Composable security for practical quantum key distribution with two way classical communication
arXiv [quant-ph], Feb
Cong Jiang,1,2 Xiao-Long Hu, Zong-Wen Yu,1,4 and Xiang-Bin Wang1,2,5,6,7,∗

State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics, Tsinghua University, Beijing 100084, P. R. China
Jinan Institute of Quantum Technology, Jinan, Shandong 250101, P. R. China
School of Physics, State Key Laboratory of Optoelectronic Materials and Technologies, Sun Yat-sen University, Guangzhou 510275, China
Data Communication Science and Technology Research Institute, Beijing 100191, P. R. China
Shanghai Branch, CAS Center for Excellence and Synergetic Innovation Center in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai 201315, P. R. China
Shenzhen Institute for Quantum Science and Engineering, and Physics Department, Southern University of Science and Technology, Shenzhen 518055, China
Frontier Science Center for Quantum Information, Beijing, China.
We present methods to strictly calculate the finite-key effects in quantum key distribution (QKD) with error rejection through two-way classical communication (TWCC) for the sending-or-not-sending twin-field protocol. Unlike the normal QKD without TWCC, here the probability of tagging or untagging for each two-bit random group is not independent. We rigorously solve this problem by imagining a virtual set of bits where every bit is independent and identical. We show the relationship between the outcome starting from this imagined set containing independent and identical bits and the outcome starting with the real set of non-independent bits. With explicit formulas, we show that simply applying Chernoff bound in the calculation gives correct key rate, but the failure probability changes a little bit.
I. INTRODUCTION
As a crucially important issue of practical quantum key distribution (QKD) [1–14], the finite-key effect has been extensively studied in the past [15–23]. These studies show that secure QKD in practice is possible. However, the finite-key study on QKD with two-way classical communication (TWCC) [24–27] is rare. Through TWCC, one can take error rejection by parity check on those randomly grouped two-bit pairs and reduce the bit-flip errors effectively. Importantly, this raises the fault-tolerance performance of QKD [24–27]. Given the potential importance of TWCC for QKD, a robust theory for finite-key effects of QKD with TWCC shall be especially useful. Here we present such a theory.
Short review and the major problem on finite-key effects with TWCC.

The central idea in TWCC is to take bit-flip error rejection through random grouping and parity check, which requires two-way classical communication. In the standard TWCC, Alice and Bob randomly group their bits of the Z basis (coding basis) two by two and obtain many pairs of bits (two-bit groups). They perform a parity check on each pair and discard those pairs with different parity values while keeping one bit of any pair with the same parity values on the two sides. In this way, the bit-flip error rate will be effectively reduced.

However, if we apply TWCC to the decoy-state method, we need to verify the number of untagged pairs containing two untagged bits. The bits are not independent with respect to tagging or untagging. A strict treatment of this is needed and here we present such a strict treatment. Our study shows that if one simply applies the Chernoff bound for this step, the key rate from the calculation is still correct, though the failure probability changes a little bit.

Surely, the study of finite-key effects of TWCC with strict bounds is crucially important for the security of fault-tolerant QKD. However, so far studies towards this end are rare. Ref. [23] has studied finite key size [15–18] to bound the phase-flip errors in the sending-or-not-sending (SNS) [28] protocol of twin-field (TF) QKD [14] with TWCC [29]. Here, we present a simple and rigorous study for both the upper bound of the phase error rate and the lower bound for the number of untagged bits after error rejection. With these, we calculate the key rate strictly with composable security.

We associate sifted bits in the real protocol mathematically with a virtual set of independent identical bits. We seek conditions with high probability when the outcome of the virtual set is worse than that of the real bits after error rejection. Based on this idea, we present mathematical formulas pointing directly to the lower bound of the number of untagged bits after error rejection in the real protocol, with an explicitly known small failure probability. Using our method, calculating the number of untagged bits after error rejection in the real bits is transformed to calculating the value with a virtual set containing independent and identical bits, and hence the strict bound values are easily obtained with existing methods, such as the Chernoff bound [30].

This paper is arranged as follows: In Sec. II, we show the theorems on how to make a strict and efficient method to estimate parameter values after error rejection. In Sec. III and Sec. IV, we show how to apply our results to the SNS protocol with the standard TWCC, OPER and AOPP methods. We then take numerical calculations on the SNS protocol with the standard TWCC method and its variants.

∗ Corresponding author: [email protected]
II. MATHEMATICAL MODEL WITH WHITE BALLS AND BLACK BALLS

We abstract the question into the following mathematical model: Set $U$ contains $N$ balls, some of them white and some of them black. There are two kinds of sets. In one type of set, $k$ of them are white and $N-k$ of them are black. In another type of set, every ball has an independent and identical probability to be white. After random grouping, at least how many pairs containing two white balls are created with a certain failure probability? (We assume $N$ to be an even number throughout this paper, and we shall also assume the number of elements of any subset of $U$ to be an even number if we take random grouping to the elements in the subset.)

For clarity, we list our important notations first.

Notation 2.1 $[k, N]$: a set containing $N$ balls, among which there are $k$ white balls and $N-k$ black balls.

Notation 2.2 $[p_u, N]_{iid}$: a set containing $N$ balls, where every ball has an independent and identical probability $p_u$ to be white, and probability $1-p_u$ to be black.

Notation 2.3 $n_{\alpha\beta}$: the observed number of $\alpha\beta$-pairs after random grouping of the corresponding set of balls. The $\alpha\beta$-pair can be a $ww$-pair that contains two white balls or a $wb$-pair that contains a white ball and a black ball. We shall study the failure probability of $n_{\alpha\beta} \ge \underline{n}_{\alpha\beta}$, where $\underline{n}_{\alpha\beta}$ is a specific bound.

Notation 2.4 $\varepsilon(\underline{n}_{\alpha\beta} | U)$: probability that the number of $\alpha\beta$-pairs is less than $\underline{n}_{\alpha\beta}$ after random grouping of the balls initially in set $U$. The set can be $[k, N]$ or $[p_u, N]_{iid}$.

According to Notation 2.2, set $[p_u, N]_{iid}$ can be regarded as a probability distribution over the sets $[m, N]$. Explicitly, the probability on $[m, N]$ is:

$$\tilde{p}(m) = C_N^m\, p_u^m (1-p_u)^{N-m}. \tag{1}$$

With these notations, we now present our major mathematical conclusions below. We shall show the proofs in Appendix A.

Lemma 1. For sets $W_1 = [k_1, N]$, $W_2 = [k_2, N]$, the inequality

$$\varepsilon(\underline{n}_{ww} | W_1) \le \varepsilon(\underline{n}_{ww} | W_2) \tag{2}$$

always holds for whatever non-negative integer $\underline{n}_{ww}$, provided that $k_1 \ge k_2 \ge 0$.

Result 2.1: If we take random pairing to set $[k, N]$, we can calculate the lower bound of the number of $ww$-pairs by the Chernoff bound or any other tail bound assuming the independent probability of $k/N$ for every ball, with the failure probability multiplied by 2. Mathematically:

$$\varepsilon(\underline{n}_{ww} | [k, N]) \le \epsilon = 2\,\varepsilon(\underline{n}_{ww} | [p_u = k/N, N]_{iid}). \tag{3}$$

This result shows that we can simply regard the set $[k, N]$ as the set $[p_u = k/N, N]_{iid}$ in calculating $\underline{n}_{ww}$ for the input set $[k, N]$; we only need to multiply the failure probability by a factor of 2. For set $[p_u, N]_{iid}$, we can use existing methods such as the Chernoff bound or a numerical bound to calculate the lower bound, because every ball in set $[p_u, N]_{iid}$ is independent and identical. In particular,

$$\epsilon = 2 \sum_{l=0}^{\underline{n}_{ww}-1} p_u^{2l} (1-p_u^2)^{N/2-l}\, C_{N/2}^{l}. \tag{4}$$

More conveniently, we can relate the failure probability to the standard value from a binomial distribution $B(M, p)$ where there are $M$ elements and each element has an independent and identical probability $p$ to be "1". If we denote by $\xi_L(x; p, M)$ the probability of obtaining fewer than $x$ "1"s from a binomial distribution set $B(M, p)$, we can formulate

$$\xi_L(x; p, M) = \sum_{l=0}^{x-1} p^l (1-p)^{M-l}\, C_M^l. \tag{5}$$

Eq. (4) can be written as

$$\epsilon = 2\,\xi_L(\underline{n}_{ww}; p_u^2, N/2). \tag{6}$$

A detailed proof for the more general form of Result 2.1, Theorem 1, is given in Appendix A. But here we can show it in a simple way.

Proof of Result 2.1: Given the input set $[p_u = k/N, N]_{iid}$, we denote by $n_w$ the observed number of white balls in set $[k/N, N]_{iid}$. We define

$$P_A = \sum_{n_w \le k} \tilde{p}(n_w) \tag{7}$$

as the probability for $n_w \le k$ and $P_B = \sum_{n_w > k} \tilde{p}(n_w)$ as the probability for $n_w > k$. Here $\tilde{p}(n_w)$, as defined in Eq. (1), is the probability of observing $n_w$ white balls in set $[k/N, N]_{iid}$. Strictly [31], $P_A = 1/2 + \delta$ is a bit larger than 1/2 and $P_B = 1/2 - \delta$ is a bit smaller than 1/2. Define

$$\kappa_A = \sum_{n_w \le k} \tilde{p}(n_w)\, \varepsilon(\underline{n}_{ww} | [n_w, N]) \tag{8}$$

and $\kappa_B = \sum_{n_w > k} \tilde{p}(n_w)\, \varepsilon(\underline{n}_{ww} | [n_w, N])$. Obviously,

$$\varepsilon(\underline{n}_{ww} | [k/N, N]_{iid}) = \kappa_A + \kappa_B \ge \kappa_A. \tag{9}$$

Applying Lemma 1, we have

$$\kappa_A \ge \sum_{n_w \le k} \tilde{p}(n_w)\, \varepsilon(\underline{n}_{ww} | [k, N]) = P_A\, \varepsilon(\underline{n}_{ww} | [k, N]) \tag{10}$$

because no $n_w$ inside the summation of Eq. (8) can be larger than $k$. By Lemma 1, every term $\varepsilon(\underline{n}_{ww} | [n_w, N])$ inside the summation in the right hand side of Eq. (10) has to respect $\varepsilon(\underline{n}_{ww} | [n_w, N]) \ge \varepsilon(\underline{n}_{ww} | [k, N])$. We have used the definition of $P_A$ in Eq. (7) in the second equality above.

Combining Eq. (9) and Eq. (10) we obtain

$$\varepsilon(\underline{n}_{ww} | [k/N, N]_{iid}) \ge P_A\, \varepsilon(\underline{n}_{ww} | [k, N]), \tag{11}$$

which concludes

$$\varepsilon(\underline{n}_{ww} | [k, N]) \le \frac{\varepsilon(\underline{n}_{ww} | [k/N, N]_{iid})}{P_A} \le 2\,\varepsilon(\underline{n}_{ww} | [k/N, N]_{iid}) = \epsilon. \tag{12}$$

We have used the fact that $P_A$ is a bit larger than 1/2. If $k$ is the lower bound value rather than the exact value for the number of white balls in set $[k, N]$, Result 2.1 still holds because of Lemma 1.

Actually, we are not limited to the specific setting of $k/N$. We have a more general result, presented as Theorem 1.

Theorem 1. The inequality

$$\varepsilon(\underline{n}_{ww} | [k_u, N]) \le \frac{\varepsilon(\underline{n}_{ww} | [p_u, N]_{iid})}{\gamma_{iid}} \tag{13}$$

always holds with whatever non-negative integers $k_u$, $\underline{n}_{ww}$, and whatever probability value $p_u$. Here

$$\gamma_{iid} = \sum_{k=0}^{k_u} \tilde{p}(k), \tag{14}$$

where $\tilde{p}(k)$ is defined in Eq. (1).

III. TWCC-SNS
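Lemma 1, Result 2.1 and Theorem 1 of Sec. II can be checked exactly on small sets, where the distribution of ww-pairs under random pairing can be enumerated in closed form. The following Python block is an added illustration, not code from the paper; the function names are its own, and it takes the per-pair white-white probability in the i.i.d. set to be $p_u^2$, which is what independence of the balls gives.

```python
from fractions import Fraction
from math import comb, factorial


def pairings(m):
    """Number of ways to split m labelled balls (m even) into unordered pairs."""
    return factorial(m) // (2 ** (m // 2) * factorial(m // 2))


def ww_distribution(k, N):
    """Exact distribution of the number of ww-pairs after randomly pairing [k, N]."""
    assert N % 2 == 0 and 0 <= k <= N
    total = pairings(N)
    dist = {}
    for j in range(k // 2 + 1):
        wb = k - 2 * j                      # leftover white balls, each paired with a black one
        if wb > N - k:
            continue
        ways = (comb(k, 2 * j) * pairings(2 * j)     # choose and pair the 2j white balls
                * comb(N - k, wb) * factorial(wb)    # match leftover whites to blacks
                * pairings(N - k - wb))              # pair the remaining black balls
        dist[j] = Fraction(ways, total)
    return dist


def eps_fixed(n_low, k, N):
    """epsilon(n_low | [k, N]): probability of fewer than n_low ww-pairs (Notation 2.4)."""
    return sum((p for j, p in ww_distribution(k, N).items() if j < n_low), Fraction(0))


def xi_L(x, p, M):
    """Eq. (5): probability of fewer than x ones in Binomial(M, p)."""
    return sum((comb(M, l) * p ** l * (1 - p) ** (M - l)
                for l in range(min(x, M + 1))), Fraction(0))


def p_tilde(m, p_u, N):
    """Eq. (1): probability that [p_u, N]_iid contains exactly m white balls."""
    return comb(N, m) * p_u ** m * (1 - p_u) ** (N - m)


def eps_iid(n_low, p_u, N):
    """epsilon(n_low | [p_u, N]_iid), computed as the mixture over [m, N] weighted by Eq. (1)."""
    return sum((p_tilde(m, p_u, N) * eps_fixed(n_low, m, N)
                for m in range(N + 1)), Fraction(0))


def gamma_iid(k_u, p_u, N):
    """Eq. (14): probability that the i.i.d. set has at most k_u white balls."""
    return sum((p_tilde(k, p_u, N) for k in range(k_u + 1)), Fraction(0))


def largest_lower_bound(k, N, eps):
    """Largest n_low whose Result 2.1 failure bound 2*xi_L(n_low; (k/N)^2, N/2) is <= eps."""
    p = Fraction(k, N) ** 2
    n_low = 0
    while n_low < N // 2 and 2 * xi_L(n_low + 1, p, N // 2) <= eps:
        n_low += 1
    return n_low


if __name__ == "__main__":
    N, k = 20, 14                           # constructed sample: 14 white balls out of 20
    p_u = Fraction(k, N)
    print("n_low  eps(real set)   2*xi_L (Result 2.1)")
    for n_low in range(N // 2 + 1):
        real = eps_fixed(n_low, k, N)
        bound = 2 * xi_L(n_low, p_u ** 2, N // 2)
        print(f"{n_low:5d}  {float(real):.6f}        {float(bound):.6f}")
    print("lower bound at eps = 0.1:", largest_lower_bound(k, N, Fraction(1, 10)))
```

Exact rational arithmetic keeps the comparisons free of rounding, so the sizes are deliberately small; for realistic $n_t$ the same $\xi_L$ would be evaluated with a Chernoff or numerical tail bound, as the text says.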
As an important variant of twin-field QKD [14], the SNS protocol [28] together with its modified protocols [23, 29, 32, 33] has attracted much attention due to its large noise tolerance and high key rate. Moreover, the SNS protocol has a unique advantage that the traditional decoy-state method directly applies, which makes the finite-key analysis very efficient. The SNS protocol has been experimentally demonstrated in proof-of-principle in Ref. [34], and realized in real optical fiber with the finite-key effects taken into consideration [35, 36]. Notably, the SNS protocol has been experimentally demonstrated over 509 km optical fiber [35], which is the longest secure distance of QKD in optical fiber.

Here, applying our mathematical results above, we shall take the strict bound calculation for the finite-key effects on the SNS protocol with the standard TWCC method (TWCC-SNS) [29] in the post data processing, which can obviously also be applied to other protocols of the decoy-state method [6–8, 37–42]. In the standard TWCC-SNS [29], for any pair, if both sides observe the same parity value, no matter whether it is odd or even, we take one bit from this pair for final key distillation. We shall directly apply the method above for both the number of untagged bits and phase-flip errors after error rejection, as required for the final-key calculation.

After light-pulse transmission, post selection and error test in the protocol, there are $n_t$ remaining bits for the Z basis which will be used for the final key distillation. We denote these $n_t$ bits by set $W$. Suppose there are $n$ untagged bits in set $W$. We denote by $W_u$ the set of these $n$ untagged bits. By the decoy-state analysis we can verify the lower bound of $n$, say, $\underline{n}$. We define the untagged pair as a pair that contains two bits from set $W_u$ after random grouping. We also name an untagged pair a $uu$ pair.

Suppose there are $n_{uu}$ untagged pairs after random grouping of all bits in set $W$. Regarding bits in set $W_u$ as the white balls in our Result 2.1, we can immediately lower bound the number of $uu$ pairs $n_{uu}$ by

$$n_{uu} \ge \underline{n}_{uu}, \tag{15}$$

except for a probability $\epsilon_{twcc}$,

$$\epsilon_{twcc} = 2\,\xi_L\!\left(\underline{n}_{uu}; \left(\frac{\underline{n}}{n_t}\right)^2, \frac{n_t}{2}\right), \tag{16}$$

where $\xi_L$ is defined in Eq. (5).

We use notation $U$ for the set of these $n_{uu}$ pairs, and notation $V$ for those $2n_{uu}$ untagged bits which form these $n_{uu}$ untagged pairs in set $U$. Suppose there are $m_e^v$ phase errors in set $V$. As shown below in Remark 3.1, set $V$ is a random subset of set $W_u$. Therefore the upper bound value of $m_e^v$ can be faithfully and efficiently estimated by decoy-state analysis.

Since there is no bit-flip error for untagged bits in the SNS protocol, all those $n_{uu}$ untagged pairs will pass the parity check for sure and they will contribute $n_{uu}$ bits after discarding one bit in each pair. Our task now is to faithfully upper bound the phase-flip error rate of the $n_{uu}$ surviving untagged bits after error rejection.

There are two kinds of untagged pairs: a phase-error pair that contains one phase error only, and a perfect pair that contains either 0 phase errors or 2 phase errors. As shown in the prior works [24, 25], a phase-error pair will produce a bit with one phase error for sure after error rejection, and the perfect pairs will not produce any phase error after the error rejection step.

Given the number of phase errors $m_e^v$ in set $V$, we have the following equation for the number of phase-error pairs:

$$n_e^I = m_e^v - 2n_{ee}, \tag{17}$$

where $n_e^I$ is the number of phase-error pairs and $n_{ee}$ is the number of pairs containing two errors. The formula above is based on a simple fact: those $n_{ee}$ pairs containing two phase errors have consumed $2n_{ee}$ phase errors in set $V$, and each of the remaining $m_e^v - 2n_{ee}$ phase errors will only be paired with a perfect bit.

Immediately we have

$$n_e^I \le m_e^v. \tag{18}$$

If we use this strict bound, we don't have to consider any statistical fluctuation at this step, because this is the worst-case result already, whose failure probability is 0. Though we have no way to know the exact value of $m_e^v$, we can upper bound it by $m_e^v \le \bar{m}_e^v$ by decoy-state analysis, given that set $V$ is a random subset of set $W_u$ as shown below.

Remark 3.1: We consider the following game: Clare initially keeps those bits in set $W_u$ and Bob keeps all the other bits. Clare randomly permutes all those bits privately and after that he places each bit inside a sealed envelope and passes all envelopes to Bob. Bob is not allowed to use any bit information inside the envelope. Under such a condition, in whatever way Bob may take (including the way that he uses additional bits kept by himself), he has no way to produce a subset of $W_u$ that is not a random subset of $W_u$. Therefore, subset $V$ above can only be a random subset of $W_u$. The mathematical conclusion does not depend on who takes the random permutation or whether the bits are placed inside envelopes. It simply means that, if initially all bits in set $W_u$ are randomly permuted, no matter who creates the randomness, any subset of bits must be a random subset of $W_u$ provided that bits in the subset are chosen in a way independent of the bit value or phase error information of any bits.

Numerical simulation shows that a satisfactory key rate can be obtained by the simple and strict bound of Eq. (18).

Consequently, we can calculate the final key rate (per sent pulse) of the SNS protocol [28] with standard TWCC by the formula

R = 1 N tol { n uu [1 − H (¯ e Ap )] − f [ n t H ( E ) + n t H ( E )+ n t H ( E )] − log ε sec − √ ε P A ˆ ε } (19)

where $N_{tol}$ is the total number of pulse pairs sent by Alice and Bob, n t , n t , n t are the numbers of survived bits from different kinds of pairs, and $\bar{e}_p^A = \bar{m}_e^v / n_{uu}$ is the upper bound of the phase-flip error rate for those survived untagged bits after error rejection. The kinds of pairs are distinguished as a pair containing one bit value 1 and one bit value 0, a pair containing two bit values 0, and a pair containing two bit values 1. E , E , E are the bit-flip errors of each kind of pair. The tailing term − log ε sec − √ ε PA ˆ ε is the additional cost for security with finite size, as shown in Refs. [19, 21].

With the key rate formula (19), the protocol is $\varepsilon_{tol} = \varepsilon_{cor} + \varepsilon_{sec}$-secure [18, 19], where

ε sec = 2ˆ ε + ε P A + 4 p ε e + ε n , (20)

$\varepsilon_e$ is the failure probability of the estimation of the phase-flip error rate, $\varepsilon_n$ is the failure probability of the estimation of the number of untagged bits in Eq. (19), $\varepsilon_{cor}$ is the failure probability of error correction, $\varepsilon_{PA}$ is the failure probability of privacy amplification, and $\hat{\varepsilon}$ is the coefficient while using the chain rules of max- and min-entropy [21].

IV. ODD-PARITY ERROR REJECTION AND ACTIVELY ODD-PARITY PAIRING
By a similar idea, we can strictly take the effects of finite data size into account to calculate the key rate of the SNS protocol with other TWCC methods such as odd-parity error rejection (OPER) and actively odd-parity pairing (AOPP) [23, 29], which can further improve the key rate significantly.

A. More mathematical results with white balls and black balls

We need some additional mathematical results. The details of the proof are shown in Appendix A.

Result 4.1: After random pairing of the balls in set $[k, N]$ that contains $N$ balls, the following inequality always holds:

$$\varepsilon(\underline{n}_{wb} | [k, N]) \le \xi_L(\underline{n}_{wb} + 1;\ 2p_u(1-p_u),\ N/2), \tag{21}$$

provided that $k \le N/2$ and $p_u = k/N$. Here the functional $\xi_L$ is defined in Eq. (5).

B. OPER-SNS

We name the SNS protocol [28] with OPER [23, 29] in the post data processing OPER-SNS. Again, we need bound values of two quantities after error rejection: the number of survived untagged bits from odd-parity pairs and their phase error rate.

We can upper bound the number of phase errors in those survived untagged bits after OPER, and denote the upper bound number as $\bar{M}_{oper}$. This can be done by the zigzag approach [23] based on the quantum de Finetti theorem [16, 43]. For completeness, we also present the details of the zigzag approach in Appendix C of this work, in a readable way.

The number of survived untagged bits after OPER is just the number of odd-parity untagged pairs $n_{oper}$. Its lower bound $\underline{n}_{oper}$ can be calculated by applying Result 4.1, with the input of values n t , n , n before TWCC. Here n t is the total number of effective bits in the Z basis, and n , n are lower bounds of the numbers of untagged bits with bit value 0 and 1 respectively.

In the zigzag approach, we only need the survived $n_{uu}$ untagged pairs after random grouping of the $n_t$ bits that contain $n$ untagged bits. We only need to study those $n_{uu}$ untagged pairs in the calculation of $\underline{n}_{oper}$, too. Consider set $Y$ containing those $2n_{uu}$ bits that formed those $n_{uu}$ untagged pairs, among which there are at least n ′ untagged bits 0 and n ′ untagged bits 1. Let n min = min( n ′ , n ′ ). Relating $n_{min}$ to the number of white balls in Result 4.1, we have $n_{oper} \ge \underline{n}_{oper}$ with a failure probability $\epsilon_{oper}$, and

$$\epsilon_{oper} = 2\,\xi_L\!\left(\underline{n}_{oper};\ \frac{n_{min}}{n_{uu}}\left(1 - \frac{n_{min}}{2n_{uu}}\right),\ n_{uu}\right). \tag{22}$$

The calculation details of n ′ and n ′ are shown in Appendix D.

We can then calculate the key rate by:

R = 1 N tol { n oper [1 − H ( e ′ ph )] − f n ot H ( E OZ ) − (log ε sec − √ ε P A ˆ ε ) } . (23)

Here $e'_{ph} = \bar{M}_{oper} / n_{oper}$ is the upper bound of the phase-flip error rate after OPER, $n_{ot}$ is the number of survived bits after OPER, and $E_{OZ}$ is the bit-flip error rate after OPER. Moreover, the result can be even better if we take active odd-parity pairing, which will produce more odd-parity pairs.

C. AOPP-SNS

We name the SNS protocol [28] with AOPP [23, 29] in the post data processing AOPP-SNS. In AOPP, we take odd-parity grouping actively so that we can obtain more odd-parity pairs than OPER does. We divide the odd-parity pairs in AOPP into $g$ subsets so that the number of pairs in each subset is smaller than the number of odd-parity pairs in OPER. The final key distillation taken on each subset is no different from that taken in an OPER using part of its odd-parity pairs. For simplicity, we shall only use two equal subsets here. Say, if we can obtain $2\tilde{n}_g$ odd-parity pairs by AOPP, we divide these into two subsets, each containing $\tilde{n}_g$ pairs. We consider the following steps:

1) Take random grouping of the bits in set $W$ one by one, and stop grouping at the time $\tilde{n}_g$ odd-parity pairs are obtained. Suppose $\tilde{n}_t$ bits are used in the random grouping when $\tilde{n}_g$ odd-parity pairs are created. This $\tilde{n}_t$ is an observed number and therefore we don't have to consider the statistical fluctuation in our calculation. We shall simply use ˜ n t = ˜ n g n t N N in our numerical simulation.

2) Take AOPP on the $n_t$ bits in set $W$. We obtain $2\tilde{n}_g$ pairs and divide them into two equal subsets. Each subset contains $\tilde{n}_g$ odd-parity pairs which could have come from OPER. We can calculate the key rate of each subset by the formula of Eq. (23) of OPER, in the case that we only use $\tilde{n}_t$ bits there.

V. NUMERICAL SIMULATION
We use the linear model to simulate the observed values with certain experiment devices and certain source parameters [21]. We assume symmetric channel and source parameters between Alice and Bob. The decoy-state analysis can be used to calculate the lower bound of the number of untagged bits and the upper bound of their corresponding phase-flip error rate before TWCC. The details of the decoy-state analysis are shown in Appendix B. The details of how to use data before OPER to estimate the phase errors after OPER are shown in Appendix C. By setting the failure probability while calculating the effect of statistical fluctuation as 10 − , and other failure probabilities as 10 − , too, we achieve a security level of 1 . × − , 2 . × − and 4 . × − in the standard TWCC, OPER and AOPP, respectively.

p d    e d    η d    f    α f    ξ c
. × −    3%    30.0%    1 .    .    −

TABLE I. List of experimental parameters used in numerical simulations. Here $p_d$ is the dark count rate of Charlie's detectors; $e_d$ is the misalignment-error probability; $\eta_d$ is the detection efficiency of Charlie's detectors; $f$ is the error correction inefficiency; $\alpha_f$ is the fiber loss coefficient (dB/km); $\xi_c$ is the failure probability while calculating the effect of statistical fluctuation.

Figure 1 compares the key rates of different protocols. We set N tol = 10 in Figure 1. The other experiment parameters used in the numerical simulation are shown in Table I. We find that with TWCC, the key rate of the SNS protocol of TF-QKD in a large distance range can by far exceed the PLOB bound [44], a benchmark of the key rate of QKD established by Pirandola, Laurenza, Ottaviani, and Banchi [44]. The absolute PLOB bound and the relative PLOB bound are the bound with whatever devices and the practical bound assuming the limited detection efficiency, respectively [44]. Figure 1 shows that in the case of finite-key size, the TWCC method can improve the maximum distance of the SNS protocol of TF-QKD by 50 km, and greatly improve the key rate at long distances. The furthest distances of the three improved methods, the standard TWCC, OPER and AOPP, are the same, but at almost all distances the key rates of the AOPP method are the highest.

In the calculation of standard TWCC in Figure 1, we use Eq. (18) to estimate the phase errors after error rejection. In Figure 2, we compare the key rates of standard TWCC with Eq. (17) and Eq. (18). The simulation results show that the key rates of those two methods are almost the same at all distances.
[Figure 1 plot: key rates (per sent pulse) versus distance (km) for AOPP-SNS, OPER-SNS, TWCC-SNS, original SNS, the absolute PLOB bound and the relative PLOB bound.]

FIG. 1. The key rates of different protocols. Here we set N tol = 10 . The other experiment parameters used in the numerical simulation are shown in Table I. The absolute PLOB bound and the relative PLOB bound are the bound with whatever devices and the practical bound assuming the limited detection efficiency, respectively.
[Figure 2 plot: key rates (per sent pulse) versus distance (km) for TWCC-SNS (Eq. 17), TWCC-SNS (Eq. 18), the absolute PLOB bound and the relative PLOB bound.]

FIG. 2. The key rates of standard TWCC with Eq. (17) and Eq. (18).
VI. CONCLUSION
In TWCC, the probability of tagging or untagging for each two-bit random group is not independent. We rigorously solve this problem by imagining a virtual set of bits where every bit is independent and identical. We show that we can naively regard the bits in the real set as independent and identical and get the bound values by applying the Chernoff bound, with the failure probability multiplied by 2. We also show how to apply our mathematical results to the SNS protocol with several TWCC methods. Numerical results show that the TWCC method can improve the maximum distance of the SNS protocol of TF-QKD by 50 km, and greatly improve the key rate at long distances.
Appendix A: The proofs

1. The proof of Lemma 1

The proof of Lemma 1 is very simple. Since we take the grouping randomly, the outcome probability distribution over the numbers of white-white pairs or other kinds of pairs is independent of the initial positions of white balls or black balls before grouping; it only depends on the initial number of white balls. Suppose $k_1 - k_2 = \Delta \ge 0$. If we randomly label any $\Delta$ white balls in set $W_1$ and change them into $\Delta$ black balls, we shall obtain a set equivalent to set $W_2$ for the random grouping process. Also, we may choose to obtain the random grouping result of set $W_2$ in this way: we start with set $W_1$ and randomly label $\Delta$ white balls before grouping. After grouping, we change those $\Delta$ white balls initially labelled into black. This shows that by whatever grouping method, a $ww$ pair corresponding to the initial set $W_2$ is always a $ww$ pair corresponding to the initial set $W_1$, but the reverse is not necessarily true. This means that by whatever grouping method, if the outcome corresponding to initial set $W_2$ satisfies the condition $n_{ww} \ge \underline{n}_{ww}$, the outcome corresponding to initial set $W_1$ must also satisfy the same condition. This completes Lemma 1 from the ergodic viewpoint of probability.

According to Notation 2.2, set $[p_u, N]_{iid}$ can be regarded as a probability distribution over the sets $[k, N]$. Explicitly, the probability on $[k, N]$ is:

$$\tilde{p}(k) = C_N^k\, p_u^k (1-p_u)^{N-k}. \tag{A1}$$

We shall use this in our proofs of the theorems.

2. The proof of Theorem 1

Starting from the failure probability for $n_{ww} \ge \underline{n}_{ww}$ with the virtual set $[p_u, N]_{iid}$, we have

$$\begin{aligned}
\varepsilon(\underline{n}_{ww} | [p_u, N]_{iid}) &= \sum_k \tilde{p}(k)\, \varepsilon(\underline{n}_{ww} | [k, N]) \\
&= \sum_{k \le k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{ww} | [k, N]) + \sum_{k > k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{ww} | [k, N]) \\
&\ge \sum_{k \le k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{ww} | [k, N]) \\
&\ge \sum_{k \le k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{ww} | [k_u, N]) \\
&\ge \gamma_{iid}\, \varepsilon(\underline{n}_{ww} | [k_u, N]).
\end{aligned}$$

We have used Lemma 1 in the second inequality above. This ends the proof of Theorem 1.

For the binomial distribution $B(M, p)$, $Mp$ is its median if $Mp$ is an integer. Thus by setting $p_u = k_u/N$ and combining with Lemma 1, we immediately transform Theorem 1 into Result 2.1.
3. The proof of Result 4.1

To prove Result 4.1, we first introduce the following lemma and theorem.

Lemma 2. For sets $W_1 = [k_1, N]$, $W_2 = [k_2, N]$, the inequality

$$\varepsilon(\underline{n}_{wb} + 1 | W_1) \ge \varepsilon(\underline{n}_{wb} | W_2) \tag{A2}$$

always holds for whatever non-negative integer $\underline{n}_{wb}$, provided that $0 \le k_1 \le k_2 \le N/2$.

We shall prove Lemma 2 in two cases.

For the case $0 \le k_1 < \underline{n}_{wb} \le k_2 \le N/2$, it is easy to check that

$$\varepsilon(\underline{n}_{wb} + 1 | W_1) = 1 \ge \varepsilon(\underline{n}_{wb} | W_2). \tag{A3}$$

For the case $0 \le \underline{n}_{wb} \le k_1 \le k_2 \le N/2$, if

ε (2 n e + 1 | [2 k, n ]) ≥ ε (2 n e + 1 | [2 k + 1 , n ]) , (A4)

and

ε (2 n e + 1 | [2 k, n ]) ≥ ε (2 n e + 1 | [2 k + 2 , n ]) , (A5)

hold for any n e and k that satisfied 2 n e + 1 < k ≤ n − ε ( n wb + 1 | W ) ≥ ε ( n wb | W ). Our task now is reduced to proving Eqs. (A4) and (A5).

Denote P (2 l ) k as the probability that there are 2 l wb-pairs after performing random grouping on set [2 k, n ], and we have

P (2 l ) k = C k − ln C ln − ( k − l ) A k k A n − k n − k l A n n , (A6)

where C ba is the number of combinations and A ba is the number of arrangements. It is easy to check that

P (2 l + 1) k +1 = 2 n − k − l n − k P (2 l ) k + 2 l + 22 n − k P (2 l + 2) k , (A7)

P (2 l ) k +2 = 2 n − (2 k + 1) − (2 l − n − (2 k + 1) P (2 l − k +1 + 2 l + 12 n − (2 k + 1) P (2 l + 1) k +1 . (A8)

According to Notation 2.4, we have

ε (2 n e + 1 | [2 k, n ]) = n e X l =0 P (2 l ) k ,
ε (2 n e + 1 | [2 k + 1 , n ]) = n e X l =1 P (2 l − k +1 ,
ε (2 n e + 1 | [2 k + 2 , n ]) = n e X l =0 P (2 l ) k +2 . (A9)

Combining Eqs. (A7) and (A9), we have

ε (2 n e + 1 | [2 k + 1 , n ]) = ε (2 n e + 1 | [2 k, n ]) − x ,
ε (2 n e + 1 | [2 k + 2 , n ]) = ε (2 n e + 1 | [2 k, n ]) − x + x , (A10)

where

x = 2 n − k − n e n − k P (2 n e ) k ,
x = 2 n e + 12 n − (2 k + 1) P (2 n e + 1) k +1 . (A11)

As x is a positive number, Eq. (A4) holds. As 2 k ≤ n − 1, we have

x x = 2 n k + 1 − ≥ , (A12)

thus Eq. (A5) holds. This ends the proof of Lemma 2.

With Lemma 2, we have

Theorem 2. The inequality

$$\varepsilon(\underline{n}_{wb} | [k_u, N]) \le \frac{\varepsilon(\underline{n}_{wb} + 1 | [p_u, N]_{iid})}{\gamma'_{iid}} \tag{A13}$$

always holds with whatever natural numbers $\underline{n}_{wb}$, $k_u \le N$ and whatever probability value $p_u$. Here

$$\varepsilon(\underline{n}_{wb} + 1 | [p_u, N]_{iid}) = \sum_{k=0}^{\underline{n}_{wb}} C_N^k\, P^k (1-P)^{N-k}, \tag{A14}$$

where $P = 2p_u(1-p_u)$ and

$$\gamma'_{iid} = \sum_{k=0}^{k_u} \tilde{p}(k). \tag{A15}$$

According to the definition of $\varepsilon(\underline{n}_{wb} + 1 | [p_u, N]_{iid})$, we have

$$\begin{aligned}
\varepsilon(\underline{n}_{wb} + 1 | [p_u, N]_{iid}) &= \sum_k \tilde{p}(k)\, \varepsilon(\underline{n}_{wb} + 1 | [k, N]) \\
&\ge \sum_{k \le k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{wb} + 1 | [k, N]) \\
&\ge \sum_{k \le k_u} \tilde{p}(k)\, \varepsilon(\underline{n}_{wb} | [k_u, N]) \\
&= \gamma'_{iid}\, \varepsilon(\underline{n}_{wb} | [k_u, N]).
\end{aligned}$$

Here we use Lemma 2 for the second inequality. This ends the proof of Theorem 2.

For the binomial distribution $B(M, p)$, $Mp$ is its median if $Mp$ is an integer. Thus by setting $p_u = k_u/N$ and combining with Lemma 2, we immediately transform Theorem 2 into Result 4.1.

Appendix B: The decoy state analysis
Since the original SNS protocol was proposed [28], it has been further studied extensively [23, 29, 32, 33]. The 4-intensity and 3-intensity SNS protocols with weak coherent state (WCS) sources are usually applied in experiments. In the 4-intensity SNS protocol [21, 32], there are four sources with intensities 0 , µ a , µ a and µ az at Alice's side and intensities 0 , µ b , µ b and µ bz at Bob's side. If we set µ a = µ az and µ b = µ bz , the 4-intensity SNS protocol becomes the 3-intensity protocol. In this paper, we take the 4-intensity SNS protocol as an example to show our calculation method.

In the whole protocol, Alice and Bob (they) send $N$ pulse pairs to Charlie, who is assumed to perform interferometric measurements on the received pulses and to announce the measurement results to them. If only one detector clicks, they take it as a one-detector heralded event. At each time window, Alice (Bob) randomly decides whether it is a decoy window, with probability $1 - p_z$, or a signal window, with probability $p_z$. If it is a signal window, with probability $\epsilon_A$ ($\epsilon_B$), Alice (Bob) prepares a pulse with intensity $\mu_{az}$ ($\mu_{bz}$) and denotes it as bit 1 (0); with probability $1 - \epsilon_a$ ($1 - \epsilon_b$), Alice (Bob) prepares a vacuum pulse and denotes it as bit 0 (1). If it is a decoy window, Alice (Bob) randomly prepares a vacuum pulse or a pulse with state | e iθ a √ µ a i or | e iθ a √ µ a i ( | e iθ b √ µ b i or | e iθ b √ µ b i ) with probabilities p a = 1 − p a − p a , p a and p a , ( p b = 1 − p b − p b , p b and p b ) respectively, where θ a , θ a , θ b and θ b are different in different windows, and are random in [0 , π ). We set the following constraint for the security of the SNS protocol [33]

$$\frac{\mu_a}{\mu_b} = \frac{\epsilon_a (1 - \epsilon_b)\, \mu_{az} e^{-\mu_{az}}}{\epsilon_b (1 - \epsilon_a)\, \mu_{bz} e^{-\mu_{bz}}}. \tag{B1}$$

For the symmetric SNS protocol, that is, $p_{az} = p_{bz}$, $p_a = p_b$, $\mu_{az} = \mu_{bz}$ and so on, the constraint (B1) is automatically satisfied.

After they repeat the above process $N$ times, they acquire a series of data. A time window in which both of them choose a signal window is a $Z$ window. The one-detector heralded events in $Z$ windows are effective events, and the corresponding bits of those effective events form the $n_t$-bit raw key strings, which are used to extract the final keys. A time window in which both of them choose to send out a pulse with intensities µ a and µ b respectively, and in which their phases satisfy

$$1 - |\cos(\theta_a - \theta_b)| \le \lambda, \tag{B2}$$

where $\lambda$ is a small positive number, is an $X$ window. The one-detector heralded events in $X$ windows are effective events. And for an effective event in the $X$ window, if cos ( θ a − θ b ) > θ a − θ b ) < X windows are used to estimate the phase-flip error rate. And $\lambda$ would be taken as an optimized parameter to get the best estimation of the phase-flip error rate.

We denote the vacuum source, the WCS source with intensity µ a , µ a , and µ az ( µ b , µ b , and µ bz ) of Alice (Bob) by $ao$, $ax$, $ay$ and $az$ ($bo$, $bx$, $by$, and $bz$). We simplify the symbols of two pulse sources $a\kappa, b\zeta$ ( κ, ζ = o, x, y as $\kappa\zeta$. We denote the number of pulse pairs of source $\kappa\zeta$ sent out in the whole protocol by $N_{\kappa\zeta}$, and the total number of one-detector heralded events of source $\kappa\zeta$ by $n_{\kappa\zeta}$. We define the counting rate of source $\kappa\zeta$ by $S_{\kappa\zeta} = n_{\kappa\zeta}/N_{\kappa\zeta}$, and the corresponding expected value by $\langle S_{\kappa\zeta} \rangle$.
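The sifting rules described above, as an added Python example that is not from the paper: it classifies constructed time-window records into $Z$ and $X$ windows, builds both raw key strings with the SNS bit encoding, and computes $N_{\kappa\zeta}$, $n_{\kappa\zeta}$ and $S_{\kappa\zeta}$. The record layout, the `x_src` parameter naming the decoy source used for $X$ windows, and counting source pairs only over windows where both sides chose a decoy window are assumptions of the example.

```python
import math
from collections import Counter

# Constructed sample windows (not data from the paper):
# (alice_kind, alice_src, theta_a, bob_kind, bob_src, theta_b, detectors_clicked)
# Sources: o = vacuum, x / y = decoy intensities, z = signal intensity.
WINDOWS = [
    ("signal", "z", 0.0, "signal", "o", 0.0, 1),   # only Alice sends
    ("signal", "o", 0.0, "signal", "z", 0.0, 1),   # only Bob sends
    ("signal", "z", 0.0, "signal", "z", 0.0, 1),   # both send: bit-flip error
    ("signal", "o", 0.0, "signal", "o", 0.0, 0),   # no click
    ("signal", "z", 0.0, "signal", "o", 0.0, 2),   # two clicks: not heralded
    ("decoy", "x", 0.30, "decoy", "x", 0.35, 1),
    ("decoy", "x", 0.10, "decoy", "x", 0.10 + math.pi - 0.02, 1),
    ("decoy", "x", 1.00, "decoy", "x", 2.00, 1),   # outside the phase slice
    ("decoy", "x", 2.00, "decoy", "x", 2.01, 0),
    ("decoy", "o", 0.0, "decoy", "x", 1.7, 1),
    ("decoy", "o", 0.0, "decoy", "x", 4.2, 0),
    ("decoy", "o", 0.0, "decoy", "o", 0.0, 0),
    ("signal", "z", 0.0, "decoy", "x", 0.9, 1),    # mismatched choice: discarded
]

def in_phase_slice(theta_a, theta_b, lam):
    """Eq. (B2): 1 - |cos(theta_a - theta_b)| <= lam."""
    return 1.0 - abs(math.cos(theta_a - theta_b)) <= lam

def sift(windows, lam, x_src="x"):
    """Classify windows; return raw keys, N, n, S per source pair, and X counts."""
    N, n = Counter(), Counter()
    key_a, key_b = [], []
    N_X = n_X = 0
    for a_kind, a_src, th_a, b_kind, b_src, th_b, clicks in windows:
        heralded = int(clicks == 1)              # one-detector heralded event
        if a_kind == b_kind == "signal":         # Z window
            if heralded:
                key_a.append(1 if a_src == "z" else 0)   # Alice: sending -> 1
                key_b.append(0 if b_src == "z" else 1)   # Bob: sending -> 0
        elif a_kind == b_kind == "decoy":
            pair = a_src + b_src                 # source pair "kappa zeta"
            N[pair] += 1
            n[pair] += heralded
            # Assumption: X windows are those where both sides use `x_src`.
            if a_src == b_src == x_src and in_phase_slice(th_a, th_b, lam):
                N_X += 1
                n_X += heralded
    S = {pair: n[pair] / N[pair] for pair in N}  # S = n / N
    return {"key_a": key_a, "key_b": key_b, "N": dict(N), "n": dict(n),
            "S": S, "N_X": N_X, "n_X": n_X}

RESULT = sift(WINDOWS, lam=0.05)
```

The third signal window shows where bit-flip errors come from in this encoding: when both sides send, Alice records 1 and Bob records 0, and these are the errors that parity-check error rejection targets.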
The Chernoff bound can be used to estimate the lower and upper bounds of the expected values according to their observed values.

Then we can use the decoy-state method to calculate the lower bounds of the expected values of the counting rate of single-photon states | ih | and | ih | , which are [33]

h s i = µ b e µ b h S ox i − µ b e µ b h S oy i − ( µ b − µ b ) h S oo i µ b µ b ( µ b − µ b ) , (B3)

h s i = µ a e µ a h S xo i − µ a e µ a h S yo i − ( µ a − µ a ) h S oo i µ a µ a ( µ a − µ a ) . (B4)

Then we can get the lower bound of the expected value of the counting rate of untagged photons

h s i = µ a µ a + µ b h s i + µ b µ a + µ b h s i , (B5)

and the lower bounds of the expected values of the untagged bits h n i , untagged bits 1, h n i , and untagged bits 0, h n i

h n i = N p az p bz [ ε a (1 − ε b ) µ az e − µ az + ε b (1 − ε a ) µ bz e − µ bz ] h s i , (B6)

h n i = N p az p bz ε a (1 − ε b ) µ az e − µ az h s i , (B7)

h n i = N p az p bz ε b (1 − ε a ) µ bz e − µ bz h s i . (B8)

With the Chernoff bound, we can estimate the lower bounds of the number of untagged bits 1, n , and untagged bits 0, n

n = ϕ L ( h n i ) , n = ϕ L ( h n i ) , n = n + n , (B9)

where $\varphi^L(x)$ is the lower bound obtained when using the Chernoff bound to estimate the real value according to the expected value.

We denote the number of total pulses sent out in the $X$ windows by $N_X$, and the number of error effective events by $m_X$; then we have the error counting rate of $X$ windows

$$T_X = \frac{m_X}{N_X}. \tag{B10}$$

Then we have

h e ph i = h T X i − e − µ a − µ b h S oo i / e − µ a − µ b ( µ a + µ b ) h s i , (B11)

where $\langle T_X \rangle$ is the expected value of $T_X$. Here we have used the fact that the expected value of the error rate of vacuum pulses are always .

Finally, by using the Chernoff bound [30], we can get the upper bound of the number of phase-flip errors before TWCC.

Appendix C: Zigzag approach to phase error after OPER
Here we review the main idea of the zigzag approach [23] on how to calculate the phase-error rate after OPER, with finite data size.

Suppose they have $n_t$ effective bits in $Z$ basis, where $N_u$ of them are untagged bits before OPER. After random pairing, there are $n_{uu}$ untagged pairs, formed by $M = 2n_{uu}$ untagged bits. Given the lower bound on the number of untagged bits in $Z$ basis, $n_{uu}$ can be lower bounded by our Result 2.1.

For clarity, we imagine replacing those $N_u$ untagged bits by $N_u$ virtual bipartite entangled single photons shared by Alice and Bob. However, since there is no bit-flip error, each photon lives in a two-dimensional space only. We shall simply call these bipartite entangled single photons qubits.

Consider those $M = 2n_{uu}$ qubits that form the $n_{uu}$ untagged pairs. Before random pairing, they are a random subset of the set of all those $N_u$ untagged qubits (recall our Remark 3.1). Therefore we can apply the quantum de Finetti theorem [16, 43].

Main idea: We shall consider the mathematical properties of the density operator of those $M$ qubits, $\rho$. According to the quantum de Finetti theorem, there exists another density operator $\tilde{\rho}$ which has a very small trace distance from $\rho$. We name this $\tilde{\rho}$ the associate state of $\rho$. Among the $M$ qubits for state $\tilde{\rho}$, there are $M - r$ qubits in a classical mixture of states where every qubit is identical. We denote the set of these $M - r$ qubits by $I_D$. Without any loss of generality, the density operator of the qubits in set $I_D$ can be written in the following form:

$$\tilde{\rho}' = \int f(p)\, \sigma_p^{\otimes (M-r)}\, dp \tag{C1}$$

where $\sigma_p$ is a qubit density operator that has probability $p$ of taking a phase error and $f(p)$ is the probability distribution on the phase-error probability $p$. The above form of state $\tilde{\rho}'$ means that every qubit is in a certain independent and identical state $\sigma_p$, and there is a probability distribution over all possible $\sigma_p$. Although we are not able to calculate the upper bound of the phase error after OPER with the input state $\rho$, we can upper bound the number of phase errors after OPER with the associate state $\tilde{\rho}$. This also upper bounds the number of phase errors with input $\rho$, with a small failure probability, since the trace distance between states $\rho$ and $\tilde{\rho}$ is very small.

1) For state $\rho$, the number of phase errors $m_e$ is upper bounded by $\bar{m}_e$, i.e.

$$m_e \le \bar{m}_e \tag{C2}$$

with a failure probability at most $\epsilon$. This fact is verified by the error test in $X$ basis and the decoy-state analysis.

2) Applying the quantum de Finetti theorem, there exists another $M$-qubit density operator $\tilde{\rho}$ with the following two mathematical properties: i) The trace distance between $\rho$ and $\tilde{\rho}$ is at most $\epsilon$, i.e.

$$D(\rho, \tilde{\rho}) \le \epsilon \tag{C3}$$

and ii) In state $\tilde{\rho}$, $M - r$ qubits are in a classical mixture of independent and identically distributed (iid) states, as shown in Eq. (C1). We denote the set of these $M - r$ qubits by $I_D$. Also, Eqs. (C2) and (C3) mathematically constrain the number of phase errors $\tilde{m}_e$ for state $\tilde{\rho}$ by

$$\tilde{m}_e \le \bar{m}_e \tag{C4}$$

with a failure probability $\epsilon$.

3) Given the properties above for density operator $\tilde{\rho}$, the number of phase errors $\tilde{m}'_e$ of set $I_D$ is at most $\bar{m}_e$, i.e.,

$$\tilde{m}'_e \le \bar{m}_e \tag{C5}$$

with a failure probability upper bounded by $\epsilon$.

4) We can upper bound the value of $p$ in the state of Eq. (C1) with failure probability $\epsilon$. The qubits in set $I_D$ are in classical mixture states where every qubit has the same probability $p$ to carry a phase-flip error, as shown in Eq. (C1). Naively speaking, this value $p \le 1$. However, we can have a nontrivial upper bound for the value $p$ by applying the constraint of Eq. (C5). Say, if we choose the upper bound value to be $p_e$, we can compute the failure probability $\epsilon$ for the inequality

$$p \le p_e. \tag{C6}$$

Here in our numerical simulation, we have taken $p_e = \frac{\bar{m}_e}{M - r}$ as the upper bound of the phase-flip error rate of set $I_D$. As shown at the end of this subsection, the failure probability for inequality (C6) ε is bounded by

ε ≤ ε (C7)

5) Number of phase errors after OPER. Define a pair containing two qubits from set $I_D$ as a $DD$-pair. With step 4), we can regard every qubit in set $I_D$ as having an independent and identical probability $p$ of being a phase error, with constraint $p \le p_e$. Taking the worst case $p = p_e$, we can upper bound $m_s$, the number of phase-error odd-parity $DD$-pairs, by

$$m_s \le \bar{m}_s \tag{C8}$$

with a failure probability at most $\epsilon$, where $m_s$ is the number of phase errors after OPER and is upper bounded by $\bar{m}_s$. To explicitly calculate $\bar{m}_s$, we need to use the parity check operator given in Ref. [23]. In the $M$-qubit associate state $\tilde{\rho}$, there are $r$ qubits not belonging to set $I_D$. Consider the worst case for those $r$ bits not in set $I_D$ in random pairing in OPER: they participate in $r$ odd-parity pairs and each pair produces a phase error in its survived bit. We conclude the final equation for the number of phase-error untagged odd-parity pairs after OPER:

$$m'_s \le \bar{m}_s + r. \tag{C9}$$

6) Eq. (C9) also gives the upper bound of phase errors $m_{odd}$ of survived bits from odd-parity pairs with input state $\rho$,

$$m_{odd} \le \bar{m}_s + r \tag{C10}$$

with failure probability $\epsilon$.

Since all operations are done in $Z$ basis, it makes no difference if each side does the local measurement in the beginning. In this case, it is just a protocol taking random pairing on classical bits. In a protocol with pre-shared single-photon entangled states, the number of odd-parity pairs is directly observed.
In a real protocol with coherent states from each side, the lower bound of the number of odd-parity untagged pairs can be verified by the decoy-state method and the results in this paper.

All those $\epsilon_i$ are computable. ε is done by phase error estimation in the decoy-state method. ε is determined by the size of the whole set of untagged bits in $Z$ basis and the value $M$, the number of untagged bits for those $n_{uu}$ untagged pairs after random pairing. The lower bound of $M$ can be verified by Result 2.1. ε is determined by ε and ε while ε is upper bounded by 2 ε in Eq. (C7). ε is the failure probability of a binomial distribution as shown in Ref. [23]. ε is determined by ε and the trace distance between $\rho$ and $\tilde{\rho}$.

Proof of Eq. (C7): Consider Eq. (C1); the failure probability $\epsilon$ for inequality (C6) is

$$\epsilon = \int_{p_e} f(p)\, dp. \tag{C11}$$

To upper bound this $\epsilon$, we introduce a notation first: Notation C.1