Finite-key analysis for twin-field quantum key distribution based on generalized operator dominance condition

Quantum key distribution (QKD) can help two distant peers to share secret key bits, whose security is guaranteed by the law of physics. In practice, the secret key rate of a QKD protocol is always lowered with the increasing of channel distance, which severely limits the applications of QKD. Recently, twin-field (TF) QKD has been proposed and intensively studied, since it can beat the rate-distance limit and greatly increase the achievable distance of QKD. Remarkalebly, K. Maeda et. al. proposed a simple finite-key analysis for TF-QKD based on operator dominance condition. Although they showed that their method is sufficient to beat the rate-distance limit, their operator dominance condition is not general, i.e. it can be only applied in three decoy states scenarios, which implies that its key rate cannot be increased by introducing more decoy states, and also cannot reach the asymptotic bound even in case of preparing infinite decoy states and optical pulses. Here, to bridge this gap, we propose an improved finite-key analysis of TF-QKD through devising new operator dominance condition. We show that by adding the number of decoy states, the secret key rate can be furtherly improved and approach the asymptotic bound. Our theory can be directly used in TF-QKD experiment to obtain higher secret key rate. Our results can be directly used in experiments to obtain higher key rates.


Introduction
Quantum key distribution (QKD) [1,2] provides two distant parties (Alice and Bob) a secret string of random bits against any eavesdropper (Eve), who may have unlimited power of computing but is just assumed to obey the law of quantum mechanics [3,4].During last three decades, QKD has been developed rapidly both in theory and experiment.In theory, the security of QKD is thoroughly analyzed [3], while a variety of novel protocols, e.g.decoy states [5][6][7] and measurement-device-independent (MDI) protocol [8], are proposed.In experiment, it is on the way to a wide range of QKD networks [9,10], even a satellite-to-ground quantum key distribution has been realized [11].Among all these above mentioned QKD protocols and experiments, there are some fundamental limits [12,13] on the secret key rate versus channel distance.For instance, Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound R −log 2 (1 − η) [13] gives the precise limit on the secret key rate R under a given channel transmittance η for any repeaterless QKD protocols.
To surpass the PLOB bound, a possible way is to introduce at least one middle node in the protocol.However, this is not a sufficient condition, i.e. the original MDI-QKD protocol does have a middle node but is still unable to beat the PLOB bound.Indeed, some extensions of MDI-QKD can improve its rate scaling from η to √ η by either using quantum memories [14,15] or quantum non-demolition measurement [16].Albeit these setups can be considered to be the simplest examples of quantum repeaters [17,18] which are the ultimate solution to trust-free long-distance quantum communications [19], quantum memories or quantum non-demolition measurement is quite challenging at present.
In Refs.[23][24][25], authors independently proposed a variant of TF-QKD featuring simpler process and higher key rate, since phase postselection is removed.For simplicity, we call this protocol No-phase-post selection(NPP) TF-QKD in the remainder of the paper.The original papers on NPP-TFQKD [23][24][25] gave security proof based on different methods, but a finite-key analysis was missing.Later, some proofs of NPP-TFQKD on finite-key scenario are proposed [32,33].Remarkably, K.Maeda et.al. proposed a simple finite-key analysis for NPP-TFQKD based on operator dominance condition [32].Their method is sufficient to beat the rate-distance limit when the amount of pulses in the signal mode sent by Alice and Bob reaches 10 12 , which is much smaller than the result obtained in Ref. [33].However, their operator dominance condition is not general which can be only applied in three decoy states scenarios.Hence, one cannot increase its key rate by introducing more decoy states.In this work, inspired by the idea of operator inequality, we propose another operator inequality condition which can be applied to any number of decoy states scenarios.This leads to a higher key rate than that of [32].In section I, we briefly review the flow of NPP-TFQKD and the idea of using operator dominance condition to analyze its security, then propose a new operator inequality.In section II, we present a new operator inequality and a virtual protocol whose security is naturally based on the proposed operator inequality.In section III, we convert the virtual protocol into an actual protocol which is practical in real-life, and a simulation in finite-key case is given then.Finally a conclusion is present.

operator dominance condition and virtual protocol
The flow of NPP-TFQKD is sketched in Fig 1 .In order to share security key, Alice and Bob both send optical pulses to Charlie, who controls the untrusted central station.Both of Alice and Bob randomly switch among code mode and test mode independently.They use code mode to share keys and test mode to estimate the potential information leakage.
In the code mode, Alice and Bob randomly applying 0 or π phase shifting to the weak coherent state | √ µ .Then they send the pulses to Charlie who measures and announces whether these two quantum states are in-phase or anti-phase when the detection is successful.Bob flips his bit when anti-phase was announced.By this way, they can share random bits.In the test mode, both of the senders randomize the optical phase θ and switch among several intensities {µ 0 , µ 1 , µ 2 , µ 3 , • • • , µ k }.They use these phase-randomized coherent states to monitor the amount of information leakage.There are two ways to estimate and generate secret key bits.The first way is to directly calculate Eve's information which is limited by Holevo bound, just like Refs.[26,33].The other way is calculating the phase error in an equivalent protocol where Alice and Bob introduce auxiliary qubits A and B, just like Refs [23,25,32].It seems that the latter one is better when finite-key effect is considered.Thus, we follow the latter way and introduce the virtual protocol used here.
Alice and Bob's procedure in each trial of the code mode is equivalently implemented by preparing the following joint quantum state where {|0 , |1 } denotes the qubit in Z basis, and C A (C B ) denotes the optical pulse sent by Alice(Bob).Alice and Bob retain the pairs of A and B in case of Charlie announcing a successful detection.When the number of successful detection is sufficiently large, Alice and Bob measure the qubits A and B in the Z basis to collect sifted key bits.In order to know the information leakage, we have to estimate the phase error rate in Z basis which is equal to the bit error rate in X basis instead of Z basis.This corresponds to the pair in either state 2} denote the qubit in X basis.Hence, the key point is that how we estimate the bit error rate if Alice and Bob virtually measure the retained pairs of A and B with X basis.Supposing that Alice and Bob make the X basis measurement before sending out the optical pulses, we can rewrite the joint quantum state as where of even photon numbers, and the state numbers.After tracing out the qubits A and B, we can find that Here p even = c 2 + + c 2 − = e −2µ cosh 2µ and the quantum state ρ even reads where p odd = 1 − p even and the quantum state ρ odd reads Evidently, if Alice and Bob are able to prepare ρ even and ρ odd , the security of NPP-TFQKD will be completely equivalent to the original MDI-QKD with single photon source, and then some previous security analyses in finite-key case can be adapted conveniently.However, ρ even and ρ odd are non-classical optical pulses, which are impossible to prepare with off-the-shelf devices.The essential contribution of Ref. [32] is finding an efficient way to approximate ρ even just by using some phase-randomized coherent states.Specifically, they proposed an operator dominance condition which reads Here, n!m! |n n| ⊗ |m m| corresponds to the joint quantum state in case of Alice and Bob both preparing phase-randomized weak coherent pulses with mean photon-number µ, and the corresponding probability is p 2 .This operator inequality implies that Alice and Bob's joint phase-randomized weak coherent state can be reinterpreted as a mixture of ρ even , weak coherent states with a different intensity, and some "junk" states.Hence, it's possible to bound the yield of ρ even just through preparing phase-randomized weak coherent states with three intensities.However, this inequality is not tight and cannot improved by introducing 4 or more intensities.
Intuitively, ρ even is just related to the Fock states whose the total photon-number emitted by Alice and Bob is even, thus it is reasonable to devise operator dominance condition with just these even photon-number states.Based on this consideration, we propose another operator dominance condition which reads where the quantum state τ µ,even = ∞ k=0 2k j=0 Alice and Bob's joint phase-randomized weak coherent state with all odd total photon number states eliminated.The proof of this operator inequality is given in Appendix A.
To analyze the security of NPP-TFQKD with the proposed operator inequality, we employ the following virtual protocol, whose security can be proved by Eq (4) easily.
Step 2: Alice and Bob repeat Step 1 for N tot times.
Step 3: Charlie receives the incoming pairs of optical pulses, and announces whether the phase difference was successfully detected for each pair he received.For successful detection, he also announces it was in-phase or anti-phase.
Step 4: Let γ c be the number of detected rounds for which both Alice and Bob select label "code".Alice concatenates the random key bits for the γ c rounds to define her sifted key.Bob defines his sifted key in the same way except that he flips all the bits for the rounds in which Charlie declared anti-phase detection.Let γ 0,even , γ 0,odd , γ 1,even , γ 1,odd , γ 2,even , γ 2,odd be the number of detected rounds for which both Alice and Bob send the quantum states τ µ 0 ,even , τ µ 0 ,odd , τ µ 1 ,even , τ µ 1 ,odd , τ µ 2 ,even , τ µ 2 ,odd .Let γ sum,even = γ 0,even + γ 1,even .
Step 5: Alice announces H EC bits of syndrome of a error correction code for her sifted key to perform key reconcilation.Bob reconciles his sifted key accordingly.Alice and Bob verify the correction by comparing ζ bits univer sal 2 hashing [34] Step 6: They apply the privacy amplification to obtain final keys of length where the function h and ζ is related to the security parameter of secret key bits.The function f (γ sum,even , γ 2,even ) is essential for the security, since it gives an upper bound of detection number for Alice and Bob virtually prepare p even ρ even in the γ c sifted key generations rounds.Its definition will be introduced below.Define γ c,even is the exact detection number for Alice and Bob virtually preparing p even ρ even in the γ c sifted key generations rounds, then γ c,even /γ c is just the phase error rate of sifted key bits.We construct a function f subjected to Prob{γ c,even ≤ f (γ sum,even , γ 2,even )} ≥ 1 − , which means that f bounds γ c,even with a failure probability .According to Ref. [3], we will know that this formula implies that the virtual protocol is sec -secure where the security parameter . Now, we start to construct the function f (γ sum,even , γ 2,even ).Since Eq.( 4) holds, we can safely suppose that (p 2 0 + p 2 1 )τ sum,even = Γτ µ 2 ,even + Λρ even + ∆ρ junk , where We can immediately observe γ sum,even , as it is the number of detection rounds that Alice and Bob prepare the state τ sum,even , i.e. τ µ 0 ,even or τ µ 1 ,even .Besides, since τ sum,even is a mixture of τ µ 2 ,even , ρ even and ρ junk , γ sum,even is the sum of the numbers of detection rounds for components τ µ 2 ,even , ρ even , and ρ junk , namely γ 2 ,even , γ c ,even , γ junk .Evidently, γ 2 ,even is a Bernoulli sampling from a population with γ 2 ,even + γ 2,even , since τ µ 2 ,even shares the same density matrix for the rounds that Alice and Bob choose the label "2 even ".Similarly, γ c,even is a Bernoulli sampling from a population with γ c,even + γ c ,even .Since we know the value of γ sum,even and γ 2,even , by the use of Chernoff bound, we get an lower bound on γ 2 ,even with a failure probability 2 .Then, the fact that γ sum,even = γ 2 ,even + γ c ,even + γ junk leads to an upper bound on γ c ,even .Finally, by using Chernoff bound again, we get an upper bound on γ c,even with a failure probability less than .The upper bound reads f (γ sum,even , γ 2,even ) = +ν(γ sum,even , γ 2,even ) −log( /2)), where ν(γ sum,even , γ 2,even ) The upper bound f (γ sum,even , γ 2,even ) satisfies Prob γ c,even ≤ f (γ sum,even , γ 2,even ) ≥ 1 − , which implies that the virtual protocol is sec -secure and sec = √ 2

Actual protocol
We have proved the security of virtual protocol in the last section.However, the above virtual protocol is not practical, since Alice and Bob can never prepare the quantum state τ µ,even and τ µ,odd in practice.Fortunately, what we care about are the yields of τ µ,even and τ µ,odd , and we note that the phase randomized coherent state τ µ consists of τ µ,even and τ µ,odd .This implies that one can bound γ sum,even and γ 2,even by the idea of decoy states [5][6][7], albeit we cannot deterministically prepare τ µ,even .Inspired by this consideration, we convert the virtual protocol to an actual protocol below.
. . ."k": She(He) sends a phase-randomized weak coherent state with intensity µ k to Charlie.
Step 2: Alice and Bob repeat Steps 1 for N tot times.
Step 3: Charlie receives the incoming pairs of optical pulses, and announces whether the phase difference was successfully detected for each pair he received.For successful detections, he also announces it was in-phase or anti-phase.
Step 4: Alice and Bob disclose their label choices.Let γ c be the number of detected rounds for which both Alice and Bob select label "code".Alice concatenates the random key bits for the γ c rounds to define her sifted key.Bob defines his sifted key in the same way except that he flips all the bits for the rounds in which Charlie declared anti-phase detections.Let γ i j be the number of detected rounds for which Alice choose the label "i" and Bob choose the label "j".
Step 5: Alice announces H EC bits of syndrome of a error correction code for her sifted key to perform key reconcilation.Bob reconciles his sifted key accordingly.Alice and Bob verify the correction by comparing ζ bits univer sal 2 hashing [34] Step 6: They apply the privacy amplification to obtain final keys of length where γ sum,even denotes the upper bound on γ even and γ 2,even denotes the lower bound on γ 2,even .Evidently, Eq.( 11) is the same as Eq.( 5) except that f (γ sum,even , γ 2,even ) is replaced by f (γ sum,even , γ 2,even ).Since f (γ sum,even , γ 2,even ) ≥ f (γ sum,even , γ 2,even ), the condition holds if both γ sum,even and γ 2,even are correctly estimated.Furtherly defining an extra failure probability of estimation of γ 2,even and γ sum,even as ε err , we conclude that the security parameter of the actual protocol sec = √ 2 and = + ε err .We note that in some security proofs of QKD protocols, virtual protocol is completely as same as the actual protocol in terms of key bit and EveâĂŹs system.Indeed, we argue that this condition has been met in our proof.Note that in the virtual protocol defined in the main text, to evaluate X-basis error rate, Alice and Bob prepare τ µ 0 ,even , τ µ 0 ,odd , τ µ 1 ,even , τ µ 1 ,odd , τ µ 2 ,even , τ µ 2 ,odd with probabilities p 2 0 p µ 0 ,even , p 2 0 p µ 0 ,odd , p 2 1 p µ 1 ,even , p 2 1 p µ 1 ,odd , p 2 2 p µ 2 ,even , p 2 2 p µ 2 ,even ,respectively.For instance, recall that p µ 1 ,even τ µ 1 ,even + p µ 1 ,odd τ µ 1 ,odd = τ µ 0 ,which means that virtual protocol can be viewed as preparing phase-randomized coherent state τ µ 0 .As a result we could describe the virtual protocol in an equivalent way, i.e. protocol2, which is Alice and Bob preparing τ µ 0 , τ µ 1 , τ µ 2 with probabilities p 2 0 , p 2 1 , p 2 2 respectively.From the view of Eve, there is no difference between virtual protocol and protocol2.And Alice and BobâĂŹs key bits are also same because the code modes in virtual protocol and protocol2.The only challenge is that Alice and Bob cannot directly observe the clicks of τ µ 0 ,even , τ µ 0 ,odd , τ µ 1 ,even , τ µ 1 ,odd , τ µ 2 ,even , τ µ 2 ,odd in the protocol2.
Fortunately, we can resort to decoy states, i.e. introducingτ µ 3 , τ µ 4 , • • • Note that by far we do not assume that p 2 c + p 2 0 + p 2 1 + p 2 2 = 1.Thus we could assume Alice and Bob additionally prepare τ µ 3 , τ µ 4 , • • • with probabilities p 2 3 , p 2 4 , • • • in above virtual protocol and protocol2.Now, the protocol2 here is just the actual protocol defined in the main text.Introducing τ µ 3 , τ µ 4 , • • • is obviously useless in the virtual protocol, then we return to the virtual protocol defined in the main text.
To calculate the final key length, a simple method of computing Γ and Λ from (p 0 , p 1 , µ, µ 0 , µ 1 , µ 2 ) is given in Appendix A. What's more, using linear program, one can get γ sum,even and γ 2,even with a failure probability no larger than ε err .For simplicity, we just consider how to calculate γ sum,even and γ 2,even in the case of four test states whose intensities are {µ 0 , µ 1 , µ 2 , µ 3 }.
The method of computing γ sum,even and γ 2,even with linear programming is showed below.Indeed the variable γ sum,even can be written as and the variable γ 2,even can be written as where the variable N µµ j,2k−j denote the number of detected events in which the users sent (j,2k-j) photons and both selected intensity µ.For estimating the upper bound of γ sum,even , we divide this variable into two parts according to the value of k.As for the part where k ≤ 2, which can be denoted as 2 k=0 2k j=0 (N µ 0 µ 0 j,2k−j + N µ 1 µ 1 j,2k−j ) ,its bound can be calculated with the method in Ref. [35] Clearly, variables N , one can get its upper bound using linear programming listed in the Supplementary Note 2 of Ref. [35].As for the part k ≥ 3, We use the Eq(34) in Ref. [36] to get the upper bound of it from the the expected number of As for the estimation of the lower bound of γ 2,even , we also divide it into two parts according to the value of k, for the part where k ≤ 2, we get its lower with the same method as that of γ sum,even , for the part where k ≥ 3, we set its lower bound as 0. we denote the total failure probability of estimation of γ sum,even and γ 2,even as ε err = 2.60e − 20.
Based on the method given above, we simulate the secret key rate G/N tot as a function of distance L between Alice and Bob when the total number of test states is four.The parameters used in simulation are listed below.We set the intensity µ 0 =5e-4 in the test mode and the parameters (µ 1 , µ 2 , µ 3 , p c , p 0 , p 1 , p 2 , p 3 ) are optimized for each distance.The simulate result is listed in table II.Note that we set ζ =32 which makes the protocol is cor = 2 −32 -cor, while setting ζ = 2 −69 , = 2 −69 and ε err = 2.60e − 20 make the protocol is sct = √ 2 ( + ε err ) + 2 −ζ -sct.Finally, all these parameters make the protocol to be sec = cor + sct = 4.6084e − 10-sec.For comparison, we also simulate the secret key rate of Ref. [32]  As shown in table II and III,those key rates in red in table II is higher than those in table III which show that the secret key rates of our protocol are obviously higher than those of Ref. [32], if the pulse number N tot is larger than 10 13 or the channel distance is short (typically shorter than 200km), which corresponds to the cases that the length of sifted key bits is large.The main reason for this is that we need more test states and linear program to estimate more parameters than the the case in Ref. [32], which leads to our method is more sensitive to statistical fluctuations.

conclusion
Inspired by the idea of operator dominance condition, we propose a generalized operator inequality.Unlike the original one which is only applicable in three decoy states case, the proposed method allows that Alice and Bob use any number of decoy states in the test mode to improve the secret Table 3.The secret key rate (per pulse) computed by the method in Ref. [32].
key rate.Additionally, since the proposed operator inequality consists of even photon-number states, a more effective approximate of the quantum state ρ even is made.As a result, higher secret key rate in TF-QKD is obtained in both infinite and finite key regions with considerable key length.Our method can be directly adapted implementations of TF-QKD.

Fig. 1 .
Fig. 1.Illustration of NPP-TFQKD protocol, Alice and Bob generate their raw key from the rounds in which they both select the code mode and Charlie declares a successful detection .They encode their key bits in the phase of their coherent states.When the coherent states are in-phase (anti-phase), Charlie's 50:50 beam splitter interference should cause a click in left(right) detector.Theses phase-randomized coherent states in the test mode are only used to monitor the amount of leak.
"1 odd ": Alice and Bob send a joint quantum state τ µ 1 ,odd to Charlie."2 even ": Alice and Bob send a joint quantum state τ µ 2 ,even to Charlie."2 odd ": Alice and Bob send a joint quantum state τ µ 2 ,odd to Charlie.

Table 1 .
with the same parameters, and present the result in table III.List of parameters uesd in the numerical simulations.Here, e m is lossindependent misalignment error.p d is dark counting probability.ξ is fiber loss.η d denotes detection efficiency.f is error-correction efficiency.sec show that actual protocol is sec -secure

Table 2 .
The secret key rate (per pulse) computed by our method.The key rates in red are higher than the corresponding ones in TableIII.