-QKD with Imperfect Phase Randomization
Considering the extreme case that Eve knows, the exact phases of the signal and decoy states without phase randomization, the PM-QKD protocol will have a serious security loophole. Due to the signal state and the decoy state not being orthogonal, Eve can use USD measurement to distinguish the signal state and the decoy state with the probability q < 1. The optimal success probability [41] of USD measurement on each For the sake of simplicity, we neglect the dark count and the misalignment error, and only consider the channel loss. Without attacking, the gains of the signal state and decoy state are where η is the channel loss. Under the PNS attack, the gains of the signal state and decoy state are where Z µ j and Z v j represent the probability that Eve forwards j photons to the signal state and the decoy state, with j as the sum of the photons on both sides.
The simplified upper key rate under the PNS attack is bounded by The lower key rate of the simplified Equation (5) is bounded by Combining the USD measurement with PNS attack, the security of final key rate without the phase randomized system is vulnerable. We can optimize Z µ j to let R l PM > R u , especially for long distance communication, due to channel loss is large enough, we can block single photon and release multiple photons. Then, the key rate will be higher than the secure key rate, and information will leak out. Hence, Eve's goal is to minimize R u .
It is worth noting that the attack scheme of USD measurement and PNS attack, which requires the quantum non-demolition measurement [42] about the photon numbers, the lossless channel and the ability of controlling detector efficiency, all of these are beyond the current technology. Ma adopts the beam splitting (BS) attack [43] in Reference [8]. We briefly present his results as follows.
Ma [8] points out, under the BS attack, that the probability of successfully distinguishing the states is P suc = 1 − e −(1−η)µ . The simplified key rate of PM-QKD is lower bounded by Ma [8] supposes that the photon number channel model exists in PM-QKD, then Gottesman-Lo-Lutkenhaus-Preskill (GLLP) [26] analysis can be used to obtain the formula where Q 1|µ is the gain of the single photon signal state, E ph 1|µ is the phase error rate. Due to the yield being Y j = 1 − (1 − η) j , the simplified GLLP key rate is lower bounded by Final results show that, when η is smaller than a certain value, the GLLP formula cannot hold under the BS attack, so the photon number channel model is invalid. Fortunately, the PM formula can defend against BS attack; the precondition is that the intensity must be weaker.

The PM-QKD with Discrete Phase Modulation of Coherent State Sources
In this section, we introduce the security analysis of discrete phase randomized PM-QKD. Then, we apply the decoy-state method to derive the single photon yield formula. Finally, we compare the yield difference between continuous phase randomization and discrete phase randomization.

Coherent State with Discrete Phase Randomization
For the coherent state with discrete phase randomization, the joint state of Alice and Bob of PM-QKD is as follows where Considering the simple case, d δ = 0, then |d A − d B | = 0 or |d A − d B | = D/2. Now, the density matrix can be written as where In our security analysis with discrete phase randomization, we modify the final secure key rate Equation (5) to where the upper bound of phase error rate E D ph comes from the signal state bounded by Q µ . The bit error rate E µ and the gain Q µ remain the same.

The Decoy-State Method
In discrete phase randomized PM-QKD, we estimate the yield Y D 1|µ of the single-photon signal state. We use the vacuum and one decoy state, which is similar to the BB84 decoy state analysis [24].
We know that, in the security proof of the decoy state method with continuous phase randomization, there is an important assumption Y j|signal = Y j|decoy (16) However, it is not strict in the condition of discrete phase randomization, Y D j|signal = Y D j|decoy ; the reason lies in Consider the properties of trace distance; we need to estimate the difference of yields for different intensities as [33] (lD+j)! , that is the fidelity of λ D j|µ and λ D j|v .
The estimation of the yield Y D 1|µ is similar to continuous phase randomization. The equation can be written as We have Entropy 2021, 23, 508

The Yield Difference between Continuous and Discrete Phase Randomization
To compare the yield difference of continuous phase randomization and discrete phase randomization, the density matrix of the continuous phase randomization can be written as where the general Poisson distribution P j|α is given by Equation (1), In the ideal case, D → ∞, the fidelity F C,D j|α between |j AB and λ D j|α AB should be the same. In the security analysis, the fidelity F C,D j|α between |j AB and λ D j|α AB is bounded by which is related to the intensity α, photon number j and discrete phase numbers D. Therefore, the yield difference is bounded by

Numerical Results
Let's suppose the transmittances between Alice/Bob and Charlie are η A = η B = η f , the detection efficiency of detectors is η d , after the channel and detection losses, η = η f η d , the detection click probabilities are given by (25) where P α (L)/P α (R) and P α (L)/P α (R) are the detection click probabilities of the L/R click and no L/R click, φ AB is the phase mismatch between Alice and Bob.
Due to the discrete phase randomization, we can obtain D phase slices. Although we keep the phase match pairs and discard all of the others, there is still an intrinsic bit error rate [4], E D = D 2π 2π/D 0 sin 2 φ AB 2 dφ AB . Significantly, this is very different from BB84 protocol with the global phase mismatch value φ AB = 0. When we use discrete phase randomization, we must consider the intrinsic bit error rate, which will deeply affect the bit error rate and phase error rate. The error gain can be given by We can derive the total gain Q α as The bit error rate of signal states is given by The simulate parameters are listed in Table 1. In the key rate versus the transmission distance of the finite decoy states PM protocol with a different number of phase values, as shown in Figure 1, the PLOB bound is plotted for comparison. The smaller D, the lower the key rate; the reason is that the smaller the D, the larger the intrinsic bit error rate. D = 8 can break the PLOB bound, and meanwhile, we can find that there is an optimal D = 10, which can guarantee better performance. With the increase of D, the key rate will become lower due to the sifting factor 2/D. Hence, in an actual experiment of PM-QKD, we must find the suitable discrete phases value to guarantee security and performance. When D → ∞, the key rate will tend to 0; we do not present it here.
Moreover, we compare the performance of PM-QKD with discrete phase randomization between infinite decoy states and vacuum and one decoy state. As depicted in Figure 2, when we adopt vacuum and one decoy state and small D, the key rate exhibits poor performance. As D increases, the key rate of adopting vacuum and one decoy state approaches infinite decoy states. Combining the conclusion of Figure 1, we find that the discrete phase D = 10 still maintains good security and performance when the finite decoy states are implemented.  Due to there being a sifting factor 2/D, we know that when D → ∞, the key rate will tend to 0. In order to compare the key rate between continuous phase randomization and discrete phase randomization, we first compare the fidelity between |j AB and λ D j|α AB , as shown in Figure 3a. The fidelity varies slightly with the intensity. With the increase of D, the fidelity gradually approaches 1. Therefore, when D is too small, the method of continuous phase randomization is not suitable; we cannot ignore the safety effect of discrete phase randomization.
Then, considering finite decoy states, the key rate between continuous phase randomization and discrete phase randomization has been studied in Figure 3b. As D increases, the performance of a key rate between discrete phase randomization and continuous phase randomization is almost the same. This is consistent with the conclusion in Figure 3a.  The key rate versus the transmission distance of the PM-QKD with a different number of discrete phase values. The solid line represents the coherent state with continuous phase randomization; the dash line represents the coherent state with discrete phase randomization.

Conclusions
In this paper, we introduce the USD measurement and PNS attack against PM-QKD with imperfect phase randomization, and simultaneously, we deeply study the security of discrete phase randomization PM-QKD protocol with a decoy state in the asymptotic case. Our simulation results show that, as D increases, the key rate of adopting vacuum and one decoy state approaches infinite decoy states, and furthermore, the performance of key rate between discrete phase randomization and continuous phase randomization is almost the same. We also find that due to the intrinsic bit error rate and sifting factor, there is an optimal discrete phase randomization value to guarantee security and performance. Therefore, for the actual PM-QKD system, we should better adopt the suitable discrete phase randomization value to apply.
Author Contributions: X.Z. carried out numerical simulation and wrote the paper; Y.W. and W.B. assisted in discussing the research topic; M.J. contributed to attack; X.Z. and Y.L. derived the formulas; H.L. and C.Z. discussed the PM-QKD protocol. All authors participated in revising and all authors have read and agreed to the published version of the manuscript.