Unbalanced-basis-misalignment tolerant measurement-device-independent quantum key distribution

Measurement-device-independent quantum key distribution (MDIQKD) is a revolutionary protocol since it is physically immune to all attacks on the detection side. However, the protocol still keeps the strict assumption on the source side that the four BB84 states must be perfectly prepared to ensure security. Some protocols release part of the assumptions in the encoding system to keep the practical security, but the performance would be dramatically reduced. In this work, we present an MDIQKD protocol that requires less knowledge of the encoding system to combat the troublesome modulation errors and fluctuations. We have also experimentally demonstrated the protocol. The result indicates high performance and good security for practical applications. Besides, its robustness and flexibility exhibit a good value for complex scenarios such as QKD networks.


INTRODUCTION
Quantum key distribution (QKD) [1] allows two remote users, called Alice and Bob, to share secret random keys because of the information-theoretical security guaranteed by principles of quantum physics [2][3][4][5][6], even if there is an eavesdropper, Eve. Unfortunately, practical QKD systems still suffer from troublesome attacks [7][8][9][10][11] rooted in the gaps between theoretical models and practical setups. The device-independent quantum key distribution (DIQKD) [12] is intrinsically immune to all side-channel attacks but not practically usable due to its exorbitant demand for the detection efficiency and channel loss. As an alternative, some protocols [13,14] are proposed to remove all side-channels on the vulnerable detection side. The measurement-device-independent quantum key distribution (MDIQKD) [14] is naturally immune to all detection-side-channel attacks [7][8][9] while maintaining a comparable performance [15,16] to the regular prepare-and-measure QKD systems. The MDIQKD has received extensive attention since it is a perfect balance between security and practicality.
The good properties of the MDIQKD have aroused widespread interest in recent years [15][16][17][18][19][20][21][22][23][24][25][26]. However, a fly in the ointment is that the security of the MDIQKD relies on an assumption that Alice and Bob can fully control their source side and perfectly prepare the four ideal BB84 states [1,27], which still impedes the unconditional security and hinders the practical application. In practical systems, the preparation of the four states usually relies on accurate modulation [15,16][28][29][30][31], which is still a great challenge due to the unbalanced path-loss of interferometers [27], the limited precision of modulation signals, insufficient system bandwidth, errors in calibration, and impacts of environments [32][33][34][35]. When the prepared states in MDIQKD are non-ideal BB84 states, the users cannot accurately estimate the information leakage anymore since the important security assumption that "the density matrices of Z and X bases should be indistinguishable" is broken. Indeed, the encoders can be calibrated in advance, but the cumbersome calibrations would unavoidably increase the experimental difficulty. Besides, it may introduce additional loopholes [36].
Some security proofs [27][37][38][39][40][41][42][43][44][45][46][47][48][49] successfully remove part of the demands in the coding system and greatly improve the practical security of the MDIQKD. However, some of them over-pessimistically estimate the information-leakage bound so that the protocol performance would dramatically decrease with the misalignment [27][38][39][40][41]. Some other proofs require additional information about the maximum misalignment [42,43,49] or previously characterizing the states [46][47][48], which may increase the experimental complexity. To promote the practical application, in this work, we propose an MDIQKD protocol whose source-side restrictions are greatly reduced. In this protocol, the users prepare a general Z basis and a "simplified X basis" that could be "unbalanced", which is a common scenario in practical time-bin phase coding systems. The protocol has an invariable high performance against the X-basis imbalances, and maintains its security even if the phase reference frame between the two users is misaligned [50,51], the prepared states of the "X basis" are mixed states, and the prepared states of the Z basis are also misaligned.
In this work, we first introduce our protocol with the ideal single-photon sources. After that, an improved analysis is proposed for the scenarios in which the states in the Z basis are not pure. To make our protocol practically useful with the existing weak coherent sources, the decoy-state method [52][53][54] is also designed and a joint-study method [55][56][57] against the statistical fluctuation [58][59][60][61][62] is proposed. Finally, we built a time-bin phase coding MDIQKD system to experimentally demonstrate this protocol in the non-asymptotic cases. The 25 MHz system ran continuously to accumulate sufficient data in several scenarios with different imbalances. The results indicate that the protocol can tolerate large imbalances and confirm its security and feasibility for simplifying the experimental system, which would be promising for practical application and network scenarios. The details of security proofs against the collective attack and the parameter estimations can be found in the Supplemental Material.

SINGLE-PHOTON PROTOCOL
In the original MDIQKD, the four BB84 states, in other words, $|0\rangle$ and $|1\rangle$ as the Z basis, $|+\rangle = \frac{\sqrt{2}}{2}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{\sqrt{2}}{2}(|0\rangle - |1\rangle)$ as the X basis, are required [14]. Our protocol reduces the demands so that Alice and Bob can prepare an unbalanced "X basis" that satisfies where $|\phi_2\rangle$ and $|\phi_3\rangle$ ($|\phi'_2\rangle$ and $|\phi'_3\rangle$) correspond to Alice's (Bob's) original $|+\rangle$ and $|-\rangle$ respectively, and $\theta$ denotes the phase-reference frame misalignment [50,51] between the two users. We use $\beta$ ($\beta'$) to describe the imbalance misalignment of Alice (Bob), with the positive real coefficients $c_0 = \cos(45^\circ + \beta)$ and $c_1 = \sin(45^\circ + \beta)$ ($c'_0 = \cos(45^\circ + \beta')$ and $c'_1 = \sin(45^\circ + \beta')$) respectively, where $\beta \in (-45^\circ, 45^\circ)$. The protocol has an invariant high performance with different $\beta$, and maintains its security when the reference-frame misalignment $\theta \neq 0$ and the states in the "X basis" are not pure due to modulation fluctuations. As a matter of fact, the prepared mixed states in the "X basis" can be regarded as uncharacterized $|\phi_2\rangle$ and $|\phi_3\rangle$ in Eq.(1). The details of the proof can be found in the Supplemental Material. In each turn, Alice (Bob) randomly selects one of the four states and sends it to untrusted Charlie to perform a measurement. Charlie publicly announces whether he has measured a successful event. If Charlie is honest, he should do the Bell state measurement (BSM) and announce the $|01\rangle - e^{i\theta}|10\rangle$. Charlie may not perform the required measurement because he is unreliable and $\theta$ is an unknown value, but the property of the MDIQKD guarantees the protocol security and an appropriate $\theta$ can maximize the secret key rate.

2. Measurement: Charlie projects his received pulse pair to the Bell state $|\psi^-\rangle = \frac{1}{\sqrt{2}}(|0\rangle|1\rangle + e^{-i\theta}|1\rangle|0\rangle)$ and publicly announces success or failure in each turn. Alice and Bob generate their raw key bits according to Charlie's announcement.

3. Sifting: After the above trial has been repeated enough times, Alice and Bob publicly announce their basis for each turn. If both of them select the code basis, they keep the raw key bit. Otherwise the raw key bit is discarded. The remaining raw key bits are named sifted key bits.

4. Parameter estimation: By sacrificing some of the data for public discussion, users estimate the single-photon yield $q_{nm}$. According to the $q_{nm}$, the users estimate the bit and phase error rate.

5. Error correction and security amplification: According to the above estimated parameters, Alice and Bob perform the error correction and security amplification to generate the secret key bits.
According to the announcement of success or failure, Alice and Bob record or discard the data. When the users have accumulated sufficient data, they sacrifice some of the data for public discussion to estimate the $q_{nm}$, which is defined as the yield when Alice codes $|\phi_n\rangle$ and Bob codes $|\phi'_m\rangle$. In particular, when both Alice and Bob select the Z basis, the raw key bits are generated according to the data. Other data are used in parameter estimations. The positive real coefficients $c_0$, $c_1$, $c'_0$, $c'_1$ can be accurately calculated by

$$c_0 = \sqrt{\frac{q_{10}q_{T1} - q_{11}q_{T0}}{q_{01}q_{10} - q_{00}q_{11}}}, \quad c_1 = \sqrt{\frac{q_{01}q_{T0} - q_{00}q_{T1}}{q_{01}q_{10} - q_{11}q_{00}}}, \quad c'_0 = \sqrt{\frac{q_{01}q_{1T} - q_{11}q_{0T}}{q_{01}q_{10} - q_{00}q_{11}}}, \quad c'_1 = \sqrt{\frac{q_{10}q_{0T} - q_{00}q_{1T}}{q_{01}q_{10} - q_{11}q_{00}}},$$

where $q_{Tm} = \frac{q_{2m}+q_{3m}}{2}$, $q_{nT} = \frac{q_{n2}+q_{n3}}{2}$ ($n, m \in \{0, 1\}$). The information leakage is bounded by $H(e_p)$, where $H(x) = -x\log_2(x) - (1-x)\log_2(1-x)$ denotes the binary Shannon entropy function and $e_p$ is the phase error rate of the Z basis, which is described as which is invariant as long as the relation in Eq.(1) is met. In other words, Eve's information can be precisely bounded even if the "X basis" is unbalanced. We note that the $e_p$ would jump to 0.5 in several extreme cases in which the four quantum states are not different from each other (see the Supplemental Material for more details). The secret key rate (SKR) is described by the Shor-Preskill formula [3] where $q_C = (q_{00} + q_{01} + q_{10} + q_{11})/4$ denotes the yield when Alice and Bob both select the Z basis, and $e_b = (q_{00} + q_{11})/(q_{00} + q_{01} + q_{10} + q_{11})$ denotes the bit error rate when both of the users select the Z basis.
To demonstrate the property against the imbalance misalignment, we simulated our single-photon protocol and several ideal single-photon uncharacterized-qubits MDIQKDs [39,40]. As illustrated in Fig. 1, the performance of the uncharacterized-qubits MDIQKDs decays with the increasing $\beta$ ($\beta'$); in contrast, the performance of our protocol is invariant.
The protocol procedure is described in the Box. In contrast, the performance of our protocol is nearly a constant value before approaching the extreme point that $\beta = 45^\circ$. The simulation parameters are $P_d = 3 \times 10^{-6}$ (dark count rate), $P_\eta = 20\%$ (detection efficiency), and the transmission loss is 20 dB.
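The parameter estimation of the single-photon protocol can be exercised numerically, as an added example that is not the authors' code: it recovers $c_0, c_1, c'_0, c'_1$ from yields alone and evaluates the phase error by combining the $e_p$ definition with the test-basis yield identity given in the security-proof section. The channel model (Charlie as a noisy singlet projector with efficiency `eta`, an uncompensated frame phase `delta` placed on Bob's test states), all function names, and the standard Shor-Preskill form $q_C[1 - H(e_b) - H(e_p)]$ are assumptions of this example.

```python
import math


def prepared_states(beta_deg, phase=0.0):
    """[|0>, |1>, |phi_2>, |phi_3>] as (amp0, amp1) for imbalance beta (degrees)."""
    c0 = math.cos(math.radians(45 + beta_deg))
    c1 = math.sin(math.radians(45 + beta_deg))
    e = complex(math.cos(phase), math.sin(phase))
    return [(1, 0), (0, 1), (c0, c1 * e), (c0, -c1 * e)]


def simulate_yields(beta_a, beta_b, delta=0.0, noise=0.02, eta=1e-3):
    """Constructed channel: Charlie's success element is
    eta * ((1 - noise) |psi-><psi-| + noise * I/4).
    delta is a frame phase on Bob's test states that Charlie does not compensate.
    Returns q[n][m], the yield when Alice sends state n and Bob sends state m."""
    alice = prepared_states(beta_a)
    bob = prepared_states(beta_b, delta)
    q = [[0.0] * 4 for _ in range(4)]
    for n, (a0, a1) in enumerate(alice):
        for m, (b0, b1) in enumerate(bob):
            amp = (a0 * b1 - a1 * b0) / math.sqrt(2)  # <psi-|phi_n, phi'_m>
            q[n][m] = eta * ((1 - noise) * abs(amp) ** 2 + noise / 4)
    return q


def h2(x):
    """Binary Shannon entropy H(x)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def estimate(q):
    """Parameter estimation from the yields only; beta and delta are never used."""
    q_Tm = [(q[2][m] + q[3][m]) / 2 for m in (0, 1)]   # Alice in test basis
    q_nT = [(q[n][2] + q[n][3]) / 2 for n in (0, 1)]   # Bob in test basis
    det = q[0][1] * q[1][0] - q[0][0] * q[1][1]
    if abs(det) <= 1e-12 * (q[0][1] * q[1][0] + q[0][0] * q[1][1]):
        raise ValueError("code-basis yields are degenerate; coefficients undefined")
    squares = {
        "c0": (q[1][0] * q_Tm[1] - q[1][1] * q_Tm[0]) / det,
        "c1": (q[0][1] * q_Tm[0] - q[0][0] * q_Tm[1]) / det,
        "c0p": (q[0][1] * q_nT[1] - q[1][1] * q_nT[0]) / det,
        "c1p": (q[1][0] * q_nT[0] - q[0][0] * q_nT[1]) / det,
    }
    if min(squares.values()) <= 0:
        raise ValueError("yields are inconsistent with an unbalanced test basis")
    out = {name: math.sqrt(val) for name, val in squares.items()}

    total = q[0][0] + q[0][1] + q[1][0] + q[1][1]
    out["e_b"] = (q[0][0] + q[1][1]) / total
    # Test-basis identity: (q22 + q33) - (q23 + q32) = 8 c0 c0' c1 c1' * (e_p - 1/2) * total
    diff = (q[2][2] + q[3][3]) - (q[2][3] + q[3][2])
    e_p = 0.5 + diff / (8 * out["c0"] * out["c0p"] * out["c1"] * out["c1p"] * total)
    out["e_p"] = min(max(e_p, 0.0), 0.5)  # clamp conservatively into [0, 1/2]
    # Assumed standard Shor-Preskill rate with q_C = total / 4.
    out["rate"] = max(0.0, (total / 4) * (1 - h2(out["e_b"]) - h2(out["e_p"])))
    return out


if __name__ == "__main__":
    for beta_a, beta_b, delta in [(0, 0, 0.0), (30, -25, 0.0), (30, -25, math.pi / 3)]:
        r = estimate(simulate_yields(beta_a, beta_b, delta))
        print(beta_a, beta_b, round(delta, 3),
              {k: round(v, 6) for k, v in r.items()})
```

With `delta = 0` the estimated phase error and rate are the same for every imbalance, while an uncompensated `delta` raises the estimated phase error and lowers the rate.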

PROTOCOL WITH MIXED STATES
In practical systems, the prepared states could be mixed states due to the modulation fluctuations. Our protocol can maintain its security in these mixed-state cases and we prove this property in two steps.
test basis: We first consider the scenario in which the test basis is not pure. Here we only introduce our key idea and the details of the proof are in the Supplemental Material. Our key idea is proving that the mixed states in our test basis are equivalent to the uncharacterized states $|\phi_2\rangle$ and $|\phi_3\rangle$ with Eve's operation in the quantum channel.
We take Alice as an example. Due to the modulation fluctuations, the misalignment $\beta$ is not a fixed value but follows a random distribution with probability density function $P(\beta)$. The test basis can be described as mixed states where $\sigma_Z$ and $\sigma^\theta_X$ are Pauli matrices, $I$ is the identity matrix, and $\hat{S}_Z$ ($\hat{S}_X$) denotes the Z (X) component of the prepared state in the Bloch sphere. The prepared state is a pure state if $\hat{S}_Z^2 + \hat{S}_X^2 = 1$ and a mixed state if $\hat{S}_Z^2 + \hat{S}_X^2 < 1$. Defining Eve's operation which satisfies The $\varepsilon$ can be intuitively regarded as Eve doing nothing with the probability $\lambda_0$ and performing the $\sigma_Z$-operation with the probability $\lambda_1$. We can find that the $\varepsilon$ satisfies So the protocol security in the case that the test basis has modulation fluctuation equals the security in the case that the users prepare pure states $|0\rangle$, $|1\rangle$ and uncharacterized $|\phi_2\rangle$, $|\phi_3\rangle$ while Eve performs $\varepsilon$ in the quantum channel. Noting that the operations in the quantum channel have nothing to do with security, we can claim that our protocol is secure in this scenario.
code basis: The code basis is usually well-aligned in practical time-bin phase coding systems so that the pure-state protocol is enough for most cases. However, if the Z basis is out of control due to the modulation error and fluctuation, we should consider an improved analysis. Here we still only introduce our key idea and leave the details in our Supplemental Material.
In this scenario, when Alice wants to prepare $|0\rangle$ ($|1\rangle$), she actually randomly prepares $\cos(\beta_0)|0\rangle + e^{i\theta}\sin(\beta_0)|1\rangle$ or $\cos(\beta_0)|0\rangle - e^{i\theta}\sin(\beta_0)|1\rangle$ ($\sin(\beta_1)|0\rangle + e^{i\theta}\cos(\beta_1)|1\rangle$ or $\sin(\beta_1)|0\rangle - e^{i\theta}\cos(\beta_1)|1\rangle$), where the randomness of "+" and "−" derives from Alice's random modulation of 0 or $\pi$ relative phase between the two time bins when selecting the code basis. Besides, because of the modulation fluctuations, the misalignments $\beta_0$ and $\beta_1$ are not fixed values but follow random distributions with probability density functions $P_0(\beta_0)$ and $P_1(\beta_1)$ respectively. In other words, Alice actually prepares mixed states The $\xi$ and $\zeta$ are defined as the misalignment errors of Alice's $|0\rangle$ and $|1\rangle$ respectively. Similarly, Bob's $|0\rangle$ and $|1\rangle$ are changed to respectively, and the $\xi'$ and $\zeta'$ are misalignment errors of Bob's $|0\rangle$ and $|1\rangle$ respectively. In the mixed-state scenario, the observable values are the mixed-state yields $y_{nm}$ rather than $q_{nm}$. Our key idea is bounding the pure-state yields $q_{nm}$ by the observed $y_{nm}$ and the lower and upper bounds of the Z-basis misalignments, namely, the $\upsilon^L$ and $\upsilon^U$ where $\upsilon \in \{\xi, \zeta, \xi', \zeta'\}$. Indeed, the misalignment errors are unknown values but their lower and upper bounds can be estimated by prior calibration or be monitored by inserting a local single-photon detector (similar to the monitor SPD-Moni in Fig.4). Once the $q_{nm}$ is bounded, the phase error $e_p$ can be estimated similarly to the pure-state case.
We have also analyzed the decoy-state method and the statistical fluctuation for the mixed-state scenarios. The details are also in our Supplemental Material.

PROTOCOL WITH DECOY-STATE METHOD
The above protocol is based on ideal single-photon sources, which are still not practically available. So we propose a four-intensity decoy-state method to connect the theory with practice. In this section we only analyze the asymptotic case in which the data size is infinite; the non-asymptotic case, which considers the statistical fluctuation [58], is introduced in the Supplemental Material.
In our method, Alice (Bob) prepares a phase-randomized weak coherent pulse and randomly selects an intensity $l$ ($r$) from a pre-decided set $\{\mu, \nu, \omega, o\}$ ($\{\mu', \nu', \omega', o\}$), where the $\mu$ ($\mu'$) is defined as the signal state and the others are defined as decoy states. In particular, $o = 0$ is also named the vacuum state. If the signal state is selected, Alice (Bob) only selects the code basis. If other intensities are selected, they prepare the four quantum states just like in the single-photon protocol. Alice and Bob record their data according to Charlie's announcement and sacrifice some of them for estimating the gains. They should publicly announce which intensity is selected. If both of them select the signal state, the recorded data become the raw key bits. In other cases, they announce which state is selected. According to their announcement, they can calculate the gains $Q^{lr}_{nm}$, where the subscript $nm$ denotes that Alice and Bob prepare $|\phi_n\rangle$ and $|\phi'_m\rangle$ ($|\phi_0\rangle = |\phi'_0\rangle = |0\rangle$, $|\phi_1\rangle = |\phi'_1\rangle = |1\rangle$) respectively, and the superscript $lr$ denotes that Alice and Bob select intensity $l$ and $r$ respectively. With these $Q^{lr}_{nm}$, Alice and Bob can bound the single-photon yields tightly [37][52][53][54][55][56][63] so that the SKR can be described as where the $p_\mu$ and $p_{\mu'}$ denote the probability of selecting the signal state, the $a_\mu$ is the Poisson distribution probability for sending a single-photon state, the $Q^{\mu\mu'}_C$ and $E^{\mu\mu'}_C$ are the observed gain and the observed error rate of the signal-state pulse pairs respectively, $f = 1.16$ is the error correction efficiency, and the underline and overline are lower and upper bound respectively. Figure 2 shows the asymptotic SKR of the four-intensity decoy-state method. When the X basis is unbalanced, our protocol maintains an invariant result while other protocols may not work.
In particular, the plots of our protocol with different imbalances are nearly overlapping with the original MDIQKD with perfect coding, which indicates higher robustness and better practicality of our protocol. Fig. 3 shows the simulation of the unbalanced-basis-misalignment tolerance. We can find that the asymptotic secret key rate is nearly invariant and the non-asymptotic secret key rate decreases slowly, which indicates that the asymptotic $e_p$ is nearly invariant before approaching the extreme point and the non-asymptotic $e_p$ is slightly affected by the unbalanced-basis-misalignment $\beta$ (the details of the non-asymptotic cases are introduced in the Supplemental Material).
It is worth noting that the above analysis is suitable for the pure-state scenario. The analysis for the mixed-state scenario is a little different; we introduce its details in the Supplemental Material.

FIG. 2. The SKR as a function of fiber length of different decoy-state MDIQKDs in asymptotic cases. We simulated our protocol in many different combinations of $\beta$ and $\beta'$ and find that their asymptotic SKRs are nearly indistinguishable in this figure, so we only use a cyan solid line to represent our protocol with different $\beta$ and $\beta'$. As a contrast, we simulate the asymptotic SKR of the original MDIQKD (black dashed line) without any misalignment ($\beta = \beta' = 0$). We can find that in the asymptotic case, our protocol with the imbalance misalignment has the same performance as the ideal original MDIQKD. We also simulated the state-of-the-art uncharacterized-qubits MDIQKD [40,41] (dot-dash line) with different $\beta$ and $\beta'$ and use lines in different colors to denote different imbalances. red: The simulation parameters are $P_d = 3 \times 10^{-6}$, $P_\eta = 20\%$, and the fiber loss is 0.2 dB/km.

The secret key rate as a function of the misalignment $\beta$ in the "decoy-state cases". The blue line denotes the asymptotic case in which the data size is infinite. The red, yellow, and purple lines denote the SKR with the data size of $10^{13}$, $10^{12}$, $10^{11}$ respectively. The simulation parameters are $P_d = 3 \times 10^{-6}$, $P_\eta = 20\%$, the fiber length is 50 km, the fiber loss is 0.2 dB/km, and the failure probability in using the Chernoff bound [64] is $5.73 \times 10^{-7}$.

EXPERIMENTAL DEMONSTRATION
We experimentally demonstrated our protocol in the non-asymptotic cases (the parameter estimation for the non-asymptotic cases is in Supplemental Material.) As illustrated in Fig. 4, our experiment setup consists of two identical legitimate users and an untrusted relay. Each of the legitimate users employs a continuous-wave laser (Wavelength References Clarity-NLL-1542-HP) that is frequency locked to a molecular absorption line of 1542.38 nm center wavelength. Then the continuous-wave lasers are chopped [28,29,41,65] into a 500 ps temporal width pulse sequence with a 25 MHz repetition by the intensity modulator IM-1, which is driven by a homemade narrow-pulse generator. The phase modulator PM-1 next to the IM-1 actively randomizes the phase of the pulses to avoid imperfect-source attacks [66,67]. After that, the phase randomized coherent pulses are fed into the intensity modulator IM-2 to randomly modulate four different intensities for our decoy-state method. The IM-2 is driven by a homemade two-bit digital to analog converter (DAC) with a 25 Mbps bitrate, and the digital pseudo random numbers come from an FPGA-based driver board (PXIe-6547, National Instruments). Besides, when the vacuum state is selected, the IM-1 and IM-2 eliminate the pulse jointly to achieve an over 50 dB extinction ratio.
Following the IM-2, a Sagnac interferometer connected to an asymmetric-Mach-Zehnder structure (AMZS) that consists of a long and a short path is employed to modulate the four quantum states. The PM-2 in the Sagnac interferometer allows the users to modulate the interference of the Sagnac interferometer to switch the path. The constructive and destructive interference pipe the pulse into the long and short paths respectively, where the long-path case denotes the late-bin occupation $|0\rangle$ and the short-path case denotes the early-bin occupation $|1\rangle$. A medium interference would split the pulse into both of the paths to prepare a superposition of $|0\rangle$ and $|1\rangle$, so the test basis is selected in this case. In the AMZS, a phase modulator PM-3 is inserted into the short path to modulate the relative phase of the two paths. The code of the test basis is defined by the relative phase of the two paths, where 0 and $\pi$ denote the $|\phi_2\rangle$ and $|\phi_3\rangle$ respectively. The PM-2 and the PM-3 are also driven by the homemade 2-bit DAC to randomly modulate the four quantum states, where the digital random numbers also come from the FPGA-based driver board.
Finally, the pulses are attenuated to a single-photon level by an electric variable optical attenuator (EVOA) and split to two parts, one of which is measured by a local single-photon detector (SPD) (SPD-300, Qasky), and the results are recorded by the FPGA-based driver board to monitor the intensity of the four decoy-states. According to the statistical result of the local SPD, users can adjust the EVOA and compensate for the DC drift of the IM-2 to keep the stability of the decoy states. The other part is sent to Charlie through a 25 km standard fiber for the BSM.
For the measurement unit Charlie, the two pulses interfere in the beam splitter (BS) and are detected by SPD-L and SPD-S (SPD-300, Qasky) that work in the gated mode [68]. The BS and the two SPDs constitute a BSM device for projecting quantum states to the Bell state $|\psi^-\rangle$ [14]. The two SPDs, whose gate width, average efficiency, and dark count rate are 1 ns, 20.9%, and $3 \times 10^{-6}$ respectively, are triggered by 25 MHz gate signals, and the gate signals for SPD-L and SPD-S are aligned with the late-bin occupation $|0\rangle$ and early-bin occupation $|1\rangle$, respectively. The two electronic polarization controllers (EPCs) are employed to compensate for the polarization drift [28,69].
To demonstrate the imbalance tolerance, we experimentally demonstrate our protocol in three different imbalances as listed in Tab.I and calculate the secret key rate by the analysis methods for the pure-state case and the mixed-state case respectively. The system is continuously run to collect $5 \times 10^{11}$ pulse pairs for the case of each imbalance. The improved four-intensity decoy-state method against the effect of statistical fluctuation is proposed and employed for data processing (the details are in the Supplemental Material). With the improved decoy-state method, we successfully generate secret keys with the SKR of $1.10 \times 10^{-6}$, $7.37 \times 10^{-7}$, and $5.87 \times 10^{-7}$ by the "pure-state" analysis method and SKR of $8.56 \times 10^{-7}$, $6.39 \times 10^{-7}$, $3.87 \times 10^{-7}$ by the "mixed-state" analysis method. The maximum Z-basis misalignment $\upsilon^U$ for the "mixed-state" analysis is set to 1% (we note that we process the data by two different analysis methods to generate the SKR for the "pure-state" cases and the "mixed-state" cases). Figure 5 illustrates the simulation of the non-asymptotic SKRs (only including the statistical fluctuation) and shows our experiment results in the enlarged subfigure. The experiment results indicate that the protocol maintains a good performance against the unbalanced basis in the non-asymptotic cases. In non-asymptotic cases, we can find that our protocol performance is worse than the original MDIQKD and the SKR decreases with the imbalance $\beta$ and $\beta'$. The main reason is that our protocol estimates more quantities so that the impacts of the statistical fluctuations are more serious. A feasible solution for this problem is improving the decoy-state method [55][56][57][70]. Considering that our decoy-state method is primitive, the protocol performance could be further improved in following works.

FIG. 5. The main figure illustrates non-asymptotic SKRs as a function of fiber length. The black, red, and blue denote the three different imbalances as listed in Tab.I respectively. The solid lines and dashed lines denote our protocol with the pure-state scenario and the mixed-state scenario. The dotted lines denote the state-of-the-art uncharacterized-qubits MDIQKD [40] and the thin dash-dot line denotes the original MDIQKD without any imbalances. The simulation parameters are $P_d = 3 \times 10^{-6}$, $P_\eta = 20\%$, the data size $N = 5 \times 10^{11}$, the background error rate is 0.9%, the failure probability in using the Chernoff bound [64] is fixed to $5.73 \times 10^{-7}$, the fiber loss is 0.2 dB/km, and the $\upsilon^L$ and $\upsilon^U$ for the "mixed-state" analysis are 0 and 1% respectively. The enlarged subfigure shows our experiment results. The solid geometries and hollow geometries denote the results for the pure-state scenario and the mixed-state scenario respectively.

SECURITY PROOF
Pure-state scenario Alice and Bob prepare N pairs of entangled states that where the state |n A and |m B denote the ancillas of Alice and Bob respectively. P C and P T (P C and P T ) are probabilities for selecting code mode and test mode respectively. n(m) = 0, 1 denotes the code basis, and n(m) = 2, 3 denotes the test basis. The |ϕ n and |ϕ m are pure states in a two-dimensional Hilbert space (qubit) to send to Charlie for BSM and they satisfy The measurement unit Charlie can be anyone, so we consider the worst case that he is, in fact, the eavesdropper Eve.
Following the similar argument used in Ref. [3], we design an entanglement distillation protocol that is equivalent to the MDIQKD protocol [14]. The initial states |ϕ n , |ϕ m and the Eve's ancillas |e E are separable. So Eve's collective attack can be defined as where the |0 M and |1 M is publicly announced message that 0 is failure and 1 is success; the Γ 0(1) nm E is the corresponding normalized Eve's arbitrary quantum states for |ϕ n |ϕ m |e E and the failure (success) event; the q 0 nm and q 1 nm are the corresponding probabilities of the Γ 0 nm E and Γ 1 nm E respectively. Considering that the failure events have been discarded, we only need to consider the terms q 1 nm Γ 1 nm E |1 M . The |1 M and superscript 1 could be omitted for simplification. Combining Eq. (12) and (14), the Alice, Bob and Eve's post-selected state of the code basis is where the |Γ nm E can be described as an orthogonal decomposition in a set of orthonormal states |v that |Γ nm E = v γ v nm |v . From normalization, v |γ v nm | 2 = 1. The density matrix of Alice and Bob is q 00 + q 01 + q 10 + q 11 (16) where tr E denote the trace and P(|k ) = |k k|.
The aim of the entanglement distillation protocol is to find a set of Bell states and project Alice's and Bob's ancillas to the |ψ − . We define the Bell states as thus the bit error rate e b and phase error rate e p of the code basis are and e p = ψ + ρ ψ + + φ + ρ φ + = 1 2 + √ q 00 q 11 Re e iθ Γ 00 |Γ 11 + √ q 01 q 01 Re e −iθ Γ 01 |Γ 10 q 00 + q 01 + q 10 + q 11 . respectively.
The key idea for estimating information leakage is using the observable values to describe the e p . Eq.(14) and Eq. (13) give constraints that for n, m ∈ {0, 1}, and where θ m = 0 when m = 0 and θ m = θ when m = 1. Eq. (20) indicates that so that The positive real coefficients c 0 , c 1 , c 0 , c 1 can be accurately calculated. Besides, Eq.
where θ m(l) = 0 when m(l) = 0 and θ m(l) = θ when m(l) = 1. Accoding to Eq.(24), we can find that −(q 23 + q 32 ) + (q 22 + q 33 ) = 8c 0 c 0 c 1 c 1 √ q 00 q 11 Re(e iθ Γ 11 |Γ 00 ) + √ q 10 q 01 Re(e −iθ Γ 10 |Γ 01 ) , so that Indeed, Charlie may not project his received pulse pair to the |ψ − = (|0 |1 − e −iθ |1 |0 )/ √ 2 because he is unreliable. However, according to the property of the MDI-QKD, the protocol security has nothing to do with Charlie's measurement and announcement. So our protocol is secure even if the phase reference frame between Alice and Bob is not well-aligned. Besides, if Charlie is honest, he can compensate the reference-frame misalignment θ to maximize the secret key rate. modulation fluctuation in the test basis In practical system, the unbalanced-basis-misalignments β and β (we will abbreviate it to "imbalance" for simplicity) are usually not a fixed values but satisify the random distribution with probability density function P (β) due to the modulation fluctuations. The key idea for proving the security against this case is equating the source side modulation fluctuations to Eve's operations in quantum channel. Here we introduce the method to equating the mixed state to uncharacterized |ϕ 2 and |ϕ 3 that satisfy Eq.(13). We define where P(|x ) = |x x|, I is the identity matrix, and are Pauli matrices. The test basis can be described as mixed states and where β β P (β)dβ = 1,Ŝ X = β β S X (β)P (β)dβ,Ŝ Z = β β S Z (β)P (β)dβ. We define |ϕ 2 = c 0 |0 + c 1 e iθ |1 and |ϕ 3 = c 0 |0 − c 1 e iθ |1 are two uncharacterized states satisify Define Eve's operation as which satisfies The ε can be intuitively regarded as Eve doing nothing with the probability λ 0 and performing the σ Z -operation with the probability λ 1 . 
We can find that the ε satisfies |0 0| = ε(|0 0|), |1 1| = ε(|1 1|), So the mixed states ρ 2 and ρ 3 can be regarded as uncharacterized pure states |ϕ 2 and |ϕ 3 with Eve's operation ε in the quantum channel, and the |ϕ 2 and |ϕ 3 satisfy Eq. (13). Noting that the operations in the quantum channel have nothing to do with the security, we can claim that the security in this scenario equals to the pure-state scenario. modulation misalignment and fluctuation in the code basis We note that Z basis of the time-bin phase coding systems is usually well-aligned so that its modulation misalignment is ignorable and the above pure-state method is enough for most of the scenarios. However, if the Z basis is lose control due to the modulation error and fluctuation, we should consider an improved post-processing.
Our key idea is to bound the pure-state yields by the practically observable mixed-state yields. Noting that the preparing the mixed states in code basis is equivalent to the case that Alice (Bob) prepare pure states normally but randomly adds some noise to her (his) Z-basis raw key bits. In other words, Alice (Bob) randomly flips some Z-basis raw key bits and forgets which bits are flipped. Compared with the original pure-state protocol in which there is no the random flips, Eve obviously cannot get any additional information. So the information leakage upper bound for the pure-state protocol still holds in the mixed-state case.
In the scenarios that the Z basis also has misalignments, Alice actually randomly prepares cos(β 0 ) |0 +e iθ sin(β 0 ) |1 or cos(β 0 ) |0 − e iθ sin(β 0 ) |1 when she wants to prepare |0 and actually prepares sin(β 1 ) |0 + e iθ cos(β 1 ) |1 or sin(β 1 ) |0 − e iθ cos(β 1 ) |1 when she wants to prepare |1 . The randomness of above "+" and "−" derive from Alice randomly modulate 0 or π relative phase between the two time bins when selecting the Z basis. Besides, because of the modulation fluctuations, the misalignment β 0 and β 1 are not fixed values but satisify the random distributions with probability density functions P 0 (β 0 ) and P 1 (β 1 ) respectively. In other words, Alice actually prepares mixed states when she wants to prepare |0 , and when she wants to prepare |1 . The misalignment error ξ and ζ are defined as and respectively. Similarly, when Bob wants to prepare |0 and |1 , he actually prepares mixed states and respectively, where ξ and ζ are misalignment errors of the Z basis. When both of the users select |0 , they actually prepare Eq. (41) indicates that Similarly, we have and By solving the above equation set, we can get Indeed, Alice and Bob do not know the specific value of the misalignments ζ, ζ , ξ, and ξ , but they can estimate the lower and upper bounds of these misalignments according to their calibration or monitor these misalignments by a local detector similar to the monitor "SPD-Moni" in our experiment. We define υ L and υ U as the estimated lower and upper bounds of misalignment υ where υ ∈ {ζ, ζ , ξ, ξ }, the upper and lower bounds of the q nm can be estimated by considering the worst case of Eq.(47) so that The pure-state yields for the two users selecting different bases can also be estimated by solving equations. We take the q 02 and q 12 as examples. 
We have proved that the fluctuation in the test basis can be regarded as equivalent to Eve's operations in the quantum channel, so that we can always assume that the users prepare the uncharacterized pure states $|\phi_2\rangle$ and $|\phi_3\rangle$. When Alice selects $|0\rangle$ and Bob selects $|\phi_2\rangle$, they practically prepared mixed-state which indicates that Similarly, we have so that we can get an equation set that The solution of the equation set is Considering the worst cases, the lower and upper bounds of $q_{02}$ and $q_{12}$ are respectively. Similarly, we can conclude that where n, m ∈ {2, 3}. Besides, when both of the users select the test basis, we can conclude that $q_{nm} = y_{nm}$ (n, m ∈ {2, 3}) because the states in the test basis can be regarded as pure states, as we have proved. Once we have bounded the $q_{nm}$, namely the pure-state yields, the phase error $e_p$ can be estimated in the same way as in the pure-state cases above.
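The Z-basis argument above can be checked numerically. The following is an added example, not code from the paper: it averages Alice's misaligned $|0\rangle$ preparations over the random 0/π phase and over a constructed distribution of $\beta_0$, and compares the result with an ideal $|0\rangle$ whose bit is flipped with some probability. Taking that flip probability as the mean of $\sin^2(\beta_0)$, the Gaussian fluctuation model and the value of θ are assumptions of this example.

```python
import cmath
import math
import random

def pure_density(beta, theta, sign):
    """Density matrix of cos(beta)|0> + sign * e^{i*theta} * sin(beta)|1>."""
    amps = (complex(math.cos(beta)), sign * cmath.exp(1j * theta) * math.sin(beta))
    return [[amps[r] * amps[c].conjugate() for c in range(2)] for r in range(2)]

def prepared_zero(betas, theta):
    """State Alice emits for |0>: average over the random 0/pi phase (sign)
    and over the sampled misalignment angles beta_0."""
    rho = [[0j, 0j], [0j, 0j]]
    weight = 1.0 / (2 * len(betas))
    for beta in betas:
        for sign in (+1, -1):
            d = pure_density(beta, theta, sign)
            for r in range(2):
                for c in range(2):
                    rho[r][c] += weight * d[r][c]
    return rho

def flipped_zero(flip_prob):
    """Ideal |0> whose key bit is flipped with probability flip_prob, flip forgotten."""
    return [[complex(1.0 - flip_prob), 0j], [0j, complex(flip_prob)]]

def max_diff(a, b):
    """Largest entry-wise distance between two 2x2 matrices."""
    return max(abs(a[r][c] - b[r][c]) for r in range(2) for c in range(2))

def demo(seed=1, samples=2000):
    rng = random.Random(seed)
    # Constructed fluctuation model: beta_0 ~ N(0.10 rad, 0.03 rad); not from the paper.
    betas = [rng.gauss(0.10, 0.03) for _ in range(samples)]
    theta = 0.7  # arbitrary, uncharacterized relative phase (assumed value)
    # Assumption of this example: flip probability = mean of sin^2(beta_0).
    xi = sum(math.sin(b) ** 2 for b in betas) / samples
    rho = prepared_zero(betas, theta)
    # Coherence that would remain if the 0/pi phase were NOT randomized.
    coherence_fixed_phase = abs(pure_density(0.10, theta, +1)[0][1])
    return xi, max_diff(rho, flipped_zero(xi)), abs(rho[0][1]), coherence_fixed_phase

if __name__ == "__main__":
    xi, diff, coh, coh_fixed = demo()
    print(f"xi={xi:.5f}  max|rho - rho_flip|={diff:.2e}  "
          f"coherence={coh:.2e}  (fixed phase: {coh_fixed:.3f})")
```

The off-diagonal terms cancel only because the "+" and "−" preparations are equally likely; with a fixed phase the state keeps a coherence of about $\cos\beta_0 \sin\beta_0$, and the bit-flip picture no longer describes it.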
The target function can also be expressed as In other words, we only need to estimate the lower bound of $(q_{01}q_{10} - q_{00}q_{11})^2 (q_{10}q_{T1} - q_{11}q_{T0})(q_{00}q_{T1} - q_{01}q_{T0})(q_{01}q_{1T} - q_{11}q_{0T})(q_{00}q_{1T} - q_{10}q_{0T})$.
To demonstrate the maximal tolerated imbalance, we simulated our decoy-state protocol with different fiber lengths and different data sizes. As illustrated in Fig.6, the imbalance tolerance increases with the data size. In non-asymptotic cases, the protocol performance slowly decreases with increasing β, and in asymptotic cases, our protocol has nearly invariant performance.

Mixed-state scenario
The decoy-state analysis for the mixed-state scenario is a little different from the pure-state scenario because we should bound the mixed-state yields $y_\alpha$ first and then estimate the $q_\alpha$ from the upper and lower bounds of the $y_\alpha$, where $\alpha \in \{00, 01, 10, 11, T_s, T_d, T0, T1, 0T, 1T, C\}$.
The upper and lower bounds of $y_\alpha$ can be estimated by equations similar to Eq.(58), Eq.(59), Eq.(60), and Eq.(61), except that all pure-state single-photon yields "$q_\alpha$" should be replaced by mixed-state single-photon yields "$y_\alpha$". The $q_\alpha$ can be bounded by equations similar to Eq.(55) and Eq.(48), except that the $y_\alpha$ are replaced by their upper or lower bounds for the worst-case estimation: As long as the $q_\alpha$ are bounded, the $e_p$ can be estimated by the same method as in the pure-state scenario. The final secret key rate is expressed as We also simulated the performance and the imbalance tolerance for the mixed-state scenario. The results are illustrated in Fig.7, which indicates that our protocol also has a good imbalance tolerance in the mixed-state scenarios.

Figure: Secret key rate as a function of the imbalance β (β = β) in the pure-state scenarios. The blue lines denote the asymptotic case that the data size is infinite. The red, yellow, and purple lines denote the secret key rates with the data size of $10^{13}$, $10^{12}$, $10^{11}$ respectively.

Figure: Secret key rate as a function of the imbalance β (β = β) in the mixed-state scenarios. The blue lines denote the asymptotic case that the data size is infinite. The red, yellow, and purple lines denote the secret key rates with the data size of $10^{13}$, $10^{12}$, $10^{11}$ respectively.

PARAMETER OPTIMIZATION
For the best performance, Alice and Bob set the same experimental parameters and optimize [67] eight of them: three intensities µ, ν, ω; three probabilities $p_\mu$, $p_\nu$, $p_\omega$ for selecting the corresponding intensity; and two conditional probabilities $p_{C|\nu}$, $p_{C|\omega}$ for selecting the code basis on the condition that the corresponding intensity has been selected. As listed in Tab. II, three sets of parameters are optimized for the three different cases respectively. The remaining parameters are constrained by the following relations: the probability of selecting o is $p_o = 1 - p_\mu - p_\nu - p_\omega$; the probabilities of selecting the test basis are $p_{T|\nu} = 1 - p_{C|\nu}$ and $p_{T|\omega} = 1 - p_{C|\omega}$. The experimental data is processed by two different post-processing methods, namely the pure-state method and the mixed-state method. The results and the important intermediate variables for the two scenarios are listed in Tab.III and Tab.IV respectively.

DISCUSSION
In summary, we have proposed an MDIQKD protocol that has the same performance as the original MDIQKD while requiring fewer assumptions about the encoding system. The new protocol has higher security since it is not only measurement-device-independent, but also immune to some side-channel attacks stemming from imperfect coding. In addition, it is more experimentally convenient since it simplifies the encoding system. We have successfully validated the protocol with a practical MDIQKD system, which is automatically calibrated and works continuously to collect sufficient data. We have collected $5 \times 10^{11}$ pulse pairs in each of the three different imbalances and successfully generated a positive key rate. The performance could be further improved by employing higher clockwork frequency, superconducting nanowire single-photon detectors, and improved decoy-state methods. Due to its higher security, simpler coding method, and comparable key rate, this protocol would benefit practical applications, especially in scenarios where the precision of control systems is limited or the calibration is difficult, such as network scenarios. The performance in non-asymptotic scenarios could be further improved by designing more efficient decoy-state methods or introducing better analysis of the finite-key size effect. This work may also provide inspiration for designing protocols with fewer assumptions by combining it with other protocols.