Weak Randomness Analysis of Measurement-Device-Independent Quantum Key Distribution with Finite Resources

Abstract

The ideal quantum key distribution (QKD) protocol requires perfect random numbers for bit encoding and basis selecting. Perfect randomness is of great significance to the practical QKD system. However, due to the imperfection of practical quantum devices, an eavesdropper (Eve) may acquire some random numbers, thus affecting the security of practical systems. In this paper, we analyze the effects of the weak randomness in the measurement-device-independent QKD (MDI-QKD) with finite resources. We analytically derive concise formulas for estimating the lower bound of the single-photon yield and the upper bound of the phase error rate in the case of the weak randomness. The simulation demonstrates that the final secret key rate of MDI-QKD with finite resources is sensitive to state preparation, even with a small proportion of weak randomness, the secure key rate has a noticeable fluctuation. Therefore, the weak randomness of the state preparation may bring additional security risks. In order to ensure the practical security of the QKD system, we are supposed to strengthen the protection of state preparation devices.

1. Introduction

Theoretically, the quantum key distribution (QKD) can provide unconditional security for confidential communications of two legitimate parties, Alice and Bob [1]. Unfortunately, because of the imperfection of the practical system, many quantum attacks may take advantage of the loopholes introduced by imperfect devices [2,3,4], such as the wavelength attack [5], the detector control attack [6,7], the Trojan horse attack [8,9]. Actually, such kinds of attack methods have been experimentally demonstrated on QKD systems and cannot be ignored in terms of practical security.

In order to overcome the practical QKD system security threat, proposing new protocols and security patching have been two main solutions. Lo et al. proposed [10] the measurement-device-independent QKD (MDI-QKD) protocol, which is immune to all detector channel attacks without making any security assumptions about the quantum devices. Recently, twin-field QKD (TF-QKD) [11] and the asynchronous MDI-QKD [12] have been proposed, respectively. Their key rate can exceed the Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound [13]. Both MDI-QKD and TF-QKD have made significant progress in term of theory and experiment [14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32]. Although MDI-QKD and TF-QKD can resist all attacks on quantum state measurement devices, Eve may shift their target to quantum state preparation devices [33,34,35,36,37,38].

It has been hypothesized that Eve may control imperfect quantum state preparation devices so that bit encoding and measurement basis selection may be nonrandomly modulated in a practical QKD system [39]. Because of the quantum state preparation vulnerability of the weak randomness, a security evaluation of the weak randomness is of great significance in the practical QKD system. Based on this practical security threat, Li et al. proposed [40] a weak randomness model of the BB84 protocol. Under the model, the quantum states which Alice prepared are divided into two parts: the random part and the non-random part where the non-random part may be controlled by Eve to acquire more information. Zhang et al. [41] also analyzed reference-frame-independent QKD (RFI-QKD) security under the impact of the weak randomness, and briefly discussed the RFI-MDI-QKD under weak randomness.

In this paper, we will analyze the effects of weak randomness in vacuum + weak decoy-state MDI-QKD with finite resources [42,43,44,45,46] based on the universally composable framework. Here, we will present a tight security analysis in MDI-QKD with finite resources. In analyzing the weak randomness in MDI-QKD, we assume that the quantum states prepared by both Alice and Bob could be controlled by Eve with a certain probability [47], but Eve does not necessarily have the same abilities to control Alice or Bob. We also suppose that the quantum states prepared by both Alice and Bob are controlled by hidden variables $\lambda$ and $\delta$ from Eve, where $\lambda$ determines the quantum states prepared by Alice, $\delta$ determines the quantum states prepared by Bob. The non-random probability of quantum states prepared by Alice is $p_1$, and the random probability is $1-p_1$. The non-random probability of quantum states prepared by Bob is $p_2$, and the random probability is $1-p_2$. When $p_1=1$ or $p_2=1$, it shows that Eve can obtain all the information, that is, $R=0$. When $p_1=p_2=0$, it indicates that Eve cannot directly acquire information, so the security can be assured. When $0<p_1<1,0<p_2<1$, the weak randomness model could be applied to estimate the amount of the leaked information obtained by Eve. From the experimental parameters, we deduce that the weak randomness of the state preparation has threatened the security of MDI-QKD, and MDI-QKD with finite resources has extremely strict requirements of state preparation. We should put forward higher requirements of state preparation randomness to ensure the practical security of the QKD system.

The rest of paper is organized as follows: we describe a practical vacuum + weak decoy-state MDI-QKD protocol with biased basis choice in Section 2. In Section 3, we present the weak randomness analysis for the protocol with finite resources and deduce concise formulas of bounding the yield and the bit error rate for the single-photon events. The numerical simulations are shown in Section 4 and the conclusion is summarized in Section 5.

2. Protocol Description

In a practical QKD system, we usually choose the weak coherent state source, which contains the vacuum state, the single photon state and the multiphoton state, instead of the single photon source. We focus on the vacuum + weak decoy-state MDI-QKD, and the description of the protocol is presented as follows [48]:

• Preparation: Alice and Bob randomly modulate the intensities ${\alpha }_a\in \mathrm{A}=\left\{{\mu }_a,v_a,0\right\}$ and ${\beta }_b\in \mathrm{B}=\left\{{\mu }_b,v_b,0\right\}$ with probability of $p_{{\mu }_a},p_{v_a},p_{0_a}=1-p_{{\mu }_a}-p_{v_a}$ and $p_{{\mu }_b},p_{v_b},p_{0_b}=1-p_{{\mu }_b}-p_{v_b}$, respectively. Where ${\mu }_{a\left(b\right)}$ is the signal state intensity, $v_{a\left(b\right)}$ is the decoy state intensity, 0 is the vacuum state. For signal states, Alice and Bob only choose the Z basis. For decoy states, Alice and Bob randomly choose a bit value from $\left\{0,1\right\}$, and select Z basis and X basis in probability of $p_z$ and $1-p_z$, respectively. Finally, they prepared a phase randomized, weak coherent pulse based on the selected value and send it to Charlie via a quantum channel.
• Measurement and alignment: Charlie performs Bell state measurements (BSM) of pulses from Alice and Bob, and then publishes the measurements to Alcie and Bob. Both parties conduct basis alignment in open channel and compare their intensity: ${\mu }_a\left(v_a\right),{\mu }_b\left(v_b\right)$. They retain correct measurement results and discard mismatched measurement results. At this time, the number of pulses successfully detected in the Z basis and X basis are $n_{ab}^Z$ and $n_{ab}^X$, and the subscript indicates the intensity combinations chosen by Alice and Bob: $\left\{{\mu }_a{\mu }_b,{\mu }_a{v}_b,v_a{\mu }_b,v_a{v}_b,{\mu }_{a}0,v_{a}0,0{\mu }_b,0v_b\right\}$.
• Parameter estimation: Firstly, Alice and Bob calculate the number of bit error in X basis $m_{ab}^X$. Second, they calculate the number of successful measurement results corresponding to the single photon pulse in Z basis $s_{11}^Z$ and the number of phase error $c_{11}^Z$. Finally, they calculate the phase error rate in Z basis $e_{ph}=c_{11}^Z/s_{11}^Z\le {\tilde{e}}_{ph}$, where ${\tilde{e}}_{ph}$ refers to the phase bit error rate which needs to be met. Execution continues if complied, otherwise the agreement will be terminated.
• Post-processing: Alice and Bob perform error correction, and the process consumes information at most as $lea{k}_{EC}$ bits. They also use hash functions to perform error verification to ensure that both parties get the same key, and it requires consumption information of ${log}_2\frac{2}{{\epsilon }_{cor}}$ bits, where ${\epsilon }_{cor}$ is the probability of passing the error verification process for the key pairs $(X_A,X_B)$. In the end, after the two parties perform the secret amplification operation, the key pairs are obtained by Alice is $S_A$, and the key pairs obtained by Bob is $S_B$.

3. Security Analysis

3.1. Security Bound

We first introduce the universally composable framework:

Definition 1

([42]). If the key pairs $(S_A,S_B)$ generated by Alice and Bob satisfy the following conditions, the protocol is said to be ε-secure:

• $Correctness$. If the probability of keys $S_A$, $S_B$ being not identical is maximal ${\epsilon }_{cor}$, the keys are said to be ${\epsilon }_{cor}$-correct:

  $$Pr(S_A\ne S_B)\le {\epsilon }_{cor},$$
• $Screcy$. The keys $S_A$, $S_B$ are said to be ${\epsilon }_{sec}$-secure with respect to the Eve holding a quantum system E if:

  $$\frac{1}{2}{p}_{abort}∥{\rho }_{AE}-{\rho }_U\otimes {\rho }_E∥\le {\epsilon }_{sec},$$

  $$\frac{1}{2}{p}_{abort}∥{\rho }_{BE}-{\rho }_U\otimes {\rho }_E∥\le {\epsilon }_{sec}.$$

  where $p_{abort}$ denotes the probability of protocol failure aborted, ${\rho }_{AE}\left({\rho }_{BE}\right)$ denotes the classical-quantum states of the system for Alice (Bob) and system E, and ${\rho }_U$ denotes the fully mixed state on $S_A$ or $S_B$.

The entropic uncertainty relation to establish a bound on the smooth min-entropy of the raw key conditioned on Eve’s information based on the composable security definition has been extended to the case with finite resources [43]. Here, we do the finite-key analysis based on the composable framework. The length of $\epsilon$-secure keys in the Z basis is presented as follows [45]:

$$\ell \ge s_0^Z+s_{11}^{Z,L}\left[1-H\left(e_{ph}^U\right)\right]-lea{k}_{EC}-6{log}_2\frac{21}{{\epsilon }_{sec}}-{log}_2\frac{2}{{\epsilon }_{cor}}.$$

(1)

with ${\epsilon }_{cor}$-correct and ${\epsilon }_{sec}$-secure, where $s_0^Z$ refers to the number of measurement events when one party sends a vacuum state and Charlie obtains a successful BSM. $s_{11}^Z$ and $e_{ph}^U$ are the lower bound of the single photon count rate and the upper bound of the phase error rate in Z basis, respectively. $H\left(x\right)=-{log}_{2}x-(1-x){log}_2(1-x)$ is the binary entropy function, and $lea{k}_{EC}$ is the number of bits consumed in the post-processing step.

3.2. Parameter Estimation

First of all, we consider the state preparation stage with weak randomness, supposing that Alice and Bob prepare binary set of bits S and T, respectively, to randomly encode the bit and select the basis. We apply $\left|S\right|,\left|T\right|$ representing the number of elements of the set S and T, respectively. Due to the imperfection of the quantum devices, a part of the set S and T can be mastered by Eve. For the set of quantum states prepared by Alice, which is consisted of random part $S_1$ and non-random part $S_2$. For the set of quantum states prepared by Bob, which is consisted of random part $T_1$ and non-random part $T_2$. This assumption is reasonable by considering two cases: the first one is that the random number generator devices may be imperfect so that part of the random numbers may be leaked to Eve. The second one is that the imperfect state modulation may be prepared by different laser diodes from Alice and Bob, which can be partly distinguished by observing the properties of the spectrum, timing sequence. We define the probability of non-random parameter at Alice as $p_1=\frac{|S_2|}{\left|S\right|}$, the probability of non-random parameter at Bob as $p_2=\frac{|T_2|}{\left|T\right|}$. In a practical QKD system, we cannot guarantee the attack capabilities of Eve against Alice is the same as Bob, so we cannot ensure $p_1=p_2$. For the weak randomness condition, quantum states prepared by Alice and Bob in the practical system could be expressed as follows:

$${\rho }_{Alice}^{\prime }=\frac{p_1}{2}\sum _{\alpha =0,1}\left|\alpha \right.〉{\left.〈\alpha \right|}_{Alice}\otimes \left|\alpha \right.〉{\left.〈\alpha \right|}_{Eve}+(1-p_1){\rho }_{Alice}\otimes \left|2\right.〉{\left.〈2\right|}_{Eve},$$

(2)

$${\rho }_{Bob}^{\prime }=\frac{p_2}{2}\sum _{\beta =0,1}\left|\beta \right.〉{\left.〈\beta \right|}_{Bob}\otimes \left|\beta \right.〉{\left.〈\beta \right|}_{Eve}+(1-p_2){\rho }_{Bob}\otimes \left|2\right.〉{\left.〈2\right|}_{Eve}.$$

(3)

where the quantum states prepared by Alice and Bob can be divided into two parts: the first term on the right-hand side of Equations (2) and (3) denote that the quantum states are prepared from a non-random set, the second term denote that the quantum states are prepared from a random set. The auxiliary quantum state of Eve is related to the system of Alice (Bob). For the system of Alice, if the auxiliary quantum state of Eve is $\left|\alpha \right.〉{\left.〈\alpha \right|}_{Eve}$, it indicates that Eve can obtain the key of Alice $\alpha$. For the system of Bob, if the auxiliary quantum state of Eve is $\left|\beta \right.〉{\left.〈\beta \right|}_{Eve}$, it indicates that Eve can obtain the key of Bob $\beta$. For the system of Alice and Bob, if the auxiliary quantum state of Eve is $\left|2\right.〉{\left.〈2\right|}_{Eve}$, it indicates that Alice and Bob prepared the perfect BB84 quantum states ${\rho }_{Alice}$ and ${\rho }_{Bob}$, and Eve cannot distinguish different encoding states at this point. Eve can distinguish random part $S_1$ and non-random part $S_2$ of Alice by observing auxiliary quantum states (and the random part $T_1$ and non-random part $T_2$ of Bob). The practical QKD system requires completely true random numbers for preparing quantum states. However, the weak randomness of practical QKD systems is universal because of the imperfection of quantum devices.

Note that the weak coherent state source encoding can be supposed to be a special non-random encoding case in the practical MDI-QKD system, where the quantum states from non-random part can be detected by exploiting the photon number splitting(PNS) attack. If the mean photon number of the weak coherent source is $\mu$, the probability of non-random is the probability of multiphoton $p_{1\left(2\right)}$. Actually, the PNS attack can be detected by applying the decoy-state method. However, because of the device variances, the weak randomness attack cannot be detected by utilizing the decoy-state method.

Under the weak randomness model, Eve wants to acquire more information so we can assume that Eve only performs a certain probability attenuation operation on the quantum states of the random part, and does not perform on the quantum states of the non-random part. Then we can suppose that the final bit error only come from the random part, and the non-random part does not produce the bit error. Based on the attenuation operation, the nonrandom probability in Charlie’s side can be amplified by considering the signal loss so that the maximal transmission distance may be decreased seriously. Moreover, because of the attenuation operation of the attacker, the single photon successful gain under Z basis is reduced, and the bit error rate under X basis is doubled, so the length of the final security key may be significantly reduced. The specific parameters are estimated as follows:

Firstly, let $s_{nm}^Z$ be the total numbers of successful detection events Charlie obtains when Alice and Bob prepare n-photon states and m-photon states in Z basis, and $n^Z$ be the total numbers of events when quantum states are prepared by Alice and Bob in Z basis and are successfully detected by Charlie. For $\left\{{\mu }_a{\mu }_b,{\mu }_a{v}_b,v_a{\mu }_b,v_a{v}_b,{\mu }_{a}0,v_{a}0,0{\mu }_b,0v_b\right\}$, the expected value of $n_{ab}^Z$ can be expressed as:

$${\overline{n}}_{ab}^Z=\sum _{n,m=0}^{\infty }{p}_{ab|nm}^Z{s}_{nm}^Z,$$

(4)

where $p_{ab|nm}^Z$ is the conditional probabilities that Alice and Bob prepared n-photon states and m-photon states in Z basis with intensity $\left\{{\mu }_a{\mu }_b,{\mu }_a{v}_b,v_a{\mu }_b,v_a{v}_b,{\mu }_{a}0,v_{a}0,0{\mu }_b,0v_b\right\}$. Based on Bayes’ rule, it can be expressed as:

$$p_{ab|nm}^Z=\frac{p_{ab}^Z}{{\tau }_{ab}^Z}{p}_{a|n}{p}_{b|m}.$$

(5)

where ${\tau }_{ab}^Z=\sum p_{ab}^Z\frac{e^{-a-b}{a}^n{b}^m}{n!m!}$ is the probability of Alice and Bob prepared n-photon states and m-photon states in Z basis, and $p_{ab}^Z$ is the probability of Alice and Bob modulate the intensity ${\alpha }_a$ and ${\beta }_b$ in Z basis. $p_{a|n}$ and $p_{b|m}$ is the photon number distributions of Alice and Bob, respectively.

Subsequently, for the case of weak randomness model, the probability of quantum states prepared by Alice with non-randomness is $p_1$, and the probability of quantum states prepared by Bob with non-randomness is $p_2$. The probability of single-photon states prepared by both parties with randomness state is ${\tau }_{11}(1-p_1)(1-p_2)$, and the probability with non-randomness is ${\tau }_{11}(1-(1-p_1)(1-p_2))={\tau }_{11}(p_1+p_2-p_1{p}_2)$. The probability with randomness when only one party prepares a single photon state is ${\tau }_{01}(1-p_1)(1-p_2)$, the probability with non-randomness is ${\tau }_{01}(1-(1-p_1)(1-p_2))={\tau }_{01}(p_1+p_2-p_1{p}_2)$. In a practical quantum system, Eve may attenuate the quantum states prepared by Alice and Bob. Considering the weak randomness attenuation, signal loss may happen in random set $S_1\left(T_1\right)$, but all quantum states prepared in non-random set $S_2\left(T_2\right)$ arrive to Charlie without signal loss. The probability of signal loss both two parties prepare and send single photon state in random set under Z basis is:

$$p_{loss}^Z=\frac{s_{11}^Z-{\tau }_{11}^Z(p_1+p_2-p_1{p}_2)N}{N-(p_1+p_2-p_1{p}_2)N},$$

(6)

the proportion of quantum states arriving at Charlie with non-randomness is:

$$p_{non-rand}^Z=\frac{{\tau }_{11}^Z(p_1+p_2-p_1{p}_2)N}{s_{11}^Z},$$

(7)

the proportion of quantum states arriving at Charlie with randomness is:

$$p_{rand}^Z=\frac{s_{11}^Z-{\tau }_{11}^Z(p_1+p_2-p_1{p}_2)N}{s_{11}^Z},$$

(8)

where N is the total number of transmitting signals.

Considering independent event conditions, we exploit $Chernoff$ bound [49] to perform finite-size key analysis on MDI-QKD. For the finite sample sizes, the number of practical measurement events can be satisfied [48]:

$$\left|{\overline{n}}_{ab}^Z-n_{ab}^Z\right|\le \delta \left(n_{ab}^Z,{\epsilon }_1\right),$$

(9)

with probability at least $1-2{\epsilon }_1$, where $\delta \left(x,y\right)\in \left[-\Delta ,\hat{\Delta }\right]$, with $\Delta =\sqrt{2xln\left(16y^{-4}\right)}$ and $\hat{\Delta }=\sqrt{2xln\left(y^{-3/2}\right)}$.

Additionally, let $s_{nm}^X$ be the total numbers of Charlie acquiring the successful detection events when Alice and Bob prepare n-photon states and m-photon states in X basis, and $v_{nm}^X$ be the corresponding number of bit error. $m_{ab}^X$ is the total amounts of bit error when Alice sends states in X basis and $m_{ab}^X=\sum _{n,m=0}{v}_{nm}^X$. For $\left\{{\mu }_a{\mu }_b,{\mu }_a{v}_b,v_a{\mu }_b,v_a{v}_b,{\mu }_{a}0,v_{a}0,0{\mu }_b,0v_b\right\}$, the expected numbers of bit error $m_{ab}^X$ can be expressed as:

$${\overline{m}}_{ab}^X=\sum _{n,m=0}^{\infty }{p}_{ab|nm}^X{v}_{nm}^X,$$

(10)

where $p_{ab|nm}^X$ is the conditional probabilities that Alice and Bob prepare n-photon states and m-photon states in X basis with $\left\{{\mu }_a{\mu }_b,{\mu }_a{v}_b,v_a{\mu }_b,v_a{v}_b,{\mu }_{a}0,v_{a}0,0{\mu }_b,0v_b\right\}$. Based on Bayes’ rule, it can be expressed as:

$$p_{ab|nm}^X=\frac{p_{ab}^X}{{\tau }_{ab}^X}{p}_{a|n}{p}_{b|m}.$$

(11)

where ${\tau }_{ab}^X=\sum p_{ab}^X\frac{e^{-a-b}{a}^n{b}^m}{n!m!}$ the probability of Alice prepare n-photon states and Bob and m-photon states in X basis. $p_{ab}^X$ is the probability that Alice and Bob modulate the intensity ${\mu }_a$ and ${\beta }_b$ in X basis, and $p_{a|n}$ and $p_{b|m}$ is the photon number distributions of Alice and Bob, respectively.

Similarly, within the independent event conditions, for the finite sample sizes, the ${\overline{m}}_{ab}^X$ under the $chernoff$ bound can be satisfied [48]:

$$\left|{\overline{m}}_{ab}^X-m_{ab}^X\right|\le \delta \left(m_{ab}^X,{\epsilon }_2\right),$$

(12)

with probability at least $1-2{\epsilon }_2$, where $\delta \left(x,y\right)\in \left[-\Delta ,\hat{\Delta }\right]$, with $\Delta =\sqrt{2xln\left(16y^{-4}\right)}$ and $\hat{\Delta }=\sqrt{2xln\left(y^{-3/2}\right)}$.

Actually, the probability of signal loss both two parties prepare and send single photon state in random set under X basis is:

$$p_{loss}^X=\frac{s_{11}^X-{\tau }_{11}^X(p_1+p_2-p_1{p}_2)N}{N-(p_1+p_2-p_1{p}_2)N},$$

(13)

the proportion of quantum states arriving at Charlie with non-randomness is:

$$p_{non-rand}^X=\frac{{\tau }_{11}^X(p_1+p_2-p_1{p}_2)N}{s_{11}^X},$$

(14)

the proportion of quantum states arriving at Charlie with randomness is:

$$p_{rand}^X=\frac{s_{11}^X-{\tau }_{11}^X(p_1+p_2-p_1{p}_2)N}{s_{11}^X}.$$

(15)

Note that, only the single-photon pulses from the random set can be used to generate secret keys. In analyzing the impacts of weak randomness, the number of single photon sent by both parties in Z basis which cannot generate secret keys is as follows:

$${\tilde{s}}_{11}^Z={\tau }_{11}^Z(1-p_1)(1-p_2)N,$$

(16)

the number of single photon sent by both parties which can generate secret keys satisfies:

$$s_{11}^{\prime }\ge s_{11}^{Z,L}-{\tilde{s}}_{11}^Z,,$$

(17)

the lower bound of the number of single photons sent by one party in Z basis which cannot generate secret keys is as follows:

$${\tilde{s}}_0^Z={\tau }_{01}^Z(1-p_1)(1-p_2)N,$$

(18)

the number of single photon sent by one party which can generate secret keys satisfies:

$$s_0^{\prime }\ge s_0^Z-{\tilde{s}}_0^Z.,$$

(19)

where the lower bound of the successful counts of the single photon sent by two parties in Z basis $s_{11}^{Z,L}$ satisfies [50]:

$$\begin{array}{cc}\hfill s_{11}^{Z,L}\ge & [\left(p_{1|v_a}{p}_{2|{\mu }_a}{p}_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_a}{p}_{1|{\mu }_a}{p}_{2|v_b}{p}_{1|{\mu }_b}\right)N_{v_a{v}_b}^Z-p_{1|v_b}{p}_{2|v_b}(p_{1|v_a}{p}_{2|{\mu }_a}-p_{2|v_a}{p}_{1|{\mu }_a})N_{v_a{\mu }_b}^Z\hfill \\ \hfill & -p_{1|v_a}{p}_{2|v_a}(p_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_b}{p}_{1|{\mu }_b})N_{{\mu }_a{v}_b}^Z]\times \frac{{\tau }_{11}^Z}{p_{1|v_a}{p}_{1|v_b}(p_{1|v_a}{p}_{2|{\mu }_a}-p_{2|v_a}{p}_{1|{\mu }_a})(p_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_b}{p}_{1|{\mu }_b})},\hfill \end{array}$$

(20)

the number of successful counts of the single photon sent by one party in Z basis satisfies:

$$s_0^Z=e^{-{\mu }_a}{n}_{0{\mu }_b}^Z+e^{-v_a}{n}_{0{\mu }_b}^Z+e^{-{\mu }_a}{n}_{0v_b}^Z+e^{-v_a}{n}_{0v_b}^Z,$$

(21)

where

$$N_{v_a{v}_b}^Z=\frac{n_{v_a{v}_b}^{Z,L}}{p_{v_a}{p}_{v_b}{p}_Z}-\frac{p_{0|v_a}{n}_{0v_b}^{Z,U}}{p_{0_a}{p}_{v_b}{p}_Z}-\frac{p_{0|v_b}{n}_{v_{a}0}^{Z,U}}{p_{v_a}{p}_{0_b}{p}_Z}+\frac{p_{0|v_a}{p}_{0|v_b}{n}_{00}^{Z,L}}{p_{0_a}{p}_{0_b}},$$

(22)

$$N_{v_a{\mu }_b}^Z=\frac{n_{v_a{\mu }_b}^{Z,U}}{p_{v_a}{p}_{v_b}{p}_Z}-\frac{p_{0|v_a}{n}_{0{\mu }_b}^{Z,L}}{p_{0_a}{p}_{{\mu }_b}{p}_Z}-\frac{p_{0|{\mu }_b}{n}_{v_{a}0}^{Z,L}}{p_{v_a}{p}_{0_b}{p}_Z}+\frac{p_{0|v_a}{p}_{0|{\mu }_b}{n}_{00}^{Z,U}}{p_{0_a}{p}_{{}_{0b}}},$$

(23)

$$N_{{\mu }_a{v}_b}^Z=\frac{n_{{\mu }_a{v}_b}^{Z,U}}{p_{{\mu }_a}{p}_{v_b}{p}_Z}-\frac{p_{0|{\mu }_a}{n}_{0v_b}^{Z,L}}{p_{0_a}{p}_{v_b}{p}_Z}-\frac{p_{0|v_b}{n}_{{\mu }_{a}0}^{Z,L}}{p_{{\mu }_a}{p}_{0_b}{p}_Z}+\frac{p_{0|{\mu }_a}{p}_{0|{\mu }_b}{n}_{00}^{Z,U}}{p_{0_a}{p}_{{}_{0b}}}.$$

(24)

in the same way, we deduce the lower bound $n_{{}_{ab}}^{Z,L}$ and upper bound $n_{{}_{ab}}^{Z,U}$ of $n_{{}_{ab}}^Z$ by applying the $Chernoff$ bound.

Under the weak randomness condition, due to the attenuation operation of the attacker on the quantum channel, the probability of non-randomness in Charlie increases, so the bit error rate in X basis satisfies:

$$e_b^{\prime }=e_b^X\frac{Y_{11}^X}{Y_{11}^X-(p_1+p_2-p_1{p}_2)},$$

(25)

where $Y_{11}^X$ is the number of single photons yield in the X basis, it satisfies [50]:

$$\begin{array}{cc}\hfill Y_{11}^X=& [\left(p_{1|v_a}{p}_{2|{\mu }_a}{p}_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_a}{p}_{1|{\mu }_a}{p}_{2|v_b}{p}_{1|{\mu }_b}\right)N_{v_a{v}_b}^X-p_{1|v_b}{p}_{2|v_b}(p_{1|v_a}{p}_{2|{\mu }_a}-p_{2|v_a}{p}_{1|{\mu }_a})N_{v_a{\mu }_b}^X\hfill \\ \hfill & -p_{1|v_a}{p}_{2|v_a}(p_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_b}{p}_{1|{\mu }_b})N_{{\mu }_a{v}_b}^X]\times \frac{1}{p_{1|v_a}{p}_{1|v_b}(p_{1|v_a}{p}_{2|{\mu }_a}-p_{2|v_a}{p}_{1|{\mu }_a})(p_{1|v_b}{p}_{2|{\mu }_b}-p_{2|v_b}{p}_{1|{\mu }_b})},\hfill \end{array}$$

(26)

in fact, the bit error rate in X basis without weak randomness is:

$$e_b^X=\frac{v_{11}^{X,U}}{s_{11}^{X,L}},$$

(27)

the upper bound of the number of single photon bit error in X basis satisfies:

$$v_{11}^{X,U}\le \frac{{\tau }_{11}^X{M}_{v_a{v}_b}^X}{p_{1|v_a}{p}_{1|v_b}},$$

(28)

where

$$M_{v_a{v}_b}^X=\frac{m_{v_a{v}_b}^{X,U}}{p_{v_a}{p}_{v_b}{p}_X}-\frac{p_{0|v_a}{m}_{0v_b}^{X,L}}{p_{0_a}{p}_{v_b}{p}_X}-\frac{p_{0|v_b}{m}_{v_{a}0}^{X,L}}{p_{v_a}{p}_{0_b}{p}_X}+\frac{p_{0|v_a}{p}_{0|v_b}{n}_{00}^{x,U}}{p_{0_a}{p}_{0_b}}.$$

(29)

here, $m_{{}_{ab}}^{X,L}$ and $m_{{}_{ab}}^{X,U}$ is the lower and upper bound of $m_{{}_{ab}}^X$, respectively, and they can be obtained by the $Chernoff$ bound.

When Alice and Bob prepare single photon states in X basis, exploiting the same calculation methods we can acquire the total numbers of successful detection events Charlie obtains in X basis $s_{11}^X$ comparable to the total number of successful detection events Charlie obtains in the Z basis $s_{11}^Z$.

In asymptotic conditions, we can assume that the phase bit error rate in Z basis is equal to the bit error rate in X basis, that is, $e_{ph}=e_b^X$. However, under the condition of the finite length of the key, there is a deviation between $e_{ph}$ and ${e^{\prime }}_b$. We suppose the deviation between the two is $\theta$. Exploiting the random sampling method of Fung et al. [51], we can estimate the phase error rate of the single photon events:

$$Pr(e_{ph}\ge {e^{\prime }}_b+\theta )\le \frac{\sqrt{s_{11}^{X,L}+s_{11}^{Z,L}}}{\sqrt{{e^{\prime }}_b(1-{e^{\prime }}_b)s_{11}^{X,L}{s}_{11}^{Z,L}}}{2}^{-(s_{11}^{X,L}+s_{11}^{Z,L})\sigma \left(\theta \right)},$$

(30)

where

$$\sigma \left(\theta \right)=H(e_b^{\prime }+\theta -\frac{s_{11}^{X,L}}{s_{11}^{X,L}+s_{11}^{Z,L}}\theta )-(1-\frac{s_{11}^{X,L}}{s_{11}^{X,L}+s_{11}^{Z,L}})H(e_b^{\prime }+\theta )-\frac{s_{11}^{X,L}}{s_{11}^{X,L}+s_{11}^{Z,L}}H(e_b^{\prime }),$$

(31)

for a given probability of failure ${\epsilon }_{sec}$:

$${\epsilon }_{sec}=\frac{\sqrt{s_{11}^{X,L}+s_{11}^{Z,L}}}{\sqrt{e_b^{\prime }(1-e_b^{\prime })s_{11}^{X,L}{s}_{11}^{Z,L}}}{2}^{-(s_{11}^{X,L}+s_{11}^{Z,L})\sigma \left(\theta \right)},$$

(32)

it can be calculated from $\theta =g({\epsilon }_{sec},e_b^{\prime },s_{11}^{X,L},s_{11}^{Z,L})$, where

$$g(a,b,c,d)=\sqrt{\frac{(c+d)(1-b)b}{cdln2}{log}_2\left(\frac{c+d}{cd(1-b)b}\frac{{21}^2}{a^2}\right)},$$

(33)

the upper bound of the phase error rate of the single-photon events in Z basis $e_{ph}$ can be expressed as:

$$e_{ph}^U\le e_b^{\prime }+g({\epsilon }_{sec},e_b^{\prime },s_{11}^{X,L},s_{11}^{Z,L}),$$

(34)

According to Equations (17), (19) and (34), we can calculate the length of final security key of the decoy-state MDI-QKD protocol with the weak randomness:

$${\ell }^{\prime }\ge s_0^{\prime }+s_{11}^{\prime }\left[1-H\left(e_{ph}^U\right)\right]-lea{k}_{EC}-6{log}_2\frac{21}{{\epsilon }_{sec}}-{log}_2\frac{2}{{\epsilon }_{cor}}.$$

(35)

4. Numerical Simulations and Discussions

In this section, we numerically simulate the performance of effects of weak randomness on MDI-QKD with finite resources. We consider a fiber-based channel model and experimental parameters from [44], and define $\alpha$ = 0.2 (dm/km) as the fiber loss coefficient, ${\eta }_d=0.145$ as the detection efficiency of the relay Charlie, and $p_d=6\times {10}^{-7}$ as the dark count for detectors. L is the length of fiber between Charlie and Alice (Bob). The security bound is fixed to $\epsilon ={10}^{-10}$, and $f=1.16$ is the efficiency of error correction. $R = \ell /\phantom{\ell N}N$ is the secret key rate, where N is the total number of transmitting signals sent by Alice. The numerical parameters are listed in

Table 1. List of experimental parameters applied in the numerical simulation in the following table: $\alpha$ (dm/km) is the loss coefficient of the fiber, f is the efficiency of error correction, ${\eta }_d$ is the efficiency for the Charlie-side detector, $e_d$ is the optical misalignment error rate, $p_d$ is the dark count for detectors, and $\epsilon$ is the predetermined security bound.

$\mathit{\alpha }$	f	${\mathit{\eta }}_{\mathit{d}}$	${\mathit{e}}_{\mathit{d}}$	${\mathit{p}}_{\mathit{d}}$	$\mathit{\epsilon }$
$0.2$	$1.16$	$0.145$	$0.015$	$6\times {10}^{-7}$	${10}^{-10}$

.

Firstly, we analyze the effects of weak randomness existing only one party (Alice or Bob) in Figure 1, where we suppose Alice and Bob are symmetrical in the practical QKD system. Here, we assume $p_2=0$ which means that Eve just masters the randomness information of Alice. $p_1=0,{10}^{-x}(x=6,5,4,3)$ means that Eve has different abilities of mastering the randomness information of Alice. As shown in Figure 1, the dashed lines from right to left are obtained for different weak randomness parameters $p_1=0,{10}^{-x}(x=6,5,4,3)$ with the fixed finite number of total pulses $N={10}^{15}$. We can deduce that although Eve just masters the randomness information of one party when $N={10}^{15}$, the generation of the security key rate will be seriously affected, and the security key is no longer being generated when $p_1\ge {10}^{-3}$. Particularly, when the parameter of weak randomness $p_1$ rises from 0 to ${10}^{-3}$, the achievable transmission distance declines from 182 km to 36 km.

Actually, compared with the general BB84 protocol, the MDI-QKD protocol is more vulnerable to the weak randomness of state preparation. The reason is that both of Alice and Bob perform the state preparation operation, which is different from BB84 protocol where just Alice performs the state preparation operation. In the practical MDI-QKD system, the possibility of the random number for bit encoding and basis selecting leaked to Eve may be greater because of the imperfection of the quantum devices.

Moreover, considering the practical MDI-QKD system with finite resources, we divide the weak randomness model into two cases. The first one is that the signal states and the decoy states may be modulated with the same laser diode by Alice and Bob so that both of the signal states and decoy states in Alice and Bob will be modulated with the same non-random probability $p_1$ and $p_2$. The second one is that the signal states and the decoy states may be modulated with the different laser diode by Alice and Bob. The signal states and the decoy states which are prepared by Alice and Bob are supposed to be distinguished with the nonrandom probability $p_1$ and $p_2$ and the different signal states cannot be distinguished. If the signal states can be distinguished from the decoy states, Eve can exploit the PNS attack without detection. If the signal states cannot be distinguished from the decoy states, Eve can attenuate the states in the quantum channel.

In order to perform a better simulation, we then study the effects of weak randomness for different finite number of total pulses N. We define $p_1=p_2={10}^{-6}$ as the secret key rate with weak randomness influence and $p_1=p_2=0$ as the secure key rate without weak randomness influence. The effects of weak randomness for the secure key rate with different $N={10}^x(x=13,14,15,16)$ are shown in Figure 2. Corresponding simulation results are shown in Figure 2, the solid lines from left to right are obtained for different total numbers of transmitting signals $N={10}^x(x=13,14,15,16)$ with the fixed weak randomness parameters $p_1=p_2=0$ and the dashed lines from left to right are obtained for different finite number of total pulses $N={10}^x(x=13,14,15,16)$ with the fixed weak randomness parameters $p_1=p_2={10}^{-6}$. We can find that even though the weak randomness parameter is obtained as small as ${10}^{-6}$, it will significantly affect the generation of the security key rate, which means that even small proportions of weak randomness can bring Eve a lot of information. As illustrated in Figure 2, because of Eve’s attenuation operation, the greater the total numbers of transmitting signals, the greater the reduction of the secure transmission distance. The achievable transmission distance declines $17.89\%$, $15.38\%$, $10.97\%$, $5.88\%$ when $N={10}^{16},{10}^{15},{10}^{14},{10}^{13}$, respectively.

Apparently, with the number of total pulse increases, so does the number of quantum states which may be attenuated. Eve may obtain more information due to the relation between the expected values and the observed values for the case with different modulated states in the practical QKD system. In this case, the number of modulated states distinguished by Eve may increase which leads to more leakage of the security key information so we are supposed to control the number of total pulses within a rational range rather than arbitrarily choosing.

To further research the effects of the weak randomness for different N, we consider the secure key rate for $N={10}^{15},{10}^{16}$ with different weak randomness parameters $p_1=p_2=0,{10}^{-x}(x=6,5,4,3)$ in Figure 3. As illustrated in Figure 3, the solid lines from right to left are obtained for different weak randomness parameters $p_1=p_2=0,{10}^{-x}(x=6,5,4,3)$ with the fixed finite number of total pulses $N={10}^{16}$ and the dashed lines from right to left are obtained for different weak randomness parameters $p_1=p_2=0,{10}^{-x}(x=6,5,4,3)$ with the fixed finite number of total pulses $N={10}^{15}$. We can discover that the security key rate of two different N lines are approximately asymptotic when the weak randomness parameters $p_1=p_2\ge {10}^{-5}$, which means that the influence of the weak randomness on final security key rate is stronger than the finite number of total pulses. The security key rate of two different N lines are not asymptotic when the weak randomness parameters $p_1=p_2\le {10}^{-6}$, which means that the influence of the weak randomness on the final security key rate is weaker than the finite number of total pulses.

From the above simulation results, we can deduce that the weak randomness has a non-negligible effect on the secret key rate of the MDI-QKD with finite resources, even though the weak randomness parameter is small. Moreover, the effects of the weak randomness on final security key rate may perform differently for the different finite number of total pulses.

5. Conclusions

In conclusion, we analyze the effects of weak randomness on the security key rate of MDI-QKD with finite resources, and demonstrate that MDI-QKD has high security demand of quantum state preparation. The MDI-QKD system generates fewer security keys and the achievable transmission distance declines from 182 km to 36 km when just one party exists the weak randomness $p_1$ which rises from 0 to ${10}^{-3}$. The system can no longer generate a security key when $p_1\left(p_2\right)\ge {10}^{-3}$. Considering the condition of finite resources, even though the weak randomness parameter is obtained as small as ${10}^{-6}$ or ${10}^{-5}$, it will significantly affect the generation of the security key rate, which means that even small proportions of weak randomness can bring Eve a lot of information. Additionally, because of Eve’s attenuation operation, the greater the total numbers of transmitting signals, the greater the reduction of the secure transmission distance where the achievable transmission distance declines $17.89\%$, $15.38\%$, $10.97\%$, $5.88\%$ for $N={10}^{16},{10}^{15},{10}^{14},{10}^{13}$. Moreover, the influence of the weak randomness on the final security key rate is stronger than the total numbers of transmitting signals when $p_1,p_2\ge {10}^{-5}$, and the influence of the weak randomness on the final security key rate is weaker than total numbers of transmitting signals when $p_1,p_2\le {10}^{-6}$.

Finally, we conclude that the practical decoy-state MDI-QKD system requires strict randomness in the state preparation. In order to avoid the weak randomness loopholes, two aspects can be seriously considered in the practical MDI-QKD system: the first one is to protect the true random numbers from information leakage to Eve, and the another one is that the state modulation apparatus are supposed to be carefully designed so that different modulated quantum states in the side of both Alice and Bob cannot be distinguished in all degrees of freedom. For example, the narrow spectral filter and the time filter can be applied in the practical experiment to reduce the distinguishability.