Hacking on decoy-state quantum key distribution system with partial phase randomization
Shi-Hai Sun, Mu-Sheng Jiang, Xiang-Chun Ma, Chun-Yan Li, Lin-Mei Liang
aa r X i v : . [ qu a n t - ph ] J u l Hacking on decoy-state quantum key distribution system with partial phaserandomization
Shi-Hai Sun ∗ , Mu-Sheng Jiang, Xiang-Chun Ma, Chun-Yan Li, Lin-Mei Liang Department of Physics, National University of Defense Technology, Changsha 410073, P.R.China
Quantum key distribution (QKD) provides means for unconditional secure key transmis-sion between two distant parties. However, in practical implementations, it suffers fromquantum hacking due to device imperfections. Here we propose a hybrid measurement at-tack, with only linear optics, homodyne detection, and single photon detection, to the widelyused vacuum+weak decoy state QKD system when the phase of source is partially random-ized. Our analysis shows that, in some parameter regimes, the proposed attack would resultin an entanglement breaking channel but still be able to trick the legitimate users to believethey have transmitted secure keys. That is, the eavesdropper is able to steal all the keyinformation without discovered by the users. Thus, our proposal reveals that partial phaserandomization is not sufficient to guarantee the security of phase-encoding QKD systemswith weak coherent states.
Quantum key distribution (QKD) [1] admits two remote parties (Alice and Bob) to shareunconditional secure key based on the principle of quantum mechanics [2, 3], which has beendemonstrated in experiments with long distance and high repetition rate [4–7]. However, thepractical QKD system will suffer from quantum hacking due to device imperfections [8–15], thenthe unconditional security of QKD is compromised. In practical QKD systems based on BB84protocol, the weak coherent source (WCS) is often used to replace the single photon source whichis unavailable within current technology. However, the WCS contains multi-photon pulse withnonzero probability which will cause the photon-number-splitting (PNS) attack [16, 17], then themaximal secure distance of practical QKD system will be limited in tens of kilometers. Luckily,decoy state method [18–21] can efficiently overcome this problem, and extend the secure distanceof QKD to hundreds of kilometers.When the phase of WCS has been totally randomized, the source is a mixed state of all numberstates, and the channel between Alice and Bob can be considered as a photon number channel.Then, the key rate is given by the GLLP formula [3], R = q {− Q µ f ( E µ ) H ( E µ ) + µe − µ Y L [1 − H ( e U )] } , (1) ∗ email:[email protected] where q = 1 / H ( x ) is binary Shannon entropy, f ( E µ ) is theerror correction efficiency. Q µ and E µ are the total gain and QBER, which can be measured inexperiment. Y L and e U are the lower bound of yield and upper bound of QBER for single photonpulses, which must be estimated by Alice and Bob according to their measurement results. Infact, the main contribution of decoy state method is that it can give out the tight bound of Y and e with finite resources. For instance, the weak+vacuum decoy state method is enough for thelegitimate parties to tightly estimate the yield and QBER of single photon pulses, in which Alicerandomly sends three kinds of pulses with different intensities, signal state µ , decoy state ν , andvacuum state. After the communication, Alice and Bob calculate the total gain ( Q µ , Q ν and Q vac )and QBER ( E µ , E ν and E vac ) in experiment, then they estimate the lower bound of yield ( Y L )and the upper bound of QBER ( e U ) for the single photon pulse, which are given by [21] Y L = µµν − ν ( Q ν e ν − Q µ e µ ν µ − µ − ν µ Q vac ) ,e U = E ν Q ν e ν − E vac Q vac Y L ν . (2)Obviously, the phase randomization is the base of decoy state method. However, in practicalsituations, this assumption may not hold, since Eve may have some prior information about therandom phase of source. For example, in two-way systems, the source is totally controlled byEve, thus she can exactly know the phase of source; or in some systems, the pulse is generated bycutting off the coherent laser with a intensity modulation, and there may exits phase relationshipamong different pulses. In fact, some potential attack on source had been proposed [9, 15, 22].In Ref.[22], Lo and Preskill pointed out that the phase randomization assumption is necessary forthe security of BB84 protocol using WCS, and obtained the key rate formula with nonrandomphase. In Ref.[15], Tang et al. proposed and demonstrated an attack, based on a linear-opticunambiguous state discrimination measurement and PNS, to show that the security of a QKDsystem with nonrandom phase will be compromised. In Ref.[9], our group proposed an attack toshow that the QKD system is still insecure even if the phase of source is partially randomized, butit is invalid for the widely used weak+vacuum decoy state method (their attack is only valid forthe special one-decoy state method in some parameter regimes).In this paper we propose a more powerful hybrid measurement attack, with only linear optics,homodyne detection, and single photon detection (SPD), to the widely used vacuum+weak decoystate QKD system when the phase of source is partially randomized. Here partial phase random-ization means that the phase of source is randomized within the range of [0 , δ ), where δ ≤ π .Note that δ = 0, δ < π and δ = 2 π represents unrandomization, partial randomization and total (cid:1) (cid:1)(cid:2) (cid:2) (cid:3) (cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9) (cid:2)(cid:3) (cid:1)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9) (cid:15)(cid:16)(cid:9) (cid:17)(cid:18) (cid:3)(cid:19)(cid:2)(cid:7)(cid:20)(cid:21)(cid:6)(cid:9)(cid:22)(cid:23)(cid:24)(cid:10)(cid:25)(cid:10)(cid:20)(cid:22)(cid:26)(cid:9)(cid:25)(cid:9)(cid:8)(cid:25)(cid:7)(cid:10)(cid:20)(cid:19) (cid:27) (cid:19) (cid:28) (cid:29) (cid:11) (cid:2) (cid:30)(cid:10)(cid:31)(cid:10)(cid:26) (cid:20)(cid:9)(cid:22)(cid:26)(cid:9)(cid:25)(cid:9)(cid:8)(cid:25)(cid:7)(cid:10)(cid:20)(cid:26) (cid:28) (cid:26) (cid:27) FIG. 1: The diagram of the hybrid measurement attack. r ( s ) is the signal (reference) pulse of Alice.BS: beam splitter with transmittance 1/2; D and D are single photon detectors (SPDs); d and d arephotodiodes; x is the output of homodyne detection; LD: laser diode which is used by Eve to generate thereference pulse (LO pulse) of homodyne detection; PM: phase modulator which is used by Eve to modulate aphase (0 or π/
2) on LO. Jr.Eve has the same equipments as Alice, which is used to resend faked states to Bobaccording to her measurement results. Note that, Eve measures both r and s of Alice with a interferometerin the single photon detection part, but she only measures the phase information of s in the homodynedetection part. randomization, respectively. When the phase of source is just partially randomized, the photonnumber channel assumption, which is the base of the decoy state, is invalid, then Eve can use thisinformation to enhance her ability to spy the secret key. Our analysis shows that the proposedattack would result in an entanglement breaking channel but still be able to trick the legitimateusers to believe they have transmitted secure keys. That is, the eavesdropper is able to steal allthe key information without noticed by the users. Thus, our proposal reveals that partial phaserandomization is not sufficient to guarantee the security of phase-encoding QKD systems withcoherent states.Furthermore, we remark that, recently, the measurement device independent (MDI-) QKD isproposed [23] and demonstrated [24, 25] to exclude all the detection loopholes, but it requires thatthe source can be fully characterized. Specially, when WCS is used in practical MDI-QKD sytems,it also needs to ensure that the phase of source is totally randomized, otherwise, the decoy statemethod (weak+vacuum decoy state method) [26–29] can not be applied to estimate the key rate.Thus we think that our work is also significant for the MDI-QKD. Results
A diagram of our hybrid measurement attack is shown in Fig.1. Eve first splits Alice’s pulses(both r and s ) into two parts with a beam splitter (BS). Without loss generality, here we assumethe transmittance of BS is 1/2, and label the reflected part as a and transmitted part as b . For thepart a , Eve lets r and s to interfere with an asymmetry interferometer, then she records the resultswith two single photon detectors ( D and D ). For the part b , Eve generates a strong referencepulse (LO pulse) with her own laser diode (LD), and randomly modulates a phase ( φ e = 0 , π/ s to interfere with the LO pulse, andrecords the results with a homodyne detection which is composed with two photodiodes ( d and d ) and a subtracter. Note that, r is neglected in homodyne detection part, since it does not carrythe encoding phase of Alice. Furthermore, excepting phase information, the LO pulse generatedby Eve should be indistinguishable with the s in frequency, polarization and other dimensions.We think it is possible for Eve to generate the indistinguishable pulse with Alice, since, exceptingphase information, other characters of Alice’s laser are excluded in the secure model of Alice andcan be known by Eve.Now we give an explanation of our attack and show that it can be applied to the widelyused weak+vacuum decoy state method. In BB84 protocol with WCS, the state of Alice can bewritten as | αe i ( θ + φ ) / √ i s | αe iφ / √ i r , where α is real and | α | = µ is the intensity of Alice’s pulse, θ = { , π/ , π, π/ } is the encoding phase of Alice, φ ∈ [0 , δ ) is the random phase of source and δ is the range of phase randomization. According to the measurement theory, the probability that D and D click in the single photon detection part and measurement result x is obtained in thehomodyne detection part are given by P D = 1 − (1 − Y E ) e − µη E [1+ cos ( θ )] / ,P D = 1 − (1 − Y E ) e − µη E [1 − cos ( θ )] / ,P x ( θ, φ, φ e ) = s πκ E e − x − λ E | α | cos ( θ + φ − φ e ) / /κ E , (3)where Y E ( η E ) is the dark count (detection efficient) of Eve’s SPDs, φ e = 0 , π/ κ E and λ E represent the imperfection of Eve’shomodyne detection ( κ E = λ E = 1 for perfect homodyne detection).According to Eq.3, P D and P D are independent on the random phase φ , but P x ( θ, φ, φ e )depends on φ . Since Eve has no prior information about φ excepting that φ ∈ [0 , δ ), thus theprobability distribution of x should be written as P x ( θ, φ e ) = Z δ dφδ P x ( θ, φ, φ e ) . (4)The theoretical distribution of x is shown in Fig.2(a), which clearly shows that Eve can use x to distinguish encoding phase of Alice. For example, Eve can set a threshold ( x > x is larger than x , she judges that θ = 0, and when x < − x , she judges that θ = π , −2 −1 0 1 200.20.40.60.8 x P x θ =0 θ = π /2 θ = πθ =3 π /2 0.1 0.2 0.3 0.4 0.50.050.10.150.20.25 µ e rr o r r a t e e AE e AB FIG. 2: (a)The theoretical distribution of x for different encoding phase of Alice, which are drawn accordingto Eq.4. Here we assume φ e = 0, δ = π/ µ = 0 .
3. (b) The error rate of Eve and Bob under our attack,which are drawn according to Eq.7. The solid line shows the error rate between Alice and Eve, and thedashed line shows the error rate between Alice and Bob. Here we set δ = 10 ◦ , x = 1 .
5, and assume thatthe detection setups of both Alice and Bob are perfect. otherwise ( − x < x < x ), she randomly guess Alice’s bit. Note that, in BB84 protocol, Alicerandomly chooses her phase from two bases, thus Eve also should randomly modulate a phase( φ e = 0 , π/
2) on the LO pulse with a PM to judge which basis is used by Alice. In fact, thispart is the same as the partially random phase (PRP) attack proposed by our group [9], however,the PRP attack is invalid for the weak+vacuum decoy state method due to the fact that thehomodyne detection will export a successful result ( x > x or x < − x ) with high probability,even if a vacuum state is sent by Alice, thus the total gain and QBER are much larger than theexpectation of Bob without Eve. In order to reduce the disadvantage of homodyne detection, weintroduce an additional measurement for Eve. Eve uses an interferometer and two SPDs to judgewhether there is photon in Alice’s pulse or not. Only when one of her SPD clicks, she resends afaked state to Bob, otherwise, she resends a vacuum state to Bob. Therefore, the mapping fromEve’s measurement results to the phase of her faked state ( θ e ) is given by φ e = 0 x > x and P D click → θ e = 0 ,x < − x and P D click → θ e = π, otherwise → vacuum pulse .φ e = π/ x > x and P D click → θ e = π/ ,x < − x and P D click → θ e = 3 π/ , otherwise → vacuum pulse . (5)And the conditional probability that Eve resends the state with phase θ e = kπ/ k = 0 , , , θ is given by P | θe = 12 P D Z ∞ x dx Z δ dφδ P x ( θ, φ, φ e = 0) ,P π/ | θe = 12 P D Z ∞ x dx Z δ dφδ P x ( θ, φ, φ e = π/ ,P π | θe = 12 P D Z − x −∞ dx Z δ dφδ P x ( θ, φ, φ e = 0) ,P π/ | θe = 12 P D Z − x −∞ dx Z δ dφδ P x ( θ, φ, φ e = π/ . (6)Thus, when Eve is present, the probability that she successfully obtains a measurement event, theQBER between Alice and Bob ( e AB ), and the QBER between Alice and Eve ( e AE ) are given by P Esucc = 14 X j =0 3 X k =0 P kπ | jπ e ,e AB = 14 X j =0 P k =0 P kπ | jπ e e ABk | j P k =0 P kπ | jπ e ,e AE = 14 X j =0 P k =0 P kπ | jπ e e AEk | j P k =0 P kπ | jπ e , (7)where e ABk | j is the error rate introduced by Eve’s faked state with phase jπ/ θ = jπ/ e AEk | j is the error rate of Eve for given k and j . The error rate e AB and e AE are shown in Fig.2(b), which clearly shows that the error rate between Alice and Eve is muchsmaller than the error rate between Alice and Bob. Here we remark that although e AE is smallerthan e AB , it does not means no secret key can be derived due to the fact that post-processingis not symmetric between Eve and Bob. In fact, if we want to show our attack is succeed andthe QKD system is insecure, we must show that the lower bound of the estimated key rate giventhat Eve implements her attack but the legitimate parties ignore it is larger than the upper boundof key rate under the given attack [15]. For example, our analysis shows that, when our attackis implemented but the legitimate parties ignore it, the estimated key rate per pulse by Aliceand Bob can be larger than 10 − in some parameters regimes, but in fact our attack belongs tointercept-and-resend attack (Eve measures all the signals and resend her prepared pulses to Bob),which corresponds to an entanglement-breaking channel and no secret key can be generated underthis channel. In other words, the upper bound of key rate under our attack is zero. Thus all theestimated key are insecure. In the following, we give a detailed analysis.Since Eve can not distinguish the signal state, decoy state and vacuum state, thus we assumethat Eve resends a single photon state to Bob when she successfully obtains a measurement event. −6 −5 −4 −3 −2 k e y r a t e / pu l s e x c h a nn e l l e ng t h / k m δ =5 o δ =10 o δ =15 o len FIG. 3: The estimated key rate of Alice and Bob under our attack. But in fact, the key are inse-cure, since our attack corresponds to an entanglement-breaking channel and no secret key can be gen-erated under this channel. Here we also show the equivalent channel length of Q µ , defined as len = − (10 /a ) log { min(1 , Q µ / ( µη Bob ) } ( a = 0 .
21 is the loss of standard fiber), which represents the minimalchannel length of Alice and Bob that Eve can successfully load our attack. In the simulations, we as-sume that the SPD and homodyne detection of Eve are perfect, and set f ( E µ ) = 1 . Y = 1 . × − , η Bob = 0 . µ = 0 .
48, and ν = 0 . In other words, the total gain and QBER under our attack are given by Q ω = η Bob P Esucc + (1 − P Esucc η Bob ) Y ,Q ω E ω = η Bob P Esucc e Eve + (1 − P Esucc η Bob ) Y e . (8)where ω = { µ, ν, } , Y is the dark count of Bob’s SPD, e = 1 / η Bob is the transmittance of Bob’s setups. P Esucc and e Eve = e AB are given by Eq.7 for differentintensity of pulses.By substituting Eq.8 into Eq.1, we can estimate the key rate under our attack, which is shownin Fig.3. It clearly shows that even Eve is present, Alice and Bob still can obtain positive key rate.For example, when δ = 10 ◦ , the key rate is positive if Eve sets 1 . < x < .
63. However, thesekey are insecure in this range, since our attack corresponds to an entanglement-breaking channeland no secret key can be generated under this channel. Furthermore, we estimate the key ratefor different intensities of signal state and decoy state in Fig.4, which also clearly shows that ourattack is valid in some parameter regimes.
Discussion
According to the analysis above, we know that when the phase of source is partially randomized,the security of the widely used weak+vacuum decoy state QKD will be compromised. Our attack ν µ . . . . . . FIG. 4: The estimated key rate of Alice and Bob for different µ and ν when Eve is present. In the simulations,we set x = 1 . δ = 10 ◦ , and other parameters are the same as Fig.3. shows that, in some parameter regimes, when Eve is present, the legitimate parties will be cheatedand the estimated key rate is still positive, but in fact, the generated key are insecure, since ourattack belongs to intercept-and-resend attack (Eve measures all the signals and resend her preparedpulses to Bob), which corresponds to an entanglement-breaking channel and no secret key can begenerated under this channel. Here we remark that, we do not claim our attack is optimal forEve to exploit the partially random phase of source, in fact our attack is valid just in some givenparameter regimes. However, our attack still plays an important role in reminding the legitimateusers that, phase randomization is necessary to guarantee the security of practical QKD systemwith WCS, and, instead of calibrating the random phase before the communication, they mustcarefully consider the phase randomization assumption and ensure that this assumption hold inthe communication progress, otherwise their system may be insecure.In the end we discuss three countermeasures. The first one is that Alice uses an active phaserandomization equipment [30, 31] to ensure that the phase of source is totally randomized, thenour attack is automatically removed. Obviously, this method is the best way for Alice, since itcan remove not only our hybrid measurement attack but also other undiscovered attacks based onthe random phase of sources, but it may increase the complexity of the system, or introduce otherpotential and undiscovered loopholes. Note that even an active phase randomization equipmentis used by Alice, it is still necessary for her to check the degree of phase randomization in thecommunication program (but not calibrate it before the communication) to ensure that the phaseof source is really randomized in [0 , π ) and Eve does not break the efficiency of her active phaserandomization equipment. The second one is that the legitimate parties carefully design the systemparameters to ensure that Eve can not load our attack in these parameter regimes. This methodis valid for our hybrid measurement attack, since they know which parameter regimes are secureif they clearly know the parameters of their system, but there may exist other potential hackingstrategies so that Eve can also exploit the partially random phase to spy the final key in otherparameter regimes. The third one is that the legitimate parties carefully monitor the experimentaldata but not only estimate the key rate with these experimental data. For example, they cancheck the rate of gain Q µ /Q ν . In the parameters of Fig.3, Q µ /Q ν ≈ µ/ν = 4 . Q µ /Q ν ≈ .
79 when Eve is present, which is higher than theexpectation 4.8. Furthermore, they also can monitor, with a prior information about the loss ofchannel, the total gain adn QBER of signal state and decoy state, and so on.
Method
Here we give a simple proof of Eq.3. The state out of Alice can be written as | αe i ( φ + θ ) / √ i s ⊗| αe iφ / √ i r , when the two modes pass the BS of Eve (here we simply assume the transmittance ofBS is 1/2, in fact Eve can optimize this parameter to maximize her information), the final statesare | αe i ( φ + θ ) i as | αe iφ i ar | αe i ( φ + θ ) i bs | αe iφ i br . (9)If the interferometer of Eve is perfect, the state output of the interferometer can be written as | √ αe iφ (1 + e iθ ) i D | √ αe iφ (1 − e iθ ) i D . (10)Thus if the SPD of Eve is also perfect, the probability that D and D click is given by P D = 1 − (1 − Y E ) e − η E | √ αe iφ (1+ e iθ ) | = 1 − (1 − Y E ) e − η E | α | [1+ cos ( θ )] / ,P D = 1 − (1 − Y E ) e − η E | √ αe iφ (1 − e iθ ) | = 1 − (1 − Y E ) e − η E | α | [1 − cos ( θ )] / . (11)Furthermore, for a coherent state | α i , the probability distribution of the measured result of homo-dyne detection can be written as [9] P x = s πκ E e − x − λ E | α | cos ( θ )] /κ E , (12)where θ is the relative phase of signal pulse and local pulse. Thus, it is easy to obtain the thirdequation of Eq.3 for the mode bs .0Finally, we list e Bk | j and e Ek | j , which are given by e ABk | j = [ e Bkj ] = / / / / / / / / ,e AEk | j = [ e Ekj ] = . (13) [1] Bennett, C. H., Brassard, G. Quantum cryptography: public key distribution and coin tossing. Paperpresented at International Conference on Computers, Systems and Signal Processing, Bangalore, India.New York: IEEE. p.175-179 (1984).[2] Shor, P. W., Preskill, J. Simple Proof of Security of the BB84 Quantum Key Distribution Protocol. Phys. Rev. Lett. , 441-444 (2000).[3] Gottesman, D., Lo, H. K., L¨utkenhaus, N., Preskill, J. Security of quantum key distribution withimperfect devices. Quantum Inf. Comput. , 325 (2004).[4] Wang, S. et al. Opt. Lett. , 1008-1010 (2012).[5] Namekata, N., Adachi, S., Inoue S. 1.5 GHz single-photon detection at telecommunication wavelengthsusing sinusoidaly gated InGaAs/InP avalanche photodiode. Opt. Express , 6275-6282 (2009).[6] Yuan, Z. L., Dixon, A. R., Dynes, J. F. et al. Gigahertz quantum key distribution with InGaAs avalanchephotodiodes.
Appl. Phys. Lett. , 201104 (2008).[7] Liu, Y., Chen, T. Y. et al. Decoy-state quantum key distribution with polarized photons over 200km.
Opt. Express , 8587-8594 (2010).[8] Sun, S. H., Jiang, M. S., Liang, L. M. Passive Faraday-mirror attack in a practical two-way quantumkey distribution. Phys. Rev. A , 062331 (2011).[9] Sun, S. H., Gao, M. et al. Partially random phase attack to the practical two-way quantum-key-distribution system.
Phys. Rev. A , 032304 (2012).[10] Gerhardt, I., Liu, Q. et al. Full-field implementation of a perfect eavesdropper on a quantum cryptog-raphy system.
Nat. Commun. , 349 (2011).[11] Lydersen, L., Wiechers, C. et al. Hacking commercial quantum cryptography systems by tailored birghtillumination.
Nat. Photon. , 686 (2010).[12] Jain, N., Wittmann, C. et al. Device Calibration Impacts Security of Quantum Key Distribution.
Phys.Rev. Lett. , 110501 (2011). [13] Xu, F. H., Qi, B., Lo, H. K. Experimental demonstration of phase-remapping attack in a practicalquantum key distribution system. New J. Phys. , 113026 (2010).[14] Qi, B., Fred Fung, C. H., Lo, H. K., Ma, X. F. Time-shift attack in practical quantum cryptosystems. Quant. Inf. Comput. , 073 (2007).[15] Tang, Y. L., Yin, H. L., Ma, X. F., et al. Source attack of decoy-state quantum key distribution usingphase information.
Phys. Rev. A , , 022308 (2013).[16] Huttner, B., Imoto, N., Gisin, N., Mor, T. Quantum cryptography with coherent state. Phys. Rve. A , 1863 (1995).[17] Brassard, G., L¨utkenhasu, N., Mor, T., Sanders, B. C. Limitations on Practical Quantum Cryptography. Phys. Rve. Lett. , 1330 (2000).[18] Hwang, W. Y. Quantum Key Distribution with High Loss: Toward Global Secure Communication. Phys. Rve. Lett. , 057901 (2003).[19] Wang, X. B. Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography. Phys.Rve. Lett. , 230504 (2005).[20] Lo, H. K., Ma, X. F., Chen, K. Decoy State Quantum Key Distribution. Phys. Rev. Lett. , 230504(2005).[21] Ma, X. F., Qi, B. et al. Practical decoy state for quantum key distribution.
Phys. Rve. A , 012326(2005)[22] Lo, H. K., Preskill, J. Security of quantum key distribution using weak coherent states with nonrandomphases. Quant. Inf. Comput. , 431 (2007).[23] Lo, H. K., Curty, M., Qi, B. Measurement-Device-Independent Quantum Key Distribution. Phys. Rev.Lett. , 130503 (2013).[24] Liu, Y., Chen, T. Y., et al.
Experimental Measurement-Device-Independent Quantum Key Distribution.
Phys. Rev. Lett. , 130502 (2013).[25] Rubenok, A., Slater, J. A., Chen, P., Lucio-Martinez, I., Tittel, W. Real-World Two-Photon Interfer-ence and Proof-of-Principle Quantum Key Distribution Immune to Detector Attacks.
Phys. Rev. Lett. , 130501 (2013).[26] Wang, X. B. Three-intensity decoy state method for device-independent quantum key distribution withbasis-dependent errors.
Phys. Rev. A , 012320 (2013).[27] Ma, X. F., Fred Fung, C. H., Razavi, M. Statistical fulctuation analysis for measurement-device-independent quantum key distriubiton. Phys. Rev. A , 052305 (2012).[28] Xu, F. H., Curty, M., Qi, B., Lo, H. K. Practical Measurement-Device-Independent Quantum KeyDistribution. New J. Phys. , 113007 (2013).[29] Sun, S. H., Gao, M., Li, C. Y., Liang, L. M. Practical decoy-state measurement-device-independentquantum key distribution. Phys. Rev. A , 052329 (2013).[30] Zhao, Y., Qi, B., Lo, H. K. Experimental quantum key distributioin with active phase randomization. Appl. Phys. Lett. 90 , 044106 (2007). [31] Sun, S. H., Liang, L. M. Experimental demonstration of an active phase randomization and monitormodule for quantum key distribution. Appl. Phys. Lett. 101 , 071107 (2012).
Acknowledgements
This work is supported by the National Natural Science Foundation of China, Grant No.61072071, and Grant No. 11304391.
Author contributions
S.H.S proposed the main idea of this paper, and does the theoretical analysis and the numericalsimulations. M.S.J, X.C.M, C.Y.L and L.M.L contribute the theoretical analysis. All authors agreethe contents of the paper.