Zero-error attack against coherent-one-way quantum key distribution

Coherent-one-way (COW) quantum key distribution (QKD) held the promise of distributing secret keys over long distances with a simple experimental setup. Indeed, this scheme is currently used in commercial applications. Surprisingly, however, it has been recently shown that its secret key rate scales at most quadratically with the system's transmittance and, thus, it is not appropriate for long distance QKD transmission. Such pessimistic result was derived by employing a so-called zero-error attack, in which the eavesdropper does not introduce any error, but still the legitimate users of the system cannot distill a secure key. Here, we present a zero-error attack against COW-QKD that is essentially optimal, in the sense that no other attack can restrict further its maximum achievable distance in the absence of errors. This translates into an upper bound on its secret key rate that is more than an order of magnitude lower than previously known upper bounds.


I. INTRODUCTION
Quantum key distribution (QKD) [1,2] is probably the most mature quantum technology today, with QKD networks being deployed worldwide [3][4][5][6]. These networks permit pairs of distant users (say Alice and Bob) to generate information-theoretic secure cryptographic keys, which can be used to achieve perfectly secure communications via the one-time-pad cryptosystem [7].
Until quantum repeaters [8][9][10][11] are experimentally available, QKD networks typically rely on a trusted-node architecture. This is so because channel loss poses strong limitations on the secret key rate that can be achieved with point-to-point QKD. Indeed, this key rate scales at best linearly with the system's transmittance η [12,13], which in fibre-based links decreases exponentially with the distance. Recent years have witnessed a tremendous effort to develop QKD protocols able to deliver such best possible key rate scaling with practical signals.
The most popular solution to achieve a key rate of order O(η) with laser sources is undoubtedly decoy-state QKD [14][15][16], where Alice randomly varies the intensity of the optical pulses she sends to Bob. This scheme has been recently used to distribute secret keys over a world record distance of 421 km with optical fibre [17]. Alternative approaches include QKD with strong reference pulses [18][19][20], and distributed-phase-reference (DPR) QKD. While it has been proven that the key rate of the former scales also linearly with η, for DPR-QKD this has been demonstrated only against restricted types of attacks [21].
The key advantage of DPR-QKD when compared to other solutions is its simple experimental implementation. There are two main protocols: differential-phaseshift (DPS) QKD [22][23][24], and coherent-one-way (COW) QKD [21,[25][26][27]. Long distance implementations of both schemes have been reported recently, over 200 km [24] and 300 km [21], respectively. Remarkably, there are even commercial systems based on COW-QKD [28]. However, despite this significant progress, the security of DPR-QKD has yet to be fully established. For instance, it has been shown that DPS-QKD can offer a key rate of order O(η 3/2 ) in the long distance regime given that the error rate is kept sufficiently small [29,30]. Also, it turns out that a key rate of order almost O(η) is possible when the receiver checks the coherence between randomly chosen incoming signals [31][32][33]. Surprisingly, however, for COW-QKD it has been recently proven that its key rate scales at most quadratically with η [34], which renders this scheme inappropriate for long distance QKD transmission. Indeed, this result matches the scaling of the lower security bound derived in [35].
This pessimistic result was derived by employing a special type of sequential attack [36][37][38][39], which is called a zero-error attack [34,40] because it does not introduce errors. In a sequential attack, the eavesdropper (Eve) first measures out all the signals sent by Alice one-by-one, and then she sends Bob signals which depend on all her measurement results. Importantly, when the measurement statistics observed by Alice and Bob are compatible with a sequential attack, they cannot distill a secret key. This is so because sequential attacks transform the quantum channel into an entanglement breaking channel and, thus, they do not allow Alice and Bob to establish quantum correlations between them [41].
Here, we present a zero-error attack against COW-QKD which is essentially optimal, in the sense that no other attack can restrict further its maximum achievable distance in the absence of errors. That is, the attack introduced below provides the highest possible value of the system's transmittance underneath which COW-QKD is insecure. For example, it can be shown that if Alice and Bob use state-of-the-art devices and the intensity of Alice's signals is similar to that employed in decoy-state QKD, the maximum achievable distance of COW-QKD is only about 22 km. Our findings translate into an upper bound on the secret key rate of COW-QKD that is more than an order of magnitude lower than previously known upper bounds [34,40,42,43].
The paper is structured as follows. In Sec. II we introduce COW-QKD. Then, in Sec. III we present our zeroerror attack against this scheme in detail. This attack uses an unambiguous state discrimination (USD) mea- FIG. 1. Schematics of COW-QKD. Alice sends Bob a random sequence of signals |ϕi , with i = 0, . . . , 2. Bob employs a beamsplitter with transmittance tB to passively distribute the incoming signals between the data and the monitoring lines. The detection events at the data line constitute the raw key, while the monitoring line is used to detect eavesdropping. This is done by means of a Mach-Zehnder interferometer that measures the coherence between adjacent pulses. In the figure, a grey (white) oval represents a coherent (vacuum) state |α (|0 ), IM is an intensity modulator, ∆t is the time delay between subsequent pulses, and D d , DM1 and DM2 are single-photon detectors.
surement [44][45][46], which we introduce in Sec. IV. Next, in Sec. V, we obtain the maximum value of the gain at Bob's side that is achievable with the zero-error attack. This quantity is directly related to the maximum value of the system's transmittance below which COW-QKD is insecure. In Sec. VI, we evaluate the implications of these results on the distance and secret key rate that can be achieved with COW-QKD, and we compare our results with other zero-error attacks. Finally, we discuss possible countermeasures against zero-error attacks in Sec. VII, and conclude the paper with a summary in Sec. VIII. The paper also includes two appendixes with additional calculations.
At the receiving side, Bob uses a beamsplitter of transmittance t B to passively distribute the incoming signals between the data and the monitoring lines. The data line allows him to distinguish the states |ϕ 0 and |ϕ 1 by measuring the time instance in which detector D d provides a detection "click" (see Fig. 1). Precisely, Bob assigns a bit value 0 (1) to a "click" in the first (second) time slot within a signal, while he assigns a random bit value to a double "click". These bits constitute his raw key.
Next, Bob announces over an authenticated classical channel which signals produced a "click" in D d , but he does not reveal the particular time slots in which the detection "clicks" actually occurred. Also, Alice declares if Bob's observed "clicks" correspond to bit states (i.e., to the states |ϕ 0 and |ϕ 1 ) or to decoy signals. The bits associated to the bit states constitute the sifted key. The monitoring line, on the other hand, is used by Bob to measure the coherence between adjacent coherent states |α to detect for eavesdropping. This is achieved with a Mach-Zehnder interferometer followed by two detectors, D M1 and D M2 . This interferometer is such that two adjacent states |α cannot produce a "click" in say detector D M2 .
Errors in the data line are characterized by means of the quantum bit error rate (QBER), while errors in the monitoring line are characterized with the visibilities with s ∈ S = {"d", "01", "0d", "d1", "dd"}. In Eq. (1), p click (D Mi |s) represents the conditional probability that detector D Mi "clicks" given that the two adjacent coherent states |α are situated within a sequence s sent by Alice. For example, a sequence s = "01" represents a bit 1 signal followed by a bit 0 signal (i.e., |ϕ 0 |ϕ 1 ), and the other sequences are defined similarly.

III. ZERO-ERROR ATTACK
The zero-error attack that we introduce below exploits two special properties of Alice's signals. First, they are linearly independent, and, second, they contain the vacuum state, which naturally breaks the coherence between adjacent pulses. Indeed, thanks to these two properties together, it is possible for Eve to perform a sequential attack, based on an USD measurement [44][45][46], which does not introduce any error in the data line nor in the monitoring line and still prevents Alice and Bob from distilling a secure key.
Various zero-error attacks against COW-QKD have been proposed recently in [34,40]. For instance, as already mentioned, the work in [34] uses a particular zeroerror attack to show that the secret key rate of COW-QKD scales at most quadratically with the overall system's transmittance η.
A crucial parameter in a zero-error attack is the maximum value of the gain at Bob's data line for which the attack is actually possible. We shall denote this parameter by G zero . Here, the gain is defined as the probability that Bob observes a detection "click" in his data line per signal state sent by Alice. Precisely, in a zero-error attack Eve first measures out each signal sent by Alice with a USD measurement, and then she essentially resends Bob those signals for which she obtained a successful measurement result. If the measurement outcome is inconclusive, Eve sends Bob vacuum states. This strategy naturally imposes a maximum value of the gain at Bob's data line that is achievable with a zero-error attack due to the inconclusive outcomes provided by Eve's measurement. Note that here we are considering the conservative untrusted device scenario. Therefore, a resent vacuum signal can never cause a detection "click" at Bob's side, as this scenario assumes that the detection efficiency and dark count rate of Bob's detectors can be controlled by Eve. We shall denote the maximum value of G zero among all possible zero-error attacks by G max zero . Next, we introduce a simple zero-error attack against COW-QKD for which G zero can be made arbitrarily close to the optimal value G max zero . As we will show in detail in Sec. VI B, this translates into an upper bound on the secret key rate of COW-QKD that is more than an order of magnitude lower than previous results [34,40].
The key idea of the attack is rather elementary; it goes as follows. First, Eve measures the signals sent by Alice one by one with an optimal USD measurement that maximizes her probability to obtain a conclusive result. This measurement is described in detail in Sec. IV. Let k denote the number of consecutive conclusive measurement results obtained by Eve with her measurement. If k = 0, i.e. when the signal measured by Eve results in an inconclusive output, Eve directly replaces this signal with a vacuum signal |ϕ vac = |0 |0 and sends |ϕ vac to Bob. Moreover, she restarts the counting of the number of consecutive conclusive measurement results again from the next signal on. We note that this latter step is common to all the other cases that we discuss below and we omit it in their description for simplicity.
If k = 1, i.e. when the first signal measured by Eve results in a conclusive output but the following signal results in an inconclusive output, then Eve replaces these two signals with two vacuum signals |ϕ vac , she sends these latter states to Bob.
If 2 ≤ k < M max , i.e. when Eve obtained k consecutive conclusive measurement results and the following signal is an inconclusive output, then she replaces this latter signal with a vacuum state |ϕ vac . Here, M max is a pre-fixed value that Eve can select arbitrarily large. Moreover, Eve looks for the longest sub-block, within the block of k correctly identified signals, which is surrounded by vacuum pulses. Then, she replaces the signals that do not belong to this sub-block with vacuum signals |ϕ vac . Also, she replaces the coherent states |α within the signals that belong to the successful sub-block, with coherent states |β satisfying β α. We note that by selecting β large enough, Eve can guarantee that each signal within the successful sub-block will produce a detection "click" at Bob's side with nearly unit probability. Alternatively, Eve could also replace the coherent states |α with signals that do not contain the vacuum state. However, here we prefer to use coherent states |β just for simplicity. If a block of k signals correctly identified by Eve does not contained a sub-block surrounded by vacuum pulses, then Eve replaces all the signals within the block with vacuum signals. That is, she sends Bob k + 1 vacuum signals |ϕ vac .
Finally, if k = M max , i.e. when Eve obtained M max consecutive conclusive measurement results, then she directly replaces the following signal (i.e., the signal that is located in the position M max + 1) with a vacuum signal |ϕ vac . Moreover, she post-processes the block of M max consecutive conclusive measurement results like in the previous case. That is, she looks for the longest subblock that is surrounded by vacuum pulses within the block, and all signals that do not belong to such subblock are replaced with vacuum signals |ϕ vac . Also, she replaces the coherent states |α within the successful subblock with coherent states |β , and sends the new block of M max + 1 signals to Bob.
It is clear that the attack above is indeed a zero-error attack. Note that the resulting QBER is zero because Eve never misidentifies a signal sent by Alice. Moreover, the attack also preserves the coherence between those original adjacent coherent states |α prepared by Alice and which are resent to Bob by Eve. This guarantees that Bob will obtain V s = 1 for ∀s ∈ S.
What is more, as already mentioned, the gain G zero achieved with the attack above can be made arbitrarily close to G max zero by simply selecting the parameter M max large enough. This is so because, in such regime, all signals which are correctly identified by the optimal USD measurement, and which do not reduce the visibility at Bob's side, actually produce a detection "click" in his data line. Here, it is important to note that, since Alice prepares her signals at random and independently of each other, measuring these signals individually (as it is done in the attack above) is not disadvantageous for Eve when compared to a possible USD strategy based on joint measurements. This is so because, due to the independence of the signals, to unambiguously discriminate a group of signals (from other group of signals) each individual signal has to be discriminated unambiguously. Moreover, in practice, even relatively small values of M max (e.g. M max = 10, which is the value considered in the simulations shown in Sec. VI) are sufficient to basically achieve G max zero . This is due to the fact that, when α is small (as is typically the case in experimental implementations of COW-QKD), the probability that Eve obtains more than M max consecutive conclusive measurement results is essentially negligible even for moderate values of M max .

IV. USD MEASUREMENT
In this section, we now describe Eve's optimal USD measurement, and provide an analytical expression for the maximum probability to obtain a conclusive result, which we shall denote by p c .
Precisely, Eve's measurement contains four measurement operators E j ≥ 0 satisfying Let p j|i = ϕ i | E j |ϕ i denote the conditional probability that Eve obtains the result j given that Alice sent the state |ϕ i . Since we are considering a USD measurement, we have that p j|i = 0 ∀i = j with i, j = 0, 1, 2. Moreover, since Alice's signals |ϕ 0 and |ϕ 1 are sent with the same a priori probability, it can be shown that the optimal USD measurement satisfies p 0|0 = p 1|1 ≡ q s s . These probabilities are illustrated in Table I. We find, therefore, that p c satisfies while the probability to obtain an inconclusive result is simply given by p inc = 1 − p c . In Eq.
(2), we use the values for the probabilities p |ϕi that are given in Sec. II, and we use the notation introduced in Table I for the probabilities p i|i . Now, to obtain the maximum possible value of p c , we follow the techniques introduced in [47]. The result is given by the following Claim.
Proof. The proof of the Claim is provided in Appendix A.
We note that in most experiments [21,27], we have typically that f ≤ 0.15 and |α| 2 ≤ 0.5. This means that the first condition in the Claim is usually satisfied.

V. GAIN Gzero
In this section we calculate G zero for the zero-error attack introduced in Sec. III. As already explained in that section, this parameter represents the maximum value of the gain at Bob's data line that is achievable with Eve's zero-error attack. That is, whenever the observed gain of an experimental implementation of COW-QKD is below G zero , the protocol is insecure [41].
Our starting point is the definition of the gain at Bob's data line, which can be expressed as G = N clicks /N . Here, N clicks is the total number of clicks observed by Bob in his data line, and N is the total number of signals sent by Alice. In the asymptotic limit where N tends to infinity, N clicks can be written as N clicks = (N/N av )N av clicks , where N av denotes the average length of the blocks of signals that Eve sends to Bob, and N av clicks represents the average number of "clicks" observed by Bob in his data line due to these blocks of signals [34,39]. With this notation, one can rewrite the gain as Next, we calculate the parameters N av and N av clicks . Let us start with N av . The a priori probability that Eve sends Bob a block containing k + 1 signals, with k = 2, . . . , M max , in which the first k signals provided Eve with a conclusive measurement result and the last one is a vacuum signal |ϕ vac , is given by with the probability p c having the form of Eq. (2). Similarly, the probability that Eve sends Bob a block with k + 1 vacuum signals |ϕ vac , with k = 0, 1, is given by We find, therefore, that N av can be written as By substituting Eqs. (4)-(5) into Eq. (6) we obtain that Next, we calculate N av clicks . For this, we need to consider only those blocks of signals that Eve sends to Bob containing at least one non-vacuum signal (i.e., a signal |ϕ i with i = 0, 1, 2). This is so because, as already mentioned before, in the untrusted device scenario the vacuum signals |ϕ vac cannot produce a "click" at Bob's side. This means, in particular, that N av clicks can be written as where p s (k) is given by Eq. (4), and p click (k) denotes the average number of "clicks" observed by Bob in his data line when Eve sends him a block containing k + 1 signals, with k = 2, . . . , M max . To calculate this latter quantity, we need to take into account the post-processing step that Eve applies to the blocks of signals before she sends them to Bob. This is what we do in the last part of this section. But before we calculate p click (k), we note that G zero corresponds to the maximum value of G, which happens when we select the maximum probability p c given by Eq. (2). This corresponds to using the parameters q s s and q d s given by the Claim in Sec. IV. From Eqs. (3)-(4)-(7)-(8), we obtain, therefore, that As already mentioned earlier, G zero increases when we increase M max and converges very quickly to G max zero . Indeed, above a certain relatively small value of M max , the improvement is already essentially negligible.

A. Probabilities p click (k)
To calculate p click (k), we shall consider three cases, depending on the measurement result associated to the signal located in the first position of the block. This is illustrated in Fig. 2.
In the calculations below, we will use the conditional probabilities, p(j|c) with j = 0, 1, 2, that Eve obtains a result |ϕ j given that her USD measurement is conclusive. From Table I, together with the a priori probabilities p |ϕj that Alice generates the signals |ϕ i , it is straightforward to show that the probabilities p(j|c) satisfy Obviously, they fulfill 2 j=0 p(j|c) = 1. Depending on the measurement result that Eve obtains for the first signal in a block, we can write p click (k) as follows where the conditional quantities p click (k|j), with j = 0, 1, 2, denote the average number of "clicks" observed by Bob when Eve sends him a block with k + 1 signals in which she observed the signal |ϕ j in the first position of the block. Also, in the second equality within Eq. (11) we use the properties of the conditional probabilities p(j|c).
As already mentioned earlier, to calculate p click (k|j), which we do next, we shall consider, for simplicity, that the intensity |β| 2 of the coherent pulses resent by Eve is sufficiently large such that Bob obtains a detection "click" with basically unit probability. This is implicitly assumed in the calculations that follow.

Average number of "clicks" p click (k|1)
In this case, since the first optical pulse of a signal |ϕ 1 is a vacuum pulse, the longest sub-block situated between vacuum pulses (if there is any) must include this signal |ϕ 1 . This is depicted in Fig. 3. This figure includes as well the number of "clicks" that Bob obtains in his data line for each of the three sub-cases considered in that figure, which depend on the signal found in the k-th position of the block.
Precisely, if the k-th signal is |ϕ 0 , which happens with probability p(0|c), then Eve resends Bob all the k conclusive signals in the block because it starts and ends with vacuum pulses. This means that Bob will obtain 3. Illustration of the three sub-cases that we consider to evaluate p click (k|1). With probability p(0|c) the signal in the k-th position of the block is |ϕ0 . In this scenario, Eve resends Bob all the k conclusive signals, as the block starts and ends with vacuum pulses. The number of "clicks" at Bob's data line is then k, because we assume that the intensity of Eve's signals is large enough such that they produce a detection "click" with basically unit probability and, moreover, double "clicks" within a signal are randomly assigned to single "clicks" by Bob. The other two sub-cases in which the signal in the k-th position of the block is |ϕ1 or |ϕ2 are described in detail in the text. In the figure, large ovals represent signals, while small ovals represent optical pulses within a signal. Moreover, the dashed rectangles indicate the signals |ϕj , with j = 0, 1, 2, that Eve resends to Bob. k detection "clicks", as double "clicks" are randomly assigned by him to single "clicks". On the other hand, if the k-th signal is |ϕ 1 , which happens with probability p(1|c), then Eve resends Bob the first k − 1 conclusive signals in the block because such sub-block has vacuum pulses on its edges. At the same time, she replaces the k-th signal with |ϕ vac . This means that Bob will obtain k − 1 detection "clicks". Finally, if the k-th signal is |ϕ 2 , which happens with probability p(2|c), she replaces that signal with |ϕ vac because, obviously, the longest sub-block situated between vacuum pulses cannot contain such signal. Moreover, in this last scenario Bob will obtain p click (k − 1|1) detection "clicks', as Eve now has a block with |ϕ 1 in its first position, followed by (k − 2)-th signals |ϕ j , with j = 0, 1, 2. Note that when k = 2 we have that p click (k − 1|1) = p click (1|1) = 0 because it is not possible to find a sub-block with at least one signal situated between vacuum pulses.
Putting all together, we obtain the following recursive relation for the expected number of "clicks" p click (k|1) at Bob's side where in the second equality we use the properties of the conditional probabilities p(j|c). After some algebra, and taking into account that p click (1|1) = 0, from Eq. (12) we obtain where p(1|c) is given by Eq. (10).

Average number of "clicks" p click (k|0)
This case is very similar to the previous one, and we omit the details here for simplicity. The different subcases are illustrated in Fig. 3. We find the following recursive relation for the expected number of "clicks" p click (k|0) at Bob's side After some algebra, and taking into account that here p click (1|0) = 0, from Eq. (14) we obtain where p(1|c) is again given by Eq. (10).

Average number of "clicks" p click (k|2)
When the signal located in the first position of a block is |ϕ 2 , Eve always replaces this signal with a vacuum signal |ϕ vac , as |ϕ 2 does not contain a vacuum pulse. Thus, the remaining sub-block has now k − 1 conclusive results, each of which can be a signal |ϕ j with j = 0, 1, 2. This means, therefore, that the average number of "clicks" p click (k|2) coincides with that of a general block with k − 1 consecutive conclusive measurement results. That is, we find that p click (k|2) = p click (k − 1). (16) We have now all the quantities required to evaluate p click (k). Precisely, by combining Eqs. (13)-(15)- (16) with Eq. (11), we obtain the following recursive relation for p click (k), To solve this equation for any k > 2, we need to calculate the starting point of the recursion, that is, p click (2). The quantity p click (2) consists of nine different cases, since each of the two conclusive results can correspond to a state |ϕ j with j = 0, 1, 2. This is depicted in Fig. 5. Whenever one out of the two signals in the block is |ϕ 2 , Eve replaces all signals with vacuum signals |ϕ vac , as she cannot find a sub-block that has vacuum pulses on its borders. In this case, Bob will not observe any detection "click". For the same reason, if the first result of the block is |ϕ 0 and the second one is |ϕ 1 , Eve also replaces these two signals with vacuum signals |ϕ vac . In all the other cases, Eve resends Bob one non-vacuum signal (and, thus, he obtains one detection "click") except Illustration of the nine different cases corresponding to a block with k = 2 consecutive conclusive measurement results, together with the number of "clicks" that Bob will obtain in his data line. For example, in the first case, with probability p(1|c)p(0|c) the signals in the block are |ϕ1 |ϕ0 . This means that Eve cannot extract a sub-block surrounded by vacuum pulses. Therefore, she replaces these signals with two vacuum signals |ϕvac , and the number of "clicks" at Bob's data line is then zero. The other cases are analogous. In the figure, the ovals represent the two optical pulses within a signal.
when the first signal is |ϕ 1 and the second one is |ϕ 0 , in which case she resends him these two signals (and, thus, Bob obtains two detection "clicks"). We find, therefore, that where we have used the fact that p(0|c) = p(1|c). By combining Eq. (17) with Eq. (18), we finally obtain that p click (k) satisfies for any k ≥ 2.

VI. PERFORMANCE EVALUATION
In this section, we evaluate the limitations that the zero-error attack presented in Sec. III imposes on both the maximum distance and secret key rate which might be achievable with COW-QKD. Moreover, we compare our results with other previously introduced zero-error attacks against this scheme.  [21] that use the highest and the lowest intensity value µ = |α| 2 for Alice's signals. The attenuation included in the table only considers the channel loss; the distance corresponds to the fibre length; and p d and ηD are, respectively, the dark count rate and the detection efficiency of Bob's detector in the data line. Moreover, in both experiments f = 0.155, and the transmittance of Bob's beamsplitter is tB = 0.9. log 10 (Gzero) Lzero(km) Zero-error attack in [34]  . Lzero is the distance corresponding to Gzero given the experimental parameters in Table II. That is, no positive secret key rate is posible beyond Lzero.

A. Upper bound on the transmission distance
Here, we first compare the value of the gain G zero of the zero-error attack introduced in Sec. III with that associated to the zero-error attack in [34], which has been shown to provide much tighter upper security bounds for COW-QKD than previous analyses [40,42,43].
For this, we consider, for instance, the most recent implementations of COW-QKD reported in [21]. The experimental parameters are provided in Table II. They correspond to those experiments in [21] which use the highest and the lowest intensity value µ = |α| 2 for Alice's signals.
The result of the comparison is shown in Table III. This table demonstrates that the gain G zero associated to the zero-error attack in this work can be more than an order of magnitude higher than that in [34]. This implies a significant reduction of the maximum achievable distance, which we shall call L zero , that is possible with COW-QKD in the absence of errors. To obtain L zero from G zero we use a typical channel model that is described in Appendix B, and matches the specific experimental parameters given in the tables. For example, as illustrated in Table III, if we consider the experimental implementation over 104 km (203 km) which was claimed to be secure in [21], it turns out that Eve could perform a zero-error attack already at a distance L zero = 47 km (L zero = 38 km) according to this work. We note that the zero-error limit achieved with the attack in [34] was L zero = 120 km (L zero = 105 km). This is a remarkable improvement.
practical applications. To conclude this section, we now consider the maximum achievable distance that would be possible with COW-QKD by utilizing state-of-the-art devices but assuming the use of standard optical fibres with an attenuation coefficient of 0.2 dB/km in the third telecom window. Also, for concreteness, we consider that the intensity of Alice signals is around 0.5, which is similar to the value used for key generation in decoy-state QKD [14][15][16]. The list of experimental parameters is provided in Table IV. In this case, it turns out that L zero is only about 22.60 km.

B. Upper bound on the secret key rate
In this section, we evaluate the simple upper bound on the secret key rate K of COW-QKD obtained in [34] by using the zero-error attack introduced above. The upper bound reads where η = η ch η D is the overall system's transmittance, with η ch being the transmittance of the channel, and µ max (f ) is the maximum allowed intensity for Alice's signals such that Eve's zero-error attack against all signals sent by Alice is not possible. That is, for each value G of the gain at Bob's data line, µ max (f ) is the maximum intensity of Alice's signals that guarantees G zero < G. Note that by increasing the signals' intensity, the success probability p c of Eve's USD measurement increases as well, and, thus, also G zero increases. We denote the maximum intensity by µ max (f ) because it typically depends on f . Actually, Eq. (20) is just a simple upper bound on the probability that Alice sends Bob a signal that encodes a bit value (i.e., |ϕ 0 or |ϕ 1 ) and Bob observes a "click" in his data line, which, obviously, is also an upper bound on the secret key rate. For the numerical simulations, we use the channel model described in Appendix B. Moreover, we consider the best possible scenario for Alice and Bob for key generation, that is, we set the dark count probability of Bob's detectors to zero and assume that t B ≈ 1, which means that almost all the incoming signals go into Bob's data line. If the intensity of Alice's signals is µ max (f ), then the expected gain G at Bob's data line has the form Then, for given η and f , we determine numerically the maximum value of µ max (f ) such that G zero < G. The  [21]. For comparison, this figure includes as well the results in [34] (the stars correspond to the actual data points evaluated in that work and the line is an interpolation), together with the curves for linear and quadratic scaling in η.
result is shown in Fig. 6, which illustrates µ max (f ) as a function of η when f = 0.155 [21]. For comparison, this figure also includes the results obtained in [34]. We can see that µ max (f ) is very limited and decreases quite fast when η decreases. Moreover, the maximum µ max (f ) imposed by the zero-error attack presented in Sec. III is more than an order of magnitude lower than that in [34]. Given f and µ max (f ), we can evaluate the upper bound R upp given by Eq. (20) as a function of η. This is illustrated in Fig. 7. The same improvement observed in µ max (f ) when comparing the zero-error attack above and that in [34] is obviously also present in R upp . Indeed, this quantity now almost overlaps the curve log 10 (η 2 ). Moreover, we note that by setting f smaller than 0.155, R upp moves slightly closer to the log 10 (η 2 ) line, so decreasing f would be basically unnoticeable in Fig. 7.

VII. DISCUSSION
COW-QKD monitors eavesdropping through the error rates observed in the data line and in the monitoring line of Bob's receiver. However, according to zero-errors attacks, this is not sufficient to achieve a good performance. To improve the robustness of COW-QKD against this type of attacks and, thus, increase its achievable key rate and distance, Alice and Bob need to monitor more observables and include this additional information in the security proof.
One possibility would be to modify Bob's receiver such that it can also measure the coherence between nonadjacent pulses, like it has been proposed in [31] for the case of DPS-QKD. Indeed, by doing so Alice and Bob could now avoid that Eve replaces Alice's original signals with vacuum signals |ϕ vac without introducing errors, which is a key feature exploited by zero-error attacks. The main drawback of this approach is, however, that it requires a much more cumbersome receiver, thus the principal advantage of COW-QKD regarding its simple experimental setup would probably vanish.
A second option would be to measure the detection rates of Alice's signals at Bob's side. This has been also suggested in [34,40]. For example, in the zero-error attack introduced in this work, Eve does not resend decoy signals to Bob. This is so because for the typical experimental parameter regime considered in COW-QKD (i.e., when f ≤ 0.15 and |α| 2 ≤ 0.5), Eve's optimal USD measurement corresponds to the first case presented in the Claim in Sec. IV, where q d s = 0. In this sense, the attack in Sec. III represents an extreme case where the detection statistics of the decoy signals are not preserved at all.
Of course, if necessary, one could slightly modify the attack and impose that q d s > 0 to guarantee that Eve resends some decoy signals to Bob. Given that q d s is sufficiently small, it can be shown that the results obtained in such scenario would basically match those presented in this paper. The situation changes, however, if one requires that the detection rates associated to the different signals sent by Alice are similar to the expected values in the absence of Eve (see also [40,43]). Indeed, this would have a big impact on the zero-error attack introduced above. First, the probability that Eve obtains a conclusive measurement result with her USD measurement would now decrease with respect to the optimal solution provided by the Claim. Also, Eve would have to change the post-processing of her measurement results to decide which signals she actually resends to Bob. Note that the current post-processing favours the transmission of bit signals with respect to decoy signals. This is so because bit signals contain a vacuum optical pulse, and thus it is easier for Eve to find sub-blocks of signals surrounded by vacuum pulses if they include bit signals. As a result, one expects that the gain G zero at which a zero-error attack is actually possible would decrease significantly.
A main difficulty of this second approach is, however, how to incorporate the detection rate information in a security proof for COW-QKD. For example, Eve might attack a small fraction of the signals sent by Alice, and thus detecting deviations between the actual detections rates and the expected ones might be challenging in practice. Moreover, we note that this problem could be amplified because of statistical fluctuations. Indeed, since in any practical implementation Alice sends a finite number of signals to Bob, the observed detection rates will naturally deviate from the expected ones even in the absence of Eve, and Eve could try to hide her attack in such deviations.

VIII. CONCLUSION
In this paper, we have proposed a simple, and essentially optimal, zero-error attack against coherent-oneway (COW) quantum key distribution (QKD). In this attack, Eve measures out all the signals sent by Alice one by one by employing an optimal unambiguous state discrimination measurement. Afterwards, she sends Bob all those blocks of signals which do not introduce any error in his data line nor in his monitoring line. Importantly, zero-error attacks are a special type of interceptand-resend attack and, thus, they do not allow the distribution of a secure key.
In doing so, we have obtained upper security bounds on the secret key rate of COW-QKD that are more than an order of magnitude lower than previously known upper bounds. Our attack highlights the fact that only monitoring errors in Bob's data and monitoring lines is not sufficient to achieve a good performance with this protocol.
Since α 1 = α 2 and p |ϕ0 = p |ϕ1 , we have also here that p 0|0 = p 1|1 . By inserting in Eq. (A9) the values of the coefficients α i given by Eq. (A2) and those of the probabilities p |ϕj , we obtain q s s = 1 + e −|α| 2 − e −|α| 2 /2 2f 1 − f , We note, however, that for this solution to be valid, we need that q s s and q d s are non-negative. Since Eq. (A7) is not satisfied, i.e, √ γ > e −|α| 2 /2 , it follows that q d s > 0. Likewise, it is easy to show that q s s ≥ 0 is equivalent to the following condition That is, we find that Eq. (A10) provides the optimal values for q s s and q d s if Eq. (A7) is not satisfied and Eq. (A11) holds.
Finally, let us consider the case where Eqs. (A7) and (A11) do not hold. This scenario can be solved by using a two step procedure [47]. First, one sets, for example, p 0|0 = 0 and reduces the problem to a two-state USD problem. And, second, one infers the solution to the original three-state USD problem based on the solution to such two-state USD problem.
In this reduced problem, we define p 1|1 and p 2|2 as the probabilities that Eve correctly identifies the states |ϕ 1 and |ϕ 2 , respectively. This means that our goal is to maximize the probability p 1|1 p |ϕ 1 + p 2|2 p |ϕ 2 to obtain a conclusive result. Since Eq. (A11) is not satisfied, it can be shown that the following condition holds In this situation, the optimal probabilities for successfully identifying the states |ϕ 1 and |ϕ 2 are given by [47] p 1|1 = 0, This means, in particular, that the optimal probabilities for the original three-state USD problem can be obtained as follows [47] p 1|1 = p 1|1 ϕ 1 |Q|ϕ 1 = 0, where Q = 1 1 − |ϕ 1 ϕ 1 |. Since ϕ 2 |Q|ϕ 2 = 1 − e −|α| 2 , we find that the optimal solution to the original problem is q s s = 0, which again satisfies p 0|0 = p 1|1 . The uniqueness of the solution above is also proven in [47]. This concludes the proof of the Claim in Sec. IV.