## Introduction

Quantum key distribution (QKD)1,2 provides a secret key shared between two remote legitimate parties with information-theoretic security, enabling private communication regardless of an adversary’s computational power and advanced hardware technology. It also has a welcome feature that, for a simple prepare-and-measure type of QKD protocols, the sender’s and the receiver’s device can be implemented with current technology such as lasers, linear optics components, and photon detectors. A drawback is a limitation on the key generation rate stemming from the loss in the channel. For a direct link from the sender to the receiver, the key rate cannot surpass the loss bounds3,4 of $$O(\eta )$$, where $$\eta$$ is the single-photon transmissivity of the link. Although quantum repeaters5 are known to beat this limitation by placing untrusted intermediate stations to segment the link, the required technology to manipulate quantum states is demanding. Early proposals to mitigate this demand to beat the $$O(\eta )$$ scaling still requires quantum memories6 or quantum non-demolition (QND) measurements7, which are currently in the developing stage.

Surprisingly, possibility of achieving an $$O\left( {\sqrt \eta } \right)$$ scaling with current technology was recently proposed8 as a protocol called twin-field (TF) QKD, a variant of the measurement-device independent (MDI) protocols9. In this protocol, an untrusted station Charlie sitting midway between Alice and Bob simply conducts an interference measurement to learn the relative phase between the pulse pair sent from Alice and Bob. On the surface, the scaling may be understood from the interpretation that a photon detected by Charlie has traveled either the Alice-Charlie segment or the Bob-Charlie segment with transmissivity $$\sqrt \eta$$. But a similar phase encoding scheme was already adopted in an earlier MDI-QKD protocol10, which did not achieve the $$O\left( {\sqrt \eta } \right)$$ scaling. The essential point lies elsewhere, in how Alice and Bob can monitor the adversary’s attack on the link and on Charlie’s apparatus. For this purpose, the TF QKD was specifically designed so as to attain the compatibility to the standard decoy-state method11,12,13, which have been successfully used in other QKD protocols.

As the original proposal8 lacked a rigorous security proof, many intensive studies14,15,16,17,18,19,20,21 have been devoted to achieving information-theoretic proofs of variants of TF QKD15,16,17 and a family of similar protocols called phase-matching (PM) QKD14,18,19,20,21. As was the case for other QKD protocols, these first proofs mainly consider the asymptotic regime. All the key rates shown to beat the loss bounds so far are achievable only in the limit of infinitely large number of pulses being sent. Explicit formulation in the finite-size regime is found only in the work of Tamaki et al.15, but this early proposal barely surpasses the loss bounds even in the asymptotic limit, and no numerical values were given for finite-size effect. Hence, at this point, we have totally no clue on how long one must run a QKD protocol on end to beat the loss bounds. It could be hours, days, or even longer.

We should also be aware that the finite-size regime is not a mere appendage to the asymptotic regime. In the latter regime, the fraction of the communication time devoted to the monitoring of the adversary is assumed to be negligible. This implies that one is allowed to invest an infinite resource to the monitoring with no penalty, despite the fact that the monitoring is the main obstacle in the TF-type protocols. In fact, the protocol by Lin and Lütkenhaus20, which attains both the simplest of the proofs and the highest of the asymptotic key rates, adopts a newly proposed generalization of the decoy-state method for a complete characterization of the adversary’s act, by using the set of test states composed of coherent states with every complex amplitude. Although it gives a lucid view on the problem, it is probably not the shortest route to answer the ultimate question of whether one can find a protocol with information-theoretic security to beat the loss bounds with current technology.

Here we positively answer to the above question by proposing a variant of PM-QKD protocol equipped with a simple security proof in the finite-size regime. Our protocol also involves a kind of extension of the standard decoy-state method, but interestingly, its direction is the opposite of the generalization by Lin and Lütkenhaus: we try to learn about the adversary’s act as little as possible except the parameter crucial for the security. For this purpose, we construct a minimal set of test states to satisfy an operator inequality, which we call an operator dominance condition. Our method drastically simplifies the analysis of the finite-size effect to just a double use of classical Bernoulli sampling.

## Results

### Proposed protocol

The setup for our proposed protocol is illustrated in Fig. 1. In order to distribute a secure key, Alice and Bob both send optical pulses to Charlie, the central untrusted station. Each of the senders randomly switches between the signal mode and the test mode. They use the signal mode for accumulating raw key bits and the test mode for monitoring the amount of leak.

The signal mode is based on the PM-QKD protocol14, which is common to previous proposals18,19,20,21. We assume Alice and Bob have phase-locked pulse sources to generate in-phase pulses. Each party encodes a random bit by applying 0 or π phase shift to the pulse with a fixed intensity μ (defined in terms of its mean photon number) and sends it to Charlie. He measures and announces whether the two pulses are in-phase or anti-phase, by using a 50:50 beam-splitter and a pair of photon detectors. Successful detection at Charlie allows Alice and Bob to learn whether their bits have the same or different values. Thus, by appropriately flipping Bob’s bits, Alice, and Bob can accumulate shared random bits by repetition, which we call sifted keys.

As in refs. 19,21, we associate the amount of leak to the phase errors in an equivalent protocol in which Alice and Bob use auxiliary qubits A and B. Let us call $$\left\{ {\left. {|0} \right\rangle ,\left. {|1} \right\rangle } \right\}$$ the Z basis of a qubit, and $$\left\{ {\left. {\left| \pm \right.} \right\rangle : = \left( {\left. {\left| 0 \right.} \right\rangle \pm \left. {\left| 1 \right.} \right\rangle } \right)/\sqrt 2 } \right\}$$ the X basis. Alice and Bob’s procedure in the signal mode can be equivalently executed by preparing the qubits AB and the optical pulses CACB in a joint quantum state

$${\frac{{\left| {0} \right\rangle _{\mathrm{A}}\left| {\sqrt{\mu}} \right\rangle _{{\mathrm{C}}_{\mathrm{A}}} + \left| {1} \right\rangle _{\mathrm{A}}\left| { - \sqrt \mu } \right\rangle _{{\mathrm{C}}_{\mathrm{A}}}}}{{\sqrt 2 }}} {\otimes \frac{{\left| {0} \right\rangle _{\mathrm{B}}\left| {\sqrt \mu } \right\rangle _{{\mathrm{C}}_{\mathrm{B}}} - \left| {1} \right\rangle _{\mathrm{B}}\left| { - \sqrt \mu } \right\rangle _{{\mathrm{C}}_{\mathrm{B}}}}}{{\sqrt 2 }}.}$$
(1)

Suppose that Charlie has declared K0 detected rounds after the repetition. This leaves the corresponding K0 pairs of qubits at Alice and Bob. If they measure the qubits in the Z basis, they obtain K0-bit sifted keys in the actual protocol. To assess the amount of leak in the sifted keys, we consider a virtual protocol in which they measure the qubits in the X basis instead and count the number of phase errors (X errors) among the K0 pairs. Here an X error is defined to be an event where the pair was found in either state $$\left. {| + } \right\rangle \left. {| - } \right\rangle$$ or $$\left. {| - } \right\rangle \left. {| + } \right\rangle$$. We denote the number of X errors as $$K_0^{({\mathrm{even}})}$$ for the reason we clarify later. If there is a promise that the phase error rate $$K_0^{({\mathrm{even}})}/K_0$$ is low, it implies that the leak on the sifted keys is small. Hence, the aim of the test mode is to gather data to compute a good upper bound eph on $$K_0^{({\mathrm{even}})}/K_0$$. In the asymptotic limit, shortening by fraction h(eph) via privacy amplification achieves the security22,23, where $$h(x) = - x{\mathrm{log}}_2x - (1 - x){\mathrm{log}}_2(1 - x)$$ for $$x \le 1$$/2 and $$h(x) = 1$$ for $$x > 1$$/2.

To obtain a good intuition on the meaning of the observable $$K_0^{({\mathrm{even}})}$$ in the virtual protocol, consider a scenario in which Alice and Bob make the X basis measurements before sending out the optical pulses. Notice that the state (Eq. 1) is rewritten as

$$\begin{array}{*{20}{l}} {\left({\sqrt {c_ + } \left| + \right\rangle _{\mathrm{A}}\left|\sqrt{\mu_{{\mathrm{even}}}}\right\rangle_{{\mathrm{C}}_{\mathrm{A}}} + \sqrt{c_ - } \left| - \right\rangle _{\mathrm{A}}\left|\sqrt{\mu _{{\mathrm{odd}}}}\right\rangle_{{\mathrm{C}}_{\mathrm{A}}}} \right)} \hfill \\ {\quad \otimes \left( {\sqrt {c_ - } \left| + \right\rangle_{\mathrm{B}}\left|\sqrt{\mu _{{\mathrm{odd}}}}\right\rangle _{{\mathrm{C}}_{\mathrm{B}}} + \sqrt {c_ + } \left| - \right\rangle _{\mathrm{B}}\left|\sqrt{\mu _{{\mathrm{even}}}}\right\rangle _{{\mathrm{C}}_{\mathrm{B}}}} \right),} \hfill \end{array}$$
(2)

where $$c_ + : = {\mathrm{e}}^{ - \mu }{\kern 1pt} {\mathrm{cosh}}{\kern 1pt} \mu$$ and $$c_ - : = e^{ - \mu }{\kern 1pt} {\mathrm{sinh}}{\kern 1pt} \mu$$. The state $$\left. {|\sqrt{\mu _{{\mathrm{even}}}}} \right\rangle : = \left( {\left. {|\sqrt \mu } \right\rangle + \left. {|\sqrt { - \mu } } \right\rangle } \right)/2\sqrt {c_ + }$$ consists of even photon numbers, whereas the state $$\left. {|\sqrt{\mu _{{\mathrm{odd}}}}}\right\rangle : = \left( {\left. {|\sqrt \mu } \right\rangle - \left. {|\sqrt { - \mu } } \right\rangle } \right)/2\sqrt {c_ - }$$ consists of odd photon numbers. Then, we may interpret that an X error occurs with probability $$p_{{\mathrm{even}}}: = c_ + ^2 + c_ - ^2 = {\mathrm{e}}^{ - 2\mu }{\kern 1pt} {\mathrm{cosh}}{\kern 1pt} 2\mu$$ and the optical pulses are sent in state $$\rho ^{({\mathrm{even}})}$$, which is given by

$$\begin{array}{*{20}{l}} {p_{{\mathrm{even}}}\rho ^{({\mathrm{even}})}} \hfill & = \hfill & {c_ + ^2\left| {\sqrt{\mu} {\,\!}_{{\mathrm{even}}}\sqrt{\mu} {\,\!}_{{\mathrm{even}}} }\right\rangle \left\langle {\sqrt{\mu} {\,\!}_{{\mathrm{even}}}\sqrt{\mu} {\,\!}_{{\mathrm{even}}}} \right|} \hfill \\ {\,\!} \hfill & {\,\!} \hfill & { + c_ - ^2\left| {\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}} \right\rangle \left\langle {\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}} \right|.} \hfill \end{array}$$
(3)

For probability $$p_{{\mathrm{odd}}}: = 1 - p_{{\mathrm{even}}}$$, the optical pulses are sent in state $$\rho ^{({\mathrm{odd}})}$$, where

$$\begin{array}{*{20}{l}} {p_{{\mathrm{odd}}}\rho ^{({\mathrm{odd}})}} \hfill & = \hfill & {c_ + c_ - \left| {\sqrt{\mu} {\,\!}_{{\mathrm{even}}}\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}} \right\rangle \left\langle {\sqrt{\mu} {\,\!}_{{\mathrm{even}}}\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}} \right|} \hfill \\ {\,\!} \hfill & {\,\!} \hfill & { + c_ - c_ + \left| {\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}\sqrt{\mu} {\,\!}_{{\mathrm{even}}}} \right\rangle \left\langle {\sqrt{\mu} {\,\!}_{{\mathrm{odd}}}\sqrt{\mu} {\,\!}_{{\mathrm{even}}}} \right|.} \hfill \end{array}$$
(4)

We see that for state $$\rho ^{({\mathrm{even}})}$$, the total number of photons in the pulse pair is always even. Hence, the number $$K_0^{({\mathrm{even}})}$$ can be interpreted as the frequency of detection when the total emitted photon number of the pulse pair was even.

The main question is how we should design the test mode to estimate the number $$K_0^{({\mathrm{even}})}$$ in the signal mode. An obvious choice is to prepare actually the state $$\rho ^{({\mathrm{even}})}$$ as was proposed recently21, but generation of such a non-classical optical state with a good fidelity will be hard to realize in current technology. For the use of laser pulses, previous approaches18,19 for the asymptotic regime use the standard decoy-state method in which various detection rates labeled by emitted photon numbers are estimated. A bound on the phase error rate is then computed from those rates through a set of inequalities. Lin and Lütkenhaus20 generalized the decoy-state method to a kind of tomography, in which case tight estimation of phase error rate $$K_0^{({\mathrm{even}})}$$/$$K_0$$ should be possible. In order to simplify the security argument for the finite-size regime, here we take a more direct approach of constructing a state approximating $$\rho ^{({\mathrm{even}})}$$. Of course, $$\rho ^{({\mathrm{even}})}$$ is a highly non-classical optical state and thus it is impossible to approximate it by a mixture of coherent states. As the second-best plan, we propose to find a linear combination $$\mathop {\sum}\nolimits_i {{\kern 1pt} \alpha ^{(i)}\rho ^{(i)}(\alpha ^{(i)} \in {\Bbb R})}$$ of test states $$\{ \rho ^{(i)}\}$$ to approximate $$\rho ^{({\mathrm{even}})}$$. The crux is that we allow coefficients $$\{ \alpha ^{(i)}\}$$ to include negative values as long as it satisfies an operator inequality,

$$\mathop {\sum }\limits_i {\kern 1pt} \alpha ^{(i)}\rho ^{(i)} \ge \rho ^{({\mathrm{even}})},$$
(5)

which we call an operator dominance condition.

Based on the above design policy, we found the following potocol (see Fig. 1).

1. 1.

Alice chooses a label from {“0”, “10”, “11”, “2”} with probabilities p0, p10, p11, and p2, respectively. According to the label, Alice performs one of the following procedures.

“0”: She generates a random bit a and sends a pulse with amplitude $$( - 1)^a\sqrt \mu$$.

“10”: She sends the vacuum.

“11”: She sends a phase-randomized pulse with intensity μ1.

“2”: She sends a phase-randomized pulse with intensity μ2.

2. 2.

Bob independently carries out the same procedure as Alice in Step 1.

3. 3.

Alice and Bob repeat Steps 1 and 2 in total of Ntot times.

4. 4.

For every pair of pulses received from Alice and Bob, Charlie announces whether the phase difference was successfully detected. When it was detected, he further announces whether it was in-phase or anti-phase.

5. 5.

Alice and Bob disclose their label choices. Let K0 be the number of detected rounds for which both Alice and Bob chose “0”. Alice concatenates the random bits for the K0 rounds to define her sifted key. Bob defines his sifted key in the same way except that he flips all the bits for the rounds declared to be anti-phase.

6. 6.

Let K10, K11, and K2 be the number of detected rounds for which both Alice and Bob chose the same label “10”, “11”, and “2”, respectively. Let $$K_1: = K_{10} + K_{11}$$.

7. 7.

For error correction, Alice announces HEC bits of syndrome of a linear code for her sifted key. Bob reconciles his sifted key accordingly. Alice and Bob verify the correction by comparing $$\zeta^\prime$$ bits via universal2 hashing24.

8. 8.

They apply the privacy amplification to obtain final keys of length

$$G = K_0 - \left\lceil {K_0h(f(K_1,K_2)/K_0)} \right\rceil - H_{{\mathrm{EC}}} - \zeta - \zeta^\prime ,$$
(6)

where the parameter $$\zeta$$ and the function $$f(K_1,K_2)$$ will be specified below.

### Security proof

In order to prove the security of the above protocol, we need to construct an upper bound on the phase error rate $$K_0^{({\mathrm{even}})}$$/$$K_0$$ in the virtual protocol. To cover the finite-size cases as well, our objective is to construct $$f(K_1,K_2)$$ which satisfies

$${\mathrm{Prob}}\left\{ {K_0^{({\mathrm{even}})} \le f(K_1,K_2)} \right\} \ge 1 - \epsilon$$
(7)

for any attack in the virtual protocol. It is known that it immediately implies that the actual protocol is $$\epsilon _{{\mathrm{sec}}}$$-secure with a small security parameter $$\epsilon _{{\mathrm{sec}}} = \sqrt 2 \sqrt {\epsilon + 2^{ - \zeta }} + 2^{ - \zeta^\prime }$$. See methods section for the detailed definition of security.

Let $$\tau (\mu )$$ be the phase-randomized coherent state with mean photon number μ,

$${\tau (\mu )}\, \hfill {: = } \int_0^{2\pi} { {\kern 1pt} d\theta \left| {\sqrt{\mu} e^{i\theta }}\right\rangle \left\langle {\sqrt{\mu} e^{i\theta }} \right|} = {\mathop {\sum }\limits_{n = 0}^\infty {\kern 1pt} \frac{{\mu ^n{\mathrm{e}}^{ - \mu }}}{{n!}}\left. {|n} \right\rangle \left\langle {n|} \right..}$$
(8)

Our proof method is based on an operator dominance condition which reads

$$\begin{array}{*{20}{l}} {p_{10}^2\tau (0) \otimes \tau (0) + p_{11}^2\tau (\mu _1) \otimes \tau (\mu _1) - {\mathrm{\Gamma }}\tau (\mu _2) \otimes \tau (\mu _2)} \hfill \\ {\quad \ge {\mathrm{\Lambda }}\rho ^{({\mathrm{even}})},} \hfill \end{array}$$
(9)

where $${\mathrm{\Gamma }}$$ and $${\mathrm{\Lambda }}$$ are positive constants. Our security argument below holds for any set of parameters (p10, p11, μ, μ1, μ2, $${\mathrm{\Gamma }}$$, $${\mathrm{\Lambda }}$$) satisfying Eq. (9). A simple method of computing $${\mathrm{\Gamma }}$$ and $${\mathrm{\Lambda }}$$ from (p10, p11, μ, μ1, μ2) is given in methods section.

We first clarify the meaning of numbers K1 and K2 collected in the test mode. By definition of the protocol, K1 is the frequency of detection when the pulse pair CACB was initially prepared in state $$\rho ^{({\mathrm{test}}1)}$$, where

$${(p_{10}^2 + p_{11}^2)\rho ^{({\mathrm{test}}1)}} {= p_{10}^2\tau (0) \otimes \tau (0) + p_{11}^2\tau (\mu _1) \otimes \tau (\mu _1).}$$
(10)

Similarly, K2 is the frequency of detection for state

$$\rho ^{({\mathrm{test}}2)} = \tau (\mu _2) \otimes \tau (\mu _2).$$
(11)

Also recall that $$K_0^{({\mathrm{even}})}$$ is the frequency of detection for state $$\rho ^{({\mathrm{even}})}$$ defined in Eq. (3).

When Eq. (9) holds, there exists a normalized state $$\rho ^{({\mathrm{junk}})}$$, which satisfies

$$(p_{10}^2 + p_{11}^2)\rho ^{({\mathrm{test}}1)} = {\mathrm{\Gamma }}\rho ^{({\mathrm{test}}2)} + {\mathrm{\Lambda }}\rho ^{({\mathrm{even}})} + {\mathrm{\Delta }}\rho ^{({\mathrm{junk}})}$$
(12)

for $${\mathrm{\Delta }}: = p_{10}^2 + p_{11}^2 - {\mathrm{\Gamma }} - {\mathrm{\Lambda }} \ge 0$$. Therefore, we can reinterpret the state $$\rho ^{({\mathrm{test}}1)}$$ as a mixture of the three states $$\rho ^{({\mathrm{test}}2)}$$, $$\rho ^{({\mathrm{junk}})}$$, and $$\rho ^{({\mathrm{even}})}$$. Let us consider a modified scenario in which the state of the pulse pair is directly prepared in various states with the probabilities specified in Fig. 2. In this scenario, the frequencies $$K_1^{({\mathrm{test}}2)}$$ and $$K_1^{({\mathrm{even}})}$$ shown in Fig. 2 are also well-defined. Suppose that the adversary’s attack (which may include taking over Charlie’s announcement) is the same as that for the actual/virtual protocols. As the breakdown of the mixed state $$\rho ^{({\mathrm{test}}1)}$$ in the actual protocol is revealed only after Charlie has announced all the detections, we see that the following property naturally holds.

1. (i)

The marginal joint probability of the three variables $$(K_2,K_1,K_0^{({\mathrm{even}})})$$ in the modified scenario is the same as that in the virtual protocol.

This means that if Eq. (7) is true in the modified scenario, it is also true in the virtual protocol.

From comparison between the first and the second rows in Fig. 2, we notice that K2 and $$K_1^{({\mathrm{test}}2)}$$ in the modified scenario are detection frequencies of the same initial state $$\rho ^{({\mathrm{test}}2)}$$. As the adversary has no clue about whether a pulse pair in state $$\rho ^{({\mathrm{test}}2)}$$ belongs to Test1 mode or to Test2 mode, they cannot force Charlie to detect one of the cases preferably over the others. Hence, the ratio of K2 to $$K_1^{({\mathrm{test}}2)}$$ is expected to be close to the initial ratio of the two cases, $$p_2^2/{\mathrm{\Gamma }}$$. More precisely, K2 is a Bernoulli sampling from a population with $$K_2 + K_1^{({\mathrm{test}}2)}$$ elements. This is also the case with $$K_1^{({\mathrm{even}})}$$ and $$K_0^{({\mathrm{even}})}$$. It leads to the following property of conditional probabilities stated in terms of binomial distribution $$B(K;n,p): = p^K(1 - p)^{n - K}n!/K!(n - K)!$$.

1. (ii)

In the modified scenario, it holds that

$${\mathrm{Prob}}\left\{ {K_2} \middle| {K_2 + K_1^{({\mathrm{test}}2)} = n} \right\} = B\left( {K_2;n,p_2^2/\left( {p_2^2 + {\mathrm{\Gamma }}} \right)} \right)$$
(13)

and similarly,

$$\begin{array}{*{20}{l}} {{\mathrm{Prob}}\left\{ {K_1^{({\mathrm{even}})}} \middle| {K_0^{({\mathrm{even}})} + K_1^{({\mathrm{even}})} = n} \right\}} \hfill \\ {\quad = B\left( {K_1^{({\mathrm{even}})};n,{\mathrm{\Lambda }}/\left( {p_0^2p_{{\mathrm{even}}} + {\mathrm{\Lambda }}} \right)} \right).} \hfill \end{array}$$
(14)

The properties (i) and (ii) reduce the security proof to an elementary problem of classical random sampling. In an asymptotic limit of K1, $$K_2 \to \infty$$, a bound on $$K_0^{({\mathrm{even}})}$$ is immediately obtained from the relations $$K_1^{({\mathrm{test}}2)}/K_2 = {\mathrm{\Gamma }}/p_2^2$$, $$K_0^{({\mathrm{even}})}/K_1^{({\mathrm{even}})} = p_0^2p_{{\mathrm{even}}}/{\mathrm{\Lambda }}$$, and $$K_1 \ge K_1^{({\mathrm{test}}2)} + K_1^{({\mathrm{even}})}$$. A finite-size bound $$f(K_1,K_2)$$ satisfying Eq. (7) can be constructed by the use of the Chernoff bound25. As explained in methods section, we can compute general bounds $$M^ \pm (K,p,\epsilon )$$ that satisfy

$${\mathrm{Prob}}\left\{ {M \le M^ + (K;p,\epsilon )} \right\} \ge 1 - \epsilon$$
(15)
$${\mathrm{Prob}}\left\{ {M \ge M^ - (K;p,\epsilon )} \right\} \ge 1 - \epsilon ,$$
(16)

when $${\mathrm{Prob}}\{ K|M + K = n\} = B(K;n,p)$$ holds for all $$n \ge 1$$. Then, we can construct the function $$f(K_1,K_2)$$ as

$$f(K_1,K_2) = M^ + \left( {K_1^{({\mathrm{even}}) + };\frac{{\mathrm{\Lambda }}}{{p_0^2p_{{\mathrm{even}}} + {\mathrm{\Lambda }}}},\frac{\epsilon }{2}} \right)$$
(17)

with

$$K_1^{({\mathrm{even}}) + }: = K_1 - M^ - \left( {K_2;\frac{{p_2^2}}{{p_2^2 + {\mathrm{\Gamma }}}},\frac{\epsilon }{2}} \right)$$
(18)

which obviously satisfies Eq. (7) and hence completes the security proof.

For an intuitive understanding of the amount of the finite-size effect, an approximate expression of the bound $$f(K_1,K_2)$$ may be helpful. The general bounds M± are approximated as

$$M^ \pm (K;p,\epsilon ) \cong \frac{{1 - p}}{p}K \pm \sqrt { - {\mathrm{log}}\epsilon } \frac{{\sqrt {2(1 - p)} }}{p}\sqrt K$$
(19)

when $$(1 - p)K \gg - {\mathrm{log}}{\kern 1pt} \epsilon$$. Then, we can approximate $$f(K_1,K_2)$$ as

$$\begin{array}{*{20}{l}} {f(K_1,K_2)} \hfill {\ =\, \frac{{p_0^2p_{{\mathrm{even}}}}}{{\mathrm{\Lambda }}}\left( {K_1 - \frac{{\mathrm{\Gamma }}}{{p_2^2}}K_2 + v(K_1,K_2)\sqrt { - {\mathrm{log}}(\epsilon /2)} } \right)} \hfill \end{array}$$
(20)

with

$$\begin{array}{*{20}{l}} {v(K_1,K_2)} \hfill & \cong \hfill & {\left[ {\frac{{\sqrt {2{\mathrm{\Gamma }}(p_2^2 + {\mathrm{\Gamma }})} }}{{p_2^2}}\sqrt {K_2} } \right.} \hfill \\ {\,\!} \hfill & {\,\!} \hfill & {\left. { + \sqrt {2\left( {1 + \frac{{\mathrm{\Lambda }}}{{p_0^2p_{{\mathrm{even}}}}}} \right)} \sqrt {K_1 - \frac{{\mathrm{\Gamma }}}{{p_2^2}}K_2} } \right].} \hfill \end{array}$$
(21)

### Numerical simulation

We simulated the key rate G/Ntot as a function of distance L between Alice and Bob when they are fiber-linked to Charlie with a loss of 0.2 dB/km. We assumed a detection efficiency of $$\eta _{\mathrm{d}} = 0.3$$ for Charlie’s apparatus. The parameters $$(\mu ,\mu _1,\mu _2,p_0,p_{10},p_{11},p_2)$$ are optimized for each distance. The detail of the model for determining K0, K1, and K2 is given in methods section.

Figure 3 shows the key rates of our protocol in the asymptotic limit and in the finite-size cases with $$N_{{\mathrm{tot}}} = 10^{11}$$ and 1012. We have also plotted the PLOB bound4, −$${\mathrm{log}}_2(1 - \eta _{{\mathrm{AB}}})$$, for the direct link from Alice to Bob with transmissivity $$\eta _{{\mathrm{AB}}} = \eta _{\mathrm{d}}10^{ - 0.2L/10}$$, assuming the same detection efficiency. The asymptotic key rate shows an $$O\left( {\sqrt {\eta _{{\mathrm{AB}}}} } \right)$$ scaling. As expected, the asymptotic rate is lower than those of the protocols18,19,20 investing more resources for the monitoring. The main feature of our protocol lies in the provably secure key rate in the finite-size regime. We see that at $$N_{{\mathrm{tot}}} = 10^{11}$$ it barely surpasses the PLOB bound, and at $$N_{{\mathrm{tot}}} = 10^{12}$$ it clearly beats the bound at ~ 300 km. The dotted line below the PLOB bound is the asymptotic rate for the ideal decoy-state BB84 protocol2,4,13, $$\eta _{{\mathrm{AB}}}$$/$$(2\mathrm{e})$$, which is surpassed by our protocol beyond 200 km even with $$N_{{\mathrm{tot}}} = 10^{11}$$.

As an example, we present explict values of the optimized parameters for $$N_{{\mathrm{tot}}} = 10^{12}$$ at 340 km. The intensities are $$(\mu ,\mu _1,\mu _2) = (0.012,0.23,0.022)$$ and the probabilities are $$(p_0,p_{10},p_{11},p_2) = (0.73,0.21,0.013,0.049)$$. The operator dominance condition (Eq. 9) is satisfied with $${\mathrm{\Gamma }} = 1.2 \times 10^{ - 3}$$ and $${\mathrm{\Lambda }} = 1.2 \times 10^{ - 2}$$. The observed values expected from the model are $$(K_0,K_1,K_2) = (1.6 \times 10^6,1.0 \times 10^5,1.2 \times 10^5)$$.

## Discussion

We proposed a variation of TF-type QKD protocol by using the signal mode of the PM-QKD protocol and the test mode specifically designed to simplify the estimation process of the amount of information leak. The simulated key rate shows that it beats the PLOB bound when the total number of pulse pairs emitted from Alice and Bob is 1011 to 1012, which corresponds to several to twenty minutes for a system of 1 GHz pulse repetition. It amounts to settling down the conjecture with a comprehensive information-theoretic security proof covering the finite-size key regime.

In the protocol, the events where Alice and Bob have chosen different local labels are simply discarded. It is an interesting question whether we may improve the key rate by incorporating the detection frequencies of such events in the analysis. Conversely, by accepting a lower key rate, we may be able to simplify the protocol to use only three intensities $$(0,\mu ,\mu _1)$$ instead of four in the current protocol. We leave these questions to future study.

An essential ingredient of our design is the operator dominance method of estimating the detection frequency of one state from those of a combination of different test states. We can identify two instances of binomial distribution in a modified scenario, which simplifies the required statistical analysis in the finite-size regime. As a methodology, the number of test states forming the linear combination to approximate the target state does not affect the simplicity of analysis. As long as the operator dominance condition is satisfied, we can group the states with positive coefficients to define state $$\rho ^{({\mathrm{test}}1)}$$ and those with negative to define $$\rho ^{({\mathrm{test}}2)}$$. Such a flexibility will be used to improve the finite-size key rate of TF-type protocols further. We also expect that the method can be used to simplify the security analysis of other QKD protocols, especially when the imperfection of practical devices is taken into account.

## Methods

### Definition of security in the finite-size regime

We evaluate the secrecy of the final key as follows. When the final key length is $$G \ge 1$$, we represent Alice’s final key and an adversary’s quantum system as a joint state

$$\rho _{{\mathrm{AE}}|G}^{{\mathrm{fin}}} = \mathop {\sum }\limits_{z = 0}^{2^G - 1} {\kern 1pt} {\mathrm{Prob}}(z)\left. {|z} \right\rangle \left\langle {z|} \right._{\mathrm{A}} \otimes \rho _{{\mathrm{E}}|G}^{{\mathrm{fin}}}(z),$$
(22)

and define the corresponding ideal state as

$$\rho _{{\mathrm{AE}}|G}^{{\mathrm{ideal}}} = \mathop {\sum }\limits_{z = 0}^{2^G - 1} {\kern 1pt} 2^{ - G}\left. {|z} \right\rangle \left\langle {z|} \right._{\mathrm{A}} \otimes {\mathrm{Tr}}_{\mathrm{A}}\left( {\rho _{{\mathrm{AE}}|G}^{{\mathrm{fin}}}} \right).$$
(23)

Let $$\left\| \sigma \right\|_1 = {\mathrm{Tr}}\sqrt {\sigma ^{\mathrm{\dagger }}\sigma }$$ be the trace norm of an operator σ. We say a protocol is $$\epsilon _{{\mathrm{sct}}}$$-secret when

$$\frac{1}{2}{\kern 1pt} \mathop {\sum }\limits_{G \ge 1} {\kern 1pt} {\mathrm{Prob}}(G)\parallel \rho_{{\mathrm{AE}}|G}^{{\mathrm{fin}}} - \rho _{{\mathrm{AE}}|G}^{{\mathrm{ideal}}}\parallel _1 \le \epsilon _{{\mathrm{sct}}}$$
(24)

holds regardless of the adversary’s attack. It is known26 that if the number of phase errors is bounded as in Eq. (7), the protocol is $$\epsilon _{{\mathrm{sct}}}$$-secret with $$\epsilon _{{\mathrm{sct}}} = \sqrt 2 \sqrt {\epsilon + 2^{ - \zeta }}$$.

For correctness, we say a protocol is $$\epsilon _{{\mathrm{cor}}}$$-correct if the probability for Alice’s and Bob’s final key to differ is bounded by $$\epsilon _{{\mathrm{cor}}}$$. Our protocol achieves $$\epsilon _{{\mathrm{cor}}} = 2^{ - \zeta^\prime }$$ via the verification in Step 7.

When the above two conditions are met, the protocol becomes $$\epsilon _{{\mathrm{sec}}}$$-secure with $$\epsilon _{{\mathrm{sec}}} = \epsilon _{{\mathrm{sct}}} + \epsilon _{{\mathrm{cor}}}$$ in the sense of universal composability27.

### Construction of operator dominance condition

Here we describe a procedure to compute parameter sets fulfilling the operator dominance condition (Eq. 9). Suppose that values of μ1, μ2, p10, and $$p_{11} > 0$$ satisfying

$$0 < \frac{{\mu _1 - \mu _2}}{{\mu _2}} < \frac{{p_{10}^2}}{{p_{11}^2{\mathrm{e}}^{ - 2\mu _1}}}$$
(25)

are given. Then, we can satisfy Eq. (9) by choosing $${\mathrm{\Gamma }}$$ and $${\mathrm{\Lambda }}$$ according to the following:

$$\frac{{\mathrm{\Gamma }}}{{p_{11}^2}} = \frac{{\mu _1{\mathrm{e}}^{ - 2\mu _1}}}{{\mu _2{\mathrm{e}}^{ - 2\mu _2}}}$$
(26)
$${\frac{{p_{{\mathrm{even}}}p_{11}^2}}{{\mathrm{\Lambda }}}} = {\frac{{{\mathrm{e}}^{ - 2\mu }}}{{p_{10}^2/p_{11}^2 - {\mathrm{e}}^{ - 2\mu _1}(\mu _1 - \mu _2)/\mu _2}}} { \,+ \frac{{{\mathrm{e}}^{ - 2\mu }}}{{\mu _1{\mathrm{e}}^{ - 2\mu _1}}}\mathop {\sum }\limits_{k = 1}^\infty \frac{{(k + 1)\mu ^{2k}}}{{\mu _1^{2k - 1} - \mu _2^{2k - 1}}}.}$$
(27)

The proof goes as follows. Using the representation $$\tau (\mu ) = {\mathrm{e}}^{ - \mu }\mathop {\sum}\nolimits_k {(\mu ^k/k!)\left. {|k} \right\rangle \left\langle {k|} \right.}$$, we see that the lefthand side of Eq. (9) has a diagonal form $$\mathop {\sum}\nolimits_{k,k^\prime } {(q_{k + k^\prime }/k!k^\prime !)\left. {|k,k^\prime } \right\rangle \left\langle {k,k^\prime |} \right.}$$ on the Fock basis, where

$$q_m = \left\{ {\begin{array}{*{20}{l}} {p_{11}^2{\mathrm{e}}^{ - 2\mu _1}\mu _1^m - {\mathrm{\Gamma e}}^{ - 2\mu _2}\mu _2^m} \hfill & {(m \ge 1)} \hfill \\ {p_{11}^2{\mathrm{e}}^{ - 2\mu _1} - {\mathrm{\Gamma e}}^{ - 2\mu _2} + p_{10}^2} \hfill & {(m = 0).} \hfill \end{array}} \right.$$
(28)

Substituting Eq. (26), we have

$$q_m = \left\{ {\begin{array}{*{20}{l}} {p_{11}^2\mu _1{\mathrm{e}}^{ - 2\mu _1}\left( {\mu _1^{m - 1} - \mu _2^{m - 1}} \right) > 0} \hfill & {(m \ge 2)} \hfill \\ 0 \hfill & {(m = 1)} \hfill \\ {p_{10}^2 - p_{11}^2{\mathrm{e}}^{ - 2\mu _1}(\mu _1 - \mu _2)/\mu _2 > 0} \hfill & {(m = 0)} \hfill \end{array}} \right.$$
(29)

under condition (Eq. 25). Using qm, Eq. (27) is rewritten as

$$\frac{{p_{{\mathrm{even}}}}}{{\mathrm{\Lambda }}} = {\mathrm{e}}^{ - 2\mu }\mathop {\sum }\limits_{k = 0}^\infty \frac{{(k + 1)\mu ^{2k}}}{{q_{2k}}}.$$
(30)

Let $$\pi _{\mathrm{e}} = \mathop {\sum}\nolimits_{k = 0}^\infty {\left. {|2k} \right\rangle \left\langle {2k|} \right.}$$ and $$\pi _{\mathrm{o}} = \mathop {\sum}\nolimits_{k = 0}^\infty {\left. {|2k + 1} \right\rangle \left\langle {2k + 1|} \right.}$$ be projections to the subspaces with even and odd photon numbers, respectively. We denote $$\pi _{st}: = \pi _s \otimes \pi _t(s,t = {\mathrm{e}},{\mathrm{o}})$$. From Eq. (3), we have

$${p_{{\mathrm{even}}}\rho ^{{\mathrm{(even)}}}} ={\pi _{{\mathrm{ee}}}\left. {|\sqrt \mu ,\sqrt \mu } \right\rangle \left\langle {\sqrt \mu ,\sqrt \mu |} \right.\pi _{{\mathrm{ee}}}} { + \pi _{{\mathrm{oo}}}\left. {|\sqrt \mu ,\sqrt \mu } \right\rangle \left\langle {\sqrt \mu ,\sqrt \mu |} \right.\pi _{{\mathrm{oo}}}.}$$
(31)

Hence, Eq. (9) is equivalent to the following set of conditions:

$${p_{{\mathrm{even}}}\mathop {\sum }\limits_{k,k^\prime :{\mathrm{even}}} \frac{{q_{k + k^\prime }}}{{k!k^\prime !}}\left. {|k,k^\prime } \right\rangle \left\langle {k,k^\prime |} \right.} { \ge {\mathrm{\Lambda }}\pi _{{\mathrm{ee}}}\left. {|\sqrt \mu ,\sqrt \mu } \right\rangle \left\langle {\sqrt \mu ,\sqrt \mu |} \right.\pi _{{\mathrm{ee}}}}$$
(32)
$${p_{{\mathrm{even}}}\mathop {\sum }\limits_{k,k^\prime :{\mathrm{odd}}} \frac{{q_{k + k^\prime }}}{{k!k^\prime !}}\left. {|k,k^\prime } \right\rangle \left\langle {k,k^\prime |} \right.} { \ge {\mathrm{\Lambda }}\pi _{{\mathrm{oo}}}\left. {|\sqrt \mu ,\sqrt \mu } \right\rangle \left\langle {\sqrt \mu ,\sqrt \mu |} \right.\pi _{{\mathrm{oo}}}}$$
(33)
$$q_{k + k^\prime } \ge 0\;(k + k^\prime :{\mathrm{odd}}).$$
(34)

The condition (Eq. 34) is obviously true from Eq. (29). Since $$q_{k + k^\prime } > 0$$ when $$k + k^\prime$$ is even, Eq. (32) is true if

$$p_{{\mathrm{even}}}\pi _{{\mathrm{ee}}} \ge {\mathrm{\Lambda }}\left. {|\varphi _{{\mathrm{ee}}}} \right\rangle \left\langle {\varphi _{{\mathrm{ee}}}|} \right.$$
(35)

with

$$\left. {|\varphi _{{\mathrm{ee}}}} \right\rangle = \mathop {\sum }\limits_{k,k^\prime :{\mathrm{even}}} \left( {\frac{{q_{k + k^\prime }}}{{k!k^\prime !}}} \right)^{ - 1/2}\left. {|k,k^\prime } \right\rangle \left\langle {k,k^\prime |\sqrt \mu ,\sqrt \mu } \right\rangle .$$
(36)

Since

$$\left\langle {\varphi _{{\mathrm{ee}}}|\varphi _{{\mathrm{ee}}}} \right\rangle = \mathop {\sum }\limits_{k,k^\prime :{\mathrm{even}}} \frac{{{\mathrm{e}}^{ - 2\mu }\mu ^{k + k^\prime }}}{{q_{k + k^\prime }}} = \frac{{p_{{\mathrm{even}}}}}{{\mathrm{\Lambda }}}$$
(37)

from Eq. (30), we see that condition Eq. (35) is true and so is condition (Eq. 32). Similarly, for

$$\left. {|\varphi _{{\mathrm{oo}}}} \right\rangle = \mathop {\sum }\limits_{k,k^\prime :{\mathrm{odd}}} \left( {\frac{{q_{k + k^\prime }}}{{k!k^\prime !}}} \right)^{ - 1/2}\left. {|k,k^\prime } \right\rangle \left\langle {k,k^\prime |\sqrt \mu ,\sqrt \mu } \right\rangle ,$$
(38)

we have

$$\left\langle {\varphi _{{\mathrm{oo}}}|\varphi _{{\mathrm{oo}}}} \right\rangle = {\mathrm{e}}^{ - 2\mu }\mathop {\sum }\limits_{k = 1}^\infty \frac{{k\mu ^{2k}}}{{q_{2k}}} < \frac{{p_{{\mathrm{even}}}}}{{\mathrm{\Lambda }}},$$
(39)

implying that condition (Eq. 33) is also true.

### Bounds for a classical random sampling

Here we give a computable definition of functions $$M^ \pm (K;p,\epsilon )$$ and prove the relevant properties. We assume $$p \in (0,1)$$ and $$\epsilon > 0$$. Let $$\bar p: = 1 - p$$, $$M_{p,K}: = K\bar p/p$$, $$K_{p,\epsilon }: = {\mathrm{log}}{\kern 1pt} \epsilon /{\mathrm{log}}{\kern 1pt} p$$, and

$$g(M,K): = (M + K)D(M/(M + K)\parallel \bar p)$$
(40)

with $$D(q\parallel p): = q{\kern 1pt} {\mathrm{log}}(q/p) + (1 - q){\kern 1pt} {\mathrm{log}}[(1 - q)/(1 - p)]$$. Then, for $$K \ge 0$$, we have $$g(0,K_{p,\epsilon }) = - {\mathrm{log}}{\kern 1pt} \epsilon$$, $$g(M_{p,K},K) = 0$$, and $$g(\infty ,K) = \infty$$. The partial derivatives satisfy

$$\frac{{\partial g}}{{\partial M}} > 0,\,\frac{{\partial g}}{{\partial K}} < 0\,{\quad \mathrm{for}\quad }\,M > \, (M + K)\bar p$$
(41)

and

$$\frac{{\partial g}}{{\partial M}} < 0,\,\frac{{\partial g}}{{\partial K}} > 0\,{\quad \mathrm{for}\quad }\,M < \, (M + K)\bar p.$$
(42)

Hence we may uniquely define $$M^ \pm (K;p,\epsilon )$$ for $$K \ge 0$$ as follows.

### Definition 1

M+ is the unique solution of the equation $$g(M,K) = - {\mathrm{log}}{\kern 1pt} \epsilon$$ for $$M \in (M_{p,K},\infty )$$. For $$K > K_{p,\epsilon }$$, M is the unique solution of the equation $$g(M,K) = - {\mathrm{log}}{\kern 1pt} \epsilon$$ for $$M \in (0,M_{p,K})$$. For $$K \le K_{p,\epsilon }$$, let $$M^ - : = 0$$.

Due to the properties of $$g(M,K)$$ described above, $$M^ \pm (K)$$ is non-decreasing. Using this definition, we can prove the following lemma:

### Lemma 1

Let M and K be random variables taking nonnegative integer values. If $${\mathrm{Prob}}\{ K|M + K = n\} = B(K;n,p)$$ for all $$n \ge 1$$, then

$${\mathrm{Prob}}\{ M \le M^ + (K;p,\epsilon )\} \ge 1 - \epsilon$$
(43)

and

$${\mathrm{Prob}}\{ M \ge M^ - (K;p,\epsilon )\} \ge 1 - \epsilon .$$
(44)

Proof: using the Chernoff bound25 for the binominal distribution, we have

$${\mathrm{Prob}}\left\{ nD(M/n\parallel \bar p) \ge - {\mathrm{log}}\epsilon\; \wedge\; M \ge n\bar p|M + K = n\right\} \le \epsilon$$
(45)

for all $$n \ge 1$$, leading to

$${\mathrm{Prob}}\left\{ g(M,K) \ge - {\mathrm{log}}\epsilon \; \wedge \; M \ge (M + K)\bar p \; \wedge\; M + K \ne 0\right\} \le \epsilon .$$
(46)

If $$M > M^ + (K) > M_{p,K}$$, then $$M > (M + K)\bar p \ge 0$$ and $$g(M,K) > g(M^ + (K),K) = - {\mathrm{log}}{\kern 1pt} \epsilon$$ hold. Hence Eq. (46) implies $${\mathrm{Prob}}\{ M > M^ + (K)\} \le \epsilon$$, leading to Eq. (43). Similarly to Eq. (46), we can also obtain

$${\mathrm{Prob}}\left\{ g(M,K) \ge - {\mathrm{log}}\epsilon \; \wedge \; M \le (M + K)\bar p \; \wedge \; M + K \ne 0\right\} \le \epsilon .$$
(47)

If $$M < M^ - (K) < M_{p,K}$$, then $$M < (M + K)\bar p$$, $$K > K_{p,\epsilon } > 0$$, and $$g(M,K) > g(M^ + (K),K) = - {\mathrm{log}}{\kern 1pt} \epsilon$$ hold. Then, Eq. (47) implies $${\mathrm{Prob}}\{ M < M^ - (K)\} \le \epsilon$$, leading to Eq. (44).

### Calculation of simulated key rates

For the simulation of the key rate G/Ntot as a function of distance between Alice and Bob, we adopted the following model for the channels and Charlie’s detection apparatus. We assumed a fiber loss of 0.2 dB/km and a detection efficiency of $$\eta _{\mathrm{d}} = 0.3$$ for Charlie’s apparatus. The distance between Alice and Bob is denoted by L (in km). The overall transmissivity from Alice to Charlie’s detection is then $$\eta = \eta _{\mathrm{d}}10^{ - 0.2L/20}$$. The overall transmissivity from Bob to Charlie is also $$\eta$$. We assume that (honest) Charlie declares a success when one or both of the detectors have reported detection. When both have detected, he randomly declares in-phase or anti-phase. We assume that each detector has a dark count probability of $$p_{\mathrm{d}} = 10^{ - 8}$$, which amounts to the effective probability $$d: = 2p_{\mathrm{d}} - p_{\mathrm{d}}^2$$ from the two detectors. The expected frequencies of detection are then modeled as

$$K_0/N_{{\mathrm{tot}}} = p_0^2\left( {1 - {\mathrm{e}}^{ - 2\eta \mu } + {\mathrm{e}}^{ - 2\eta \mu }d} \right),$$
(48)
$$K_1/N_{{\mathrm{tot}}} = p_{11}^2\left( {1 - {\mathrm{e}}^{ - 2\eta \mu _1} + {\mathrm{e}}^{ - 2\eta \mu _1}d} \right) + p_{10}^2d,$$
(49)
$$K_2/N_{{\mathrm{tot}}} = p_2^2\left( {1 - {\mathrm{e}}^{ - 2\eta \mu _2} + {\mathrm{e}}^{ - 2\eta \mu _2}d} \right).$$
(50)

For the bit error rate, we use the following model that includes a mode/phase mismatch error of $$e_{\mathrm{m}} = 0.03$$:

$${e_{{\mathrm{bit}}}} = { \frac{{\left[ {1 - \sqrt {1 - d}\; {\mathrm{exp}}( - 2e_{\mathrm{m}}\eta \mu )} \right]}{\left[ {1 + \sqrt {1 - d}\; {\mathrm{exp}}( - 2(1 - e_{\mathrm{m}})\eta \mu )} \right]}}{{2\left[ {1 - (1 - d){\mathrm{e}}^{ - 2\eta \mu }} \right]}}.}$$
(51)

We assume the cost of error correction HEC to be $$1.1 \times K_0h(e_{{\mathrm{bit}}})$$.

For calculation of the key rate with a finite value of Ntot, we chose the security parameters as $$\epsilon = 2^{ - 66}$$, $$\zeta = 66$$, and $$\zeta^\prime = 32$$, which makes the protocol $$\epsilon _{{\mathrm{sec}}}$$-secure with $$\epsilon _{\sec } = 2^{ - 31} < 10^{ - 10}$$. The final key length $$G = K_0(1 - h(f(K_1,K_2)/K_0)) - H_{{\mathrm{EC}}} - \zeta - \zeta^\prime$$ is then optimized with the Nelder–Mead method over six parameters μ, $$a = \mu _1/\mu$$, $$b = \mu _2/\mu$$, p2, $$p_1 = p_{10} + p_{11}$$, and $$s = p_{10}$$/$$(p_{10} + p_{11})$$. For every point shown in Fig. 3, we confirmed that the absolute values of the numerical partial derivative at each optimized condition were sufficiently small compared with the parameter values.

For calculation of the asymptotic key rate, we analytically reduced the number of parameters as follows. Using Eq. (20), the phase error rate for $$N_{{\mathrm{tot}}},K_0,K_1,K_2 \to \infty$$ is given by

$$\frac{{f(K_1,K_2)}}{{K_0}} = \frac{{p_0^2}}{{K_0}}\frac{{p_{{\mathrm{even}}}p_{11}^2}}{{\mathrm{\Lambda }}}\left( {\frac{{K_1}}{{p_{11}^2}} - \frac{{\mathrm{\Gamma }}}{{p_{11}^2}}\frac{{K_2}}{{p_2^2}}} \right).$$
(52)

From Eqs. (26), (27), (48), (49), and (50), we see that it can be cast into the form $$f(K_1,K_2)$$/$$K_0 = g(p_{10}^2/p_{11}^2)$$ with

$$g(\lambda ) = C_1\left( {\frac{1}{{\lambda - C_2}} + C_3} \right)(\lambda + C_4),$$
(53)

where {Cj}j depend only on μ, μ1, μ2, $$\eta$$, and d. The function g(λ) takes its minimum at $$\lambda ^ \ast : = C_2 + \sqrt {(C_2 + C_4)/C_3}$$ with

$$g(\lambda ^ \ast ) = C_1\left( {1 + \sqrt {\left( {C_2 + C_4} \right)C_3} } \right)^2.$$
(54)

Hence, in the limit of $$p_0 \to 1$$ and p10, p11, $$p_2 \to 0$$ with $$p_{10}^2$$/$$p_{11}^2 = \lambda ^ \ast$$, we have

$${\frac{G}{{N_{{\mathrm{tot}}}}}} \to {\left( {1 - {\mathrm{e}}^{ - 2\eta \mu } + {\mathrm{e}}^{ - 2\eta \mu }d} \right)\left( {1 - h(g(\lambda ^ \ast ))} \right)} { - 1.1 \times h(e_{{\mathrm{bit}}}).}$$
(55)

To calculate the asymptotic key rate in Fig. 3, we optimized the above expression over μ, $$a = \mu _1$$/μ and $$b = \mu _2$$/μ with the Nelder–Mead method.