Security of the Decoy-State BB84 Protocol with Imperfect State Preparation

Abstract

The quantum key distribution (QKD) allows two remote users to share a common information-theoretic secure secret key. In order to guarantee the security of a practical QKD implementation, the physical system has to be fully characterized and all deviations from the ideal protocol due to various imperfections of realistic devices have to be taken into account in the security proof. In this work, we study the security of the efficient decoy-state BB84 QKD protocol in the presence of the source flaws, caused by imperfect intensity and polarization modulation. We investigate the non-Poissonian photon-number statistics due to coherent-state intensity fluctuations and the basis-dependence of the source due to non-ideal polarization state preparation. The analysis is supported by the experimental characterization of intensity and phase distributions.

1. Introduction

The BB84 protocol [1] of quantum key distribution (QKD) between two distant parties, Alice and Bob, is based on the preparation and measurement of qubits in two bases (e.g., the computational Z-basis and the Hadamard X-basis), rotated relative to each other on the Bloch sphere by an angle of $\pi /2$. Any practical realization of the protocol inevitably introduces misalignments in the quantum state preparation and in the alignment of the measurement bases compared to the ideal ones, thus opening loopholes for information leakage to a potential eavesdropper (Eve). In particular, the preparation misalignments lead to the basis-dependence of the source that can allow Eve to distinguish the bases and attack two basis states separately. In the earliest security proof by Mayers [2], the source is assumed to be perfect. The simplified proof by Koashi and Preskill [3] allows the source to be uncharacterized but basis-independent. The proofs by Lo and Chau [4], Shor and Preskill [5] and Koashi [6] are all based on the phase error correction and assume the basis choice to be unknown to Eve. The phase error is a hypothetical error in the equivalent virtual entanglement-based protocol if the qubits of the EPR pair were measured on a complementary basis. It is well known that for an ideal source, the phase and bit error rates in two bases are equal in the asymptotic limit; that is, $E_Z^{\mathrm{phase}}=E_X^{\mathrm{bit}}$. However, if the source is basis-dependent, one cannot simply use one basis information to estimate the other. Thus, in this approach, the correct phase error rate estimation, taking into account the finite-key-size effects, is crucial for security analysis of the protocol with state preparation misalignments.

Further analysis by Gottesman et al. (referred to as GLLP) [7] proves the BB84 security for practical implementation of the QKD protocol when Alice’s and Bob’s devices are flawed. However, the GLLP approach is too conservative, it assumes the worst-case scenario when Eve can enhance the state preparation flaws by exploiting the channel loss. For this reason, the so-called loss-tolerant QKD protocol was proposed by Tamaki et al. [8], demonstrated experimentally [9,10] and later on developed in Refs. [11,12,13,14,15,16,17]. This three-state BB84-like protocol is based on the complementarity approach [6] and uses the bases mismatch events information. Considering the imperfect phase/polarization modulation, it is demonstrated that the key rate is dramatically improved, although the phase error rate estimation technique is quite complicated.

The original BB84 protocol was described using the qubits encoded into the polarization states of a single photon. In practice, the single-photon source is approximated by weak coherent pulses generated by a highly attenuated laser. There is a non-zero probability for such a coherent state to contain multiple photons that can be exploited by Eve performing the photon-number-splitting (PNS) attack [18,19]. The invention and further development of the decoy-state method [20,21,22,23] solves this problem by introducing extra states of different intensity (mean photon number per pulse) and significantly improves the GLLP bound on the maximum secure transmission distance. For a complete formal security proof of the decoy-state method see, e.g., Ref. [24]. Due to inaccuracies of realistic intensity modulation, the intensities of the signal and decoy states can vary from pulse to pulse and, hence, cannot be considered constant parameters of the protocol. It can open another potential loophole and allow Eve to improve her attack strategy.

Another well-known loophole of the leaky source is the Trojan-horse attack (THA) in which Eve injects bright light pulses into Alice’s device and then measures the back-reflected light in order to extract information about Alice’s state preparation like the basis choice and the intensity setting in the decoy-state QKD protocol. The information leakage from Alice’s IM and PM during THA is studied in Refs. [25,26,27,28,29]. The THA on the loss-tolerant protocol is investigated in Refs. [13,14,16,17] but only for the case of single-photon source.

In this work, we consider the most widely used two-decoy-state BB84 [23] with polarization encoding and focus on two types of source flaws—the fluctuating coherent-state intensities and the polarization misalignment due to Alice’s imperfect intensity and phase modulators. We assemble a simplified optical scheme for quantum state preparation that mimics the features of realistic commercial QKD devices and extract the intensity/phase distributions from laboratory test measurements. We study the non-Poissonian photon-number statistics following Refs. [30,31,32] in order to take into account the fluctuating signal and decoy pulse intensities. In contrast to the model-independent analysis in [30,31], we do not rely on the knowledge of upper/lower bounds on intensities but determine the intensity probability distributions directly from the experiment. We extend this research and also investigate the imperfect encoding state preparation. Using the idea of fully-passive source [33], we compute the averaged density matrices and apply the imbalanced quantum coin approach [7] to estimate the phase error rate. In particular, it is demonstrated that for our setup the encoding inaccuracies can lead to the key rate reduction not exceeding 50% for channel losses up to 20 dB (equivalent to transmission distances up to 100 km), and the critical transmission distance can reach ∼120 km. Since our experimental analysis is made for illustrative purposes only, we believe that the modulation precision and data analysis can be further improved, and the key rate bound can be increased. Provided with a complete set of explicit formulas, our framework can be applied to any practical QKD system with a characterized source that implements not the loss-tolerant but the usual decoy-state BB84 protocol.

This paper is organized as follows. In Section 2, we investigate the non-Poissonian photon-number statistics of weak coherent states and estimate the effect of pulse intensity fluctuations on the secret key rate. In Section 3, we study the polarization distributions and bound the phase error rate for the QKD protocol with a realistic phase modulator. The main conclusions are given in Section 4.

2. Intensity Fluctuations

2.1. Experimental Setup

In this work, we investigate the efficient BB84 protocol [34] with non-optimized basis choice probabilities of $p_X=0.9$ and $p_Y=0.1$ in which the X-basis is used for the secret key distillation while the Y-basis is used for the phase error rate estimation. In order to counteract the PNS attack, we apply the three-intensity decoy-state technique [21,23]: the signal state of intensity $\mu$ is used for the secret key generation, and two decoy states of intensities ${\nu }_1$ and ${\nu }_2$ are used for the single-photon yield and bit error rate estimation. For simplicity, we choose the reasonable values of $\mu \sim 0.3$, ${\nu }_1\sim 0.1$ and ${\nu }_2\sim {10}^{-3}$ which turn out to be close to the optimal ones for a wide range of transmission distances. The states are randomly generated with the probabilities of $p_{\mu }=0.5$ and $p_{{\nu }_{1,2}}=0.25$.

Our experimental setup for preparing and monitoring Alice’s quantum states of given intensity $\alpha \in \{\mu ,{\nu }_1,{\nu }_2\}$ and polarization is presented in Figure 1. The pulses with an average optical power of approximately 2 mW are emitted by a DFB laser operating at 1550 nm wavelength. First, the relative classical pulse intensity ${\mathcal{I}}_{\alpha }$ is adjusted by the intensity modulator (IM) by applying an appropriate voltage $V_{\alpha }$ on the modulation electrodes such that ${\mathcal{I}}_{{\nu }_{1,2}}/{\mathcal{I}}_{\mu }={\nu }_{1,2}/\mu$ with ${\mathcal{I}}_{\mu }$ chosen to be larger than half of the maximum output intensity. Then, the polarization state is chosen by applying one of the four voltages $V_i$ on the phase modulator (PM). Finally, the classical pulses are attenuated to the required weak coherent-state level with the variable optical attenuator (VOA).

The IM output intensity ${\mathcal{I}}_{\alpha }$ is the result of the interference of two waves, propagating via two paths of the Mach–Zehnder interferometer with different optical path lengths. This difference is created by varying the optical index in the waveguide active layer of each path with an electric field between the modulation electrodes. The IM is designed to have equal arms and thus balanced optical paths. However, there is always some imbalance, caused by the change of the refractive index of the optical mode of the waveguide due to possible variations of temperature (thermo-optic and pyroelectric effects), optical power in the waveguide (photorefractive effect) or mechanical stress (strain-optic effect). As a result, a time-dependent phase (and consequently ${\mathcal{I}}_{\alpha }$) drift is induced. In order to compensate for this drift, the time-averaged power is measured by the power meter (PwM) and tuned by the proportional–integral–derivative (PID) controller to the initial value by applying the relevant voltage $V_{\mathrm{bias}}$ to the bias electrodes. All these effects together with the limiting resolution of control voltage circuits and the laser noise cause some fluctuations in the output intensities.

In order to quantify the intensity fluctuations, we connect a classical photodetector (Thorlabs RXM40AF) directly to the IM output and record the voltage oscillograms. Following Ref. [35], we remove the noise by applying a filtering technique based on the singular-value-decomposition. In Figure 2, we present the obtained probability density function (PDF) of ${\mathcal{I}}_{\alpha }$ normalized by the total PM+BS+VOA attenuation. As evidenced by good agreement with the data, a regular Gaussian PDF given by Equation (1), is the right choice of function to parametrize the intensity fluctuations:

$$G(\alpha ,{\overline{\alpha }}_i,{\sigma }_{{\alpha }_i})=\frac{1}{\sqrt{2\pi }{\sigma }_{{\alpha }_i}}{e}^{-\frac{{(\alpha -{\overline{\alpha }}_i)}^2}{2{\sigma }_{{\alpha }_i}^2}},$$

(1)

where ${\overline{\alpha }}_i$ are the mean values and ${\sigma }_{{\alpha }_i}$ are the standard deviations, with the best-fit values tabulated on the right of the plot in Figure 2.

2.2. Non-Poissonian Photon-Number Statistics

The single-photon source is often approximated by a weak coherent-state source, realized in practice as strongly attenuated laser radiation. The emitted phase-randomized state is described as a mixture of Fock states,

$${\rho }_{\alpha }=\sum _{n=0}^{\infty }{P}_{n|\alpha }|n\rangle \langle n|=\sum _{n=0}^{\infty }{e}^{-\alpha }\frac{{\alpha }^n}{n!}|n\rangle \langle n|,$$

(2)

where the photon number follows the Poisson distribution $P_{n|\alpha }$ with mean photon number $\alpha$. Note that usually in the literature $\alpha$ is assumed to be a constant parameter that does not vary during the QKD session. However, in a realistic experimental setup, the intensity parameter is a fluctuating variable as discussed in the previous subsection.

It is known that the assumption of Poissonian photon-number statistics is not really necessary for the decoy-state BB84 protocol—one can derive the generalized security bounds for any arbitrary $P_{n|\alpha }$ distribution. The first detailed model-independent analysis of the source errors in the photon-number space is provided by Wang et al. in Refs. [30,31]. The authors derive the generalized conservative bounds on the single-photon component’s yield and QBER in terms of arbitrary upper/lower bounds on $P_{n|\alpha }$. In this work, we closely follow the theoretical approach of [30,31] but do not use the bounded $P_{n|\alpha }$ that rely on the knowledge of allowed intervals $[{\alpha }_{min},{\alpha }_{max}]$ for the coherent state source. Instead, we assume ${\rho }_{\alpha }$ of every single pulse to be Poissonian but with random normally-distributed parameter $\alpha$. Thus, the n-photon state probability is modified as follows,

$$P_{n|\alpha }=\frac{{\int }_0^{\infty }{e}^{-\alpha }\frac{{\alpha }^n}{n!}G(\alpha ,\overline{\alpha },{\sigma }_{\alpha })d\alpha }{{\int }_0^{\infty }G(\alpha ,\overline{\alpha },{\sigma }_{\alpha })d\alpha },$$

(3)

where we integrate only the positive intensity values that have physical meaning.

The experimentally measured gain—the probability that an emitted pulse of intensity $\alpha$ is detected by Bob—can be expressed as

$$Q_{\alpha }=\sum _{n=0}^{\infty }{P}_{n|\alpha }{\mathcal{Y}}_n,$$

(4)

where the yield ${\mathcal{Y}}_n$ is the conditional probability of a detection event (click) on Bob’s side, given that Alice sends out an n-photon state. The key idea of the decoy-state method is that since Eve cannot distinguish the $|n\rangle$ states of signal pulse from those of decoy pulse, the yields ${\left\{{\mathcal{Y}}_n\right\}}_{n=0}^{\infty }$ must be equal for signal and decoy states [20]. However, this indistinguishability assumption may not hold in practice. In Ref. [36], the authors consider an imperfect source with passive side channels, which can partially distinguish signal and decoy states from a mismatch in such degrees of freedom as time and frequency domains. In this work, we neglect the impact of such side channels and focus only on the intensity fluctuations.

Taking into account the finite-statistics effects, the generalized lower bounds on the zero-photon and single-photon yields are determined by (for more details see Appendix A)

$${\mathcal{Y}}_0^l=max\left\{\frac{Q_{{\nu }_2}^l{P}_{1|{\nu }_1}-Q_{{\nu }_1}^u{P}_{1|{\nu }_2}}{P_{0|{\nu }_2}{P}_{1|{\nu }_1}-P_{0|{\nu }_1}{P}_{1|{\nu }_2}},0\right\},$$

(5)

$${\mathcal{Y}}_1^l=\frac{{\displaystyle Q_{{\nu }_1}^l{P}_{0|{\nu }_2}-Q_{{\nu }_2}^u{P}_{0|{\nu }_1}-\frac{P_{2|{\nu }_1}{P}_{0|{\nu }_2}-P_{2|{\nu }_2}{P}_{0|{\nu }_1}}{P_{2|\mu }}\left(Q_{\mu }^u-P_{0|\mu }{\mathcal{Y}}_0^l\right)}}{{\displaystyle P_{0|{\nu }_2}{P}_{1|{\nu }_1}-P_{0|{\nu }_1}{P}_{1|{\nu }_2}-\frac{P_{2|{\nu }_1}{P}_{0|{\nu }_2}-P_{2|{\nu }_2}{P}_{0|{\nu }_1}}{P_{2|\mu }}{P}_{1|\mu }}}.$$

(6)

where $Q_{\alpha }^{u,l}$ are the upper/lower bounds on the $Q_{\alpha }$-estimators given by Equation (A13). For brevity, here, we omit the basis index of $Q_{\alpha }^{u,l}$ and ${\mathcal{Y}}_{0,1}^l$.

To investigate the effect of non-Poissonian statistics on the privacy amplification, in Figure 3 we plot the simulated ratio of the secret over verified key lengths, ${\ell }_{\sec }/{\ell }_{\mathrm{ver}}$, as a function of transmission distances for the scenarios of perfect (Poissonian statistics with $P_{n|\alpha }=e^{-\overline{\alpha }}{\overline{\alpha }}^n/n!$) and imperfect (non-Poissonian statistics with $P_{n|\alpha }$ defined by Equation (3)) intensity modulation. The verified key is the error-corrected sifted key that passed the subsequent hash-tag verification. The secret key length formula is given in Appendix B. Here, we assume the photon source to be basis-independent (${\Delta }^{\prime }=0$ in Equation (A16)). One can see from the plot that, surprisingly, the imperfect preparation provides a better key rate than the perfect one for the entire distance range. The reason is the following: due to rather wide distribution of ${\nu }_2$ relative to its mean value, the probability of the single-photon component of ${\rho }_{{\nu }_2}$ turns out to be enhanced several times with respect to the ideal Poissonian source with the mean photon number ${\overline{\nu }}_2$; as a consequence, the term $P_{0|{\nu }_1}{P}_{1|{\nu }_2}$ in the denominator of Equation (6) becomes non-negligible, which, in turn, increases ${\mathcal{Y}}_1^l$ and, hence, ${\ell }_{\sec }$. One could naively think that increasing ${\sigma }_{{\nu }_2}$ would improve ${\ell }_{\sec }$ even more; however, this would lead to the violation of the required condition (A2) starting from some value of n, making the ${\mathcal{Y}}_0$-estimation (A1) incorrect. Increasing ${\sigma }_{{\nu }_2}$, e.g., by 5 times would violate (A2) for $n\ge 12$. In order to avoid the overestimation of the single-photon and multi-photon contributions to ${\rho }_{{\nu }_2}$ due to the noise, we propose to set $P_{0|{\nu }_2}=1$ and $P_{n\ge 1|{\nu }_2}=0$ (i.e., ${\nu }_2\equiv 0$), which provides a more conservative evaluation of ${\ell }_{\sec }$ (see the green curve in Figure 3). In this case, the secret key turns out to be more than 95% of the key generated with an ideal IM, for any distance up to 100 km.

To conclude this section, we make a comparison with the model-independent approach of Wang et al. [30,31]. The single-photon gain is given by Equation (43) in Ref. [31] which can be written in our notations as

$$Q_1^l=P_{1|\mu }^l{\mathcal{Y}}_1^l=P_{1|\mu }^l\frac{{\displaystyle Q_{{\nu }_1}^l{P}_{2|\mu }^l-Q_{\mu }^u{P}_{2|{\nu }_1}^u-\left(P_{2|\mu }^l{P}_{0|{\nu }_1}^u-P_{2|{\nu }_1}^u{P}_{0|\mu }^l\right)\frac{Q_{{\nu }_2}^u}{P_{0|{\nu }_2}^l}}}{P_{2|\mu }^l{P}_{1|{\nu }_1}^u-P_{2|{\nu }_1}^u{P}_{1|\mu }^l},$$

(7)

with bounded probabilities for coherent states defined as

$$P_{n|\alpha }^{u\left(l\right)}=\left\{\begin{array}{cc}{e}^{-{\alpha }^{l\left(u\right)}},\hfill & n=0\hfill \\ \frac{({\alpha }^{u\left(l\right)}{)}^n}{n!}{e}^{-{\alpha }^{u\left(l\right)}},\hfill & n=1,2\hfill \end{array}\right.$$

(8)

Using the experimental intensity distributions in Figure 2 we determine ${\alpha }^{u,l}$ as

$${\alpha }^{u\left(l\right)}=\overline{\alpha }\pm z_{1-\epsilon }{\sigma }_{\alpha },Pr(\alpha \le {\alpha }^l)=Pr(\alpha \ge {\alpha }^u)=\epsilon ,$$

(9)

where $z_{1-\epsilon }$ is the normal distribution quantile,

$$z_{1-\epsilon }={\Phi }^{-1}(1-\epsilon )=\sqrt{2}{\mathrm{erf}}^{-1}(1-2\epsilon ).$$

(10)

For illustration, the red curve in Figure 3 represents the normalized secret key length (A11) computed with $Q_1^l$ defined by Equation (7) and $z_{1-\epsilon }=1$ ($\epsilon \simeq 0.16$). We find that for $z_{1-\epsilon }\gtrsim 2.3$ ($\epsilon \lesssim 0.011$) the secret key transmission is impossible at any distance. One can clearly see superiority of the proposed method for the particular setup and measurement precision since it provides larger key length and the maximum attainable transmission distance.

3. Phase Fluctuations

3.1. Polarization State Preparation and Basis-Dependence

Any arbitrary polarization state can be described by azimuthal and polar angles $\phi \in [0,2\pi )$ and $\theta \in [0,\pi ]$ on the Bloch sphere,

$$|\psi (\phi ,\theta )\rangle =cos\left(\frac{\theta }{2}\right)|H\rangle +e^{i\phi }sin\left(\frac{\theta }{2}\right)|V\rangle ,$$

(11)

where $|H\rangle$ and $|V\rangle$ denote the horizontal and vertical polarization vectors, aligned with the PM crystal axes. In our setup, the linearly polarized light is injected to PM at a 45${}^{\circ }$ angle to the crystal axes, which corresponds to $\theta =\pi /2$ [37]. In general, the electric field amplitudes along the ordinary and extraordinary axes initially have some phase difference ${\varphi }_0$ without any voltage supply due to the crystal birefringence. The additional random relative phase ${\varphi }_i\in \{0,\pi ,\pi /2,3\pi /2\}$, determining the basis and bit value, is created by applying an appropriate voltage $V_i$ along one of the crystal axes. Thus, the azimuthal angle of the ith state is ${\phi }_i={\varphi }_0+{\varphi }_i$.

In the protocol with perfect state preparation, the qubits are prepared and measured in the elliptical polarization bases $X^{\prime }:\{|{\psi }_1\rangle ,|{\psi }_2\rangle \}$ and $Y^{\prime }:\{|{\psi }_3\rangle ,|{\psi }_4\rangle \}$, obtained by rotating the standard bases $X:\{|D\rangle ,|A\rangle \}$ and $Y:\{|R\rangle ,|L\rangle \}$ around the z-axis by ${\varphi }_0$ (see Figure 4), with the basis vectors in the form of

$$|{\psi }_{1,2}^{\mathrm{perfect}}\rangle =\frac{1}{\sqrt{2}}\left(|H\rangle \pm e^{i{\varphi }_0}|V\rangle \right),|{\psi }_{3,4}^{\mathrm{perfect}}\rangle =\frac{1}{\sqrt{2}}\left(|H\rangle \pm i{e}^{i{\varphi }_0}|V\rangle \right).$$

(12)

Then, Bob performs his measurement in the $X^{\prime }$ and $Y^{\prime }$ bases by randomly applying one of the positive operator-valued measures $\left\{|{\psi }_i^{\mathrm{perfect}}\rangle \langle {\psi }_i^{\mathrm{perfect}}|\right\}$.

However, in practice, the light enters PM not ideally at 45${}^{\circ }$ due to mechanical inaccuracy of connection between the optical components. This error induces a deviation from $\theta =\pi /2$ on the Bloch sphere. The voltage control and, hence, $\left\{{\varphi }_i\right\}$ have some uncertainty as well. As a consequence of all these imperfections, the ideal states (12) float above/below the $xy$-plane and rotate around the z-axis, fluctuating around their average positions. So, the physical states sent to Bob can be written as:

$$|{\psi }_i\rangle =|\psi ({\phi }_i,\theta )\rangle ,$$

(13)

where ${\phi }_i$ is a random variable with some probability distribution while $\theta$ is an a priori unknown that is determined from experiments with some uncertainty. Note that, in general, these states are no longer mutually orthogonal in the corresponding basis and do not lie in the $xy$-plane.

Using the density matrix formalism, the $X^{\prime }$-basis and $Y^{\prime }$-basis states are described by ${\rho }_{X^{\prime }}=\frac{1}{2}(|{\psi }_1\rangle \langle {\psi }_1|+|{\psi }_2\rangle \langle {\psi }_2|)$ and ${\rho }_{Y^{\prime }}=\frac{1}{2}(|{\psi }_3\rangle \langle {\psi }_3|+|{\psi }_4\rangle \langle {\psi }_4|)$ that can be written as

$$\begin{array}{cc}\hfill {\rho }_{X^{\prime }}& =\frac{1}{2}\left(\begin{array}{cc}1+cos\theta & e^{-i\frac{{\phi }_1+{\phi }_2}{2}}cos\left(\frac{{\phi }_1-{\phi }_2}{2}\right)sin\theta \\ e^{i\frac{{\phi }_1+{\phi }_2}{2}}cos\left(\frac{{\phi }_1-{\phi }_2}{2}\right)sin\theta & 1-cos\theta \end{array}\right),\hfill \\ \hfill {\rho }_{Y^{\prime }}& =\frac{1}{2}\left(\begin{array}{cc}1+cos\theta & e^{-i\frac{{\phi }_3+{\phi }_4}{2}}cos\left(\frac{{\phi }_3-{\phi }_4}{2}\right)sin\theta \\ e^{i\frac{{\phi }_3+{\phi }_4}{2}}cos\left(\frac{{\phi }_3-{\phi }_4}{2}\right)sin\theta & 1-cos\theta \end{array}\right).\hfill \end{array}$$

(14)

For the perfectly prepared states (12) ${\rho }_{X^{\prime }}={\rho }_{Y^{\prime }}$, i.e., the photon source is basis-independent. If ${\rho }_{X^{\prime }}\ne {\rho }_{Y^{\prime }}$, one cannot simply estimate the unknown single-photon phase error rate in the $X^{\prime }$-basis $E_1^{\mathrm{ph},X^{\prime }}$ by the measured bit error rate in the $Y^{\prime }$-basis $E_1^{Y^{\prime }}$ (or vice versa). The more state dependence on the basis, the easier for Eve to distinguish the bases and hence the lower secret key rate.

In Ref. [33], dedicated to the fully-passive QKD, the authors consider an equivalent virtual entanglement-based protocol with a source that emits perfectly encoded pure decoy states in the $X,Y$-bases and signal states with mixed polarizations in the Z-basis. It is shown that Alice’s imperfect preparation in the Z-basis is equivalent to the imperfect measurement (i.e., the trusted noise in Alice’s post-processing) and does not affect the amount of privacy amplification. However, the authors make an assumption that the polarization fluctuations in the Z-basis are symmetric on the Bloch sphere. It implies that averaged over angles ${\rho }_Z$ is the fully-mixed state, i.e., ${\overline{\rho }}_H+{\overline{\rho }}_V=\mathbb{I}$ where

$$\begin{array}{cc}\hfill {\overline{\rho }}_H& ={\int }_0^{2\pi }{\int }_0^{\delta \theta }p(\phi ,\theta )|\psi (\phi ,\theta )\rangle \langle \psi (\phi ,\theta )|d\phi d\theta ,\hfill \\ \hfill {\overline{\rho }}_V& ={\int }_0^{2\pi }{\int }_{\pi -\delta \theta }^{\pi }p(\phi ,\theta )|\psi (\phi ,\theta )\rangle \langle \psi (\phi ,\theta )|d\phi d\theta ,\hfill \end{array}$$

(15)

are the mixed states, post-selected within two cones around the z-axis with half-angle $\delta \theta$, with symmetric probability distribution $p(\phi ,\theta )=p(\phi +\pi ,\theta )$.

This approach is not applicable in our case since we do not assume any symmetry of angular probability distributions $\left\{p_i(\phi ,\theta )\right\}$. Nevertheless, we can use one of the ideas of Refs. [33,38]—the replacement of the source of randomly fluctuating pure states $\left\{|{\psi }_i\rangle \right\}$ by an equivalent source emitting the mixed states $\left\{{\overline{\rho }}_i\right\}$,

$${\overline{\rho }}_i={\int }_0^{2\pi }{\int }_0^{\pi }{p}_i(\phi ,\theta )|\psi (\phi ,\theta )\rangle \langle \psi (\phi ,\theta )|d\phi d\theta ,$$

(16)

where $\left\{p_i(\phi ,\theta )\right\}$ are extracted directly from experiment. In this case, the density matrices (14) are substituted for

$${\overline{\rho }}_{X^{\prime }}={\overline{\rho }}_1+{\overline{\rho }}_2,{\overline{\rho }}_{Y^{\prime }}={\overline{\rho }}_3+{\overline{\rho }}_4.$$

(17)

To quantify the discrepancy between $E_1^{\mathrm{ph},X^{\prime }}$ and $E_1^{Y^{\prime }}$, we use the concept of quantum coin, introduced in Ref. [7] in the equivalent virtual entanglement-based protocol in which both Alice and Bob measure in one basis and Alice announces the other basis. Applying the complementarity argument [6] and the Bloch sphere bound [39] to the quantum coin yields the following inequality [40],

$$\sqrt{F({\overline{\rho }}_{X^{\prime }},{\overline{\rho }}_{Y^{\prime }})}\le 1-{\mathcal{Y}}_1+{\mathcal{Y}}_1\left(\sqrt{E_1^{\mathrm{ph},X^{\prime }}{E}_1^{Y^{\prime }}}+\sqrt{(1-E_1^{\mathrm{ph},X^{\prime }})(1-E_1^{Y^{\prime }})}\right),$$

(18)

with ${\mathcal{Y}}_1=({\mathcal{Y}}_1^{X^{\prime }}+{\mathcal{Y}}_1^{Y^{\prime }})/2$ and fidelity F between two states, defined as

$$F({\overline{\rho }}_{X^{\prime }},{\overline{\rho }}_{Y^{\prime }})\equiv {\left[\mathrm{Tr}\left(\sqrt{\sqrt{{\overline{\rho }}_{X^{\prime }}}{\overline{\rho }}_{Y^{\prime }}\sqrt{{\overline{\rho }}_{X^{\prime }}}}\right)\right]}^2.$$

(19)

For $2\times 2$ matrices, it is more convenient to use the simplified form [41],

$$F({\overline{\rho }}_{X^{\prime }},{\overline{\rho }}_{Y^{\prime }})=\mathrm{Tr}\left({\overline{\rho }}_{X^{\prime }}{\overline{\rho }}_{Y^{\prime }}\right)+2\sqrt{det\left({\overline{\rho }}_{X^{\prime }}\right)det\left({\overline{\rho }}_{Y^{\prime }}\right)}.$$

(20)

Solving (18), one obtains the following upper bound on the single-photon phase error rate,

$$E_1^{\mathrm{ph},X^{\prime }}\le E_1^{Y^{\prime }}+4{\Delta }^{\prime }(1-{\Delta }^{\prime })(1-2E_1^{Y^{\prime }})+4(1-2{\Delta }^{\prime })\sqrt{{\Delta }^{\prime }(1-{\Delta }^{\prime })E_1^{Y^{\prime }}(1-E_1^{Y^{\prime }})},$$

(21)

$${\Delta }^{\prime }=\frac{1-\sqrt{F({\overline{\rho }}_{X^{\prime }},{\overline{\rho }}_{Y^{\prime }})}}{2{\mathcal{Y}}_1}=\frac{\Delta }{{\mathcal{Y}}_1},$$

(22)

where the quantity of $\Delta =(1-\sqrt{F})/2$ is usually called the quantum coin imbalance. The lower and upper bounds on ${\mathcal{Y}}_1^{X^{\prime },Y^{\prime }}$ and $E_1^{Y^{\prime }}$ are determined via the decoy-state method and are given by Equations (6) and (A20), respectively. The finite-key-size effects are taken into account in the modified $E_1^{\mathrm{ph},X^{\prime }}$ Formula (A15).

3.2. Experimental Data Analysis

Using the optical scheme shown in Figure 1, we perform a series of polarization state measurements with the fast polarimeter (model PSY-201 by General Photonics). A periodic sequence of repeated constant voltage pulses corresponding to the phase retardation angles of $\{0,\pi /2,\pi ,3\pi /2\}$ is applied to the phase modulator. The time duration of each pulse is $\sim 52\mathsf{\mu }$s. A representative result of such polarization measurements in terms of three-component Stokes vector $(S_1,S_2,S_3)$ is shown in Figure 5. One can see that the data points form a ring that is slightly shifted below the primary $xy$-plane of the Poincaré sphere. The majority of individual data points are grouped into four primary spots that are turned on that ring at an angle of ${\varphi }_0\sim {60}^{\circ }$ around the z-axis of the sphere (see Figure 5, right panel). Sparse points between the primary four dense regions are artifacts of not high enough acquisition rate of the polarimeter.

The typical experimental distributions of azimuthal ($\phi$) and polar ($\theta$) angles,

$$\phi =\mathrm{sgn}\left(S_3\right)arccos\frac{S_2}{\sqrt{S_2^2+S_3^2}},\theta =arccos\frac{S_1}{\sqrt{S_1^2+S_2^2+S_3^2}},$$

(23)

are presented in Figure 6. One can notice that the ${\phi }_i$—distributions are clearly asymmetric; however, the study of this asymmetry origin is beyond the scope of this work. Therefore, first, we make a conservative estimation of $\Delta$ using the model-independent approach: we extract the experimental normalized binned PDFs $p_{{\phi }_i}^{\exp }$ and $p_{\theta }^{\exp }$ from Figure 6 and compute ${\overline{\rho }}_i$ as follows,

$${\overline{\rho }}_i=\sum _{n,m}{p}_{{\phi }_i}^{\exp }\left({\phi }_i^{\mathrm{bin}n}\right)p_{\theta }^{\exp }\left({\theta }^{\mathrm{bin}m}\right)|\psi ({\phi }_i^{\mathrm{bin}n},{\theta }^{\mathrm{bin}m})\rangle \langle \psi ({\phi }_i^{\mathrm{bin}n},{\theta }^{\mathrm{bin}m})|w_{{\phi }_i}{w}_{\theta },$$

(24)

where $x^{\mathrm{bin}n}$ is the center of $n^{\mathrm{th}}$ histogram bin of width $w_x$ of measured x-distribution ($x\in \{{\phi }_i,\theta \}$). Then, for the density matrices computed in this way, we obtain $\Delta =7\times {10}^{-6}$. In Figure 7, we plot the privacy amplification factor ${\ell }_{\sec }/{\ell }_{\mathrm{ver}}$ where ${\ell }_{\sec }$ is determined by Equation (A11) with corrected single-photon phase error rate (21). Here, we assume no intensity fluctuations (i.e., $P_{n|\alpha }=e^{-\overline{\alpha }}{\overline{\alpha }}^n/n!$ and ${\mathcal{Y}}_{0,1}^l$ are determined by Equations (A7) and (A8)). One can see from the plot that the critical distance at which the secret key generation becomes impossible is reduced by approximately 40 km with respect to the perfect phase modulation case. One can also remark that the secret key rate reduction is up to 9 and 47% for the short-distance (up to 50 km) and long-distance (up to 100 km) ranges, respectively.

We assume that increasing the data statistics and improving the measurement procedure with subsequent data post-processing will make the distributions smoother and symmetric. Applying a simple Gaussian model, we obtain for future prospects the following analytical approximation (verified by numerical integration),

$$\begin{array}{cc}\hfill {\overline{\rho }}_i& \simeq {\int }_0^{2\pi }{\int }_0^{\pi }G\left(\phi ,{\overline{\phi }}_i,{\sigma }_{{\phi }_i}\right)G\left(\theta ,\overline{\theta },{\sigma }_{\theta }\right)|\psi (\phi ,\theta )\rangle \langle \psi (\phi ,\theta )|d\phi d\theta \hfill \\ \hfill & \simeq \frac{1}{2}\left(\begin{array}{cc}1+e^{-\frac{{\sigma }_{\theta }^2}{2}}cos\overline{\theta }& e^{-i{\overline{\phi }}_i-\frac{1}{2}({\sigma }_{{\phi }_i}^2+{\sigma }_{\theta }^2)}sin\overline{\theta }\\ e^{i{\overline{\phi }}_i-\frac{1}{2}({\sigma }_{{\phi }_i}^2+{\sigma }_{\theta }^2)}sin\overline{\theta }& 1-e^{-\frac{{\sigma }_{\theta }^2}{2}}cos\overline{\theta }\end{array}\right),\hfill \end{array}$$

(25)

where, for simplicity, we omit the properly defined PDF normalization factors since

$${\int }_0^{x_{max}}G(x,\overline{x},{\sigma }_x)dx=\frac{1}{2}\left[\mathrm{erf}\left(\frac{\overline{x}}{\sqrt{2}\sigma }\right)+\mathrm{erf}\left(\frac{x_{max}-\overline{x}}{\sqrt{2}\sigma }\right)\right]\simeq 1,$$

(26)

if ${\sigma }_x\ll \overline{x}$ and ${\sigma }_x\ll x_{max}-\overline{x}$. For the same reason, we replace the integration limits in (25) by $\pm \infty$ and obtain a very simple analytical matrix expression above. Using the fitted parameter values of $\{{\overline{\phi }}_i,{\sigma }_{{\phi }_i},\overline{\theta },{\sigma }_{\theta }\}$ from Figure 6, we compute the fidelity between ${\overline{\rho }}_{X^{\prime }}$ and ${\overline{\rho }}_{Y^{\prime }}$ (19) and find $\Delta =3\times {10}^{-6}$. One can see from the plot in Figure 7 that the critical distance is reduced by approximately 30 km compared to the ideal modulation case. Also, one can note that for the short(long)-distance range the secret key length is reduced by less than 5 (27)%. These results turn out to be less conservative than those obtained with the model-independent approach, providing better secret key generation rate.

Finally, we also compare with a very conservative estimation of $\Delta$ by finding the minimum of fidelity (i.e., maximum of $\Delta$),

$$\begin{array}{cc}\hfill F_{min}& =\underset{\begin{array}{c}{\phi }_i\in [{\phi }_i^{min},{\phi }_i^{max}]\\ \theta \in [{\theta }^{min},{\theta }^{max}]\end{array}}{min}F({\rho }_{X^{\prime }},{\rho }_{Y^{\prime }})=\underset{\begin{array}{c}{\phi }_i\in [{\phi }_i^{min},{\phi }_i^{max}]\\ \theta \in [{\theta }^{min},{\theta }^{max}]\end{array}}{min}\frac{1}{2}\{1+{cos}^2\theta \hfill \\ \hfill & +cos\left(\frac{{\phi }_1+{\phi }_2-{\phi }_3-{\phi }_4}{2}\right)cos\left(\frac{{\phi }_1-{\phi }_2}{2}\right)cos\left(\frac{{\phi }_3-{\phi }_4}{2}\right){sin}^2\theta \hfill \\ \hfill & +|sin\left(\frac{{\phi }_1-{\phi }_2}{2}\right)sin\left(\frac{{\phi }_3-{\phi }_4}{2}\right)|{sin}^2\theta \},\hfill \end{array}$$

(27)

with ${\rho }_{X^{\prime }}$ and ${\rho }_{Y^{\prime }}$, defined by Equation (14). The minimization ranges are determined from the experimental distributions in Figure 6 as, e.g., 90% confidence intervals. One can show that the minimum is achieved for the values of $\theta$ closest to $\pi /2$ and for at least one of the four combinations of ${\phi }_{1,3}={\phi }_{1,3}^{min(max)}$ and ${\phi }_{2,4}={\phi }_{2,4}^{max(min)}$ since they minimize the last ${sin}^2\theta$-term which is dominant for $\theta \sim \pi /2$ and ${\phi }_{2\left(4\right)}-{\phi }_{1\left(3\right)}\sim \pi$. This yields $F_{min}=0.9975$ and ${\Delta }_{max}=(1-\sqrt{F_{min}})/2=6\times {10}^{-4}$. In this case, the critical transmission distance is limited to 40 km, and the maximum ${\ell }_{\sec }/{\ell }_{\mathrm{ver}}$ ratio is about 0.4 at zero loss. A similar estimation of F and $\Delta$ using the upper-bounded phase modulation errors is made in the GLLP security analysis for the phase-encoding decoy-state BB84 with source flaws in Ref. [9]. For completeness, on the right-hand side of Figure 7 we plot the ${\ell }_{\sec }/{\ell }_{\mathrm{ver}}$ ratio for various $\Delta$-values, from which one can see that $\Delta \lesssim {10}^{-8}$ is required in order to make the basis-dependence effect negligible.

4. Discussion

In this work, we study the security of practical efficient decoy-state BB84 QKD protocol with polarization encoding accounting for the source flaws due to imperfect intensity and phase modulation. Based on our experimental data, we use the normal distribution to describe the non-Poissonian photon-number statistics and derive the generalized bounds on zero/single-photon yields. We find that the effect of intensity fluctuations on the secret key length is less than 5% for any transmission distances up to 100 km. It is also demonstrated that for our experimental setup, the proposed method turns out to be less conservative than the one introduced in Refs. [30,31]. In order to take into account the imperfect polarization state preparation, we apply an idea from the fully-passive source approach [38] and compute the density matrices of mixed states in two polarization bases; then we evaluate the fidelity between them and estimate the upper bound on the phase error rate using the concept of imbalanced quantum coin [6,7,40]. From the analysis of experimental angular distributions, we find that the key length is reduced by less than 9 and 47% for the transmission distances up to 50 and 100 km, respectively. The maximum distance at which the secret key transmission becomes impossible is reduced from 160 km to 120 km when the phase modulation uncertainties are taken into account. The proposed approach of estimating the fidelity between the mixed states turns out to be significantly better than the more conservative evaluation by minimizing the fidelity of pure states (e.g., compare the maximum distance of 120 km versus 40 km). We emphasize that these results are preliminary. The fidelity estimation could be further improved in our future work by (i) enlarging the amount of data for the statistical analysis (we have just ∼2500 data points for each polarization state), (ii) improving the voltage and temperature control, (iii) applying a more advanced post-selection procedure for the polarimeter data, (iv) performing a more sophisticated angular analysis. Although the obtained numerical results are valid only for the particular simple optical layout that mimics a realistic QKD transmitter, the explicit analytical formulas of the present approach can be readily applied to any practical implementation of the widely-used two-decoy-state BB84 QKD protocol with imperfect quantum state preparation augmented with the relevant source characterization data.