Dual-phase-modulated plug-and-play measurement-device-independent continuous-variable quantum key distribution

We suggest an improved plug-and-play measurement-device-independent (MDI) continuous-variable quantum key distribution (CVQKD) via the dual-phase modulation (DPM), aiming to solve an implementation problem with no extra performance penalty. The synchronous loophole of different lasers from Alice and Bob can be elegantly eliminated in the plug-and-play configuration, which gives birth to the convenient implementation when comparing to the Gaussian-modulated coherent-state protocol. While the local oscillator (LO) can be locally generated by the trusted part Charlie, the LO-aimed attacks can be accurately detected in the data post-processing. We derive the security bounds of the DPM-based MDI-CVQKD against optimal Gaussian collective attacks. Taking the finite-size effect into account, the secret key rate can be increased due to the fact that almost all raw keys of the MDI-CVQKD system can be fully exploited for the final secret key generation without sacrificing raw keys in parameter estimation. Moreover, we give an experimental concept of the proposed scheme which can be deemed guideline for final implementation.


Introduction
Quantum key distribution (QKD) [1,2] is a branch of quantum cryptography, whose goal is to provide an elegant way to allow two remote legitimate partners (Alice and Bob) to generate a random secure key with unconditional security [3,4] over insecure quantum and classical channels.There are two approaches to implement QKD, i.e., discrete-variable (DV) QKD [5,6] and continuous-variable (CV) QKD [7][8][9][10].In DVQKD, the polarization states of a single photon are usually exploited to transmit the information of key bits, whereas in CVQKD, the sender, Alice, usually encodes key bits in the quadratures ( x and p) of the optical field with Gaussian modulation [11], and the receiver, Bob, can restore the secret key bits through high-speed and high-efficiency homodyne or heterodyne detection techniques [12].
Currently, the CVQKD protocol has been implemented through the established standard telecommunication facilities, which is more convenient and practical than its DVQKD counterpart.However, there is usually an assumption that devices are perfect and cannot be eavesdropped by the third untrusted party, and consequently doubts about the immaculate CVQKD system have been raised.An ideal model of CVQKD is not enough for the security analysis of the practical CVQKD system.For example, there is no need to consider the effect of local oscillator (LO) in ideal models but it is necessary to take it into account in the practical CVQKD system, since eavesdroppers may exploit the transmitted LO to launch practical attacks such as wavelength attacks [13,14], saturation attacks [15], calibration attacks [16], and LO fluctuation attacks [17].Furthermore, the imperfections of detectors can be maliciously exploited, which make the CVQKD system vulnerable to various attacks.To remove all existing and yet-to-be-discovered detector side channels, measurement-device-independent (MDI) QKD was proposed [18][19][20].It offers an immense security advantage over standard security proofs and has the power to double the secure distance [19].
So far, much progress has been made in MDI-DVQKD [21][22][23][24][25] and MDI-CVQKD [26][27][28][29].In a MDI-CVQKD protocol, both Alice and Bob are senders while an untrusted third party Charlie is introduced to realize Bell measurements.Such measurement results will be used by Alice and Bob in post-processing to generate the secure keys.MDI-CVQKD has become an important research limelight since it has many practical advantages, especially for a metropolitan QKD network [30].Subsequently, C. Lupo et al. presented the composable security proof of MDI-CVQKD against coherent attacks [31].However, the theoretical feasibility does not usually mean its experimental implement although its theoretical security has been proven.In the other words, the implementation of MDI-CVQKD at present may be impractical.For example, a strong light (LO) with weak signal light is required for realizing the practical CVQKD [32].Because these two lights have to be precisely interfered in homodyne or heterodyne detector, the synchronization of the two beams is crucial to implement CVQKD communication.While this problem magnifies doubly in MDI-CVQKD with two senders Alice and Bob, it renders MDI-CVQKD hard to implement stably.Moreover, the Gaussian-modulated coherent states are prepared for Alice and Bob with symmetrical modulation, which is usually implemented by applying an amplify modulator (AM) and a phase modulator (PM).Unfortunately, most of the widely used AMs, e.g.LiNbO 3 modulators, are polarization sensitive and features a polarizer, which means the part of light cannot be transmitted if its orientation is not aligned correctly [33].As a result, the performance of the practical MDI-CVQKD system will be degenerated.
To solve the above-mentioned problems, in this paper, we suggest a plug-and-play (PP) scheme for MDI-CVQKD via the dual-phase modulation (DPM).In particular, the proposed scheme waives the necessity of propagation of the LO through the insecure quantum channels from Alice's and Bob's sides.Instead, the real LO is generated from the same laser of quantum signal at Charlie's side, and thus it avoids the problems of synchronization of different lasers as well as the LO-aimed attacks.Moreover, the reference of two signals can be guaranteed identically and the polarization drifts can be compensated automatically since only one laser is needed for the PP DPM-based MDI-CVQKD.Meanwhile, a polarization-insensitive dual-phase modulation strategy is adopted to Alice's and Bob's sides respectively which shows the experimental feasibility of preparing Gaussian states.We derive the security bounds against optimal Gaussian collective attacks, which shows that the proposed scheme works equivalently to symmetrically modulated Gaussian-state MDI-CVQKD protocols.When taking into account the finite-size effect almost all raw keys generated by the proposed scheme can be used for final secret key generation, without sacrificing any raw keys in parameter estimation.
This paper is structured as follows.In Sec.II, we describe the traditional MDI-CVQKD protocol, and subsequently propose the PP DPM-based MDI-CVQKD.In Sec.III, we focus on the security analysis with numerical simulation in asymptotic limit and finite-size regime.Finally, conclusions are drawn in Sec.IV.

The PP DPM-based MDI-CVQKD protocol
To make the derivation of the PP DPM-based MDI-CVQKD protocol self-contained, we illustrate the characteristics of the MDI-CVQKD protocol and then extend it to the PP DPM-based MDI-CVQKD protocol.

Characteristics of the MDI-CVQKD protocol
In the MDI-CVQKD protocol, the side-channel attacks can be eliminated since one does not need to make any assumption on the measurement device.As shown in Fig. 1.(a), two lasers are adopted to Alice's and Bob's side respectively, where each side modulates information independently using AM and PM.After that, the two Gaussian-modulated pulses are sent to Charlie who measures the incoming modes with Bell state measurement (BSM).In particular, the prepare-and-measure model of MDI-CVQKD protocol can be described as follows.Step 1. Alice randomly prepares a coherent state with complex amplitudes α = (x A + ip A )/2 and Bob randomly prepares another coherent state with complex amplitudes β = (x B + ip B )/2, where the local variables X = (x A , p A ) and Y = (x B , p B ) are Gaussian distributed with variances V A and V B , respectively.Then Alice and Bob send their coherent states to Charlie.
Step 2. After receiving the transmitted coherent states, Charlie performs BSM-based detections.The coherent states are interfered and measured by the homodyne detectors, and the measurement results described as variable Z with complex value γ = (x Z + ip Z )/2 are announced by Charlie.
Step 3. When Alice and Bob receive Charlie's measurement results, they can estimate the covariance matrix Γ XY Z of the tripartite state ρ XY Z , which can be used for the security analysis [11,34,35].
Step 4. Alice and Bob modify their data as X = (x A , p A ) and Y = (x B , p B ), where Here k is the amplification coefficient related to channel loss, and the variables X and Y represent the local raw keys of Alice and Bob, respectively.
Step 5. Alice and Bob use an authenticated public channel to finish the error correction and privacy amplification, and finally generate the identical secret key.
The prepare-and-measure model is usually easy to apply, while considering its security, the prepare-and-measure model is equivalent to the corresponding entanglement-based model for convenient security analysis [36].As shown in Fig. 2, Alice and Bob first prepare two-mode squeezed vacuum state [Einstein-Podolsky-Rosen (EPR) state] respectively.Each sender keeps one mode A 1 (or B 1 ) and sends another mode A 2 (or B 2 ) to the third party (Charlie) through the untrusted quantum channel.An eavesdropper, says Eve, may replace the quantum channel between the two senders and Charlie with her own quantum channel to launch the entangling cloner attacks, which has been proven to be one kind of the optimal Gaussian collective attack [37,38]  Alice and Bob respectively generate EPR pairs and send them to the third party Charlie through the untrusted quantum channel.Charlie measures the incoming modes using BSM and subsequently sends the measurement result back to Alice and Bob.ε is excess noise and η is the transmittance of the quantum channel.

Design of the PP MDI-CVQKD protocol
The plug-and-play (PP) MDI-CVQKD protocol can be designed on the basis of the traditional MDI-CVQKD protocol by putting the laser at Charlie's side instead of applying two lasers at Alice's and Bob's sides.As shown in Fig. 1(b), the data-processing is almost similar, but slightly different from that of the traditional MDI-CVQKD protocol.Firstly, Charlie sends strong coherent light to Alice and Bob through a 50:50 beam splitter.Each splited light is transmitted through an optical fiber, and then reflected by a faraday mirror (FM) of Alice (or Bob).An AM and a PM are adopted at each side to encode information using Gaussian modulation.Then, the light is sent back to Charlie, and then BSM and data post-processing are followed to generate the secret keys.
The PP MDI-CVQKD protocol has several remarkable features.It is similar to the traditional MDI-CVQKD because the signal sent from Charlie to Alice and Bob does not contain any Gaussian-modulated information, and hence the useful information is only available in the trusted parts.In addition, the mode matching issue such as the problem of synchronization can be solved since the lights of Alice and Bob are generated from the same laser so that the spectral modes of the pulses are identical.From the viewpoint of its experimental implementation, the polarization drift during the optical fiber transmission can be automatically compensated.
It is necessary to show the effect of the PP configuration on the security of the realistic MDI-CVQKD.The security against any detector side channel attacks is guaranteed since the PP configuration does not disturb the measurement setup of the MDI-CVQKD.Moreover, one does not need to transmit LO through the untrusted channel, but can generate LO locally at Charlie's side, which eliminates all LO-aimed attacks in the security analysis.

Design of the PP DPM-based MDI-CVQKD protocol
So far, the Gaussian-modulated CVQKD protocols, including the Gaussian quantum state, Gaussian operation and Gaussian measurement, are experimentally feasible and simple for the mathematical description [30].As a result, the traditional CVQKD protocols are usually based on Gaussian modulation except some discretely-modulated CVQKD protocols [39][40][41].Theoretically, the Gaussian quantum state can be prepared by using AM and PM.Unfortunately, most of the widely used AMs, e.g.LiNbO 3 modulators, are polarization sensitive and features a polarizer, where the part of light cannot be transmitted if its orientation is not aligned correctly [33], resulting in the degenerated performance in practice.To solve this problem, we suggest the PP DPM-based MDI-CVQKD protocol, aiming to eliminate the negative effect of AMs in the MDI-CVQKD system.
As shown in Fig. 1(c), the PP DPM-based MDI-CVQKD protocol can be designed from the PP MDI-CVQKD protocol by replacing AM to an extra fiber link with a PM and a FM at Alice's and Bob's sides.This architecture totally removes AMs so that one does not need to consider its practical problem in the experimental implementation.In what follows, we show that the PP DPM-based MDI-CVQKD protocol is equivalent to the Gaussian-modulated MDI-CVQKD protocol.
Generally, the Jones matrix of a Faraday mirror can be expressed by When the input signal reaches FM and reflects back [42], the complete Jones matrix of the rotated element can be expressed by where δ is the rotation angle between the reference basis and the eigenmode basis of the birefringence medium, while ϕ o and ϕ e are the propagation phases of ordinary and extraordinary rays, respectively.T(±δ) are the Jones matrices of birefringence medium when the signal goes forward and backward of the single-mode delay lines, which can be given by Since the PP DPM-based MDI-CVQKD protocol can be constructively symmetric, we consider Alice's data-processing for simplicity.The transformation matrices of the dual-phase modulation scheme can be given by [33] where ς A1 and ς A2 are the equivalent attenuation coefficient of PM A1 and PM A2 , ϕ A1 and ϕ A2 are electronically modulated phases of PM A1 and PM A2 .Suppose the input Jones vector is Alice in , the output of dual-phase modulation Alice out after a round trip can be expressed as In an ideal dual-phase modulation system with perfect optical components, one can get the same insertion loss in the two arms.Namely we have ς ≈ ς A1 ≈ ς A2 , and then the output of dual-phase modulation can be simplify as Similarly, the output of dual-phase modulation at Bob's side can be given by According to Eq.( 8) and Eq.( 9), we find that the Gaussian modulation can be implemented by both senders using two polarization-independent PMs instead of a polarization-dependent AM and PM.Therefore, the PP DPM-based MDI-CVQKD protocol is equivalent to the Gaussian-modulated MDI-CVQKD protocol, leading to the convenient experimental implementation in efficiency.

Security Analysis
In this section, we analyze the security of the PP DPM-based MDI-CVQKD protocol in both asymptotic case [43] and finite-size regime [44,45].We find that almost all raw keys generated by the proposed scheme can be used for the final secret key generation when considering the finite-size effect.As shown in Fig. (3), we depicts the entanglement-based model of the PP DPM-based MDI-CVQKD protocol.Since only one laser is used for preparing coherent states at Charlie's side instead of adopting two separate lasers at each remote side, the source can be modeled by using two EPR pairs at Charlie's side.After Alice and Bob respectively displace their incoming modes (A 1 and B 1 ) according to the BSM results that are publicly announced by Charlie, mode A 2 and mode B 2 have the certain correlation.Providing that mode A 2 and mode B 2 come from the same EPR pair, it is similar to the CVQKD protocol with an entangled source in the middle [46,47].

Asymptotic security of PP DPM-based MDI-CVQKD protocol
We assume that Eve performs the collective Gaussian attack strategy, which is the best attack under the direct and reverse reconciliation protocols [37,38].In particular, Eve prepares her ancillary system in a product state for Alice's and Bob's side, and the ancilla mode of each side interacts individually with a single pulse sent to Alice and Bob respectively.The combined state reads Eve then launches the entangling cloner attack.Specifically, Eve replaces the channel with transmittance T and excess noise referred to the input χ by preparing the ancilla |E i of variance W i (i = 1, 2) and a beam splitter of transmittance T. The value W i can be tuned to match the noise of the real channel χ = (1 − T)/T + ε.Note that for the PP DPM-based MDI-CVQKD protocol, both sides of Alice and Bob are symmetric, i.e., T = T 1 = T 2 .After that, Eve keeps one mode E i1 of |E i and injects the other mode E i2 into the unused port of each beam splitter and thus acquires the output mode E i3 .After repeating this process for each pulse, Eve stores her ancilla modes, E i1 and E i3 , in quantum memories.Finally, Eve measures the exact quadrature on E i1 and E i3 after Charlie reveals the BSM results.According to the above-mentioned situation, the lower bound of the asymptotic secret key rate under the collective attack strategy can be given by where β is the reconciliation efficiency, I(A : B) is the Shannon mutual information between Alice and Bob, and χ E is the Holevo bound of Eve's information [48].Assuming that Alice and Bob have perfect heterodyne detectors, the covariance matrix of the Gaussian state ρ G AB can be given by where I and σ z represent diag(1, 1) and diag(1, −1), respectively, V is the variance of mode A and mode B, W i = T i χ i /(1 − T i ) with the added noise referred to the input χ i = (1 − T i )/T i + ε.Therefore, Alice and Bob's mutual information can be calculated as As the proposed protocol is symmetric, the orientation of reconciliation would not have affect on the performance of the protocol, and thus we only consider the calculation of asymptotic security key rate in direct reconciliation (the identical result can be obtained in reverse reconciliation).The mutual information between Alice and Eve can be expressed as Due to the fact that Eve can provide a purification of Alice and Bob's density matrix, we obtain S(E) = S(AB), which is a function of the symplectic eigenvalues λ 1,2 of Γ G AB given by where G(x) = (x + 1)log 2 (x + 1) − xlog 2 x is the Von Neumann entropy and the symplectic eigenvalues λ 1,2 are calculated as with ∆ = a 2 + b 2 − 2c 2 and D = ab − c 2 .After Alice performs heterodyne detection over mode A, the system BE is pure.This gives where the symplectic eigenvalue λ 3 = b − c 2 /(a + 1).See [49] for the detailed derivations.As a comparison, we also plot the asymptotic secret key rate of the traditional MDI-CVQKD protocol [27].We find that the performances of both protocols are similar except for a few minor discrepancies, i.e. the slight differences in maximal secret key rate and maximal transmission distance.It shows that the PP DPM-based MDI-CVQKD protocol features the same security level as the traditional MDI-CVQKD protocol.It is worth noticing that the aim of this scheme is not to improve the performance of the MDI-CVQKD protocol, but to show the feasibility and substitutability of the MDI-CVQKD protocol in experimental implementation.As a result, we only consider the symmetric case of MDI-CVQKD protocol, i.e., L AC = L BC , regardless of the asymmetric one, although the latter case can largely improve the transmission distance of the MDI-CVQKD protocol [26,27].

Security of the PP DPM-based MDI-CVQKD protocol in finite-size regime
The above asymptotic security proof is based on an assumption that one considers the security of a protocol in asymptotic limit of infinitely many signals that are transmitted between Alice and Bob.However, it is unpractical for implementations.Fortunately, a security framework of finite-size for the CVQKD protocols has been proposed in [50].In this framework, the raw key is no longer infinite and one needs to use part of it to estimate the parameters of the communication channel.However, it would introduce a tradeoff between the final secret key rate and the accuracy of parameter estimation step in the finite-size regime.Very recently, [51] shows that this problem can be solved in traditional MDI-CVQKD protocol.We, here, extend it to the proposed PP DPM-based MDI-CVQKD protocol and give the detailed security proof in finite-size regime.
An important procedure of data post-processing is parameter estimation, aiming to acquire the information of quantum channel such as transmissivity and excess noise, which are relevant for estimating the security of the CVQKD protocol.In general, local information without classical communication is not sufficient for parameter estimation, and the only way for obtaining the precise result of parameter estimation is to sacrifice part of raw key.However, the more raw key data are used for parameter estimation, the lower is the final secret key rate.In fact, the estimation of the covariance matrix Γ XY Z of the tripartite state ρ XY Z could be done locally by Alice or Bob without using part of the raw key.In particular, the covariance matrix Γ XY Z can be expressed as where is the empirical covariance matrix of (x Z , p Z ), and are the correlation items.
Since the proposed protocol is based on the MDI-CVQKD structure, where Alice and Bob modulate coherent states using the DPM scheme and do not perform any measurement at their own side, the variances of x A , p A , x B and p B can be known locally by Alice and Bob.After Charlie announces the measurement result γ = (x Z + ip Z )/2, Alice computes the empirical correlations of the matrix c X Z , namely x A x Z , x A p Z , p A x Z and p A p Z .Similarly, Bob can obtain the empirical correlations of the matrix c Y Z .As a result, all the entries of the covariance matrix Γ XY Z can be calculated locally by Alice and Bob without any extra communication.Finally, the covariance matrix Γ G AB of the Gaussian state ρ G AB can be achieved by exploiting the relations Eq. ( 1).Note that the amplification coefficient k has to be well selected to optimalize the conditional displacements in both Alice's and Bob's sides [27,51].
Based on the derived covariance matrix Γ G AB , the performance of the PP DPM-based MDI-CVQKD protocol can be estimated by Alice or Bob in finite-size regime.Specifically, the secret key rate calculated by taking finite-size effect into account is expressed as [50] where β and I(A : B) are as the same as the afore-mentioned definitions, PE is the failure probability of parameter estimation and the parameter ∆(n) is related to the security of the privacy amplification given by where ¯ is a smoothing parameter, P A is the failure probability of privacy amplification, and H is the Hilbert space corresponding to the raw key.Since the raw key is usually encoded on binary bits, we have dimH = 2.We denote N the total exchanged signals and n the number of signals that is used for sharing key between Alice and Bob.Note that in the conventional calculation the remained m = N − n signals are used for parameter estimation so that the values are usually set to be m = n = 1 2 N.However, as we pointed above, the remained signals can be neglected since parameter estimation can be locally performed without extra information.Therefore, the signals that are used for estimating can be exploited for transporting more secret keys.That is to say, almost all raw keys can be used for the final secret key generation without parameter estimation using part of them, leading to the increased secret key rate of the MDI-CVQKD protocol.In fact, Alice and Bob still need to share the entries of the estimated covariance matrix, which contain an amount of raw keys.Fortunately, that amount is negligible as the secret key is very long.As a result, the value can be set to n ≈ N.
In the conventional finite-size case (needing to sacrifice part of raw keys), S P E needs to be calculated in parameter estimation procedure where one can find a covariance matrix E minimizing the secret key rate with a probability of 1 − PE .It can be calculated by m couples of correlated variables (x i , y i ) i=1•••m given by where t = √ η and σ 2 = 1 + ηε are compatible with m sampled data except with probability PE /2.The maximum-likelihood estimators t and σ2 respectively has the follow distributions where t and σ 2 are the authentic values of the parameters.In order to maximize the value of the Holevo information obtained by Eve with the statistics except with probability PE , the value of t min (the lower bound of t) and σ 2 max (the upper bound of σ 2 ) in the limit of m must be computed, namely where z P E /2 is such that 1 − erf(z P E /2 / √ 2)/2 = PE /2 and erf is the error function defined as The above-mentioned error probabilities can be set to ¯ = PE = P A = 10 10 .Finally, one can derive the secret key rate using the derived bounds t min and σ 2 max .Actually, we do not need to estimate the secret key rate of the PP DPM-based MDI-CVQKD protocol like above, but would directly calculate it by the locally obtained covariance matrix Γ XY Z without complicated estimation process.This is feasible since the correlations between Alice's and Bob's raw keys are post-selected by the relay so that the public variable Z contains all the information about the correlations between Alice and Bob [51].
Fig. 5 shows the performance of the PP DPM-based MDI-CVQKD protocol with almost all raw keys are used for generating the final secret key (solid lines) comparing with conventional finite-size calculation (dashed lines).We find that for each block, especially for the small-length block, the maximal transmission distance can be extended by directly calculating the locally obtained covariance matrix, since part of raw key data that should be used for parameter estimation now is used for generating more final secret keys, giving birth to the increased secret key rate of the MDI-CVQKD protocol using conventional finite-size calculation.
We note that the CVQKD protocols has been recently proved to be secure against collective attacks in a composable security framework [52], which is the enhancement of security based on uncertainty of the finite-size effect so that one can obtain the tightest secure bound of the protocol by considering each data-processing step in the CVQKD system [53].We do not give the detailed proof of the composable security for MDI-based CVQKD protocols here, but it is reasonable to believe that the performance of the proposed protocol can be improved either since the conventional proof of composable security also needs to sacrifice part of raw keys for parameter estimation.

Discussion and conclusion
So far we have illustrate the characteristics of the PP DPM-based MDI-CVQKD protocol.As for its practical implementations, we demonstrate its setup shown in Fig. 6.Charlie generates a series of strong pulses using continuous-wave (CW) laser.These pulses are splitted into two portions with an intensity ratio of 99:1, a fraction (1%, red line) of which is used to carry signals while another fraction (99%, blue line) is used as a locally generated LO.The signals are divided into two branches by the PBS and then sent to Alice and Bob respectively.For both Alice and Bob, after being reflected by FM 1 , the signals are modulated by the DPM scheme and reversely sent back to Charlie.The incoming modulated signals, subsequently, are interfered with respective local LOs, aiming to calibrate the incoming signals and monitor its variance in real time.Finally, the yielded signals from Alice and Bob are used for the BSM.
There are several remarks on the proposed protocol for its implementation.First of all, all LOaimed attacks e.g.wavelength attacks, saturation attacks, calibration attacks and LO fluctuation attacks, can be well defended due to fact that the LO is locally generated by the trusted part Charlie.Secondly, the synchronization problem of Alice and Bob is eliminated because both signal and LO come from the same laser.Thirdly, the reference of two signals can be guaranteed identically and the polarization drifts can be compensated automatically since only one laser is required for the proposed scheme.Moreover, there is no need to use the traditional LiNbO 3 modulators by applying DPM scheme, which takes advantage of the polarization-insensitive properties of phase modulators so that the coherent-state preparation would not be affected by the polarization drifts of the fiber channel.In conclusion, we have suggested the design of the PP DPM-based MDI-CVQKD with no extra performance penalty.The proposed scheme waives the necessity of propagation of LO through the insecure quantum channels.Because a real local LO can be generated from the same laser of quantum signal at Charlie's side, it avoids the problems of synchronization of different lasers as well as the LO-aimed attacks.Moreover, the reference of two signals can be guaranteed identically and the polarization drifts can be compensated automatically since only one laser is required for the proposed scheme.Meanwhile, a polarization-insensitive dualphase modulation strategy is adopted to Alice's and Bob's sides respectively, which shows the experimental feasibility of preparing Gaussian states.We derive the security bounds against optimal Gaussian collective attacks.It shows that the proposed scheme works equivalently to symmetrically modulated Gaussian-state MDI-CVQKD protocols.Since almost entire raw keys generated by the proposed scheme can be used for final secret key generation when considering the finite-size effect, the secret key rates of MDI-CVQKD in finite-size regime can be increased.Moreover, an experimental concept of the proposed scheme, which can be deemed guideline for final implementation, is demonstrated.In terms of possible future research, we will give the concrete experimental implementation of the PP DPM-based MDI-CVQKD protocol.

Fig. 1 .
Fig. 1.Schematic diagrams of (a) traditional MDI-CVQKD protocol.Alice and Bob prepare coherent states independently, and send them to Charlie for Bell state measurement.(b) PP MDI-CVQKD protocol.Charlie initially launches pulses to Alice and Bob, and then Alice and Bob reflect back the pulses to Charlie after Gaussian modulation.(c) PP DPM-based MDI-CVQKD protocol.Charlie still initially launches pulses to Alice and Bob, Alice and Bob respectively use dual-phase-modulation strategy to encode the information and subsequently send the pulses back to Charlie.AM, Amplitude modulator; PM, Phase modulator; FM, Faraday mirror; BS, Beam splitter; BSM, Bell state measurement.
. The incoming modes A 3 and B 3 are received by Charlie and subsequently interfered at a beam spiltter (BS) with two output modes A 4 and B 4 .Then both the x-quadrature of A 4 and the p-quadrature of B 4 are measured by homodyne detectors, and the measurement result γ = (x Z + ip Z )/2 are announced by Charlie.After receiving Charlie's measurement results, Alice and Bob respectively displace their own mode A 1 (or B 1 ) by operations DA (γ) and DB (γ).Finally, the yielded modes A and B are measured by heterodyne detectors to generate the raw key {X, Y }.

Fig. 2 .
Fig. 2. Entanglement-based model of MDI-CVQKD protocol with entangling cloner attacks.Alice and Bob respectively generate EPR pairs and send them to the third party Charlie through the untrusted quantum channel.Charlie measures the incoming modes using BSM and subsequently sends the measurement result back to Alice and Bob.ε is excess noise and η is the transmittance of the quantum channel.

Fig. 3 .
Fig. 3. Entanglement-based model of PP DPM-based MDI-CVQKD protocol with entangling cloner attacks.Charlie prepares two EPR pairs and sends one mode of each to Alice and Bob through the untrusted quantum channel, respectively.Alice and Bob displace the incoming modes according to the public BSM result and subsequently measure them with respective heterodyne detections.

Fig. 4 .
Fig. 4. The performance of MDI-CVQKD protocols.Blue solid line and red dashed line denote the asymptotic secret key rate and the tolerable excess noise of the proposed PP DPM-based MDI-CVQKD protocol as a function of transmission distance from Alice to Bob, respectively.As a comparison, blue dotted line denotes the asymptotic secret key rate of traditional MDI-CVQKD protocol in [27].The simulation parameters are set as follows: modulation variance is V = 20, reconciliation efficiency is β = 95% and excess noise for blue solid line is ε = 0.001.

Fig. ( 4 )
Fig.(4) shows the performance of the PP DPM-based MDI-CVQKD protocol in asymptotic case.As a comparison, we also plot the asymptotic secret key rate of the traditional MDI-CVQKD protocol[27].We find that the performances of both protocols are similar except for a few minor discrepancies, i.e. the slight differences in maximal secret key rate and maximal transmission distance.It shows that the PP DPM-based MDI-CVQKD protocol features the same security level as the traditional MDI-CVQKD protocol.It is worth noticing that the aim of this scheme is not to improve the performance of the MDI-CVQKD protocol, but to show the feasibility and substitutability of the MDI-CVQKD protocol in experimental implementation.As a result, we only consider the symmetric case of MDI-CVQKD protocol, i.e., L AC = L BC , regardless of the asymmetric one, although the latter case can largely improve the transmission distance of the MDI-CVQKD protocol[26,27].

Fig. 5 .
Fig. 5. Finite-size secret key rate of the proposed PP DPM-based MDI-CVQKD protocol as a function of transmission distance.Solid lines show the secret key rate generated from almost all raw keys (N = n), dashed lines show the secret key rate using conventional finite-size calculation (N = 2n).From left to right, both lines correspond to block lengths of N = 10 4 , 10 5 , 10 6 , 10 7 and 10 8 .The parameters are set as same as Fig. 4.