Security of quantum key distribution with source and detection imperfections

In practice, the device imperfections might introduce deviations from the idealized models used in the security proofs of quantum key distribution (QKD). This requires the refined security analysis for practical QKD. However, in most of previous analysis, the imperfections are individually considered with different models. Here, we derive a security analysis which takes both the source and detection imperfections into account. Particularly, the efficiency mismatch in the detection and a number of flaws in the source (such as, inaccuracy of encoded quantum state, side-channel of source, distinguishable decoy states, Trojan-horse, and so on) are analyzed in a general security model. Then the performance of the QKD system with the devices imperfections is evaluated. Our results present an important step toward the practical security of QKD wit realistic devices.


Introduction
Quantum key distribution (QKD), such as BB84 [1], provides a way to share key between Alice and Bob with information-theoretical security. The unconditional security of QKD have been widely proved in theory [2][3][4] and demonstrated in experiments based on fiber [5][6][7] or free-space [8][9][10]. Some quantum networks based on QKD are also available now [11][12][13]. However, it is well known that the imperfections of practical devices will compensate the security of generated key. In fact, some quantum attacks have been discovered and demonstrated by exploiting these imperfections of practical devices [14][15][16][17][18][19]. Some detail information about the advances of QKD and quantum hacking can be found in recent review papers [20,21].
In order to overcome the gap between theory and practice, two methods, security patch and device-independent QKD, are approached. In the former one, by adopting monitor or taking parameters of practical devices into the security model as many as possible, most of known quantum hacking can be defeated. The later one tries to propose new QKD protocol, in which the security can be proved with just a few of basic assumptions. Three typical device-independent protocols are full device-independent QKD [22,23], measurement-device-independent QKD [24] and semi-device-independent QKD [25].
For BB84 protocol with single photon source (SPS), the key rate are given by Here the key is distilled from Z−basis. If key is generated from both of two bases, equation (1) can be easily expended. δ z b is the bit error in Z-basis, which is directly measured in experiment. δ z p is the phase error in Z-basis. If the QKD system is perfect, δ z p equals with the bit error in X-basis (δ x b ). But, when imperfections are taken into account, δ z p = δ x b , then new method is required to estimate the upper bound of δ z p . In fact, Table 1. The considered imperfections in our model and the required parameters that used to evaluate these imperfections. Alice and Bob can measure the required parameters for practical QKD system in experiment, then evaluate the security of QKD based on our model given in the following sections. The superscript i, j = 1, 2, 3, 4 are the index of four quantum states sent by Alice, which represent z 0 , z 1 , x 0 , x 1 respectively. The subscript of D k,l is the index of different decoy states k and l. And [η 0 (λ k , λ m )] is a matrix with element η 0 (λ k , λ m ) for k, m = 1, 2, . . . . The detail calculation of these security parameters are descried in the main text.

Considered imperfection Required parameter Symbol
Inaccuracy of encoded quantum state Fidelity between practical states |γ i and ideal states |i The intensity of reflected Trojan-horse photon The detection efficiency matrices of two detectors based on different imperfections, many works have been done, such as GLLP's analysis [3], basis-dependent source flaws [4], Trojan-horse [18], decoy state [26][27][28] and distinguishable decoy state [29], leaked source [30], detection mismatch [31,32], weak randomness of basis choice [33], and so on. However, in most of these security analysis, the flaws are considered individually with different models. In this paper, following the GLLP's analysis which is security under collective attack (if the source is independent and identically distributed, it is also security under coherent attack), the security of BB84 protocol with both source and detection imperfections are analyzed. In one model, the efficiency mismatch in detection and almost all of imperfections in source are taken into account together. The considered imperfections and the required parameters to evaluate these imperfections are listed in table 1. The legitimate parties can first measure the required parameters for practical QKD system in experiment, then evaluate the final key rate based on our analysis in following. When source flaws are taken into account, one major problem is that Eve could enhance the source flaws by exploiting the loss of system. Then the phase error is loss-dependent, which will rapidly worse the key rate even the source flaw is very small. In order to improve the key rate, a practical assumption is proposed, in which parts of loss in Bob's site can be carefully calibrated and monitored. In fact, this assumption has been used to secure the single photon detectors (SPDs) [34,35]. Then we discuss the performance of QKD system based on this assumption.

Protocol
The model is shown in figure 1. Alice randomly prepares one of four quantum states |γ β j , here β = Z, X is the basis and j = 0, 1 is the bit. Due to the imperfection of state preparing, |γ β j may do not equal with the standard BB84 state |β j , and they are also distinguishable in other dimensions. Thus, the practical quantum state prepared by Alice should be written as The subscript B means the encoded state sent to Bob. ω β j S is the quantum state leaked to Eve due to the side-channel of source. The index ω includes all side-channels of Alice's quantum state, such as time, wavelength, waveform, Trojan-horse photon, and so on. Note that for simple of discussion, we assume |γ β j is pure in equation (2), but the following analysis can be easily expended to the case of mixed state by introducing an auxiliary system belonging to Eve. Now we consider the entanglement-based protocol according to the practical quantum state of equation (2), in which Alice prepares the following entanglement states in two bases, After the state preparing, Alice measures the auxiliary system A to determine her bit, and sends B (S) to Bob (Eve). Generally speaking, due to the imperfection of source, |ψ Z = |ψ X . And since the system A is virtual, the state β j A and the measurement of Alice are perfect. The imperfect detection can be divided as two parts, a filter (F Z , F X or G BT ) followed by a perfect measurement (M Z or M X ). The key is distilled from Z-basis, and the virtual X measurement is used to estimate the phase error.
When the quantum state ϕ β j BS flies in the quantum channel, Eve can perform collective attack on system B. Due to the existence of detection flaws, Eve also tries to control the click of SPDs by introducing another system T (see figure 1(a)). Generally speaking, Eve's interaction can be described by a set of POVM operators. But due to the existence of flaws in source and detection, Eve's operations may depend on the system S and T. Thus, the POVM elements of Eve should be written as, here i is the index of POVM elements, and t = 1, 2, 3, 4 means z 0 , z 1 , x 0 , x 1 respectively. Then the quantum state shared by Alice, Bob and Eve is given by Here E is Eve's system to perform her collective attack with basis {|i E }. In order to determine Alice's basis, a quantum coin with basis {|0 c , |1 c } is introduced [4]. Then the final entanglement state shared by Alice, Bob, and Eve is given by When Alice and Bob shared the entanglement state above, they randomly measure their quantum state with one of two bases, X or Z. Since Alice's measurements are virtual, thus her performances on system C and A are perfect. But, due to the flaws of detection, Bob's measurements may be controlled by Eve. According to reference [31] (see figure 1(b) for detail), when the detection mismatch is taking into account, Bob's measurement can be divided as two parts, a filter followed by a perfect measurement. The filter operators for actual Z− and X−measurement, and virtual X−measurement are given by Here F 0 and F 1 are detection efficiency matrices of SPDs, which characterize the mismatch of two detectors. C is a virtual filter used to estimate the phase error, which can be constructed by using F 0 and F 1 . Here actual Z-(or X-) measurement means that Alice and Bob share |Ψ Z (or |Ψ X ) given by equation (5), and both Alice and Bob measure their quantum state with Z-basis (or X-basis), which indexes the bit error δ z b (or δ x b ). The virtual X-measurement means that Alice and Bob share |Ψ Z , but both of them measure the quantum state with X-basis, which indexes the phase error δ z p . Since the phase error could not be directly measured in the BB84 protocol, it should be estimated with the measured bit error δ z b and δ x b . According to the model given above, the bit error and phase error can be written as, Here |Ψ 1 Z , |Ψ 2 X and |Ψ 3 Z are the final quantum states when the quantum state from the quantum channel pass through the filter in actual Z measurement, actual X measurement and virtual X measurement, respectively (see part (b) of figure 1). And M z b , M x b and M z p are perfect measurement in Z and X bases. Since the measurement is perfect, M x b = M z p . These parameters can be given by, Furthermore, due to the existence of filter G BT , not all the photons can pass the filter and be detected by Bob, thus the key rate of equation (1) should be rewritten as Here P succ is the probability that Bob successfully performs the virtual X−basis measurement, which is given by

Key rate
According to the model given above, Alice and Bob should maximize the phase error δ z p and minimize the probability P succ to estimate the lower bound of key rate. In other words, the legitimate users should solve the following problem, max ρ E : δ z p , and min Here the constrictions δ z(x) b is the bit error in Z-basis (X-basis), and P ββ ij is the probability that Alice sends the quantum state in β−basis with bit i and Bob successfully detects bit j in β −basis. Note that all of them (δ z b (x) and P ββ ij ) can be directly measured in experiment. In the appendix A, we prove that P β,β i,j can be written as The upscript 'vir' means the virtual measurement in X−basis is performed by Alice and Bob. The parameters required in the equation above are given in appendix A. Z ij and X ij represent the accuracy of encoded quantum state in Z-basis and X-basis, which are given by equations (A13) and (A17). Z p ij is the accuracy of encoded quantum state in virtual X−basis measurement, which is defined by equation (A28). f z 0(1) is a diagonal matrix that represents the fidelity of side-channel state between the given quantum state |ω z 0(1) and all the four quantum state |ω i , which is defined in equations (A11) and (A14). And the definition of f x 0(1) is the same as that of f z 0(1) , which is given by equation (A18). F + j F j is the detection matrix of two detectors (j = 0, 1), and C can be directly calculated by using F + j F j . Then the bit/phase error rate (equation (8)) and the probability that Bob successfully performed the virtual measurement (equation (11)) can be rewritten as . (14d) By solving equation (12) under the given condition equation (14), the lower bound of key rate can be estimated, when SPS is adopted by Alice and Bob. However, due to the unavailability of SPS in practical applications, the weak coherent source is always used. Then, according to the GLLP's analysis [3], the key rate should be rewritten as Here μ is the intensity of signal state. f EC is the efficiency of error correction. Q μ (E b μ ) is the total gain (bit error rate) of signal state. Y μ 1 and δ z,μ p,1 are the yield and phase error rate of single photon pulse from signal state. The phase error rate δ z,μ p,1 should be estimated and maximized with the same method given above (equation (12)), which is given by min Here δ x,μ b,1 , δ z,μ b,1 are the bit error rate of single photon pulse, which can be estimated by the decoy state method [26][27][28], where D μν = 1 2 tr |ρ μ − ρ ν | is the trace distance of different decoy states [29], which shows the distinguishability of signal state and decoy state. And Here η cal Bob is the calibrated transmittance of Bob's system. In the worst case, the transmittance of Bob's system is unknown, η cal Bob = 1. But if the transmittance of Bob's optical devices η Bob and detection efficiency of SPDs (η d ) are carefully calibrated and monitored, η cal Bob = η Bob × η d .

Simulation and discussion
In this section we evaluate the performance of practical QKD system with potential imperfections in source and detection. Before the simulation, we first discuss the imperfections considered in our model (also see  table 1).

Inaccuracy of encoded state
In practical QKD system, due to the finite extinction ratio of encoder, the prepared quantum states by Alice may different from the ideal states required by the QKD protocol. For example, Alice wants to send a quantum state with polarization H, but the practical quantum state may be √ 1 − δ|H + √ δ|V , here δ = 0 is a small deviation. Generally speaking, the practical quantum states prepared by Alice can be written as |γ z 0 = cos(δ 1 )|z 0 + sin(δ 1 )|z 1 , |γ z 1 = sin(δ 2 )|z 0 + cos(δ 2 )|z 1 , Note that although here we assume the quantum prepared by Alice is pure, our analysis is also valid for the case of mixed state. Since the mixed state can be purified by introducing another system belonging to Eve. Thus, as defined in table 1, the fidelity between practical quantum state and ideal quantum state is given by Here i = 1, 2, 3, 4, and ε i 1 = sin 2 (δ i ) represents the inaccuracy of each practical quantum state.

Distinguishable side-channels
As one of security assumptions, Alice should only modulate her bit and basis information in the encode dimension. But, duo to the imperfection of devices or implementation, the quantum states sent by Alice may be distinguishable in other side-channels, such as time (t), wavelength (λ), waveform (w), mode (m), and so on. Generally speaking, there may be correlation in all of these side-channels, thus the quantum state of side channel should be written as |ω β i (t, λ, w, m, . . .) .
However, in practical situations, it is difficult for the legitimate parties to evaluate the correlation of different side-channels for the practical QKD system in experiment, then it is hard to completely describe the quantum state above. Thus, for simple of simulation, here we assume that each side-channel is independent, then the quantum state can be rewritten as Thus, as defined in table 1, the fidelity between different side-channels is given by Here ε i,j 2 represent the consistency of each quantum state in side-channels.

Trojan-horse
Due to the reflection of optical devices and the finite isolation, Eve could inject strong pulse into Alice's zone, and gets parts of information by analyzing the reflected photon. The four quantum states of reflected Trojan-horse photon can be written as [18] Here μ out is the intensity of reflected Trojan-horse photon. In the simulation, we assume phase-coding is used and the average intensities of all Trojan-horse pulses are the same. For other coding method (polarization, time-bin) and different intensity of Trojan-horse pulse, it is easily to rewrite the quantum state above. Then, as defined in table 1, the fidelity of Trojan-horse pulse is given by out 1 e −2μ out e −2μ out e −2μ out e −2μ out 1 e −4μ out e −2μ out e −2μ out e −4μ out 1

Distinguishable decoy state
Decoy state method has been considered as a standard technology to defeat photon-number dependent attacks when non-single photon source is used. One of important assumptions for decoy state method is that the decoy states are indistinguishable in any dimension excepting the intensity. But, due to the imperfection of implementation, this assumption may be broken in practical system. If the density matrix of decoy state is written as [29] Here ρ k (λ) is the quantum state leaked to Eve to distinguish different decoy states, λ includes all the dimensions that can be measured by Eve. f k (λ) is the probability distribution of decoy states in variable λ.
Then the imperfection of decoy states can be characterized by the trace distance, which is given by

Detection mismatch
The detection mismatch is one of major problems in SPDs, which can be described by the detection efficiency matrices F 0 and F 1 . Generally speaking, duo to the following reasons, it is very difficult to completely characterize the matrices F 0 and F 1 in experiment. (1) There may be many dimensions which can induce the detection mismatch, such as time [36], wavelength [37], polarization [38], and so on. (2) In parts of dimensions, e.g. time, the detection efficiency curve of SPDs follow continuous distribution. Then the dimension of detection matrices is infinite. (3) The matrices F 0 and F 1 may be non-diagonal, since the detector may have non-trivial efficiency responses to signals entangled across the different dimension or variable. Thus, for simple of simulation, here we ignore the correlation of different dimension and variable, and assume the matrices F 0 and F 1 are diagonal. We also only consider two detection variables λ 0 and λ 1 , which means F 0 and F 1 are matrices with dimension two. Here λ 0 and λ 1 can be any variable that control the efficiency of detector, such as time, wavelength, polarization, and son on. Then, F 0 and F 1 can be written as here η m (λ n ) means the detection efficiency of detector m at variable λ n , and m, n = 0, 1.

Numerical simulation
With the definition above, all the required parameters can be rewritten as the function of ε i 1 , ε i,j 2 , ε i,j 3 and ε k,l 4 . For example, Z 00 and Z 10 in equation (A13) can be rewritten as and the fidelity of side channels can be rewritten as Here ε i,j 3 is the total deviation of side-channel and Trojan-horse pulse. The blue lines are the key rate for perfect system. The red lines are the key rate with different imperfections. In the simulation, the value of security parameters is selected based on different experiments [18,36,38,39] which is listed in table 2, and other parameters about the QKD system come from the experiment results of GYS [40]: dark count Y 0 = 1.7 × 10 −6 , the optical error rate e det = 3.3%, the transmittance of Bob's optical system η Bob = 0.045, the loss of fiber 0.21dB km −1 , the efficiency of error correction f EC = 1.22. In the case of WPS, we assume that weak + vacuum decoy state method is used, and the intensity of signal state (decoy state) is set as μ = 0.48 (ν = 0.01) which is optimal under the GYS parameters [41]. The method for simulations is given in appendix B. Here, for simple of simulation, we assume that ε i 1 ≡ ε 1 for all i, ε i,j 2 ≡ ε 2 for all i, j, η 0 (λ 0 ) = η 1 (λ 1 ) = 1 and η 0 (λ 1 ) = η 1 (λ 0 ) = η DM . At the same time, we also assume that only weak + vacuum decoy state method with intensities μ (signal state) and ν (decoy state) is used, thus D k,l = D μ,ν . The value of security parameters is selected based on different experiments [18,36,38,39].

Source Detection
Parameter Furthermore, since the loss of channel and finite detection efficiency of SPDs, Eve could enhance the source flaws by exploiting these kinds of loss. Thus, the inaccuracy of quantum state and consistence of side-channel should be rewritten as where η is the transmittance of system, including the transmittance of channel η c , the transmittance of Bob's optical devices η Bob , and the detection efficiency of Bob's SPDs η d . Generally speaking, Submitting equations (31) and (32) into the model given above, the key rate for both SPS (equation (10)) and WPS (equation (16)) can be estimated, which is shown in figure 2. The results clearly show that the estimated key rate will be rapidly decreased, but communication with distance longer than 100 km is still possible if the maker of the QKD system can make sure the deviation of practical devices is small.
In order to analyze which part, source or detection, is the main factor for the decrease of key rate, the estimated key rate for WPS with only source or detection imperfection is also shown in figure 3. It shows that the decrease of key rate in source is much larger than that of the detection. One of major reasons is that Eve can enhance the source flaws by exploiting the total loss of system, including the channel, the optical device of Bob and detection efficiency of SPDs (see equation (32)). But, in some practical situations, parts of loss can be carefully calibrated and monitored. For example, in some QKD system, only passive optical devices are used by Bob, and the transmittance of these devices is not easy to be changed by Eve (or Bob can locally monitor the transmittance of these optical devices). At the same time, the average detection efficiency of SPDs may also be monitored by Bob. In fact, calibrating and monitoring the detection   (33)), for example, the optical devices and the SPDs. The blue lines are the key rate for perfect QKD system without any practical flaws, and the read lines are the practical key rate with different imperfections of practical devices. The doted blue line shows the fundamental rate-loss bound for the ideal system, such as unit detector efficiencies, zero dark count rates, zero intrinsic error, unit error-correction efficiency, and so on. According to the analysis of reference [42], the linear bound is about − log 2 (1 − η c ). The parameters used in the simulation are the same as that of figure 2 and table 2. efficiency of SPDs have been used to secure the SPDs [34,35]. In other words, equation (32) is a worst case, and it can be improved in some practical situations, thus a reasonable assumption is that With the calibrated transmittance above, the practical key rate can be improved, see figure 4. For example, in the case of WPS with ε 1 = ε 2 = 10 −5 , μ out = 10 −6 , D μν = 10 −5 and η DM = 0.05, the maximal distance of security communication can be increased from about 80 km to 110 km.

Summary
The unconditional security of generated key by QKD will be compensated by the imperfection of practical devices. Many models have been proposed to analyze these imperfections in practical QKD system. But, in most of these models, the imperfection are considered individually. In this paper, we take both the source and detection imperfections into account in one model, then the performance of practical QKD system is evaluated.
In the source parts, our model includes almost all of imperfection of source, such as, inaccuracy of encoded quantum state, distinguishable side-channels of source, distinguishable decoy states, Trojan-horse, and so on. But, when source flaws are taken into account, the key rate will be rapidly reduced. One of major reasons is that Eve could enhance the source flaws by exploiting the loss of system, since the channel is totally controlled by her. Here we discuss a possible way to overcome this problem by introducing a reasonable assumption. It is that the legitimate parties can divide the loss as two parts, untrusted loss (the loss of quantum channel) and trusted loss (the transmittance of Bob's optical devices or the detection efficiency of SPDs). Then if the trusted loss can be carefully calibrated and monitored, the key rate will be improved.
In the detection parts, although the major imperfection (detection mismatch) is considered in our model, there still are many other flaws, such as weak-randomness of basis choice, the backflash of SPDs, and so on. In fact, how to take all of these detection flaws together is still an open question. And we will discuss it in our further work.

Data availability statement
The data that support the findings of this study are available upon reasonable request from the authors.