Finite-Key Analysis for Quantum Key Distribution with Discrete-Phase Randomization

Abstract

Quantum key distribution (QKD) allows two remote parties to share information-theoretic secret keys. Many QKD protocols assume the phase of encoding state can be continuous randomized from 0 to $2\pi$, which, however, may be questionable in the experiment. This is particularly the case in the recently proposed twin-field (TF) QKD, which has received a lot of attention since it can increase the key rate significantly and even beat some theoretical rate-loss limits. As an intuitive solution, one may introduce discrete-phase randomization instead of continuous randomization. However, a security proof for a QKD protocol with discrete-phase randomization in the finite-key region is still missing. Here, we develop a technique based on conjugate measurement and quantum state distinguishment to analyze the security in this case. Our results show that TF-QKD with a reasonable number of discrete random phases, e.g., 8 phases from $\{0,\pi /4,\pi /2,\dots ,7\pi /4\}$, can achieve satisfactory performance. On the other hand, we find the finite-size effects become more notable than before, which implies that more pulses should be emit in this case. More importantly, as a the first proof for TF-QKD with discrete-phase randomization in the finite-key region, our method is also applicable in other QKD protocols.

1. Introduction

Quantum key distribution (QKD) [1,2],one of the most successful and mature applications in quantum information science, allows for two legitimate parties (Alice and Bob) to share information-theoretic secret keys. In theory, its security has been proved [3,4,5], while experiments towards a higher key rate [6] and longer achievable distance [7,8,9,10] have been demonstrated. Still, some large scale QKD networks are emerging [11,12,13,14]. However, owing to the inherent photon-loss in the channel, it meets a vital bottleneck that limits the communication distance and key generation rate. Specifically, some fundamental rate-loss limits [15,16] impose a restriction on any point-to-point QKD without repeaters. More precisely, the key rate R is bounded by the channel transmission probability $\eta$ with the linear PLOB bound $R=-{log}_2(1-\eta )$ [16]. Delightfully, M.Lucamarini et al. made a breakthrough by proposing twin-field (TF) QKD in 2018. The essential idea of TF-QKD is in code mode extracting the key bit from a single-photon click event of the measurement station located in the middle of channel, which happens with a probability proportional to $\sqrt{\eta }$; thus, surpassing the linear PLOB bound becomes possible, and a so-called phase-error rate may be estimated in decoy mode [17,18,19] to monitor security. Driven by this, several TF-type QKD protocols [20,21,22,23,24,25,26] were proposed later to complete security proofs and improve performance. Based on these protocols, experimentalists also made great efforts to realize TF-QKD [27,28,29,30,31,32,33,34,35].

Since TF-QKD inherits measurement-device-independent (MDI)-QKD’s [36] merit that is immune to all side-channel attacks to measurement devices and all measurement-device imperfections [37,38], one does not need to take the detection loopholes into account within the TF-type QKD system. In spite of this, the security issues of the state preparation in TF-QKD must be carefully considered. In practice, the laser source of TF-QKD is usually a continuous source emitting coherent states with a fixed phase. Meanwhile, continuous phase-randomization from 0 to $\pi$ is required in the TF-QKD. More specifically, this continuous phase-randomization is assumed in both the code and test modes in Refs. [21,23,26], or at least in the test mode in Refs. [22,24,39]. To fulfill this requirement, Alice and Bob must randomize the global phase continuously and uniformly. Unluckily, two ways to achieve phase randomization introduce different problems in the experiment. Passive randomization will lead to phase correlations between adjacent pulses [40,41], while active randomization can only randomize the phase over discrete set of values.

To bridge this gap between theory and experiment, two works that analyzed the security of fully discrete-phase randomization TF-QKD protocol have been proposed [42,43,44] in these days. However, a security proof in the finite-key region is still missing. Hence, one natural question is that whether TF-QKD with fully discrete-phase randomization can work well non-asymptotically. This work affirms that it can.

In this paper, we analyze the security of TF-QKD protocol with fully discrete randomization in a finite-key region. Interestingly, our analysis leads to comparable performance with the continuous one. Since taking the discrete phase into account, our results make the TF-QKD more practical and can be applied to the future TF-QKD experiment. More importantly, some techniques proposed here, e.g., Lemma A1 (introduced later), can be utilized to analyze the security of other QKD protocols with discrete-phase randomization.

This work is organized as follows. In Section 2, we give a description of the TF-QKD protocol with fully discrete-phase randomization, and the sketch of the security proof is given in Section 3. Note that the proof is detailed in Appendix A. In Section 4, by the numerical simulation, we show this protocol can still beat the linear PLOB bound [16] and has satisfactory performance. Finally, a conclusion is given in Section 5.

2. Protocol Description

Indeed, the protocol analyzed here has been depicted in Ref. [43]. For ease of understanding, we illustrate the protocol as follows.

Step 1: Alice (Bob) chooses a label from $\{“\mu ”,“0”,“\nu ”\}$ with probabilities $P_{\mu },P_O,P_{\nu }$, according to the label she (he) chooses, she (he) takes one of the following actions:

$“\mu ”$: she (he) randomly picks an integer $l_{A_c}$ ($l_{B_c}$) from $\{0,1,\cdots ,M-1\}$ with equal probability $\frac{1}{M}$ where M is an even integer. This means that the phase 2$\pi$ is divided into M parts. Then, she (he) randomly chooses a key bit $k_a$$\left(k_b\right)$ where $k_a\left(k_b\right)\in \left\{0,1\right\}$. Finally, she (he) sends a pulse with a coherent state $|e^{i(\frac{l_{Ac}}{M}2\pi +\pi k_a)}\sqrt{\mu }⟩$($|e^{i(\frac{l_{B_c}}{M}2\pi +\pi k_b)}\sqrt{\mu }⟩$ ).

$“0”$: she (he) sends the vacumm state.

$“\nu ”$: she (he) randomly picks an integer $l_{A_c}$ and $l_{B_c}$ from $\{0,1,\cdots ,M-1\}$ with equal probability $\frac{1}{M}$ where M is an even integer. This means that the phase 2$\pi$ is divided into M parts. Then, she (he) sends a pulse with a coherent state $|e^{i\frac{l_{Ac}}{M}2\pi }\sqrt{\mu }⟩$($|e^{i\frac{l_{Bc}}{M}2\pi }\sqrt{\mu }⟩$ ).

The first case is called code mode, while the other cases are decoy mode.

Step 2: Alice and Bob repeat Step 1 in total of $N_{tot}$ times.

Step 3: After receiving $N_{tot}$ pairs of pulses from Alice and Bob, interfering each pair at a beamsplitter and measuring the two outputs with his single photon detectors (SPDs), an honest Eve announces whether or not each measurement is successful. Here, ’successful’ means only one SPD (left SPD or right SPD) clicks in the corresponding measurement, and if so, Eve reports the specific SPD clicked.

Step 4: For those rounds Eve announcing successful click, Alice and Bob announce the intensities they chose as well as the values of $l_{A_c}$ and $l_{B_c}$. Then, Alice and Bob only retain those successful rounds in which the intensities of the coherent state they sent are same while the in-phase ($l_{A_c}=l_{B_c}$) or anti-phase ($|l_{A_c}-l_{B_c}|=M/2$) condition is also met. Let $n_{2\beta }^{+}$($n_{2\beta }^{-}$) be the number of the retained rounds when both Alice and Bob chose the same intensity $\beta$ of the coherent state and the in-phase (anti-phase) is also met. Note that we assume $l_{A_c}=l_{B_c}=0$ always holds in the case of $\beta =0$. Alice and Bob generate their sifted keys from $n_{2\mu }=n_{2\mu }^{+}+n_{2\mu }^{-}$ retained rounds in code mode, thus the length of sifted key bits $n_{bit}=n_{2\mu }$. Note that if it is an in-phase (anti-phase) round with right (left) SPD clicking, Bob may flip his corresponding sifted key bit.

Step 5: With all of the quantities $n_{2\beta }=n_{2\beta }^{+}+n_{2\beta }^{-}$, Alice and Bob use linear programming to obtain an upper bound on the number of phase errors(defined later) $n_{ph}^U$ with a failure probability no more than $\epsilon$; then, they can calculate the upper bound $e_{ph}^U=n_{ph}^U/n_{bit}$.

Step 6: Step 6 consists of error correction and privacy amplification.

Step 6a: Alice sends $H_{EC}$ bits of syndrome information of her sifted key bits to Bob through an authenticated public channel. Then, Bob uses it to correct errors in his sifted keys. Alice and Bob calculate a hash of their error-corrected keys with a random universal hash function and check whether they are equal. If equal, they continue to the next step; otherwise, they abort the protocol.

Step 6b: Alice and Bob apply the privacy amplification to obtain their final secret keys. If the length of their secret key satisfies $l=n_{bit}(1-h\left(e_{ph}^U\right))-H_{EC}-{log}_2\frac{2}{{ϵ}_{cor}}-{log}_2\frac{1}{4{ϵ}_{PA}^2}$ where $h(·)$ denotes the binary Shannon entropy, this protocol must be ${ϵ}_{cor}$-correct and ${ϵ}_{sec}$-secret with ${ϵ}_{sec}=\sqrt{\epsilon }+{ϵ}_{PA}$. Here, ${ϵ}_{cor}$(${ϵ}_{sec}$) represents the protocol is correct (secret) with a failure probability no more than ${ϵ}_{cor}\left({ϵ}_{sec}\right)$. Hence, the total security parameter is ${ϵ}_{tol}$-secure where ${ϵ}_{tol}={ϵ}_{cor}+{ϵ}_{sec}$. It is elaborated thoroughly in the widely-used universally composable security framework [45,46].

3. Security Proof

In this section, we present the security proof of this protocol. The main task of the security proof is to bound the information Eve holds. To accomplish this task, one can calculate a so-called phase-error rate. Firstly, we construct an equivalent virtual protocol, in which Alice and Bob prepare some entangled states between local states and traveling states, but traveling states must have the same density matrices as actual protocol in the channel. The sifted key bits can be seen as the outputs of measurement with Z-basis on local states made by Alice and Bob; then, the so-called phase-error rate is defined as the error rate for the outputs of measurement with the X-basis made by them. According to the complementarity argument [47], the phase-error rate can be used to bound Eve’s information on the sifted keys. In the following, we give the virtual protocol and show how to bound the phase-error rate.

3.1. Equivalent Virtual Protocol

In our virtual protocol, Alice generates secret keys from the code mode in which she prepares the state

$$\begin{array}{c}\hfill {|\psi ⟩}_{\mu ,A_{c}Aa}=\sum _{l=0}^{M-1}\frac{1}{\sqrt{M}}{|l⟩}_{A_c}(\frac{1}{\sqrt{2}}{(|0⟩}_A|e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_a+{|1⟩}_A|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_a\left)\right),\end{array}$$

(1)

where $A_c$ and A are the local quantum systems in Alice’s side, and a is the traveling quantum state Alice sent to Eve. Similarly, Bob prepares ${|\psi ⟩}_{\mu ,B_{c}Bb}$ defined analogously to ${|\psi ⟩}_{\mu ,A_{c}Aa}$. Obviously, Alice (Bob) measures $A\left(B\right)$ with Z-basis to obtain sifted key, i.e., ${|0⟩}_A$ for bit 0 and ${|1⟩}_A$ for bit 1. In order to obtain the phase-error rate, they measure $A,B$ in X-basis $\{|+⟩,|-⟩\}$ after Eve’s attack. As for the test mode, we assume Alice prepares the following states

$$\begin{array}{cc}\hfill {|\psi ⟩}_{0,A_{c}Aa}& ={|0⟩}_{A_c}{|0⟩}_A{|0⟩}_a,\hfill \\ \hfill {|\psi ⟩}_{\nu ,A_{c}Aa}& =\sum _{l=0}^{M-1}\frac{1}{\sqrt{M}}{|l⟩}_{A_c}{|0⟩}_A|e^{i\frac{2\pi }{M}l}\sqrt{\nu }{⟩}_a.\hfill \\ \hfill \end{array}$$

(2)

here, the local states of $A_c$ are encoded in photon-number states, and Alice can measure $A_c$’s photon-number to learn the phase of sent states.

Finally, we can describe the process of state preparation above with a single state, namely,

$$\begin{array}{c}\hfill {|\psi ⟩}_{A_s{A}_{c}Aa}=\sqrt{p_{\mu }}{|0⟩}_{A_s}{|\psi ⟩}_{\mu ,A_{c}Aa}+\sqrt{p_O}{|1⟩}_{A_s}{|\psi ⟩}_{0,A_{c}Aa}+\sqrt{p_{\nu }}{|2⟩}_{A_s}{|\psi ⟩}_{\nu ,A_{c}Aa}\end{array}$$

(3)

where Alice’s additional local ancilla $A_s$ is in the photon number states. Similarly, Bob can prepare ${|\psi ⟩}_{B_s{B}_{c}Bb}$ defined analogously to ${|\psi ⟩}_{A_s{A}_{c}Aa}$. Though Alice (Bob) may measure $A_s$($B_s$),$A_c\left(B_c\right)$, and A(B) after or before Eve announcing her measurement results, Alice (Bob) must announce the measurement results after Eve’s announcement then post-select the successful rounds. The following is a detailed illustration of our equivalent virtual protocol.

Step 1:

Alice and Bob prepare a gigantic quantum state $|\mathsf{\Phi }⟩={|\varphi ⟩}^{\otimes N_{tot}}={(|\psi ⟩}_{A_s{A}_{c}Aa}\otimes {|\psi ⟩}_{B_s{B}_{c}Bb}{)}^{\otimes N_{tot}}$ and send all subsystems a and b to Eve through an insecure quantum channel.

Step 2:

After performing an arbitrary quantum operation on all subsystems a and b from Alice and Bob, Eve announces whether it has a successful click (only one of her SPDs clicks) or not for each round. For a successful round, Eve continues to announce whether the left SPD clicks or the right SPD clicks. We use $\mathcal{M}$($\overline{\mathcal{M}}$) to denote the set of successful (unsuccessful) rounds.

Step 3:

For those rounds in which Eve announces success, Alice and Bob jointly measure the subsystem $A_c$($B_c$) and $A_s\left(B_s\right)$ in the photon-number basis to learn whether the intensities of the coherent state they send are same or not and whether it is in-phase or anti-phase. Then, they only retain those rounds where in-phase or anti-phase is met, and they choose the same intensities. Let ${\mathcal{M}}_s$ denote the set of those retained rounds, while ${\mathcal{M}}_f$ denotes those rounds that are in $\mathcal{M}$ but not in ${\mathcal{M}}_s$.

Step 4:

For these rounds in ${\mathcal{M}}_s$, Alice (Bob) measures the subsystem $A_c{A}_s$($B_c{B}_s$) in Fock basis to learn the phase and intensity of the coherent states she (he) sent. If the result of $A_s$($B_s$) is in state ${|0⟩}_{A_s}$(${|0⟩}_{B_s}$), she (he) measures subsystems A(B) in the Z basis to decide her (his) sifted key, respectively; otherwise, she (he) measures subsystem A(B) in the Z basis but does not incorporate these measurement outcomes in her (his) sifted key.

Step 5 to Step 6:

Let $n_{2\beta }$ be the number of rounds in ${\mathcal{M}}_s$ satisfying that both Alice and Bob chose the intensity $\beta$. With parameters $n_{2\beta }$, perform the same operations as Step 5 to Step 6, respectively, in the actual protocol given in Section 2.

3.2. Estimation of Phase-Error Rate

The essential of security proof is to estimate the upper-bound of the phase-error rate $e_{ph}$ of the sifted keys, i.e., how many same or different outcomes Alice and Bob have if they measure A and B with X-basis hypothetically in the rounds where sifted keys are generated. Specifically, in our protocol, we define the number of the same outcomes they have as $n_{ph}$, i.e., the number of phase-error events. Provided that $e_{ph}=n_{ph}/n_{2\mu }$ is bounded, one can generate the final secret key with an appropriate ${ϵ}_{tol}$ value as given in Step6.b of the actual protocol.

A detailed proof for how to estimate $n_{ph}$ is present in Appendix A. Here, a sketch of this proof is given.

Though analyzing the equivalent protocol, it is proven that if Alice and Bob both chose intensity $\beta$, and in-phase or anti-phase is also met, they actually prepare a mixture ${\tau }_{2\beta }$, which consists of component ${\tau }_{j|2\beta },j=0,1,...,M-1$. Moreover, each phase-error event is a click by some particular components of that mixture ${\tau }_{2\beta }$, i.e., ${\tau }_{j|2\beta },j=0,2,...,M-2$. These results imply that

$$\begin{array}{cc}\hfill n_{2\mu }=& {\sum }_{j=0}^M{n}_{j|2\mu },\\ \hfill n_{2\nu }=& {\sum }_{j=0}^M{n}_{j|2\nu },\\ \hfill n_{ph}=& {\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu },\end{array}$$

(4)

where $n_{j|2\beta }$ denotes the number of rounds in ${\mathcal{M}}_s$, in which Alice and Bob both chose intensity $\beta$, but ${\tau }_{2\beta }$ is actually ${\tau }_{j|2\beta }$. Meanwhile, ${\mathcal{N}}_0$ is the set of even numbers. Now, the hypothetical value $n_{ph}$ is related to some experimentally observed values. However, just with these equations it is difficult to bound $n_{ph}$ tightly since $n_{j|2\beta }$ cannot be known directly.

On the other hand, both ${\tau }_{j|2\mu }$ and ${\tau }_{j|2\nu }$ are very close to Fock-state $|j⟩⟨j|$. Accordingly, it is intuitive to consider if there are constraints on the gap between $n_{j|2\mu }$ and $n_{j|2\nu }$. Then, we developed Lemma A1 (see Appendix A for details) to bound the gap between the yields of two distinct quantum states in a non-asymptotic situation. Applying this lemma, we obtained a series of constraints on $n_{j|2\mu }$ and $n_{j|2\nu }$. Finally, combined with Equation (4), an analytical upper bound of $n_{ph}$ (given in the end of the Appendix A) was calculated to find the upper bound of phase-error rate $e_{ph}^U=n_{ph}^U/n_{2\mu }$.

4. Numerical Simulation

In this section, we simulate the final secret key rate with the parameters listed in Table 1.

Table 1. List of parameters uesd in the numerical simulations. Here, $e_m$ is loss-independent misalignment error rate due to optical imperfect interference, $p_d$ is dark counting probability for each SPD, $\xi$ is fiber loss constant, ${\eta }_d$ denotes detection efficiency of each SPD, f is error-correction inefficiency, and ${ϵ}_{tol}$ denotes the total security coefficient.

${\mathit{e}}_{\mathit{m}}$	${\mathit{p}}_{\mathit{d}}$	$\mathit{\xi }$ (dB/km)	${\mathit{\eta }}_{\mathit{d}}$	f	${\mathit{ϵ}}_{\mathit{tol}}$
0.03	$1\times {10}^{-8}$	0.2	0.3	1.1	$4.6566\times {10}^{-10}$

It is reasonable to simulate the experimentally observed values $n_{2\mu }$, $n_{2\nu }$ and $n_0$ with their mean values. Let $Q_{corr|2\beta }$ be the probability of only one click from left (right) SPD when both Alice and Bob prepare coherent states with intensity $\beta$ and a phase difference of 0 ($\pi$), and $Q_{err|2\beta }$ be the probability of only one click from left (right) SPD when both Alice and Bob prepare coherent states with intensity $\beta$ and phase difference of $\pi$ (0). Then, we have

$$\begin{array}{c}\hfill Q_{corr|2\beta }=(1-(1-p_d)e^{-2\eta (1-e_m)\beta })e^{-2\eta e_m\beta }(1-p_d),\\ \hfill Q_{err|2\beta }=(1-(1-p_d)e^{-2\eta e_m\beta })e^{-2\eta (1-e_m)\beta }(1-p_d),\end{array}$$

(5)

where $\eta ={10}^{\frac{-0.2L}{20}}$ and L is the channel distance between Alice and Bob. Accordingly, in the simulation, we assume $n_{2\beta }=N_{tot}{P}_{\beta }^{2}2(Q_{corr|2\beta }+Q_{err|2\beta })/M$ for $\beta =\mu ,\nu$. Note that $n_0=N_{tot}{P}_O^2(Q_{corr|0}+Q_{err|0})$, $n_{bit}=n_{2\mu }$ and $e_{bit}=Q_{err|2\mu }/(Q_{corr|2\mu }+Q_{err|2\mu })$. With these values, setting $M=8$ and the failure probability of estimating phase error $\epsilon =(6M+12){\epsilon }_a=4\times {10}^{-20}$, one can obtain the upper-bound of phase-error rate $e_{ph}^U$ by the linear programming given by (A41) in Appendix A. Moreover, the amount of $H_{EC}$ is $H_{EC}=N_{bit}fh\left(e_{bit}\right)$, ${ϵ}_{cor}=1\times {10}^{-10}$, and ${ϵ}_{PA}=1.6566\times {10}^{-10}$, which leads to a secret key of length $l=n_{bit}(1-h\left(e_{ph}^U\right))-H_{EC}-{log}_2\frac{2}{{ϵ}_{cor}}-{log}_2\frac{1}{4{ϵ}_{PA}^2}$ with ${ϵ}_{sec}={ϵ}_{PA}+\sqrt{\epsilon }$ and the total security parameter ${ϵ}_{tol}={ϵ}_{cor}+{ϵ}_{sec}=4.6566\times {10}^{-10}$.

Finally, we numerically optimize the intensities and corresponding probabilities to maximize l in the cases of the total number of pulses is $N_{tot}=1\times {10}^{17},1\times {10}^{14},1\times {10}^{13},1\times {10}^{12}$. Note that because this numerical problem is very time-comsuming, these intensities and probabilities are not optimized at each distance. Additionally, we use some typical parameters instead. The simulate results ($l/N_{tot}$ v.s. L) are illustrated below.

As Figure 1 shows, we obtain considerable secret key rates when the total number of pulses is ${10}^{12}$, ${10}^{13}$, ${10}^{14}$ or ${10}^{17}$. Through numerical simulations, it is confirmed that TF-QKD with discrete-phase randomization has satisfactory performance. On the other hand, it is verified that finite-size effects become more notable here compared with the original protocol with continuous phase randomization; it seems that one has to prepare ${10}^{17}$ pulses to surpass the PLOB linear bound. This is because the statistical fluctuations in Lemma A1 are proportional to the square root of the total number of emitting pulse $N_{tot}$, which leads to alarge phase-error rate $e_{ph}$ when $n_{bit}$ is not sufficiently large.

Figure 1. Secret key rate ($l/N_{tot}$) of fully discrete TF-QKD [43]. In this figure, the key rate corresponding to the total number of pulses $N_{tot}$ is $1\times {10}^{12},1\times {10}^{13},1\times {10}^{14},1\times {10}^{17}$, plotted above. Note that we set $M=8$ in the simulation.

5. Conclusions

In real setups of TF-QKD, continuous randomization is usually realized by actively adding a random signal to a phase modulator. On the other hand, random numbers are generated discretely in most schemes. Therefore, TF-QKD with discrete-phase randomization is more practical. It is necessary to analyze the security of TF-QKD with discrete-phase randomization. Based on conjugate measurement, the security proof of a QKD protocol is to estimate the phase-error rate. Then in case of discrete-phase randomization, a critical step is knowing how to bound the gap between yields of two distinct but very close quantum states in a non-asymptotic situation. To achieve this goal, Lemma A1 is developed to find the upper bound of this gap. With the help of Lemma 1, linear programming is proposed to calculate the phase-error rate, and the key length is then straightforward. Through numerical simulations, it is confirmed that TF-QKD with discrete-phase randomization has satisfactory performance. On the other hand, we also find that more pulses should be prepared to alleviate the finite-size effects than previous protocol.

Moreover, it is worth noting that Lemma A1 is quite useful in a variety of scenarios, not just in the security proof of TF-QKD. For instance, if one considers the BB84 with discrete-phase randomization [48], the Lemma A1 can be utilized to bound the yield of single photon state, so then it is not difficult to give a relevant security proof. To summarize, we give the first security proof for TF-QKD with finite discrete-phase randomization in non-asymptotic scenarios. Although the proof is tailored for TF-QKD, the framework of this proof, i.e. Lemma A1, can be adapted in other protocols.

Appendix A.1. Formula for the Number of Phase-Error Events

In this section, we show how to obtain the relation between the hypothetical phase-error events and some experimental observations.

The main result obtained here is that each key bit is a successful click from a mixed state of ${\tau }_{j|2\mu },j=0,1,...,M-1$ prepared by Alice and Bob. More importantly, the number of phase-error events among these key bits corresponds to ${\tau }_{j|2\mu },j=0,2,...,M-2$. Therefore, if we denote the length of the raw key by $n_{bit}=n_{2\mu }$ and the number of successful clicks of ${\tau }_{j|2\mu }$ by $n_{j|2\mu }$, $n_{bit}=n_{2\mu }={\sum }_{j=0}^{M-1}{n}_{j|2\mu }$, the number of phase-error events $n_{ph}={\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu }$ must hold, where ${\mathcal{N}}_0$ is the set of even integers. Next, a proof is present to show how to obtain this result.

Following the symbols in [49], let us consider the evolution of the gigantic quantum state $|\mathsf{\Phi }⟩={|\varphi ⟩}^{\otimes N_{tot}}={(|\psi ⟩}_{A_s{A}_{c}Aa}\otimes {|\psi ⟩}_{B_s{B}_{c}Bb}{)}^{\otimes N_{tot}}$ sent to Eve. After Step 2, where Eve performs her measurement on the subsystem $ab$, the initial quantum state is transformed to ${\widehat{M}}_{eve}|\mathsf{\Phi }⟩$, where ${\widehat{M}}_{eve}$ denotes the measurement operator of Eve. After measurement, Eve announces whether the measurement outcome is successful or not for each round. Hence, we reorder the quantum state as $|\mathsf{\Phi }⟩={|\varphi ⟩}^{\otimes M}{|\varphi ⟩}^{\otimes \overline{M}}$, where $M\left(\overline{M}\right)$ denotes the successful (unsuccessful) rounds. Then, in Step 3 of the virtual protocol, using measurement operators $\{{\widehat{O}}_s={(|00⟩}_{A_s{B}_s}⟨00|+{|11⟩}_{A_s{B}_s}⟨11|+{|22⟩}_{A_s{B}_s}⟨22|)\otimes {\sum }_{l=0}^{M-1}{(|l,l⟩}_{A_c{B}_c}⟨l,l|+{|l,(l+M/2)modM⟩}_{A_c{B}_c}⟨l,(l+M/2)modM|),{\widehat{O}}_d=\widehat{I}-{\widehat{O}}_s\}$, Alice and Bob measure the subsystem $A_s{A}_c$ and $B_s{B}_c$ for those rounds that are announced successful in Step 2 and retain the trials in which $A_s{A}_c$ and $B_s{B}_c$ are collapsed into ${\widehat{O}}_s$ as the final successful rounds. Hence, we reorder $|\mathsf{\Phi }⟩={|\varphi ⟩}^{\otimes M_s}{|\varphi ⟩}^{\otimes M_f}{|\varphi ⟩}^{\otimes \overline{M}}$ where $M_s$($M_f$) denotes the successful(unsuccessful) rounds finally. Before they measure the subsystem $AB$ to generate their sifted key in Step 3, the unnormalized quantum state is given by

$$\begin{array}{c}\hfill {\widehat{O}}_s^{M_s}{\widehat{O}}_d^{M_f}{\widehat{I}}^{\otimes \overline{M}}{\widehat{M}}_{eve}|\mathsf{\Phi }⟩={\widehat{M}}_{eve}{\widehat{O}}_s^{\otimes M_s}{\widehat{O}}_d^{\otimes M_f}{\widehat{I}}^{\otimes \overline{M}}|\mathsf{\Phi }⟩={\widehat{M}}_{eve}({\widehat{O}}_s|\varphi ⟩{)}^{\otimes M_s}({\widehat{O}}_f|\varphi ⟩{{)}^{\otimes M_f}(|\varphi ⟩)}^{\otimes \overline{M}}\end{array}$$

(A1)

Next, in Step 4, Alice and Bob measure the subsystem $A_s,B_s$$A_c,B_c$ and $A,B$ for all rounds in ${\mathcal{M}}_s$, one by one. We use $\alpha \in \{1,\cdots ,M_s\}$ to denote the different rounds in ${\mathcal{M}}_s$ and ${\xi }_{\alpha }$ to denote the measurement outcome of the $\alpha$-th subsystem. What is more, ${\widehat{M}}_{\alpha }$ is used to denote the associated operator. Hence, the unnormalized state before the measurement of the $\alpha$-th rounds in ${\mathcal{M}}_s$ is

$$\begin{array}{c}\hfill |{\mathsf{\Phi }}_{\alpha }⟩={\widehat{M}}_{eve}({\otimes }_{l=1}^{\alpha -1}{\widehat{M}}_l|\varphi ⟩)({\widehat{O}}_s|\varphi ⟩)({\widehat{O}}_s|\varphi ⟩{)}^{\otimes M_s-\alpha }({\widehat{O}}_f|\varphi ⟩{{)}^{\otimes M_f}(|\varphi ⟩)}^{\otimes \overline{M}}.\end{array}$$

(A2)

because we are only interested in the reduced state of the $\alpha$-th round in ${\mathcal{M}}_s$, we trace out the other rounds which we denote by $\overline{\alpha }$ and obtain

$$\begin{array}{c}\hfill {\widehat{\sigma }}_{\alpha }=T{r}_{\overline{\alpha }}\left[|{\mathsf{\Phi }}_{\alpha }⟩⟨|{\mathsf{\Phi }}_{\alpha }|\right]=\sum _{\overrightarrow{\overline{\alpha }}}⟨\overrightarrow{\overline{\alpha }}|{\mathsf{\Phi }}_{\alpha }⟩⟨{\mathsf{\Phi }}_{\alpha }|\overrightarrow{\overline{\alpha }}⟩=\sum _{\overrightarrow{\overline{\alpha }}}{\widehat{M}}_{\overrightarrow{\overline{\alpha }}}{\widehat{O}}_s|\varphi ⟩⟨\varphi |{\widehat{O}}_s^{†}{\widehat{M}}_{\overrightarrow{\overline{\alpha }}}^{†}\end{array}$$

(A3)

where

$$\begin{array}{c}\hfill {\widehat{M}}_{\overrightarrow{\overline{\alpha }}}=⟨\overrightarrow{\overline{\alpha }}|{\widehat{M}}_{eve}|\left({\otimes }_{l=1}^{\alpha -1}{\widehat{M}}_l({\widehat{O}}_s|\varphi ⟩\right)({\widehat{O}}_s|\varphi ⟩{)}^{\otimes M_s-\alpha }({\widehat{O}}_f|\varphi ⟩{{)}^{\otimes M_f}(|\varphi ⟩)}^{\otimes \overline{M}}.\end{array}$$

(A4)

and the quantum states $\{|\overrightarrow{\overline{\alpha }}⟩\}$ represent the basis for the subsystems $A_s,B_s,A_c,B_c,A,B,a,b$ of all rounds in the protocol except the $\alpha$-th round in ${\mathcal{M}}_s$.

Next, to derive the number of phase error, we expand the quantum state ${\widehat{O}}_s|\varphi ⟩$ as

$$\begin{array}{c}\hfill {\widehat{O}}_s|\varphi ⟩=p_{\mu }{|00⟩}_{A_s{B}_s}{|\varphi ⟩}_{\mu }+p_O{|11⟩}_{A_s{B}_s}{|\varphi ⟩}_0+p_{\nu }{|22⟩}_{A_s{B}_s}{|\varphi ⟩}_{\nu }\end{array}$$

(A5)

where

$$\begin{array}{cc}\hfill & {|\varphi ⟩}_{\mu }\\ \hfill =& {\sum }_{l=0}^{M-1}\frac{1}{M}{[{(|ll⟩}_{A_c{B}_c}\frac{1}{2}{(|0⟩}_A|e^{i\frac{2\pi }{M}l}\sqrt{\mu }⟩}_a+{|1⟩}_A|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_a{)(|0⟩}_B|e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_b+{|1⟩}_B|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_b\left)\right)\\ & +{(|l,(l+\frac{M}{2})modM⟩}_{A_c{B}_c}\frac{1}{2}{(|0⟩}_A|e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_a+{|1⟩}_A|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_a){(|0⟩}_B|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_b+{|1⟩}_B|e^{i\frac{2\pi }{M}l}\sqrt{\mu }{⟩}_b\left)\right)\left)\right],\end{array}$$

$$\begin{array}{c}\hfill {|\varphi ⟩}_0={|00⟩}_{A_c{B}_c}{|00⟩}_{AB}{|00⟩}_{ab}\end{array}$$

(A6)

and

$$\begin{array}{cc}& {|\varphi ⟩}_{\nu }\\ \hfill =& {\sum }_{l=0}^{M-1}\frac{1}{M}{[{(|ll⟩}_{A_c{B}_c}{(|00⟩}_{AB}|e^{i\frac{2\pi }{M}l}\sqrt{\nu }⟩}_a|e^{i\frac{2\pi }{M}l}\sqrt{\nu }{⟩}_b)+{(|l,(l+\frac{M}{2})modM⟩}_{A_c{B}_c}{|00⟩}_{AB}{(|e^{i\frac{2\pi }{M}l}\sqrt{\nu }⟩}_a|-e^{i\frac{2\pi }{M}l}\sqrt{\nu }{⟩}_b\left)\right)].\end{array}$$

(A7)

To summarize, each key bit can be viewed as an event in which Eve announces a successful click conditioned by Alice and prepares ${|\varphi ⟩}_{\mu }$ and measures $AB$ with Z-basis. Since the measurement on $AB$ made by Alice and Bob can be delayed after Eve’s announcement of a successful click, the phase error can be estimated by Alice and Bob measuring $AB$ with X-basis rather than Z-basis. To obtain the phase error of this part, we rewrite ${|\varphi ⟩}_{\mu }$ under X-bases of $AB$ as

$$\begin{array}{c}\hfill {|\varphi ⟩}_{\mu }=\sum _{l=0}^{M-1}\frac{1}{M}{(|ll⟩}_{A_c{B}_c}{|\psi ⟩}_{\mu ,AaBb}^l+|l,(l+\frac{M}{2}){modM⟩}_{A_c{B}_c}|{\psi }^{\prime }{⟩}_{\mu ,AaBb}^l)\end{array}$$

(A8)

where

$$\begin{array}{cc}\hfill & {|\psi ⟩}_{\mu ,AaBb}^l\hfill \\ \hfill =& \frac{1}{2}{(|00⟩}_{AB}|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+{|01⟩}_{AB}|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill +& \frac{1}{2}{(|10⟩}_{AB}|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+{|11⟩}_{AB}|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill =& \frac{1}{4}{|++⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{\mu }⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill +& \frac{1}{4}{|--⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{\mu }⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b-|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b-|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill +& \frac{1}{4}{|+-⟩}_{AB}(\cdots )+\frac{1}{4}{|-+⟩}_{AB}(\cdots )),\hfill \end{array}$$

(A9)

$$\begin{array}{cc}\hfill & |{\psi }^{\prime }{⟩}_{\mu ,AaBb}^l\hfill \\ \hfill =& \frac{1}{2}{(|00⟩}_{AB}|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+{|01⟩}_{AB}|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a{|e^{i{\theta }_l}\sqrt{\mu }⟩}_b\hfill \\ \hfill +& \frac{1}{2}{|10⟩}_{AB}|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+{|11⟩}_{AB}|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill =& \frac{1}{4}{|++⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{\mu }⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill +& \frac{1}{4}{|--⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{\mu }⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b-|e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b-|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_b+|-e^{i{\theta }_l}\sqrt{\mu }{⟩}_a|e^{i{\theta }_l}\sqrt{\mu }{⟩}_b)\hfill \\ \hfill +& \frac{1}{4}{|+-⟩}_{AB}(\cdots )+\frac{1}{4}{|-+⟩}_{AB}(\cdots )),\hfill \end{array}$$

(A10)

and ${\theta }_l=\frac{l}{M}2\pi$. For the purpose of clarification, we define some quantum states below:

$$\begin{array}{c}\hfill |e^{i\theta }\sqrt{2\mu }{⟩}_{ab}=\sum _{j=0}^{\infty }{e}^{ij\theta }\sqrt{P_{j|2\mu }}{|j⟩}_{ab}\end{array}$$

(A11)

and

$$\begin{array}{c}\hfill |e^{i\theta }\sqrt{2\mu }{⟩}_{ab,even}=\frac{|e^{i\theta }\sqrt{\mu }{⟩}_a|e^{i\theta }\sqrt{\mu }{⟩}_b+|-e^{i\theta }\sqrt{\mu }{⟩}_a{|-e^{i\theta }\sqrt{\mu }⟩}_b}{2}=\sum _{j\in {\mathcal{N}}_0}{e}^{ij\theta }\sqrt{P_{j|2\mu }}{|j⟩}_{ab},\end{array}$$

(A12)

where ${|j⟩}_{ab}={\sum }_{i=0}^j\sqrt{\frac{j!}{2^{j}i!(j-i)!}}{|i⟩}_a{|j-i⟩}_b$ and ${\mathcal{N}}_0$ is the set of even numbers. Indeed, $|j⟩$ is a quantum state satisfying that the total photon-number of a and b is j. Moreover, another similar quantum state is defined below:

$$\begin{array}{c}\hfill |e^{i\theta }\sqrt{2\mu }{⟩}_{ab}^{\prime }=\sum _{j=0}^{\infty }{e}^{ij\theta }\sqrt{P_{j|2\mu }}{|j⟩}_{ab}^{\prime }\end{array}$$

(A13)

and

$$\begin{array}{c}\hfill |e^{i\theta }\sqrt{2\mu }{⟩}_{ab}^{\prime }=\frac{|e^{i\theta }\sqrt{\mu }{⟩}_a|-e^{i\theta }\sqrt{\mu }{⟩}_b+|-e^{i\theta }\sqrt{\mu }{⟩}_a{|e^{i\theta }\sqrt{\mu }⟩}_b}{2}=\sum _{j\in {\mathcal{N}}_0}{e}^{ij\theta }\sqrt{P_{j|2\mu }}{|j⟩}_{ab}^{\prime }\end{array}$$

(A14)

where ${|j⟩}_{ab,even}^{\prime }={\sum }_{i=0}^j{(-1)}^i\sqrt{\frac{j!}{2^{j}i!(j-i)!}}{|i⟩}_a{|j-i⟩}_b$. With these definitions, we can write the quantum states ${|\psi ⟩}_{\mu ,AaBb}^l$ and $|{\psi }^{\prime }{⟩}_{\mu ,AaBb}^l$ in a more simplified way, namely

$$\begin{array}{cc}\hfill {|\psi ⟩}_{\mu ,AaBb}^l=& \frac{1}{2}{(|++⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{2\mu }⟩}_{ab,even}+|e^{i{\theta }_l}\sqrt{2\mu }{⟩}_{ab,even}^{\prime }{)+|--⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{2\mu }⟩}_{ab,even}-|e^{i{\theta }_l}\sqrt{2\mu }{⟩}_{ab,even}^{\prime })\hfill \\ \hfill & {+|+-⟩}_{AB}{(\cdots )+|-+⟩}_{AB}(\cdots ))\hfill \end{array}$$

(A15)

and

$$\begin{array}{cc}\hfill |{\psi }^{\prime }{⟩}_{\mu ,AaBb}^l=& \frac{1}{2}{(|++⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{2\mu }⟩}_{ab,even}+|e^{i{\theta }_l}\sqrt{2\mu }{⟩}_{ab,even}^{\prime }{)-|--⟩}_{AB}{(|e^{i{\theta }_l}\sqrt{2\mu }⟩}_{ab,even}-|e^{i{\theta }_l}\sqrt{2\mu }{⟩}_{ab,even}^{\prime })\hfill \\ \hfill & {+|+-⟩}_{AB}{(\cdots )+|-+⟩}_{AB}(\cdots ))\hfill \end{array}$$

(A16)

obviously, the measurement outcome of ${|++⟩}_{AB}$ and ${|--⟩}_{AB}$ can be defined as phase-error event. Recall the whole density matrix ${|\varphi ⟩}_{\mu }⟨\varphi |$ given in Equation (A8); we can obtain the $ab$ part corresponding to the phase-error event,

$$\begin{array}{cc}\hfill {\widehat{\rho }}_{\mu ,ph}=& {⟨++|}_{AB}t{r}_{A_c{B}_c}{(|\varphi ⟩}_{\mu }{⟨\varphi |)|++⟩}_{AB}{+⟨--|}_{AB}t{r}_{A_c{B}_c}{(|\varphi ⟩}_{\mu }⟨\varphi |){|--⟩}_{AB}\hfill \\ \hfill =& \sum _{l=0}^{M-1}{⟨ll|}_{A_c{B}_c}{(⟨++|}_{AB}+⟨--{|}_{AB}){|\varphi ⟩}_{\mu }⟨\varphi |{(|++⟩}_{AB}{+|--⟩}_{AB}{)|ll⟩}_{A_c{B}_c}\hfill \\ \hfill +& {⟨l,(l+M/2)modM|}_{A_c{B}_c}{(⟨++|}_{AB}+⟨--{|}_{AB}){|\varphi ⟩}_{\mu }⟨\varphi |{(|++⟩}_{AB}{+|--⟩}_{AB})|l,(l+M/2){modM⟩}_{A_c{B}_c}\hfill \\ \hfill =& \sum _{l=0}^{M-1}\frac{1}{M^2}{(|e^{i{\theta }_l}\sqrt{2\mu }⟩}_{ab}⟨e^{i{\theta }_l}\sqrt{2\mu }|+|e^{i{\theta }_l}\sqrt{2\mu }{⟩}_{ab}^{\prime }⟨e^{i{\theta }_l}\sqrt{2\mu }|)\hfill \end{array}$$

(A17)

according to Equations (2.5)–(2.7) of Ref [48], ${\widehat{\rho }}_{\mu ,ph}$ can be rewritten as

$$\begin{array}{cc}\hfill {\widehat{\rho }}_{\mu ,ph}=& \frac{2}{M}{\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{\tilde{P}}_{j|2\mu }{(\frac{1}{2}|{\tilde{j}}_{2\mu }⟩}_{ab}⟨{\tilde{j}}_{2\mu }|+\frac{1}{2}{|{\tilde{j}}_{2\mu }⟩}_{ab}^{\prime }⟨{\tilde{j}}_{2\mu }|)\\ \hfill =& \frac{2}{M}{\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{\tilde{P}}_{j|2\mu }{\tau }_{j|2\mu },\end{array}$$

(A18)

where ${\tilde{P}}_{j|2\mu }={\sum }_{n=0}^{\infty }{P}_{j+Mn|2\mu }$, $P_{j|2\mu }$ is the the probability of finding j photons in a Poisson source with mean photon-number $2\mu$, $|{\tilde{j}}_{2\mu }⟩={\sum }_{n=0}^{\infty }\frac{\sqrt{P_{j+Mn|2\mu }}}{\sqrt{{\tilde{P}}_{j|2\mu }}}{|j+Mn⟩}_{ab}$ and $|{\tilde{j}}_{2\mu }{⟩}^{\prime }={\sum }_{n=0}^{\infty }\frac{\sqrt{P_{j+Mn|2\mu }}}{\sqrt{{\tilde{P}}_{j|2\mu }}}{|j+Mn⟩}_{ab}^{\prime }$, and ${\tau }_{j|2\mu }=\frac{1}{2}|{\tilde{j}}_{2\mu }{⟩}_{ab}⟨{\tilde{j}}_{2\mu }|+\frac{1}{2}|{\tilde{j}}_{2\mu }{⟩}_{ab}^{\prime }⟨{\tilde{j}}_{2\mu }|$.

For ease of understanding, we can easily interpret the formula of ${\widehat{\rho }}_{\mu ,ph}$. It is easy to see that ${\widehat{\rho }}_{\mu ,ph}$ is a mixture of ${\tau }_{j|2\mu }$, which consists of photon-number state ${|j+Mn⟩}_{ab},n=0,1,2,...$, and the probability of finding $j+Mn$ photons is proportional to $P_{j+Mn|2\mu }$. Let ${\tau }_{even|2\mu }$ be the normalized ${\widehat{\rho }}_{\mu ,ph}$; then, a phase-error event for a key bit is equivalent to a successful click announced by Eve on the condition that a mixture ${\tau }_{even|2\mu }={\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{\tilde{P}}_{j|2\mu }{\tau }_{j|2\mu }/$$P_{even|2\mu }$ prepared by Alice and Bob, and the probability of preparing such a mixture is obviously $P_{\mu }^2{P}_{even|2\mu }2/M$.

To find a way to estimate the number of phase errors, we can give the density matrices Alice and Bob prepared in code mode and decoy mode. If we trace out $AB{A}_c{B}_c$ of the quantum state ${|\varphi ⟩}_{\mu }⟨\varphi |$, i.e., regardless of whether the measurement outcome on $AB$ is phase error or not, we have

$$\begin{array}{cc}\hfill {\widehat{\rho }}_{\mu }=& T{r}_{AB{A}_c{B}_c}{(|\varphi ⟩}_{\mu }⟨\varphi |)\\ \hfill =& \frac{2}{M}{\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\mu }(\frac{1}{2}|{\tilde{j}}_{2\mu }⟩⟨{\tilde{j}}_{2\mu }|+\frac{1}{2}{|{\tilde{j}}_{2\mu }⟩}^{\prime }⟨{\tilde{j}}_{2\mu }|)\\ \hfill =& \frac{2}{M}{\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\mu }{\tau }_{j|2\mu }.\end{array}$$

(A19)

we define ${\tau }_{2\mu }={\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\mu }{\tau }_{j|2\mu }$ as the normalized ${\widehat{\rho }}_{\mu }$. The generation of a key bit is equivalent to a successful click announced by Eve conditioned on the premise that a mixture ${\tau }_{2\mu }={\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\mu }{\tau }_{j|2\mu }$ is prepared by Alice and Bob, and the probability of preparing such a mixture is obviously $P_{\mu }^{2}2/M$.

Now we are approaching a main result of above derivations. In the $N_{tot}$ rounds, Alice and Bob prepare ${\tau }_{2\mu }$ with the probability $P_{\mu }^{2}2/M$; the number of its successful rounds is denoted by $n_{2\mu }$. Of course, the key bits are generated in these rounds, thus $n_{2\mu }=n_{bit}$. Since ${\tau }_{2\mu }$ is a mixture of ${\tau }_{j|2\mu },j=0,1...,,M-1$, the $n_{2\mu }$ successful clicks are the sum of clicks by ${\tau }_{j|2\mu },j=0,1,...,M-1$. Then, $n_{2\mu }={\sum }_{j=0}^{M-1}{n}_{j|2\mu }$ holds evidently, in which $n_{j|2\mu }$ is the number of successful clicks by ${\tau }_{j|2\mu }$. Recall that the phase errors for these events are from clicks by ${\tau }_{even|2\mu }$; one can assert that the number of phase-error events $n_{ph}={\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu }$ must hold. This is a main result we have so far.

Appendix A.2. The Upper Bound of the Number of Phase-Error Events

We have proved that $n_{ph}={\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu }$ with the constraint $n_{2\mu }={\sum }_{j=0}^{M-1}{n}_{j|2\mu }$. Obviously, this is not sufficient for estimating $n_{ph}$ tightly. Here, we resort to decoy states to obtain more constraints to bound $n_{ph}$.

Similarly with the analysis of clicks by ${\widehat{\rho }}_{\mu }=T{r}_{AB{A}_c{B}_c}{(|\varphi ⟩}_{\mu }⟨\varphi |)$, a successful click from decoy mode with intensity $\nu$ means that Alice and Bob prepare

$$\begin{array}{cc}\hfill {\widehat{\rho }}_{\nu }=& T{r}_{AB{A}_c{B}_c}{(|\varphi ⟩}_{\nu }⟨\varphi |)\\ \hfill =& \frac{2}{M}{\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\nu }(\frac{1}{2}|{\tilde{j}}_{2\nu }⟩⟨{\tilde{j}}_{2\nu }|+\frac{1}{2}{|{\tilde{j}}_{2\nu }⟩}^{\prime }⟨{\tilde{j}}_{2\nu }|)\\ \hfill =& \frac{2}{M}{\sum }_{j=0}^{M-1}{\tilde{P}}_{j|2\nu }{\tau }_{j|2\nu }.\end{array}$$

(A20)

accordingly, we also have $n_{2\nu }={\sum }_{j=0}^{M-1}{n}_{j|2\nu }$. Here, $n_{2\nu }$ and $n_{j|2\nu }$ are defined analogously to $n_{2\mu }$ and $n_{j|2\mu }$, respectively. Intuitively, $n_{j|2\mu }$ and $n_{j|2\mu }$ are the numbers of successful clicks for ${\tau }_{j|2\mu }$ and ${\tau }_{j|2\nu }$ respectively. Typically, $\mu <\nu <<1$ is satisfied; then both ${\tau }_{j|2\mu }$ and ${\tau }_{j|2\nu }$ are very close to the photon-number state ${|j⟩}_{ab}$. This implies that the gap between $n_{j|2\mu }$ and $n_{j|2\nu }$ can be bounded, and then we may estimate $n_{ph}={\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu }$. Indeed, with the result in appendix B of ref [48], the gap between $n_{j|2\mu }$ and $n_{j|2\nu }$ in the asymptotic case can be obtained. Here, we develop Lemma A1 to bound this gap in finite-key situations.

Lemma A1.

If Alice prepares $N_{tot}$ pairs of particles A and B with the quantum state ${({\sum }_i\sqrt{P_i}|i⟩}_A|{\varphi }_i{⟩}_B)$${}^{\otimes N_{tot}}$ where $⟨i|j⟩={\delta }_{ij},|⟨{\varphi }_i|{\varphi }_j⟩|=F_{ij}$ and she sends the B part in each pair to Eve. For every round, Eve announces if the measurement is successful or unsuccessful, which is denoted by $M=1$ or $M=0$, respectively. Then, Alice measures the subsystem A with projectors $\{|i⟩⟨i|,i=0,1,2,...\}$ to which quantum state she sent for the pairs that Eve announced $M=1$. Let $n_i$ denote the number of yields for the quantum state $|i⟩$. If $P_i>P_j$, we have that the constraints between $n_i$ and $n_j$, say,

$$\begin{array}{c}\hfill |\frac{P_j}{P_i}{n}_i-n_j|\le N_1\sqrt{1-F_{ij}^2}+2\delta (N_1,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_i-n_j,\frac{1}{2},{\epsilon }_0)+\delta (n_i,\frac{P_j}{P_i},{\epsilon }_2)\end{array}$$

(A21)

holds with a failure probability $2{\epsilon }_0+2{\epsilon }_1+2{\epsilon }_2$, where

$$\begin{array}{cc}\hfill \delta (x,y,z)=& \sqrt{3xyln\left(\frac{1}{z}\right)}\\ \hfill N_1=& 2P_j{N}_{tot}+\delta (N_{tot},2P_j,{\epsilon }_1)\\ \hfill N_2=& 2P_j{N}_{tot}-\delta (N_{tot},2P_j,{\epsilon }_1)\end{array}$$

(A22)

Proof. 

Since we are only interested in the statistics of $n_i$ and $n_j$, it is not restrictive to rewrite the quantum state ${({\sum }_i\sqrt{P_i}|i⟩}_A|{\varphi }_i{{⟩}_B)}^{\otimes N_{tot}}$ as

$$\begin{array}{c}\hfill (\sum _i\sqrt{P_i}|i{⟩}_A|{\varphi }_i{⟩}_B{)}^{\otimes N_{tot}}={\{\sqrt{P_i-P_j}|i^{\prime }⟩}_A|{\varphi }_i{⟩}_B+\sqrt{2P_j}\frac{1}{\sqrt{2}}{(|i^{{}^{″}}⟩}_A|{\varphi }_i{⟩}_B+{|j⟩}_A|{\varphi }_j{⟩}_B{)+\dots \}}^{\otimes N_{tot}}.\end{array}$$

(A23)

Here, we virtually define $\sqrt{P_i}{|i⟩}_A=\sqrt{P_i-P_j}|i^{\prime }{⟩}_A+\sqrt{P_j}{|i^{″}⟩}_A$ and ${⟨i^{\prime }|i^{″}⟩}_A=0$, which do not change the density matrix of B; thus, have no impact on Eve’s operation and statistics of $n_i$ and $n_j$. Let $n_{i^{\prime }}$($n_{i^{″}}$) denote the number of detection for the quantum state $|i^{\prime }{⟩}_A$($|i^{″}{⟩}_A$) when Eve announces a successful measurement. Apparently, we know that $n_i=n_{i^{\prime }}+n_{i^{″}}$.

Let us focus on the state ${\{\sqrt{2P_j}\frac{1}{\sqrt{2}}{(|i^{{}^{″}}⟩}_A|{\varphi }_i⟩}_B+{|j⟩}_A|{\varphi }_j{⟩}_B{\left)\right\}}^{\otimes N_{tot}}$, by which the relation between $n_{i^{″}}$ and $n_j$ can be analyzed. The essential idea is reinterpreting the detection of B to a game of Eve guessing which states $|{\varphi }_i{⟩}_B$ or $|{\varphi }_j{⟩}_B$ Alice prepared for all of the $N_{tot}$ trials. Specifically, we consider a virtual experiment illustrated below.

Alice prepares the quantum state ${\{\sqrt{2P_j}\frac{1}{\sqrt{2}}{(|i^{{}^{″}}⟩}_A|{\varphi }_i⟩}_B+{|j⟩}_A|{\varphi }_j{⟩}_B{\left)\right\}}^{\otimes N_{tot}}$; then, she sends the B part to Eve. Eve measures each B she received. If she obtains a successful measurement, she will announce $M=1$. Otherwise, she will announce $M=0$. Up to now, there is no difference from the previous protocol. A critical step is that for any trial that Eve announces $M=0$, Alice flips corresponding M with probability $\frac{1}{2}$. Finally, Alice measures all partials A locally. It is obvious that if Alice prepares two quantum states $|{\varphi }_i⟩$ and $|{\varphi }_j⟩$ at random, the maximal probability of Eve guessing correctly which state is prepared is $\frac{1+\sqrt{1-F_{ij}^2}}{2}$ where $F_{ij}=|⟨{\varphi }_i|{\varphi }_j⟩|$. With the flip operation, we can apply this maximal probability to our analysis below. In this case, we reinterpret that $M=1$ ($M=0$) means that Eve guessed the quantum state Alice prepared is $|{\varphi }_i⟩$ ($|{\varphi }_j⟩$), which justifies the lossless assumption. Note that this does not compromise security because as an adversary, Eve can guess in this way. In other words, we can now treat this virtual experiment as a game where Eve tries to guess whether Alice is preparing $|{\varphi }_i⟩$ or $|{\varphi }_j⟩$. For each of all the trials in such a game, it is well known that Eve’s maximal probability of guessing correctly is $\frac{1+\sqrt{1-F_{ij}^2}}{2}$. Now, we are ready to find the relation between $n_{i^{″}}$ and $n_j$ by calculating how many trials in which Eve’s guessing is correct. First, $n_{i^{″}}$ means that announcing $M=1$ at first and Alice also preparing $|{\varphi }_i{⟩}_B$, which of course leads to guessing correctly. Then, let $N_{i^{″}}$($N_j$) denote Alice preparing the state $|{\varphi }_i⟩$($|{\varphi }_j⟩$), which implies that $N_{i^{″}}+N_j\approx N_{tot}2P_j$. As a result, there are $(N_{i^{″}}+N_j-n_{i^{″}}-n_j)$ trials in which Eve announces $M=0$ at first and then a random flipping operation on M follows; for every such trial, the probability of guessing correctly is obviously $1/2$. Further considering the potential statistical fluctuations made by the random flipping, with a failure probability of ${\epsilon }_1^{\prime }$, the number of Eve guessing correctly in the $N_{i^{″}}+N_j$ trials is no larger than

$$\begin{array}{c}\hfill n_{i^{″}}+\frac{1}{2}(N_{i^{″}}-n_{i^{″}})+\frac{1}{2}(N_j-n_j)+\overline{{\delta }_1},\end{array}$$

(A24)

where $\overline{{\delta }_1}=\delta (N_{i^{″}}+N_j-n_{i^{″}}-n_j,\frac{1}{2},{\epsilon }_1^{\prime })$ is the upper bound of the statistical fluctuation made by the random flipping of the $(N_{i^{″}}+N_j-n_{i^{″}}-n_j)$ trials. We let ${\epsilon }_1^{\prime }$ be the probability of the amount of successful detection of quantum state $|i^{″}⟩$ reach $n_{i^{″}}$. Hence the probability that we get the quantity denoted by Equarion (A24) is ${\epsilon }_1^{{}^{\prime }2}$. On the other hand, in the $N_{i^{″}}+N_j$ trials of guessing $|{\varphi }_i⟩$ and $|{\varphi }_j⟩$ prepared by Alice at random, the probability of Eve guessing correctly is no larger than $\frac{1+\sqrt{1-F_{ij}^2}}{2}$ [50], because the fidelity of $|{\varphi }_i⟩$ and $|{\varphi }_j⟩$ is $F_{ij}$, Hence, one can assert that when ${\epsilon }_1^{{}^{\prime }2}\le {\epsilon }_0^2$, In this case, we let ${\epsilon }_1^{\prime }={\epsilon }_0$. Hence, one can assert that with a failure probability ${\epsilon }_0$,

$$\begin{array}{c}\hfill \frac{n_{i^{″}}-n_j}{2}+\frac{N_{i^{″}}+N_j}{2}+\overline{{\delta }_1}\le (N_{i^{″}}+N_j)\frac{1+\sqrt{1-F_{ij}^2}}{2}+\overline{{\delta }_2}\end{array}$$

(A25)

holds, where $\overline{{\delta }_2}=\delta (N_{i^{″}}+N_j,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)$ is the upper bound of the statistical fluctuation when Eve’s guessing probability for each trial achieves the upper-bound $\frac{1+\sqrt{1-F_{ij}^2}}{2}$. Note that because in such a guessing game, conditioned on other trials, the probability of guessing correctly for any fixed trial cannot be larger than $\frac{1+\sqrt{1-F_{ij}^2}}{2}$, this lemma is applied to any attack. Furthermore, the probability of guessing correctly reaches its maximum, which equals a constant; then, the assumpution of iid holds and the Bernoulli distribution is applied to this case. However, since it is hard to calculate the statistical fluctuation, we use the Chernoff bound ${\delta }_2$ to approximate it [51].

According to Equation (A25), we can obtain an upper bound of $n_{i^{″}}-n_j$ with a failure probability ${\epsilon }_0$, say

$$\begin{array}{c}\hfill n_{i^{″}}-n_j\le (N_{i^{″}}+N_j)\sqrt{1-F_{ij}^2}+2\delta (N_{i^{″}}+N_j,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_{i^{″}}+N_j-n_{i^{″}}-n_j,\frac{1}{2},{\epsilon }_0).\end{array}$$

(A26)

similarly, if we redefine the guessing correctly as $M=1$ corresponding to $|{\varphi }_j⟩$ and $M=0$ corresponding to $|{\varphi }_i⟩$, we have that

$$\begin{array}{c}\hfill n_j-n_i^{″}\le (N_{i^{″}}+N_j)\sqrt{1-F_{ij}^2}+2\delta (N_{i^{″}}+N_j,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_{i^{″}}+N_j-n_{i^{″}}-n_j,\frac{1}{2},{\epsilon }_0).\end{array}$$

(A27)

combining Equation (A26) and Equation (A27), we are clear that

$$\begin{array}{c}\hfill |n_i^{″}-n_j|\le (N_{i^{″}}+N_j)\sqrt{1-F_{ij}^2}+2\delta (N_{i^{″}}+N_j,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_{i^{″}}+N_j-n_{i^{″}}-n_j,\frac{1}{2},{\epsilon }_0)\end{array}$$

(A28)

holds with a failure probability $2{\epsilon }_0$.

For simplicity’s sake, we enlarge the R.H.S of Equation (A28). Concretely, we replace $2\delta (N_{i^{″}}+N_j-n_{i^{″}}-n_j,\frac{1}{2},{\epsilon }_0^2)$ by $2\delta (N_{i^{″}}+N_j-n_i-n_j,\frac{1}{2},{\epsilon }_0^2)$ in Equation (A28), say

$$\begin{array}{c}\hfill |n_{i^{″}}-n_j|\le (N_{i^{″}}+N_j)\sqrt{1-F_{ij}^2}+2\delta (N_{i^{″}}+N_j,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_{i^{″}}+N_j-n_i-n_j,\frac{1}{2},{\epsilon }_0).\end{array}$$

(A29)

note that these bounds of statistical fluctuations can be derived by the Chernoff bound [52].

Similarly, because of the probability that Alice sends the quantum state $\frac{1}{\sqrt{2}}{(|i^{{}^{″}}⟩}_A|{\varphi }_i{⟩}_B+{|j⟩}_A|{\varphi }_j{⟩}_B)$ is $2P_j$, using the well-known Chernoff bound [52], we know that

$$\begin{array}{c}\hfill 2N_{tot}{P}_j-\delta (N_{tot},2P_j,{\epsilon }_1)\le N_{i^{″}}+N_j\le 2N_{tot}{P}_j+\delta (N_{tot},2P_j,{\epsilon }_1)\end{array}$$

(A30)

Combing Equation (A29) and Equation (A30), we know that

$$\begin{array}{c}\hfill |n_{i^{″}}-n_j|\le N_1\sqrt{1-F_{ij}^2}+2\delta (N_1,\frac{1+\sqrt{1-F_{ij}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_i-n_j,\frac{1}{2},{\epsilon }_0)\end{array}$$

(A31)

holds with a failure probability $2{\epsilon }_0+2{\epsilon }_1$, where $N_1=2N_{tot}{P}_j+\delta (N_{tot},2P_j,{\epsilon }_1)$ and $N_2=2N_{tot}{P}_j-\delta (N_{tot},2P_j,{\epsilon }_1)$

Finally, to derive the relation between $n_i$ and $n_j$, we have to consider the relations between $n_i$ and $n_{i^{″}}$. It is easy to know that $n_{i^{″}}=\frac{P_j}{P_i}{n}_i$ on average since there is no way for Eve to distinguish $|i^{\prime }⟩$ and $|i^{″}⟩$. Hence, using the Chernoff bound [52] again, we know that

$$\begin{array}{c}\hfill \frac{P_j}{P_i}{n}_i-\delta (n_i,\frac{P_j}{P_i},{\epsilon }_2)\le n_{i^{″}}\le \frac{P_j}{P_i}{n}_i+\delta (n_i,\frac{P_j}{P_i},{\epsilon }_2)\end{array}$$

(A32)

combining Equation (A31) and Equation (A32), we can obtain the inequality Equation (A21).

In conclusion, we complete the proof. □

With Lemma A1, we can derive the constrains between $n_{i|2\mu }$ and $n_{j|2\nu }$. Since Alice and Bob send the quantum state ${\tau }_{j|2\mu }$ (${\tau }_{j|2\nu }$ ) with the probability $\frac{2P_{\mu }^2}{M}{\tilde{P}}_{j|2\mu }$($\frac{2P_{\nu }^2}{M}{\tilde{P}}_{j|2\nu }$) and the fidelity between them is $F_{\mu \nu }^j={\sum }_{n=0}^{\infty }\frac{\sqrt{P_{j+Mn|2\mu }}\sqrt{P_{j+Mn|2\nu }}}{\sqrt{{\tilde{P}}_{j|2\mu }{\tilde{P}}_{j|2\nu }}}$. By Lemma A1, we can obtain the relation between $n_{j|2\mu }$ and $n_{j|2\nu }$ which reads

$$\begin{array}{c}\hfill |C_{j|2\mu }{n}_{j|2\mu }-C_{j|2\nu }{n}_{j|2\nu }|\le {▵}_{\mu \nu }^j.\end{array}$$

(A33)

We let $P_1=\frac{2P_{\mu }^2}{M}{\tilde{P}}_{j|2\mu }$ and $P_2=\frac{2P_{\nu }^2}{M}{\tilde{P}}_{j|2\nu }$. If $P_1>P_2$, we have $C_{j|2\mu }=\frac{P_2}{P_1}$,$C_{j|2\nu }=1$ and

$$\begin{array}{c}\hfill {▵}_{\mu \nu }^j=N_1\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{j|2\mu }-n_{j|2\nu },\frac{1}{2},{\epsilon }_0)+\delta (n_{j|2\mu },\frac{P_2}{P_1},{\epsilon }_2)\end{array}$$

(A34)

where $N_1=2N_{tot}{P}_2+\delta (N_{tot},2P_2,{\epsilon }_1)$ and $N_2=2N_{tot}{P}_2-\delta (N_{tot},2P_2,{\epsilon }_1)$

If $P_1<P_2$, we have that $C_{j|2\nu }=\frac{P_1}{P_2}$,$C_{j|2\mu }=1$ and

$$\begin{array}{c}\hfill {▵}_{\mu \nu }^j=N_1\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{j|2\mu }-n_{j|2\nu },\frac{1}{2},{\epsilon }_0)+\delta (n_{j|2\nu },\frac{P_1}{P_2},{\epsilon }_2)\end{array}$$

(A35)

where $N_1=2N_{tot}{P}_1+\delta (N_{tot},2P_1,{\epsilon }_1)$ and $N_2=2N_{tot}{P}_1-\delta (N_{tot},2P_1,{\epsilon }_1)$

One can know that the constraints Equations (A34) and (A35) are nonlinear because of the $n_{j|2\mu }$ in $\delta (n_{j|2\mu },\frac{P_2}{P_1},{\epsilon }_2)$ or $n_{j|2\nu }$ in $\delta (n_{j|2\nu },\frac{P_1}{P_2},{\epsilon }_2)$. To keep the linearity of these constraints for ease of numerical calculations, we replace $n_{j|2\mu }$ with $n_{2\mu }$ and replace $n_{j|2\nu }$ with $n_{2\nu }$ in ${▵}_{\mu \nu }^j$. That is to say, without compromising the security, we replace Equation (A34) by

$$\begin{array}{c}\hfill {▵}_{\mu \nu }^j=N_1\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\mu }-n_{2\nu },\frac{1}{2},{\epsilon }_0)+\delta (n_{2\mu },\frac{P_2}{P_1},{\epsilon }_2)\end{array}$$

(A36)

and replace Equation (A35) by

$$\begin{array}{c}\hfill {▵}_{\mu \nu }^j=N_1\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu \nu }^j\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\mu }-n_{2\nu },\frac{1}{2},{\epsilon }_0)+\delta (n_{2\nu },\frac{P_1}{P_2},{\epsilon }_2)\end{array}$$

(A37)

moreover, recalling Alice and Bob may both choose intensity 0 and obtain the corresponding number of successful clicks $n_0$, we have two additional constraints between $n_0$ and $n_{0|2\mu },n_{0|2\nu }$ which reads

$$\begin{array}{c}\hfill |C_{0,\mu }{n}_0-C_{2\mu }^0{n}_{0|2\mu }|\le {▵}_{0\mu }^0\\ \hfill |C_{0,\nu }{n}_0-C_{2\nu }^0{n}_{0|2\nu }|\le {▵}_{0\nu }^0\end{array}$$

(A38)

since the probability of both Alice and Bob sending the quantum state $|0⟩⟨0|$ is $P_O^2$ and the fidelity between $|0⟩⟨0|$ and $\frac{1}{2}|{\tilde{0}}_{2\mu }⟩⟨{\tilde{0}}_{2\mu }|+\frac{1}{2}|{\tilde{0}}_{2\mu }{⟩}^{\prime }⟨{\tilde{0}}_{2\mu }|$ ($\frac{1}{2}|{\tilde{0}}_{2\nu }⟩⟨{\tilde{0}}_{2\nu }|+\frac{1}{2}|{\tilde{0}}_{2\nu }{⟩}^{\prime }⟨{\tilde{0}}_{2\nu }|$ ) is $F_{\mu 0}^0=\frac{P_{0|2\mu }}{{\tilde{P}}_{0|2\mu }}$($F_{\nu 0}^0=\frac{P_{0|2\nu }}{{\tilde{P}}_{0|2\nu }}$), we can obtain the coefficients of these two constraints according to Lemma A1. For simplicity’s sake’s sake, we let $P_1=P_O^2$ and $P_2=\frac{2P_{\mu }^2{\tilde{P}}_{0|2\mu }}{M}$; then, if $P_1>P_2$, we have $C_{0,\mu }=\frac{P_2}{P_1},C_{2\mu }^0=1$ and

$$\begin{array}{c}\hfill {▵}_{0\mu }^0=N_1\sqrt{1-{\left(F_{\mu 0}^0\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu 0}^0\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\mu }-n_0,\frac{1}{2},{\epsilon }_0)+\delta (n_0,\frac{P_2}{P_1},{\epsilon }_2)\end{array}$$

where $N_1=2N_{tot}{P}_2+\delta \left(N_{tot},2P_2,{\epsilon }_1\right)$ and $N_2=2N_{tot}{P}_2-\delta \left(N_{tot},2P_2,{\epsilon }_1\right)$; otherwise, we have $C_{0,\mu }=1,C_{2\mu }^0=\frac{P_1}{P_2}$ and $C_{0,\mu }=\frac{P_2}{P_1},C_{2\mu }^0=1$ and

$$\begin{array}{c}\hfill {▵}_{0\mu }^0=N_1\sqrt{1-{\left(F_{\mu 0}^0\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\mu 0}^0\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\mu }-n_0,\frac{1}{2},{\epsilon }_0)+\delta (n_{2\mu },\frac{P_1}{P_2},{\epsilon }_2)\end{array}$$

(A39)

where $N_1=2N_{tot}{P}_1+\delta \left(N_{tot},2P_1,{\epsilon }_1\right)$ and $N_2=2N_{tot}{P}_1-\delta \left(N_{tot},2P_1,{\epsilon }_1\right)$.

Similarly, we let $P_1=P_O^2$ and $P_2=\frac{2P_{\nu }^2{\tilde{P}}_{0|2\nu }}{M}$; then, if $P_1>P_2$, we have $C_{0,\nu }=\frac{P_2}{P_1},C_{2\nu }^0=1$ and

$$\begin{array}{c}\hfill {▵}_{0\nu }^0=N_1\sqrt{1-{\left(F_{\nu 0}^0\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\nu 0}^0\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\nu }-n_0,\frac{1}{2},{\epsilon }_0)+\delta (n_0,\frac{P_2}{P_1},{\epsilon }_2)\end{array}$$

where $N_1=2N_{tot}{P}_2+\delta \left(N_{tot},2P_2,{\epsilon }_1\right)$ and $N_2=2N_{tot}{P}_2-\delta \left(N_{tot},2P_2,{\epsilon }_1\right)$; otherwise, we have $C_{0,\nu }=1,C_{2\nu }^0=\frac{P_1}{P_2}$ and $C_{0,\nu }=\frac{P_2}{P_1},C_{2\nu }^0=1$ and

$$\begin{array}{c}\hfill {▵}_{0\nu }^0=N_1\sqrt{1-{\left(F_{\nu 0}^0\right)}^2}+2\delta (N_1,\frac{1+\sqrt{1-{\left(F_{\nu 0}^0\right)}^2}}{2},{\epsilon }_0^2)-2\delta (N_2-n_{2\nu }-n_0,\frac{1}{2},{\epsilon }_0)+\delta (n_{2\nu },\frac{P_1}{P_2},{\epsilon }_2)\end{array}$$

(A40)

where $N_1=2N_{tot}{P}_1+\delta \left(N_{tot},2P_1,{\epsilon }_1\right)$ and $N_2=2N_{tot}{P}_1-\delta \left(N_{tot},2P_1,{\epsilon }_1\right)$.

Now the gaps between $n_{j|2\mu }$ v.s. $n_{j|2\nu }$, $n_{0|2\mu }$ v.s. $n_0$, and $n_{0|2\nu }$ v.s. $n_0$ have been given. To bound $n_{ph}$, we can now resort to linear programming below:

$$\begin{array}{cc}\hfill max& n_{ph}=\sum _{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu }\hfill \\ \hfill s.t.& \sum _{j=0}^{M-1}{n}_{j|2\mu }=n_{2\mu }\hfill \\ & \sum _{j=0}^{M-1}{n}_{j|2\nu }=n_{2\nu }\hfill \\ & |C_{0,\mu }{n}_0-C_{2\mu }^0{n}_{0|2\mu }|\le {▵}_{0\mu }^0\hfill \\ & |C_{0,\nu }{n}_0-C_{2\nu }^0{n}_{0|2\nu }|\le {▵}_{0\nu }^0\hfill \\ & |C_{j|2\mu }{n}_{j|2\mu }-C_{j|2\nu }{n}_{j|2\nu }|\le {▵}_{\mu \nu }^j.\hfill \end{array}$$

(A41)

For ease of calculation, in all these constraints we let ${\epsilon }_0={\epsilon }_1={\epsilon }_2={\epsilon }_a$; then, the total failure probability that we obtain the bound ${▵}_{\mu \nu }^j$ is $6{\epsilon }_a$. Meanwhile, the failure probability that we obtain the last two bounds on is $2{\epsilon }_a$. Hence, the total failure probability of all these constraints is $6(M+2){\epsilon }_a$. To conclude, with the help of the linear programming in Equation (A41), one can calculate the upper-bound of $n_{ph}$.

For simplicity’s sake, we give the analytical solution of this linear programming below. We divide $n_{ph}$ into two parts, say

$$\begin{array}{c}\hfill n_{ph}=n_{0|2\mu }+\sum _{j=2,4,6}{n}_{j|2\mu }.\end{array}$$

(A42)

according to the inequality $|C_{0,\mu }{n}_0-C_{2\mu }^0{n}_{0|2\mu }|\le {▵}_{0\mu }^0$, we can obtain that the bounds of $n_{0|2\mu }$ are

$$\begin{array}{c}\hfill \overline{n_{0|2\mu }}=\frac{C_{0,\mu }{n}_0+{▵}_{0\mu }^0}{C_{2\mu }^0},\end{array}$$

(A43)

$$\begin{array}{c}\hfill \underline{n_{0|2\mu }}=\frac{C_{0,\mu }{n}_0-{▵}_{0\mu }^0}{C_{2\mu }^0}.\end{array}$$

(A44)

similarly, with the inequality $|C_{0,\nu }{n}_0-C_{2\nu }^0{n}_{0|2\nu }|\le {▵}_{0\nu }^0$, we have the bounds of $n_{0|2\nu }$, i.e.,

$$\begin{array}{c}\hfill \overline{n_{0|2\nu }}=\frac{C_{0,\nu }{n}_0+{▵}_{0\nu }^0}{C_{2\nu }^0},\end{array}$$

(A45)

$$\begin{array}{c}\hfill \underline{n_{0|2\nu }}=\frac{C_{0,\nu }{n}_0-{▵}_{0\nu }^0}{C_{2\nu }^0}.\end{array}$$

(A46)

besides the bound $\overline{n_{0|2\mu }}$, we need to calculate the upper bound of ${\sum }_{j=2,4,6}{n}_{j|2\mu }$ which we derive below. If we set $\mu >\nu$ and $P_{\mu }>P_{\nu }$, according to Equation A33, we have

$$\begin{array}{cc}\hfill C_{j|2\mu }=& \frac{P_{\nu }^2{\tilde{P}}_{j|2\nu }}{P_{\mu }^2{\tilde{P}}_{j|2\mu }},\\ \hfill C_{j|2\nu }=& 1,\end{array}$$

(A47)

for $j\ge 1$. Hence, $n_{j|2\nu }\le \frac{P_{\nu }^2{\tilde{P}}_{j|2\nu }}{P_{\mu }^2{\tilde{P}}_{j|2\mu }}{n}_{j|2\mu }+{▵}_{\mu \nu }^j$ where $j\ge 1$ hold. Then, combing with the equality $n_{2\nu }={\sum }_{j=0}^M{n}_{j|2\nu }$, we have

$$\begin{array}{c}\hfill \sum _{j=1,3,5,7}\frac{P_{\nu }^2{\tilde{P}}_{j|2\nu }}{P_{\mu }^2{\tilde{P}}_{j|2\mu }}{n}_{j|2\mu }+\sum _{j=2,4,6}\frac{P_{\nu }^2{\tilde{P}}_{j|2\nu }}{P_{\mu }^2{\tilde{P}}_{j|2\mu }}{n}_{j|2\mu }\ge n_{2\nu }-\sum _{j=1}^7{▵}_{\mu \nu }^j-\overline{n_{0|2\nu }}.\end{array}$$

(A48)

It is easy to prove that

$$\begin{array}{c}\hfill \frac{P_{\nu }^2{\tilde{P}}_{j|2\nu }}{P_{\mu }^2{\tilde{P}}_{j|2\mu }}\ge \frac{P_{\nu }^2{\tilde{P}}_{j+1|2\nu }}{P_{\mu }^2{\tilde{P}}_{j+1|2\mu }}\end{array}$$

(A49)

for $j\ge 1$ holds in the case of $\mu >\nu$ and $P_{\mu }>P_{\nu }$. Consequently, we can know that

$$\begin{array}{c}\hfill \frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}\left(\sum _{j=1,3,5,7}{n}_{j|2\mu }\right)+\frac{P_{\nu }^2{\tilde{P}}_{2|2\nu }}{P_{\mu }^2{\tilde{P}}_{2|2\mu }}\left(\sum _{j=2,4,6}{n}_{j|2\mu }\right)\ge n_{2\nu }-\sum _{j=1}^7{▵}_{\mu \nu }^j-\overline{n_{0|2\nu }}.\end{array}$$

(A50)

Finally, combing with the equality ${\sum }_{j=0}^{M-1}{n}_{j|2\mu }=n_{2\mu }$, Equations (A43) and (A45), we obtain the upper bound given by

$$\begin{array}{c}\hfill \sum _{j=2,4,6}{n}_{j|2\mu }\le \frac{\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}{n}_{2\mu }-n_{2\nu }+{\sum }_{j=1}^7{▵}_{\mu \nu }^j+\frac{C_{0,\nu }{n}_0+{▵}_{0\nu }^0}{C_{2\nu }^0}-\frac{C_{0,\mu }{n}_0-{▵}_{0\mu }^0}{C_{2\mu }^0}\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}}{\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}-\frac{P_{\nu }^2{\tilde{P}}_{2|2\nu }}{P_{\mu }^2{\tilde{P}}_{2|2\mu }}}.\end{array}$$

(A51)

Finally, we have the upper bound of $n_{ph}$, say

$$\begin{array}{c}\hfill n_{ph}^U=\frac{\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}{n}_{2\mu }-n_{2\nu }+{\sum }_{j=1}^7{▵}_{\mu \nu }^j+\frac{C_{0,\nu }{n}_0+{▵}_{0\nu }^0}{C_{2\nu }^0}-\frac{C_{0,\mu }{n}_0-{▵}_{0\mu }^0}{C_{2\mu }^0}\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}}{\frac{P_{\nu }^2{\tilde{P}}_{1|2\nu }}{P_{\mu }^2{\tilde{P}}_{1|2\mu }}-\frac{P_{\nu }^2{\tilde{P}}_{2|2\nu }}{P_{\mu }^2{\tilde{P}}_{2|2\mu }}}+\frac{C_{0,\mu }{n}_0+{▵}_{0\mu }^0}{C_{2\mu }^0}.\end{array}$$

(A52)