Security of the Decoy-State BB84 Protocol with Imperfect State Preparation

The quantum key distribution (QKD) allows two remote users to share a common information-theoretic secure secret key. In order to guarantee the security of a practical QKD implementation, the physical system has to be fully characterized and all deviations from the ideal protocol due to various imperfections of realistic devices have to be taken into account in the security proof. In this work, we study the security of the efficient decoy-state BB84 QKD protocol in the presence of the source flaws, caused by imperfect intensity and polarization modulation. We investigate the non-Poissonian photon-number statistics due to coherent-state intensity fluctuations and the basis-dependence of the source due to non-ideal polarization state preparation. The analysis is supported by the experimental characterization of intensity and phase distributions.


Introduction
The BB84 protocol [1] of quantum key distribution (QKD) between two distant parties, Alice and Bob, is based on the preparation and measurement of qubits in two bases (e.g., the computational Z-basis and the Hadamard X-basis), rotated relative to each other on the Bloch sphere by an angle of π/2.Any practical realization of the protocol inevitably introduces misalignments in the quantum state preparation and in the alignment of the measurement bases compared to the ideal ones, thus opening loopholes for information leakage to a potential eavesdropper (Eve).In particular, the preparation misalignments lead to the basis-dependence of the source that can allow Eve to distinguish the bases and attack two basis states separately.In the earliest security proof by Mayers [2], the source is assumed to be perfect.The simplified proof by Koashi and Preskill [3] allows the source to be uncharacterized but basis-independent.The proofs by Lo and Chau [4], Shor and Preskill [5] and Koashi [6] are all based on the phase error correction and assume the basis choice to be unknown to Eve.The phase error is a hypothetical error in the equivalent virtual entanglement-based protocol if the qubits of the EPR pair were measured in the complementary basis.It is well known that for an ideal source the phase and bit error rates in two bases are equal in the asymptotic limit, that is E phase Z = E bit X .However, if the source is basis-dependent, one cannot simply use one basis information to estimate the other.Thus, in this approach, the correct phase error rate estimation, taking into account the finite-key-size effects, is crucial for security analysis of the protocol with state preparation misalignments.
Further analysis by Gottesman et al. (referred to as GLLP) [7] proves the BB84 security for practical implementation of the QKD protocol when Alice's and Bob's devices are flawed.However, the GLLP approach is too conservative, it assumes the worst-case scenario when Eve can enhance the state preparation flaws by exploiting the channel loss.For this reason, the so-called loss-tolerant QKD protocol was proposed by Tamaki et al. [8], demonstrated experimentally [9,10] and later on developed in Refs.[11][12][13][14][15][16][17].This three-state BB84-like protocol is based on the complementarity approach [6] and uses the bases mismatch events information.Considering the imperfect phase/polarization modulation, it is demonstrated that the key rate is dramatically improved, although the phase error rate estimation technique is quite complicated.
The original BB84 protocol was described using the qubits encoded into the polarization states of a single photon.In practice, the single-photon source is approximated by weak coherent pulses generated by a highly attenuated laser.There is a non-zero probability for such coherent state to contain multiple photons that can be exploited by Eve performing the photon-number-splitting (PNS) attack [18,19].The invention and further development of the decoy-state method [20][21][22][23] solves this problem by introducing extra states of different intensity (mean photon number per pulse) and significantly improves the GLLP bound on the maximum secure transmission distance.For a complete formal security proof of the decoy state method see, e.g., Ref. [24].Due to inaccuracies of realistic intensity modulation, the intensities of the signal and decoy states can vary from pulse to pulse and, hence, cannot be considered as constant parameters of the protocol.It can open another potential loophole and allow Eve to improve her attack strategy.
Another well known loophole of the leaky source is the Trojan-horse attack (THA) in which Eve injects bright light pulses into Alice's device and then measures the back-reflected light in order to extract information about Alice's state preparation like the basis choice and the intensity setting in the decoy-state QKD protocol.The information leakage from Alice's modulators during THA is studied in Refs.[25][26][27][28][29].The THA on the loss-tolerant protocol is investigated in Refs.[13,14,16,17] but only for the case of a single-photon source.
In this report we consider the most widely used two-decoy-state BB84 [23] with polarization encoding and focus on two types of source flaws -the fluctuating coherent-state intensities and the polarization misalignment due to Alice's imperfect intensity and phase modulators.We assemble a simplified optical scheme for quantum state preparation that mimics the features of realistic commercial QKD devices and extract the intensity/phase distributions from laboratory test measurements.We study the non-Poissonian photon-number statistics following Refs.[30][31][32] in order to take into account the fluctuating signal and decoy pulse intensities.In contrast to the model-independent analysis in [30,31], we do not rely on the knowledge of upper/lower bounds on intensities, but determine the intensity probability distributions directly from experiment.We extend this research and investigate also the imperfect encoding state preparation.Using the idea of fully-passive source [33], we compute the averaged density matrices and apply the imbalanced quantum coin approach [7] to estimate the phase error rate.In particular, it is demonstrated for our setup that the encoding inaccuracies can lead to the key rate reduction of less than 50% for channel losses up to 20 dB (equivalent to transmission distances up to 100 km), and the critical transmission distance can reach ∼120 km.Since our experimental analysis is made for illustrative purposes only, we assume that the modulation precision and data analysis can be further improved, and the key rate bound can be increased.Provided with a complete set of explicit formulas, our framework can be applied to any practical QKD system with the characterized source that implements not the loss-tolerant but the usual decoy-state BB84 protocol.
This paper is organized as follows.In Section 2, we investigate the non-Poissonian photon-number statistics of weak coherent states and estimate the effect of pulse intensity fluctuations on the secret key rate.In Section 3, we study the polarization distributions and bound the phase error rate for the QKD protocol with realistic phase modulator.The main conclusions are given in Section 4.

Intensity fluctuations 2.1 Experimental setup
In this report, we investigate the efficient BB84 protocol [34] with non-optimized basis choice probabilities of p X = 0.9 and p Y = 0.1 in which the X-basis is used for the secret key distillation while the Y -basis is used for the phase error rate estimation.In order to counteract the PNS attack, we apply the three-intensity decoy-state technique [21,23]: the signal state of intensity µ is used for the secret key generation, and two decoy states of intensities ν 1 and ν 2 are used for the singlephoton yield and bit error rate estimation.For simplicity, we choose the reasonable values of µ ∼ 0.3, ν 1 ∼ 0.1 and ν 2 ∼ 10 −3 which turn out to be close to the optimal ones for a wide range of transmission distances.The states are randomly generated with the probabilities of p µ = 0.5 and p ν 1,2 = 0.25.
Our experimental setup for preparing and monitoring Alice's quantum states of given intensity α ∈ {µ, ν 1 , ν 2 } and polarization is presented in Fig. 1.The pulses with an average optical power of approximately 2 mW are emitted by a DFB laser operating at 1550 nm wavelength.First, the relative classical pulse intensity I α is adjusted by the intensity modulator (IM) by applying an appropriate voltage V α on the modulation electrodes such that I ν 1,2 /I µ = ν 1,2 /µ with I µ chosen to be larger than half of the maximum output intensity.Then the polarization state is chosen by applying one of the four voltages V i on the phase modulator (PM).Finally, the classical pulses are attenuated to the required weak coherent-state level with the variable optical attenuator (VOA).
The IM output intensity I α is the result of the interference of two waves, propagating via two paths of the Mach-Zehnder interferometer with different optical path length.This difference is created by varying the optical index in the waveguide active layer of each path with electric field between the modulation electrodes.The IM is designed to have equal arms and thus balanced optical paths.However, there is always some imbalance, caused by the change of the refractive index of the optical mode of the waveguide due to possible variations of temperature (thermo-optic and pyroelectric effects), optical power in the waveguide (photorefractive effect) or mechanical stress (strain-optic effect).As a result, a time-dependent phase (and consequently I α ) drift is induced.In order to compensate this drift, the time-averaged power is measured by the power meter (PwM) and tuned by the proportional-integral-derivative (PID) controller to the initial value by applying the relevant voltage V bias to the bias electrodes.All these effects together with the limiting resolution of control voltage circuits and the laser noise cause some fluctuations of the output intensities.
In order to quantify the intensity fluctuations, we connect a classical photodetector (Thorlabs RXM40AF) directly to the IM output and record the voltage oscillograms.Following Ref. [35], we remove the noise by applying filtering technique based on the singular-value-decomposition.In Fig. 2, we present the obtained probability density function (PDF) of I α normalized by the total PM+BS+VOA attenuation.As evidenced by good agreement with the data, a regular Gaussian PDF given by Eq. ( 1), is the right choice of function to parametrize the intensity fluctuations : where α i are the mean values and σ α i are the standard deviations, with the best-fit values tabulated on the right of the plot in Fig. 2.

Non-Poissonian photon-number statistics
The single-photon source is often approximated by a weak coherent-state source, realized in practice as strongly attenuated laser radiation.The emitted phaserandomized state is described as a mixture of Fock states, where the photon number follows the Poisson distribution P n|α with mean photon number α.Note that usually in the literature α is assumed to be a constant parameter that does not vary during the QKD session.However, in realistic experimental setup the intensity parameter is a fluctuating variable as discussed in the previous subsection.
It is known that the assumption of Poissonian photon-number statistics is not really necessary for the decoy-state BB84 protocol -one can derive the generalized security bounds for any arbitrary P n|α distribution.The first detailed modelindependent analysis of the source errors in the photon-number space is provided by Wang et al. in Refs.[30,31].The authors derive the generalized conservative bounds on the single-photon component's yield and QBER in terms of arbitrary upper/lower bounds on P n|α .In this report, we closely follow the theoretical approach of [30,31] but do not use the bounded P n|α that rely on the knowledge of allowed intervals [α min , α max ] for the coherent state source.Instead we assume ρ α of every single pulse to be Poissonian but with random normally-distributed parameter α.Thus, the n-photon state probability is modified as follows, where we integrate only over the positive intensity values that have physical meaning.The experimentally measured gain -the probability that an emitted pulse of intensity α is detected by Bob -can be expressed as where the yield Y n is the conditional probability of a detection event (click) on Bob's side, given that Alice sends out an n-photon state.The key idea of the decoy-state method is that since Eve cannot distinguish the |n⟩ states of signal pulse from those of decoy pulse, the yields {Y n } ∞ n=0 must be equal for signal and decoy states [20].However, this assumption of indistinguishability may not hold in practice.In Ref. [36], the authors consider an imperfect source with passive side channels in the time and frequency domains which may allow Eve to partially distinguish signal and decoy states from the mismatches in the corresponding degrees of freedom.In this report, we neglect the impact of such side channels on the QKD system performance and focus only on the intensity fluctuations.
Taking into account the finite-statistics effects, the generalized lower bounds on the zero-photon and single-photon yields are determined by (for more details see Appendix A) where Q u,l α are the upper/lower bounds on the Q α -estimators given by Eq. (40).For brevity, here we omit the basis index of Q u,l α and Y l 0,1 .To investigate the effect of non-Poissonian statistics on the privacy amplification, in Fig. 3 we plot the simulated ratio of the secret over verified key lengths, ℓ sec /ℓ ver , as a function of transmission distances for the scenarios of perfect (Poissonian statistics with P n|α = e −α α n /n!) and imperfect (non-Poissonian statistics with P n|α defined by Eq. ( 3)) intensity modulation.The verified key is the error-corrected sifted key that passed the subsequent hash-tag verification.The secret key length formula is given in Appendix B.Here we assume the photon source to be basis-independent (∆ ′ = 0 in Eq. ( 43)).One can see from the plot that, surprisingly, the imperfect preparation provides a better key rate than the perfect one for the entire distance range.The reason is the following: due to rather wide distribution of ν 2 relative to its mean value, the probability of the single-photon component of ρ ν 2 turns out to be enhanced several times with respect to the ideal Poissonian source with the mean photon number ν 2 ; as a consequence, the term P 0|ν 1 P 1|ν 2 in the denominator of Eq. ( 6) becomes non-negligible, which, in turn, increases Y l 1 and, hence, ℓ sec .One Figure 3: The simulated secret key length ℓ sec , normalized to the verified key length ℓ ver , for the scenarios of perfect (µ, ν 1 , ν 2 are constant) and imperfect (µ, ν 1 , ν 2 fluctuate following the normal distribution) pulse intensity modulation.The red curve represents the result of the method introduced by Wang et al. in [30,31] with the intensities bounded with their ±1σ uncertainties.
could naively think that increasing σ ν 2 would improve ℓ sec even more, however, this would lead to the violation of the required condition (29) starting from some value of n, making the Y 0 -estimation (28) incorrect.Increasing σ ν 2 , e.g., by 5 times would violate (29) for n ≥ 12.In order to avoid the overestimation of the single-photon and multi-photon contributions to ρ ν 2 due to the noise, we propose to set P n|ν 2 = δ n0 (i.e.ν 2 ≡ 0 and ρ ν 2 = |0⟩⟨0|) which provides a more conservative evaluation of ℓ sec (see the green curve in Fig. 3).In this case the secret key turns out to be more than 95% of the key generated with an ideal IM, for any distance up to 100 km.
To conclude this section, we make a comparison with the model-independent approach of Wang et al. [30,31].Their expression for the single-photon gain, given by Eq. ( 43) in Ref. [31], can be re-written in our notations as with the bounded probabilities for coherent states defined as Using the experimental intensity distributions shown in Fig. 2, we determine α u,l as where z 1−ε is the normal distribution quantile, For illustration, the red curve in Fig. 3 represents the normalized secret key length (38) computed with Q l 1 defined by Eq. ( 7) and z 1−ε = 1 (ε ≃ 0.16).We find that for z 1−ε ≳ 2.3 (ε ≲ 0.011) the secret key transmission is impossible at any distance.The wrong estimation of at least one bound on P n|α in (7) would make the evaluation of Q l 1 and, hence, ℓ sec incorrect.Therefore, such failure probability of 1 − (1 − ε) 5 ≈ 5ε has to be taken into account in the total tolerable failure probability ε decoy which is set to be 10 −12 (see Appendix B).Apparently, such high confidence level cannot be achieved with the current values of σ α .Thus, one can clearly see superiority of the proposed method for the particular setup and measurement precision since it provides both longer secret keys and the maximum attainable transmission distances.

Polarization state preparation and basis-dependence
Any arbitrary polarization state can be described by azimuthal and polar angles φ ∈ [0, 2π) and θ ∈ [0, π] on the Bloch sphere, where |H⟩ and |V ⟩ denote the horizontal and vertical polarization vectors, aligned with the PM crystal axes.In our setup, the linearly polarized light is injected to PM at a 45 • angle to the crystal axes which corresponds to θ = π/2 [37].In general, the electric field amplitudes along the ordinary and extraordinary axes initially have some phase difference ϕ 0 without any voltage supply due to the crystal birefringence.
The additional random relative phase ϕ i ∈ {0, π, π/2, 3π/2}, determining the basis and bit value, is created by applying an appropriate voltage V i along one of the crystal axes.Thus, the azimuthal angle of the i th state is φ i = ϕ 0 + ϕ i .
In the protocol with perfect state preparation, the qubits are prepared and measured in the elliptical polarization bases X ′ : {|ψ 1 ⟩ , |ψ 2 ⟩} and Y ′ : {|ψ 3 ⟩ , |ψ 4 ⟩}, obtained by rotating the standard bases X : {|D⟩ , |A⟩} and Y : {|R⟩ , |L⟩} around the z-axis by ϕ 0 (see Fig. 4), with the basis vectors in the form of Then Bob performs his measurement in the X ′ and Y ′ bases by randomly applying one of the positive operator-valued measures {|ψ perfect i ⟩⟨ψ perfect i |}.However, in practice, the light enters PM not ideally at 45 • due to mechanical inaccuracy of connection between the optical components.This error induces a deviation from θ = π/2 on the Bloch sphere.The voltage control and, hence, {ϕ i } have some uncertainty as well.As a consequence of all these imperfections, the ideal states (12) float above/below the xy-plane and rotate around the z-axis, fluctuating around their average positions.So the physical states sent to Bob can be written as where φ i is a random variable with some probability distribution while θ is an a priori unknown that is determined from experiments with some uncertainty.Note that, in general, these states are no longer mutually orthogonal in the corresponding basis and do not lie in the xy-plane.(12), while the realistic states (13) are schematically depicted as solid angle surface areas.
Using the density matrix formalism, the X ′ -basis and Y ′ -basis states are described by ρ For the perfectly prepared states (12) ρ X ′ = ρ Y ′ , i.e. the photon source is basisindependent.If ρ X ′ ̸ = ρ Y ′ one cannot simply estimate the unknown single-photon phase error rate in the X ′ -basis E ph,X ′ 1 by the measured bit error rate in the Y ′ -basis E Y ′ 1 (or vice versa).The more state dependence on the basis, the easier for Eve to distinguish the bases and hence the lower secret key rate.
In Ref. [33], dedicated to the fully-passive QKD, the authors consider an equivalent virtual entanglement-based protocol with a source that emits perfectly encoded pure decoy states in the X, Y -bases and signal states with mixed polarizations in the Z-basis.It is shown that Alice's imperfect preparation in the Z-basis is equivalent to the imperfect measurement (i.e. the trusted noise in Alice's post-processing) and does not affect the amount of privacy amplification.However, the authors make an assumption that the polarization fluctuations in the Z-basis are symmetric on the Bloch sphere.It implies that averaged over angles ρ Z is the fully-mixed state, i.e. ρ H + ρ V = I where are the mixed states, post-selected within two cones around the z-axis with halfangle δθ, with symmetric probability distribution p(φ, θ) = p(φ + π, θ).This approach is not applicable in our case since we do not assume any symmetry of angular probability distributions {p i (φ, θ)}.Nevertheless, we can use one of the ideas of Refs.[33], [38] -the replacement of the source of randomly fluctuating pure states {|ψ i ⟩} by an equivalent source emitting the mixed states {ρ i }, where {p i (φ, θ)} are extracted directly from experiment.In this case, the density matrices ( 14) are substituted for To quantify the discrepancy between E ph,X ′ 1 and E Y ′ 1 , we use the concept of quantum coin, introduced in Ref. [7] in the equivalent virtual entanglement-based protocol in which both Alice and Bob measure in one basis and Alice announces the other basis.Applying the complementarity argument [6] and the Bloch sphere bound [39] to the quantum coin yields the following inequality [40], with )/2 and fidelity F between two states, defined as For 2 × 2 matrices it is more convenient to use the simplified form [41], Solving (18), one obtains the following upper bound on the single-photon phase error rate, where the quantity of ∆ = (1 − √ F )/2 is usually called the quantum coin imbalance.

The lower and upper bounds on
1 are determined via decoy-state method and are given by Eqs. ( 6) and (47), respectively.The finite-key-size effects are taken into account in the modified E ph,X ′ 1 formula (42).

Experimental data analysis
Using the optical scheme shown in Fig. 1, we perform a series of polarization state measurements with the fast polarimeter (model PSY-201 by General Photonics).A periodic sequence of repeated constant voltage pulses corresponding to the phase retardation angles of {0, π/2, π, 3π/2} is applied to the phase modulator.The time duration of each pulse is ∼ 52 µs.A representative result of such polarization measurements in terms of three-component Stokes vector (S 1 , S 2 , S 3 ) is shown in Fig. 5.
One can see that the data points form a ring which is slightly shifted below the primary xy-plane of the Poincaré sphere.The majority of individual data points are grouped into four primary spots that are turned on that ring at an angle of ϕ 0 ∼ 60 • around the z-axis of the sphere (see Fig. 5, right panel).Sparse points between the primary four dense regions are artifacts of not high enough acquisition rate of the polarimeter.The typical experimental distributions of azimuthal (φ) and polar (θ) angles, are presented in Fig. 6.One can notice that the φ i -distributions are clearly asymmetric, however, the study of this asymmetry origin is beyond the scope of this report.Therefore, first, we make a conservative estimation of ∆ using the modelindependent approach: we extract the experimental normalized binned PDFs p exp φ i and p exp θ from Fig. 6 and compute ρ i as follows, where x bin n is the center of n th histogram bin of width w x of measured x-distribution (x ∈ {φ i , θ}).Then for the density matrices computed in this way we obtain ∆ = 7 × 10 −6 .In Fig. 7 we plot the privacy amplification factor ℓ sec /ℓ ver where ℓ sec is determined by Eq. ( 38) with corrected single-photon phase error rate (21).Here we assume no intensity fluctuations (i.e.P n|α = e −α α n /n! and Y l 0,1 are determined by Eqs.(34), (35)).One can see from the plot that that the critical distance at which the secret key generation becomes impossible is reduced by approximately 40 km with respect to the perfect phase modulation case.One can also remark that the  secret key rate reduction is up to 9 and 47% for the short-distance (up to 50 km) and long-distance (up to 100 km) ranges, respectively.
We assume that increasing the data statistics and improving the measurement procedure with subsequent data post-processing will make the distributions smoother and symmetric.Applying a simple Gaussian model, we obtain for future prospects the following analytical approximation (verified by numerical integration), where for simplicity we omit the properly defined PDF normalization factors since  if σ x ≪ x and σ x ≪ x max − x.For the same reason, we replace the integration limits in ( 25) by ±∞ and obtain a very simple analytical matrix expression above.Using the fitted parameter values of {φ i , σ φ i , θ, σ θ } from Fig. 6, we compute the fidelity between ρ X ′ and ρ Y ′ (19) and find ∆ = 3 × 10 −6 .One can see from the plot in Fig. 7 that the critical distance is reduced by approximately 30 km compared to the ideal modulation case.Also one can note that for the short(long)-distance range the secret key length is reduced by less than 5(27)%.These results turn out to be less conservative than those obtained with the model-independent approach, providing better secret key generation rate.Finally, we also compare with a very conservative estimation of ∆ by finding the minimum of fidelity (i.e.maximum of ∆), with ρ X ′ and ρ Y ′ , defined by Eq. ( 14).The minimization ranges are determined from the experimental distributions in Fig. 6 as, e.g., 90% confidence intervals.One can show that the minimum is achieved for the values of θ closest to π/2 and for at least one of the four combinations of since they minimize the last sin 2 θ-term which is dominant for θ ∼ π/2 and φ 2(4) − φ 1(3) ∼ π.This yields F min = 0.9975 and ∆ max = (1 − √ F min )/2 = 6 × 10 −4 .In this case the critical transmission distance is limited to 40 km and the maximum ℓ sec /ℓ ver ratio is about 0.4 at zero loss.A similar estimation of F and ∆ using the upperbounded phase modulation errors is made in the GLLP security analysis for the phase-encoding decoy-state BB84 with source flaws [9].For completeness, on the right-hand side of Fig. 7 we plot the ℓ sec /ℓ ver ratio for various ∆-values, from which one can see that ∆ ≲ 10 −8 is required in order to make the basis-dependence effect negligible.

Conclusions
In this report, we study the security of practical efficient decoy-state BB84 QKD protocol with polarization encoding accounting for the source flaws due to imperfect intensity and phase modulation.Based on our experimental data, we use the normal distribution to describe the non-Poissonian photon-number statistics and derive the generalized bounds on zero/single-photon yields.We find that the effect of intensity fluctuations on the secret key length is less than 5% for any transmission distances up to 100 km.It is also demonstrated that for our experimental setup the proposed method turns out to be less conservative than the one introduced in Refs.[30,31].In order to take into account the imperfect polarization state preparation, we apply an idea from the fully-passive source approach [38] and compute the density matrices of mixed states in two polarization bases; then we evaluate the fidelity between them and estimate the upper bound on the phase error rate using the concept of imbalanced quantum coin [6,7,40].From the analysis of experimental angular distributions we find that the key length is reduced by less than 9 and 47% for the transmission distances up to 50 and 100 km, respectively.If the phase modulation uncertainties are taken into account, the ultimate key transmission distance reduces from 160 km to 120 km.The method of estimating the fidelity between the mixed states turns out to be significantly better than the more conservative evaluation from minimizing the fidelity of pure states (e.g., the maximum distance of 120 km versus 40 km).We emphasize that these results are preliminary.The fidelity estimation could be further improved in our future work by (i) enlarging the amount of data for the statistical analysis (we have just ∼2500 data points for each polarization state), (ii) improving the voltage and temperature control, (iii) applying a more advanced post-selection procedure for the polarimeter data, (iv) performing a more sophisticated angular analysis.Although the obtained numerical results are valid only for the particular simple optical layout that mimics a realistic QKD transmitter, the explicit analytical formulas of the present approach can be readily applied to any practical implementation of the widely-used two-decoy-state BB84 QKD protocol with imperfect quantum state preparation augmented with the relevant source characterization data.

Appendix B Secret key length
We consider the efficient BB84 protocol [34] with the basis choice probabilities of p X = 0.9 and p Y = 0.1, in which the X-basis is used for the secret key distillation while the Y -basis is used for the phase error estimation.Since the simultaneous rotation of the bases around the z-axis does not affect the security, here for simplicity we use the notation {X, Y } instead of physical {X ′ , Y ′ }.The length of the secret key is estimated as follows [42,43], where the first and the last terms represent the privacy amplification step and are determined by m X,l 1 -the lower bound on the number of bits in the verified key of length ℓ X ver obtained from signal single-photon pulses, E ph,X,u 1 -the upper bound on the single-photon phase error rate in the X-basis, and ε pa = 10 −12 -the tolerable failure probability for the privacy amplification step.The h 2 -function is the standard Shannon binary entropy.The second term in (38) is the amount of information about the sifted key leaked to Eve during the error correction and verification steps, that can be parametrized as where ℓ X sift is the sifted key length, ÊX µ is the signal quantum bit error rate (QBER), determined during the error correction step, f ec ≥ 1 is the error correction code inefficiency, and ℓ hash is the verification hash-tag length.Usually in the literature f ec ∼ 1.2 is assumed, however, for realistic codes it can be significantly higher for low QBER.Therefore, we extract the f ec (E µ )-dependence of the low-density paritycheck (LDPC) codes from Ref. [44] (see the upper-left SEC plot in Fig. 3 in [44]).
The finite-key-size effects and statistical fluctuations are taken into account in our analysis.According to the central limit theorem, the binomial distributions of ) can be well approximated by the normal distribution.The upper and lower bounds on Q X α and m X 1 are evaluated using the Wald confidence interval [42], where N X α and M X α are the total counts (before sifting) of transmitted and detected pulses of given intensity, respectively.
It is well known that for the basis-independent source (ρ X = ρ Y ) in the asymptotic limit (N α → ∞) the phase error rate in the X-basis is equal to the bit error rate in the Y -basis.If ρ X ̸ = ρ Y and the data samples are finite, the phase error bound receives two corrections, where the basis-dependence correction Θ coin is parametrized in terms of the effective quantum coin imbalance ∆ ′ [40], and Θ stat takes into account different sizes of two random data samples and statistical fluctuations and is determined by numerical solution of the following equation [43], As pointed out in Ref. [42], in general, one cannot use binomial distribution for QBER since if Eve performs a coherent attack, the errors in different positions in the key cannot be treated as independent events.Therefore, the upper bound on the single-photon bit error rate is estimated differently compared to Ref. [43], where the number of bit errors, obtained from the zero-photon pulses due to background events, is distributed as m Y 0 ∼ Bi(N Y µ , p Y P 0|µ Y Y 0 /2) and lower bounded by Since the Y -basis is used only for parameter estimation, the signal QBER ÊY µ is computed directly from public disclosure of the sifted keys generated in the Y -basis.All other quantities in the Y -basis are computed the same way as in the X-basis with replacement ℓ X ver → ℓ Y sift in Eq. ( 41).One can count 14 statistical confidence bounds in total that are required to compute ℓ X sec .Therefore, in order to have the estimation (38) satisfied with the probability not less than 1 − ε decoy , one has to set the failure probability of each bound ε = ε decoy /14.We set ε decoy = 10 −12 .For completeness, taking into account also the verification failure probability ε ver (e.g., using the ϵ-universal polynomial hashing, ε ver ≤ 2 × 10 −11 for ℓ sift ≃ 10 6 and ℓ hash = 50 [45]), the overall (in)security parameter of the entire QKD system is equal to ε tot = ε decoy + ε ver + ε pa .
For the numerical simulation of Qα and Êα , we use the simplest theoretical model from Ref. [23], with the single-photon detector quantum efficiency of η = 10% and dark count probability of p dc = 10 −6 , photon transmission probability of t = 10 −(βL+3)/10 determined by Bob's internal loss of 3 dB and quantum channel loss coefficient β ≃ 0.2 dB/km, and optical misalignment error of p opt = 1%.For the statistical analysis, we set where we take the X-basis sifted key block length of ℓ X sift = 1.36 × 10 6 [44].We also neglect the error correction and verification failure probabilities and set ℓ X ver = ℓ X sift .

Figure 1 :
Figure 1: The optical scheme of weak coherent state preparation of given intensity and polarization: Light source -DFB laser, IM -intensity modulator Optilab IMP-1550-10-PM, PM -phase modulator IXblue MPZ-LN-10, BS -beamsplitter with the split ratio of 1:99, PwM -power meter Thorlabs PM100USB+S154C, VOA -electronic variable optical attenuator.The cyan line denotes polarization-maintaining optical fiber.The connector to PM is rotated by 45 • angle with respect to the PM crystal axes.

Figure 2 :
Figure 2: The measured probability density function of pulse intensity (mean photon number per pulse).The signal (µ) and two decoy (ν 1,2 ) states are generated randomly with the probabilities of p µ = 0.5 and p ν 1,2 = 0.25 respectively.The non-physical negative values of the vacuum decoy peak are caused by photodetector noise.

Figure 4 :
Figure4: Alice's output polarization states on the Bloch sphere.The blue and orange dots mark the perfectly prepared states(12), while the realistic states(13) are schematically depicted as solid angle surface areas.

2 Figure 5 :
Figure 5: The measured polarization states (13) on the Poincaré sphere, made in the Stokes parameter coordinates (S 1 , S 2 , S 3 ).The plot on the right shows the zoomed equatorial area of the sphere.The red circle is the best fit circle given 3D points.

Figure 6 :
Figure 6: The experimental angular distributions, obtained from the spherical coordinates of the data points on the Poincaré sphere in Fig. 4.

Figure 7 :
Figure 7: Left: The simulated secret key length ℓ sec , normalized to the verified key length ℓ ver , for scenarios of perfect and imperfect phase modulation.The orange solid(dashed) line corresponds to the fitted Gaussian (experimental binned) probability density function of angular distributions.Right: The simulated ℓ sec /ℓ ver ratio for various values of quantum coin imbalance ∆.