Upper Bounds for the Security of two Distributed-Phase Reference Protocols of Quantum Cryptography (Coherent-One-Way and Differential-Phase-Shift)

The Differential-Phase-Shift (DPS) and the Coherent-One-Way (COW) are among the most practical protocols for quantum cryptography, and are therefore the object of fast-paced experimental developments. The assessment of their security is also a challenge for theorists: the existing tools, which allow one to prove security against the most general attacks, do not apply to these two protocols in any straightforward way. We present new upper bounds for their security in the limit of large distances ($d \gtrsim 50$ km with typical values in optical fibers) by considering a large class of collective attacks, namely those in which the adversary attaches ancillary quantum systems to each pulse or to each pair of pulses. We also introduce two modified versions of the COW protocol, which may prove more robust than the original one.


Introduction
Over recent years quantum cryptography has evolved from niche physics to a technology that could revolutionize the science of secrecy. The basic idea, as formulated by Bennett and Brassard in 1984 (BB84), was based on the use of individual qubits [1], quickly 'translated' to individual photons. Given the lack of convenient single photon sources, most experiments use instead weak laser pulses. However, it was then realized that such sources sometimes emit multiphoton pulses and are thus in danger of photon-number-splitting (PNS) attacks [2]. The cheap counter-measure to PNS attacks is to reduce further the intensity of the weak laser pulses, but this solution leads to secret bit rates that scale quadratically with the quantum channel transmission coefficient, $r \propto t^2$. Hwang [3] found an elegant way out of this drawback, suggesting using more than one intensity. This method, called decoy state implementation, allows one to achieve a linear secret key rate, as for the historical single-qubit protocols [4].
The BB84 protocol in all its implementations, several variations thereof (two-state [5], six-state [6], SARG04 [7], protocols using higher-dimensional systems [8], etc.) and all the corresponding entanglement-based versions [9], share a common feature: they all send quantum symbols one by one. However, convenient telecom laser sources emit either a continuous train of pulses (mode-locked lasers), or a continuous wave (cw) that can be formatted by an intensity modulator into trains of pulses. This observation led to new protocols for efficient quantum key distribution (QKD) like the differential-phase-shift (DPS) [10,11] and the coherent-one-way (COW) [12,13] protocols. In both protocols a continuous train of weak laser pulses is sent from the sender, Alice, to the receiver, Bob. In the DPS protocol the intensity of the pulses is constant, but the phase is modulated. In the COW protocol, the phases of all pulses are constant, but their intensity is modulated. The DPS and the COW protocols are so-called distributed-phase-reference protocols: the intervention of an adversary, Eve, is monitored by measuring the coherence between successive non-empty pulses. Both protocols are robust against PNS attacks, because these can be detected [13,14]; security has also been studied against individual attacks [13,15] and more recently against some form of intercept-resend attacks based on unambiguous state discrimination [16]-[18]. However, security against the most general attacks is still elusive: the tools that have been developed in the last decade to tackle this cannot be applied in any straightforward way, because both protocols move away from the symbol-per-symbol type of coding.
The purpose of this paper is to analyze the security of the COW and the DPS protocols against a large class of collective attacks in the long distance regime (i.e. when the transmission coefficient $t$ is small). This study leads also to defining variants of the COW protocol, which make it more robust while keeping its simplicity.
The paper is structured as follows. In section 2, we recall the COW and DPS protocols, as well as some notions of security bounds. In section 3, we present the bound for security against a beam-splitting attack (BSA) treated as a collective attack. In section 4, we study a family of attacks that generalize the BSA by introducing errors. The basic idea is that the adversary, Eve, attaches ancillary quantum systems to each pulse or to each pair of pulses. For these attacks, bounds for security are provided in the limits of large distances, typically $d \gtrsim 50$ km. These upper bounds on the secret key rates scale linearly with $t$.

Definitions and tools
The source, on Alice's side, produces weak coherent pulses. A non-empty pulse is written $|\alpha\rangle$, its mean photon number $\mu = |\alpha|^2$. The transmission coefficient of the quantum channel connecting Alice and Bob is $t$, the efficiency of Bob's photon counters is $\eta$; we neglect the effects of dark counts and dead times of the detectors. Accordingly, in the absence of Eve, when Alice sends $|\alpha\rangle$, Bob receives $|\sqrt{t}\alpha\rangle$ and has a probability $1 - e^{-\mu t \eta}$ ($\approx \mu t \eta$ in the limit $\mu t \ll 1$) of detecting a photon.

The COW and DPS codings
In the COW protocol, each bit is coded in a sequence of one non-empty and one empty pulse: the bit value 0 is coded in the sequence $|\alpha\rangle|0\rangle$, the bit value 1 in the sequence $|0\rangle|\alpha\rangle$. These two states are not orthogonal because of the vacuum component, and can be unambiguously discriminated in an optimal way by just measuring the time of arrival. This is the very simple data line, in which the raw key is created. The quantum bit error rate (QBER) $Q$ is, as usual, the probability that Bob accepts the wrong value of the bit: in physical terms, this means that Bob has got a detection in a time slot in which Alice has sent an empty pulse. To estimate the loss of coherence in the channel (and thence Eve's information), a fraction of the light is sent into a monitoring line, consisting of an unbalanced interferometer. The phase between the two arms is chosen so that two consecutive non-empty pulses sent by Alice should always interfere constructively in one output port (and be detected with probability $p_{D_0} > 0$) and destructively in the other one ($p_{D_1} = 0$). The departure from this ideal situation is measured by the visibility $V = \frac{p_{D_0} - p_{D_1}}{p_{D_0} + p_{D_1}}$ of the interference pattern observed for two consecutive non-empty pulses. Note that there is no a priori relation between $Q$ and $V$.
In the DPS protocol, Alice produces a sequence of coherent states of the same intensity $\ldots |e^{i\phi_{k-1}}\alpha\rangle |e^{i\phi_k}\alpha\rangle |e^{i\phi_{k+1}}\alpha\rangle \ldots$, where each phase can be set at $\phi = 0$ or $\phi = \pi$. The bits are coded in the difference between two successive phases: $b_k = 0$ if $e^{i\phi_k} = e^{i\phi_{k+1}}$ and $b_k = 1$ otherwise. These two cases can be unambiguously discriminated using an unbalanced interferometer. The same interferometer provides the information about the lack of coherence in the channel, used to estimate Eve's information. Contrary to what happens for COW, the QBER $Q$ and the visibility $V$ of the interference pattern are tightly related in DPS through the relation $Q = \frac{1-V}{2}$.

Three versions of COW
In the original version of COW, the pairing of the pulses is known in advance; in addition to sending the two sequences that code for a bit value, Alice should also send decoy sequences $|\alpha\rangle|\alpha\rangle$ with probability $f$ in order to prevent a subtle form of PNS attacks. Such sequences do not code for a bit value: therefore, if they give rise to a detection in the data line, this event must be eliminated in sifting. Throughout this paper we will set $f \approx 0$: in fact, all the bounds for security that we are going to use are valid only in the asymptotic limit of infinitely long keys, in which case an arbitrarily small amount of events is sufficient to produce meaningful statistics. Along with this original version, we introduce and study here two modified versions of COW, in which the pairing of the pulses is not known a priori by Bob, nor Eve. Alice and Bob's devices are the same as in the original version: Alice sends a train of empty or non-empty pulses; Bob measures the time of arrival on his data line and checks the coherence of successive non-empty pulses on his monitoring line. Only after the transmission does Alice announce the pairings publicly; the bit is accepted if Bob has got one and only one detection in the data line corresponding to that pair of pulses. Given this, the two versions differ in the possible choices of pulses to be paired.
In COWm1, Alice still pairs consecutive pulses: this makes it the closest analog to DPS. If she wants to use (almost) all the pulses, she will still send sequences $|\alpha\rangle|0\rangle$ or $|0\rangle|\alpha\rangle$, and sometimes introduce an unused pulse. In COWm2, Alice is allowed to pair any two pulses; obviously, all the pulses are used. There is no simple version of DPS that would be analogous to COWm2, because in order to pair arbitrary pulses in DPS, Bob should arbitrarily change the unbalance in the interferometer.
Note that many other variants of COW can be imagined, as we mention in appendix A.

Secret key rates
We consider from now on that the two values 0 and 1 are equally probable both in Alice's and in Bob's list; since this can be obtained by public communication, there is no loss in generality in this assumption. As said, the bound for security against the most general attack by an eavesdropper has been elusive to date for both COW and DPS. In this paper, we are concerned with specific attacks, which of course define only upper bounds for security (i.e. it is guaranteed that one cannot obtain larger rates). In the family of attacks that we consider, Eve interacts with the pulses one-by-one or two-by-two, always with the same strategy. She is allowed to keep her ancillae in a quantum memory, and to extract the largest possible information out of them after Alice and Bob have run the classical post-processing. Therefore, we will compute the bound for security against collective attacks (as in most QKD studies to date, we compute this bound for the asymptotic case of an infinitely long raw key). Both for COW and DPS, Alice and Bob should choose $\mu$ such that the secret key rate is maximized. We performed this one-parameter optimization numerically. Figure 1 shows the optimal choice for the intensity $\mu = \mu_{\text{opt}}$ and the corresponding secret key rates for the COW and the DPS protocols.
One notices that the two protocols show similar behaviors against BSA. The optimal choice of $\mu$ is approximately twice as large for COW as it is for DPS; since in COW one pulse out of two is empty, the number of photons per bit is thus approximately the same. As for the secret key rates obtained for the respective $\mu_{\text{opt}}$, they are very similar, within a factor of two. The question of whether one protocol performs better than the other one does not have a clear-cut answer: other practical issues should be taken into consideration. For instance, we did not consider for COW the fraction of the signal that should be sent through Bob's monitoring line, which will not contribute to the key. We did not consider the losses in Bob's interferometer either: in DPS, they will decrease the secret key rates, while in COW, they will not alter the key rates. A more complete analysis should therefore lead to different factors before the given key rates, and the factor of two that appears here between the two protocols is not meaningful in itself.
In the limit of large distances $\mu t \ll 1$ (typically, for $d \gtrsim 50$ km), the secret key rates under a BSA become linear in $t\eta$ ($r = r_0 t\eta$), and the $\mu_{\text{opt}}$ tend to a constant value (dashed lines on figure 1). Specifically: for COW, $\mu_{\text{opt}} \to 0.4583$ and $r_0 \approx 0.0714$; for DPS, $\mu_{\text{opt}} \to 0.2808$ and $r_0 \approx 0.1182$. Note that the attacks presented in the next section of this paper shall be studied only in this limit, due to their complexity, and will coincide with the asymptotic limits for BSA when $Q = 0$ and $V = 1$.
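The long-distance BSA limits quoted above can be re-derived numerically. The following is an added example, not code from the paper: it assumes that under a BSA Eve holds the pure coherent states Alice prepared, so that her Holevo information follows from their overlaps ($e^{-\mu}$ between the two COW bit sequences, $e^{-2\mu}$ between the two DPS phases), and that the sifting rates per pulse are $\frac{1}{2}\mu t\eta$ for COW and $\mu t\eta$ for DPS. These expressions are assumptions, since the BSA formulas themselves are not reproduced on this page.

```python
import math


def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def mixture_entropy(overlap):
    """Von Neumann entropy (bits) of an equal mixture of two pure states
    whose scalar product has modulus `overlap`."""
    return h2((1.0 + abs(overlap)) / 2.0)


def chi_cow(mu):
    """Assumed Holevo quantity for BSA on COW: Eve discriminates
    |sqrt(mu)>|0> from |0>|sqrt(mu)>, overlap exp(-mu)."""
    return mixture_entropy(math.exp(-mu))


def chi_dps(mu):
    """Assumed Holevo quantity for BSA on DPS: the bit is the relative
    phase of two pulses, each |+alpha> or |-alpha> (overlap exp(-2 mu))."""
    c = math.exp(-2.0 * mu)
    # S(rho) = 2 h((1+c)/2) for the product of two single-pulse mixtures;
    # each bit value is a mixture of two two-pulse states with overlap c^2.
    return 2.0 * mixture_entropy(c) - mixture_entropy(c * c)


def r0_cow(mu):
    """Devetak-Winter factor r0 = r / (t eta) with Q = 0, V = 1.
    One bit per two pulses, hence the factor 1/2."""
    return 0.5 * mu * (1.0 - chi_cow(mu))


def r0_dps(mu):
    """Same for DPS: one bit per pulse."""
    return mu * (1.0 - chi_dps(mu))


def maximize(f, lo=1e-3, hi=2.0, steps=2000, tol=1e-9):
    """One-parameter maximization: coarse scan to bracket the maximum,
    then golden-section refinement inside the bracket."""
    width = (hi - lo) / steps
    best = max(range(steps + 1), key=lambda i: f(lo + i * width))
    a = max(lo, lo + (best - 1) * width)
    b = min(hi, lo + (best + 1) * width)
    inv_phi = (math.sqrt(5.0) - 1.0) / 2.0
    while b - a > tol:
        c = b - inv_phi * (b - a)
        d = a + inv_phi * (b - a)
        if f(c) > f(d):
            b = d      # maximum lies in [a, d]
        else:
            a = c      # maximum lies in [c, b]
    x = 0.5 * (a + b)
    return x, f(x)


if __name__ == "__main__":
    for name, f in (("COW", r0_cow), ("DPS", r0_dps)):
        mu_opt, r0 = maximize(f)
        print(f"{name}: mu_opt = {mu_opt:.4f}, r0 = {r0:.4f}")
```
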

Collective attacks with $Q \geq 0$, $V \leq 1$
In both COW and DPS, bits are coded in the relation between two successive pulses. In the study of upper bounds, a natural class of attacks is therefore the one in which Eve attacks coherently pairs of successive pulses. These we call 'two-pulse attacks' (2PA). In general, they are defined by with the only constraint that the transformation must be unitary. This class is clearly too large to be parametrized efficiently. However, in the limit of large distances $\mu t \ll 1$, multi-photon components on Bob's side are supposed to be negligible; and Bob will have to check, through the statistics of his detection rates (singles, double-clicks in two detectors, etc), that this is indeed the case. In view of this, we restrict our study to the case where, for any two-pulse signal sent by Alice, Bob's Hilbert space consists only of the three orthogonal states $|00\rangle$ (no photon), $|10\rangle$ (one photon at time $k - 1$) and $|01\rangle$ (one photon at time $k$).
In this section, 2PA are studied on COW (4.1), on COWm1 (4.2) and on DPS (4.4). On COWm2, since there is no preferred pairing at all, we shall rather study 'one-pulse attacks', 1PA (4.3). The resulting upper bounds will be computed numerically and compared (4.5). Unless stated otherwise, pure and mixed quantum states are normalized (in the limit $\mu t \ll 1$) in all that follows.

Original COW coding: two-pulse attacks
In the original COW protocol, the pairing of the pulses sent by Alice is publicly known. When Eve attacks the pulses two-by-two, we suppose that she does it according to the same pairing. The three sequences that Alice can send (bit 0, bit 1 and decoy sequence) are modified by Eve's intervention as where $|v_{jk}\rangle_E$ ($j, k \in \{0, \mu\}$) are the states that Eve attaches to the vacuum part of the signal, while $|p^{10}_{jk}\rangle_E$ and $|p^{01}_{jk}\rangle_E$ are the states that Eve attaches to the 1-photon part of the signal. While we have left Eve's states free (up to some constraints to be described soon), we have fixed the probability amplitude of each term. These amplitudes are motivated by the expected behavior of an imperfect intensity modulator on Alice's side, which would prepare pulses of intensity $(1 - Q)\mu$ and $Q\mu$ instead of perfectly modulated intensities $\mu$ and 0. In this case, for each bit sequence sent by Alice we still have an average probability $\mu t$ that a photon arrives at Bob; in a fraction $1 - Q$ of these cases, it arrives at the correct time, in the other cases it arrives at the wrong time, whence $Q$ is indeed the QBER. Again, Bob has to check that the multi-photon components are negligible.
The relations between Eve's states are constrained by the requirement that the transformation must be unitary, and by the results of the parameter estimation (i.e. by the values of the visibilities). The requirement of unitarity reads (recall that we work in the limit $\mu t$ The visibility in COW is measured only conditioned to the fact that Alice has sent two consecutive non-empty pulses. There are five such cases: the case of decoy sequences (two non-empty pulses in the same pair) and the four two-pair sequences $(x, y) = (0\mu, \mu 0)$, $(\mu\mu, \mu 0)$, $(0\mu, \mu\mu)$ and $(\mu\mu, \mu\mu)$. The corresponding visibilities after Eve's intervention are As an example, consider $V_{\mu\mu}$. When Alice sends a decoy sequence $|\sqrt{\mu}, \sqrt{\mu}\rangle$, a detection in the interferometer at the correct timing should reveal the coherence between $|10\rangle$ and $|01\rangle$. After Eve's intervention, the action of the interferometer (non-normalized) reads The probability that the photon going to Bob is detected by detector $D_0$ (resp. $D_1$) of the interferometer is proportional to (11). The visibilities $V_{xy}$ are computed in a similar way, considering that the interference across the pairing is due to the coherence between $|01\rangle|00\rangle$ and $|00\rangle|10\rangle$. In the present study, we suppose that Alice and Bob check that all these visibilities are the same:

Eve's information.
The task is to compute the information that Eve obtains when she performs the attack (9). For each bit detected by Bob, if Eve is interested in Alice's bit, her information is the Holevo quantity $\chi_{AE}$ computed for ρ A=0 These are formal expressions, whose value has to be optimized under the constraints (10) and (14). Now, none of the constraints (10)-(12) on Eve's states involves $|p^{10}_{0\mu}\rangle$ and $|p^{01}_{\mu 0}\rangle$. Eve can therefore choose these two states freely, and the best choice is obviously to take them orthogonal to one another and to all her other states, in order to distinguish those cases perfectly. In this case, , that we write explicitly as In particular, Eve has all the information on Alice's and Bob's bit when she introduces an error. So finally, the Devetak-Winter bound for 2PA on COW in the limit $\mu t \ll 1$ reads Note that $r_0$ does not depend on $t\eta$: the long-distance upper bound that we obtain is linear in $t$.

COWm1 coding: two-pulse attacks
4.2.1. Eve's attack. We now consider the first modified version of the COW protocol (COWm1). In this version, the coding still implies pairs of consecutive pulses, but the pairing is decided by Alice and Bob a posteriori. Thus, during the exchange of quantum signals, Eve does not know which pulses she should attack together: half of the times, her 2PA will therefore be applied on pulses that are not going to be paired to form a bit. In particular, now all four sequences of two consecutive pulses are possible: the transformation (9) must be complemented with a fourth line where the choice of probability amplitude is dictated by the same considerations as above. The requirement of unitarity consists of (10) and of the three additional constraints The computation of the loss of visibility is identical to the case of the original COW, leading to (11) and (12); as for that case, we shall impose (14). Note that the states $|p^{10}_{0\mu}\rangle$, $|p^{01}_{\mu 0}\rangle$, $|p^{10}_{00}\rangle$, $|p^{01}_{00}\rangle$ do not enter in any of the constraints, and can therefore be chosen orthogonal to each other and to all other states.

Eve's information.
When it comes to computing Eve's information, two cases have to be treated separately: The two pulses that code a bit have been attacked together by Eve. In this case, the computation of Eve's information is the same as for the original COW protocol (4.1), so $\chi^{(2)}_{AE} = \chi^{(2)}_{BE}$ is given by (15).
The two pulses that code a bit have not been attacked together by Eve. To study this case, we must consider four pulses. Writing $j, k, j', k' \in \{0, 1\}$ and neglecting as usual the two-photon terms, the transformation reads The terms that we left out do not contribute, for we focus on the case where Bob detects a photon in one of the two middle time-slots and pairs precisely those slots. Moreover, a posteriori it is decided that pulses j and k form a bit a, i.e. Alice must have used j = 1 − k = a. Depending on the sequence sent by Alice and on the bit detected by Bob, Eve's (unnormalized) state is thus Eve's (now normalized) states conditioned on Alice's or on Bob's bit become ρ B=b As it happened for COW, $\rho^{1,0}_{E_4}$ and $\rho^{0,1}_{E_4}$ are orthogonal to one another and to the other two mixtures; therefore χ (4) . On average, each of these two cases happens with probability $\frac{1}{2}$, so $\chi_{AE} = \chi_{BE}$ is given by The Devetak-Winter bound for 2PA on COWm1 in the limit $\mu t \ll 1$ reads where $|v_{0/\mu}\rangle_E$ are the states that Eve attaches to the vacuum part of the signal, while $|p_{0/\mu}\rangle_E$ are the states that Eve attaches to the 1-photon part of the signal. The probability amplitudes are fixed according to the same physical considerations done for COW and COWm1. The requirement of unitarity reads The loss of visibility introduced by Eve's intervention is computed along the same lines as in 4.1. Suppose Alice sends a sequence $|\sqrt{\mu}, \sqrt{\mu}\rangle$: in the limit $\mu t \ll 1$, where we neglect the 2-photon terms, Eve's intervention leads to None of these constraints involves $|p_0\rangle$, which can therefore be chosen orthogonal to all other states of Eve.

Eve's information.
On any pair of pulses that define a bit, Eve's intervention has the product structure For each bit detected by Bob, if Eve is interested in Alice's bit, her information is the Holevo quantity $\chi_{AE}$ computed for ρ A=0 Since $|v_\mu, p_0\rangle$ and $|p_0, v_\mu\rangle$ are orthogonal to one another and to the other states $|p_\mu, v_0\rangle$ and $|v_0, p_\mu\rangle$, we have $\chi_{AE} = \chi_{BE}$ given by So finally, the Devetak-Winter bound for 1PA on COWm2 in the limit $\mu t \ll 1$ reads

DPS coding: two-pulse attacks
We turn now to the DPS protocol and derive an upper bound for security considering 2PA. The formalism is analogous to the one described for the COWm1 protocol in section 4.2, so we go quickly through many details. The main differences are of course those related to the protocol: the different coding of bits, and the link between $Q$ and $V$.

Eve's attack.
We suppose that Eve attaches her probe to two successive pulses sent by Alice. Four two-pulse sequences are possible: with $\sigma, \omega \in \{+, -\}$, Eve's intervention reads where $|v_{\sigma\omega}\rangle_E$ are the states that Eve attaches to the vacuum part of the signal, while $|p^{10}_{\sigma\omega}\rangle_E$ and $|p^{01}_{\sigma\omega}\rangle_E$ are the states that Eve attaches to the 1-photon part of the signal (as before, Bob shall check that the multi-photon components are negligible). The transformation leads to the expected detection rate $\mu t\eta$ for each pulse. The constraint of unitarity reads The visibilities can now be computed for all possible sequences, since there are no empty pulses. Formally, the expressions depend on which sequence of pulses was sent, and on whether the two pulses that interfere belong to a same or to different sequences according to the pairing chosen by Eve. The resulting visibilities are $V_{\sigma\omega,\sigma'\omega'} = \mathrm{Re}\,\langle v_{\sigma\omega}|p^{01}_{\sigma\omega}\rangle\langle p^{10}_{\sigma'\omega'}|v_{\sigma'\omega'}\rangle$.

Eve's information.
As happened for COWm1, when it comes to computing Eve's information, two cases have to be treated separately:
Case 1. The two pulses that contribute to the detected event have been attacked together by Eve. The evolution in Bob's interferometer is σ |10 B | p 10 σ ω (non-normalized). Writing ρ A={σ ω},B=b . Eve's information for this case 1 is then
Case 2. The two pulses that contribute to the detected event have not been attacked together by Eve. Then, we have to study the four-pulse sequence, in which the bit has been produced by the interference of pulses number two and three. The evolution in Bob's interferometer is ω|0100 σ ω (non-normalized). Writing ρ A={σ ω,σ ω },B=b . Eve's information for this case 2 is then
Each of the two cases happens with probability $\frac{1}{2}$. Therefore, Eve's average information is For the versions of COW, some of Eve's states could be immediately chosen as being orthogonal to all the other ones; there is no such simplification here. The Devetak-Winter bound for 2PA on DPS in the limit $\mu t \ll 1$ reads

Numerical optimization and comparison
In the previous subsections, we have derived upper bounds for the secret key rate of COW (16), COWm1 (27), COWm2 (33) and DPS (43) in the limit $\mu t \ll 1$ of large distances. In this limit, all these bounds scale linearly with losses: $r = r_0 t\eta$, where only the constant factor $r_0$ depends on the protocol. Incidentally, we remind that for COWm1 and COWm2 we have supposed that Alice makes the pairings; if Bob makes them, the rates given above for these protocols should be divided by 2.
At this point, we want to evaluate these bounds. This involves a double optimization: first, for a fixed value of $\mu$, one has to find the strategy that maximizes Eve's information; then, one has to find the value of $\mu$ that maximizes $r$ (in our case, $r_0$). The details on how the optimizations over Eve's strategies were performed are given in appendices B-E. For COW and COWm2, these optimizations could be performed analytically, and we give the analytical expressions for Eve's optimal states. For COWm1, the optimization was performed numerically, but we could find an analytical expression for Eve's states, in which there remain only three parameters to optimize. For DPS, only numerical optimizations could be performed. The second optimization (over $\mu$) could only be done numerically in all cases.
The results of the optimizations are shown in figure 2 for the four protocols, as a function of $V$, and in the case $Q = 0$ for all versions of COW. The effect of the QBER in the COW protocols is shown in figures B.1, C.1 and D.1.
As expected, when $V = 1$ and $Q = 0$, the attacks under study coincide for all protocols with the asymptotic limits for BSA. As was the case for BSA, one notices similar behaviors for the COW and the DPS protocols, at least for high visibilities: the secret key rates (or the factors $r_0$) are again very similar, within a factor of two. Again, we cannot conclude that one protocol performs better than the other one. The choice of which protocol to run should be motivated by various practical reasons that we did not consider here. Still, and as expected, the modified versions of COW provide better bounds than the original COW: Eve's attack is less efficient when Eve does not know how Alice and Bob will choose the pairing of the pulses. Finally, in order to get the secret key rates for a given distance, one just has to multiply the factor $r_0$ by $t\eta$. We show as an example in figure 3 the rates that we get for each protocol in the case of $V = 0.98$ (and still $Q = 0$ for COW and its variations), compared to BSA.

Conclusion
We have provided new upper bounds for the security of the COW (the original and two modified versions) and the DPS protocols, in the limit of large distances. In all cases, the secret key rate goes as $r \approx r_0 t\eta$ and therefore scales linearly with the transmission $t$ of the channel; also, all the values of $r_0$ are similar, within a factor of two for high visibilities. Hence, at least given our present-day knowledge, the choice between any of these protocols should be dictated by practical reasons rather than by security concerns.
The two modified versions COWm1 and COWm2, introduced in a very natural way in the context of this paper, may also prove very useful in the future to find the bound for security against the most general attack by the eavesdropper. Indeed, intuition suggests that the random a posteriori choice of the pairing may provide the symmetry argument, which would allow one to use the exponential De Finetti theorem [21].
In practice, the main drawback of this basic protocol is the large error rate. In fact, while $I_{AB}$ can in principle be extracted by error correction (which we have supposed everywhere in this paper), real codes do not reach this bound and become very inefficient if the error rate is large. In other words, it is better to try and have fewer, better correlated signals, than to keep a lot of poorly correlated ones. One possibility to reduce this error rate is to include a sifting step: Bob would announce his $q\mu t\eta$ fraction of time slots where he got a click on his data line, along with another fraction $f_0$ where he had no click. In this case, the sifting rate reduces to $r_s = q\mu t\eta + f_0$, but the fraction of errors to be corrected is also reduced. Depending on the practical efficiency of the error correction, one can try to optimize $f_0$.
When dealing with such a Z-channel, a way to symmetrize the errors is to code the logical bits into two physical symbols: '0' → $\mu 0$, '1' → $0\mu$. In this prospect, the original coding of COW appears very naturally. Contrary to the previous version, there are no more errors due to the losses (Bob only keeps the cases where he had one detection), and in the absence of dark counts and of Eve $I_{AB} = 1$, and $r = r_s$.
In the original version of COW, the pairs of pulses defining each classical bit are predefined. Alice sends pairs $\mu 0$ or $0\mu$, along with some decoy sequences $\mu\mu$ (and possibly also sequences 00). When the fraction of decoy sequences is negligible, the sifting rate is $r_s = \frac{1}{2}\mu t\eta$. A first possible variant of this original COW corresponds to COWm1, where Alice still sends sequences $\mu 0$ or $0\mu$, but sometimes she introduces an unused pulse, so that the bit separations are not known in advance by Eve. Again, if the fraction of unused pulses is negligible, the sifting rate is $r_s = \frac{1}{2}\mu t\eta$. Another variant would be that Alice sends a completely random train of pulses $|0\rangle$ and $|\sqrt{\mu}\rangle$. She then pairs consecutive pulses a posteriori. Here we lose a factor $\frac{1}{2}$ in the sifting rate ($r_s = \frac{1}{4}\mu t\eta$) because of the sequences 00 and $\mu\mu$ that Alice sometimes pairs together, but the security might be easier to analyze.
In the previous two variants, one can also imagine that the pairs are not necessarily composed of successive pulses (such as in COWm2 for instance). This might be more robust against Eve's attacks, but this necessitates a large amount of information to be sent from Alice to Bob for the key reconciliation.
Also, one can imagine that it is Bob who chooses the pairing: when he gets a detection, he announces two time-slots (successive or not), and Alice checks that they correspond to a sequence $\mu 0$ or $0\mu$. Since Bob has approximately a probability $\frac{1}{2}$ to announce two time-slots that correspond to a sequence $\mu\mu$ instead, the sifting rate in this case is $r_s \approx \frac{1}{4}\mu t\eta$. Finally, one can imagine that Alice and Bob use other (longer) sequences of pulses $|\sqrt{\mu}\rangle$ and $|0\rangle$ to encode their classical bits (or dits). All previous variations, whether the way the pulses are grouped is defined a priori or a posteriori, by Alice or by Bob, whether they group successive pulses or not, also apply to this more general variant.
for the four two-pair sequences $(x, y) = (0\mu, \mu 0)$, $(\mu\mu, \mu 0)$, $(0\mu, \mu\mu)$ and $(\mu\mu, \mu\mu)$. We notice that the states $|p^{10}_{\mu 0}\rangle$ and $|p^{01}_{0\mu}\rangle$, whose overlap fully defines Eve's information, are related to the states $|v_{\mu 0}\rangle$ and $|v_{0\mu}\rangle$ through (B.2), specifically So, we focus at first only on finding four states $|v_{\mu 0}\rangle$, $|v_{0\mu}\rangle$, $|p^{10}_{\mu 0}\rangle$ and $|p^{01}_{0\mu}\rangle$ that satisfy (B.3) and such that $|\langle p^{01}_{0\mu}|p^{10}_{\mu 0}\rangle|$ is minimal. Later, we shall check that we can find states $|v_{\mu\mu}\rangle$, $|p^{10}_{\mu\mu}\rangle$, and $|p^{01}_{\mu\mu}\rangle$ in order to satisfy all the constraints (recall that the states $|p^{01}_{\mu 0}\rangle$ and $|p^{10}_{0\mu}\rangle$ are chosen to be orthogonal to all other states).

B.1. Parametrization of Eve's states
First, let's choose the first two basis vectors such that the states $|v_{\mu 0}\rangle$ and $|v_{0\mu}\rangle$ read Let's also define $|v_j^\perp\rangle$ as the orthogonal state to $|v_j\rangle$, in the same two-dimensional (2D) subspace: We must have (B.3). Now, if $\langle v_{0\mu}|p^{01}_{0\mu}\rangle\langle p^{10}_{\mu 0}|v_{\mu 0}\rangle \notin \mathbb{R}$, then Eve could just add a global phase to $|p^{10}_{\mu 0}\rangle$ for instance, and increase $V$ without changing her information. This implies that Eve's maximal information compatible with $V$ is obtained when the above quantity is real. Then we can write, for some factor $\lambda \in [V, 1/V]$ and some phase $\varphi \in \mathbb{R}$: $\langle v_{\mu 0}|p^{10}_{\mu 0}\rangle = \sqrt{\lambda V}\,e^{i\varphi}$ and $\langle v_{0\mu}|p^{01}_{0\mu}\rangle = \sqrt{V/\lambda}\,e^{i\varphi}$. But since the phase $\varphi$ does not play any role in Eve's information (which depends only on $|\langle p^{01}_{0\mu}|p^{10}_{\mu 0}\rangle|$), we can without loss of generality set it to 0. In conclusion, $|p^{10}_{\mu 0}\rangle$ and $|p^{01}_{0\mu}\rangle$ are of the form where $|w_0\rangle$ and $|w_1\rangle$ are any states orthogonal to both $|v_{\mu 0}\rangle$ and $|v_{0\mu}\rangle$ and $\theta_0$, $\theta_1$, $\varphi_0$ and $\varphi_1$ are free parameters.
Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity $\mu$. The optimal choice $\mu_{\text{opt}}$ and the corresponding value of $r_0$ are plotted in figure B.1, as a function of $V$ and for different values of $Q$.
We still have to check that we can find states $|v_{\mu\mu}\rangle$, $|p^{10}_{\mu\mu}\rangle$ and $|p^{01}_{\mu\mu}\rangle$ that satisfy all the constraints. This is indeed the case. For instance, we complete the previous basis with a third orthogonal vector and choose 1+γ . The fact that the minimum of $|\langle p^{01}_{0\mu}|p^{10}_{\mu 0}\rangle|$ can be reached without using the constraints that involve the sequence $(\mu, \mu)$ means that the presence of decoy sequences does not increase the security of COW against 2PA.
Note finally that if γ 2 0µ | p 10 µ0 = 0, in which case Eve can perfectly discriminate the two states: she has the full information on Alice and Bob's bit. Therefore, $\gamma > 2\sqrt{V(1 - V)}$ and $V > 1/2$ are necessary conditions for Alice and Bob to establish a secret key.

C.1. Parametrization of Eve's states
We write the states $|v_{jk}\rangle$ as These states satisfy the constraints (B.1) and (C.1). We still have four states to consider, $|p^{10}_{\mu 0}\rangle$, $|p^{01}_{0\mu}\rangle$, $|p^{10}_{\mu\mu}\rangle$ and $|p^{01}_{\mu\mu}\rangle$ (recall that the states $|p^{01}_{\mu 0}\rangle$, $|p^{10}_{0\mu}\rangle$, $|p^{10}_{\mu\mu}\rangle$ and $|p^{01}_{\mu\mu}\rangle$ have already been chosen orthogonal to all other states). Therefore, Eve's states under consideration live in general in an 8D space. We have performed the numerical optimization over the most general choice of the four $|p\rangle$ states that satisfied the constraints (B.2).
Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity $\mu$. The optimal choice $\mu_{\text{opt}}$ and the corresponding value of $r_0$ are plotted in figure C.1.

Appendix D. Optimization of 1PA on COWm2
We have to maximize $\chi_{\text{COWm2}}$ (32), i.e. to minimize $|\langle v_0|p_\mu\rangle|$, subject to the constraints The state $|p_0\rangle$ was already chosen to be orthogonal to the three other states; we have therefore to work in a 3D Hilbert space. Without loss of generality, we choose the following parametrization, which ensures automatically that the constraints are satisfied: actually the phase $\varphi$ does not play any role, and we set it to be 0. So, for a given $V$ and a given $\mu$, Eve's states are parametrized by $\theta$ and $\varphi$.
For $e^{-\mu} \leq 1 - V$, Eve can choose $\varphi = 0$ and $\cos\theta = \sqrt{\frac{e^{-\mu}}{1 - e^{-\mu}}\,\frac{V}{1 - V}}$, which gives $\langle v_0|p_\mu\rangle = 0$: in this case, Eve has full information on Alice and Bob's bit. A necessary condition for Alice and Bob to have secret bits is therefore to choose $\mu$ such that $e^{-\mu} > 1 - V$. In this case, one can easily show that the minimum overlap is obtained by setting $\theta = \varphi = 0$.
Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity $\mu$. The optimal choice $\mu_{\text{opt}}$ and the corresponding value of $r_0$ are plotted in figure D.1.

Appendix E. Optimization of 1PA and 2PA on DPS
As mentioned in the main text, the optimization of Eve's information for a 2PA on DPS is more complicated than the one for COW, because we could not find any evident simplification and had therefore to start from the general formal expressions. For this reason, we find it useful to sketch first the study of 1PA on DPS, if only to show that our optimization on the 2PA yields indeed a more strict bound. so that (E.2) is satisfied. Let's also define $|v_\sigma^\perp\rangle$ as the orthogonal state to $|v_\sigma\rangle$, in the subspace spanned by $\{|v_+\rangle, |v_-\rangle\}$: The constraint (E.4) on the visibility implies that $|p_\sigma\rangle$ can be written as $|p_\sigma\rangle = \sqrt{V}\,|v_\sigma\rangle - \sqrt{1 - V}\,|w_\sigma\rangle$, where $|w_\sigma\rangle$ is any (4-D) state orthogonal to $|v_\sigma\rangle$; this can be further decomposed as $|w_\sigma\rangle = \cos\theta_\sigma\,e^{i\varphi_\sigma}|v_\sigma^\perp\rangle + \sin\theta_\sigma|w'_\sigma\rangle$ for some states $|w'_\sigma\rangle$ orthogonal to both $|v_+\rangle$ and $|v_-\rangle$. Finally, we choose the last two vectors of the basis such that $|w'_+\rangle$ and $|w'_-\rangle$ read In summary, for a given $V$ and a given $\mu$, we are left without loss of generality with the six free parameters $\theta_+$, $\theta_-$, $\theta$, $\varphi_+$, $\varphi_-$ and $\varphi$ that define
Results of the optimization. The optimization over the six free parameters was performed numerically. We find that Eve's optimal states have real coefficients (the parameters $\varphi_\pm$, $\varphi$ can be chosen to be 0), and also that $\theta_+ = -\theta_-$. Once we fix this, there remain only two free parameters to optimize.
Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity $\mu$. The optimal choice $\mu_{\text{opt}}$ and the corresponding value of $r_0$ are plotted in figure E.1, along with the results for 2PA. In the case $V = 1$, this attack reduces to the BSA; in all other cases, the optimal 1PA is manifestly less powerful than the best 2PA we have found.
Note that after optimization, we find $\chi_{AE} \leq \chi_{BE}$: Eve knows less about Alice's bit than about Bob's.