Sending or Not-Sending Twin-Field Quantum Key Distribution with Flawed and Leaky Sources

Twin-field quantum key distribution (TF-QKD) has attracted considerable attention and developed rapidly due to its ability to surpass the fundamental rate-distance limit of QKD. However, the device imperfections may compromise its practical implementations. The goal of this paper is to make it robust against the state preparation flaws (SPFs) and side channels at the light source. We adopt the sending or not-sending (SNS) TF-QKD protocol to accommodate the SPFs and multiple optical modes in the emitted states. We analyze that the flaws of the phase modulation can be overcome by regarding the deviation of the phase as phase noise and eliminating it with the post-selection of phase. To overcome the side channels, we extend the generalized loss-tolerant (GLT) method to the four-intensity decoy-state SNS protocol. Remarkably, by decomposing of the two-mode single-photon states, the phase error rate can be estimated with only four parameters. The practical security of the SNS protocol with flawed and leaky source can be guaranteed. Our results might constitute a crucial step towards guaranteeing the practical implementation of the SNS protocol.


I. INTRODUCTION
Quantum key distribution (QKD) allows two distant parties, Alice and Bob, to share secret keys securely in the presence of an eavesdropper, Eve, by harnessing the laws of physics [1][2][3].Combined with one-time pad, Alice and Bob can achieve unconditionally secure private communication.Notable progress has been made to improve performance, such as the communication distance and secret key rate, and bridge the gap between the idealized device models assumed in security proofs and the functioning of realistic devices in practical systems.
The measurement-device-independent (MDI) QKD [4] can remove both known and unknown security loopholes, or so-called side channels, in the measurement unit perfectly which shift the focus of quantum attacks to the source.Photon-number-splitting (PNS) attack [5,6], the major threat at source since single-photon source is not available at present and weak laser light are widely used in practical QKD systems, has been overcome by the decoy-state method [7,8].Combining these two methods, the decoy-state MDI-QKD equipped with some security patches performs well with imperfect single-photon sources.However, the key rate and communication distance are two implementation bottlenecks.To exceed the linear scale of key rate [9,10], twin-field QKD (TF-QKD) was proposed by Lucamarini et al. [11] whose key rate scales linearly with square-root of the channel transmittance η by harnessing single-photon interference over long distance.Though the security is not completed and the security loophole is caused by the later announcement of the phase information [12], then many variants of TF-QKD [12][13][14][15][16][17] have been proposed to deal with this security loophole and each has its advantages.Many effects have been considered in real-life implementation to accelerate its application, including finite key effects, the number of states with different intensities, the phase slice of appropriate and asymmetric transmission distance, etc. [18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34].Meanwhile, several experiments of TF-QKD have been completed in laboratory and field to demonstrate its ability to overcome the rate-distance limit [35][36][37][38][39][40][41][42].
However, the physical implementations of TF-QKD protocols with side channels remains to be further researched at present.Since TF-QKD retains the MDI characteristic, we should just focus on light source.Ideally, it is assumed that the sending devices are placed in a protected laboratory, and can prepare and encode quantum states correctly.Unfortunately, these conditions are not met in practical systems, and state preparation flaws (SPFs) and leakage may be induced from imperfect devices or Eve's disturbance.A small imperfection at source does not necessarily mean a small impact on the secret key rate, because Eve could enhance such imperfection by exploiting channel loss.Therefore, Eve can steal secret information actively by performing Trojan-horse attack [43][44][45][46][47][48][49][50][51][52][53][54][55] on modulators, lasers or attenuators and so on, or passively by harnessing the SPFs and leakage caused by imperfect devices [5,6,[56][57][58][59].
In those QKD protocols with imperfect single-photon sources, the decoy-state method is vital and employed to monitor the channel eavesdropping whose security is based on the fact that Eve could not distinguish between decoy and signal states.In practice, however, it does not with the behavior of the real apparatuses or Eve's disturbance.For instance, the probability distributions of signal states and decoy states do not overlap in time domain totally with pump-current modulation [58].Besides, signal states and decoy states can be distinguished with external intensity modulation in frequency domain when Eve applying wavelength-selected photon-numbersplitting attack actively in 'plug-and-play' systems [46].This loophole is introduced by decoy-state method and caused by the imperfections of modulators and modulation voltage.As the decoy-state method is employed in TF-QKD protocols, it is of significance to analyze its practical security in this aspect.
In this paper, we concentrate on the sending or notsending (SNS) TF-QKD protocol [12] with actively oddparity pairing (AOPP) method and finite-key effects taken into consideration [20,21], and propose a complete and undetected eavesdropping attack, named passive frequency shift attack, which can take advantage of the most general side channels in frequency domain and can be extended to other cases with distinguishable decoy states.In Sec.II, we recap the frequency shift of intensity modulators (IMs) and test experimentally the spectral distribution of signal pulses with external modulation method which shows a side channel in frequency domain.In Sec.III, we propose a passive frequency shift attack on SNS protocol and analyze its adverse impact by giving the formula of upper bound of secure key rate and comparing it with the lower bound of secret key rate under Alice and Bob's estimation with consideration of AOPP method and finite-key effects.In Sec.IV, we present our simulation results.Last, we give some discussion about the countermeasure of side channels in Sec.V and conclude in Sec.VI.

II. FREQUENCY SHIFT OF INTENSITY MODULATORS
In this section, we will recap the frequency shift of IMs and test experimentally to show a side channel in frequency domain.
LiNbO 3 -based EOIMs work by the principle of interference, controlled by modulating the optical phase.The incoming light is coupled into a waveguide and then split into two paths of a Mach-Zehnder interferometer equally and interfere at an output coupler.The two arms made of lithium niobate will induce a phase change when applying voltages.Accordingly, the intensity and phase of output light will be modulated after interference depending on the applied electrical voltages.Assuming voltages V 1 (t) and V 2 (t) are applied to two arms separately with the input field of intensity E 0 and frequency ω 0 , the output field can be written as [46] where ∆ϕ(t) = [γV 1 (t) + ϕ 1 − γV 2 (t) − ϕ 2 ]/2 and ϕ(t) = [γV 1 (t) + ϕ 1 + γV 2 (t) + ϕ 2 ]/2, γ = π/V π is the voltageto-phase conversion cofficients for two arms, and ϕ 1 and ϕ 2 are the static phases which we will omit for simplicity.
Here, V π is half-wave voltage that is required to change the phase in one modulator arm by π radians.The output intensity is given by where ) and P 0 is the input optical power.The phase maintains and intensity is determined by Eq. 2 on condition that the two modulator arms are driven by the same amount, but in opposite directions (i.e.V 1 (t) = −V 2 (t)), which is known as balanced driving or push-pull operation.When V (t) is constant we will get pure intensity modulation without frequency shift.However, once V (t) is not a constant any more, something unexpected will arise to the output field.Specifically, frequency shift will be induced as we can see, for example, if V 1 (t) = −V 2 (t) = V 0 + kt, the output field can be expressed as [46] From Eq. 3, we can see a frequency shift of the light pulses with ±ω m = ±γk compared with the original ω 0 , where k is the slope of modulation voltage.Moreover, the frequency shift of the output field will be more confusing when the modulation voltages are more complicated in practical systems.We can analyze the spectrum of the output field using the fast Fourier transform method.
To evaluate the frequency shift of different intensity pulses, we test it in principle.Optical pulses with 1 ns pulse width are produced with a constant intensity from a laser diode (Keysight 8164B) first, modulated by an IM driven by an arbitrary waveform generator (Keysight M9505A) and measured by an optical spectrum analyzer (Yokogawa AQ637D) last.Note that the measurement is taken before the fixed attenuation as implemented in actual systems since the probability of emitting pulses at the single-photon level follows the same distribution.Fig. 1 illustrates the wavelength spectrum of three states with intensity ratio taken from the SNS experiment [39] as 0.1: 0.384: 0.447 (µ a = 0.1, µ b = 0.384, µ z = 0.447).And the normalized intensity probability distributions are shown in Fig. 2 to distinguish the difference.
Obviously, the states modulated by IMs of different intensities do not overlap totally in frequency domain.The distinction of signal states (also strong decoy states) and weak decoy states is evident as expected because the amplitude of modulation voltages of signal and strong decoy states are higher which will induce more frequency shift, and thus the peaks of the signal and strong decoy states are lower than weak decoy states.More precisely, the normalized probability of weak decoy states is higher than signal and strong decoy states between 1550.112nm and 1550.131nm.There are also slight differences between signal and strong decoy states.The difference will be bigger when narrowing pulses or the line width as TF-QKD requires, or when the intensity difference of the different states becomes larger.On this foundation, Eve can apply a passive frequency shift attack by harnessing this side channel.

III. PASSIVE FREQUENCY SHIFT ATTACK ON SNS PROTOCOL
In this section, we propose a passive frequency shift attack scheme on practical SNS TF-QKD systems by exploiting the side channels in frequency domain and analyze its adverse impact by fiving the formula of upper bound of secure key rate with consideration of AOPP method and finite-key effects.But we note that this attack can be applied with other side channels except in frequency domain.
In fact, the signal pulses (including signal states and decoy states) and reference pulses must be modulated with a stable continuous-wave laser source with external modulation method so as to estimate and compensate phase noise in those TF-QKD protocols which need post-phase compensation, such as SNS TF-QKD [12] and phase-matching (PM) TF-QKD [13].Even if the synchronization can not be controlled by Eve unlike discussed in Ref. [46,47], the probability distributions of signal states and decoy states may do not overlap inevitably in frequency domain.
In the 4 intensity SNS TF-QKD protocol (see Appendix A for details), Alice and Bob need to modulate the continuous light to 5 different intensities, the maximum intensity pulses are used as phase reference pulses, the minimum as vacuum states, while others as signal states, weak and strong decoy states.In practical SNS systems [38,39], three IMs are used to modulate these 5 different pulses to ensure that the output signal intensities are in agreement with the theoretical requirements and the reference detections are high enough for phase compensation.There will be side channels in frequency domain inevitably.In what follows, we introduce the passive frequency shift attack.Suppose Eve intercepts all signal pulses at Alice and Bob's output ports where the signal pulses haven't been attenuated by channels, and then distinguishes signal and decoy states with a wavelength division multiplexer (WDM) and three single-photon detectors (SPDs) as illustrated in Fig. 3. Set internals T α properly, where α ∈ {z, a, b}, according to the wavelength spectrum of different states to distinguish the states with intensity µ α but may fail with a certain probability.Theoretically, T α can be set as the union of two symmetric intervals according to Eq. 3.
Suppose the four ports of WDM 1, 2, 3 and 4 can export photons with frequency located in T z , T a , T b and others.The light path selector S1 (S2) is controlled by SPD1 (SPD1 and SPD2).Denote as 1 or 0 when SPD (i.e.SPD1, SPD2 or SPD3) clicks or not, and 1 or 0 when the light path selector (i.e.S1 or S2) selects the up or down path.Then we set S1= SPD1, S2= SPD1 ∨ SPD2. ( Note that only one SPD at most will click under this principle.According to the response of SPDs, set the total transmittance as η z , η a , η b or η k when SPD1, SPD2, SPD3 clicks or none of them click, respectively.In this  process, Eve could get partial raw key bits after Alice (Bob) announces their signal and decoy windows, which can be understood in this way that Eve can conclude their key bits as 1 (0) when SPD1 ∨ SPD2 ∨ SPD3 = 1 in Z windows.There is no bit-flip error between Alice (Bob) and Eve because Eve can intercepts photons at output ports without stray photons.Only the raw bits are secure in Z windows when SPD1 ∨ SPD2 ∨ SPD3 = 0 on both sides.On the one hand, once Eve detects photons successfully on one side, the bit is either the same or a bit-flip error with the other side which will be revealed in the error correction step (and pre-error correction process when AOPP is performed).On the other hand, the bits are balanced (i.e.random for Eve) in one-detector heralded events with SPD1∨SPD2∨SPD3 = 0 which means the raw bits are secure in these windows.Though Eve could not distinguish the decoy states and signal states without errors, once the transmittance of signal and decoy states differ from others, the decoy-state method may not estimate the count rate and phase-flip error rate of single-photon states correctly.When the actual secure key rate is lower than the estimated one, the final secret string is insecure partially.
We emphasize that this attack will not introduce unnecessary errors as the beam splitting and measurement by Eve can be seen as a loss and the rest of the pulses are coherent states with no phase noise.What is more, Eve could control errors completely expect the inherent errors of the protocol through channels, superconducting nanowire single-photon detectors (SNSPDs) and classic information he announces.In the following, we will analyze the negative effect of this passive frequency shift attack.
Consider the most general case, we assume that the envelope of wavelength spectrum can be written as f β (λ), where β ∈ {z, a, b}.The wavelength spectrum of signal states and decoy states could not totally overlap.By setting the internals T α properly, Eve can distinguish the decoy states and siganl states with errors.The propor-tion of state µ β in internals T α can be shown as where α, β ∈ {z, a, b}.Which one detector will click obeys a certain probability distribution.Therefore, the states of intensity µ β would be transformed with one of four different transmittance Ω β = {η βz , η βa , η βb , η βk } with a finite probability, where Here, the attenuation coefficient comes from Eve's interfection and detection, and the total transmittance can be controlled by Eve completely which means that Eve is allowed to use a lower-loss or even lossless channel and perfect detectors with 100% detection efficiency and no dark count, and could select internals freely to obtain a satisfactory results.For states with intensity µ β , the probability of being transmitted with η βγ ∈ Ω β , γ ∈ M = {z, a, b, k} can be shown as where µ β|α = µ β r β|α .Here, e −µ β|α is the probatility of zero photon in internals T α with intensity µ β .Since TF-QKD protocols are proposed for the implementation of long optical fiber communications, Eve's best target is to acquire more percentage of keys by minimizing η k as far as possible while maintaining the key rate and communication distance under Alice and Bob's estimation.When the communication distance is long enough, Eve may steal all secret key bits.
There are two key rates matter: the lower bound of secret key rate under Alice and Bob's estimation R e and the upper bound of real secure key rate R u .Note that Alice and Bob could not estimate R e correctly under this attack since it is impossible to pick out the decoy states that have undergone the same operation as the signal states, i.e. the decoy-state method does not work properly.When AOPP method is performed with partial bits leaked to Eve, Bob only chooses odd-parity bit pairs and they will keep the second bit if Alice's bits pairs are odd, too.In this process, Eve's information on raw bits does not reduce as the parity information is public.Therefore, the upper bound of secure key rate R u can be shown as where n 1,sec is the upper bound of single photons which can be used to distill secure key bits and e in is the inherent phase-flip error rate (i.e. the lower bound of untagged bits) determined by the number of phase slices M .These two parameters will be discussed in Appendix B.
This attack can be applied as long as the wavelength spectrum distributions of signal and decoy states are different.The effect of this attack varies based on the discernibility of different states.However, this attack can be extended to other imperfections with distinguishable decoy states, like the polarization, temporal shape, etc. by replacing the WDM with appropriate devices.We numerically simulate the behaviour of SNS protocol under passive frequency shift attack in this section.There are nine parameters obtained by statistic in practical systems before AOPP, including n αβ , n R ∆ + , n L ∆ − , n t and E z , where n t = n sig + n err is the length of raw keys, αβ ∈ S = {vv, va, av, vb, bv}.Here, E z = n err /n t , n sig and n err is the number of right and wrong raw bits, respectively.Under passive frequency shift attack, the parameters can be simulated as discussed in Appendix C. The promotion to AOPP is trival as the attack is not applied.
For simulation purposes, the experimental parameters listed in Tables I and II are taken according to the SNS experiment [39] with a little modification.Then we simulate the normal secret key rate without frequency shift attack, the key rate under Alice and Bob's estimation and the upper bound of secure key rate under frequency shift attack with AOPP and finite-key effects by selecting five groups of reasonable parameters about r β|α listed in Tables III following the principle that the difference between signal states (strong decoy states) and weak decoy states is significant while small between signal and strong decoy states.
In Fig. 4, the estimated key rate R e under passive frequency shift attack represented by the solid line is the same as that without attack which means this attack will not be detected by Alice and Bob with the list of experimental parameters in Table I, II and III.In comparison, the dashed lines represent the upper bound of secure key rates R u under frequency shift attack.Denote the the upper bound of secure key rate under parameters in Group i (Gi) in Table III as R ui , where i ∈ {1, 2, 3, 4, 5}.Compared R u1 with R u2 , we can find that the difference between weak decoy states and signal states (strong decoy states) affects the effects of attack significantly i.e. the communication distance is limited from 472 km to 368 km when the difference changes from 10 times to 20 times.The negative effects will be more greater when r z|a : r a|a : r b|a is constant but the absolute values increase by comparing R u2 with R u3 .The secure distance will be limited to shorter when the difference becomes larger by contrasting R u2 and R u4 .Besides, Alice and Bob could not distribute keys when Eve can distinguish weak decoy states correctly with parameters of Group 5. On the one hand, if Alice and Bob attach importance r z|z r a|z r b|z r z|a r a|a r b|a r z|b r a|b r b|b G1 0.01 0.008 0.01 0.01 0.1 0.01 0.01 0.008 0.01 G2 0.01 0.008 0.01 0.005 0.1 0.005 0.01 0.008 0.01 G3 0.01 0.008 0.01 0.01 0.2 0.01 0.01 0.008 0.01 G4 0.01 0.005 0.01 0.005 0.2 0.005 0.01 0.005 0.01 G5 0.01 0.008 0.01 0 0.1 0 0.01 0.008 0.01 to these side channels and know Eve's action, this attack will limit the communication distance.Note that the distance and key rate will be more pessimistic since the key rates R ui is only the upper bound.Otherwise, the secret key bits will be insecure over long distance especially.For example, the key bits are all insecure when the estimated key rate is 10 −8 per pulse at 479 km (an acceptable value at long distance).
In this attack, we have assumed that Eve intercepts photons in the order of T z , T a and T b , but we find there is no obvious difference when changing this order through numerical simulations which can be understood in this way that only the photons are secure with SPD1∨SPD2∨ SPD3 = 0, i.e.only the pulses that are not detected by Eve in all internals T α are secured, or there will be no difference in any order when r α|β = 0 with α = β.

V. DISCUSSION
This eavesdropping attack proposed above is a passive attack harnessing the side channels and hard to be detected.To guarantee security in practical systems with side channels, the first potential way is to improve experimental techniques or modulation methods to restrain side channels but may be unavoidable when one is closed, but another appears.The second alternative is to develop mathematical models in theory to maximize the secure key rates under attacks, like the loss-tolerant method [61][62][63][64][65] but needs an accurate characterization of real apparatuses.It may be an ongoing search for side channels to guarantee the practical security of QKD systems.

VI. CONCLUSION
The goal of QKD at present is to provide long-distance and high-speed key distribution, which will induce side channels inevitably.Increasing repetition rate and narrowing pulses to improve speed will make the pulses complex and distinguishable, like the frequency, polarization, temporal shape, and so on.Any small imperfections may be exploited and enhanced utilizing channel loss by Eve, especially at long distance.Therefore, it is necessary to pay more attenuation to the practical security of TF-QKD systems.
In this paper, we have investigated and tested the side channels with external modulation which is required in those TF-QKD protocols with post-phase compensation, like SNS TF-QKD [12] and PM TF-QKD [13].Based on this, we propose a complete and undetected eavesdropping attack named passive frequency shift attack on SNS protocol which can be applied once there are differences between different states in frequency domain and can be extended to other imperfections with distinguishable decoy states.Normally, Alice and Bob could estimate the lower bound of secret key rate correctly no matter what Eve does.But this estimation is not accurate once Eve's operation on signal and decoy states is different which may cause insecure bits when the upper bound of secure key rate is lower than the estimated lower one.According to the numerical results, Eve can get full information about the secret key bits at long distance if Alice and Bob neglect this distinguishability.For example, the key bits are all insecure when the estimated key rate is 10 −8 per pulse at 479 km under the five selected groups of parameters.As there is a variety of potentially exploitable loopholes at source, our results emphasize the practical security of the light source.It is a constant search to build hardened implementations of practical QKD systems.We make a review of the SNS protocol and the key rate formula with AOPP method and finite-key effects [12,20,21] in this section.

ACKNOWLEDGMENTS
(1) Preparation and measurement.At any time window i, Alice (Bob) randomly determines whether it is a signal window or a decoy window with probabilities p z and p x = 1 − p z .If it is a signal window, Alice (Bob) sends a phase-randomized coherent state with intensity µ z and denotes it as 1 (0), or a vacuum state |0 and denotes it as 0 ( 1 (2) Different types of time windows.Suppose Alice and Bob repeat the above process N times, then they announce their signal windows and decoy windows through public channels.If both Alice and Bob determine a signal window, it is a Z window.And the effective events in Z windows are defined as one-detector heralded events no matter which detector clicks.Alice and Bob will get two raw n t -bit strings Z A and Z B according to effective events in Z windows.Note that the phase-randomized coherent state of intensity µ is equivalent to a probabilistic mixture of different photon-number states ∞ k=0 e −µ µ k k! |k k|.Therefore, we can define Z 1 windows as a subset of Z windows when only one party determines to send and she (he) actually sends a single-photon state |1 .The bits from effective Z 1 windows are regarded as untagged bits by the tagged model [66].Then the intensity of pulses would be announced to each other expect the intensity in Z windows.If both commit to a decoy window, it is an X window.Alice and Bob also announce their phase information θ A , θ B when they choose the same intensity µ a in an X window denoted as an X a window.And if only one detector clicks in X a windows with phases satisfying it is an effective event in X a windows.All effective events in X a windows can be divided into two subsets as C ∆ + and C ∆ − according Eq.A1 and Eq.A2, respectively.And the number of events in C ∆ + and C ∆ − can be defined as N ∆ + and N ∆ − .Here, ϕ AB is set properly to obtain a satisfactory key rate which will be different over time due to phase drift and can be obtained with reference pulses.
In the following, we will omit the phase drift without loss of generality and set ϕ AB = 0.
(3) Parameter estimation.They can estimate parameters, including the bit-flip error rate of the raw bits E Z , the lower bound of untagged bits n 1 (or the lower bound of the counting rate s 1 equivalently) and the upper bound of the phase-flip error rate of untagged bits e ph 1 .The bit-flip error rate E Z can be obtained by error test, s 1 and e ph 1 can be estimated with decoy state method as follows. Denote , where ρ a and ρ b are density operators of the phase-randomized coherent states used in X windows in which the phase is not announced.Let N αβ be the number of intsnces Alice sends state ρ α and Bob sends state ρ β and n αβ be the number of corresponding one-detector heralded events, where αβ ∈ S = {vv, va, av, vb, bv}.Thus, the counting rate can be defined as S αβ = n αβ /N αβ .And s 1 can be estimated with decoy-state method as [18,67] Therefore e ph 1 can be estimated with decoy-state method as [12,18] e ph 1 ≤ (4) Key rate formula.With these quantities, the final key length can be expressed as [12,68] where N f is the number of final bits, H is the binary entropy function, and f is the error correction efficiency factor.
(5) AOPP method.AOPP method [20,21] is a preerror correction process on raw strings Z A and Z B proposed to improve the direct tranmission key rate.In AOPP method, Bob randomly select two unequal bits as pairs and will obtain n p = min(n t0 , n t1 ) pairs, where n t0 (n t1 ) is the number of bits 0 (1) in raw string Z B .There will be only two types of pairs can be survived when Alice make exactly the same or opposite decision as Bob for two bits, and denote the number as n vd or n cc , respectively.Therefore, the bit error after AOPP is shown as The lower bound of the number of untagged bits is where n 0 1 and n 1 1 is the lower bound of untagged bits when they make the opposite decision and obtain bits 0 and 1, correspondingly.And the phase-flip error rate changed into e ph 1

= 2e ph
1 (1 − e ph 1 ).Besides, finite-key effects should be considered in practical systems using Chernoff bound [69,70] and the parameters can be estimated as n 1 = ϕ L (n 1 ) and e ph 1 = ϕ U (n 1 e ph 1 )/n 1 .Finally, the improved key length can be shown as [20,21,68] Appendix B: Details of the upper bound of secure key rate To obtain the upper bound of secure key rate, we should consider the ideal situation, i.e. the upper bound of the number of secure single photons and the lower bound of phase-flip error rate without finite-key effects.
Ideally, the single photons which could be used to distill secure key bits (i.e. the upper bound of secure untagged bits) after AOPP can be shown as where In the rest, we will analyze this inherent phase-flip error rate from the perspective of virtual protocol.In the virtual protocol [12], Alice and Bob will prepare an extended state

FIG. 3 .
FIG. 3. Schematic of the passive frequency shift attack.PM: phase modulator, IM: intensity modulator, ATT: attenuator, WDM: wavelength division multiplexer, SPD: single-photon detector, S: light path selector, BS: beam splitter, SNSPD: superconducting nanowire single-photon detectors.The light path selector S1 (S2) is controlled by SPD1 (SPD1 and SPD2) and Bob's device is the same as Alice's which we have omitted in figure.
This work is supported by National Key Research and Development Program of China (Grant No. 2020YFA0309702) and National Natural Science Foundation of China (Grants N0. 61605248, No. 61675235 and No. 61505261).
Appendix A: SNS TF-QKD protocol ) with probabilities p z1 = 1 − p z0 and p z0 , seperately.If it is a decoy window, Alice (Bob) sends a phase-randomized coherent state | √ µ a e iθ A , | √ µ b e iθ A or |0 (| √ µ a e iθ B , | √ µ b e iθ B or |0 ) with probabilities p a , p b and p v = 1 − p a − p b , where µ a < µ b .The third party, Chrelie, renamed as Eve is supposed to perform interferometic measurements on the incoming pulses and announce the results.
) Denote the bit-flip errors in C ∆ + (C ∆ − ) as the effective events when the right (left) detector clicks and its total number as n R ∆ + (n L ∆ − ).The bit-flip error rate in C ∆ = C ∆ + C ∆ − can be shown as

TABLE I .
List of experimental parameters.Here, γ is the fiber loss coefficient (dB/km), η d is the detection efficiency of detectors, e d is the misalignment-error probability, fEC is the error correction inefficiency, ξ is the failure probability of statiscal fluctuations analysis, p d is the dark count rate and M is the number of phase slices.The estimated lower bound of secret key rate Re and upper bound of real secure key rates Rui in logarithmic scale versus tranmission distance (between Alice and Bob) under passive frequency shift attack, where i ∈ {1, 2, 3, 4, 5}, with experimental parameters listed in TableI, II and III.The solid line corresponds to the etimated key rate Re which is the same as that without attack, while the dashed lines represent the upper bound of real secure key rate Rui.And the real secure key rate Ru5 not shown in the figure is identically 0.

TABLE II .
List of experimental parameters about intensity and probability Alice and Bob select.

TABLE III .
Five groups of the proportion r β|α of state µ β in internals Tα.