Experimental measurement-device-independent type quantum key distribution with flawed and correlated sources

The security of quantum key distribution (QKD) is severely threatened by discrepancies between realistic devices and theoretical assumptions. Recently, a significant framework called the reference technique was proposed to provide security against arbitrary source flaws under current technology such as state preparation flaws, side channels caused by mode dependencies, the Trojan horse atttacks and pulse correlations. Here, we adopt the reference technique to prove security of an efficient four-phase measurement-device-independent QKD using laser pulses against potential source imperfections. We present a characterization of source flaws and connect them to experiments, together with a finite-key analysis against coherent attacks. In addition, we demonstrate the feasibility of our protocol through a proof-of-principle experimental implementation and achieve a secure key rate of 253 bps with a 20 dB channel loss. Compared with previous QKD protocols with imperfect devices, our study considerably improves both the secure key rate and the transmission distance, and shows application potential in the practical deployment of secure QKD with device imperfections.


I. INTRODUCTION
Quantum key distribution (QKD) enables two distant participants, Alice and Bob, to share secure key bits [1,2] for the encryption and decryption of secret communication. Together with the one-time pad algorithm, QKD offers theoretical security for information exchanges based on the laws of quantum mechanics [3,4]. However, for the practical operation of QKD systems, a serious security loophole still exists, which occurs due to the discrepancy between theoretical security assumptions and practical devices. To be precise, a security proof of QKD is established with assumptions on the system devices, which cannot be satisfied for realistic devices because of inherent imperfections and the disturbance of eavesdroppers [5][6][7][8]. This deviation results in more information leakage to eavesdroppers, which cannot be noticed by users [3].
To narrow the discrepancy and further strengthen the security against device flaws, some crucial protocols have been presented, one of which is device-independent QKD, which guarantees the unconditional security of QKD by measuring the violation of Bell's inequality [9]. Although a number of experimental demonstrations of the loophole-free Bell test have been conducted [10][11][12], ex-recent study revealed that Bell nonlocality is insufficient to prove the security of standard device-independent QKD protocols [17] in the large-noise regime.
Recently, an important theoretical study was published to propose a security analysis method for practical QKD against source flaws, which is called the reference technique (RT) [50][51][52]. To be precise, the RT is a parameter estimation technique which can help simplify the estimation of parameters needed for security proof through several reference states. Using the RT method, parameters characterizing typical source flaws, such as state preparation flaws (SPFs) [53], side channels caused by mode dependencies, Trojan horse attacks (THAs), and classical pulse correlations [52], can be estimated to guarantee the security of the actual QKD protocol.
Here, we adopt the RT method to prove the practical security of a four-phase (FP) MDIQKD protocol [54] using coherent light sources against all possible source flaws, including pulse correlations. We apply the setup of phase encoding schemes [54] and the single photon interference introduced in twin-field QKD [24] contributes to improving the key rate of our scheme. In addition, we perform a proof-of-principle experimental implementation of our protocol to demonstrate its feasibility. Specifically, we fully characterize imperfect sources using the state representation in Ref. [51] (the reference state representation) and introduce bounded fidelity to offer a secure key rate by using the RT method. Although bounded fidelity was first introduced in the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) analysis [55,56], the GLLP analysis can be included under the RT method as a special case [51]. We simulated the secure key rate of our protocol and compared it with protocols in Refs. [50] and [46] which are both against source flaws. The simulation results show that both in the ideal scenario and in the scenario with source flaws, the secure key rate of our protocol shows a higher performance than the other two protocols.
We specify the parameters characterizing source flaws in the reference state representation and further relate them to data that can be measured experimentally to help generate a secure key rate in the experiment. Our experimental implementation only requires four-phase (quadrature phase-shift keying [57]) modulation of co-herent states, which avoids intensity modulation correlations [58] and does not require vacuum state preparation. In addition, we conducted a finite-key analysis of our protocol, which is secure against coherent attacks. Considering source flaws, our experiments can achieve a key rate of 253 bps with a 20 dB channel loss, which is a considerable progress compared with previous experimental implementations of QKD protocols with imperfect source and measurement devices [13][14][15][16]. Our study is the first experimental implementation of a QKD protocol using the RT method [43,51], with practical security against currently all possible imperfections in devices. The method we used to build relations between parameters estimated through the RT method and experimental data is also compatible with other potential source imperfections. Our study proves the feasibility of a practical secure QKD using the RT method. The features of our protocol also jointly show possible practicality for the future deployment of secure QKD systems with imperfect devices .

A. Protocol description
A brief schematic of the FP-MDIQKD protocol is shown in Fig. 1. In our QKD system, Alice and Bob send weak coherent state pulses to an untrusted node, Charlie, who performs the interference measurement. For simplicity, we first describe our protocol under the assumption that Alice and Bob are able to prepare perfect optical pulses. Source flaws are thoroughly discussed afterwards. The protocol comprises the following steps: (i) Preparation. In each turn, Alice randomly chooses the X and Y bases with probabilities p x and p y = 1 − p x , respectively. If selecting the X basis, she picks a "key" bit k a x ∈ {0, 1} and generates a weak coherent state pulse |e ik a x π α , where |α| 2 is the intensity of the optical pulse. When choosing the Y basis, she prepares a weak coherent state pulse |e i(k a y + 1 2 )π α according to random bit k a y ∈ {0, 1}. Bob does the same.
(ii) Measurement. Alice and Bob send their optical pulses to an untrusted middle node Charlie through insecure quantum channels. Charlie is expected to perform interference measurements and record the detector that clicks.
Note that Charlie is assumed to apply a 50:50 beam splitter to the incoming two optical pulses, followed by two threshold single-photon detectors, D1 and D2. We assume that D1 (D2) will click when the phase difference between the two incoming optical pulses is zero (π). We assume that Charlie records the situation when one and only one detector clicks as an effective measurement, regardless of the actual clicking results, because Charlie is an untrusted node and his betrayal can be included in the security analysis.
(iii) Sifting. Alice and Bob repeat Steps (i)-(ii) many times. Then, Charlie announces the effective measurements and detection results (whether D1 or D2 clicks). Alice and Bob maintain their corresponding keys and basis choices based on Charlie's announcement. If Charlie claims that D2 clicks, Bob will flip his key bit. Alice and Bob then disclose their basis choices for effective measurements through authenticated classical channels, and further classify their key bits with basis information.
(iv) Parameter estimation. For the retained key bits in the X and Y bases, Alice and Bob obtain the gain. Then, they disclose all key bits under the Y basis to calculate the bit error rate, which is used to set a bound on the phase error rate.
(v) Key distillation. Alice and Bob perform error correction and privacy amplification on the remaining sifted keys under the X basis to distill the final secure key bits.
Evidently, the use of weak coherent state pulses naturally makes it easier for us to characterize the SPFs because theoretically any deviation in intensity and phase modulation between ideal pulses and realistic pulses can be directly shown in the expression of laser pulses. No assumption on dimensions of Hilbert spaces is required. Our protocol further inherits the advantages that the QKD system can be implemented with fixed intensity because a recent study reveals that intensity modulation introduces extra pulse correlations of intensity [58].

B. Key rate of FP-MDIQKD
As depicted in Fig. 1, the setting of two bases can introduce bounded fidelity with imbalance ∆ of a quantum coin [54,55,59]. For simplicity, we only present the main result for key rate estimation because the idea of a quantum coin has been discussed in previous studies [55,56] (see Supplementary Material). Because only key bits under the X basis are used to form secure key bits, the final key rate of our FP-MDIQKD protocol is given by where Q x denotes the gain under the X-basis. E p is the phase error rate under the X-basis. E x b represents the quantum bit error rate under the X basis.
is the binary Shannon entropy function. According to the GLLP analysis and the RT method [51,[54][55][56]59], the phase error rate E p can be bounded by where E y b is the quantum bit error rate in the Y basis and ∆ quantifies the imbalance of Alice's and Bob's quantum coins based on their basis choices. ∆ can be bounded by the fidelity of the two basis-dependent states under the X and Y bases, which is denoted as | Ψ Y |Ψ X |. In the symmetric scenario in which Alice and Bob share basis-dependent states, the simplified relation between ∆ and fidelity is [59] where Q is the total gain. Here, θ ′ , δ X , and δ Y are free variables ranging from 0 to 2π and |Ψ V,δV = ( |Ψ jV is the state that Alice or Bob actually prepares in the implementation under the V basis (V = X or Y) with the bit value j. For the experimental implementation, the calculation of fidelity with imperfect sources can be expressed as where we use ǫ, µ, and θ to characterize pulse correlations, THAs, and side channels caused by mode dependencies, respectively. Here, we consider special cases of THAs and side channels as discussed in the reference state representation [43]. For the THAs, µ is the intensity of the back-reflected light sent by the eavesdroppers. For the side channels, θ is the parameter used to bound the side channels in the polarization space of our protocol in Eq. (8). Note that other potential side channels can also be characterized by additional parameters. For SPFs, we consider only the worst scenario with the maximum deviation in intensity and phase modulation without pulse correlations. |α ′ | 2 represents the realistic intensity modulation of coherent pulses. The maximum deviation ratio can be denoted by the optical power fluctuation ξ and ξ = |α ′ | 2 − |α| 2 /|α| 2 . δ represents the deviation from the ideal phase modulation. Aside from the THAs, the parameters of the side channels and SPFs discussed here can be directly measured in the experiment, which can be seen in our experimental implementation. By contrast, pulse correlations are usually witnessed during experiments in the form of pattern effects [60], which means ǫ cannot be directly derived through experimental measurements. Since our protocol was one FP-MDIQKD with fixed intensity, the pattern effect occurs in the phase modulation, which is denoted as ψ and ψ represents the maximum deviation of the phase modulation caused only by pulse correlations. Here, we derive a formula that relates ǫ to ψ, which can be obtained as We remark that ǫ is the parameter generalizing arbitrarily long-range pulse correlations. In our experiments, we only measure pattern effects happening between nearestneighbor pulses. However, our method can also be easily applied to measure long-range pattern effects when the length of pulse correlations is more than one, as shown in Supplementary Material. For experimental implementation, we provide a finitekey analysis of our protocol based on the method introduced in Ref. [61] and the analysis is secure against coherent attacks. The formula for the number of secure key bits l can be expressed as where n x denotes the number of raw bits under the X basis, which is used to generate the secret key, and leak EC = f H(E x b ) represents the percentage of bits consumed during the error correction. ǫ EC and ǫ PA represent the failure probabilities for the error correction and privacy amplification, respectively.ǭ is the other error probability that measures the accuracy of estimating smooth min-entropy. In addition, statistical fluctuations should be applied to determine the upper bound of the observed phase-error rate E p . Detailed formulas can be found in the Supplementary Material.

C. Characterization of source flaws
We characterized the expression for basis-dependent states in our protocol. First, an ideal scenario is presented. Then, we discuss how to jointly consider different realistic source flaws (SPFs, side channels arising from mode dependencies, THAs and pulse correlations) to describe the basis-dependent states using the reference state representation.

The ideal scenario
In the ideal scenario, Alice and Bob prepare perfect weakly coherent states. The symmetric scenario is another assumption under which the states Alice and Bob prepare are the same. The basis-dependent states are where {|0 X , |1 X } and {|0 Y , |1 Y } are the eigenstates of the Pauli operators σ x and σ y , respectively.

State preparation flaws
When considering SPFs in practical implementations, there is an inherent advantage of using weak coherent pulses as SPFs can be characterized by imperfect intensity and phase modulations on weak coherent pulses [53]. The actual basis-dependent states with SPFs can be expressed as Note that the phase in |α 0 can be regarded as the global phase and does not affect the bounded fidelity of the two bases. Here, we consider a situation with varied basis and bit choices, which have different deviations of intensity and phase modulations, to derive the general expression of the basis-dependent states. For the simulation and experimental implementations, as mentioned before, we only considered the worst scenario with maximum deviations in intensity and phase modulations without pulse correlations.

Side channels caused by mode dependencies
Side channels caused by mode dependencies are common imperfections in a practical QKD system, where the eavesdropper Eve can exploit dimensions other than the encoding dimension to distinguish states that carry the secret. For example, in our protocol, the bits are encoded in phase space, which is the operational space, and Eve can distinguish signals from senders using the polarization information of each state, which is one of the side channels . Here, we consider only the polarization space as the side-channel space, together with a polarization multimode scenario. We express the weak coherent states according to the basis and bit information as follows: where H and V refer to the horizontal and vertical polarization modes, respectively. In addition, we assume that θ 0 = θ 1 = θ 2 = θ 3 = θ, as we consider the worst situation when the maximum deviation of polarization θ occurs for every state. We adopt only states in the horizontal polarization mode to form the secure key rate, and θ can be directly measured through the extinction ratio of polarization. We obtain the basis-dependent states with side channels and SPFs as

Trojan horse attacks
THAs have been recognized as powerful eavesdropping strategies [62,63]. Here, we consider a special THA in which Eve can inject strong light into Alice's and Bob's sites through the quantum channel and obtain the phase modulation information by measuring the light reflected from Alice's and Bob's optical devices. Here, we can assume that the back-reflected strong light Eve sends to Alice's (Bob's) site is a strong coherent pulse: where T ∈ {0 X , 0 Y , 1 X , 1 Y } denotes the bit and basis choices of Alice and Bob and µ is the intensity of Eve's back-reflected light. Here, we apply the model of THAs, in which |ζ T E is a coherent state and |v T E is the vacuum state [43]. For simplicity, we consider the worst scenario in which the overlap is ξ T |ξ T ′ E = 0. When jointly considering the SPFs and side-channel effects, the basisdependent states can be written as

Pulse correlations
Pulse correlation is another security loophole in a practical QKD system [51,52,58,60,64], which is caused by different modulations between coherent pulses and can reveal the modulation information to Eve. Because vacuum state modulation is avoided in this study, it is not necessary to consider the intensity correlation between pulses [58]. However, since our protocol adopts a phase encoding scheme, phase modulation also introduces pulse correlations, which can be observed in our experiments. Fortunately, it has been theoretically demonstrated that classical pulse correlations can be interpreted as side channels [51]. Here we also discuss classical pulse correlations and leave characterization of quantum pulse correlations to be the future study. Furthermore, based on the recent study in Ref. [52], we firstly theoretically present characterization of long-range pulse correlations where the length of correlations is set as l c . Ignoring other source flaws, we express the entangled state of N pulses sent by Alice as ..,N denotes the qubit state representing bit and basis choices of Alice. p t ∈ {p x , p y } is related to basis choices since Alice biasedly chooses states in the X and Y bases. ψ j k |j k−1 C k is the kth state Alice send to Charlie which is affected by long-range pulse correlations. The conclusion in Refs. [51,52] shows that the actual kth state can also be expressed as |Φ A k represents the ideal state which is side channel free and Φ ⊥ A k is the state with side channels, which is orthogonal to |Φ A k . There is no need to derive the spe- To minimize a k means we maximize the pulse correlations which is considered as side channels. We directly derive the relation between the lower bound of a k and parameters characterizing pulse correlations of different lengths through outcomes in Ref. [52] as a k = lc d=1 √ 1 − ǫ d . ǫ d is the parameter characterizing influence of pulse correlations when the length of correlation is d. For simplicity, we introduce one parameter ǫ to generalize the formula of a k , which makes the relation a k = √ 1 − ǫ. For different basis choices of the X and Y bases, the relation remains. Therefore, we can obtain the state-dependent states as removing subscripts j k and introducing subscripts of basis choices to accomodate the GLLP analysis. Here we also consider the worst situation for the senders, where Ψ ⊥ X |Ψ ⊥ Y = 0. In the experiment, we could measure the deviation of phase modulations caused by pulse correlations, which is called the pattern effect [60]. Here, we only recorded the maximum phase deviation of nearestneighbor pulse correlations, which is denoted as ψ. We remark that in our protocol, pulse correlations of different lengths can also be recorded through our method measuring pattern effects. The relation between ǫ and ψ can be built through the following analysis. For simplicity, our discussion is also based on the condition that imperfections other than the pulse correlations are neglected. For example, when the ideal state without any imperfection is |−α , corresponding to bit 1 on the X basis, the phase modulations of this state will be influenced by long-range classical pulse correlations owing to the phase modulation of other pulses. The practical state corresponds to −e iψ α . Similar to the basic idea for finding the reference state, we can write the practical state as where −α|−e iψ α = e (e iψ −1)|α| 2 and there is no need to write down the specific expression of −α ⊥ . The definition of ǫ leads to the formula √ 1 − ǫ = e (e iψ −1)|α| 2 , and we obtain the relation ǫ = 1−e |α| 2 (2cosψ−2) . For other bit and basis choices, it is readily observed that the formula remains the same. In the experimental implementation, we will measure the pattern effect whose values can be seen in Supplementary Material. The pattern effect can be expressed by ψ in the form of sinψ, which means ψ can be derived through measurements of pattern effects. To be precise, for state |α , after phase modulation, the state can be expressed as |α ′ = e i(ψ+θ) |α . Consequently, the interference result of |α ′ and |α is (e iψ ± 1) |α / √ 2. Thus, the deviation of the pulse intensity after interference is sinψ.

The calculation of the basis-dependent states
Here, we need to calculate the analytic formula for the bounded fidelity to estimate the imbalance ∆. The which can be applied to the calculation of joint fidelity | Ψ Y |Ψ X | 2 . For simplicity, we further assumed that δ 1 = δ 2 = δ 3 = δ and α 0 = α 1 = α 2 = α 3 = α ′ , which represent the maximum deviations of the intensity and phase modulations, respectively, as shown in Eq. (3).

D. Experimental implementation
Here, we present a proof-of-principle experimental demonstration of the FP-MDIQKD protocol. The setup is illustrated in Fig. 2. This is a plug-and-play construction consisting of a Sagnac interferometer, similar to the system in Refs. [65,66]. We use the Sagnac loop to stabilize the phase fluctuation of the channel automatically, and all optical fibers maintain polarization.
Optical pulses are generated using a homemade pulsed laser. Pulses with a frequency of 100 MHz have an extinction ratio greater than 30 dB and a pulse width of less than 300 ps. Charlie sends the optical pulses to Alice and Bob. These optical pulses pass through a circulator and are then separated by a 50:50 BS into two identical pulses. The two pulses are phase-modulated by Alice and Bob. Specifically, clockwise (counterclockwise) pulses are modulated by Alice (Bob). In addition, four DWDMs are used as bandpass filters, and four BSs are utilized to monitor the intensity of pulses entering Alice's or Bob's site, with the aim of protecting against attacks from injected pulses. In fact, we did not monitor the intensity and filter pulses during implementation because of resource limitations, which should be addressed for security. However, these processes can be directly added to our system with little influence on the results. Alice (Bob) chooses the X basis with a probability of p x = 90% and the Y basis with a probability of p y = 10%. Note that random numbers are generated by Python's module random and the cycle length is 10000. The radio frequency signals for modulation and clock signals of the experimental system are produced by an arbitrary waveform generator with a sampling rate of 2.5 Gs/s (Tabor Electronics, P2588B).
After the phase modulations, Alice (Bob) send pulses through a variable optical attenuator before the Charlie's beam splitter. The loss between Alice (Bob) and Charlie is adjusted to simulate the loss of the communication channel. Pulses from Alice and Bob interfere at the BS. One output of this BS is detected by a single-photon detector D1 via the circulator, whereas the other output is followed directly by D2. The experimental parameters include the laser wavelength λ = 1550.14 nm, total efficiencies of the optical elements at the detection site, η det1 = 75.3% and η det2 = 86.1%, and detection efficiencies of the two detectors, η D1 = 88.0% and η D2 = 85.5%. η det1 consists of the efficiencies of three main components: the beam splitter, circulator, and polarization controller, whereas η det2 includes the beam splitter and polarization controller. Generally, for D 1 , the total detection efficiency η 1 (considering the loss in Charlie) is 66.3% and the dark count rate p d,1 is 1.6 × 10 −8 (1.5 ns per time window). For D 2 , the detection efficiency η 2 is 73.6% and the dark count rate p d,2 is 2.5 × 10 −8 (1.5 ns per time window).
We measured and quantified four types of source flaws in this system: imperfect intensity modulation, imperfect phase modulation, the extinction ratio of polarization (side channels), and pattern effects (pulse correlation). It should be noted that THAs cannot be quantified in this implementation, which is a flaw in the plug-and-play system, and we set them to 10 −7 [62]. Imperfect intensity modulation is quantified by the optical power fluctuation ξ of the pulses sent, because there is no intensity modulation in this protocol. Imperfect phase modulation can be quantitively characterized by the deviation δ between the actual and expected phases. For side channels θ, we measured the the extinction ratio of polarization tanθ of the pulses when the system was running. The pattern effects were quantified by the interference results of

A. Simulation results
To evaluate the performance of our protocol theoretically and experimentally, we simulate the secure key rates of our protocol in two different scenarios, sharing one precondition that we only conduct simulations in the asymptotic scenario. Specifically, we set the detector efficiency η d = 1 and the dark count rate p d = 10 −8 . The error correction efficiency f was set to 1.16. The simulation results are shown in Fig. 3, respectively.
In the first scenario, shown in Fig. 3a, we only considered the ideal scenario with no source flaws, which means that the parameters characterizing the source flaws can easily be set to zero. For comparison, we also depict the key rates of the two other side-channel-free protocols in Refs. [50] and [46]. The simulation results clearly illustrate that, when the total attenuation approaches 50 dB, only our protocol can generate secret keys. The final key rate of our protocol cannot break the PLOB bound, which results from the pessimistic assumption made in the GLLP analysis, where Eve is assumed to be able to enhance the fidelity decay with the channel losses. For improving the performance of our final key rate, the decoy state method [67][68][69] can be applied, which is the key to overcome the PLOB bound in twin-field-type QKD protocols [70]. However, with the same transmission loss, the key rate of our protocol was approximately one order of magnitude higher than that of the protocol in Ref. [50], and approximately two orders of magnitude higher than that of the protocol in Ref. [46].
In the second scenario, as illustrated in Fig. 3b, we analyzed the security of our protocol compared to that in Ref. [50], which generalizes all the side channels to a single parameter, ǫ. From the formula for the practical secure key rate in Eq. (14), if we only consider the pulse correlation flaws and set the other parameters to zero, ǫ can be converted into the parameter introduced in Ref. [50] , which characterizes general side channels. Based on this, we evaluated the key rate of our protocol for different degrees of general side channels (ǫ = 0, 10 −8 , 10 −7 , 10 −6 , 10 −5 ). In Fig. 3b, when ǫ increases, a decrease in the key rate can be observed both in our study and in the protocol in Ref. [50], and a better performance can be observed in our secret key rate with the same ǫ. The performance of our key rate means the decay of the fidelity causes the lower key rate and the decay of the fidelity means the more deviation between the practical states and the ideal states, which is why we consider the worst case of the fidelity in our theoretical analysis and experimental implementation. Additionally, our protocol can still generate a considerable secret key rate when ǫ = 10 −5 .

B. Experimental results
To demonstrate the advantages of our protocol when considering source flaws, we implemented experiments  [38,39] (black dotted line). An evident improvement in the key rate indicates that our protocol outperformed the other two protocols. (b) We applied the same parameter ǫ as in Ref. [50] to characterize general side channels and depict the performance of secret key rates in both our protocol and the protocol in Ref. [50] for different values of ǫ (0, 10 −8 , 10 −7 , 10 −6 , 10 −5 ) using different colors. Evidently, our protocol (solid lines) outperforms the protocol described in Ref. [50] (dashed lines) with respect to key rate. With ǫ = 10 −5 , the orange solid line can still generate a secure key rate when the total loss is 30 dB, whereas the orange dashed line can barely generate a secure key rate. (c) Considering the experimental results, we depicted the secret key rate when the total number of pulses sent by Alice or Bob N = 10 10 . The filled symbols indicate the experimental results obtained for whether source flaws were considered . The solid lines correspond to the theoretical simulation results for our protocol, under different assumptions.
under three values of channel losses between Alice and Bob: 10, 16, and 20 dB, with the number of pulses sent by Alice (Bob) N = 10 10 , as shown in Fig. 3c. We further performed experiments under channel losses of 30 and 35 dB, with the assumption that the sources are perfect. The shaded area between the blue and red lines shown in Fig. 3c is unsafe and need to be considered seriously. The blue line can be reached by rigorously narrowing the parameters in Eq. (3) to approximately 0. Considering imperfect sources, our protocol can obtain secure key bits when the channel loss is over 20 dB, which means that it can be implemented over 100 km using existing technologies. The key rate of 253 bps we achieved under a channel loss of 20 dB is the best result for the transmission distance and key rate considering both source and detection imperfections. Under 10 dB (∼50 km), the key rate of our protocol is over 90 kbps, whereas under 16 dB (∼80 km), the key rate is over 9 kbps. Regardless of the source flaws, we achieved a key rate of 29.2 bps with a channel loss of 35 dB. Detailed experimental results are presented in Table II. Although we cannot actually demonstrate THAs in our experiment, a recent study focused on resisting THAs, and its creative design of optical power limiters can also be applied in our study against THAs [63]. In addition, despite the fact that optical fibers were not used in the actual implementation and the two users were not separated, as a proof-of-principle demonstration, we focused on the feasibility of our protocol rather than aiming to establish a complete system with all necessary hardware. Combined with the developed phase-locking and phase-tracking technology in the implementation of twin-field QKD [33][34][35][36][37], our protocol containing two independent users can be directly implemented in real optical fibers, which is illustrated in detail in the Supplementary Material.

IV. DISCUSSION AND CONCLUSION
Based on the fact that tremendous progress has been witnessed in the deployment of QKD, practical secure QKD protocols are becoming an important research direction in quantum communication since they are relevant for the practical deployment of QKD. In this study, we adopt the RT method to guarantee security of an FP-MDIQKD protocol using coherent states against realistic flawed sources. We further demonstrate the feasibility of the protocol through a proof-of-principle experimental implementation [24]. For source flaws, we consider SPFs, side channels caused by mode dependencies, THAs, and classical pulse correlations, which typically cover all possible source imperfections that are currently observed in experimental implementations. Although we only consider the special polarization side channel and one special THA, we note that other similar side channels and THAs can also be included in the calculation of fidelity with extra parameters. However, actually, imperfections in side channel space, which are not considered in our state representation and our calculation of fidelity, also have influences on the fidelity and the experimental results, which is a remaining problem for future study. In addition, we offer relations between parameters characterizing source flaws and experimental data, and provide specific implementations in our experiment on how to define and measure these parameters, which can also be compatible to other types of potential source flaws, which means higher practicality of our study in experimental and real-life implementations. In addition, the simula-TABLE II. Summary of experimental data. We tested the key rates for different channel losses. The table shows the number of pulses sent, the expected intensity of pulses µ ′ = |α| 2 , the number of detection events under corresponding bases, the experimental quantum bit error rates under the X basis and Y basis, the number of clicks under the X basis S L X , the key rate R * regardless of source flaws, and the key rate R considering source flaws. tion results show that our protocol generates a higher secure key rate against source flaws than the other QKD protocols in Refs. [50] and [46]). For experimental implementation, we also present a finite-key analysis against coherent attacks.
Furthermore, we experimentally demonstrate our protocol using a plug-and-play system. With perfect sources, our protocol can be demonstrated over 35 dB , which is a considerable improvement in the transmission distance in the realm of practical secure QKD. By removing assumptions of the perfect source and detection site, our protocol can still achieve a key rate of 253 bps with a 20 dB channel loss, which outperforms other experimental implementations of practical secure QKD protocols. Besides, we also achieve key rates of 91.0 and 9.39 kbps at 10 and 16 dB, respectively. The transmission distance of our protocol was constrained using five parameters relevant to imperfect sources. However, these five parameters can be optimized. Thus, the key rate and transmission distance of this protocol can be further improved. First, the measurements of these parameters are limited by the accuracy and precision of the devices. For example, the accuracy of the power meter measuring optical power fluctuations is limited, and the power meter itself has jitters, which may result in larger fluctuations. Additionally, the values of these parameters can be further reduced using available technologies. More accurate phase modulation can be achieved by using more phase modulators, which can avoid nonlinear amplification of radio frequency signals. The extinction ratio of polarization can be further improved by fusing optical fibers or by adding a polarizer at the user's site. With developed technologies, these parameters will be closer to 0. Note that our scheme does not need to resort to immature technologies such as entanglement or single-photon sources, which makes our scheme more practical. Overall, our study further proves the feasibility of secure QKD with arbitrary flawed devices, and holds the potential to be applied to the future deployment of practical secure QKD.

CONFLICT OF INTEREST
The authors declare that they have no conflict of interest. In our four-phase measurement-device-independent QKD protocol, the classical bits can be encoded through phase differences of coherent pulses from Alice and Bob and the setting of the X and Y bases introduces the idea of "quantum coin" where we can introduce ∆ as the imbalance of a quantum coin to bound the information leakage. The imbalance ∆ can be calculated through the bounded fidelity discussed in the GLLP security proof [55,56], which can be naturally extended to the security analysis of the reference technique [51]. In the ideal scenario with no source flaws, Alice's entangled basis-dependent states are expressed as

This study was supported by the Natural Science
where {|0 X , |1 X } are eigenstates of the Pauli operator σ x and {|0 Y , |1 Y } are eigenstates of the Pauli operator σ y . The same equations of Bob's entangled basisdependent states can be obtained in the similar expressions with the system B denoting the virtual qubit space and the system b representing the actual space of coherent pulses. Here, the basis-dependence of Alice's (Bob's) entangled states can be related to an equivalent virtual protocol considering the balance of a quantum coin [55], where Alice (Bob) measures the coin in the Z basis to determine the basis choice. Here the basis-dependent states can be expressed as |Ψ X and |Ψ Y without distinguishing the sender. The joint state can be taken to be where p x and p y separately represent the probabilities of sending states in the X basis and the Y basis. Note that we assume the measurement of the quantum coin will be delayed after Charlie has finished her measurement and eavesdropping. The final key rate of this protocol is where . Q x is the gain in the X basis and E x b means the bit error rate under the X basis. e dx means the misalignment error rate in the X basis of the four-phase measurementdevice-independent QKD system. The total efficiency is η and we use |α| 2 to express the intensity of weak coherent states. E p represents the phase error rate under the X basis, which is bounded by ∆ and the bit error rate in the Y basis E y b . The equation of E y b is similar to that of E x b with its separate misalignment error rate e dy that E y Here for simulation, we just consider the situation that E y b is equal to E x b since we set the misalignment error rates to be 0 without the finite-key analysis. Note that E y b is not rigorously equal to E x b in the practical scenario since e dy evidently differs from e dx in experiment. η = η d × 10 −L/20 , where L (dB) is the total attenuation of the channel. Based on the fact that our protocol considers an biased basis choice, we provide the relation between the phase error rate in the X basis E p and the bit error rate in the Y basis E y b . According to the procedure of our protocol, the simplified entangled state shared by Alice and Bob in two bases can be expressed as where we denote regardless of the measurement result of Charlie. We introduce the error operator by Alice and Bob, E y The phase error rate of the X basis and the bit error rate of the Y basis are defined as where M ab is the Kraus operator corresponding to the announcement of Charlie. Note that the normalization has been assumed. Similar with the method in Ref. [45], we have ab E y AB M ab and use the fact that The fidelity of quantum states can be expressed as Eve can enhance the source flaws by exploiting the loss of channel, which means that we should have the the worst situation ∆ = ∆ ′ /Q [55]. Therefore, we can obtian the relation between E y b and ∆, Appendix B: Finite-key analysis for the experimental implementation Here we provide the specific expression of the finite-key analysis for the experiment of our protocol. The number of final key bits l has been expressed as which is ǫ c − correct and ǫ s − secure, with ǫ s = √ ǫ F + ǫ PA [61]. We directly offer n x through the experiment, together with E X b in the formula of leak EC . Based on Eq. (S7), we have to consider the statistical fluctuation when calculating the bit error rate in the Y basis E Y b and estimating the phase error rate considering eavesdroppers' coherent attacks. Here, we adopt the concentration inequality introduced in Ref. [61,71] to guarantee security against coherent attacks when we bound the deviation between a sum of correlated random variables and its expected value.
Let ξ 1 , ..., ξ n be a sequence of Bernoulli random variables which are dependent and let Λ j = sions in Ref. [61,71], we obtain that for any b ≥ 0 (S9) By equating the right hand of Eq. (S9) to be ǫ F and solving for b, we have that n u=1 Pr(ξ u = 1|ξ 1 , ..., ξ u−1 ) ≤ Λ n + ∆ c , where ∆ c = 1 2 nlnǫ −1 F and each of the bounds in Eq. (S10) fail with probability at most ǫ F . Eq. (S10) is the simple bound of the concentration inequality but it is sufficiently tight for all opponents in our protocol. The concentration inequality [71] here is tighter than the widely applied Azuma's inequality [72] to guarantee security against coherent attacks when random variables are correlated and the encoding bases are not mutually unbiased [61]. Then we will present how to derive the upper bound E p . First, we set n y and m y to be the number of efficient outcomes and the number of bit errors in the Y basis, which is obtained through the experiment. We derive an upper bound of the expectation value of the number of bit errors in the Y basis m * y . The upper bound of the expected bit error rate in the Y basis is E y b * = m * y /n y , which can be used to calculate the upper bound of the expected value of the phase error rate in the X basis E * p . Then the number of phase errors is obtained in the form of m * p = n x E * p . We then estimate the upper bound of the observed number of phase errors in the X basis m p through the concentration inequality. Then E p can be naturally calculated with E p = m p /n x . According to the experimental results, formulas in Eq. (S10) is sufficiently tight for generating considerable final key rate in the finite-key regime so we just introduce the simple bound in Ref. [61]. Without loss of generality, we set ǫ c = ǫ PA = ǫ F = 10 −10 .
Appendix C: Experimental details on derivation of parameters characterizing source flaws

Optical power fluctuation
Imperfect intensity modulation can be quantitively characterized by the fluctuation of optical power over a period of time. We test it by the optical power meter. Due to the limited range of power meter, we divide the fluctuation into two parts, the source fluctuation and the path fluctuation. For the source part, we directly measured the optical power of the laser source with a 40 dB attenuation. The laser source is a homemade pulsed laser and Field Programmable Gate Array (FPGA) is used as the logic control of our laser source and to send laser drive signals. Since the circulator and beam splitters used in the system are fast-axis blocked, changes in polarization bring about fluctuations in intensity. Consequently, we measured the intensity of pulses sent by Alice with an appropriate attenuation to make the intensity around -70 dBm while the phase modulations are carried on. Besides, VOA also causes optical power fluctuation, so we add an additional attenuation each to the measurement of the fluctuation of path and source, which means the intensity of these pulses is lower than the minimum optical power (-103.7 dBm) we sent when considering source flaws. Since the time of conducting one round of QKD is 100 seconds, we denote the difference between the maximum and minimum value of optical power in 100 seconds as the value of fluctuation. As shown in Fig. S1, the upper bound of optical power fluctuation in 1000 seconds is 1.11%, which is the sum of source and path fluctuation.

Phase shift
We quantify the modulation error δ in the source through calibrating Alice's PM, in the plug-and-play QKD system. δ φ is defined as the difference between the actual phase and the expected phase φ. In our protocol, we need to modulate 4 phases φ ∈ {0, π/2, π, 3π/2}. Similar to Ref. [73], only Alice performs phase modulation and Bob sets his own PM at a fixed unmodulated phase 0. Note that the experimental setup here is the same as that used to demonstrate the QKD protocol. Alice and Bob are connected with a one-metre-long polarization maintained fiber. Alice scans the voltages applied to her PM according to the random phase selection in the experiment and the intensity of these pulses is 0.001. Charlie records the clicks for 100 seconds. Based on the phase selection, we can obtain the number of clicks for different phases and these counts are denoted by D φ 1 and D φ 2 . For D 1 , the total detection efficiency η 1 (considering the loss in Charlie) is 66.3% and the dark count rate p d,1 is 1.6 × 10 −8 . For D 2 , the detection efficiency η 2 is 73.6% and the dark count rate p d,2 is 2.5 × 10 −8 . Since the dark count rates of two detectors are at the level of 10 −8 , dark counts have little influence on the computation and are ignored in the computation. The detailed experimental data can be seen in Table S1. The function generator used is P25588B (Tabor Electronics) with 16-bit depth. The electrical drivers used are DR-VE-10-MO (iXblue) and PMs are PM-5S5-10-PFA-UV (Eospace). In our data analysis, we use Hoeffding's inequality [74]. The upper bound of δ φ is given by Eq. (S10). For φ ∈ {π/2, π}, φ 0 = φ and for φ = 3π/2, φ 0 = φ − π. Consequently, The error δ is upper bounded by the case of δ π = 0.062. Note that for statistical analysis, we only choose an appropriate time window without any other data processing, whose length is 2 ns.

Extinction ratio of polarization
Since Eve could distinguish signals from the polarization information of each state, we quantify this situation by measuring the extinction ratio of polarization in the plugand-play system. We put a polarization beam splitter (PBS) at Alice's site to obtain the the extinction ratio of polarization of the pulses Alice sent, which is the ratio of fast-axis optical power to slow-axis optical power. The specific quantum states are shown as (S11) Consequently, we denote the extinction ratio of polarization of pulses as tanθ. We decrease the attenuation and the optical power of pulses in the Sagnac loop is about -20 dBm. We use a power meter to measure the optical power at both ports of the PBS. We measured the optical power once every 100 ms and tested it for 1000 seconds. As shown in Fig. S3, the blue points mean the ratio of slow-axis to fast-axis and the minimum value is still over 26.5 dB. As we only need 100 seconds to perform a round of measurement, the ratio can be easily maintained above 26.5 dB.

Pattern effect
Practical electro-optic modulators and electrical drivers are band limited, which results in state correlation between the optical pulses as well as intensity fluctuation of individual pulses. Pulse correlation is particularly critical for the security since current security analysis usually assumes independent and identically distributed pulses. In this experiment, we do not need to modulate different intensities and we only need to quantify the phase correlation. The experimental structure is same as that used for measuring phase shift. Here we only consider the influences of pattern effects limited to the adjacent pulses [60]. Consequently, for four phases, sixteen patterns exist. We quantified the phase correlation by measuring the intensities under different patterns. Bob's PM is set at an unmodulated phase 0 and Alice modulates each pattern with equal probability. The modulated pulses and unmodulated pulses interfere at BS and the results are measured by D1 and D2 with detection efficiencies of 66.3% and 73.6%. Denote phase 0 as S 1 , phase π/2 as S 2 , phase π as S 3 and phase 3π/2 as S 4 . The pattern effects of phase 0 and π/2 are given by D1's detection results while the pattern effects of phase π and 3π/2 are given by D2's detection results. As shown in Table S2, the maximum value, or say sinψ, is 8.54×10 −3 . Note that here we only measured the deviation from average values while theoretically we should measure the largest intensity deviation of individual pulses in each pattern. It is a remaining problem for future study.

Appendix D: Scheme with independent lasers
We extend the plug-and-play system to a scheme with independent lasers in this part. As shown in Fig. S4, this system includes two independent users and an untrusted intermediate node.
The phase-modulated pulses are directly generated employing the idea of optical injection [75,76], which has been proven to effectively remove the need for a phase modulator. Additionally, without multi-intensity modulation, our scheme does not need an intensity modulator. Consequently, Eve cannot get any information about phase modulation and intensity modulation from the backscattered light and thus this scheme can resist Trojan horse attacks. As shown in Fig. S4, Alice's (Bob) We measured the extinction ratio of polarization of Alice's and Bob's pulses by a polarization beam splitter (PBS) for 1000 seconds while our system considering realistic sources, only runs for 100 seconds. Its value is always above 26.5 dB.
laser source is made up with a phase-preparation laser (PP-Laser) and a pulse-generation laser (PG-Laser). Two laser diodes are connected with an optical circulator. PP-Laser acts as a master laser and PG-Laser acts as a slave laser. PP-Laser is always biased over its threshold to generate continuous-wave light. PG-Laser is gain-switched corresponding with modulation signals applied to PP-Laser for avoiding side effects and sends pulses inheriting the phase prepared by PP-Laser. By introducing perturbations in the driving signal of PP-   We summarized the optical element transmittance in Table S3. The optical elements include the polarization controllers (PCs), circulator (CIR), and the beam splitter (BS). The results are given for each output (D1/D2) as appropriate. The experimental results are summarized in Table S4, the total pulses sent in the experiment N, the phase error rate regardless the source flaws E * P , the phase error rate considering the source flaws E P , the number of detected pulses is labeled as "Detected-AB (Di)", where "A" ("B") means an A (B) phase was added on the pulses by Alice (Bob) and detected by Di, i ∈ {1, 2}. For 30 dB and 35 dB, the key rates are 0 and E P = 50%.