Overcoming Intensity Limits for Long-Distance Quantum Key Distribution

Abstract

Quantum Key Distribution (QKD) enables the sharing of cryptographic keys secured by quantum mechanics. The BB84 protocol assumes single-photon sources, but practical systems rely on weak coherent pulses vulnerable to Photon-Number-Splitting (PNS) attacks. The Gottesman–Lo–Lütkenhaus–Preskill (GLLP) framework addresses these imperfections, deriving secure key rate bounds under limited PNS scenarios. The decoy-state protocol further improves performance by refining single-photon yield estimates, but still considers multi-photon states as insecure, thereby limiting intensities and constraining key rate and distance. More recently, finite-key security bounds for decoy-state QKD have been extended to address general attacks, ensuring security against adversaries capable of exploiting arbitrary strategies. In this work, we focus on a specific class of attacks, the generalized PNS attack, and demonstrate that higher pulse intensities can be securely used by employing Bayesian inference to estimate key parameters directly from observed data. By raising the pulse intensity to 10 photons, we achieve a 50-fold increase in key rate and a 62.2% increase in operational range (about 200 km) compared to the decoy-state protocol. Furthermore, we accurately model after-pulsing using a Hidden Markov Model (HMM) and reveal inaccuracies in decoy-state calculations that may produce erroneous key-rate estimates. While this methodology does not address all possible attacks, it provides a new approach to security proofs in QKD by shifting from worst-case assumption analysis to observation-dependent inference, advancing the reach and efficiency of discrete-variable QKD protocols.

1. Introduction

QKD allows two parties, Alice and Bob, to share a secret key secured by quantum mechanics. The BB84 protocol [1] introduced QKD using single-photon polarization states and its unconditional security was proven in [2] via quantum error correction and entanglement purification, assuming ideal single-photon sources. True single-photon sources are hard to implement. Instead, most QKD systems use weak coherent pulses from attenuated lasers, which produce multi-photon states. These enable a Photon-Number-Splitting (PNS) attack [3], where an eavesdropper, commonly referred to as Eve, intercepts some photons and forwards the rest, gaining key information undetected and compromising security.

The GLLP framework [4] addresses this by extending security proofs to imperfect devices and multi-photon pulses. It ensures secure QKD by treating multi-photon pulses as “tagged” and deriving a secure lower bound on the secret key rate that can be extracted from the sifted key:

$$\begin{array}{c}\hfill K\ge max\left((1-\Delta )\left[1-H_2\left(\delta /\left(1-\Delta \right)\right)\right]-H_2\left(\delta \right),0\right),\end{array}$$

(1)

where $\delta$ is the overall error rate, $\Delta$ is the fraction of tagged photons, and $H_2$ is the binary Shannon entropy function.

Building on GLLP’s framework, the decoy-state protocol [5,6,7,8,9] improved key rates and operational ranges by enhancing single-photon yield estimation through random pulse-intensity variations, and it was first successfully demonstrated in [10]. However, while it improves performance, the decoy-state approach relies on conservative assumptions for multi-photon pulses—assuming they are fully compromised—which forces conservative intensity choices, limits maximum transmission distances, and imposes high detector efficiency requirements.

While decoy-state protocols extend BB84, other approaches, like SARG04 and Coherent One-Way (COW), also address PNS attacks. SARG04 [11] uses the original four BB84 states but alters the sifting procedure, improving resilience to multi-photon attacks at the expense of reduced key rates. The COW protocol [12] transmits weak coherent pulses in time-bin sequences and checks their coherence to detect eavesdropping. Although these methods enhance certain security aspects, they generally yield lower key rates and remain more susceptible to side-channel attacks compared to decoy-state protocols.

Despite its improved accuracy in estimating single-photon contributions, the decoy-state protocol still treats multi-photon pulses as insecure. By relying on additional intensity settings, it refines the statistical bounds on single-photon yields, but the need to suppress multi-photon probabilities enforces conservative intensity choices. This limits the maximum transmission distance and demands high detector efficiencies, posing significant experimental challenges for near-term implementations.

Advancements such as those presented in [13] have extended the security analysis by considering more general attack models, thereby further advancing the decoy-state framework. In summary, Ref. [13] broadens the scope of adversarial strategies beyond the conventional decoy approach.

Although previous works have accounted for various device imperfections, the correlations induced by after-pulsing are often overlooked. After-pulsing, where a detector emits spurious clicks following a real detection [14], induces correlations that violate the i.i.d. assumption. A common mitigation strategy is to increase the detector’s dead time, reducing after-pulse probabilities to negligible levels at the expense of lowering the achievable key rate. Even then, neglecting residual after-pulsing can still distort error estimates and weaken QKD security [15].

Twin-Field QKD (TF-QKD) [16] exploits quantum interference at a central node to surpass conventional rate-loss limits. By sending weak coherent pulses from both Alice and Bob to a measurement station, TF-QKD reduces reliance on trusted relays and enables secure key distribution over longer distances with minimal loss.

This work reframes QKD security from worst-case assumptions to a probabilistic inference model. Treating eavesdropper detection as an inference task, we use Bayesian methods to estimate key parameters like $\Delta$ from observed data. This tighter parameter estimation refines the GLLP formula, enabling higher pulse intensities and improving both key rate and operational range.

Instead of limiting source intensity to reduce Eve’s potential interference, we recast her presence as an inference problem. By modeling the QKD protocol as a probability distribution over system parameters and detection outcomes and applying Bayesian inference [17], we directly estimate Eve’s interception rate $\Delta$ from observed data. Notably, our analysis focuses on the generalized PNS attack model—which captures a broader spectrum of adversarial strategies than the conventional PNS attack—rather than the more comprehensive attack model discussed in [13]. This approach eliminates overly conservative assumptions, extends PNS-attack analysis to arbitrary interception scenarios and channel conditions, and enables secure operation at higher pulse intensities when $\Delta$ is negligible.

To account for temporal correlations introduced by detector effects like after-pulsing and device variabilities, we incorporate a Hidden Markov Model (HMM) [18]. This refinement yields more accurate error estimates and facilitates reliable key extraction.

Building on the GLLP framework without imposing intensity constraints, our approach supports greater operational distances, reduces reliance on high-efficiency detectors, and enhances key rates.

The remainder of this paper is organized as follows: Section 2 presents the probabilistic model; Section 3 outlines the Bayesian inference and HMM formulations; Section 4 provides simulation results and comparisons to the decoy-state protocol; Section 5 addresses time complexity; and Section 6 concludes with final remarks and potential future directions.

2. Probabilistic Modeling

To better analyze and secure Quantum Key Distribution (QKD) systems, a deeper understanding of the underlying processes is essential. Realistic devices are subject to various sources of noise and inherent randomness, making it necessary to adopt a probabilistic modeling approach. In this section, we construct a comprehensive probabilistic framework that captures these complexities, accounting for factors such as detector efficiency, dark counts, beam-splitter misalignment, laser intensity, and fiber attenuation. By modeling these random processes, we derive the probabilities of different click events, laying the foundation for a more rigorous security analysis of QKD implementations.

We begin by modeling each component of the QKD setup separately to understand how the distribution of photons evolves as they travel from Alice to Bob. This modular approach enables us to systematically build the complete probability distribution, ensuring that we incorporate all relevant factors that influence the detection process.

Next, we extend our analysis to incorporate eavesdropping scenarios, specifically generalizing the Photon-Number-Splitting (PNS) attack. By introducing Eve’s parameters into our model, we calculate how the probabilities of click events change under various strategies she might employ. This generalization enables us to quantify the security of the QKD system under more realistic and flexible attack models.

Following this, we address the temporal dependencies introduced by after-pulsing. We develop a Hidden Markov Model (HMM) to capture these dependencies and refine our probability estimates accordingly. The HMM framework allows us to model correlations between detection events, which are crucial for accurately assessing the impact of after-pulsing on error rates and key generation.

Finally, we derive the error and gain probabilities from both the independent and identically distributed (i.i.d.) model and the HMM-based model. These probabilities are essential for key rate calculations and form the basis for evaluating the security and performance of the QKD protocol under realistic conditions. By the end of this section, we will have constructed a detailed and adaptable probabilistic model that serves as the foundation for our Bayesian inference and subsequent analysis.

2.1. QKD Components

Accurately modeling the QKD system requires a detailed understanding of the components involved, including detectors, beam splitters, and the interaction with quantum channels. In this section, we construct a probabilistic framework to model the behavior of a QKD system, incorporating various noise sources and potential attack vectors.

2.1.1. Detectors

The detection process in QKD systems can be characterized by the following key probabilities:

• ${\mathit{p}}_{\mathit{a}}$ (After-pulse): probability of a click given a click in the previous detection window.
• ${\mathit{p}}_{\mathit{c}}$ (Efficiency): probability of a click given a single photon.
• ${\mathit{p}}_{\mathit{d}}$ (Dark count): probability of a click in the absence of a photon.
• ${\mathit{p}}_{\mathit{e}}$ (Misalignment): probability of a detection error due to misalignment.

Throughout the paper, we will also use the notation $q=1-p$ for several parameters, for example, $q_c=1-p_c$, $q_d=1-p_d$, and so on.

For detectors $D_0$ and $D_1$, we denote their respective click probabilities as $p_{c_0}$ and $p_{c_1}$, and similarly for dark count and after-pulse probabilities. When n photons reach a detector and each has an independent detection probability, $p_c$, the detected signal photon count, s, is binomially distributed: $s\sim \mathrm{Binomial}(n,p_c)$. Similarly, the occurrence of a dark count follows a Bernoulli distribution with probability $p_d$: $d\sim \mathrm{Bernoulli}\left(p_d\right)$.

These distributions assume independence and fixed probabilities. To overcome this, we will use a Bayesian inference framework, modeling parameters as random variables with priors and updating posteriors based on observed data to incorporate uncertainties. Additionally, a Hidden Markov Model (HMM) will address dependencies between successive detection events, relaxing the independence assumption.

The probability of a click event at the detector, D, can be considered as the combined probability of detecting at least one photon or registering a dark count; see Figure 1. Given these considerations, we present the following lemma, which formalizes the combined click probability at a detector:

Lemma 1.

Given n photons incident on a detector, each detected independently with probability $p_c$, and a dark count probability $p_d$, the detection event D, detecting at least one photon or registering a dark count, follows a Bernoulli distribution:

$$\begin{array}{c}\hfill P(D\mid n,p_c,p_d)=\mathit{Bernoulli}(D\mid p=1-q_d{q}_c^n),\end{array}$$

(2)

where $q_c=1-p_c$ and $q_d=1-p_d$

Proof. 

The detection event D occurs if at least one signal photon is detected or a dark count occurs. Since these are independent events, the probability that neither occurs is:

$$P(D=0\mid n,p_c,p_d)=P(d=0)P(s=0)=q_d{q}_c^n.$$

Therefore, the probability of a detection event is:

$$P(D=1\mid n,p_c,p_d)=1-P(D=0\mid n,p_c,p_d)=1-q_d{q}_c^n.$$

   □

2.1.2. Fiber-Detector

Optical fibers affect the probability of photons arriving at the detector by attenuating their intensity. The attenuation rate $\alpha$ (dB/km) determines the probability $p_f$ of a photon successfully traversing a distance d, given by:

$$\begin{array}{c}\hfill p_f={10}^{-\alpha \frac{d}{10}}.\end{array}$$

(3)

Each photon independently emerges with probability $p_f$, making the number of photons k exiting the fiber, given n entered, follow a binomial distribution: $k\sim \mathrm{Binomial}(n,p_f)$.

Given this model, the probability of a detection event at a detector with efficiency $p_c$ and dark count probability $p_d$, after photons pass through a fiber with loss $p_f$, is derived using the binomial distribution of photons emerging from the fiber and their detection probabilities. This is formally presented in Lemma 2 (see also Figure 2).

Lemma 2.

When n photons pass through a fiber before reaching a detector, the probability of a detection event at the detector, given the fiber transmission probability $p_f$, detector efficiency $p_c$, and dark count probability $p_d$, is equivalent to the probability of a detection event for n photons directly incident on a detector, with its efficiency scaled by the fiber transmission probability. Specifically, this means:

$$\begin{array}{c}\hfill P(D\mid n,p_c,p_d,p_f)=P(D\mid n,p_c·p_f,p_d),\end{array}$$

(4)

where the right-hand side is the detection probability derived in Lemma 1.

Proof. 

Since each photon has a probability $p_f$ of passing through the fiber and reaching the detector, the number of photons k that reach the detector is a binomial random variable:

$$k\sim \mathrm{Binomial}(n,p_f).$$

The probability of a click event at the detector is computed by marginalizing over all possible values of k, summing the probabilities of a click given k, weighted by the probability that exactly k photons reach the detector:

$$P(D=1\mid n,p_c,p_d,p_f)={\displaystyle \sum _{k=0}^n}P(D=1\mid k,p_c,p_d)P(k\mid n,p_f),$$

where:

• $P(D=1\mid k,p_c,p_d)$ is the probability of a click given that k photons reach the detector, as previously derived in Lemma 1.
• $P(k\mid n,p_f)$ is the probability that exactly k photons pass through the fiber, modeled as $\mathrm{Binomial}(k\mid n,p_f)$.

Substituting these into the sum:

$$P(D=1\mid n,p_c,p_d,p_f)={\displaystyle \sum _{k=0}^n}\left(1-q_d{q}_c^k\right)\left(\genfrac{}{}{0pt}{}{n}{k}\right)p_f^k{(1-p_f)}^{n-k}.$$

Expanding and simplifying:

$$P(D=1\mid n,p_c,p_d,p_f)=1-q_d{\displaystyle \sum _{k=0}^n}\left(\genfrac{}{}{0pt}{}{n}{k}\right){\left(q_c{p}_f\right)}^k{\left(1-p_f\right)}^{n-k}.$$

Applying the binomial theorem [19]:

$${\displaystyle \sum _{k=0}^n}\left(\genfrac{}{}{0pt}{}{n}{k}\right)x^k{y}^{n-k}={(x+y)}^n,$$

where $x=q_c{p}_f$ and $y=1-p_f$, we get:

$$\begin{array}{cc}\hfill P(D=1\mid n,p_c,p_d,p_f)& =1-q_d{\left(q_c{p}_f+1-p_f\right)}^n,\hfill \\ \hfill & =1-q_d{\left(1-p_c{p}_f\right)}^n.\hfill \end{array}$$

This matches the form in Lemma 1, where the efficiency is effectively $p_c{p}_f$.    □

2.1.3. Fiber-Beam Splitter

If, after passing through the fiber, the photon stream encounters a beam splitter, each photon is independently directed to one of two paths, labeled 0 and 1, with probabilities $p_0$ and $p_1=1-p_0$, respectively. Then, the number of photons taking the 0 path follows $m_0\sim \mathrm{Binomial}(m,p_0)$, while those taking the 1 path follow $m_1=m-m_0\sim \mathrm{Binomial}(m,p_1)$.

The objective is to derive the distribution of photons $m_i$ directed to detector $D_i$ ($i\in \{0,1\}$) given n photons initially entering the fiber, combining the effects of fiber attenuation and the beam splitter. This is formally presented in Lemma 3 (see also Figure 3).

Lemma 3.

If n photons go through a fiber with a transmission probability $p_f$ and then encounter a beam splitter that directs each photon to path i with probability $p_i$, the number of photons $m_i$ directed towards detector i follows a binomial distribution with a combined success probability of $p_f{p}_i$. Formally, this can be expressed as:

$$\begin{array}{c}\hfill m_i\sim \mathit{Binomial}(n,p_f{p}_i).\end{array}$$

(5)

Proof. 

$m_i$ results from two successive binomial processes: first, the probability of m successes in n trials with probability $p_f$, and then the probability of $m_i$ successes in m trials with probability $p_i$. To find the distribution of $m_i$, we marginalize over the latent variable m:

$$P(m_i\mid n,p_f,p_i)={\displaystyle \sum _{m=m_i}^n}P(m_i\mid m,p_i)P(m\mid n,p_f).$$

The index starts at $m_i$, as $m_i>m$ is not possible. Since $P(m_i\mid m,p_i)$ and $P(m\mid n,p_f)$ are both binomial distributions, we substitute them as follows:

$$\begin{array}{cc}\hfill P(m_i\mid n,p_f,p_i)& ={\displaystyle \sum _{m=m_i}^n}\mathrm{Binomial}(m_i\mid m,p_i)\mathrm{Binomial}(m\mid n,p_f)\hfill \\ \hfill & ={\displaystyle \sum _{m=m_i}^n}\left(\genfrac{}{}{0pt}{}{m}{m_i}\right)p_i^{m_i}{(1-p_i)}^{m-m_i}\left(\genfrac{}{}{0pt}{}{n}{m}\right)p_f^m{(1-p_f)}^{n-m}\hfill \\ \hfill & ={\displaystyle \sum _{m=m_i}^n}\left(\genfrac{}{}{0pt}{}{m}{m_i}\right)p_i^{m_i}{q}_i^{m-m_i}\left(\genfrac{}{}{0pt}{}{n}{m}\right)p_f^m{q}_f^{n-m}\hfill \\ \hfill & ={\displaystyle \sum _{m=m_i}^n}\frac{m!}{m_i!(m-m_i)!}{p}_i^{m_i}{q}_i^{m-m_i}\frac{n!}{m!(n-m)!}{p}_f^m{q}_f^{n-m}\hfill \\ \hfill & =\frac{n!}{m_i!}{p}_i^{m_i}{\displaystyle \sum _{m=m_i}^n}\frac{q_i^{m-m_i}{p}_f^m{q}_f^{n-m}}{(m-m_i)!(n-m)!}.\hfill \end{array}$$

Letting $c=m-m_i$ and $C=n-m_i$, and re-indexing:

$$\begin{array}{cc}\hfill P(m_i\mid n,p_f,p_i)& =\frac{n!}{m_i!}{p}_i^{m_i}{\displaystyle \sum _{c=0}^n}\frac{q_i^c{p}_f^{c+m_i}{q}_f^{C-c}}{c!(C-c)!},\hfill \\ \hfill & =\frac{n!}{m_i!}{p}_i^{m_i}{p}_f^{m_i}{\displaystyle \sum _{c=0}^C}\frac{q_i^c{p}_f^c{q}_f^{C-c}}{c!(C-c)!},\hfill \\ \hfill & =\frac{n!}{m_i!C!}{\left(p_f{p}_i\right)}^{m_i}{\displaystyle \sum _{c=0}^C}\frac{C!}{c!(C-c)!}{\left(q_i{p}_f\right)}^c{q}_f^{C-c},\hfill \\ \hfill & =\frac{n!}{m_i!C!}{\left(p_f{p}_i\right)}^{m_i}{\displaystyle \sum _{c=0}^C}\left(\genfrac{}{}{0pt}{}{C}{c}\right){\left(q_i{p}_f\right)}^c{q}_f^{C-c}.\hfill \end{array}$$

Recognizing the binomial theorem [19]:

$$P(m_i\mid n,p_f,p_i)=\frac{n!}{m_i!C!}{\left(p_f{p}_i\right)}^{m_i}{(q_i{p}_f+q_f)}^C.$$

Simplifying and substituting back:

$$P(m_i\mid n,p_f,p_i)=\left(\genfrac{}{}{0pt}{}{n}{m_i}\right){\left(p_f{p}_i\right)}^{m_i}{(1-p_f{p}_i)}^{n-m_i}.$$

This has the form of the binomial distribution with number of trials $m_i$ and success probability $p_f{p}_i$.    □

2.1.4. Pair of Detectors

In practical BB84 implementations, two detectors are used to distinguish between the detection of a true 0 bit and the absence of photon arrival. Therefore, to fully characterize the detection system, we compute the four joint probabilities of detector outcomes:

• $P^{00}$: The probability of neither detectors clicking.
• $P^{01}$: The probability of only $D_0$ clicking.
• $P^{10}$: The probability of only $D_1$ clicking.
• $P^{11}$: The probability of both detectors clicking.

If we have access to the marginal probabilities for each detector:

$$\begin{array}{cc}\hfill P(D_0=1)& =P^{\ast 1}=P^{01}+P^{11},\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill P(D_1=1)& =P^{1\ast }=P^{10}+P^{11},\hfill \end{array}$$

(7)

as well as the union probability:

$$\begin{array}{c}\hfill P(D_0\vee D_1=1)=P^{\vee }=P^{01}+P^{10}+P^{11},\end{array}$$

(8)

we can use these to infer the joint probabilities as follows:

$$\begin{array}{cc}\hfill P^{00}& =1-P^{\vee },\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill P^{01}& =P^{\vee }-P^{1\ast },\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill P^{10}& =P^{\vee }-P^{\ast 1},\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill P^{11}& =P^{\ast 1}+P^{1\ast }-P^{\vee }.\hfill \end{array}$$

(12)

The marginals are straight forward results of previously stated lemmas. From Lemma 3, we showed that the effect of a fiber with loss $p_f$ followed by a beam-splitter path probability $p_i$ is essentially equivalent to a single fiber with a loss of $p_f{p}_i$. Additionally, in Lemma 2, we showed that the effect of a fiber with loss $p_f$ connected to a detector with efficiency $p_c$ is equivalent to a single detector with an efficiency of $p_f{p}_c$. Therefore, we can combine these results and conclude that a fiber connected to a beam splitter that is connected to a detector is equivalent to a single detector with an efficiency of $p_f{p}_i{p}_c$, or more formally:

$$\begin{array}{c}\hfill P(D_i=1\mid n,p_c,p_d,p_f,p_i)=P(D=1\mid n,p_f{p}_i{p}_c,p_d)\end{array}$$

(13)

In the following Lemma, we derive the union probability in order to derive the joint probabilities. A schematic representation of the two-detector system is presented in Figure 4.

Lemma 4.

If n photons encounter a beam splitter that independently directs each photon to one of two paths, $i\in \{0,1\}$, with probabilities $p_0$ and $p_1=1-p_0$, and these paths lead to two detectors, $D_0$ or $D_1$, with click probabilities $p_{c_0}$ and $p_{c_1}$, and dark count probabilities $p_{d_0}$ and $p_{d_1}$, respectively, then the probability of at least one of the detectors clicking is equivalent to the click probability of a single pseudo detector with n photons directly incident on it, where the click probability is $p_c^{\vee }$ and the dark count probability is $p_d^{\vee }$. Formally, this probability is given by:

$$\begin{array}{c}\hfill P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=P(D=1\mid n,p_c^{\vee },p_d^{\vee }),\end{array}$$

(14)

where

$$\begin{array}{c}\hfill p_c^{\vee }=p_1{p}_{c_1}+p_0{p}_{c_0},p_d^{\vee }=1-q_{d_0}{q}_{d_1},\end{array}$$

(15)

and $P(D=1\mid n,p_c,p_d)$ is as defined in Lemma 1.

Proof. 

To compute the probability that at least one detector, either $D_0$ or $D_1$, registers a click, we sum over all possible numbers of photons k that could be passed to $D_0$ and marginalize over this variable:

$$P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=\sum _{k=0}^{n}P(D_0\vee D_1=1\mid k,p_c,p_d)\mathrm{Binomial}(k\mid n,p_0).$$

Since after the beam-split, the click events at $D_0$ and $D_1$ become independent, the probability that neither detector clicks is the product of their independent non-click probabilities. Therefore, the probability that at least one detector clicks (the union probability) is:

$$P(D_0\vee D_1=1\mid k,p_c,p_d)=1-P(D_0=0\mid k,p_{c_0},p_{d_0})P(D_1=0\mid n-k,p_{c_1},p_{d_1}).$$

We substitute the non-click probabilities:

$$P(D_0=0\mid k,p_{c_0},p_{d_0})=q_{d_0}{q}_{c_0}^k,P(D_1=0\mid n-k,p_{c_1},p_{d_1})=q_{d_1}{q}_{c_1}^{n-k}.$$

Thus, the probability of a click in either detector is:

$$P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=\sum _{k=0}^n\left(1-q_{d_0}{q}_{d_1}{q}_{c_0}^k{q}_{c_1}^{n-k}\right)\mathrm{Binomial}(k\mid n,p_0).$$

This can be rewritten by expanding and simplifying as:

$$P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=1-q_{d_0}{q}_{d_1}\sum _{k=0}^n\left(\genfrac{}{}{0pt}{}{n}{k}\right)\left(p_0{q}_{c_0}^k\right){\left(q_0{q}_{c_1}\right)}^{n-k}.$$

Recognizing the binomial theorem [19]:

$$P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=1-q_{d_0}{q}_{d_1}{(p_0{q}_{c_0}+q_0{q}_{c_1})}^n.$$

Further simplifying:

$$P(D_0\vee D_1=1\mid n,p_c,p_d,p_0)=1-\underset{1-p_d^{\vee }}{\underbrace{q_{d_0}{q}_{d_1}}}{(1-(\underset{p_c^{\vee }}{\underbrace{p_1{p}_{c_1}+p_0{p}_{c_0}}}))}^n.$$

This has the same form as the probability in Lemma 1, but with the dark count probability defined as $1-q_{d_0}{q}_{d_1}$ and the click probability defined as $p_1{p}_{c_1}+p_0{p}_{c_0}$.    □

2.1.5. Laser-Fiber

In Quantum Key Distribution (QKD) systems, when using a weak coherent laser source with randomized phases, the number of photons emitted by the source follows a Poisson distribution [8]:

$$n\sim \mathrm{Poisson}\left(\lambda \right),$$

where $\lambda$ is the average photon number per pulse, determined by the intensity of the laser source. Since each of the n photons emitted from the laser has an independent probability $p_f$ of passing through the optical fiber, the number of photons m that successfully exit the fiber follows a binomial distribution with parameters n and $p_f$.

To determine the distribution of m given $\lambda$ and $p_f$, we need to account for the combined effect of the Poisson-distributed photon source and the binomial transmission process through the fiber. This relationship is formally described in Lemma 5 and visually illustrated in Figure 5, which shows that the effect of the fiber is to reduce the average number of photons by a factor of $p_f$.

Lemma 5.

If the number of photons n entering a fiber is Poisson-distributed with parameter λ, and each photon has an independent probability $p_f$ of being transmitted through the fiber, then the number of photons m exiting the fiber follows a Poisson distribution with parameter $\lambda p_f$:

$$\begin{array}{c}\hfill P(m\mid \lambda ,p_f)=\mathrm{Poisson}(m\mid \lambda p_f).\end{array}$$

(16)

Proof. 

To derive the distribution of m, we calculate the total probability of m photons exiting by summing over the probabilities of all possible photon counts n that could enter the fiber:

$$\begin{array}{cc}\hfill P(m\mid \lambda ,p_f)& ={\displaystyle \sum _{n=m}^{\infty }}P(m\mid n,p_f)P(n\mid \lambda )\hfill \\ & ={\displaystyle \sum _{n=m}^{\infty }}\mathrm{Binomial}(m\mid n,p_f)\mathrm{Poisson}(n\mid \lambda ),\hfill \end{array}$$

where the indexing is set to start at m, since $\mathrm{Binomial}(m\mid n,p_f)=0\forall m>n$. Expanding the expressions for the binomial and Poisson probabilities:

$$\begin{array}{cc}\hfill P(m\mid \lambda ,p_f)& ={\displaystyle \sum _{n=m}^{\infty }}\frac{n!}{m!(n-m)!}{p}_f^m{q}_f^{n-m}\frac{{\lambda }^n}{n!}{e}^{-\lambda }.\hfill \end{array}$$

Simplifying this expression:

$$\begin{array}{cc}\hfill P(m\mid \lambda ,p_f)& =\frac{p_f^m}{m!}{e}^{-\lambda }{\displaystyle \sum _{n=m}^{\infty }}\frac{{\lambda }^n{q}_f^{n-m}}{(n-m)!}.\hfill \end{array}$$

We define $k=n-m$ and re-index the sum:

$$\begin{array}{cc}\hfill P(m\mid \lambda ,p_f)& =\frac{p_f^m}{m!}{e}^{-\lambda }{\displaystyle \sum _{k=0}^{\infty }}\frac{{\lambda }^{k+m}{q}_f^k}{k!},\hfill \\ & =\frac{p_f^m}{m!}{e}^{-\lambda }{\lambda }^m{\displaystyle \sum _{k=0}^{\infty }}\frac{{\left(\lambda q_f\right)}^k}{k!},\hfill \end{array}$$

Recognizing the power series expansion for the exponential function [20]:

$${\displaystyle \sum _{k=0}^{\infty }}\frac{{\left(\lambda q_f\right)}^k}{k!}=e^{\lambda q_f},$$

the expression simplifies to:

$$P(m\mid \lambda ,p_f)=\frac{{\left(\lambda p_f\right)}^m}{m!}{e}^{-\lambda p_f}.$$

This final form is the Poisson distribution with parameter $\lambda p_f$.    □

2.1.6. Laser-Detector

Consider a scenario where a Poisson-distributed photon stream is directly connected to a detector with efficiency $p_c$ and a dark count probability $p_d$. The objective is to derive the probability of a click event at the detector, considering the stochastic nature of both the photon emission process and the detection. This involves marginalizing over all possible numbers of photons n emitted by the source, weighting each by the probability that n photons cause a detection event. This process is formally presented in Lemma 6 and illustrated in Figure 6.

Lemma 6.

If a Poisson-distributed number of photons with mean λ enters a detector with efficiency $p_c$ and dark count probability $p_d$, then the click event D is Bernoulli distributed as follows:

$$\begin{array}{c}\hfill D\sim \mathit{Bernoulli}\left(p=1-(1-p_d)e^{-p_c\lambda }\right).\end{array}$$

(17)

Proof. 

The probability that the detector registers at least one click, since the processes of incoming photons and dark counts are independent, can be expressed as:

$$P(D=1\mid \lambda ,p_c,p_d)=1-P(d=0\mid p_d)P(s=0\mid \lambda ,p_c).$$

From Lemma 5, we know that if the laser source emits photons following a Poisson distribution with mean $\lambda$, and the signal detection process has efficiency $p_c$, then the number of detected signal photons s is Poisson-distributed with mean $\lambda p_c$. Thus, the probability that no photon is detected is:

$$P(s=0\mid \lambda ,p_c)=\mathrm{Poisson}(s=0\mid \lambda p_c)=e^{-p_c\lambda }.$$

Combining these results, we have:

$$\begin{array}{cc}\hfill P(D=1\mid \lambda ,p_c,p_d)& =1-P(d=0\mid p_d)P(s=0\mid \lambda ,p_c)\hfill \\ & =1-(1-p_d)e^{-p_c\lambda },\hfill \end{array}$$

   □

2.2. PNS Attack

We now model Eve’s interception of the key, considering specific choices of the bit Alice sends (x) and the bases chosen by Alice (a) and Bob (b). The model integrates the effects of the laser source, fiber losses, Eve’s attack vector, misalignment in the optical components, and detector characteristics.

2.2.1. Eavesdropper Assumptions (The Generalized PNS Attack)

In our analysis, we consider a generalized Photon-Number-Splitting (PNS) attack, where Eve has a range of strategic choices that extend beyond the standard assumptions typically made in QKD security models. This model allows Eve to optimize her attack strategy according to a broader set of parameters, providing a more flexible and realistic scenario. Specifically, Eve can choose:

• ${\mathit{d}}_{\mathit{AE}}$ (Distance from Alice): Eve’s interception point is between Alice and Bob, with $0\le d_{AE}\le d_{AB}$, where $d_{AB}$ is their total distance.
• $\Delta$ (Proportion of intercepted pulses): Eve intercepts a fraction $\Delta$ of pulses, $0\le \Delta \le 1$, balancing information gain and detection risk.
• $\mathit{k}$ (Number of intercepted photons): Eve intercepts $k\ge 1$ photons per intercepted pulse.
• ${\mathit{p}}_{\mathit{EB}}$ (Channel efficiency): Eve selects a channel efficiency $0\le p_{EB}\le 1$ to transmit intercepted pulses, simulating legitimate loss to avoid detection.

While many traditional PNS attack models assume that Eve optimizes the channel efficiency $p_{EB}$ to maintain the appearance of normal channel loss, they often implicitly assume some or all of the following:

• Eve intercepts every pulse ($\Delta =1$).
• Eve intercepts immediately after Alice ($d_{AE}=0$).
• Eve intercepts exactly one photon per pulse ($k=1$).

By allowing Eve to vary these parameters beyond just optimizing $p_{EB}$, the generalized PNS attack model captures a broader range of potential eavesdropping strategies, which is crucial for accurately inferring $\Delta$, the proportion of intercepted pulses. Assuming a fixed scenario for $d_{AE}$, k, or $\Delta$ could lead to incorrect inferences about the extent of Eve’s presence. Furthermore, this generalized model enhances the inference on $\Delta$; for instance, if Eve intercepts $k>1$ photons per pulse while the model assumes $k=1$, the model might compensate by predicting a larger $\Delta$ than actually exists. By considering a wider variety of possible attack scenarios, the generalized model provides a more comprehensive understanding of the robustness of QKD protocols and improves the accuracy of security assessments.

2.2.2. PNS Model

To simplify our derivation, we start with a basic scenario where Alice, Eve, and Bob are directly connected, with Bob using a single detector. This simplified model provides a foundational basis that can be extended to more complex and realistic setups using previously derived lemmas. More specifically, a detection setup that includes both a fiber and a detector can be modeled as a single detector with an effective efficiency that accounts for the fiber loss factor (Lemma 2). For setups involving multiple detectors, the beam-splitter probabilities can be integrated into the detection efficiencies (Lemmas 3 and 4). Additionally, a laser source followed by a fiber can be modeled as a source with reduced intensity, scaled by the fiber’s transmission probability (Lemma 5). This modular approach allows us to seamlessly extend the simplified model to more sophisticated real-world configurations without sacrificing analytical rigor.

In this scenario, Alice sends n photons, sampled from a Poisson distribution with parameter $\lambda$, directly to Bob, while Eve intercepts the pulse by capturing up to k photons. If $n<k$, Eve captures all n photons, and Bob receives the remaining photons (see Figure 7). We present a closed-form expression for the probability of Bob’s detector clicking under these conditions in Theorem 1.

Theorem 1.

Consider a QKD setup where Alice’s photon source emits pulses with the number of photons following a Poisson distribution with mean λ. Eve intercepts up to k photons from each pulse. The remaining photons are sent to Bob, who uses a detector characterized by an efficiency $p_c$ and a dark count probability $p_d$. Under these conditions, the detection event D at Bob’s detector is distributed as follows:

$$\begin{array}{c}\hfill P(D\mid \lambda ,p_c,p_d,k)=\mathit{Bernoulli}\left(D\mid p=1-q_d{q}_c^{-k}{e}^{-p_c\lambda }\overline{\gamma }(k,q_c\lambda )-q_d\overline{\Gamma }(k,\lambda )\right),\end{array}$$

(18)

where $q_c=1-p_c$ and $q_d=1-p_d$. $\overline{\Gamma }(s,x)$ and $\overline{\gamma }(s,x)=1-\overline{\Gamma }(s,x)$ are the upper and lower regularized incomplete Gamma functions, respectively [20]. The regularized upper incomplete Gamma function is defined as [20]:

$$\overline{\Gamma }(s,x)=\frac{\Gamma (s,x)}{\Gamma (s,0)},\Gamma (s,x)={\int }_x^{\infty }{t}^{s-1}{e}^{-t}dt.$$

Proof. 

To derive the click probability $P(D=1\mid \lambda ,p_c,p_d,k)$, we consider all possible numbers of photons n that Alice could send, and we marginalize over these photon counts to account for the different scenarios of interception and detection. The total probability is computed as:

$$\begin{array}{cc}\hfill P(D=1\mid \lambda ,p_c,p_d,k)& ={\displaystyle \sum _{n=0}^{\infty }}P(D=1\mid p_c,p_d,n)P(n\mid \lambda ,k).\hfill \end{array}$$

In this expression, the first term represents the click probability given n photons and the detector’s characteristics. For $n<k$, Eve intercepts all photons, leaving none for Bob, so the click probability reduces to the dark count probability $p_d$. For $n\ge k$, Eve intercepts exactly k photons, and the click probability is determined by the remaining $n-k$ photons. Therefore, we can split the summation into two parts based on the value of n:

$$\begin{array}{cc}\hfill P(D=1\mid \lambda ,p_c,p_d,k)& ={\displaystyle \sum _{n=k}^{\infty }}P(D=1\mid p_c,p_d,n-k)P(n\mid \lambda )+p_d{\displaystyle \sum _{n=0}^{k-1}}P(n\mid \lambda ).\hfill \end{array}$$

Expanding this expression, we use the Bernoulli distribution for the click probability, from Lemma 1, and the Poisson distribution for the photon count:

$$\begin{array}{cc}\hfill P(D=1\mid \lambda ,p_c,p_d,k)& ={\displaystyle \sum _{n=k}^{\infty }}\left(1-q_d{q}_c^{n-k}\right)\frac{{\lambda }^n{e}^{-\lambda }}{n!}+p_d{\displaystyle \sum _{n=0}^{k-1}}\frac{{\lambda }^n{e}^{-\lambda }}{n!}.\hfill \end{array}$$

Recognizing that the second summation represents the Cumulative Distribution Function (CDF) of the Poisson distribution, and utilizing the following relationship [20]:

$${\displaystyle \sum _{n=0}^k}\mathrm{Poisson}(n\mid \lambda )=\mathrm{PoissonCDF}(k,\lambda )=\overline{\Gamma }(k+1,\lambda ),$$

we rewrite the expression as:

$$P(D=1\mid \lambda ,p_c,p_d,k)={\displaystyle \sum _{n=k}^{\infty }}\left(1-q_d{q}_c^{n-k}\right)\frac{{\lambda }^n{e}^{-\lambda }}{n!}+p_d\overline{\Gamma }(k,\lambda ).$$

To further simplify, we split the exponential series:

$$\begin{array}{cc}\hfill P(D=1\mid \lambda ,p_c,p_d,k)& ={\displaystyle \sum _{n=k}^{\infty }}\frac{{\lambda }^n{e}^{-\lambda }}{n!}-q_d{\displaystyle \sum _{n=k}^{\infty }}{q}_c^{n-k}\frac{{\lambda }^n{e}^{-\lambda }}{n!}+p_d\overline{\Gamma }(k,\lambda ),\hfill \\ \hfill =& 1-\overline{\Gamma }\left(k,\lambda \right)-q_d{q}_c^{-k}{e}^{-\lambda }{\displaystyle \sum _{n=k}^{\infty }}\frac{{\left(q_c\lambda \right)}^n}{n!}+p_d\overline{\Gamma }\left(k,\lambda \right)\hfill \\ \hfill =& 1-q_d{q}_c^{-k}{e}^{-\lambda }{e}^{q_c\lambda }{\displaystyle \sum _{n=k}^{\infty }}\frac{{\left(q_c\lambda \right)}^n}{n!}{e}^{-q_c\lambda }-\overline{\Gamma }\left(k,\lambda \right)+p_d\overline{\Gamma }\left(k,\lambda \right)\hfill \\ \hfill =& 1-q_d{q}_c^{-k}{e}^{-\lambda +q_c\lambda }\overline{\gamma }\left(k,q_c\lambda \right)-\left(1-p_d\right)\overline{\Gamma }\left(k,\lambda \right)\hfill \\ \hfill =& 1-q_d{q}_c^{-k}{e}^{-p_c\lambda }\overline{\gamma }\left(k,q_c\lambda \right)-q_d\overline{\Gamma }\left(k,\lambda \right).\hfill \end{array}$$

   □

Notably, by utilizing the relationship between the Poisson CDF and the incomplete Gamma function, we extend the domain of k to the non-negative real numbers. This extension is particularly useful when computing gradients later, as k can now be treated as a continuous parameter rather than as a discrete summation index, and the derivatives of the incomplete Gamma functions with respect to it can be derived.

Alice to Eve

According to Lemma 5, the combination of the laser source and the fiber from Alice to Eve can be modeled as a Poisson distribution with a reduced intensity parameter $\lambda p_{AE}$, where $p_{AE}={10}^{-\alpha d_{AE}/10}$, $d_{AE}$ being the distance between Alice and Eve, $\lambda$ representing the average photon number emitted by Alice, and $\alpha$ as the attenuation coefficient in dB/km.

Eve to Bob

If the measured error probability due to misalignment in the beam splitter is $p_e$, the corresponding angular misalignment can be computed as:

$$\begin{array}{c}\hfill {\hat{p}}_e=arcsin\left(\sqrt{p_e}\right).\end{array}$$

(19)

The probability that a photon reaches detector i for specific choices of bit x, and bases a and b, is given by:

$$\begin{array}{c}\hfill p(i\mid x,a,b,p_e)=cos{\left(\frac{\pi }{2}(i+x)-\frac{\pi }{4}(a-b)+{\hat{p}}_e\right)}^2.\end{array}$$

(20)

We can continue modeling the photon transmission through the system by applying Lemmas 2 and 3 to combine the effects of the fiber loss from Eve to Bob, the beam splitter, and the detector into a single detector model with an effective efficiency scaled by both the fiber loss and the beam-splitter path probability. We then state the following corollary derived from Theorem 1:

Corollary 1.

Let θ represent the set of system parameters:

$$\begin{array}{c}\hfill \theta =\{\underset{{\theta }_A}{\underbrace{\lambda ,\alpha ,d_{AB}}},\underset{{\theta }_B}{\underbrace{p_c,p_d,p_e}},\underset{{\theta }_E}{\underbrace{d_{AE},p_{EB},k,\Delta }}\}.\end{array}$$

(21)

The probability of detection at detector $D_i$ for specific choices of bases (a and b), a bit choice (x), intensity (λ), and whether Eve intercepted or not (e), is given by:

$$\begin{array}{c}\hfill P(D_i\mid \theta ,a,b,x,e,\lambda )=P(D\mid \hat{\lambda },p_{c_i},p_{d_i},\hat{k}),\end{array}$$

(22)

where $P(D\mid \hat{\lambda },{\hat{p}}_c,p_{d_i},\hat{k})$ is the probability of detection from Theorem 1, and the adjusted parameters $\hat{\lambda }$, ${\hat{p}}_c$, and $\hat{k}$ are defined as:

$$\begin{array}{cc}\hfill \hat{\lambda }& =\lambda p_{AB}^{(1-e)}{p}_{AE}^e,\hfill \end{array}$$

(23)

$$\begin{array}{cc}\hfill {\hat{p}}_c& =p(i\mid x,a,b,p_e)p_{c_i}{p}_{EB}^e,\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill \hat{k}& =ek,\hfill \end{array}$$

(25)

where $p_{AE}={10}^{-\alpha d_{AE}/10}$ and $p_{AB}={10}^{-\alpha d_{AB}/10}$ are the channel efficiencies from Alice to Bob and Alice to Eve, respectively.

2.2.3. All Possible Detection Events

We now have all the necessary components to derive the probabilities of the four joint detection events that Bob can observe, given the set of session parameters, $\theta$, and pulse parameters, namely a, b, x, and e. By deriving the marginal and union probabilities, as discussed in Section 2.1.4, we have:

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right)& =P(D_0\vee D_1=1\mid \theta ,a,b,x,e,\lambda ),\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{\ast 1}\left(\theta \right)& =P(D_0=1\mid \theta ,a,b,x,e,\lambda ),\hfill \end{array}$$

(27)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{1\ast }\left(\theta \right)& =P(D_1=1\mid \theta ,a,b,x,e,\lambda ),\hfill \end{array}$$

(28)

which can also be expressed as:

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{11}\left(\theta \right)+{\mathbf{P}}_{abxe\lambda }^{01}\left(\theta \right)+{\mathbf{P}}_{abxe\lambda }^{10}\left(\theta \right),\hfill \end{array}$$

(29)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{\ast 1}\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{01}\left(\theta \right)+{\mathbf{P}}_{abxe\lambda }^{11}\left(\theta \right),\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{1\ast }\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{10}\left(\theta \right)+{\mathbf{P}}_{abxe\lambda }^{11}\left(\theta \right),\hfill \end{array}$$

(31)

and the joint probabilities can be reconstructed as:

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{00}\left(\theta \right)& =1-{\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right),\hfill \end{array}$$

(32)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{01}\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right)-{\mathbf{P}}_{abxe\lambda }^{1\ast }\left(\theta \right),\hfill \end{array}$$

(33)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{10}\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right)-{\mathbf{P}}_{abxe\lambda }^{\ast 1}\left(\theta \right),\hfill \end{array}$$

(34)

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abxe\lambda }^{11}\left(\theta \right)& ={\mathbf{P}}_{abxe\lambda }^{\ast 1}\left(\theta \right)+{\mathbf{P}}_{abxe\lambda }^{1\ast }\left(\theta \right)-{\mathbf{P}}_{abxe\lambda }^{\vee }\left(\theta \right).\hfill \end{array}$$

(35)

From Lemma 4, we know that the union probability for a two-detector system can be modeled as a single detector with adjusted dark count and click probabilities:

$$\begin{array}{cc}\hfill p_d^{\vee }& =1-q_{d_0}{q}_{d_1},\hfill \end{array}$$

(36)

$$\begin{array}{cc}\hfill p_c^{\vee }& =p(1,x,a,b,p_e)p_{c_1}+p(0,x,a,b,p_e)p_{c_0}.\hfill \end{array}$$

(37)

We denote the set of four possible outcomes given the session and pulse parameters as:

$$\begin{array}{c}\hfill {\mathbf{P}}_{abxe\lambda }\left(\theta \right)=\left[{\mathbf{P}}_{abxe\lambda }^{00}\left(\theta \right){\mathbf{P}}_{abxe\lambda }^{01}\left(\theta \right){\mathbf{P}}_{abxe\lambda }^{10}\left(\theta \right){\mathbf{P}}_{abxe\lambda }^{11}\left(\theta \right)\right].\end{array}$$

(38)

2.2.4. Marginalization of Unknowns in the Sifting Phase

For the purpose of inferring the percentage of tagged photons $\Delta$, we rely only on the information available during the sifting phase, specifically, the basis choices a and b marginalize over the variables x and e:

$$\begin{array}{c}\hfill {\mathbf{P}}_{ab\lambda }\left(\theta \right)={\displaystyle \sum _{x\in \{0,1\}}}{\displaystyle \sum _{e\in \{0,1\}}}{\mathbf{P}}_{abxe\lambda }\left(\theta \right)P\left(e\right)P\left(x\right).\end{array}$$

(39)

Assuming that Alice sends the bits with equal probabilities using a quantum random number generator, then $P(x=0)=P(x=1)=\frac{1}{2}$. If Eve tags a pulse with probability $\Delta$, then $P(e=1)=\Delta$ and $P(e=0)=1-\Delta$. Note from Equation (20) that:

$$\begin{array}{c}\hfill p(i\mid x,b,a,p_e)=\left\{\begin{array}{cc}p(i\mid 1-x,a,b,p_e)\hfill & \mathrm{if}a\ne b,\hfill \\ p(i\mid x,a,b,p_e)\hfill & \mathrm{if}a=b.\hfill \end{array}\right.\end{array}$$

(40)

Thus, swapping the basis will either swap the terms of the sum in Equation (39) when $a\ne b$, or it will have no effect when $a=b$. Consequently, the probability only depends on whether the bases matched or not, or more formally:

$$\begin{array}{c}\hfill {\mathbf{P}}_{ab\lambda }\left(\theta \right)={\mathbf{P}}_{ba\lambda }\left(\theta \right).\end{array}$$

(41)

Therefore, for analytical purposes, we can assume Bob always measures in a fixed basis (e.g., $b=1$), while Alice switches her basis with 50% probability. The observed probabilities for $a=b$ and $a\ne b$ will be identical.

In conclusion, for a specific intensity $\lambda$, Bob can observe two distinct probabilities for a given detector i based on whether the bases matched or not:

$$\begin{array}{cc}\hfill {\mathbf{P}}_{m\lambda }\left(\theta \right)& ={\mathbf{P}}_{(a=m)(b=1)\lambda }\left(\theta \right),\hfill \end{array}$$

(42)

where m is a flag to encode whether or not Alice and Bob have matching basis. Finally, the set of probabilities for all possible outcomes is:

$$\begin{array}{c}\hfill {\mathbf{P}}_{\lambda }\left(\theta \right)=\left[{\mathbf{P}}_{(m=0)\lambda }\left(\theta \right)P(m=0){\mathbf{P}}_{(m=1)\lambda }\left(\theta \right)P(m=1)\right],\end{array}$$

(43)

If we assume Alice and Bob switch bases with equal probability, $P(m=0)=P(m=1)=\frac{1}{2}$, this simplifies to:

$$\begin{array}{c}\hfill {\mathbf{P}}_{\lambda }\left(\theta \right)=\left[{\mathbf{P}}_{(m=0)\lambda }\left(\theta \right){\mathbf{P}}_{(m=1)\lambda }\left(\theta \right)\right]/2.\end{array}$$

(44)

2.2.5. Multiple Intensities

Thus far, our probabilistic model has assumed a single intensity $\lambda$ for the session. However, as discussed in Section 2.2.1, Eve can manipulate the channel by choosing a different attenuation rate, allowing her to disguise her presence as normal channel loss. With a single intensity, Eve can select a channel efficiency that minimizes the statistical differences between the click distributions with and without her interference, potentially reducing the distinguishability between $P\left(\theta \right|e=0)$ and $P\left(\theta \right|e=1)$ (e.g., by minimizing the KL divergence between them).

To mitigate this, we must use multiple intensities, ensuring that Eve cannot conceal herself by tuning a single channel efficiency value. By varying the intensities, it becomes more challenging for Eve to simultaneously minimize the statistical differences across all intensity settings, thereby making her presence more detectable.

We adopt a straightforward strategy of selecting equally spaced intensities, using at least four to account for the four unknown parameters in Eve’s potential attack (i.e., $d_{AE}$, $p_{EB}$, k and $\Delta$). The range for the minimum and maximum intensity values is determined using the following heuristics:

• ${\lambda }_{min}$: The lowest intensity where, if Eve intercepts a single photon immediately after Alice, she must use a channel with efficiency $p_{EB}=1$ to avoid detection.
• ${\lambda }_{max}$: The highest intensity that maximizes the proportion of events where $D_0\oplus D_1$ occurs, as cases where both detectors either click or do not click provide no useful information and appear uniformly random from Bob’s perspective.

To reflect the use of multiple intensities, we update our notation as follows:

$$\begin{array}{c}\hfill \mathbf{P}\left(\theta \right)=\left[{\mathbf{P}}_{{\lambda }_1}\left(\theta \right){\mathbf{P}}_{{\lambda }_2}\left(\theta \right)\dots {\mathbf{P}}_{{\lambda }_{N_{\lambda }}}\left(\theta \right)\right]/N_{\lambda },\end{array}$$

(45)

where $N_{\lambda }$ is the number of intensities. In this study, we assume that each intensity is equally likely to be selected. Note that while other protocols discard non-matching bases, we still probabilistically modeled them to utilize their statistics when inferring Eve’s presence (though not for key generation), thus increasing the statistical power to detect eavesdropping.

2.3. After-Pulsing

In real-world QKD systems, photon detectors are affected by after-pulsing, a phenomenon where a click from a prior detection event increases the chance of another click in the next pulse, regardless of whether or not a new photon is actually detected [14]. This effect can introduce correlations between detection events, breaking the independence assumption that would otherwise imply each event is isolated from the others. After-pulsing can be reduced by increasing the detector’s dead time, which lowers the pulse frequency and consequently reduces the key rate. On the other hand, simply neglecting the impact of after-pulsing results in incorrect error rate assessments and inaccurate key rate calculations. Both approaches fail to fully address the complexities introduced by after-pulsing, potentially compromising the security analysis of a QKD system or the key generation rate.

To address this challenge, we employ a Hidden Markov Model (HMM) to rigorously capture the behavior of detectors affected by after-pulsing. This approach improves the accuracy of security analysis and key rate calculations. We treat after-pulsing as an intrinsic property of the detector—unaffected by Eve—analogous to the way we model the dark-count rate. The details of this HMM-based modeling are presented in the following subsections.

2.3.1. Single Detector, Single Probability

Consider a scenario where Alice repeatedly sends identical pulses to Bob, consistently choosing the same bit value x, basis a, and intensity $\lambda$. Bob, on the other hand, measures these pulses in a fixed basis b, with no interference from Eve. The signal will cause the detector to click with probability $p_1$, and, consequently, does not click with probability $p_0=1-p_1$. The detector can then be in one of three internal states, depending on its recent detection history; see Figure 8:

• State $S_0$: No click occurs, at which it remains in this state with probability $p_0$, or transition to the $S_1$ state with probability $p_1$.
• State $S_1$: A click due to either a signal or a dark count. It will then transition to the after-pulse state $S_{\hat{1}}$ with probability q, or with probability $p_0(1-q)$ transition to state $S_0$ or remain in state $S_1$ with probability $p_1(1-q)$.
• State $S_{\hat{1}}$: A click due to an after-pulse effect. This state occurs following a click in the previous detection window (state $S_1$). Then, it transitions to the $S_0$ state with probability $p_0$ or state $S_1$ with probability $p_1$, but it cannot remain in this state.

Hidden Markov Models (HMMs) are characterized by three sets of probabilities:

• Transition matrix ($\mathbf{T}$): Probabilities of transitioning from one hidden state to another (gray arrows in Figure 8).
• Emission matrix ($\mathbf{E}$): Probabilities of observing specific outputs given the current hidden state (black arrows in Figure 8).
• Initial state probabilities ($\mathsf{\pi }$): Represents the probabilities of starting in each hidden state at the beginning of the process (usually assumed uniform or alwayas starts at a specific state).

For the HMM presented in Figure 8, the transition and emission matrix are defined as follows:

$$\mathbf{T}(p,q)=\begin{array}{cccc}& S_0\hfill & S_1\hfill & S_{\widehat{1}}\hfill \\ \begin{array}{c}{S}_0\hfill \\ S_1\hfill \\ S_{\widehat{1}}\hfill \end{array}& \left[\begin{array}{ccc}{p}_0\hfill & p_1\hfill & 0\hfill \\ p_0(1-q)\hfill & p_1(1-q)\hfill & q\hfill \\ p_0\hfill & p_1\hfill & 0\hfill \end{array}\right]\end{array},\mathbf{E}=\begin{array}{ccc}& 0& 1\\ \begin{array}{c}{S}_0\hfill \\ S_1\hfill \\ S_{\widehat{1}}\hfill \end{array}& \left[\begin{array}{cc}1& 0\\ 0& 1\\ 0& 1\end{array}\right]\end{array},$$

(46)

where $p=\left[p_0{p}_1\right]$. The emission matrix $\mathbf{E}$, which represents the probabilities of observing each possible outcome (0 or 1) given the detector’s state, the black arrows in Figure 8, is structured as follows:

We assume a first-order Markov chain (i.e., the next state depends only on the current state) and disallow consecutive after-pulse states. This reflects typical detector behavior; however, the model is flexible: transition probabilities can be adjusted for different after-pulsing dynamics, and higher-order Markov chains can be implemented by expanding the state space [21].

2.3.2. Two Detectors, Single Probability

For a two-detector setup, the click probabilities for each detector combination—namely (00), (01), (10), and (11)—have already been derived in Equation (38) for specific pulse parameters a, b, x, e, and $\lambda$. We denote these probabilities as $p_{00}$, $p_{01}$, $p_{10}$, and $p_{11}$, respectively. Let $q_0$ and $q_1$ represent the after-pulse probabilities for detectors $D_0$ and $D_1$, respectively. We also define the following marginal probabilities:

$$\begin{array}{cc}\hfill p_{\ast 0}& =p_{00}+p_{10},\hfill \end{array}$$

(47)

$$\begin{array}{cc}\hfill p_{\ast 1}& =p_{01}+p_{11},\hfill \end{array}$$

(48)

$$\begin{array}{cc}\hfill p_{0\ast }& =p_{00}+p_{01},\hfill \end{array}$$

(49)

$$\begin{array}{cc}\hfill p_{1\ast }& =p_{10}+p_{11}.\hfill \end{array}$$

(50)

For the after-pulse probabilities, we would need to derive the opposite; we already have access to the marginals, $q_0$ and $q_1$, and we would like to derive the joint distributions. Since the after-pulse triggers are considered independent:

$$\begin{array}{cc}\hfill q_{00}& =(1-q_0)(1-q_1),\hfill \end{array}$$

(51)

$$\begin{array}{cc}\hfill q_{01}& =1-q_{00}-q_1,\hfill \end{array}$$

(52)

$$\begin{array}{cc}\hfill q_{10}& =1-q_{00}-q_0,\hfill \end{array}$$

(53)

$$\begin{array}{cc}\hfill q_{11}& =q_0{q}_1.\hfill \end{array}$$

(54)

In this two-detector scenario, the state and observation spaces expand accordingly. The set of possible states S and observations O are given by:

$$\begin{array}{cc}\hfill S& =\left\{S_{00},S_{01},S_{10},S_{11},S_{0\widehat{1}},S_{\widehat{1}0},S_{1\widehat{1}},S_{\widehat{1}1},S_{\widehat{1}\widehat{1}}\right\},\hfill \end{array}$$

(55)

$$\begin{array}{cc}\hfill O& =\left\{00,01,10,11\right\},\hfill \end{array}$$

(56)

where, for example, $S_{0\widehat{1}}$ denotes the state where detector $D_1$ did not click and detector $D_0$ clicked due to an after-pulse.

The emission matrix $\mathbf{E}$ is constructed to reflect the probabilities of each possible observation given the detector states:

$$\mathbf{E}=\begin{array}{cc}& 00 01 10 11\\ \begin{array}{c}{S}_{00}\hfill \\ S_{01}\hfill \\ S_{10}\hfill \\ S_{11}\hfill \\ S_{0\widehat{1}}\hfill \\ S_{\widehat{1}0}\hfill \\ S_{1\widehat{1}}\hfill \\ S_{\widehat{1}1}\hfill \\ S_{\widehat{1}\widehat{1}}\hfill \end{array}& \left[\begin{array}{cccc}1& 0& 0& 0\\ 0& 1& 0& 0\\ 0& 0& 1& 0\\ 0& 0& 0& 1\\ 0& 1& 0& 0\\ 0& 0& 1& 0\\ 0& 0& 0& 1\\ 0& 0& 0& 1\\ 0& 0& 0& 1\end{array}\right]\end{array}.$$

(57)

Constructing the transition matrix $\mathbf{T}$ is more complex due to the extended state space. The matrix $\mathbf{T}$ captures the transition probabilities between each state, accounting for both the regular transitions and those influenced by after-pulsing effects:

$$\mathbf{T}(p,q)=\left[\begin{array}{cccc}\hfill \left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left(1-q_0\right)·\left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left(1-q_1\right)·\left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill q_{00}·\left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left(1-q_1\right)·\left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left(1-q_0\right)·\left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\\ \hfill \left[p_{00}\right.& \hfill p_{01}& \hfill p_{10}& \hfill \left.p_{11}\right]\end{array}\begin{array}{ccccc}[0\hfill & 0\hfill & 0\hfill & 0\hfill & 0]\hfill \\ \left[p_{0\ast }\right.\hfill & 0\hfill & p_{1\ast }\hfill & 0\hfill & 0]\hfill & ·q_0\\ [0\hfill & p_{\ast 0}\hfill & 0\hfill & p_{\ast 1}\hfill & 0]\hfill & ·q_1\\ \left[p_{0\ast }{q}_{01}\right.\hfill & p_{\ast 0}{q}_{10}\hfill & p_{1\ast }{q}_{01}\hfill & p_{\ast 1}{q}_{10}\hfill & \left.q_{11}\right]\hfill \\ [0\hfill & 0\hfill & 0\hfill & 0\hfill & 0]\hfill \\ [0\hfill & 0\hfill & 0\hfill & 0\hfill & 0]\hfill \\ [0\hfill & p_{\ast 0}\hfill & 0\hfill & p_{\ast 1}\hfill & 0]\hfill & ·q_1\\ \left[p_{0\ast }\right.\hfill & 0\hfill & p_{1\ast }\hfill & 0\hfill & 0]\hfill & ·q_0\\ [0\hfill & 0\hfill & 0\hfill & 0\hfill & 0]\hfill \end{array}\right]$$

(58)

where $p=\left[p_{00}{p}_{01}{p}_{01}{p}_{01}\right]$ and $q=\left[q_0{q}_1\right]$. The order of states in both the rows and columns of the transition matrix $\mathbf{T}$ is consistent with the order of the states in the rows of the emission matrix $\mathbf{E}$.

The matrix is organized into sub-blocks to highlight different transitions. The left sub-block represents the transitions without after-pulsing, while the right sub-blocks account for transitions influenced by after-pulsing. For instance, when the system is in state $S_{01}$, second row, there is a $q_0$ probability of transitioning to an after-pulse state, either $S_{0\widehat{1}}$ with probability $p_{0\ast }$ or $S_{1\widehat{1}}$ with probability $p_{1\ast }$. If no after-pulse occurs, the system transitions among states $S_{00}$, $S_{01}$, $S_{10}$, and $S_{11}$ with their respective probabilities $p_{00}$, $p_{01}$, $p_{10}$, and $p_{11}$ but scaled by ($1-q_0$). An illustration for specific sets of p and q is provided in Figure 9.

2.3.3. Two Detectors, Multiple Probabilities

In the previous subsection, we considered the scenario where Bob receives a repeated pulse with fixed parameters (a, b, x, e, and $\lambda$). Under this condition, the behavior of the system could be modeled using a Hidden Markov Model (HMM) with a single transition matrix that corresponds to these fixed parameters.

Now, we consider a more complex scenario where Alice alternates her bit choice x between 0 and 1. Although in QKD protocols this bit switching is typically assumed to be independent and occur with equal probability, we will formulate a more general case. We define the transition probabilities between bit states as follows:

$$\begin{array}{cc}\hfill P(0\mid 0)& =P(x_t=0\mid x_{t-1}=0),\hfill \end{array}$$

(59)

$$\begin{array}{cc}\hfill P(0\mid 1)& =P(x_t=0\mid x_{t-1}=1),\hfill \end{array}$$

(60)

$$\begin{array}{cc}\hfill P(1\mid 0)& =P(x_t=1\mid x_{t-1}=0),\hfill \end{array}$$

(61)

$$\begin{array}{cc}\hfill P(1\mid 1)& =P(x_t=1\mid x_{t-1}=1).\hfill \end{array}$$

(62)

Let ${\mathbf{T}}_0$ and ${\mathbf{T}}_1$ represent the detector dynamics for cases where Alice’s bit x was consistently 0 or 1, respectively. Given this setup, our goal is to construct an HMM that captures the combined dynamics of the system as Alice’s bit choice switches over time. The key is to describe both the intra-mode transitions (transitions within the same bit choice) and inter-mode transitions (transitions between different bit choices), effectively combining the two HMMs (${\mathbf{T}}_0$ and ${\mathbf{T}}_1$) that represent the system’s behavior for $x=0$ and $x=1$ (see Figure 10).

To demonstrate this, consider a generic state $S_{ij}$ representing the detectors’ internal states in a particular mode, either $x=0$ or $x=1$. The mode here indicates which of the two separate HMMs (either ${\mathbf{T}}_0$ or ${\mathbf{T}}_1$) currently governs the transitions.

If the system is in state $S_{ij}$ and mode $x=0$, there are two possible types of transitions:

• Intra-Mode Transition: With probability $P(0\mid 0)$, the bit choice remains $x=0$. The system transitions according to the probabilities defined by the current state’s corresponding entry in ${\mathbf{T}}_0$. For example, the probability of transitioning from $S_{ij}$ in mode 0 to $S_{kl}$ in mode 0 is given by $P(0\mid 0)\times {\mathbf{T}}_0(S_{ij}\to S_{kl})$.
• Inter-Mode Transition: With probability $P(1\mid 0)$, the bit choice switches to $x=1$. The system then transitions according to the probabilities defined by the corresponding entry in ${\mathbf{T}}_1$. For example, the probability of transitioning from $S_{ij}$ in mode 0 to $S_{kl}$ in mode 1 is $P(1\mid 0)\times {\mathbf{T}}_1(S_{ij}\to S_{kl})$.

The analysis is equivalent if the system is in mode $x=1$; however, the intra-mode transitions will involve $P(1\mid 1)$ and the inter-mode transitions will involve $P(0\mid 1)$, transitioning according to either ${\mathbf{T}}_1$ or ${\mathbf{T}}_0$, respectively.

Using this framework, the combined transition matrix $\mathbf{T}$ can be constructed to account for both the detector state transitions and the changes in Alice’s bit choice. This leads to the following block matrix structure:

$$\begin{array}{c}\hfill \mathbf{T}=\left[\begin{array}{cc}P(0\mid 0){\mathbf{T}}_0& P(1\mid 0){\mathbf{T}}_1\\ P(0\mid 1){\mathbf{T}}_0& P(1\mid 1){\mathbf{T}}_1\end{array}\right].\end{array}$$

(63)

The combined transition matrix $\mathbf{T}$ captures all possible transitions from any state $S_{ij}$ in any mode to any state $S_{kl}$ in any mode, encompassing the full dynamic process of the system as it evolves both within and between modes.

2.3.4. Constructing the Full Transition Matrix

This section constructs the full HMM by incorporating transitions for all pulse parameters, such as basis choices (a and b), bit choices (x), the eavesdropping flag (e), and intensity settings ($\lambda$), to fully describe the detection dynamics in a Quantum Key Distribution (QKD) system. The transition matrix is built incrementally, starting with individual components and progressively incorporating all relevant variables.

Intensity-Based Transitions

We begin by constructing the transition matrix for a specific set of pulse parameters. This matrix captures the transition dynamics when Alice and Bob’s bases ($a,b$), Alice’s bit choice (x), the presence or absence of eavesdropping (e), and the photon intensity (${\lambda }_i$) are all fixed:

$$\begin{array}{c}\hfill {\mathbf{T}}_{abxe\lambda }\left(\theta \right)=\mathbf{T}({\mathbf{P}}_{abxe\lambda }\left(\theta \right),p_a).\end{array}$$

(64)

Here, ${\mathbf{P}}_{abxe\lambda }\left(\theta \right)$ represents the click probabilities given the session and pulse parameters, as defined in Equation (38). The vector $p_a=\left[p_{a_0}{p}_{a_1}\right]$ denotes the after-pulse probabilities for detectors $D_0$ and $D_1$, respectively. The parameter set $\theta =\left\{{\theta }_A,{\theta }_B,{\theta }_E\right\}$ includes Alice’s, Bob’s, and Eve’s parameters, where Bob’s parameters are updated to include the after-pulse probabilities:

$$\begin{array}{c}\hfill {\theta }_B=\left\{p_a,p_c,p_d,p_e\right\}.\end{array}$$

(65)

Next, we construct the transition matrix across all possible intensity settings ${\lambda }_i$, using the same approach outlined in Section 2.3.3, by combining the individual matrices ${\mathbf{T}}_{abxe{\lambda }_i}\left(\theta \right)$ for each ${\lambda }_i$. If Alice transitions between the different intensities uniformly and independently, the transition matrix simplifies to the following:

$$\begin{array}{c}\hfill {\mathbf{T}}_{abxe}\left(\theta \right)=\left[\begin{array}{ccc}{\mathbf{T}}_{abxe{\lambda }_1}\left(\theta \right)& \dots & {\mathbf{T}}_{abxe{\lambda }_{N_{\lambda }}}\left(\theta \right)\\ ⋮& \ddots & ⋮\\ {\mathbf{T}}_{abxe{\lambda }_1}\left(\theta \right)& \dots & {\mathbf{T}}_{abxe{\lambda }_{N_{\lambda }}}\left(\theta \right)\end{array}\right]\times \frac{1}{N_{\lambda }}.\end{array}$$

(66)

Eavesdropping Transitions

To incorporate the possibility of eavesdropping, we expand the matrix ${\mathbf{T}}_{abxe}\left(\theta \right)$ to account for scenarios where Eve transitions between intercepting ($e=1$) and not intercepting ($e=0$), with probabilities $\Delta$ and $1-\Delta$, respectively:

$$\begin{array}{c}\hfill {\mathbf{T}}_{abx}\left(\theta \right)=\left[\begin{array}{cc}(1-\Delta ){\mathbf{T}}_{abx(e=0)}\left(\theta \right)& \Delta {\mathbf{T}}_{abx(e=1)}\left(\theta \right)\\ (1-\Delta ){\mathbf{T}}_{abx(e=0)}\left(\theta \right)& \Delta {\mathbf{T}}_{abx(e=1)}\left(\theta \right)\end{array}\right].\end{array}$$

(67)

Bit Choice Transitions

To model transitions associated with Alice’s bit choices, we assume she switches between $x=0$ and $x=1$ with equal probability (50%). The corresponding transition matrix that captures this behavior is given by:

$$\begin{array}{c}\hfill {\mathbf{T}}_{ab}\left(\theta \right)=\left[\begin{array}{cc}{\mathbf{T}}_{ab(x=0)}\left(\theta \right)& {\mathbf{T}}_{ab(x=1)}\left(\theta \right)\\ {\mathbf{T}}_{ab(x=0)}\left(\theta \right)& {\mathbf{T}}_{ab(x=1)}\left(\theta \right)\end{array}\right]\times \frac{1}{2}.\end{array}$$

(68)

Basis Choice Transitions

Similarly, we can construct the transition matrix to account for the basis choices made by Alice (a) and Bob (b), assuming that both choose their bases independently and uniformly, with equal probability for each choice. First by incorporating Bob’s basis transition:

$$\begin{array}{c}\hfill {\mathbf{T}}_a\left(\theta \right)=\left[\begin{array}{cc}{\mathbf{T}}_{a(b=0)}\left(\theta \right)& {\mathbf{T}}_{a(b=1)}\left(\theta \right)\\ {\mathbf{T}}_{a(b=0)}\left(\theta \right)& {\mathbf{T}}_{a(b=1)}\left(\theta \right)\end{array}\right]\times \frac{1}{2},\end{array}$$

(69)

then incorporating Alice’s basis transition:

$$\begin{array}{c}\hfill \mathbf{T}\left(\theta \right)=\left[\begin{array}{cc}{\mathbf{T}}_{(a=0)}\left(\theta \right)& {\mathbf{T}}_{(a=1)}\left(\theta \right)\\ {\mathbf{T}}_{(a=0)}\left(\theta \right)& {\mathbf{T}}_{(a=1)}\left(\theta \right)\end{array}\right]\times \frac{1}{2}.\end{array}$$

(70)

This final matrix $\mathbf{T}\left(\theta \right)$ encapsulates the complete set of transition probabilities, integrating all pulse parameters—basis choices, bit choices, eavesdropping scenarios, and intensity settings—to model the full dynamics of the QKD system.

2.3.5. Extracting the Probabilities of Click Events

The probabilities of different click events in an HMM, denoted as $\widehat{\mathbf{P}}\left(\theta \right)$, are derived by first computing the state probabilities from the transition matrix $\mathbf{T}\left(\theta \right)$ and then mapping these state probabilities to observations using the emission matrix $\mathbf{E}$. The stationary distribution, $\mathbf{v}\left(\theta \right)$, represents the long-term probabilities of visiting each state and satisfies the following equation:

$$\begin{array}{c}\hfill {\mathbf{T}}^{\top }\left(\theta \right)\mathbf{v}\left(\theta \right)=\mathbf{v}\left(\theta \right).\end{array}$$

(71)

This is equivalent to finding the eigenvector corresponding to the eigenvalue of 1. Since the transition matrix $\mathbf{T}\left(\theta \right)$ is aperiodic (states are not revisited at fixed intervals) and irreducible (every state is reachable from any other), the Perron–Frobenius theorem [22,23] shows that this eigenvector exists, is the maximum eigenvector, and is unique. This property guarantees that the system converges to an equilibrium representing its long-term behavior after sufficient transitions, regardless of the initial state [24]. Furthermore, since we are only interested in the eigenvector corresponding to the maximum eigenvalue, we can leverage more efficient decomposition algorithms, such as the Power Method or Krylov subspace methods [25,26].

By normalizing $\mathbf{v}\left(\theta \right)$, we obtain a valid probability distribution over the hidden states:

$$\begin{array}{c}\hfill \overline{\mathbf{v}}\left(\theta \right)=\frac{\mathbf{v}\left(\theta \right)}{{\sum }_i{v}_i\left(\theta \right)}.\end{array}$$

(72)

The vector $\overline{\mathbf{v}}\left(\theta \right)$ has a length of $144\times N_{\lambda }$, corresponding to the number of states ($\left|S\right|=9$) times the possible choices of a, b, x, and e ($=16$) times the number of intensities ($|\Lambda |=N_{\lambda }$). To correctly project the vector $\overline{\mathbf{v}}\left(\theta \right)$ of state probabilities into observable probabilities using the emission matrix $\mathbf{E}$, which is of size $\left|S\right|\times \left|O\right|$, the vector is first “folded” into a matrix $\mathbf{V}\left(\theta \right)$ of size $\left|S\right|\times (16\times N_{\lambda })$. This folding operation is defined by the mapping function:

$$\mathcal{F}(\mathbf{v},m)=\mathbf{V},\mathrm{such}\mathrm{that},$$

$$\begin{array}{c}\hfill \mathcal{F}\left(\mathbf{v}=[v_1,v_2,\dots ,v_n],m\right)\to \mathbf{V}=\left[\begin{array}{cccc}{v}_1& v_{m+1}& \dots & v_{(\frac{n}{m}-1)\times m+1}\\ v_2& v_{m+2}& \dots & v_{(\frac{n}{m}-1)\times m+2}\\ ⋮& ⋮& \ddots & ⋮\\ v_m& v_{2m}& \dots & v_n\end{array}\right],\end{array}$$

(73)

where each column corresponds to a specific pulse configuration, and each row corresponds to one of the HMM states. We then compute the observable probabilities by projecting this folded matrix onto the emission matrix $\mathbf{E}$:

$$\begin{array}{c}\hfill \widehat{\mathbf{P}}\left(\theta \right)={\mathbf{E}}^{\top }\overline{\mathbf{V}}\left(\theta \right),\end{array}$$

(74)

where $\overline{\mathbf{V}}\left(\theta \right)=\mathcal{F}\left(\overline{\mathbf{v}}\left(\theta \right),\left|S\right|\right)$ and $\widehat{\mathbf{P}}\left(\theta \right)$ represents the adjusted probabilities of the observable detection events.

At this point, we have obtained the probabilities of the four possible detection outcomes given any configuration of $(a,b,x,e,\lambda )$. However, Bob only observes a, b, and $\lambda$. Therefore, we can marginalize over the variables x and e by summing over the corresponding columns in $\widehat{\mathbf{P}}\left(\theta \right)$.

We can apply this to x, e and utilize the symmetry in Equation (41) to only focus on whether the basis matched or did not match. This allows us to obtain $\mathbf{P}\left(\theta \right)$, which contains $8N_{\lambda }$ outcomes (corresponding to 4 detection events, 2 cases of matching or non-matching bases, and $N_{\lambda }$ intensity levels).

While this approach provides a complete probabilistic view for analytical purposes, it may not be the most computationally efficient due to the large size of the transition matrix $\mathbf{T}\left(\theta \right)$ and the eigenvalue decomposition required. If we are only interested in ${\mathbf{P}}_{m\lambda }\left(\theta \right)$ instead of ${\mathbf{P}}_{abxe\lambda }\left(\theta \right)$, we can construct a smaller transition matrix directly based on the matching or non-matching cases. This results in a much smaller matrix of size $18N_{\lambda }$, significantly reducing computational complexity.

2.4. Error and Gain Probabilities

To accurately compute the secure-key rate in the QKD protocol, particularly following the Gottesman–Lo–Lütkenhaus–Preskill (GLLP) formula, it is essential to derive the probabilities associated with the gain (probability of a detection events) and erroneous click events (probability of a click at the incorrect detector). Our previous results, encapsulated in the probability vector ${\mathbf{P}}_{abxe\lambda }\left(\theta \right)$, allow us to compute the detection probabilities under various configurations of basis settings, bit choices, intensities, and interception scenarios. By leveraging these configurations, we can rigorously determine the gain and error probabilities required for the secure-key rate calculation, which will be described in the following subsections.

2.4.1. Marginalizing over Eve’s Interception Flag

For each combination of basis settings (a and b), bit choice (x), and intensity ($\lambda$), we first marginalize over the possible states of Eve’s interception flag (e), where $e=1$ represents interception and $e=0$ represents no interception. This marginalization enables us to calculate the effective probabilities ${\mathbf{P}}_{abx\lambda }\left(\theta \right)$ under the influence of Eve’s interception rate $\Delta$:

$$\begin{array}{cc}\hfill {\mathbf{P}}_{abx\lambda }\left(\theta \right)& ={\displaystyle \sum _{e\in \left\{0,1\right\}}}{\mathbf{P}}_{abex\lambda }\left(\theta \right)P\left(e\right),\hfill \\ \hfill & ={\mathbf{P}}_{abx(e=0)\lambda }\left(\theta \right)(1-\Delta )+{\mathbf{P}}_{abx(e=1)\lambda }\left(\theta \right)\Delta .\hfill \end{array}$$

(75)

The resulting vector ${\mathbf{P}}_{abx\lambda }\left(\theta \right)$ comprises four elements corresponding to each detection outcome:

$${\mathbf{P}}_{abx\lambda }\left(\theta \right)=\left[{\mathbf{P}}_{abx\lambda }^{00}\left(\theta \right){\mathbf{P}}_{abx\lambda }^{01}\left(\theta \right){\mathbf{P}}_{abx\lambda }^{10}\left(\theta \right){\mathbf{P}}_{abx\lambda }^{11}\left(\theta \right)\right],$$

(76)

where each element represents the probability of a particular click configuration (e.g., ${\mathbf{P}}_{abx\lambda }^{01}\left(\theta \right)$ represents a click at detector $D_0$ only for a specific bit choice (x), bases configuration (a, n), and intensity $\lambda$).

2.4.2. Gain and Error Probabilities

The gain probability $Q_{abx\lambda }\left(\theta \right)$ for a given bit choice x is obtained by summing the probabilities of the events where only one detector clicks (i.e., single-click events):

$$Q_{abx\lambda }\left(\theta \right)={\mathbf{P}}_{abx\lambda }^{01}\left(\theta \right)+{\mathbf{P}}_{abx\lambda }^{10}\left(\theta \right).$$

(77)

The probability of an erroneous click event, $E{Q}_{abx\lambda }\left(\theta \right)$, where the detector registers an error, depends on the bit choice x. Specifically:

$$\begin{array}{cc}\hfill E{Q}_{ab(x=0)\lambda }\left(\theta \right)& ={\mathbf{P}}_{ab(x=0)\lambda }^{10}\left(\theta \right),\mathrm{for}x=0,\hfill \end{array}$$

(78)

$$\begin{array}{cc}\hfill E{Q}_{ab(x=1)\lambda }\left(\theta \right)& ={\mathbf{P}}_{ab(x=1)\lambda }^{01}\left(\theta \right),\mathrm{for}x=1.\hfill \end{array}$$

(79)

2.4.3. Marginalizing over Bit Choice

To obtain the total click and error probabilities for a given basis configuration and intensity, we marginalize over the bit choice x, assuming Alice’s bit choices are uniformly distributed. This leads to the overall gain $Q_{ab\lambda }\left(\theta \right)$ and error probabilities $E{Q}_{ab\lambda }\left(\theta \right)$ given by:

$$\begin{array}{cc}\hfill Q_{ab\lambda }\left(\theta \right)& =\frac{1}{2}\left(Q_{ab(x=0)\lambda }\left(\theta \right)+Q_{ab(x=1)\lambda }\left(\theta \right)\right),\hfill \end{array}$$

(80)

$$\begin{array}{cc}\hfill E{Q}_{ab\lambda }\left(\theta \right)& =\frac{1}{2}\left(E{Q}_{ab(x=0)\lambda }\left(\theta \right)+E{Q}_{ab(x=1)\lambda }\left(\theta \right)\right).\hfill \end{array}$$

(81)

These expressions represent the probabilities of a signal and an erroneous click under the conditions specified by $\theta$. To further simplify notation, we consider the two distinct cases of basis alignment, where $a=b$ and $a\ne b$. Referring to the symmetry from Equation (41), where ${\mathbf{P}}_{ab\lambda }\left(\theta \right)={\mathbf{P}}_{ba\lambda }\left(\theta \right)$, we redefine the gain and error probabilities in terms of alignment cases:

$$\begin{array}{cc}\hfill Q_{m\lambda }\left(\theta \right)& =Q_{(a=m)(b=1)\lambda }\left(\theta \right),\hfill \end{array}$$

(82)

$$\begin{array}{cc}\hfill E{Q}_{m\lambda }\left(\theta \right)& =E{Q}_{(a=m)(b=1)\lambda }\left(\theta \right),\hfill \end{array}$$

(83)

where $m=1$ denotes matching bases ($a=b$) and $m=0$ denotes non-matching bases ($a\ne b$).

2.4.4. Distribution of Gain and Error Counts

The number of gain clicks, $G_{m\lambda }$, and error clicks, $R_{m\lambda }$, for a specific bases alignment m and intensity $\lambda$ are distributed as follows (assuming i.i.d.):

$$\begin{array}{cc}\hfill G_{m\lambda }& \sim \mathrm{Binomial}\left(N_{m\lambda },Q_{m\lambda }\left(\theta \right)\right),\hfill \end{array}$$

(84)

$$\begin{array}{cc}\hfill R_{m\lambda }& \sim \mathrm{Binomial}\left(N_{m\lambda },E{Q}_{m\lambda }\left(\theta \right)\right),\hfill \end{array}$$

(85)

where $N_{m\lambda }$ is the total number of pulses with basis alignment m and intensity $\lambda$. Here, $G_{m\lambda }$ and $R_{m\lambda }$ are not independent, as the number of error clicks is a subset of the number of gain clicks.

The number of error clicks $R_{m\lambda }$ can be viewed as resulting from sequential binomial sampling. First, the gain clicks $G_{m\lambda }$ are selected from $N_{m\lambda }$ with probability $Q_{m\lambda }\left(\theta \right)$, then $R_{m\lambda }$ is selected from $G_{m\lambda }$ with probability ${\delta }_{m\lambda }\left(\theta \right)$ (the conditional probability of an error given a signal). More formally,

$$R_{m\lambda }\sim \mathrm{Binomial}\left(G_{m\lambda },{\delta }_{m\lambda }\left(\theta \right)\right).$$

(86)

To derive the conditional error probability ${\delta }_{m\lambda }\left(\theta \right)$, we apply Lemma 3, which can be rephrased in terms of two sequential binomial sampling processes. If we first sample $s\sim \mathrm{Binomial}(N,p)$, and then sample $r\sim \mathrm{Binomial}(s,q)$, then $r\sim \mathrm{Binomial}(N,p·q)$

This lemma shows that the effective success probability for sequential binomial sampling is the product of the individual probabilities in each stage. Applying this to $R_{m\lambda }$, we have:

$$R_{m\lambda }\sim \mathrm{Binomial}\left(N_{m\lambda },Q_{m\lambda }\left(\theta \right){\delta }_{m\lambda }\left(\theta \right)\right).$$

(87)

Comparing this with Equation (85), we see that:

$$\begin{array}{cc}\hfill Q_{m\lambda }\left(\theta \right){\delta }_{m\lambda }\left(\theta \right)& =E{Q}_{m\lambda }\left(\theta \right),\hfill \end{array}$$

(88)

$$\begin{array}{cc}\hfill {\delta }_{m\lambda }\left(\theta \right)& =\frac{E{Q}_{m\lambda }\left(\theta \right)}{Q_{m\lambda }\left(\theta \right)}.\hfill \end{array}$$

(89)

We can apply the same principle of sequential binomial sampling to express $G_{m\lambda }$ and $R_{m\lambda }$ distributions in terms of N, the number of session pulses, directly. Since $N_{m\lambda }$ results from first selecting $N_m$ with probability $P\left(m\right)=1/2$ (the probability of bases alignment), then selecting $N_{m\lambda }$ with probability $P\left(\lambda \right)=1/N_{\lambda }$ (assuming uniform intensity selection), we can also express them as:

$$\begin{array}{cc}\hfill G_{m\lambda }& \sim \mathrm{Binomial}\left(N,P\left(m\right)P\left(\lambda \right)Q_{m\lambda }\left(\theta \right)\right),\hfill \end{array}$$

(90)

$$\begin{array}{cc}\hfill R_{m\lambda }& \sim \mathrm{Binomial}\left(N,P\left(m\right)P\left(\lambda \right)E{Q}_{m\lambda }\left(\theta \right)\right).\hfill \end{array}$$

(91)

While ${\delta }_{m\lambda }\left(\theta \right)$ and $Q_{m\lambda }\left(\theta \right)$ are sufficient for secure-key rate calculations, we also derive $\mathbb{E}\left[{\delta }_{m\lambda }\left(\theta \right)\right]$ and $\mathbb{V}\left[{\delta }_{m\lambda }\left(\theta \right)\right]$ to facilitate a robust comparison between theoretical expectations and simulated data. The following lemma provides these values, establishing a basis for evaluating the alignment of our model with empirical results.

Theorem 2.

Let r be a random variable obtained through a two-step sampling process where first $s\sim \mathit{Binomial}(N,p)$ and then, given s, $r\mid s\sim \mathit{Binomial}(s,q)$. Define $\rho =\frac{r}{s}$ when $s>0$. Then, the expected value and variance of ρ are given by:

$$\begin{array}{cc}\hfill \mathbb{E}\left[\rho \right]& =q,\hfill \end{array}$$

(92)

$$\begin{array}{cc}\hfill \mathbb{V}\left[\rho \right]& =q(1-q)\mathbb{E}\left[\frac{1}{s}\right],\hfill \end{array}$$

(93)

where $\mathbb{E}\left[\frac{1}{s}\right]$ is the expected value of the reciprocal of s.

Proof. 

First, compute the expected value $\mathbb{E}\left[\rho \right]$ using the law of total expectation [25]:

$$\mathbb{E}\left[\rho \right]=\mathbb{E}\left[\mathbb{E}\left[\rho \mid s\right]\right].$$

Given s, since $r\mid s\sim \mathrm{Binomial}(s,q)$ and $\rho =\frac{r}{s}$, we have:

$$\begin{array}{c}\hfill \mathbb{E}\left[\rho \mid s\right]=\mathbb{E}\left[\frac{r}{s}\mid s\right]=\frac{1}{s}\mathbb{E}\left[r\mid s\right]=\frac{1}{s}\left(sq\right)=q,\end{array}$$

therefore,

$$\mathbb{E}\left[\rho \right]=\mathbb{E}\left[q\right]=q.$$

The variance $\mathbb{V}\left[\rho \right]$ can be expressed using the law of total variance [25]:

$$\mathbb{V}\left[\rho \right]=\mathbb{E}\left[\mathbb{V}\left[\rho \mid s\right]\right]+\mathbb{V}\left[\mathbb{E}\left[\rho \mid s\right]\right].$$

Given s, the conditional variance is:

$$\begin{array}{c}\hfill \mathbb{V}\left[\rho \mid s\right]=\mathbb{V}\left[\frac{r}{s}\mid s\right]=\frac{1}{s^2}\mathbb{V}\left[r\mid s\right]=\frac{1}{s^2}\left(sq(1-q)\right)=\frac{q(1-q)}{s}.\end{array}$$

Thus,

$$\mathbb{E}\left[\mathbb{V}\left[\rho \mid s\right]\right]=q(1-q)\mathbb{E}\left[\frac{1}{s}\right].$$

Since $\mathbb{E}\left[\rho \mid s\right]=q$ is constant,

$$\mathbb{V}\left[\mathbb{E}\left[\rho \mid s\right]\right]=\mathbb{V}\left[q\right]=0.$$

Combining these results, we obtain:

$$\mathbb{V}\left[\rho \right]=q(1-q)\mathbb{E}\left[\frac{1}{s}\right].$$

   □

Note that the derivation in Theorem 2 assumes $s>0$, ensuring that $\rho =\frac{r}{s}$ is well-defined. For clarity and simplicity, this condition has been omitted from the main expressions, but all expectations and variances are implicitly conditioned on $s>0$. Additionally, $\mathbb{E}\left[\frac{1}{s}\right]$ does not have a closed-form expression for $s\sim \mathrm{Binomial}(N,p)$; however, for large $Np$, it can be approximated as:

$$\mathbb{E}\left[\frac{1}{s}\right]\approx \frac{1}{\mathbb{E}\left[s\right]}=\frac{1}{Np}.$$

This leads to an approximate variance:

$$\mathbb{V}\left[\rho \right]\approx \frac{q(1-q)}{Np}.$$

This approximation holds well when N is large and p is not too small, rendering the probability $P(s=0)$ negligible.

Applying this result to Equations (86) and (90), we obtain the expected value and variance of the error rate $\rho$ for a basis alignment m and intensity $\lambda$ as follows:

$$\begin{array}{cc}\hfill \mathbb{E}\left[\rho \right]& ={\delta }_{m\lambda }\left(\theta \right),\hfill \end{array}$$

(94)

$$\begin{array}{cc}\hfill \mathbb{V}\left[\rho \right]& \approx \frac{{\delta }_{m\lambda }\left(\theta \right)(1-{\delta }_{m\lambda }\left(\theta \right))}{N{Q}_{m\lambda }\left(\theta \right)P\left(m\right)P\left(\lambda \right)}.\hfill \end{array}$$

(95)

Since $\rho \in \left[0,1\right]$, it is natural to model it with a Beta distribution. Using Equation (129), we derive parameters for a Beta distribution that match the expected value and variance in Equations (94) and (95). This allows us to approximate the distribution of the error rate as follows:

$$\begin{array}{c}\hfill P\left(\rho \right)\approx \mathrm{Beta}\left(\rho \mid {\alpha }_{m\lambda }\left(\theta \right),{\beta }_{m\lambda }\left(\theta \right)\right),\end{array}$$

(96)

where ${\alpha }_{m\lambda }\left(\theta \right)$ and ${\beta }_{m\lambda }\left(\theta \right)$ are calculated to ensure that the Beta distribution’s mean and variance align with Equations (94) and (95).

3. Bayesian Inference

In this section, we aim to infer the unknown parameters of the QKD system based on the observed detection events. Recall that the parameter set $\theta =\left\{{\theta }_A,{\theta }_B,{\theta }_E\right\}$ encompasses all aspects of the QKD system, where ${\theta }_A$ represents Alice’s parameters, ${\theta }_B$ represents Bob’s parameters, and ${\theta }_E$ captures Eve’s potential strategies. Let C be the vector of counts for each detection outcome:

$$\begin{array}{cc}\hfill C_m& =\left[C_m^{00}{C}_m^{01}{C}_m^{10}{C}_m^{11}\right],\hfill \\ \hfill C& =\left[C_0{C}_1\right],\hfill \end{array}$$

(97)

where $C_0^{01}$, for example, represents the count of events where $D_0=1$, $D_1=0$, and the bases did not match.

The objective is to infer the unknown parameters associated with Eve, specifically ${\theta }_E=\{d_{AE},p_{EB},k,\Delta \}$, based on observed data C and the known parameters ${\theta }_A$ and ${\theta }_B$. Utilizing Bayes’ theorem, the posterior distribution of Eve’s parameters, given the observed data and known parameters, is formulated as:

$$\begin{array}{cc}\hfill \mathrm{Posterior}({\theta }_E\mid C,N,{\theta }_A,{\theta }_B,{\theta }_P)& =\frac{\mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_E)\mathcal{P}({\theta }_E\mid {\theta }_P)}{\mathcal{M}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_P)},\hfill \end{array}$$

(98)

where

$$\begin{array}{c}\hfill \mathcal{M}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_P)=\int \mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_E)\mathcal{P}({\theta }_E\mid {\theta }_P)d{\theta }_E,\end{array}$$

(99)

where $\mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_E)$ is the likelihood of the data given the parameters, and $\mathcal{P}({\theta }_E\mid {\theta }_P)$ is the prior distribution of Eve’s parameters, with ${\theta }_P$ representing the hyper-parameters of these priors, and $\mathcal{M}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_P)$ is the marginal likelihood (or evidence) that normalizes the posterior distribution.

3.1. Constructing the Likelihood

To apply Bayesian inference, we first need to construct the likelihood function that describes the probability of observing the data given the parameters of the system. This is formally presented in the following theorem:

Theorem 3.

Let Alice emit a Poisson-distributed number of photons with average intensities selected uniformly at random from a set of $N_{\lambda }$ intensities $\{{\lambda }_1,{\lambda }_2,\dots ,{\lambda }_{N_{\lambda }}\}$. For each pulse, Alice randomly selects a basis $a\in \{0,1\}$ with equal probability, and Bob independently measures in a randomly chosen basis $b\in \{0,1\}$, also with equal probability.

Let Eve be positioned at a distance $d_{AE}$ from Alice, potentially intercepting a fraction Δ of the total transmission and capturing k photons from each intercepted pulse. Bob is positioned at a distance $d_{AB}$ from Alice, with fiber attenuation α. Bob uses two detectors characterized by detection efficiencies $p_{c_0}$ and $p_{c_1}$, dark count probabilities $p_{d_0}$ and $p_{d_1}$, and a beam splitter with a misalignment error $p_e$. The detection events are assumed to be independent.

Under these conditions, the vector of counts for the $8N_{\lambda }$ distinct detection outcomes—corresponding to each combination of intensity, basis choices, and detection results—is distributed according to a multinomial distribution:

$$\begin{array}{c}\hfill P(C\mid N,\theta )=Multinomial\left(N,\mathbf{P}\left(\theta \right)\right),\end{array}$$

(100)

where $\mathbf{P}\left(\theta \right)$ is the vector of probabilities for each detection outcome, derived from the set of system parameters $\theta =\{{\theta }_A,{\theta }_B,{\theta }_E\}$ as in Equation (45).

HMM Likelihood

The likelihood of observing a specific sequence of detection events $\mathbf{O}={\left\{O_t\right\}}_{t=1}^N$ given state transition probabilities $\mathbf{T}$, emission probabilities $\mathbf{E}$, and initial state probabilities $\mathsf{\pi }$ can be computed using the forward algorithm [19]:

$$\begin{array}{cc}\hfill L(\mathbf{O}\mid \mathbf{T},\mathbf{E},\mathsf{\pi })& ={\displaystyle \sum _{i=1}^{N_s}}{\alpha }_N\left(i\right),\hfill \end{array}$$

(101)

where $N_s$ is the number of states and the forward probability at time t for state i, ${\alpha }_t\left(i\right)$ is recursively expressed as:

$$\begin{array}{c}\hfill {\alpha }_t\left(i\right)={\mathbf{E}}_{i,O_t}·{\displaystyle \sum _{j=1}^{N_s}}{\mathbf{T}}_{j,i}·{\alpha }_{t-1}\left(j\right),\end{array}$$

(102)

and the initial forward probability

$$\begin{array}{c}\hfill {\alpha }_1\left(i\right)={\mathsf{\pi }}_i{\mathbf{E}}_{i,O_1}.\end{array}$$

(103)

Computing the forward algorithm is computationally intensive and impractical for large N. Additionally, our primary interest lies not in the likelihood of a specific sequence of detection events but in the aggregated counts of detection outcomes over the session.

To address this, we can use the long-term stationary distribution $\widehat{\mathbf{P}}\left(\theta \right)$ as the parameter for the multinomial distribution. Although individual detection events are dependent, the aggregated counts over a large number of trials can be modeled using a multinomial distribution with these adjusted probabilities.

Theorem 4.

Given a Hidden Markov Model (HMM) with an irreducible and an aperiodic state transition matrix $\mathbf{T}\left(\theta \right)$, emission probabilities $\mathbf{E}$, and initial state probabilities $\mathsf{\pi }$, where the system accounts for dependencies induced by after-pulsing, the likelihood function for the aggregated counts C over N trials is formulated as:

$$\begin{array}{c}\hfill P(C\mid N,\theta )=\mathit{Multinomial}(C\mid N,\widehat{\mathbf{P}}\left(\theta \right)),\end{array}$$

(104)

where $\widehat{\mathbf{P}}\left(\theta \right)={\mathbf{E}}^{\top }\overline{\mathbf{v}}\left(\theta \right)$ represents the adjusted probabilities derived from the stationary distribution $\overline{\mathbf{v}}\left(\theta \right)$ of the Markov chain, as in Equation (72).

By replacing the i.i.d. probabilities with the adjusted probabilities from the stationary distribution, we effectively account for the dependencies introduced by after-pulsing. This allows us to use the multinomial likelihood function for the aggregated counts, enabling accurate and computationally efficient inference of the system parameters.

3.2. Constructing the Prior

To construct a robust Bayesian inference framework, it is essential to carefully choose priors for the unknown parameters ${\theta }_E$. The parameters ${\theta }_E=\{d_{AE},p_{EB},k,\Delta \}$ represent Eve’s distance from Alice, the channel efficiency chosen by Eve, the number of photons intercepted per pulse, and the fraction of intercepted pulses, respectively.

3.2.1. Assumptions and Independence

To address the uncertainty surrounding Eve’s strategy, we encode a bias towards worst-case scenarios while incorporating practical constraints. We assume that Eve’s choices are independent of Alice and Bob’s configurations, allowing her to select parameters freely from the allowable domains. Although a strategic Eve might optimize her settings to maximize information gain based on Alice’s and Bob’s choices, modeling such behavior would introduce another exploitable vulnerability. Instead, we take a precautious approach, treating Eve’s parameters as independent, ensuring that she cannot exploit any alignment with Alice and Bob’s configurations.

3.2.2. Priors for Bounded Parameters

The parameters $d_{AE}$, $p_{EB}$, and $\Delta$ are all bounded within specific ranges:

$$\begin{array}{cc}\hfill 0\le d_{AE}& \le d_{AB},\hfill \end{array}$$

(105)

$$\begin{array}{cc}\hfill 0\le p_{EB}& \le 1,\hfill \end{array}$$

(106)

$$\begin{array}{cc}\hfill 0\le \Delta & \le 1.\hfill \end{array}$$

(107)

Let ${\theta }_b$ be a bounded parameter in ${\theta }_E$. For such a parameter, we utilize the Beta distribution due to its flexibility in modeling probabilities over a finite range after rescaling the parameter to the $[0, 1]$ range. Specifically, the prior for ${\theta }_b$:

$$\begin{array}{c}\hfill P({\theta }_b\mid {\vartheta }_b)=\mathrm{Beta}\left(\frac{{\theta }_b-l_b}{u_b-l_b}|{\alpha }_b,{\beta }_b\right)\frac{1}{u_b-l_b},\end{array}$$

(108)

where ${\vartheta }_b=\{{\alpha }_b,{\beta }_b,u_b,l_b\}$ are the hyper-parameters of the prior distribution, namely the shape parameters of the Beta distribution (${\alpha }_b$ and ${\beta }_b$), as well as the upper and lower bound of ${\theta }_b$ ($u_b$ and $l_b$). The scaling factor $\frac{1}{u_b-l_b}$ ensures proper normalization over the interval $[l_b,u_b]$.

3.2.3. Prior for Semi-Bounded Parameters

The parameter k, representing the number of photons intercepted per pulse, is semi-bounded with $k\ge 1$. In Theorem 1, we utilized the incomplete Gamma function to extend the domain of k to the positive real numbers. This extension allows us to treat k as a continuous variable, which is particularly useful for gradient-based optimization or numerical integration techniques and more nuanced probabilistic modeling.

Given this extended domain, we employ a Gamma distribution for k, which is suitable for modeling continuous variables that are bounded below. Although, in this specific setting, there is only one semi-bounded parameter, i.e., k, in preparation for a fully Bayesian approach where we can treat other fixed variables as random variables, we will denote a semi-bounded parameter modeled with a Gamma prior as ${\theta }_g$:

$$\begin{array}{c}\hfill P({\theta }_g\mid {\vartheta }_g)=\mathrm{Gamma}({\theta }_g+l_g\mid {\alpha }_g,{\beta }_g),\end{array}$$

(109)

where ${\vartheta }_g=\{{\alpha }_g,{\beta }_g,u_g,l_g\}$ are the hyper-parameters of the Gamma distribution. In the case of k, the distribution is shifted by $l_g=1$ to ensure alignment with the lower bound $k=1$, reflecting that if Eve intercepts, she must capture at least one photon.

3.2.4. Selection of Prior Parameters

For the bounded parameters, setting $\alpha =\beta =1$ in the Beta distribution yields a uniform distribution, reflecting maximal uncertainty within the given bounds. We apply this uniform distribution to parameters like $p_{EB}$, encoding no prior preference over Eve’s channel efficiency. However, to introduce a cautious bias against Eve’s activity, we set ${\alpha }_{\Delta }=2$ and ${\beta }_{\Delta }=1$, making $\Delta =1$ more likely a priori. This choice implies a precautionary stance, assuming Eve’s presence unless data suggests otherwise.

For the distance parameter $d_{AB}$, we set the prior parameters in the Beta distribution oppositely, with ${\alpha }_{d_{AB}}=1$ and ${\beta }_{d_{AB}}=2$. This encodes the assumption that Eve is more likely to position herself closer to Alice, where the signal intensity is higher, minimizing the efficiency requirements for her alternative channel when intercepting photons.

For the semi-bounded parameter k, setting ${\alpha }_k=1$ in the Gamma distribution places the mode of the distribution at $k=1$. This choice encodes the assumption that, in the absence of data, Eve is most likely to capture the minimum number of photons from an intercepted pulse, which is 1. To provide practical constraints within this framework, we define a useful pseudo upper bound on k:

• $k_{max}$: The maximum number of photons Eve can intercept from a pulse immediately emitted by Alice such that she would require a channel efficiency of $p_{EB}=1$ to avoid detection.

This pseudo upper bound, $k_{max}$, serves as a guideline for setting the rate parameter ${\beta }_k$ of the Gamma distribution. Specifically, ${\beta }_k$ is chosen such that the expected value lies halfway between 1 and $k_{max}$, ensuring that the prior realistically constrains Eve’s capabilities while remaining theoretically unbounded.

3.2.5. Final Formulation of the Prior

Combining the priors for each parameter, the joint prior distribution for Eve’s parameter ${\theta }_E$ is given by:

$$\begin{array}{cc}\hfill \mathcal{P}({\theta }_E\mid {\theta }_P)=& \mathrm{Beta}\left(\frac{d_{AE}}{d_{AB}}|{\alpha }_{d_{AE}},{\beta }_{d_{AE}}\right)\frac{1}{d_{AB}}\times \hfill \\ \hfill & \mathrm{Beta}\left(p_{EB}\mid {\alpha }_{p_{EB}},{\beta }_{p_{EB}}\right)\times \hfill \\ \hfill & \mathrm{Beta}\left(\Delta \mid {\alpha }_{\Delta },{\beta }_{\Delta }\right)\times \hfill \\ \hfill & \mathrm{Gamma}\left(k+1\mid {\alpha }_k,{\beta }_k\right),\hfill \end{array}$$

(110)

and

$$\begin{array}{cc}\hfill {\theta }_P=& \{\mathsf{\alpha },\mathsf{\beta },\mathbf{u},\mathbf{l}\},\hfill \end{array}$$

(111)

$$\begin{array}{cc}\hfill \mathsf{\alpha }=& \{{\alpha }_{d_{AE}},{\alpha }_{p_{EB}},{\alpha }_k,{\alpha }_{\Delta }\},\hfill \end{array}$$

(112)

$$\begin{array}{cc}\hfill \mathsf{\beta }=& \{{\beta }_{d_{AE}},{\beta }_{p_{EB}},{\beta }_k,{\beta }_{\Delta }\},\hfill \end{array}$$

(113)

$$\begin{array}{cc}\hfill \mathbf{u}=& \{d_{AB},1,\infty ,1\},\hfill \end{array}$$

(114)

$$\begin{array}{cc}\hfill \mathbf{l}=& \{0,0,1,0\},\hfill \end{array}$$

(115)

where $\mathbf{u}$ and $\mathbf{l}$ are the upper and lower bounds of the parameters. We store these in the set of priors’ hyper-parameters as they will be used later to un-bound the parameters when constructing the posterior.

3.3. Constructing the Posterior

With the likelihood $\mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_E)$ and prior $\mathcal{P}({\theta }_E\mid {\theta }_P)$ established, the final step is to compute the marginal likelihood $\mathcal{M}(C\mid N,{\theta }_A,{\theta }_B,{\theta }_P)$, as defined in Equation (99), to derive the posterior distribution of Eve’s parameters ${\theta }_E$ conditioned on the system parameters and observed data.

However, due to the complexity of the likelihood function in our model, stemming from the multiple parameters and the interactions modeled within the QKD system, analytically computing this marginal is infeasible. Additionally, an analytical approach might restrict our choice of priors to conjugate priors, which could fail to accurately represent the underlying physics and real-world constraints of the problem.

Methods for Approximating the Posterior

Given the challenges in deriving the posterior analytically, we consider several computational methods. One common approach is Markov Chain Monte Carlo (MCMC) [27,28], which can handle complex, high-dimensional distributions. MCMC methods, such as Metropolis–Hastings [27,28] or Gibbs sampling [29], do not require the posterior to have a specific form, allowing flexible modeling with realistic priors that reflect the physical constraints of the QKD system. Although MCMC converges to the true posterior with sufficient samples, it can be computationally intensive and requires careful tuning and convergence checks [30,31].

Variational Bayes (VB) [25] approximates the posterior by optimizing a simpler, parameterized distribution to minimize KL divergence. This can be more efficient than MCMC, especially with large datasets, but yields only an approximate posterior that depends on the chosen family of distributions. In security-critical QKD applications, where assumptions about the posterior can introduce vulnerabilities, we prefer methods that let the data define the distribution.

Bayesian Quadrature could be used for low-dimensional parameter spaces by modeling the integrand as a Gaussian process [32,33]. Although it may require fewer evaluations than traditional quadrature, it assumes integrand smoothness, which might miss important features in security-critical scenarios. Consequently, like VB, Bayesian Quadrature is less suitable when avoiding assumptions is essential for security.

Given the complexity of our parameter space, we also considered gradient-based numerical integration methods like Hamiltonian Monte Carlo (HMC) [34,35] and its adaptive variant, the No-U-Turn Sampler (NUTS) [36]. We computed gradients for all variables via the incomplete Gamma function, enabling a continuous likelihood function and methods that exploit gradient information to navigate the parameter space more efficiently [37].

Ultimately, we chose Covariance-Adaptive Slice Sampling [38], which incorporates gradient-based adaptation while retaining the robustness of slice sampling. With fewer hyper-parameters, it minimizes manual tuning and enhances reliability while efficiently exploring high-dimensional parameter spaces by adapting to local covariance structure. Our fully Bayesian framework—where any parameter can be switched from fixed to random by assigning a prior—maintains security guarantees in QKD systems by avoiding restrictive modeling assumptions [17].

3.4. From Bounded to Unbounded Variables

To perform effective Bayesian inference, especially using gradient-based numerical integration methods, it is crucial to transform the parameter space so that all variables are unbounded. However, this process is not as straightforward as simply applying a transformation step during posterior computation. Transformations alter the probability distribution non-uniformly, effectively mapping the original distribution into a different space. To ensure that sampling remains consistent with the true posterior, the Probability Density Function (PDF) must be adjusted to account for these changes. This adjustment is achieved through the transform of variables method, which ensures an accurate and mathematically consistent mapping between the original and transformed spaces.

3.4.1. Defining Transformations and Their Inverses

To transform the parameters ${\theta }_E=\{d_{AE},p_{EB},k,\Delta \}$ into an unbounded space and vice versa, we use the sigmoid, $\sigma \left(x\right)$, and logit, ${\sigma }^{-1}\left(x\right)$, transformations for the bounded parameters, and the exponential, $e^x$, and logarithmic, $\log \left(x\right)$, for the semi-bounded.

$$\begin{array}{c}\hfill \sigma \left(x\right)=\frac{1}{1+e^{-x}},{\sigma }^{-1}\left(x\right)=\log \left(\frac{x}{1-x}\right).\end{array}$$

(116)

Let b be the set of bounded parameters modeled with a Beta prior, and g be the set of semi-bounded parameters modeled with a Gamma prior; we define the width $w_b=u_b-l_b$, where $u_b$ and $l_b$ are the parameter’s upper and lower bounds, respectively. The transformation to the unbounded space and its reverse are given by:

$$\begin{array}{c}\hfill {\varphi }_b={\sigma }^{-1}\left(\frac{{\theta }_b-l_b}{w_b}\right),{\theta }_b=\sigma \left({\varphi }_b\right)w_b+l_b,\end{array}$$

(117)

and for the semi-bounded variables,

$$\begin{array}{c}\hfill {\varphi }_g=\log ({\theta }_g-l_g),{\theta }_g=e^{{\varphi }_g}+l_g.\end{array}$$

(118)

More generally, let:

$$\Phi ({\theta }_E,{\theta }_P)={\varphi }_E,$$

(119)

$$\Theta ({\varphi }_E,{\theta }_P)={\theta }_E,$$

(120)

be the two mapping functions that transform the variables from and to different spaces. By applying these transformations, we define the new set of transformed variables ${\varphi }_E=\{{\varphi }_{d_{AE}},{\varphi }_{p_{EB}},{\varphi }_k,{\varphi }_{\Delta }\}$, where each $\varphi$ now lies in the real, unbounded space $\mathbb{R}$.

3.4.2. Jacobian of the Transformation

When transforming variables in a probability distribution, it is essential not only to transform the variables but also to update the Probability Density Function (PDF) accordingly. This is because the original PDF is defined over the original variable space, and a transformation changes the volume element in this space. The transformation can stretch, compress, or otherwise distort the space, altering the relative spacing between points.

To ensure that the transformed PDF correctly reflects the distribution of probabilities over the new variable space, we must incorporate the Jacobian determinant of the transformation. The Jacobian determinant represents the factor by which the volume element changes under the transformation. Mathematically, if we have a transformation $y=g\left(x\right)$ and the original PDF is $f_X\left(x\right)$, the transformed PDF $f_Y\left(y\right)$ is given by [19]:

$$\begin{array}{c}\hfill f_Y\left(y\right)=f_X\left(g^{-1}\left(y\right)\right)\left|\frac{d}{dy}{g}^{-1}\left(y\right)\right|.\end{array}$$

(121)

This ensures that the total probability remains normalized to one after the transformation, preserving the properties of a probability distribution. For multidimensional distributions, it generalizes to finding the determinant of the Jacobian matrix $\mathbf{J}({\varphi }_E,{\theta }_P)$ of the transformation from ${\varphi }_E$ back to ${\theta }_E$:

$$\begin{array}{c}\hfill \mathbf{J}({\varphi }_E,{\theta }_P)=\left[\begin{array}{cccc}\frac{\partial {\theta }_{d_{AE}}}{\partial {\varphi }_{d_{AE}}}& 0& 0& 0\\ 0& \frac{\partial {\theta }_{p_{EB}}}{\partial {\varphi }_{p_{EB}}}& 0& 0\\ 0& 0& \frac{\partial {\theta }_k}{\partial {\varphi }_k}& 0\\ 0& 0& 0& \frac{\partial {\theta }_{\Delta }}{\partial {\varphi }_{\Delta }}\end{array}\right].\end{array}$$

(122)

The individual partial derivatives, using the inverse functions of the transformations, are:

$$\begin{array}{cc}\hfill \frac{\partial {\theta }_b}{\partial {\varphi }_b}& =\frac{\partial }{\partial {\varphi }_b}\left(\sigma \left({\varphi }_b\right)w_b+l_b\right)=\sigma \left({\varphi }_b\right)(1-\sigma \left({\varphi }_b\right))w_b,\hfill \end{array}$$

(123)

$$\begin{array}{cc}\hfill \frac{\partial {\theta }_g}{\partial {\varphi }_g}& =\frac{\partial }{\partial {\varphi }_g}\left(e^{{\varphi }_g}+l_g\right)=e^{{\varphi }_g}.\hfill \end{array}$$

(124)

Considering that $w_{p_{EB}}=w_{\Delta }=1$ and $w_{d_{AE}}=d_{AB}$, the determinant of the Jacobian matrix, $\left|\mathbf{J}({\varphi }_E,{\theta }_P)\right|$, can be expressed as:

$$\begin{array}{cc}\hfill \mathcal{J}({\varphi }_E\mid {\theta }_P)& =\left|\mathbf{J}({\varphi }_E,{\theta }_P)\right|\hfill \\ \hfill & =\sigma \left({\varphi }_{d_{AE}}\right)\left[1-\sigma \left({\varphi }_{d_{AE}}\right)\right]d_{AE}\sigma \left({\varphi }_{p_{EB}}\right)\left[1-\sigma \left({\varphi }_{p_{EB}}\right))\right]\sigma \left({\varphi }_{\Delta }\right)\left[1-\sigma \left({\varphi }_{\Delta }\right)\right]e^{{\varphi }_k}.\hfill \end{array}$$

(125)

3.4.3. Updating the Posterior with the Jacobian

The posterior distribution with respect to the transformed variables ${\varphi }_E$ is given by incorporating the Jacobian determinant to adjust for the change of variables:

$$\begin{array}{c}\hfill \mathrm{Posterior}({\varphi }_E\mid C,N,{\theta }_A,{\theta }_B,{\theta }_P)\propto \mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,\Theta \left({\varphi }_E\right))\mathcal{P}(\Theta \left({\varphi }_E\right)\mid {\theta }_P)\mathcal{J}({\varphi }_E\mid {\theta }_P),\end{array}$$

(126)

where $\mathcal{L}(C\mid N,{\theta }_A,{\theta }_B,\Theta \left({\varphi }_E\right))=\mathrm{Multinomial}\left(C\mid N,\mathbf{P}\left(\left\{{\theta }_A,{\theta }_B,\Theta \left({\varphi }_E\right)\right\}\right)\right)$ is the likelihood as derived in Theorem 3 and $\mathcal{P}(\Theta \left({\varphi }_E\right)\mid {\theta }_P)$ is the prior as in Equation (110), but with ${\theta }_E=\Theta \left({\varphi }_E\right)$.

3.5. From Fixed to Random Variables

Until now, our modeling approach has operated under the assumption that the parameters governing our system are fixed and known, leading to the treatment of detection events as independent and identically distributed (i.i.d.). Under the i.i.d. framework, each detection event is considered independent, and the probability distribution governing these events remains constant over time. However, this assumption of identically distributed data does not align with the inherent stochasticity present in real-world Quantum Key Distribution (QKD) systems, where variables such as the intensity of a laser source or detector efficiencies may vary due to external conditions or device imperfections.

By transitioning from a fixed-parameter model to a Bayesian framework, we allow these parameters to be treated as random variables. This shift introduces prior distributions over the parameters, which are updated as more data become available, reflecting their true variability. As an example, consider the intensity $\lambda$ of a laser source. Instead of assuming that $\lambda$ is fixed and known, we can model it as a random variable with a Gamma prior distribution, Gamma$({\alpha }_{\lambda },{\beta }_{\lambda })$, where ${\alpha }_{\lambda }$ and ${\beta }_{\lambda }$ are the shape and rate parameters of the Gamma distribution, respectively.

To illustrate, suppose the laser’s intensity $\lambda$ has an expected value $\mathbb{E}\left[\lambda \right]$ and a variance $\mathbb{V}\left[\lambda \right]$ based on the laser’s specifications. We can set the parameters of the Gamma prior to match these moments [25]:

$$\begin{array}{c}\hfill \mathbb{E}\left[\lambda \right]=\frac{{\alpha }_{\lambda }}{{\beta }_{\lambda }},\mathbb{V}\left[\lambda \right]=\frac{{\alpha }_{\lambda }}{{\beta }_{\lambda }^2}.\end{array}$$

(127)

Solving these equations for ${\alpha }_{\lambda }$ and ${\beta }_{\lambda }$ gives:

$$\begin{array}{c}\hfill {\alpha }_{\lambda }=\frac{\mathbb{E}{\left[\lambda \right]}^2}{\mathbb{V}\left[\lambda \right]},{\beta }_{\lambda }=\frac{\mathbb{E}\left[\lambda \right]}{\mathbb{V}\left[\lambda \right]}.\end{array}$$

(128)

This formulation provides a prior distribution for $\lambda$ that reflects both its expected value and the uncertainty due to variability, allowing our model to capture the true stochastic nature of the laser intensity. Similarly, for the detector efficiency $p_c$, a Beta distribution $\mathrm{Beta}({\alpha }_{p_c},{\beta }_{p_c})$ can be used as a prior.

Applying the same method to the Beta distribution, the parameters ${\alpha }_{p_c}$ and ${\beta }_{p_c}$ can be derived from the expected value $\mathbb{E}\left[p_c\right]$ and variance $\mathbb{V}\left[p_c\right]$ as [25]:

$$\begin{array}{c}\hfill {\alpha }_{p_c}=\frac{\mathbb{E}{\left[p_c\right]}^2(1-\mathbb{E}\left[p_c\right])}{\mathbb{V}\left[p_c\right]}-\mathbb{E}\left[p_c\right],{\beta }_{p_c}=\frac{\mathbb{E}\left[p_c\right]{(1-\mathbb{E}\left[p_c\right])}^2}{\mathbb{V}\left[p_c\right]}+\mathbb{E}\left[p_c\right]-1.\end{array}$$

(129)

By setting these parameters, we construct a Beta prior distribution for $p_c$ that accurately reflects both the expected efficiency and the uncertainty inherent in the detector’s performance.

By adopting this approach, we move along a spectrum from deterministic models with fixed parameters to fully Bayesian models that account for uncertainties in all parameters. At one extreme, a fixed parameter can be viewed as having a Dirac delta function as its prior [25], reflecting complete certainty about its value. At the other extreme, we have models like those used for Eve’s parameters, where the priors are non-informative or represent maximal uncertainty. In between, partially informative priors, such as those for $\lambda$ and $p_c$, provide a balanced representation that incorporates both prior knowledge and observed data.

An alternative approach is to remodel the likelihood by integrating over the prior distribution of the parameter, thus accounting for its uncertainty directly in the likelihood function. For example, the distribution of photons n from a laser with intensity $\lambda$ could be updated as follows:

$$\begin{array}{c}\hfill P(n\mid {\alpha }_{\lambda },{\beta }_{\lambda })={\int }_0^{\infty }\mathrm{Poisson}(n\mid \lambda )\mathrm{Gamma}(\lambda \mid {\alpha }_{\lambda },{\beta }_{\lambda })d\lambda .\end{array}$$

(130)

This is known to follow a negative binomial distribution with parameters $r={\alpha }_{\lambda }$ (number of successes) and $p=\frac{{\beta }_{\lambda }}{{\beta }_{\lambda }+1}$ (success probability) [39], or more precisely:

$$\begin{array}{cc}\hfill P(n\mid {\alpha }_{\lambda },{\beta }_{\lambda })& =\mathrm{NegativeBinomial}\left(n\mid r={\alpha }_{\lambda },p=\frac{{\beta }_{\lambda }}{{\beta }_{\lambda }+1}\right),\hfill \\ \hfill & =\frac{\Gamma (n+{\alpha }_{\lambda })}{n!\Gamma \left({\alpha }_{\lambda }\right)}{\left(\frac{{\beta }_{\lambda }}{1+{\beta }_{\lambda }}\right)}^{{\alpha }_{\lambda }}{\left(\frac{1}{1+{\beta }_{\lambda }}\right)}^n.\hfill \end{array}$$

(131)

A similar approach can be applied to the p parameter in a binomial distribution. If p is a random variable following a Beta distribution, the probability of observing k successes in n trials with a variable success probability p can be expressed as:

$$\begin{array}{c}\hfill P(k\mid n,{\alpha }_p,{\beta }_p)={\int }_0^1\mathrm{Binomial}(k\mid n,p)\mathrm{Beta}(p\mid {\alpha }_p,{\beta }_p)dp.\end{array}$$

(132)

This scenario is modeled by a Beta-Binomial distribution [25], specifically:

$$\begin{array}{cc}\hfill P(k\mid n,{\alpha }_p,{\beta }_p)& =\mathrm{Beta}\text{-}\mathrm{Binomial}\left(k\mid n,{\alpha }_p,{\beta }_p\right),\hfill \\ \hfill & =\left(\genfrac{}{}{0pt}{}{n}{k}\right)\frac{\mathrm{B}\left(k+{\alpha }_p,n-k+{\beta }_p\right)}{\mathrm{B}\left({\alpha }_p,{\beta }_p\right)},\hfill \end{array}$$

(133)

where $\mathrm{B}(x,y)$ denotes the Beta function:

$$\begin{array}{c}\hfill \mathrm{B}(x,y)=\frac{\Gamma \left(x\right)\Gamma \left(y\right)}{\Gamma (x+y)}\end{array}$$

(134)

Modeling the photon distribution of the laser and the detector’s efficiency in this manner accounts for the uncertainty in the device parameters. However, while this approach is mathematically elegant and can simplify calculations under certain conditions, it constrains the choice of priors and necessitates a comprehensive reformulation of the likelihood function. By contrast, the first approach—placing priors directly on the parameters and updating them through the posterior—offers greater flexibility and allows for more nuanced modeling of the actual dynamics of the physical system. This flexibility is particularly crucial in security-critical applications like QKD, where the accurate modeling of all system components is essential to ensure robustness against potential attacks [40].

With this framework in place, we have moved beyond the assumption of identically distributed detection events by treating key parameters as random variables with their own distributions.

4. Experimental Results

This section presents the validation and performance assessment of the proposed probabilistic framework through a series of simulations and comparisons with the decoy-state protocol. First, we test the accuracy of the probabilistic model (both i.i.d. and HMM) in predicting detection events and errors. Next, we evaluate the error modeling and its alignment with simulated results. The third subsection focuses on the secure key generation rate, highlighting improvements over the decoy-state approach. Finally, we explore the advantages of the Bayesian inference framework, demonstrating its robustness under after-pulsing scenarios (via HMM) and noisy conditions, emphasizing the superiority of the fully Bayesian approach.

4.1. Validation Through Simulation

This section is dedicated to assessing how well the theoretical models developed in this work fit the data generated by simulations. Specifically, we aim to evaluate the extent to which the theoretical model captures the observed behavior under both i.i.d. and Hidden Markov Model (HMM) conditions.

The first subsection focuses on validating the i.i.d. model as formalized in Theorem 3, using data generated by the simulation algorithm described in Algorithm 1. The second subsection examines the HMM model, as formulated in Theorem 4, with data produced according to Algorithm 2. By examining these models in turn, we determine the degree to which each theoretical framework explains the simulated detection events.

To model realistic QKD conditions, we adopted the Gobby–Yuan–Shields (GYS) configuration [41], providing parameterization suitable for real-world applications and establishing a foundation for later comparison with the decoy-state protocol [8]. The main simulation parameters are presented in

Table 1. Parameter configuration for the simulation experiment, grouped by Alice’s parameters (${\theta }_A$), Bob’s parameters (${\theta }_B$), Eve’s parameters (${\theta }_E$), and session parameters (${\theta }_S$).

Parameter Configuration for the Simulation Experiment
${\theta }_A$ (Alice)
Parameter	Description	Value
$\Lambda$	Intensity levels	$\left\{{\lambda }_{min},{\lambda }_{max}\right\}$
$\alpha$	Channel attenuation (dB/km)	0.21
$d_{AB}$	Distance from Alice to Bob (km)	50
${\theta }_B$ (Bob)
Parameter	Description	Value
$p_a$	After-pulse probability	0.1
$p_c$	Detection efficiency	0.045
$p_d$	Dark count probability	$1.7\times {10}^{-6}$
$p_e$	Misalignment probability	0.033
${\theta }_E$ (Eve)
Parameter	Description	Value
$d_{AE}$	Distance from Alice to Eve (km)	10
$\Delta$	Fraction of intercepted pulses	0.2
k	Photons intercepted per pulse	3
$p_{EB}$	Channel efficiency from Eve to Bob (if Eve intercepts)	optimized
${\theta }_S$ (Session)
Parameter	Description	Value
N	Number of pulses per session	10,000
$N_R$	Number of simulation runs	10,000

. Additionally, we introduced variability in detector-specific parameters to test asymmetric scenarios, as shown in

Table 2. Detector-specific values for Bob’s parameters: after-pulse probability $p_a$, detection efficiency $p_c$, and dark count probability $p_d$ for detectors $D_0$ and $D_1$.

Detector-Specific Parameter Adjustments
Parameter	$D_0$	$D_1$
After-pulse probability	$p_{a_0}=p_a\times 0.9$	$p_{a_1}=p_a\times 1.1$
Detection efficiency	$p_{c_0}=p_c\times 0.9$	$p_{c_1}=p_c\times 1.1$
Dark count probability	$p_{d_0}=p_d\times 0.9$	$p_{d_1}=p_d\times 1.1$

. For the i.i.d. test, the after-pulse probability $p_a$ was set to 0. The selected intensities for this experiment correspond to the minimum and maximum values, ${\lambda }_{min}$ and ${\lambda }_{max}$, as described in Section 2.2.5. Each simulation was run 10,000 times with 10,000 pulses per run, ensuring sufficient data for a comprehensive validation of the theoretical predictions.

Algorithm 1 Simulation of QKD detection events under the i.i.d assumption

1: function simulateiid($N,{\theta }_A,{\theta }_B,{\theta }_E$) 2:      $[\Lambda ,\alpha ,d_{AB}]\leftarrow {\theta }_A$ 3:      $[p_{a_0},p_{a_1},p_{c_0},p_{c_1},p_{d_0},p_{d_1},p_e]\leftarrow {\theta }_B$ 4:      $[d_{AE},p_{EB},k,\Delta ]\leftarrow {\theta }_E$ 5:      $p_{AB}\leftarrow {10}^{-\alpha d_{AB}/10}$ 6:      $p_{AE}\leftarrow {10}^{-\alpha d_{AE}/10}$ 7:      $N_{\lambda }\leftarrow |\Lambda |$ 8:      ${\widehat{p}}_e\leftarrow arcsin\left(\sqrt{p_e}\right)$ 9:      Initialize $D_0$, $D_1$, a, b, x, e and e 10:    for $i=1$ to N do 11:         $l\left[i\right]\sim \mathrm{Multinomial}(1,[11\dots 1]/N_{\lambda })$           % Choose random intensities 12:         $x\left[i\right],a\left[i\right],b\left[i\right]\sim \mathrm{Bernoulli}\left(\frac{1}{2}\right)$                    % Alice and Bob choose random bits & bases 13:         $e\left[i\right]\sim \mathrm{Bernoulli}(\Delta )$                                       % Eve chooses random pulses to intercept 14:         $n_a\sim \mathrm{Poisson}(\Lambda \left[l\left[i\right]\right])$                                 % Sample n photons given intensity $l\left[i\right]$ 15:         if $e\left[i\right]==\mathrm{false}$ then 16:             $n_b\sim \mathrm{Binomial}(n_a,p_{AB})$                             % If Eve does not intercept, apply fiber $p_{AB}$ 17:         else 18:             $n_e\sim \mathrm{Binomial}(n_a,p_{AE})$                             % If Eve intercepts, apply fiber $p_{AE}$, 19:             $n_e\leftarrow max(n_e-k,0)$                                 % then grab k photons, 20:             $n_b\sim \mathrm{Binomial}(n_e,p_{EB})$                             % then apply fiber $p_{EB}.$ 21:         end if 22:         $p_0\leftarrow cos{\left(\frac{\pi }{2}x\left[i\right]-\frac{\pi }{4}(a\left[i\right]-b\left[i\right])+{\widehat{p}}_e\right)}^2$     % Compute probability of $D_0$ 23:         $n_0\sim \mathrm{Binomial}(n_b,p_0)$                                  % Photons directed to $D_0$ 24:         $n_1\leftarrow n_b-n_0$                                                % The remaining are directed to $D_1$

25:

26:         for $j=0$ to 1 do                                         % For each detector, 27:             $d_j\sim \mathrm{Bernoulli}\left(p_{d_j}\right)$                                  % Produce a random dark click 28:             $s_j\sim \mathrm{Binomial}(n_j,p_{c_j})$                              % Sample s photons to be detected 29:             $D_j\left[i\right]\leftarrow d_j\vee \left(s_j\ge 1\right)$                               % Click if at least one photon or dark count 30:         end for 31:     end for 32:     return $D_0,D_1,l,a,b,x,e$ 33: end function

Algorithm 2 Simulation of QKD detection events under the HMM assumption

1: function simulateHMM($N,{\theta }_A,{\theta }_B,{\theta }_E$) 2:     $D_0,D_1,l,a,b,x,e\leftarrow {\mathrm{SIMULATE}}_{\mathrm{IID}}\left(N,{\theta }_A,{\theta }_B,{\theta }_E\right)$      % First run an i.i.d. simulation 3:     Initialize $a_0,a_1$                                                        % After-pulses for detectors $D_0$ and $D_1$ 4:     for $i=2$ to N do 5:         for $j=0$ to 1 do 6:              if $D_j[i-1]\wedge \neg a_j[i-1]$ then                       % If previous is a click and not an after-pulse 7:                  $a_j\left[i\right]\sim \mathrm{Bernoulli}\left(p_{a_j}\right)$                                % Set to after-pulse with probability $p_{a_j}$ 8:              end if 9:              $D_j\left[i\right]\leftarrow D_j\left[i\right]\vee a_j\left[i\right]$                                     % Click if a genuine click or an after-pulse 10:         end for 11:     end for 12:     return $D_0,D_1,l,a,b,x,e$ 13: end function

4.1.1. Validation of the i.i.d. Model

According to Theorem 3, the distribution of clicks in the i.i.d. scenario should follow a multinomial distribution with parameters N and $\mathbf{P}\left(\theta \right)$. Here, $\mathbf{P}\left(\theta \right)$ is a probability vector of length $2\times 4\times 2=16$, corresponding to two intensity levels (${\lambda }_{min}$ and ${\lambda }_{max}$), four possible detection outcomes (00, 01, 10, and 11), and two basis configurations (matching and non-matching).

We can infer the distribution for any specific detection scenario—defined by a particular basis alignment, click pattern, and intensity level—by marginalizing over all remaining variables in $\mathbf{P}\left(\theta \right)$. When focusing on a single outcome within a multinomial distribution, the marginal distribution of each individual outcome follows a binomial distribution. More formally,

$$\begin{array}{cc}\hfill \mathrm{If}{c}_{\phantom{i}}& \sim \mathrm{Multinomial}(n,\mathbf{p}),\hfill \\ \hfill \mathrm{then}{c}_i& \sim \mathrm{Binomial}(n,p_i),\hfill \end{array}$$

where i denotes the index of the variable of interest, $c_i$ represents its count, and $p_i$ is the corresponding probability component in the vector $\mathbf{p}$.

Having derived the binomial distribution for each specific case within $\mathbf{P}\left(\theta \right)$, we compare the resulting histograms from simulated data against the theoretical binomial distributions inferred from the marginalized multinomial model. Using the parameters of each binomial distribution, we computed the 99% credible interval to capture the expected range of variation.

The results are reported in Figure 11, where each panel represents a unique combination of intensity level, detection outcome, and basis alignment configuration. In each plot, the normalized histogram of simulated data is shown alongside the theoretical Probability Mass Function (PMF) for the binomial distribution, with the 99% credible interval shaded. This comparison assesses the degree of alignment between theory and data, providing empirical validation of the i.i.d. model under the conditions specified.

In addition to validating the general detection probabilities, we conducted an experiment to assess the accuracy of our theoretical model for the distribution of signal and erroneous clicks. Specifically, we tracked the number of gain clicks $G_{m\lambda }$ and erroneous clicks $R_{m\lambda }$ for each basis alignment configuration m (matching or non-matching) and intensity level $\lambda$.

For each combination of basis alignment and intensity, the histogram of simulated counts for gain clicks $G_{m\lambda }$ and erroneous clicks $R_{m\lambda }$ was compared with the theoretical binomial distributions, as defined in Equations (90) and (91).

The results are reported in Figure 12, where it clearly shows the alignment between the theoretical Probability Mass Functions (PMFs) and the empirical histograms from the simulated data. The 99% confidence intervals derived from the binomial distributions are shaded in each plot, providing a benchmark for the expected range of counts. Observing that the simulated data closely adhere to the theoretical PMF within these confidence intervals further confirms the robustness of our model in capturing both signal and error probabilities for different basis alignments and intensities.

Comparison with the Decoy-State Protocol

As a key difference between the proposed method and the decoy-state protocol, the proposed framework provides the ability to compute the probabilities of individual detection events (00, 01, 10, and 11) for both matching and non-matching bases. In contrast, the decoy-state protocol does not distinguish between these specific detection outcomes. Instead, the decoy-state protocol simplifies the analysis by focusing on aggregated quantities—the gain count (G) and error count (R)—while treating double-click events as both signal and error and restricting its analysis to the matching bases ($a=b$).

Due to these distinctions, a figure equivalent to Figure 11 cannot be generated for the decoy-state protocol, as its authors did not provide theoretical predictions for individual click patterns. However, the decoy-state protocol does give testable theoretical predictions for the number of signal and error clicks under the matching basis case, which can be evaluated. For this experiment, we adjusted the counting to include double-click events in both G and R and restricted the analysis to matching bases ($a=b$). The results of this comparison are presented in Figure 13.

The results in Figure 13 reveal discrepancies between the simulated data and the theoretical predictions of the decoy-state protocol, particularly for the gain counts (G) under the low-intensity level ${\lambda }_1$. These deviations highlight the limitations of the decoy-state protocol in accurately modeling the detection process, as it does not account for the finer distinctions between individual click patterns or non-matching bases. While this analysis focuses on the specific configuration of the matching case, later experiments will demonstrate that such deviations become more significant as intensity decreases.

By comparison, the proposed framework, as demonstrated in Figure 11 and Figure 12, consistently aligns closely with theoretical predictions across a broader range of scenarios. This further underscores the robustness of the proposed method in accurately capturing both the individual detection events and the aggregated signal and error counts, providing a more comprehensive and reliable framework for QKD security analysis.

4.1.2. Validation of the HMM Model

In this subsection, we validate the Hidden Markov Model (HMM) framework, as formalized in Theorem 4. This validation method we employ here mirrors the i.i.d. approach in Section 4.1.1 but incorporates after-pulsing in the simulation by setting $p_a=0.1$ and uses the HMM-based probability vector $\widehat{\mathbf{P}}\left(\theta \right)$ in the likelihood (10% variation between the detectors was employed; see Table 2).

For comparison, we also applied the i.i.d.-based probability vector $\mathbf{P}\left(\theta \right)$ to the same HMM-generated data to assess the extent of deviation when dependencies are present.

Figure 14 and Figure 15 illustrate strong alignment between the simulated HMM data and the theoretical distributions derived from $\widehat{\mathbf{P}}\left(\theta \right)$, supporting the validity of the HMM model under these experimental conditions. In contrast, a clear deviation is shown when the i.i.d. model is applied to the data affected by after-pulsing.

4.2. Error Rate Estimation

To validate the error rate calculations derived from our proposed method and compare them to the decoy-state protocol, we analyze the error rate ${\delta }_{m\lambda }\left(\theta \right)$, as defined in Equation (89). To ensure comparability with the decoy-state protocol, we consider a scenario with symmetric detectors and define a gain as any pulse where either of the detectors registers a click. By applying Lemmas 4 and 6, we simplify the calculations for $Q_{m\lambda }\left(\theta \right)$ and $E{Q}_{m\lambda }\left(\theta \right)$ under the conditions of matching bases, no eavesdropper intervention, and a signal intensity $\mu$. This yields the following expressions for our model:

$$\begin{array}{cc}\hfill Q_{\mu }\left(\theta \right)& =1-{(1-p_d)}^2{e}^{-\mu ·p_{AB}·p_c},\hfill \end{array}$$

(135)

$$\begin{array}{cc}\hfill E{Q}_{\mu }\left(\theta \right)& =1-(1-p_d)e^{-\mu ·p_{AB}·p_c·p_e},\hfill \end{array}$$

(136)

whereas for the decoy-state protocol, the corresponding calculations are given by:

$$\begin{array}{cc}\hfill Q_{\mu }\left(\theta \right)& =p_d+1-e^{-\mu ·p_{AB}·p_c},\hfill \end{array}$$

(137)

$$\begin{array}{cc}\hfill E{Q}_{\mu }\left(\theta \right)& =e_0·p_d+p_e(1-e^{-\mu ·p_{AB}·p_c}),\hfill \end{array}$$

(138)

where $e_0=\frac{1}{2}$, and we omit the subscript $m=1$ for brevity. The decoy-state protocol justified their approximation under the assumption that $p_d$ is small, making it a reasonable simplification for most practical scenarios. However, in a subsequent experiment, we will demonstrate that this approximation can lead to significant errors in certain cases.

For the purpose of this experiment, both the proposed method and the decoy-state protocol treat double-click events as both a gain and an error to enable a one-to-one comparison. While necessary for consistency, double-click events inherently provide no useful information and have an error rate of 50%. The decoy-state protocol, however, assumes an error rate of 100% for double-click events, even when employing more refined calculations. This assumption contradicts fundamental information-theoretic principles, as a 100% error rate corresponds to minimum Shannon entropy, implying more information than a 50% error rate, where entropy is maximized. Consequently, this misrepresentation underestimates the true entropy of the data and leads to an overestimation of the secure-key rate, introducing significant discrepancies in the security analysis.

4.2.1. Simulation Setup and Results

To evaluate the performance of the decoy-state protocol and our proposed method in estimating $\delta$, we conducted simulations using the parameter set from Table 1. To enable a direct comparison with the decoy-state protocol, we configured the detectors symmetrically and set the intensity to $\mu =0.48$ (the optimal intensity for the GYS configuration as per [8]). We also incorporated after-pulse probabilities of 5% and 10% to evaluate their impact on performance. Each session consisted of ${10}^9$ pulses, and the experiment was repeated over various distances between Alice and Bob, ranging from 0 to 150 km in 5 km increments.

For each configuration, we recorded the number of gain and erroneous clicks, treating double-click events as both a signal and an error to maintain consistency with the decoy-state approach. We then calculated the empirical error rates and compared them to the theoretical 99% confidence intervals of the approximate Beta distribution described in Equation (96), whose parameters were derived based on the mean and approximate variance from Theorem 2. While the confidence intervals are approximate, the expected value is derived exactly.

The results are presented in Figure 16, which shows the error rates as a function of distance for various after-pulse probabilities. The shaded regions represent the 99% confidence intervals, while the expected values are depicted as solid lines. The figure highlights the differences between the error rate estimates provided by our method and the decoy-state protocol across different scenarios.

4.2.2. Analysis of Results

The results in Figure 16 clearly illustrate that the error rate increases with distance for all scenarios, with higher after-pulse probabilities exacerbating the increase. The proposed method consistently provides more accurate error rate estimates, as indicated by the alignment of the empirical error rates with the theoretical confidence intervals. In contrast, the decoy-state protocol’s approximation underestimates the error rate, particularly at greater distances and higher after-pulse probabilities.

This discrepancy highlights a significant limitation of the decoy-state protocol’s approximation, which assumes a negligible dark count probability $p_d$. As shown, this assumption becomes increasingly problematic as distance and after-pulse probability increase, leading to overconfident secure-key rate calculations. Our approach, which accounts for these effects more rigorously, provides a more reliable estimate, emphasizing the importance of using accurate error rate models in QKD implementations.

4.3. Secure-Key Rate Comparison

Building on our validation of the theoretical gain and error rates, we now examine the secure-key rates of the proposed protocol in comparison with the decoy-state protocol.

4.3.1. Experimental Setup

For this experiment, we implemented the weak+vacuum decoy-state protocol with intensity parameters $\mu =0.48$, ${\nu }_1=0.05$, and ${\nu }_2=0$ to match the setup detailed in [8]. The experiment was conducted using the GYS configuration with parameters specified in Table 1. Additionally, the detectors were symmetrized to align with the assumptions made in the decoy-state protocol paper. To highlight the advantages of the proposed protocol, we extended the analysis to include three additional intensities: $\mu =1$, $\mu =5$, and $\mu =10$. These intensities were chosen to demonstrate the broader operational range achievable with the proposed method.

It is worth noting that later refinements of the decoy-state, such as [42,43,44], still treat all multi-photon pulses as insecure; by contrast, our observation-based Bayesian framework uses the measured click statistics to bound the actual fraction of compromised multi-photon pulses, thereby establishing an ultimate upper limit that any worst-case decoy analysis cannot surpass. We therefore retain the canonical weak + vacuum variant for familiarity and ease of comparison.

4.3.2. Secure-Key Rate Calculation

The secure-key rate for the decoy-state protocol is calculated as follows (after a slight change of notation from the original paper and omitting the dependency on $\theta$ for brevity):

$$\begin{array}{c}\hfill K_{\mathrm{Decoy}}\ge q·\left\{-Q_{\mu }f\left({\delta }_{\mu }\right)H_2\left({\delta }_{\mu }\right)+Q_1\left[1-H_2\left(e_1\right)\right]\right\},\end{array}$$

(139)

where q is the protocol efficiency, $\frac{1}{2}$ for the BB84 protocol, and $f\left({\delta }_{\mu }\right)$ is the error correction efficiency, set to 1.22 (an upper bound for this experiment [8]). The terms are defined as:

$$\begin{array}{cc}\hfill e_1& =\frac{E{Q}_{{\nu }_1}{e}^{{\nu }_1}-E{Q}_{{\nu }_2}{e}^{{\nu }_2}}{Y_1({\nu }_1-{\nu }_2)},\hfill \end{array}$$

(140)

$$\begin{array}{cc}\hfill Q_1& =Y_1\mu e^{-\mu },\hfill \end{array}$$

(141)

$$\begin{array}{cc}\hfill Y_1& =\frac{\mu }{\mu {\nu }_1-\mu {\nu }_2-{\nu }_1^2+{\nu }_2^2}\left(Q_{{\nu }_1}{e}^{{\nu }_1}-Q_{{\nu }_2}{e}^{{\nu }_2}-({\nu }_1^2-{\nu }_2^2)\frac{Q_{\mu }{e}^{\mu }-Y_0}{{\mu }_2}\right),\hfill \end{array}$$

(142)

$$\begin{array}{cc}\hfill Y_0& =max\left(\frac{{\nu }_1{Q}_{{\nu }_2}{e}^{{\nu }_2}-{\nu }_2{Q}_{{\nu }_1}{e}^{{\nu }_1}}{{\nu }_1-{\nu }_2},0\right).\hfill \end{array}$$

(143)

Furthermore, we recalculated the secure-key rate for the decoy-state protocol using corrected gain and error probabilities. Specifically, we replaced $E{Q}_{\mu }$ and $Q_{\mu }$ in Equations (137) and (138) with the corrected versions in Equations (135) and (136) and proceeded with the secure-key rate calculation as outlined.

For the proposed protocol, the secure-key rate calculation is based on the GLLP formulation, incorporating the signal yield $Q_{\mu }$, the error-correction factor $f\left({\delta }_{\mu }\right)$, and the protocol efficiency q:

$$\begin{array}{c}\hfill K\ge q·Q_{\mu }·\left\{-f\left({\delta }_{\mu }\right)H_2\left({\delta }_{\mu }\right)+\left(1-\Delta \right)\left[1-H_2\left(\frac{{\delta }_{\mu }}{1-\Delta }\right)\right]\right\}.\end{array}$$

(144)

The calculations for the proposed method assume $\Delta =0$, indicating no eavesdropping intervention. This assumption is informed by our previously developed Bayesian framework, which allows for the inference of $\Delta$ from the observed data. Unlike the decoy-state protocol, which relies on an intensity-based approach, the proposed method leverages an observation-based approach, providing greater flexibility in assessing the presence of eavesdropping. For the purpose of this analysis, we present the secure-key rate assuming $\Delta =0$, with the understanding that as the session length increases, the inference of $\Delta =0$ becomes increasingly robust. Thus, the reported secure-key rate reflects the asymptotic behavior under this assumption.

The resulting secure-key rate performance is shown in Figure 17. The figure includes the secure-key rates for the proposed protocol across various intensities, alongside both the original and corrected versions of the decoy-state protocol for direct comparison.

4.3.3. Analysis of Secure-Key Rates

Figure 17 compares the secure-key rates of our proposed protocol against the decoy-state protocol in this asymptotic regime. Under the same intensity setting and across its operational range, our approach achieves a median improvement of about 2.5 times the key generation rate and a 12.44% increase in distance compared to the decoy-state protocol using the same intensity. Moreover, by increasing the pulse intensity to 10 photons per pulse (a cap chosen to ensure numerical precision in the incomplete Gamma function computations), we obtain up to 50 times the key generation rate and a 62.2% increase in operational distance (approximately 200 km).

In addition to increasing key rate, this approach grants access to operational regimes that were previously inaccessible. Moreover, operating at higher intensities enables the use of less sensitive and more cost-effective detectors.

4.4. Testing the Bayesian Framework

In this section, we explore the robustness and accuracy of the Bayesian framework in inferring key system parameters under different modeling assumptions. We conduct two main experiments: one assuming the i.i.d. model and another incorporating the Hidden Markov Model (HMM) to account for after-pulse effects. The aim is to validate the posterior distributions constructed using the Bayesian framework and assess the impact of these modeling choices on the inferred secure-key rates.

4.4.1. Inference of Eve’s Parameters Under the i.i.d. Model

The first experiment focuses on inferring Eve’s parameters, ${\theta }_E=\{d_{AE},p_{EB},k,\Delta \}$, while assuming an i.i.d. model for photon detection events. All other parameters were kept constant as per Table 1. The number of intensity levels was set to eight (twice the number of parameters in ${\theta }_E$), evenly spaced between ${\lambda }_{min}$ and a capped ${\lambda }_{max}=10$, to ensure numerical precision due to limitations in the software’s incomplete function implementation (all computations were performed using Matlab R2024b). The capping avoids potential inaccuracies caused by the function returning identical values for different parameters when the intensity difference exceeds 10, ensuring reliable and precise calculations within the function’s resolution.

We utilized the Shrinking-Rank Slice Sampler (SRSS) [45], a variant of Covariance-Adaptive Slice Sampling [38]. Although the derivation of the gradients is excluded from this paper for brevity, they were computed and are available in our code implementation [46]. The session length was ${10}^9$ pulses, with ${10}^5$ samples drawn and a burn-in of ${10}^3$ iterations. Instead of sampling multiple chains and performing convergence diagnostics, we relied on manual inspection and ensured that our chosen sample size exhibited convergence for this configuration. To minimize the risk of poor starting points, we began with the expected value of the prior, optimized to the Maximum a Posteriori (MAP) estimate using gradient-based optimization techniques, and used this MAP estimate as our initial sample. This approach allowed us to employ a relatively small burn-in size, as the initialization ensured that sampling started from a high-probability region of the posterior.

The posterior distributions for Eve’s parameters are shown in Figure 18. The histograms, along with Kernel Density Estimates (KDEs) normalized as Probability Density Functions (PDFs), illustrate the inferred distributions. The empirical Cumulative Distribution Functions (CDFs) from the KDEs were used to highlight the 99% confidence intervals, with the true parameter values indicated for comparison.

Because the secure-key rate K is a deterministic, one-to-one function of the parameters $(Q_{\mu },{\delta }_{\mu },\Delta )$, every MCMC draw of those parameters can be converted directly into a draw of K. Specifically, for each posterior sample we substitute the triplet into Equation (144) to obtain a single key-rate value; collecting all such values yields the posterior distribution of K, which we analyse separately for each intensity level.

Unlike the decoy-state protocol, which primarily uses the signal intensity ($\mu$) for key generation, our approach ensures that no intensity is wasted. As long as $K>0$ for a given intensity level, it contributes to the secure-key generation, enabling efficient utilization of all pulses and maximizing the extracted key rate. The transformed secure-key rate distributions are depicted in Figure 19.

Analysis of the Inference Results

The results in Figure 18 indicate a high degree of accuracy in inferring Eve’s parameters. The ground truth values lie well within the 99% confidence intervals and close to the empirical mean, demonstrating that the Bayesian framework can reliably capture the underlying parameter distributions. Additionally, the kernel density estimates provide smooth approximations of the posteriors, validating the sampling method’s efficiency. The corresponding secure-key rate distributions in Figure 19 show that, for all intensity levels, the key rates remain consistently above zero, confirming that the proposed method can effectively leverage the full range of intensities for key generation.

4.4.2. Inference of Eve’s Parameters Under the HMM Model

The second experiment incorporates after-pulsing effects into the simulation and uses the Hidden Markov Model (HMM) to capture the resulting temporal correlations. In this setup, the after-pulse probability $p_a$ was set to 0.1, with a 10% variation applied between the two detectors, consistent with the parameters used in Table 2. The experimental configuration and sampling approach remained the same as in the i.i.d. case.

Results for the HMM Model

The posterior distributions for Eve’s parameters under the HMM model are shown in Figure 20. As in the i.i.d. case, the histograms represent sampled values, the solid black lines correspond to Kernel Density Estimates (KDEs), and the shaded regions denote the 99% confidence intervals. The true parameter values are indicated by red vertical lines for reference.

When incorporating after-pulsing effects, the results demonstrate a high level of accuracy in parameter inference, with the ground truth values well-contained within the confidence intervals. This highlights the robustness of the Bayesian framework under the more complex after-pulsing scenario. The inferred distributions show slightly broader confidence intervals compared to the i.i.d. case, reflecting the increased uncertainty introduced by temporal correlations. Despite this, the model effectively captures the true parameter values.

Comparison with the i.i.d. Model

To assess the impact of neglecting after-pulsing, we performed the same experiment under the incorrect i.i.d. assumption while using data generated with Algorithm 2, which incorporates after-pulsing effects. The posterior distributions inferred using the i.i.d. model are shown in Figure 21. The results highlight severe discrepancies between the inferred parameters and their true values, accompanied by unwarranted confidence in these erroneous estimates. Most importantly, $\Delta$—a critical parameter for secure-key rate calculations—is significantly underestimated, with a mean value of 0.0149 compared to the ground truth of 0.2. This underestimation of $\Delta$ is particularly costly, as it leads to overestimated secure-key generation rates, thereby compromising the protocol’s security. The high confidence intervals around these incorrect predictions further underscore the failure of the i.i.d. model to capture the temporal correlations introduced by after-pulsing.

Secure-Key Rate Analysis

We also transformed the inferred posterior distributions into secure-key rate distributions for both the HMM model and the mismatched i.i.d. model. The results are depicted in Figure 22 and Figure 23, respectively. Under the HMM model, the secure-key rates for the first four intensity levels are effectively zero. This behavior differs from the case without after-pulsing, where these intensities still contributed to the key rate. After-pulsing increases the error rate, which, in turn, suppresses secure-key generation for these lower intensities. However, for higher intensity levels, the HMM model effectively leverages as much information as possible, resulting in significantly larger secure-key rates with tight confidence intervals closely centered around the ground truth values.

In contrast, the i.i.d. model applied to data generated with after-pulsing results in highly inaccurate secure-key rate estimates. The key rates were consistently and significantly overestimated. Moreover, the model exhibited unwarranted confidence in these highly inaccurate results.

4.4.3. Testing the Fully Bayesian Model

Building on the previous evaluations, we next tested the proposed approach under a fully Bayesian framework, treating all system parameters as random variables with appropriate priors. The setup follows the same structure as the HMM experiment but incorporates variability in all parameter values.

Experimental Setup

Instead of using fixed parameter values as in Table 1, we introduced randomness to the system parameters by sampling them from distributions with 5% standard deviation around their reported means. For example, if the reported value of $\alpha$ is 0.21, we sampled from a Gamma distribution with parameters chosen to match the reported mean of $0.21$ and standard deviation of $0.042$. For parameters that are bounded, such as probabilities, we sampled from Beta distributions with similarly matching means and standard deviations. The sampled values were assumed fixed for the duration of the session. Priors were chosen to reflect realistic uncertainties: Beta distributions for bounded parameters and Gamma distributions for semi-bounded ones. The priors were designed to have the same means as the reported parameters but with standard deviations doubled to 10%, ensuring a reasonable level of variability. The simulation was run for ${10}^9$ pulses, with the sampling and inference conducted using the same Shrinking-Rank Slice Sampler (SRSS) methodology as in previous experiments. The inferred posterior distributions for the fully Bayesian model are shown in Figure 24, while the secure-key rates derived from these posteriors are presented in Figure 25.

Testing the Fixed-Parameter Assumption

To investigate the impact of incorrectly assuming fixed parameters, we repeated the analysis using data generated from the same randomly sampled parameters but assumed that these parameters were fixed at their expected values during inference. This assumption mirrors the earlier experiments with mismatched models, such as assuming independence when after-pulsing is present. The results for parameter inference under this fixed assumption are depicted in Figure 26, and the corresponding secure-key rate distributions are shown in Figure 27.

Analysis of Results

The results in Figure 24 and Figure 25 demonstrate the effectiveness of the fully Bayesian model in accurately capturing the true distributions of both system parameters and secure-key rates. The posterior distributions align well with the true values, and the confidence intervals are tight, indicating high reliability in the inferred values. Importantly, the secure-key rate distributions remain above zero across all intensity levels, reflecting the model’s capacity to utilize the full range of available data for key generation.

In contrast, Figure 26 and Figure 27 highlight the substantial inaccuracies that arise when assuming fixed parameters during inference. The posterior distributions show significant deviations from the true parameter values, and the secure-key rates are mostly severely overestimated. This underscores the risks of neglecting parameter variability in QKD systems, as such oversimplifications can lead to erroneous security assessments.

These findings highlight the robustness of the fully Bayesian framework in handling parameter uncertainties, providing a reliable foundation for analyzing real-world QKD systems where parameter variability is inevitable.

5. Time Complexity Analysis

In this section, we analyze the computational complexity of evaluating the posterior for both the i.i.d. and Hidden Markov Model (HMM) frameworks. The vector of counts C is assumed to be precomputed and available. Evaluating the posterior involves computing the likelihood function, prior distribution, and Jacobian determinant, as well as their derivatives with respect to the parameters.

5.1. Computational Complexity for the i.i.d. Model

The likelihood function for the i.i.d. model is given by:

$$\begin{array}{c}\hfill \mathcal{L}(C\mid N,\theta )=Multinomial\left(C\mid N,\mathbf{P}\left(\theta \right)\right),\end{array}$$

(145)

where $\mathbf{P}\left(\theta \right)$ is the vector of detection probabilities computed based on the model parameters $\theta$, as in Equation (45).

5.1.1. Function Evaluation

The computational cost for evaluating $\mathbf{P}\left(\theta \right)$ involves calculating detection probabilities for all possible detection outcomes (00, 01, 10, 11) and matching/non-matching cases. The length of $\mathbf{P}\left(\theta \right)$ is therefore $8N_{\lambda }$. Thus, the time complexity for computing the likelihood in the i.i.d. case is:

$$\begin{array}{c}\hfill T_{\mathcal{L}}=\mathcal{O}\left(N_{\lambda }\right).\end{array}$$

(146)

Evaluating the prior distribution $\mathcal{P}(\theta \mid {\theta }_P)$ and the Jacobian determinant involves computations for each of the $N_{\theta }$ parameters:

$$\begin{array}{c}\hfill T_{\mathcal{P}}=\mathcal{O}\left(N_{\theta }\right),T_{\mathcal{J}}=\mathcal{O}\left(N_{\theta }\right).\end{array}$$

(147)

5.1.2. Derivative Evaluations

Computing the derivatives of the likelihood function with respect to each parameter involves calculating the derivatives of $\mathbf{P}\left(\theta \right)$ for each detection probability. This results in $N_{\theta }\times 8N_{\lambda }$ derivative computations. The time complexity for computing the derivatives of the likelihood is therefore:

$$\begin{array}{c}\hfill T_{\partial \mathcal{L}}=\mathcal{O}\left(N_{\theta }{N}_{\lambda }\right).\end{array}$$

(148)

The cost for evaluating the derivative of the prior and the Jacobian is linear in $N_{\theta }$:

$$\begin{array}{c}\hfill T_{\partial \mathcal{P}}=\mathcal{O}\left(N_{\theta }\right),T_{\partial \mathcal{J}}=\mathcal{O}\left(N_{\theta }\right).\end{array}$$

(149)

5.1.3. Total Computational Cost

Let $T_f$ and $T_{\partial f}$ represent the time complexity for evaluating the posterior and its derivatives, respectively. For the i.i.d. model, these complexities are:

$$\begin{array}{cc}\hfill T_f& =T_{\mathcal{L}}+T_{\mathcal{P}}+T_{\mathcal{J}}=\mathcal{O}(N_{\lambda }+2N_{\theta }),\hfill \end{array}$$

(150)

$$\begin{array}{cc}\hfill T_{\partial f}& =T_{\partial \mathcal{L}}+T_{\partial \mathcal{P}}+T_{\partial \mathcal{J}}=\mathcal{O}\left(N_{\theta }{N}_{\lambda }\right).\hfill \end{array}$$

(151)

5.2. Computational Complexity for the HMM Model

In the HMM model, detection events are dependent due to after-pulsing effects. The likelihood function involves computing the stationary distribution of a Markov chain represented by the transition matrix $\mathbf{T}\left(\theta \right)$, with number of states $N_T=2\left|S\right|N_{\lambda }$, then projecting it using the emission matrix $\mathbf{E}$. Since the matrix $\mathbf{T}\left(\theta \right)$ is constructed from the base transition matrix $\mathbf{T}(p,q)$ in Equation (58), the density of the full matrix $\mathbf{T}\left(\theta \right)$ will be the same. Thus, from Equations (46) and (58), we have the following density factors:

$$\begin{array}{c}\hfill {\Omega }_{\mathbf{T}}=\frac{49}{{\left|S\right|}^2}\approx 60.5\%,{\Omega }_{\mathbf{E}}=\frac{9}{\left|S\right|\left|O\right|}=25\%.\end{array}$$

(152)

5.2.1. Function Evaluation

The likelihood function involves computing $\widehat{\mathbf{P}}\left(\theta \right)$ in Equation (74), which has three main steps: (1) constructing the transition matrix $\mathbf{T}\left(\theta \right)$, (2) computing the stationary distribution $\overline{\mathbf{v}}\left(\theta \right)$, and (3) projecting the stationary distribution onto the observable probabilities using the emission matrix $\mathbf{E}$.

Transition Matrix

Constructing $\mathbf{T}\left(\theta \right)$ has a complexity proportional to the number of non-zero elements:

$$\begin{array}{c}\hfill T_{\mathbf{T}\left(\theta \right)}=\mathcal{O}\left({\Omega }_{\mathbf{T}}{N}_T^2\right)=\mathcal{O}\left(N_{\lambda }^2\right).\end{array}$$

(153)

Stationary Distribution

The stationary distribution is computed using an iterative eigenvalue solver, requiring $N_I$ iterations. The complexity is therefore:

$$\begin{array}{c}\hfill T_{\overline{\mathbf{v}}\left(\theta \right)}=\mathcal{O}\left(N_I{\Omega }_{\mathbf{T}}{N}_T^2\right)=\mathcal{O}\left(N_I{N}_{\lambda }^2\right).\end{array}$$

(154)

Emission Projection

Projecting $\overline{\mathbf{v}}\left(\theta \right)$ has a complexity:

$$\begin{array}{c}\hfill T_{{\mathbf{E}}^{\top }\overline{\mathbf{V}}\left(\theta \right)}=\mathcal{O}({\Omega }_{\mathbf{E}}\left|O\right|\left|S\right|N_{\lambda })=\mathcal{O}\left(N_{\lambda }\right).\end{array}$$

(155)

The total time complexity for evaluating the likelihood is:

$$\begin{array}{c}\hfill T_{\widehat{\mathcal{L}}}=T_{\mathbf{T}\left(\theta \right)}+T_{\overline{\mathbf{v}}\left(\theta \right)}+T_{{\mathbf{E}}^{\top }\overline{\mathbf{V}}\left(\theta \right)}=O\left(N_I{N}_{\lambda }^2\right).\end{array}$$

(156)

5.2.2. Derivative Evaluations

Computing the derivatives of the likelihood involves taking the derivatives of the above steps with respect to each parameter, which have the same time complexities:

$$\begin{array}{cc}\hfill T_{\partial \mathbf{T}\left(\theta \right)/\partial {\theta }_i}& =T_{\mathbf{T}\left(\theta \right)},\hfill \end{array}$$

(157)

$$\begin{array}{cc}\hfill T_{\partial \overline{\mathbf{v}}\left(\theta \right)/\partial {\theta }_i}& =T_{\overline{\mathbf{v}}\left(\theta \right)},\hfill \end{array}$$

(158)

$$\begin{array}{cc}\hfill T_{{\mathbf{E}}^{\top }\partial \overline{\mathbf{V}}\left(\theta \right)/\partial {\theta }_i}& =T_{{\mathbf{E}}^{\top }\overline{\mathbf{V}}\left(\theta \right)}.\hfill \end{array}$$

(159)

The total derivative complexity is:

$$\begin{array}{c}\hfill T_{\partial \widehat{\mathcal{L}}}=N_{\theta }\left(T_{\partial \mathbf{T}\left(\theta \right)/\partial {\theta }_i}+T_{\partial \overline{\mathbf{v}}\left(\theta \right)/\partial {\theta }_i}+T_{{\mathbf{E}}^{\top }\partial \overline{\mathbf{V}}\left(\theta \right)/\partial {\theta }_i}\right)=\mathcal{O}\left(N_{\theta }{N}_I{N}_{\lambda }^2\right).\end{array}$$

(160)

5.2.3. Total Computational Cost

Let $T_{\widehat{f}}$ and $T_{\partial \widehat{f}}$ represent the time complexity for evaluating the HMM posterior and its derivatives, respectively. For the i.i.d. model, these complexities are:

$$\begin{array}{cc}\hfill T_{\widehat{f}}& =T_{\widehat{\mathcal{L}}}+T_{\mathcal{P}}+T_{\mathcal{J}}=\mathcal{O}(N_I{N}_{\lambda }^2+2N_{\theta }),\hfill \end{array}$$

(161)

$$\begin{array}{cc}\hfill T_{\partial \widehat{f}}& =T_{\partial \widehat{\mathcal{L}}}+T_{\partial \mathcal{P}}+T_{\partial \mathcal{J}}=\mathcal{O}\left(N_{\theta }{N}_I{N}_{\lambda }^2\right).\hfill \end{array}$$

(162)

5.3. Analysis of Time Complexities

We summarize the computational complexities for both the i.i.d. and HMM models in

Table 3. Summary of computational complexities for evaluating the posterior and its derivatives under the i.i.d. and HMM models (assuming $N\lambda >2N_{\theta }$).

Model	Function Evaluation	Derivative Evaluation
i.i.d.	$\mathcal{O}\left(N_{\lambda }\right)$	$\mathcal{O}\left(N_{\theta }{N}_{\lambda }\right)$
HMM	$\mathcal{O}\left(N_I{N}_{\lambda }^2\right)$	$\mathcal{O}\left(N_{\theta }{N}_I{N}_{\lambda }^2\right)$

(assuming $N_{\lambda }>2N_{\theta }$ as we do in practice). The i.i.d. model exhibits linear scaling with the number of intensity levels $N_{\lambda }$ and the number of parameters $N_{\theta }$ for function evaluation, and scales linearly with their product for derivative computation. In contrast, the HMM model shows a quadratic dependence on $N_T$, the number of states in the Markov chain, which itself is proportional to $N_{\lambda }$.

Analyzing these results, we observe that the HMM model incurs significantly higher computational costs compared to the i.i.d. model. The quadratic dependence on $N_{\lambda }$ in the HMM model arises from the need to compute the stationary distribution and its derivatives. Despite the higher computational complexity, the HMM model captures the dependencies introduced by after-pulsing effects and other temporal correlations in the detection events, which are neglected in the i.i.d. framework.

While the HMM model is computationally more expensive than the i.i.d. model, it enables accurate analysis of QKD systems with detector dependencies and temporal correlations, such as after-pulsing. This approach allows us to assess whether or not after-pulsing significantly impacts error rates and evaluate trade-offs, such as increasing the detector dead time to lower the key rate or accepting additional post-processing time to maintain a higher key rate. Such flexibility ensures tailored solutions based on specific application requirements.

In addition, the added computational effort unlocks the ability to analyze scenarios that traditional methods, like the decoy-state protocol, cannot handle. This framework provides a practical means to push the limits of secure key distribution, such as operating at higher intensities for longer distances. By overcoming the fundamental limitations of existing protocols, this approach prioritizes expanding the boundaries of what is possible in secure key distribution. Once these new limits are achieved, further optimizations can focus on improving efficiency, ensuring that both capability and performance evolve together.

6. Conclusions

We have presented a Bayesian, observation-driven framework for decoy-state DV-QKD that replaces worst-case tail bounds with high-credibility inferences while leaving the GLLP key-rate expression intact. An HMM captures after-pulsing memory, and fully Bayesian parameter updates remove the identical-parameter premise, thereby relaxing the conventional i.i.d. assumption.

Leveraging the full detection statistics at the post-processing level makes the method agnostic to the specific DV-QKD variant and applicable to any implementation that employs decoy states (e.g., [16,47]). This data-driven approach, in turn, yields significantly higher secure-key rates, extends the operational distance, and permits the use of less-efficient, more cost-effective detectors—all without changes to the optical hardware.

Future work will optimize protocol parameters—selecting the intensity set and session length that bound key quantities such as Eve’s interception fraction $\Delta$—and implement the scheme in hardware to validate the theoretical predictions.