Reference frame independent twin field quantum key distribution with source flaws

The trade-off between distance and secret key generation rate remains one of the major challenges in the practical implementation of quantum key distribution (QKD). As a solution, a twin field QKD protocol was proposed by Lucamarini et al (2018) to address this challenge. In this protocol, the achievable secret key rate scales with the square root of channel transmittance and can surpass the secret key capacity for repeaterless QKD. However, the protocol exploits phase to encode information which presents the problem of active stabilization of interferometers. We propose a reference frame independent twin field quantum key distribution (RFITF QKD), which does not require the reference frames’ alignment. Thus, this reduces the complexity of practical QKD systems in achieving active stabilization of phase. Moreover, we employ the loss-tolerant method proposed by Tamaki et al (2014) which allows us to prove the security of the protocol by considering imperfections in the state preparation. Our simulation results show that our proposed protocol can extract a secure key over a transmission distance of l = 505 km, l = 516 km and l = 530 km for deviation of 8.42°, 7.28° and 5.15°, respectively from the desired phase encoding angle. These results demonstrate that despite the state preparation flaws, the key rates achieved are still comparable to the perfect encoding scenario. When our proposed protocol is implemented with an imperfect source, it achieves a transmission distance beyond the secret key capacity bound for repeaterless QKD.


Introduction
Quantum key distribution (QKD) allows two trusted parties, Alice and Bob, to securely share an informationtheoretic secure key guaranteed by quantum physics laws in the presence of an adversary [1]. Since the primitive BB84 QKD protocol [2] great strides have been made both in theory [3][4][5][6][7][8][9][10] and experiments [11][12][13][14][15] to develop quantum technologies for real-life applications. Moreover, some countries have ventured into widening the reach of QKD by developing global quantum networks [16,17]. Despite these advances, several theoretical and experimental challenges remain unresolved [18]. For instance, in practice, QKD protocols rely on trusted devices scenario, an assumption that enables them to attain effective rates, but this also opens the possibility of dangerous side-channel attacks [19]. Other challenges include obtaining reasonable key rates over large distances, high costs associated with deploying QKD technologies, and combining QKD with informationtheoretic cryptographic protocols or algorithms, for instance, AES encryption [18,20,21]. Thus, these challenges make QKD technologies not a viable immediate alternative to conventional cryptography.
To address the problem of detector side-channel attacks, device-independent (DI) QKD protocol was proposed, and its security is based on the violation of Bell inequalities [22]. Unfortunately, the DI-QKD requires loophole-free Bell experiments, which makes it not feasible with current technology. A more practical solution is measurement device-independent (MDI) QKD, which is inherently immune to all side-channel attacks targeting the measurement device and removes all detection-related security loopholes [23]. In the MDI-QKD, two parties Alice and Bob, are linked by an untrusted relay, resulting in a significant increase in the transmission distance compared with the conventional QKD schemes. Despite MDI-QKD overcoming the distance limit and device imperfections, the secret key rates achieved with the protocol are relatively low. Precisely, most QKD schemes produce secret key rates which scale linearly with channel transmittance and are unable to surpass the secret-key capacity (SKC) bound of an optical quantum channel with losses [24]. Recently, a novel QKD that relies on phase randomized twin fields of optical pulses to encode information was developed and can surpass the secret key capacity bound for repeaterless QKD schemes [25]. Similar to MDI-QKD, the possibility of side-channel attacks are removed in this protocol as an untrusted relay connects the communicating parties. The protocol is based on the single-photon interference of optical fields generated with almost identical electromagnetic phases. This single-photon interference at the untrusted relay leads to an improved secret key rate which scales with the square root of channel transmittance. Since the original TF-QKD scheme lacked rigorous security proof, variant TF protocols aimed at proving TF-QKD security have been proposed [26][27][28]. Moreover, the experimental demonstrations of TF-QKD have already been successfully implemented [29][30][31].
In most QKD systems mentioned above, a shared reference frame is required between Alice and Bob. For instance, there is a need to align polarization states in polarization encoding or active stabilization of interferometers in phase encoding protocols. Although it is feasible to share a reference frame between Alice and Bob, it comes at a cost as additional systems required for phase calibration may lead to more information leakage and thus reduce practical systems' performance [32,33]. Fortunately, a reference-frame-independent (RFI) QKD protocol was proposed to address these challenges [34]. Since its inception, outstanding results have been achieved theoretically [35][36][37][38][39][40] and experimentally [41][42][43], thus demonstrating its capability to achieve a higher secure key rate under a varying reference frame.
Ideally, the encoding of light pulses is carried out perfectly without any state preparation flaw (SPF). However, this assumption falls short experimentally due to inherent deficiencies of phase modulators. The problem with SPFs can be addressed by using the Gottesman-Lo-Lutkenhaus-Preskill (GLLP) security analysis [44], but the main drawback is that the approach leads to a low achievable secret key rate and is not robust against channel loss. Tamaki et al (2014) recently proposed a loss-tolerant protocol which is robust against channel losses due to SPFs and capable of attaining key rates comparable to a protocol that assumes perfect encoding [45]. The protocol is resource-efficient as it employs only three states out of the possible four states for BB84 protocol and considers modulation errors due to an imperfect phase modulator. It is conjectured that the protocol can be generalized to the six-state protocol where only four states are required instead of the usual six states.
Therefore, in this work, we investigate the practicality of TF-QKD by employing the loss tolerant protocol to derive the security bounds under the imperfect state preparation. We also study the protocol under reference frame independence condition, eliminating the need for active stabilization of phase. The protocol is implemented with three mutually unbiased bases (X; Y; Z) which are used to encode information. The X and Y bases are used to monitor the eavesdropper's (Eve) knowledge on the key and are allowed to vary slowly in the quantum channel. The Z basis states are naturally well-aligned, and this basis is generally used to generate the final key. Furthermore, we demonstrate that the TF-QKD can be implemented without the alignment of a reference frame and imperfect state preparation but still achieve secret key rates and transmission distances comparable to the original TF-QKD. This paper is arranged according to the following. In section 1, we provide an introduction where we make a brief review of QKD security developments and the motivation of our work. In section 2, we describe the operation of the proposed RFI-TF QKD protocol. This is followed by section 3, where we show details of the security proof for the loss tolerant RFI-TF QKD protocol. In section 4, we discuss our simulation results, and finally, in section 5 we provide concluding remarks about our work. We provide the security proof of our protocol in appendix C, and some technical details relevant to the key rate calculation are presented in the appendixes.

Operation of RFI-TF QKD protocol
We propose a loss tolerant based RFI-TF QKD protocol that uses four signal states from three mutually unbiased bases defined by the Pauli operators, X, Y and Z. This protocol is conjectured to achieve error rates that are similar to the QKD protocol that employs all six states from three bases {Z, X, Y} [45]. The four states are denoted as f ñ = ñ 0 1 | represent vacuum and one photon states, respectively. We begin by describing the protocol implemented with the idealized photon source and then discussing the practical protocol that employs the weak coherent laser source.
Protocol 1 The entanglement-based description of the protocol is as follows: 1. Alice (Bob) starts by preparing the entangled state represents the qubits that remain in Alice and Bob's possession.
2. Alice (Bob) sends signal states a (b) through the insecure quantum channel to the untrusted third party, Charlie.
3. Upon receipt of the pulses, Charlie executes the single-photon Bell state measurement with a symmetric beamsplitter followed by threshold detection in two detectors.
4. Charlie announces the successful events of single-photon Bell state measurement. The two detectors labeled L and R in figure 1 are associated with destructive and constructive interference, respectively. A coincidence detection with a click in L and no click in R indicates a projection into Bell state F ñ = ñ ñ + | | ) while a click in R and no click in L corresponds to projection onto Bell

5.
Following the results' announcement, Alice and Bob measure their qubits in the Z basis with probability p z and choose the complementary bases with probability 1 − p z . Moreover, they post select on the events of the compatible basis to obtain a raw key.
6. Lastly, to ensure that their bit strings match, Bob always flip his qubit for all successful Bell state measurement results in the Z basis and only flip his bit for Bell state measurement result F ñ = ñ ñ -ñ ñ in the complementary bases. In the RFI protocol, the key is obtained from the Z basis where the reference frames linking Alice (Bob) and Charlie are assumed to be well aligned, while in the other measurement bases (X, Y) the frames are allowed to slowly vary by an arbitrary angle β. The allowed deviations in the bases are given by The above protocol can be converted to an equivalent prepare and measure protocol where Alice and Bob measure their qubits A(B) before sending the signal states a(b) to Charlie. In principle, this implies that Alice and Bob directly prepare the signal states a(b), i.e., their qubits measurements herald the formation of signal states. This measurement operation does not change operations results in other steps; thus, the protocol can be alternatively described as follows.
| . Due to imperfections in the phase modulation, the actual states that Alice (Bob) prepares can be described by where r(s) denotes reference (signal) states, μ corresponds to the intensity of pulses and δ represents the deviation from desired encoding angle θ in the actual states. . Therefore, the single-photon part of the coherent states in equation (6) prepared by Alice and Bob can be expressed as where 0 and 1 represent the photon number. From above representation we define ñ ñ = ñ 1 0 0 . Therefore, equation (7) can be equivalently rewritten as Similar expression as above can be obtained for the eigenstates ñ 0 Y | , ñ 1 Y | . If the overall phase factor in equation (8) is ignored, we obtain the following expressions for the four states , (here C denotes the system sent to Charlie) and measure their subsystems in the X basis when Charlie announces the measurement result F ñ + | . The error rate is expressed as ,vir X X denotes the joint probability that Alice and Bob measured ñ j X | and ñ k X | , respectively and Charlie declares the result F ñ + | . In this hypothetical protocol, the state of pulses received by Charlie can be expressed as with s, t ä {1, X, Y, Z}. The parameters n s and n t denote the coefficients of Pauli matrices. Note that the transmission rate of operators can also be determined from the yield of signal states used in the actual protocol.
To evaluate the yield of these states we employ the entanglement description where Alice (Bob) prepares state in the Z basis and likewise the preparation of optical pulses in the complementary bases can be described as a process where Alice (Bob) generates . By using the same method previously described for the yield of virtual states, we obtain the expression for the yield of actual states as , , , with p( j α ) and p(k β ) denoting probabilities for Alice and Bob to measure their subsystems as state jα and kβ, respectively. The states ρ jα and ρ kβ correspond to the four states defined in equations (8) to (12). We demonstrate in appendix A that explicit computation of (17) can lead to the realization of the transmission rate of identity and Pauli operators F + q s t , | . Furthermore, in appendix B we determine the transmission rate of operators from the yield of actual states as defined in equation (19). By combining the results of equations (A.13) and (B.21) we can deduce the yield of virtual states and subsequently obtain the error rate E XX using equation (13).
Indeed, with this formalism of estimating error rate E XX , we have shown that it is possible to obtain the yield of states which have not been sent during the actual protocol such as ,vir X X . The same argument can be used to obtain the yield of states such as F + Y Z

vir
Y Y which are used to obtain error rates E XY , E YX and E YY , respectively. Remarkably, the error rates obtained are exactly the same as the ones achieved for protocol employing two orthonormal states from the X and Y bases. Therefore, additional states, f ñ that are used in the six state protocol seems to be redundant.

Estimation of key generation rate
In our protocol, note that Alice and Bob never reveal their random phase for coherent states prepared in the key (Z) basis. Therefore, the phase randomized coherent states m ñ c e i | prepared by Alice and Bob can be described as which is a classical mixture of photon number states. This means that the photon number channel model [46] holds and tagging method [44] proposed by Gottesman et al (2004) can be employed in our protocol. Therefore, the key generation rate for RFI TF-QKD is given by where q is the sifting factor and in an asymmetric encoding q ∼ 1 for an infinitely large number of signals. The terms m Q Z and m E Z correspond to the gain and quantum bit error rate (QBER) in the Z basis. According to the decoy-state theory, the overall gain is given by [47] The gain for single photon components in the Z basis is expressed as The parameter I E is estimated from the lower bound of C and upper bound on the error rate, E ZZ U 1, from singlephoton contributions as shown in equation (2). The parameter E ZZ U 1, is estimated from the yield of single photons as follows The values Q ν;jαkβ , Q μ;jαkβ are gains obtained on conditional probabilities that Alice and Bob measure the states jα, kβ while Q 0 is the background gain. Finally, the parameter C is computed from the error rates in complementary bases as follows = - These error rates are computed using yields obtained from the virtual protocol, which are evaluated as shown in the previous section.

Simulation of the key rate
We demonstrate the performance of the proposed protocol based on fibre implementation. The simulation formulas for parameters m Q Z and m E Z are given in Appendix D. We set intensity parameters for Alice and Bob at u a,b = 0.6 and v a,b = 0.053. We also assume Charlie uses detectors with efficiency h = 14.5% det and the dark count rate is assumed to be p d = 5 × 10 −7 which is in line with the current technologies [48][49][50]. The channel loss coefficient is α = 0.2dBkm −1 and its transmittance is h = -a 10 ch L 0.1 2 , with L denoting the fibre length. We consider error correction efficiency, f EC = 1.16.
Our simulation results are depicted in figures 2 and 3. In figure 2 the plots were obtained with δ = 0.090, δ = 0.127 and δ = 0.147, which correspond to deviation of 5.15°, 7.28°and 8.42°from the desired phase angle, respectively. For comparison we plotted the curve for δ = 0 which corresponds to perfect encoding scenario. The  characterization of parameter δ is based on its relation to the extinction ratio according to the definition; [51]. The non-zero extinction ratio is mainly due to imperfections in phase modulators and is of order 10 −3 in typical experiments. For this value of extinction ratio, we obtain δ ≈ 0.063, but in our simulation, we chose pessimistic values for estimation of encoding imperfection to demonstrate the capability of beating repeaterless bound with currently available devices. The results demonstrate that despite an increase in encoding flaws, the key rates achieved are still comparable to the perfect encoding scenario. It is also evident that our protocol implemented with an imperfect source still achieves transmission distances that are beyond the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound for repeaterless QKD [24]. We obtain the maximum transmission distance of 505 km, 516 km and 530 km for preparation flaws δ = 0.147, δ = 0.127 and δ = 0.090, respectively. For the purpose of comparison, the curves for original TF QKD [25], Phase matching (PM) QKD [52] and RFI-TF QKD are plotted in figure 3. The results show that the original TF QKD attains maximum transmission distance of 592 km and RFI-TF QKD can reach a maximum secure distance of 516 km. At a distance of 0 km, the key rate for original TF QKD and RFI-TF QKD are 9.10 × 10 −2 and 4.90 × 10 −2 , respectively. The gap between the two curves is so small and almost remains constant when the distance increases. This demonstrates that the performance of RFI-TF QKD is still comparable to the original TF-QKD. It is also evident that PM QKD outperforms our proposed protocol in terms of maximum transmission distance realized. However, at shorter distances, our protocol achieves slightly better key rates compared to the PM QKD. Moreover, the merit of the RFI-TF QKD protocol is that it eliminates the need for alignment of reference frames and active phase stabilization.
Furthermore, we compare our results with some TF QKD schemes available in the literature. More recently, Tamaki et al (2018) proposed a modified version of the original TF QKD, which employs testing mode for monitoring an eavesdropper and the coding mode for key generation [53]. The phase error rate is estimated in their protocol by considering the bias between two bases (coding and testing modes). On the contrary, our protocol exploits the mismatched basis data to determine error rates in complementary bases (X, Y) in order to estimate Eve's information. Also, our protocol employs the GLLP tagging key rate method [44] since Alice and Bob never reveal the phase information in the key basis, and hence their coherent states are regarded as a mixture of photon number states in the Fock space. In contrast, the GLLP tagging model does not hold in protocol by Tamaki et al (2018) since Alice and Bob announces the phase information in the coding mode. Remarkably, our simulation results agree very well with their results. The observed superiority in their results compared to ours may be attributed to a different choice of experimental parameters and the fact that we consider the source flaws in our analysis.
Moreover, we compare our protocol's performance with a TF variant scheme proposed by Lin et al (2018) [54]. The first noticeable difference between this work and ours is in key generation mode. In their protocol, Lin et al (2018) consider phase matching coherent states for key generation purposes, while in our protocol, we exploit vacuum and phase randomized coherent states to extract secure keys. As already stated, our approach enables us to use the traditional BB84 tagging key generation formula since the phase randomized coherent states are regarded as a mixture of photon number states. However, the method is not applicable for scheme in [54]. Moreover, the scheme in [54] employs non phase randomized coherent test states to perform a variation of tomography on the quantum channel to deduce the information leaked to Eve. In our approach, we use the yields of rejected data to estimate the error rates in the X and Y bases which are used to deduce Eve's information. In terms of maximum attainable distances, we observe that our protocol outperforms the scheme proposed in [54]. We obtain a maximum distance of approximately 500 km while a distance of 400 km was achieved for the previous scheme.

Conclusion
We proved the security of the RFI-TF QKD protocol with state preparation flaws. Our results demonstrate that our protocol can overcome the repeaterless PLOB bound. In addition, our protocol is capable of extracting a secure key over a transmission distance of l = 505 km, l = 516 km and l = 530 km for encoding flaws δ = 0.090, δ = 0.127 and δ = 0.147, which corresponds to deviation of 5.15°, 7.28°and 8.42°from the desired phase angle, respectively. The results show that despite the state preparation flaws, the key rates achieved are still comparable to those of perfect encoding scenario. Although our protocol cannot achieve a transmission distance beyond the original TF-QKD protocol, its greatest advantage is that it can be implemented without the alignment of reference frames, eliminating the need for active stabilization of interferometers.

Data availability statement
The data that support the findings of this study are available upon reasonable request from the authors.

Appendix A. Determination of yield for virtual states
This section provides an explicit derivation of the yield for virtual states, which are used to deduce error rates for bounding Eve's information. We demonstrate how to concisely represent the joint probabilities of these states in terms of transmission rate of identity and Pauli operators. The yields for virtual states as defined by equation (15) in the main text are given by Furthermore, if we denote yields as a vector = the joint probabilities can succinctly be written as =

Appendix B. Determination of yield of states used in the actual protocol
We compute the joint probabilities for sending the four states used in the actual protocol and show that by using the transmission rate for these states, one can obtain the yield of virtual states described above and subsequently estimate the error rate E XX . From the actual experiment, we have the following constraints,    ( ) Hence, the vector ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  , and matrix V obtained from vectors . ( ) The above result can be rewritten in terms of the transmission rate vector, q as follows ( ) Combining the above equation with equation (A.13) we can obtain the yield for virtual states from transmission rate of actual states and thus deduce the error rate E XX . r where P jZ 0 , P jZ 1 , P X , . These probabilities are given by }form orthonormal bases. Also, the explicit form of these eigenstates is given by for i, j ä {0, 1}, β ä {X, Y, Z} and N denoting the normalization factor while b n x j and b n z j represent the coefficients of Pauli operators σ x and σ z , respectively. In our security proof, we consider purifications of these mixed states, and that is realized by introducing Alice and Bob's ancilla systems. Thus, we get the following expressions where the index A 1 represents Alice's ancilla system that purifies the state and C corresponds to the system that is sent to Charlie. Similarly, for Bob the purifications are given by Now, to proceed with our analysis, we define the entangled states initially prepared by Alice and Bob by incorporating the purified states. For, Alice these states are expressed as Likewise, Bob prepares the states where A 2 and B 2 in the equations above represent the systems used by Alice and Bob to generate key bits. Recall that in the virtual protocol, as explained in the main text, Alice and Bob prepare the states in equations (C.12) and (C.15) and measure their subsystems A 2 and B 2 in the X basis rather than Z basis. Therefore, to simplify our analysis we rewrite the state (C.12) in the X basis form as |˜( ) that are sent by Alice (Bob) to Charlie. The preparation, selection, and measurement process of these states can be defined in a more compact form as with probabilities given by We now present comprehensive steps of a virtual protocol as follows.

Virtual protocol
Before starting the protocol, Alice and Bob set a fixed number of rounds (say N trials) needed to complete key generation. | defined in equations (C.20) and (C.21), respectively, and send the systems C to Charlie through a quantum channel. They delay their measurements until the announcement by Charlie.
2. Detection announcement. Charlie performs single-photon interference followed by threshold detection in two detectors and announces successful detection results.
3. Measurement and classical communication.
Steps 1-2 are repeated until N trials agreed on by two parties are completed. After that, for the case where Charlie declares detection results F ñ + | , Alice and Bob measure their shield systems ñ c A | , ñ c B | and announce Z (X, Y) basis choice when the results of their measurements is c = 1, 2, 3, 4 (c = 5, 6). This is done to ensure that classical information in the actual protocol is same as virtual protocol.
4. Estimation of the number of phase errors. Alice and Bob use the events c = 3, 4, 5, 6 which correspond to actual states to estimate the number of phase errors.
The virtual protocol described above is equivalent to the actual protocol because quantum states sent by Alice and Bob in two protocols are the same and classical communication by two parties is precisely identical. To elucidate this argument, when Alice and Bob prepare the virtual states (c = 1, 2), they measure their subsystems in the X basis and announce the Z basis instead. The announcement is made in this manner to make the virtual protocol indistinguishable from the actual protocol in which the events (c = 1, 2) are used for key generation, i.e., In these events, Alice and Bob measure their systems in the Z basis and also declares the same basis. Such being the case, both protocols are equivalent from Eve's viewpoint. Now, we present a method used to estimate observed phase errors in N measurements performed by Alice and Bob in their systems c A and c B . We consider coherent attacks where Eve interacts with all signals sent by the two parties and executes a joint measurement after classical communication is completed. For this kind of attack, it suffices to use Azuma's inequality [57] which consider any random variables including correlated ones provided that a Martingale and Bounded difference condition (BDC) are satisfied. Azuma's inequality is described as follows.
A sequence of random variables denoting the expectation value. In addition, observed in the first m trials and ξ j is a Bernoulli random variable. Furthermore, P(ξ j = 1|ξ 0 ,K, ξ j−1 ) is probability of having event ξ j = 1 in the j th run conditioned on the first j − 1 outcomes, ξ 0 ,K, ξ j−1 . It can be easily shown that the random variables in equation (C.34) are Martingale and fulfils BDC Thus, by applying Azuma's inequality we obtain where X (0) = 0. This essentially implies that Now, applying Azuma's inequality to our scenario, from the N trials by Alice and Bob in the virtual protocol, if we consider the j th run of the protocol and once we obtain probability for measuring systems c A and c B for that particular run conditioned on previous measurement outcomes, then we can find actual number of events observed. Precisely, for random variables X c c l A B with l = 1,K,N Azuma's inequality states that where L c c l A B is a random variable that corresponds to the actual number of events during l trials (l=1, K, N). Moreover, x is the probability of Alice and Bob obtaining the values c A and c B in their measurements performed in the j th , conditioned on the previous j − 1 measurement outcomes, ξ j |ξ 0 ,K,ξ j−1 . To determine this conditional probability in the j th run, we use the joint state prepared by Alice and Bob for N trials ( ) represent states prepared by Alice (Bob) in the first j − 1 runs, j th run and the remaining N − j runs, respectively. Let define the evolution of the joint state after Eve's action by where  E C is Eve's unitary transformation on CE and C t C , corresponds to the Kraus operator which acts on system C according to Eve's measurement results on her ancilla. Note that here we denote Charlie's system with index C which essentially corresponds to a joint system constituted by subsystems C A and C B received from Alice and Bob, respectively. Now, taking into consideration measurement outcomes prior to the j th run, we define the joint measurement operator for the j − 1 systems as represents the Kraus operator associated with i th measurement outcome of Alice and Bob ʼs systems sh A , sh B and Charlie's system C. From this joint measurement operation on j − 1 systems, we define the measurement outcomes of j − 1 runs as O j−1 . After Eve's interaction, the joint state of the j th run conditioned on the measurement results of the first j − 1 runs can be expressed as is the Kraus operator acting on the j th system conditioned on the previous measurement outcomes O j−1 , and it is given by The detection probabilities are given by where p 0 , p L and p R denote the probabilities for no click, click in L-detector and click in R-detector, respectively. Taking into consideration the effects caused by dark counts p d , we have that