Practical issues of twin-field quantum key distribution

Twin-field quantum key distribution(TF-QKD) protocol and its variants, such as phase-matching QKD, sending-or-not-sending QKD and no phase post-selection TF-QKD(NPP-TFQKD), are very promising for long-distance applications. However, there are still some gaps between theory and practice in these protocols. Concretely, a finite-key size analysis is still missing, and the intensity fluctuations are not taken into account. To address the finite-key size effect, we first give the key rate of NPP-TFQKD against collective attack in finite-key size region and then prove it can be against coherent attack. To deal with the intensity fluctuations, we present an analytical formula of 4-intensity decoy state NPP-TFQKD and a practical intensity fluctuation model. Finally, through detailed simulations, we show NPP-TFQKD can still keep its superiority of high key rate and long achievable distance.


Introduction
Quantum key distribution(QKD) [1,2] is one of the most mature applications among the emerging quantum technologies. It allows two remote users, called Alice and Bob, to share random secret keys even if there is an eavesdropper, Eve [3][4][5]. Due to the loss of channel, both the key rate and achievable distance of QKD are limited. Although increasing the secret key rate(SKR) and achievable distance are essentially significant for the real applications of QKD, the theorists proved there are some limits on the improvement of SKR [6,7]. In particular, for the channel of transmittance η, the linear bound [7], i.e.
However, there are still some gaps between theory and implementation of TF-QKD. In [12][13][14], asymptotic SKR of NPP-TFQKD is proposed, but the SKR in finite-key region is not given. On the other hand, the key-size in a practical implementation is always finite, thus a framework to deal with the finite-key size effect in TF-QKD is indispensable.
Another problem we will discuss is a potential security loophole of TF-QKD and its variants. Although the [8][9][10][11][12][13][14] have proved the TF-QKD and its variants are information-theoretically secure even with unstrusted measurement device just like the original measurement-device-independent protocol [19][20][21][22], the imperfections of laser source may spoil the security. One of the intractable loopholes of source is the intensity fluctuation [23][24][25]. In this work, we also propose a countermeasure to tackle the internsity fluctuation of NPP-TFQKD. A key step of our method is proposing the analytical formulas to deal with the 4-intensity decoy states in NPP-TFQKD. In the original NPP-TFQKD [12], one must use linear programing to solve linear equations of decoy states [26][27][28][29][30]. Compared with linear programing, analytical formula has superiorities on some special situations. More importantly, the proposed analytical formulas are particularly convinient to be incorporated to our intensity fluctuation. Another key step of our method is introducing a new intensity fluctuation model in finite-key size regime. The model makes TF-QKD robuster to intensity fluctuation.
The rest of this paper is organized as followoing. Firstly, In section 2, we briefly review the procedure of NPP-TFQKD protocol. In section 3, we analyze the finite-key size effect of NPP-TFQKD, give the SKR formula against coherent attack and evaluate the performance of TF-QKD in finite-key regime. In section 4, the analytical formulas for 4-intensity decoy state method are given. Then we introduce the intensity fluctuation model and its countermeasure. Finally, a complete simulation which takes into account both the finite-key size effects and the intensity fluctuations is presented.

Protocol definition
The setup of NPP-TFQKD [12] protocol is illustrated in figure 1 and the procedure is as following: State preparation: this step will be repeated by N trials. In each trial, Alice(Bob) chooses code mode or decoy mode with probabilities P c and P d =1−P c respectively, sends corresponding quantum state to untrusted Charlie.
When code mode is selected, Alice(Bob) prepares a phase-locked weak coherent pulse(WCP) where the plus or minus of the quantum state depends on the bit value of Alice(Bob)ʼs random key of this trial.
When decoy mode is selected, Alice(Bob) prepares a phase randomized WCP, whose intensity ν a (ν b ) is randomly choosen from a pre-decided set. Alice(Bob) actually prepares a mixed state since the randomized phase in the decoy mode will never be publicly announced. For instance, the density matrix of Alice's WCP in decoy mode can be denoted as: n a n 0 a a where | ñ n is the Fock state. Measurement: for each trial of the state preparation step, the untrusted Charlie must publicly announce a single click of his single photon detector(SPD) 'SPD-L' or 'SPD-R' or non-click meassage. Note that Charlie is untrusted, thus he is not necessarily to make the measurement shown in figure 1.
Sifting: Alice and Bob publicly announce which trials are code mode and which are decoy mode. For the trials they both choose code mode and Charlie announce 'SPD-L' or 'SPD-R' clicked, Alice and Bob will retain this key bit. According to Charlie's measurement result, Bob may decide to flip his key bit or not. After this step, Alice and Bob generate sifted key bit string Z and ¢ Z respectively. Error correction: Alice sends λ EC =nfH(E c ) bits of classical error correction data to Bob. Here is the Shannon entropy, Figure 1. In Alice and Bob's side, The laser-modules can prepare initial phase locked weak coherent pulses with the help of the phaselocking module belongs to Charlie [16]. The phase-modulators(PM) are apply to encode key bits in code mode and randomize the phase of WCPs in decoy mode. E c is the error rate of sifted key bits and f1 denotes error correction efficiency. Depending on the error correction data and ¢ Z , Bob obtains an estimatedẐ of Z. Next, by applying universal 2 hash fuction, Alice sends l =  log EV 2 1 EC bits of error verification information to Bob. If the error verification fails, they output an empty string and abort the protocol. Otherwise, they assume the error correction sucesses and = ¢ Z Z . Parameter estimation and privacy amplification: Alice and Bob accumulate data to estimate gain Q c of trials that they both choose code mode, gains Q xy of trials they choose decoy mode with intensity x and y respectively. With these parameters and λ EC , λ EV , Alice and Bob perform privacy amplification, say, apply a random universal 2 hash function to Z andẐ respectively to generate l sec -length secure bit string S and ¢ S respectively. The SKR per pulse is defined as R=l sec /N.

Finite-key analysis of NPP-TFQKD
Previous work [12][13][14] of NPP-TFQKD are based on the asymptotic situation. However, since it is impossible for Alice and Bob to send infinite pulses to generate their secure key in reality, the finite-key size effect [31][32][33][34] must be taken into account. In this section, we first extend the asymptoic SKR formula of [12] to non-asymptotic one against collective attack. Then based on the postselection technique developed in [31], a formula against coherent attack is present.
3.1. Security definition and SKR against collective attack As discussed above, in the end of NPP-TFQKD, Alice and Bob obtain a pair of bit string S and ¢ S respectively. Ideally, the bit strings are secure and applicable to any cryptosystem if two fundamental conditions are met, namely correctness and secrecy. The correctness is, in simple terms, = ¢ S S , which is guarantted by the error verification. The secrecy requires Eve's system E is decoupled from Alice's key S, which is met when denotes the uniform mixture of all possible value of S; {| } ñ s denotes the orthonormal basis of Alice's key S; ρ E is Eve's the density matrix and r E s is Eve's the density matrix of Eve's system conditioned that Alice's key S is in the state | ñ s . Clearly, Alice's key S is completely unknown to Eve in this ideal case. However, in finite-key size regime, the ideal condition, namely, equation (2), usually cannot be perfectly met. In [35], a composable security criterion is proposed. This criterion introduces secure parameters to describe some small probabilities of the keys S and ¢ S varing from the ideal case. The protocol is ò EC -correct if ( ) ¹ ¢   P S S EC , i.e. the probability of ¹ ¢ S S is less than ò EC . Similarly, the protocol is ò PA -secret if where the symbol ·   1 denotes trace norm of a matrix. In general, if a protocol is ò-secure, ò EC +ò PA ò must hold. To meet this criterion, with the same manner of [32], the SKR formula of NPP-TFQKD against collective is given by is the size of sifted key bits, I AE is the upperbound of Eve's information on the sifted key bit if she launches collective attack, l = EC , ò PA accounts for the probability of failure of privacy amplification, and ò s measures the accuracy of the estimating the smooth min-entropy [32]. As shown in [12], the estimation of I AE against collectice attack depends on some experimentally observed parameters including the gains Q c and Q xy . When the number of trials is finite, the expectations of these gains may vary from the experimentally observed values due to statistical fluctuations. Thus, another secure parameter ò PE [34] characterizing the probablilty that parameter estimation fails must be taken into account. For instance, consider a set of i.i.d. random variables X 1 X 2 ...X N (X i ä{0, 1}), the observed frequency of bit 1 is usually not equal to its expectation E(X), provided N is finite. To solve this problem, we apply large deviation theory, specifically, the Chernoff bound to estimate a confidence interval of X according to the obeserved value. In NPP-TFQKD, we can apply Chernoff bound [34,36,37] to estimate expected value Q c and Q xy through the observed gainsQ c andQ xy with a failure probability ò PE . We take Q xy as an example: , and ( ) ( ) = f x x 2 ln 1 . The N xy denotes the total number of trials which Alice and Bob select decoy mode with intensity x and y.
The upper and lower bound of Q xy are: In [2], the I AE is bounded by Y nm and Q c . We estimated upper and lower bound of Y nm by linear programming, whose constraints are: As introduced in [12], There are 10 different Q xy in equation (6), thus there are 20 constraints in total. When fluctuation analyses are applied, the Q xy should be replaced with its worst-case in equation (6). The equation ( By applying the new constraints, we can estimate secure + Y nm and -Y nm in non-asymptotic scenario. With these + Y nm , -Y nm and + Q c , -Q c , an estimation of I AE with acceptable failure probability (11ò PE ) can be obtained. Finally, Alice and Bob generate NR col bits secret key against collective attack with ò col -security. Obviousely, ò col is not exceeding the sum of failure probabilities of error verification, privacy amplification, accuracy of smooth min-entropy and parameters estimation, say Now we have introduced how to generate ò col -security keys against collective attack in NPP-TFQKD with finitekey effect. Next, we discuss how to obtain ò coh -security keys against coherent attack.

Countermeasure of coherent attack
There are two ways to deal with security under coherent attack in finite-key scenarios. One way is to use uncertainty relation for smooth entropies [38,39] or complementarity relation [40]. In this context, collective attack is not assumed, thus the data used in parameter estimation can be arbitrarily correlated. The other way, which we follow here, is to firstly assume collective attack (i.i.d.) then convert its security to be against coherent attack. In real-life, the i.i.d. assumption may be not satisfied. Fortunately, [31] has proved that one can always assume i.i.d. in the security proof (including parameter estimation) to get a key rate against collective attack, then calculate a key rate against coherent attack. In this work, we introduce the following corollary from the theorem 1 of [31] to tackle coherent attack in finite-key region.
Corollary. The key rate R coh against coherent attack could be given by while the key is ò coh -secure and Proof. The proof is based on the theorem 1 of [31] and very similar proofs can be found in [31] and the appendix B of [32]. We denote   ,   , and  are the Hilbert space of Alice's ancilla A, Bob's ancilla B and Clarlie's message M respectively. Without compriomising the security, Charlie's messgage M (click or not) can be treated as a quantum stated shared by Alice and Bob. The NPP-TFQKD protocol using equation (3) to generate keys could be viewed as a map  tranforming A, B and M into keys S and ¢ S (| | | | = ¢ = S S NR col ) respectively. Let  be a hypothecal map tranforming imperfect keys S and ¢ S into perfect ones and define , s  is the pure state shared by Alice, Bob and Eve induced by any collective attack, and ( ) m s  is the Haar measure on the pure state s  .
Next, we consider Eve may control another ancilla R to obtain the purification Through controlling ancilla R, Eve's min-entropy on sifted key is decreased at most ( 1 log 1 2 2 bits. To meet the security, Alice and Bob may perform protocol ¢  , in which privacy amplification shortens the sifted key into Finally, we apply the theorem 1 of [31] and obtain is any state shared by Alice, Bob and Eve, this inequality clearly shows that the protocol ¢  is -secure for any coherent attack. Substituting d=8, we end the proof. According to the corollary, if Alice and Bob want to generate ò coh -secure keys against any attack, they will calculate the parameter ò col with equation (10), and generate keys with equations (9), (3) and (8).
Before proceeding, we review the logic of our proof and clarify why the difference between code mode and decoy mode does not compromise the security. In the analysis of collective attack, one can assume the quantum system shared by Alice, Bob and Eve is collective, i.e. Eve always treats each code round or decoy round with an identical operation, which implies that the parameter estimation can safely assume the statistical parameters corresponding to a same measurement are i.i.d for any round. In other words, the distinguishability between code states and decoy states has no effects on the parameter estimation in the context of collective attack, provided the security proof against collective attack has considered the fact that the emitted states used for key generation and the ones for testing are not exactly the same. Indeed, the [12] has considered this issue, namely, the security proof is suitable for all collective attacks. Consequently, parameter estimation with random sampling and its security parameter ò PE are applicable when only collective attack is taken into account. Of course, analysis against collective attack is not sufficient in the finite-key region. Fortunately, based on the [31,32], security proof of a discrete-variable QKD protocol against collective attack can be expanded into a proof against coherenet attack (note that this theory only applies in permutation-invariant protocols, and evidently this is the case in TF-QKD by treating measurement message M as a part of quantum system). Following this technique, we proved that the security of coherent attack with ò coh -secure can be obtained from collective attack Note that ¢  is the overall security parameter against collective attack, and thus includes the security parameter of parameter estimation in the context of collective attack. Recall that we have clarified random sampling is relevent if collective attack is considered.
To evaluate the performance of NPP-TFQKD in finite-key region, simulations in fiber channel are performed here. The experimental parameters such as dark count rate, detection efficiency are listed in table 1.
In addition to fixed parameters in table 1, there are some parameters should be optimized to maximize the SKR. There are 10 parameters should be optimized in total. The first set is decoy intensities μ, ν and ω. The second set is probabilities of modes and intensities. P c denote probabilities of choosing code mode and m P d n P d w P d denote probabilities of choosing decoy mode with intensity μ, ν, ω. It worth noting that probabilities of vacuum The number of pulses they both select code mode is NP c 2 and they select decoy mode with intensity x and y respectively is NP P  [42,43] is not guaranteed, we choose particle swarm optimization algorithm(PSO) which can optimize the non-smooth function and non-convex function [44] to search the best  v to maximize the R coh .
The results of the simulations are illustrated in figures 2 and 3. In figure 2, we simulate the SKR as a function of distance between Alice and Bob while the pulses number N is fixed to be 10 12 , 10 13 , 10 14 . In figure 3, we simulate the SKR as a function of N while the distance is fixed to be 50, 100 and 150 km. The results show that compared with asymptotic situation, the protocol still works well in non-asymptotic situations and the linear bound is still overcomed when N10 12 . Some optimal parameters and SKRs are listed in table 2.

NPP-TFQKD with both large random intensity fluctuation and finite-key size effect
Except for finite-key size effect, a ubiquitous loophole in practical QKD system is intensity fluctuation [23][24][25].
When applying decoy state technique, accurate intensity values are required to ensure the correct estimation of Y nm [12]. The uncertain intensities bring uncertain Poisson distribution of photon numbers in linear programming equations [12,33], which leads to incorrect estimation of Y nm and may allow Eve to perform sophisticated attacks. Unfortunately, it is very difficult to control the intensity of WCP exactly in practical QKD system since noise, time jitter, problem of modulation and other imperfections of devices. In this section, we discuss the NPP-TFQKD with large random intensity fluctuation in finite-key size regime, where the 'random' means that the distribution of the intensity fluctuation can be arbitrary. The main contribution of this section is that we present a countermeasure of both large random intensity fluctuation and finite-key size effect of NPP-TFQKD. Since the Poisson distribution , where x is the intensity of WCP, is not certain anymore, we   present a new method to estimate p n x± which denote, respectively, upper and lower bound of p n x and replace p n x by its worst case in our analytical formula. The analytical formula is presented to estimate Y nm and is introduced in the next subsection. It worth noting that, by measuring the average intensity and upper and lower bound of fluctuation, our method can estimate tighter  p n x , which helps to improve the SKR in large random intensity fluctuation scenario.

Analytical formula of 4-intensity decoy state method of NPP-TFQKD
Before proposing the intensity fluctuation model of NPP-TFQKD, we will introduce our analytical formula of 4-intensity decoy state method. In 'Parameter estimation and privacy amplification' step, the n-photon yield can be estimated by linear programming or analytical formula [29,30]. However, the analytical formula of NPP-TFQKD is not given. In our countermeasure of imperfect WCP source loophole in next section, the analytical formula is needed. To make the NPP-TFQKD more practical, the analytical formula of 4-intensity decoy state method is proposed.
where μ c (m ¢ c ) is the Alice's (Bob's) intensity of the code mode. To estimate the upper bound of I AE , we have to estimate the upper bound of q 00 , q 10 , q 01 , q 20 , q 02 , q 11 and lower bound of = + + + + + q q q q q q q sum 00 10 01 20 02 11 . The upper and lower bound of Y nm can be estimated by applying linear programming [12,33] whose constraints are joint of: where 0Y nm 1. Noting that these p n x depend on the intensity x, it's obvious that the p n x in equation (11) are uncertain and the linear programming will be not valid any more if we cannot control intensities exactly. Intuitively, we can still get secure bound of key rate if we correctly replace coefficients p n x by its upper and lower bound in analytical formula. Thus we present an analytical formula before building the fluctuation model.
We will use superscript or subscript + ' ' and -' 'to express, respectively, upper and lower bound of a variable. We denote Alice's (Bob's) intensity in decoy mode by μ, ν, ω (μ′, n¢, w¢) and o where μ>ν>ω>o (m n w ¢ > ¢ > ¢ > o) and o is the vacuum state. Alice's (Bob's) intensity of code mode is denoted by μ c (m ¢ c ). It is worth noting that, μ c (m ¢ c ) should be the same as one of μ, ν or ω (m¢, n¢ or w¢). To make our formula more clear, we denote m p n , n p n and w p n ( m¢ p n , n¢ p n and w¢ p n ) by, respectively, a n , b n and c n ( ¢ a n , ¢ b n and ¢ c n ). Here we will demonstrate how to estimate n-photon yield by analytical formulas as follows. The details are showed in appendix.
Estimation of q 00 : = m m ¢ q p p Q oo 00 0 0 c c . Upper bound of q 10 and q 01 : . Upper bound of q 20 and q 02 : The lower bound of q sum is

Estimation of average intensity
In this subsection, we briefly introduce the simple tomography technique proposed by [24]. Based on this work, we propose a large random intensity fluctuation model in finite-key size regime. As illustrated in figure 4, Alice (Bob) should firstly produce a WCP with intensity 2x when she(he) actually wants x. Before sending the WCP to Charlie, she (he) splits it by a 50:50 BS. One of the pulse is sent to Charlie and the other one is measured by a local low dark-count SPD whose detection efficiency is η. After sending N x xintensity WCPs, the local detector's count number is n x and then x denotes the observed n x . The dark count is ignored since it's orders of magnitude lower than light count. Because of the random fluctuations, whenever Alice (Bob) wants to modulate intensity x, she (he) actually modulates wherex is the average intensity and the instantaneous fluctuation δ i is an unknow value. Mathematically, the click rate h x is: As proof in [24], the upper and lower bound ofx is:¯( However, this conclusion in [24] cannot be used in non-asymptotic situations directly. Here we apply large deviation theory to make the method met practice.
Noting that the distribution of intensity fluctuation is not independent identically distributed in most cases, we choose Azuma's inequality [45][46][47] rather than Chernoff bound to estimate the confidence interval of h x . The upper and lower bound of h x is: where the ò h is secure parameter of estimation. Then the bound of the average intensity is corrected as¯( 4.3. Model of NPP-TFQKD with both intensity fluctuation and finite-key size effect In this subsection, we will propose our countermeasure model. When we want sent x-intensity WCP, we actually prepare¯( where δ + =max{δ i } and δ − =min{δ i }. With definitions above, the density matrix of the source with fluctuation can be describe by: Thus the p n x is re-written as: By applying Taylor expansion to equation (24), we obtain: , The + a n anda n is the upper and lower bound of a n . The upper and lower bound of (¯) d m f , n i can be obtained by optimization algorithms.
Espacially, when n=0 e . 28 0 0 0 0 The  b n and  c n in the analytical formula can be obtained similarly. However, without introduction of average intensity, when n1: The difference between introducing average intensity or not is showed in figure 5, it indicates that the introduction of average intensity can significantly tighten the bound.
The simulation of NPP-TFQKD with both large random intensity fluctuation and finite-key size effect is shown in figure 6. The experimental parameters are listed in table 1 and the secure parameter of Azuma's inequality in equation (21), namely, ò h is fixed to 10 −10 . To emphasize the countermeasure of intensity fluctuation, we simulate the SKR as a function of distance for different intensity fluctuation range. Similar to the optimization introduced in section 3, we maxmize SKR by using PSO  where η lc and p d lc are, respectively, the detection eficient and dark count rate of the local SPD. In our simulation, η lc =10% and =p 10 d lc 7 . The optimal parameters are listed in table 3. The simulation result in figure 6 indicates that by applying our countermeasure model, the large random intensity fluctuation has very limited influence on the performance of NPP-TFQKD.

Discussion
In this article, we have discussed some practical issues of NPP-TFQKD based on [12]. We firstly analyzed the issue of finite-key size effect and solve this problem by applying post-selection technique for quantum channels Figure 6. Non-asymptotic secret key rate in logarithmic scale as a function of distance between Alice and Bob for different fluctuations and pulses number (δ ± =±0%: blue, δ ± =±20%: red, δ ± =±50%: yellow. N=10 14 : solid lines, N=10 13 : dash lines, N=10 12 : dash-dot lines). The green dot line denotes linear bound [7]. Table 3. Some optimal parameters when finite-key size effect and intensity fluctuation are taken into consider.  [31] and using Chernoff Bound to estimate al fluctuations of observed values. The simulation shows that NPP-TFQKD works well in non-asymptotic situations. Another contribution of this work is we propose a countermeasure of intensity fluctuation. We introduce an analytical formula of decoy state method to meet the needs of our fluctuation model. Then we propose our intensity fluctuation model to deal with large random intensity fluctuation problem in the source side. Our model is practical since it doesn't contain any assumption about distribution of fluctuation. It only need average intensity and fluctuation range, which can be measured by local detectors. Our simulation results suggest that by applying our method,the non-asymptotic SKR can still break the linear bound even if the large random intensity fluctuation is taken into account.
Some work have discussed the TF-QKD with coherent attack, we briefly discuss them here.
The [9] is the earliest work mentioned coherent attack which we can find. This work independly proposed a very similar idea with [12]. The [9] also proposed that by applying Azuma inequality, their proof is against coherent attack. However, they do not give a detailed quantitative analysis on coherent attack in finite-key region.
Indeed, Azuma inequality is a general tool to deal with coherent attack and finite-key effects. However, since Azuma inequality converges slowly with the number of rounds, we conjecture this technique may be a not good solution.
Another work [48] is based on sending-or-not-sending QKD. By applying entropic uncertainty relations method [38,39], the key rate of sending-or-not-sending QKD against coherent attack is proposed. Their method is a powerful way to deal with coherent attack and finite-key effects, but seems to be not applicable in NPP-TFQKD.
From the view of performance, the sending-or-not-sending QKD features its robustness against large misalignment error and finite-key effects. It seems that NPP-TFQKD is more sensitive to finite-key effects. However, when the misalignment error is small and key size is large, NPP-TFQKD may perform better.
It worth noting that, in order to simplify the simulation, we suppose that all experimental parameters are symmetric, namely, parameters such as dark count rate, detection efficiency, distance to Charlie, misalignment and intensity fluctuation of Alice and Bob are same. However, the experimental setups are usually asymmetric. It is an open question that how to optimize intensity and probability parameters to efficiently maximize the secure key rate. Reference [49] is a recently published work about the asymmetric sending-or-not-sending QKD.
Another open question is if the vacuum state o can be removed or replace by other intensities. In our simulation, we set vacuum state to estimate + Y 00 tighter. However, the IM in a real implementation has a finite extinction ratio, it would be very challenging to obtain approximate vacuum state. The [50] demonstrates an approach to generate stable and high extinction ratio light pulses with an extinction ratio >80 dB by cascading two IM, which can attenuate coherent pulse to approximate vacuum state. It is worth to study if the vacuum state can be removed to make the protocol more practically useful.
Note added-Recently, we found that [51,52] discussed the finite-key size effect and [53,54] discussed the security of TF-QKD under intensity fluctuation.

Appendix. Proof of analytical formula
Before introduce our analytical formula, we should introduce some important conclusions. The first improtant conclusion is: where xy and mn. The details can be found in [29,30]. The next is: Upper bound of q 01 and q 10 : We take + q 10 as an example. The proof of + q 01 is similar. We define = - . A.46 A.50 The + q 20 is:   Then we estimate theq t 2 , namely, theq 11 . Similar to the estimation of + q 01 , we define: By applying above equations, we obtain an inequation set: ⎧ .
A.59 Solving the equation (A.59), we obtain: a a b b b b a a , A . 6 0