Simple security proof of coherent-one-way quantum key distribution

Coherent-one-way quantum key distribution (COW-QKD), which requires a simple experimental setup and has the ability to withstand photon-number-splitting attacks, has been not only experimentally implemented but also commercially applied. However, recent studies have shown that the current COW-QKD system is insecure and can only distribute secret keys safely within 20 km of the optical fiber length. In this study, we propose a practical implementation of COW-QKD by adding a two-pulse vacuum state as a new decoy sequence. This proposal maintains the original experimental setup as well as the simplicity of its implementation. Utilizing detailed observations on the monitoring line to provide an analytical upper bound on the phase error rate, we provide a high-performance COW-QKD asymptotically secure against coherent attacks. This ensures the availability of COW-QKD within 100 km and establishes theoretical foundations for further applications.

Coherent-one-way quantum key distribution (COW-QKD), which requires a simple experimental setup and has the ability to withstand photon-number-splitting attacks, has been not only experimentally implemented but also commercially applied. However, recent studies have shown that the current COW-QKD system is insecure and can only distribute secret keys safely within 20 km of the optical fiber length. In this study, we propose a practical implementation of COW-QKD by adding a two-pulse vacuum state as a new decoy sequence. This proposal maintains the original experimental setup as well as the simplicity of its implementation. Utilizing detailed observations on the monitoring line to provide an analytical upper bound on the phase error rate, we provide a high-performance COW-QKD asymptotically secure against coherent attacks. This ensures the availability of COW-QKD within 100 km and establishes theoretical foundations for further applications.
As a type of distributed-phase-reference protocol, coherent-one-way (COW) QKD [30] has received considerable attention because of its simple and convenient experimental implementation [32][33][34][35][36][37][38][39], which has been deployed in practical quantum communication networks [40,41]. Considering the restricted types of collective attacks [42], the key rate depends linearly on the transmittance η. Additionally, a variant of COW-QKD with a security proof against general attacks was proposed in 2012 [43], and the resulting key rate "appears to" be of order O(η 2 ). To date, all COW-QKD experiments [34,[36][37][38][39], including long-distance experiments * Electronic address: hlyin@nju.edu.cn † Electronic address: zbchen@nju.edu.cn [35,44], still employ the original security proof [42] in which the key rate is of order O(η). These experimental results demonstrate the practicability and potential of COW-QKD. However, the so called "zero-error attack" [45,46] involves eavesdropping without breaking the coherence between adjacent non-vacuum pulses (no bit error). Consequently, COW-QKD is insecure if the key rate scales as O(η); in fact, the given attack restricts the secure key rate scaling to slightly higher than η 2 . Recently, a novel security proof using semidefinite programming techniques [47] showed that the transmission distance of COW-QKD using active basis choice is only 20 km. Thus, extending the secure transmission distance of COW-QKD has become an urgent issue.
In this study, we propose a practical implementation of COW-QKD and provide a security proof with precise phase error rate estimation. This proposal keeps all the experimental equipment of the original version unchanged and maintains its ease of implementation. With detailed observations on the monitoring line, we estimate the upper bound on the phase error rate instead of only checking the coherence between adjacent nonvacuum states. We show that the lower bound of the key rate is 0.005η 2 , while ensuring the security within 100 kilometers. It is worth mentioning that our secure lower bound for the key rate is approximately 10 times higher than the key rate given by the COW-QKD variant in Ref. [43], considering that we effectively evaluated the impact of the vacuum states and provided an analytical expression.
The pulses are then transmitted to the receiver, Bob, through a quantum channel characterized by η. Bob employs an asymmetric beam-splitter with a transmission coefficient t B (passive basis choice) to split the incoming pulses into the data line and the monitoring line. We note that Bob can also use an optical switch (active basis choice) instead of the beam-splitter. On the data line, Bob obtains the raw key by measuring the arrival time of each pair of pulses using detector D T . On the monitoring line, Bob checks the coherence between adjacent nonvacuum pulses by observing the measurement outcome of a Mach-Zehnder interferometer with two detectors, D M0 and D M1 . Information leakage can be detected by broken coherence, which can be reflected by the visibility is the probability that the detector D M0 (D M1 ) clicks. Alice and Bob also use a random subset of data on the data line to test the bit error rate E b . The security proof and secure key rate of COW-QKD are provided based on these two parameters, E b and V [42].
Nevertheless, recent studies introduced the so-called zero-error attack [45,46]. On the one hand, since the signals sent by Alice are linearly independent, Eve can adopt an unambiguous state discrimination measurement to distinguish each signal sent by Alice without introducing error on the data line. On the other hand, the vacuum state in the signals naturally breaks the coherence between adjacent pulses. Taking advantage of this property, Eve can resend to Bob blocked signal sequences that preserve coherence among consecutive non-empty pulses. Thus, all the security proofs of COW-QKD, which rely on coherence analysis, appear to be unreliable.
As shown in figure 1, we propose a practical implementation of COW-QKD by adding a two-pulse vacuum state |0⟩ 2k−1 |0⟩ 2k as decoy sequence 2. When evaluating the secure key rate, Alice no longer estimates the visibility V to quantify leaked information. Instead, she calculates the gains Q Mi 0α , Q Mi α0 , Q Mi αα and Q Mi 00 (i = 0 or 1) to estimate the phase error rate, where the superscript M i represents the clicking detector D Mi on the monitoring line announced by Bob, the subscript refers to the corresponding sequence |0⟩ 2k−1 |α⟩ 2k , |α⟩ 2k−1 |0⟩ 2k , |α⟩ 2k−1 |α⟩ 2k and |0⟩ 2k−1 |0⟩ 2k sent by Alice. Here, we clarify that if multiple detectors click corresponding to every pair of states, Bob regards this event as one of these detectors clicking randomly [48,49].

III. SECURITY ANALYSIS
To provide a security proof for COW-QKD, we introduce a virtual entanglement-based protocol as follows: Here, we redefine the k-th optical modes |0 z ⟩ = |0⟩ 2k−1 |α⟩ 2k and |1 z ⟩ = |α⟩ 2k−1 |0⟩ 2k , where we omit the label k to simplify the presentation. Let |0 x ⟩ = The key rate scales linearly with 0.005η 2 when ea = 0, which is much lower than the upper bound on the secret key rate of order O(η 2 ) given in Refs. [45,46].
are the normalization factors. We introduce an ancillary qubit, where |±z⟩ and |±x⟩ are the eigenstates of the Pauli operators Z and X of the qubit, respectively. Alice prepares K pairs of entangled state where the subscript A denotes the ancillary qubit maintained by Alice, and A ′ represents the optical mode sent to Bob. Alice randomly measures the ancillary qubit in the Z or X basis and then acquires the raw keysZ A from the Z basis andX A from the X basis. Then, she sends optical modes to Bob in an insecure quantum channel. Similar to the practical COW protocol, the optical modes are detected randomly on the data or monitoring line. When observing that the detector D T clicks at the previous moment T 0 (the latter moment T 1 ), Bob records the bit value 0 (1) as the raw key inZ B . In addition, the raw keyX B is obtained by Bob observing the monitoring line. A detector D M0 (D M1 ) click denotes a bit value of 0 (1).
Let H ϵ min Z A |E be the smooth min-entropy characterizing the average probability that Eve guessesZ A correctly using the optimal strategy with access to the correlations stored in her quantum memory [50]. Let h(a) = −a log 2 a−(1−a) log 2 (1−a), and the size ofZ A as n z .X ′ A is the bit string that Alice would have obtained if she had measured in the X basis in virtual protocol, which is actually measured in the Z basis. Therefore, we have a smooth max-entropy H ϵ max X ′ A |B ≤ n z h(E x ) in the asymptotic limit, where E x is the bit error rate in the X basis. By exploiting the uncertainty relation method for smooth entropies [52], the asymptotic secure key rate of the virtual entanglement-based protocol can be expressed as where 1z )/2 is the gain that Alice measures in the Z basis and Bob detects on the data line, and P z is the probability that Alice measures in the Z basis and Bob measures on the data line. Here, f denotes the efficiency of error correction and E z is the bit error rate in the Z basis. Moreover, when using the entropic uncertainty relation, the signals detected by Bob's device should be independent of Alice and Bob's basis choices [53]. This requirement can naturally be satisfied when using active basis choice [43,47], but it needs to be cautiously considered when applying the passive basis choice. Using passive basis choice, Eve can apply classical wavelength attacks [54] to partially control Bob's basis selection and cause weak basis-choice flaws. Nevertheless, the secure key rate decreases only slightly when the wavelength is carefully characterized to minimize this effect [55,56]. Recently, passive basis choice has been widely utilized in various QKD protocols [57][58][59][60][61][62][63]. In this study, using passive basis choice, we assume that the beam-splitter is not controlled by the eavesdropper and use the squashing model [48,49] in the measurement setup.
In fact, the virtual entanglement-based protocol can be converted to an equivalent prepare-and-measure nonclassical protocol, that is, Alice directly prepares optical modes rather than preparing entangled states and measuring the ancillary qubit system. When Alice chooses the Z basis, she directly sends the optical modes |0 z ⟩ and |1 z ⟩ with probability 1/2. If Alice selects the X basis, she directly sends nonclassical optical modes |0 x ⟩ and |1 x ⟩ with probabilities N + /4 and N − /4, respectively.
The above facts can be directly seen from the density matrices of the Z and X bases, which are equal in the nonclassical protocol, that is, Therefore, the bit error rate E z can be obtained directly from the observed gain as follows: where Q Tj wz represents the gain of the event that Alice sends optical mode |w z ⟩ (w = 0 or 1) and Bob obtains a click at the T j (j = 0 or 1) moment on the data line, bit error rate of the X basis is given by where Q Mi w x(z) represents the gain of the event that Alice senda optical mode |w x(z) ⟩ and Bob obtains a click with detector D Mi on the monitoring line. In the second equation, we use the relation N + Q Mi 0x + N − Q Mi 1x = 2 Q Mi 0z + Q Mi 1z , which is obtained using Eqs. (3). Let us now return to the practical COW-QKD protocol. Note that if Alice prepares the encoding sequence |0⟩ 2k−1 |α⟩ 2k or |α⟩ 2k−1 |0⟩ 2k with equal probability, the eavesdropper Eve cannot distinguish this step from the following virtual step: Alice prepares an entangled state |ψ⟩ and measures the ancillary qubit in the Z basis. Consequently, Alice's raw key is identical to Z A . The secret key rate in the asymptotic limit can be written as where Q = Q z and E b = E z are the gain and bit error rate, respectively. The phase error rate E u p is the upper bound on the average error probability [64], which Bob guesses as Alice's bit string X ′ A in the virtual entanglement-based protocol. This is equal to the upper Ref. [43] Ref. [47]   bound on the bit error rate of the X basis in the nonclassical protocol. In practice, Alice does not measure qubits in the X basis, which means that one cannot directly acquire the gains Q M0 0x and Q M1 0x in the nonclassical protocol. However, we can exploit the gains of the other quantum states |α⟩ 2k−1 |α⟩ 2k and |0⟩ 2k−1 |0⟩ 2k which can be directly attained in the COW-QKD protocol to estimate the upper bound Q M1 0x and the lower bound Q M0 0x . The phase error rate E u p can be expressed as where we use the relation for gain between the nonclassical protocol and the COW-QKD protocol, that is, Under collective attacks, we have the upper bound Q M1 0x and lower bound Q M0 0x , using the method described in Refs. [16,65]. The details can be found in Appendix A. Using Azuma's inequality [66], we remark that the security of COW-QKD can be extended against coherent attacks because the estimation of the phase-error rate will yield consistent results in the asymptotic limit. Security against coherent attacks is presented in Appendix B.

IV. NUMERICAL SIMULATION
In our simulation, we assume a dark-count rate of p d = 10 −8 and detection efficiency of η d = 80%. The correction efficiency, f , was set to 1.1. The linear lossy channel is characterized by a transmittance of η = 10 −0.02L . The transmission coefficient t B of the asymmetric beamsplitter is given by the optimization algorithm.
We present the secret key rate of COW-QKD using passive-basis choice with different misalignment errors in figure 2. Compared with η 2 and the Pirandola-Laurenza-Ottaviani-Banchi bound (PLOB bound) [67,68] (R PLOB = − log 2 (1 − η)), the lower bound on the key rate scales is of the order of O(η 2 ), which is consistent with the result in Ref. [45]. The secret key can still be transmitted over 100 km through the optical fiber when misalignment error e a = 0. The secret key rate using active basis choice on the receiving side is also considered. The numerical results of the secret key rate using passive basis choice and active basis choice are presented in figure 3. Figure 3 also presents the upper bound on the phase error rate E u P using active basis choice. In figure 4, we show the key rate of the nonclassical protocol using passive basis choice. Comparing the results of the nonclassical protocol with the decoy-state BB84 protocol [22,23] and the PLOB bound [67,68], we find that the nonclassical protocol also achieves the key rate of order O(η).
Additionally, we compare the COW-QKD of this study with the variants of COW-QKD [43,47] in figure 5. The variant in Ref. [43] is considered in the case where all different 3-signal blocks (including 6 optical pulses) share the same phase and Bob applies the active basis choice setup. The variant in Ref. [47] is considered in the case where the decoy sequence keeps the original setting as |α⟩ 2k−1 |α⟩ 2k . In figure 5, the dark count rate p d is set to 10 −7 and the detection efficiency η d is set to 99%. The results reveal that the lower bound on the key rate for the COW-QKD using passive basis choice and active basis choice are both tighter than the result given by the variant in Ref. [43]. The secure key distribution in this work also achieves a longer transmittance distance compared with the variant in Ref. [47]. We also almost maintain the original setting of the COW protocol. Table I summarizes the performance of this study with the variants of the COW-QKD protocol [43,47]. The asymptotic security of all these COW-typed QKD protocols has been proven against coherent attacks. Compared with this work, the variant of COW-QKD in Ref. [43] also extends the secure key distribution over 90 km using active basis choice; however, it changed the original protocol a lot (coding with m-signal blocks). The variant in Ref. [47] almost maintains the setting of the original COW protocol as in this work. However, its secret keys can only be distributed within 20 km using active basis choice (Here, we consider the variant protocol in Ref. [47], maintaining the original COW-QKD decoy sequence |α⟩ 2k−1 |α⟩ 2k ). Our work using passive basis choice also shows good performance, which is presented in parentheses.

V. CONCLUSION
In this study, we provide an asymptotic security proof for the practical implementation of COW-QKD under coherent attacks and derive the lower bound on the secure key rate. The security proof no longer relies on coherence between adjacent pulses to detect eavesdrop-ping. Instead, we sort the observed quantities to estimate the upper bound on the phase error rate. Our result is tighter than the lower bound on the key rate of the variant COW-QKD [43] because we calculate the component of the vacuum states more carefully. Maintaining all current experimental apparatus and techniques, we extend the secure key distribution to 100 km, which paves the way for the secure implementation of COW-QKD.

Acknowledgments
We thank Charles Ci Wen Lim, Nicolas Gisin, and Ignatius William Primaatmaja for enlightening the discussions and making the security proof of this work more rigorous. We thank Amine Iggidr for helping us find and correct an incorrect expression c5 given in appendix A of the previous version. We gratefully acknowledge support from National Natural Science Foun Here, we first consider the case in which Bob applies a passive basis choice to distribute incoming pulses into the data and monitoring lines. The gain of the state |ϕ⟩ heralded by detector D Mi (i = 0 or 1) clicking can be given by whereM i is the Kraus operator corresponding to detector D Mi . In the nonclassical protocol, the gains of the states |0 z ⟩ and |1 z ⟩ detected by detector D Mi on the monitoring line, that is, Q Mi 0z and Q Mi 1z , can be written as where the parameters c2 In the COW protocol, because the nonclassical state |0 x ⟩ cannot be acquired, we cannot directly estimate the gain Q Mi 0x = ⟨0 x |M + iM i |0 x ⟩. We express |0 x ⟩ using the states |0, 0⟩, |α, α⟩, and |β, β⟩ as follows: where the state |β⟩ = (|α⟩ − e −µ/2 |0⟩)/ √ 1 − e −µ denotes the normalized non-vacuum part of the state |α⟩. The pairs of states |0, 0⟩ and |α, α⟩ correspond to decoy sequences sent by Alice. Thus, we can rewrite the gain Q Mi 0x as where, |ϕ l ⟩ , |ϕ k ⟩ ∈ {|0, 0⟩ , |α, α⟩ , |β, β⟩}, s l , and s k are the corresponding state coefficients in Eq. (A2). By utilizing the Cauchy inequality [16,65], we have that Combining this result with the limit 0 ≤ ⟨β, β|M + iM i |β, β⟩ ≤ 1, the upper bound for Q M1 0x and the lower bound for Q M0 0x can be expressed as Here, the gains of state |α⟩ 2k−1 |α⟩ 2k on the monitoring line are Q M0 αα = (1 − p d ) Here, we extend the security of COW-QKD against coherent attacks. We consider a process in which a pair of states is sent at two time points, 2k − 1 and 2k (k = 1, 2, . . . , K) as one round, and the entire process of the COW protocol is performed by repeating this round K times. Following a similar security analysis as in the main text, we assume an equivalent prepare-andmeasure nonclassical protocol. Let the Kraus operator M l i correspond to the announcement of detector D Mi associated with the l-th round (l = 1, 2, . . . , K). We denote the probability of the event that Alice decides to send the nonclassical optical mode |0 x ⟩ as p 0x . For any arbitrary small quantity ϵ ≥ 0, according to Azuma's inequality [66], we have that corresponds to the probability that the nonclassical optical mode |0 x ⟩ is detected by the detector D Mi on the monitoring line associated with the l-th round. N l,Mi 0x , as an observed quantity, is the actual num-ber of events that the nonclassical optical mode |0 x ⟩ sent by Alice is detected by the detector D Mi on the monitoring line. When K tends to infinity in the asymptotic limit, we can deduce from Eq. (B1) that Here, Q l,Mi 0x satisfies Eq. (A5), and all gains of the COW-QKD protocol in Eq. (A5) are associated with the l-th round (which corresponds to the condition of the security proof against collective attacks). Combining this result with the upper bound on the phase error rate derived from Eq. (7) in the main text, we find that the estimation result of the phase error rate is consistent in the asymptotic limit when considering collective and coherent attacks. Thus, the asymptotic security of COW-QKD against coherent attacks is proven.