Quantum key distribution with an efficient countermeasure against correlated intensity fluctuations in optical pulses

Quantum key distribution (QKD) allows two distant parties to share secret keys with the proven security even in the presence of an eavesdropper with unbounded computational power. Recently, GHz-clock decoy QKD systems have been realized by employing ultrafast optical communication devices. However, security loopholes of high-speed systems have not been fully explored yet. Here we point out a security loophole at the transmitter of the GHz-clock QKD, which is a common problem in high-speed QKD systems using practical band-width limited devices. We experimentally observe the inter-pulse intensity correlation and modulation pattern-dependent intensity deviation in a practical high-speed QKD system. Such correlation violates the assumption of most security theories. We also provide its countermeasure which does not require significant changes of hardware and can generate keys secure over 100 km fiber transmission. Our countermeasure is simple, effective and applicable to wide range of high-speed QKD systems, and thus paves the way to realize ultrafast and security-certified commercial QKD systems. A potential security loophole and its countermeasure have been discovered in practical implementations of high-speed quantum key distribution (QKD). Ken-ichiro Yoshino from NEC corporation and a team of researchers from Japan investigated the intensity fluctuations of optical pulses in a GHz-clocked QKD system, revealing that the limited bandwidth of the ultrafast optical transmitter’s electronics generates deviations from the ideal signal. These perturbations have been shown to carry signatures of previous modulation patterns - effectively introducing correlations between individual pulses. As the strength of QKD relies on its proof-of-principle security, which in many cases is derived under the assumption of independent pulses, these correlations constitute a loophole that might compromise the whole protocol. Fortunately, the researchers developed two countermeasures: pattern sifting and alternate key distillation, which recover security and do not impact performances too severely.


Introduction
Quantum key distribution (QKD) [1][2][3] allows two legitimate parties, Alice and Bob, to establish symmetric keys with the proven security even in the presence of an eavesdropper, Eve, who has unbounded computational power.Thanks to this unique feature, referred to as "information theoretic security", QKD, combined with Vernam's one-time pad cipher, enables the everlasting protection of confidentiality of data transmission, and hence must be an essential element to construct a long-term security system which cannot be realized only by cryptographic schemes based on computational security.Such a system has been exemplified in the literatures [4,5] as a long-term-secure storage network consisting of secret sharing, QKD and authentication schemes to deal with highly confidential data such as personal biomedical data, pharmaceutical, and genetic information.Because of growing interest in the confidentiality of those data, this storage network could be one of the killer applications of QKD.
Toward its practical realization, tremendous progress has been made during the past decades.
Metropolitan QKD networks have been successfully deployed [6][7][8][9][10] and is going to be a continental scale [11].To provide information-theoretically secure keys to real applications securely and seamlessly, an efficient key management system and application program interfaces has been developed [12].For the QKD device itself, high speed and stable operation is critical.By employing the ultrafast optical communication devices, high-speed QKD systems stably operated at GHz-clock frequency is realized in the installed-fiber networks [13][14][15].
Nevertheless, there remains an obstacle that makes the potential users hesitate to adopt this emerging technology; they would not innovate their existing secure-communication systems unless convinced that a QKD system at hand is really secure.In practice, like other cryptographic systems, a QKD system also has potential vulnerability due to mismatches between practical implementation and the theoretical model used for security proofs, which are referred to as side channels.For the QKD technology to be widely adopted, critical requirements are security certification, test-and-measurement method, security criteria for implementation, and countermeasures against the side channels.Moreover, those should be acceptable for non-experts.So far, receiver's security loopholes due to the side channels and countermeasures have been extensively studied for the existing QKD systems [16][17][18][19].
Also, the measurement device independent QKD protocol [20,21] can circumvent any receiver imperfections in principle.By contrast, researches on loopholes in transmitters have just begun in only a few aspects [22][23][24][25][26]. Loopholes in transmitters are directly linked to the mismatch of the state preparation between the ideal model and the implementation of QKD protocols.Therefore, rigorously quantitative evaluation of the imperfections in transmitters are essential to the security certification of QKD systems.
In this paper, we report a new security loophole, which may commonly exist in the transmitters of high-speed QKD systems, but has been overlooked so far despite its seriousness and generality.The current decoy-BB84 QKD systems generally rely on the matured ultrafast optical communication technology for high-speed operation, especially on signal modulation devices [13][14][15].As shown below, the loophole in fact hides in the intensity modulator (IM) of such systems.Since practical modulators and electrical drivers are band-limited (which is common in optical communication as well), electrical signal distortion causes intensity correlation between the optical pulses as well as intensity fluctuation of individual pulses, where the former is particularly critical for the security since current security analysis usually assumes independent and identically distributed (IID) pulses.Such an inter-pulse intensity correlation occurs inevitably, and would provide additional information to an eavesdropper (Eve) to distinguish decoy state pulses from signal pulses.In other words, the QKD system without the countermeasure against intensity correlation in optical pulse train can be no longer guaranteed secure, and such a defective QKD system may cause a disaster for secure communications.
Against such a serious loophole, we develop its countermeasure which does not require new hardware.Although there are previous works [27][28][29] extending the coverage of the security proofs to accommodate the non-IID cases, a better performance of the QKD system will be achieved by developing more preemptive methods to circumvent correlations and fluctuations, based on the understanding on the real GHz-clocked QKD system [12] characteristics.We experimentally observe this modulation-pattern dependent intensity deviation and provide an efficient countermeasure.Our countermeasure consists of three post-processing operations: pattern sifting (PS), alternate key distillation (AKD), and intensity sifting (IS), which effectively recover the IID assumption and work for finite key length.Finally, we estimate the secure key rate and confirm achievability of the transmitter-loophole-closed secure key generation by high-speed decoy QKD system over 100km.

Optical intensity deviation with inter-pulse correlation
Figure 1 shows a conceptual view of our QKD transmitter working at 1.24-GHz clock rate.The first intensity modulator (IM) controls the intensity of the 50ps-width laser pulse for the three-state decoy protocol [30,31] and the following devices are for the time-bin BB84 signal encoding by an asymmetric Mach-Zehnder interferometer (AMZI), a modulator for encoding, and a variable optical attenuator (VOA) to attenuate the pulse energy to the single-photon level.The decoy IM is a dualelectrode Lithium Niobate (LN) modulator of 10 GHz bandwidth, driven by an electrical circuit designed for 10 Gbps digital optical communication.Relative input timing of optical pulses and modulation signals to the IM is controlled by fiber length connected in front of the IM with the accuracy of 50 ps (corresponding to fiber length of 1 cm).
The three-state decoy pulses are generated as follows.Two phase shift parameters   ( = 1,2) in the waveguides determine the output intensity as   = cos 2 [( 1 −  2 )/2 ]   : { 1 ,  2 } = {0,0} for "signal" (S), { 1 ,  2 } = {, 0} for "vacuum" (V), and { 1 ,  2 } = {, } for "decoy" (D) states, where  is determined by the designed decoy intensity.The phase shifts  and  are generated by electrical voltage pulses with the heights of Vand V, respectively.We assign voltages of Vfor "Hi" and 0 for "Lo" as the driving signals to one electrode (signal 1), whereas V for "Hi" and 0 for "Lo" as the one to the other electrode (signal 2), respectively.Using these assignments, S state can be generated by {signal 1, signal 2} = {Lo, Lo}, and V state by {Hi, Lo}, so that transmittance of the IM takes the maximum and minimum values at these applied voltages.On the other hand, D state can be produced by either {Lo, Hi} or {Hi, Hi}.In our case, {Hi, Hi} is used because required value of V is smaller than {Lo, Hi} for typical intensities where D state intensity is less than half of S state.
Generally, an IM needs to be operated with mark rate of 50% to suppress the charge drift in the LN modulator during long-term operation.If the mark rates of modulation signals are biased, spontaneous polarization in the LN crystal is gradually enhanced, and it results in the waveform distortion of optical pulses.Our IM is operated with complementary mode, in which binary electrical signals Hi (Lo) in the first half of the pulse period is inverted to Lo (Hi) in the second half, automatically achieving mark rate of 50%.
If the modulation worked perfectly for the randomly chosen S, D, and V states, the intensity of the optical pulses should be determined independently without fluctuation.However, in real high speed systems, the electrical waveform distortion and the timing jitter of the optical pulses will cause unwanted intensity change depending on the state of the preceded pulse, i.e., the intensity becomes correlated.We call this phenomenon as "pattern effect".A simple explanation of the pattern effect is as follows; an ideal drive circuit with a flat frequency response provides rectangular waveforms to the IM.The pulse amplitudes are independent of the previous modulation signal, as shown by the waveforms in Fig. 1 (a).However, the frequency response of real drive circuits is not uniform; it may show resonant peaks, and reduction in high frequency signals.Such imperfect frequency response distorts the waveform as shown in Fig. 1 (b).The electrical signal amplitude may differ according to the previous modulation patterns.This phenomenon results in correlated intensity deviation of modulated optical pulses.Optical pulses for decoy state with the preceding pulse D experience smaller phase shift than that with S. (c) conceptual image of operation points of intensity modulation.
We measured the pattern effects by picking the optical pulses from the output of the IM.The optical pulses are measured by a high speed photo-receiver with 9.3 GHz-bandwidth and subsequently recorded in an oscilloscope with 8 GHz-bandwidth.We defined the pulse intensity as the area of the time profile of the measured signal in one period containing a pulse peak.This measurement can evaluate the energy of each optical pulse.We measured 100,000 pulses per single pulse pattern for statistical analysis.In this experiment, we evaluated the pulse intensity before strong attenuation by a VOA, assuming that the intensity fluctuation of the optical pulses linearly reflects the mean photon number fluctuation in the quantum pulses through heavy attenuation.
In the following, we will show that measurements on only six pulse patterns among countless patterns of previous pulses are enough to characterize the pattern effect in our QKD equipment.The main cause of the pattern effect is the limited frequency response of the driving circuit, as explained before.The electric waveforms in Fig. 1 (b) shows that modulation signals for the first pulses arrive at setting levels (0 or V(,) in 800 ps.It implies that the first half of the modulation signals has little effect on the second half.In other words, almost all the influence of pattern effect are limited to the adjacent pulses.Therefore we consider only the adjacent pulse states.Note that even if the complementary operation is used, pattern effects between adjacent pulses appear when the bandwidths of the devices are not enough because the voltage of the second half of previous modulation is different depending on its own signal (S, D or V).We ignore the intensity fluctuation of V state, since its effect on photon detection is smaller than that of stray light and dark counts.Then, we only need to measure the intensities of S pulses and D pulses with three types of predecessors: S, D, and V pulses.The six patterns are abbreviated to S→S, D→S, V→S, S→D, D→D, and V→D, where the intensities of the second pulses are to be measured.Table 1 lists the averaged pulse intensities for the six patterns.While pattern effects were small (0.6 %-2.1 %) on the S pulses, large deviation about 20 % was observed on the D pulses.The deviation exceeded the normalized standard deviation of the intensity fluctuation around 7-9%.
The different behavior of the D pulses comes from the operating point of the decoy pulses.At this point, the output intensity is sensitive to the applied voltage fluctuation as depicted in Fig. 1 (c).In contrast, those of the vacuum and signal pulses are set to the extreme of the input-output characteristics of the modulator, so that the output intensities are insensitive to the applied voltage.
One may consider the band-limitation of the measurement devices created "fake" pattern effects.
If so, the pattern effect should have also appeared in S-state.However, observation showed that the pattern effect occurred only in D-state.Therefore, we concluded that the pattern effect originated from the intensity modulator.
When such a correlated intensity deviation is apparent, IID property of the pulse sequence is not approved.Therefore, conventional security analyses can be no longer applied directly.This issue appears to varying degree as long as the operating point is set on the steep slope of the modulation curve, shown as point (D) in Fig. 1 (C).We propose a simple and effective solution in the next section.

Countermeasure to the pattern-effect loophole: pattern sifting and alternate key distillation
Here we provide a software-based countermeasure against the pattern effects called "pattern sifting (PS)" and "alternate key distillation (AKD)".We ignore the minor deviations observed in D->S and V->S, which are smaller than standard deviations, and assume that the intensity of an S pulse is independent of its predecessor.PS discards particular modulation patterns in the key distillation process.The sifting rule on a pulse should be independent of its nominal intensity S, D, or V. Otherwise sifting itself may offer information on the intensity to Eve.In other words, we should decide whether we discard the focused pulse using the knowledge of other pulses.As mentioned in the previous section, since we need to consider the correlation only between the adjacent pulses in our QKD transmitter using the complementary modulation, the sifting rule should depend on the state of the adjacent pulses.The effect of the predecessor pulse can be avoided by fixing its nominal pulse intensity.
The most efficient choice is to discard the pulse whose predecessor pulse is in D or V states, while sifting out the ones preceded by S pulses.The correlation with successor pulse can be disregarded by discarding the pulse whose successor is in D state, because the D state intensity is affected by the focused pulse intensity.The rule is summarized as follows: (A) Discard the pulse, if its predecessor is in D or V state.
(B) Discard the pulse, if its successor is in D state.
Pulses are discarded depending on the state of predecessor and successor, not on the state of target pulse itself.Therefore, proportion of S, D and V is unchanged.As a result of the PS, the statistics of the sifted even-indexed pulses becomes IID conditionally on the variables for the odd-indexed pulses, and the same goes for the sifted odd-indexed pulses.
After the PS process, we divide sifted keys into odd-indexed events and even-indexed events according to the emission time stamps, and execute key distillation for each bit sequence.We refer to this process as AKD.Although there are no correlations among the even-indexed pulses conditionally on the variables for the odd-indexed pulses, there still remains a possibility of correlations between the even-indexed pulses and the odd-indexed ones.This makes it rather nontrivial whether both of the odd and even keys from the AKD are simultaneously secure.We solved this issue by dividing known security proofs of a decoy-state BB84 protocol into two statements, one for estimation of photon number statistics through the use of decoy states and the other for security of a BB84 protocol with an imperfect source.We then found that each statement allows composition of the even and odd parts, namely, that a statement for the even-indexed part and one for the odd-indexed part together imply a similar statement for the whole, regardless of correlations.The detail is given in the Methods section.This fraction is 0.82 with the typical values, so that we can use most of the pulses for key distillation.The pattern effect can also be avoided by following naive protocol.If Alice sends a pulse with a fixed intensity before the pulse used for key distillation, no pattern effects would be observed.For example, Alice always selects S-state for odd number pulses, then the intensity of even number pulses are immune from the pattern effects.However, in this protocol, Alice and Bob should discard the odd number pulse outcomes, because Eve may also know the intensity of the odd number pulses and improve her measurement for successful eavesdropping.Therefore, the final key rate in the naive protocol is decreased to half of the original protocol.
Furthermore, one may think that faster devices can avoid the pattern effects.However, it is not clear how much bandwidth is needed for individual QKD systems, and it takes a very high cost, which is an obstruction against the widespread use of QKD systems.Our software-based PS and AKD enable to generate secure key using an existing QKD system without hardware replacements.

Finite-length analysis with intensity sifting
As long as the actual correlated pulse sequence is stationary, PS and AKD enable us to treat sifted key as if it was generated from an IID pulse sequence.Nevertheless, we have to consider the residual random intensity fluctuation, which would be brought by thermal noise or timing jitter of optical pulse and modulation electrical signals.Output power of the LD also would fluctuate.One way to establish a secure key in the presence of such a fluctuation is to apply "intensity sifting (IS)" to bound maximum and minimum of pulse intensities.In IS, we omit pulses whose intensities exceed the bound from key distillation process.This can be implemented with a pulse intensity monitor before attenuation by VOA in the transmitter and screening of the events for key distillation.
We evaluated standard deviations in the second pulse and normalized them using the average intensities of S and D as shown in Table1.We referred standard deviations of the second pulse in the case of S→S and S→D patterns as   and   , and normalized standard deviations as  ̃ and  ̃, respectively.The obtained values of  ̃ and  ̃ were 3.2% and 7.0%.The fluctuation of the decoy intensity  ̃ was larger than that of the signal  ̃, because of the steep slope of the modulation curve as depicted in Fig. 1 (c).
We extend a finite-key analysis [32] to consider the intensity fluctuations in signal, decoy and vacuum pulses.In Ref [32], authors provided concise finite-key security bounds which is based on the asymmetric decoy-state analysis proposed in Ref [30].The IS procedure assures that the mean photon number of each pulse stays within the range [   ,    ] ( = S, D, V).We rederived the key length formula of Ref [32], which yields smallest final key rate by considering the range of the mean photon number.Details of the reformulation are described in Supplementary Information.
Combination of PS, AKD and IS enables secure key generation even if the QKD equipment has correlated intensity deviation due to the pattern effect and random intensity distribution due to the thermal noise or timing jitter.We estimate the secure key rate of our GHz-clock QKD system.We assume that the intensity fluctuation obeys Gaussian distribution for S and D. We set the intensity range as [  −   ,   +   ] with a common factor t multiplied to standard deviation   for a = S, D. We model the intensity fluctuation of the vacuum signal V by a half-Gaussian distribution  exp[− 2 /(2 2 )] (c is a normalization constant, and  ≥ 0) and assume that its magnitude is similar to that of S, namely,  =   .The intensity range in IS is set to [0, ].Note that such Gaussian assumptions are not necessary in practice, since we can calibrate the probabilities of passing the IS and calculate effective probabilities pS, pD, and pV accordingly.
We evaluate secure key rate with the three state decoy protocol with the nominal intensities μS=0.5, μD=0.2.We assume that Alice selects Y-basis (Z-basis) with the probability of PYa=0.25 (PZa=0.75),and Bob adopts passive basis choice by a fiber splitter to feed photon pulses to a single photon detector (InGaAs/InP APDs) with the Pxb for each basis (x=Y, Z).We set the probabilities to PYb=0.25 and PZb=0.75.The detector performances are assumed as follows: detection efficiency of ηdet=0.1,dark count probability Pdc of 10 -6 and after pulse probability Pap of 10 -2 .Transmittance of the optical devices in Bob ηBob is assumed to be 0.25.We assume that the fiber of the quantum channel has an attenuation coefficient of 0.2dB/km, which refers to the transmittance of the quantum channel ηch=10 -0.2L/10 with the fiber length of L (km).
The error probability when Alice sends a pulse with the average photon number μa (a= S, D, V) in x-basis (x=Y, Z) is calculated with eax=Pdc+eopt[1-exp(-ημaPxb)]+PapDax/2, where eopt=0.01 is the error due to the imperfection of the optics, η is the total detection efficiency (η=ηchηBobηdet).Dax is the expected detection rate in x-basis detectors (excluding after-pulse effect) given as Dax=1-(1-2Pdc)exp(-ημaPxb) for the pulse of the average photon number μa in x-basis.
We set that our QKD is εsec-secret and εcor-correct.Here εsec-secret means that the secret key is distinguishable from the ideal key with probability at most of εsec, and εcor-correct means that the probability of Alice and Bob sharing identical secret key is no smaller than 1-εcor.In the key distillation process, we assume that the error correction cost is given by   =   ℎ(  ) with   = 1.2 and   = (    +     +     )/(  +   +   ) .We employ   = 2 × 10 −11 and   = 2 −127 in the secure key rate simulation.
The simulated secure key rate per pulse for several valid intensity ranges from 0.2  to 1.0  for 100 Mbits sifted key as functions of transmission length are shown in Fig. 3.This figure implies that smaller valid range leads to longer distance.On the other hand, regarding key generation rate at short and middle distance less than 70 km, around 0.6  is optimal because of the trade-off between the amount of eliminated pulses by IS and the amount of discarded bits in the privacy amplification due to the effect of intensity distribution.Note that the optimal intensity range highly depends on the characteristics of the QKD system.Therefore, to maximize secure key rate, we need careful parameter selections according to the intensity fluctuation levels in the real system.

Conclusion
We have pointed out and experimentally evaluated intensity fluctuations of each optical pulse for 1.24GHz-clocked high-speed QKD system for the first time.We found large intensity deviation of decoy pulse depending on previous modulation pattern due to distortion of electric signals originated from the limited bandwidth of the electronics.We newly developed countermeasures named "pattern sifting" and "alternate key distillation" against the correlated deviation, which aim at recovering the IID assumption common to the most of security proofs.We further showed that the remaining random intensity distribution due to thermal noise or timing jitter can be handled with "intensity sifting" method, which enables us to generate secure key with finite-length analysis using a real GHz-clock QKD system.The developed countermeasures yield reasonable key after 100-km transmission.Our results provide simple and effective solution to wide range of high-speed QKD systems, where the signal distortion is observed.

Methods
In Methods, we will prove security of the proposed decoy-state BB84 protocol under the pattern effect.
The protocol uses the pattern sifting (PS) and the alternate key distillation (AKD).These two methods enable us to attune security proofs for standard decoy-state BB84 protocols to prove our case.To represent existing analyses of standard decoy-state BB84 protocols, we summarize notations as follows.
 a : a sequence whose element { , , }  The assumptions used in existing analyses of standard decoy-state BB84 protocols are summarized as follows.
1.The sequence a is independent and identically distributed (IID) with prior probabilities SD , pp and V p .

A
x and

B
x is IID with given probabilities.

The sequence
A b is IID with probability 1/ 2 .

The probability distribution
Pr( , ) an is written as ( , ) aa f a n p q n   .

Conditioned on ,,
A a n x and A b , the state of the whole pulses is written as ,, ( , , ) The three sets of variables , an and Λ form a Markov chain, which we denote by  anΛ .Assumption 6 is not an independent assumption but is a consequence of assumption 5 and the independence of a from A x and A b .We have included it for convenience of discussions below.By use of them, we represent existing security analyses of standard decoy-state BB84 protocols as a combination of two arguments (a) and (b).The argument (a) is a decoy-state analysis, which makes estimation over a photon number distribution.The decoy-state analysis is purely mathematical and the only assumptions it uses are 4 and 6.The result of estimation is usually given as a set of inequalities that are satisfied except with a small probability a  .The inequalities imply, for example, a lower bound on the number of detections from single-photon ( 1 n  ) signals.For our purpose, it is convenient to represent these inequalities equivalently by using a set  of admissible values ( , , ) anΛ , namely, as ( , , )  anΛ .
The argument (b) is a BB84 analysis with a known photon number distribution.It provides a rule ( , ) l a Λ to determine the length l of the final key from the data available in the protocol, and proves that it is secure if ( , , )  anΛ holds.We emphasize here that this part of the argument does not rely on assumption 4 any longer since it only cares about the security in the case of ( , , )  anΛ .
To describe the argument (b) more precisely, let us describe the real protocol as a diagram given in Fig. 4, in which the box "key substitution" should be ignored.We also introduce the ideal protocol, in which the actual key is substituted by an ideal key.The real protocol is called  -secure if it is distinguishable from the ideal protocol by at most  , measured in terms of trace distance.
The argument (b) does not prove the security of the real protocol, but that of a variant which we  Hence, the intermediate protocol, which uses the actual a and n as an input of the sub-protocol, is also b  -secure.Since the difference between the real protocol and the intermediate protocol arises only if ( , , )   anΛ , assumption (a) implies that the trace distance is no larger than a  .Using the triangle inequality for the trace distance, the real protocol is proved to be ab ()   -secure.Now, we consider a protocol under the pattern effect, which means the i -th type for any 1 i a  .The probability distribution of ( , ) an is then written as 1 Pr( , ) ( , , ), where 11 ( , , ) ( , ( , )) . Although this change threatens assumption 4 in the standard case, we will show that the analyses in the standard case can be applied to the elements after PS and AKD, such as the even-indexed and pattern-sifted elements.To represent the restriction on the even-indexed elements, the odd-indexed elements and the pattern-sifted elements, we use the superscripts "even", "odd" and "PS", such as even odd,PS , an and so on.
We define a set of even indices as even I and a set of indices of the even-indexed and patternsifted elements as To show (i), we focus on the fact that the sequence of the pairs ( , ) ii an forms a Markov chain Pr( , | , , , ).
Pr( , | , , , ) and it means that the property (i) holds.Next, we consider the whole protocol with PS and AKD, which can be regarded as follows (see  ,,  anΛ is not satisfied, Eq. ( 10) bounds the trace distance to be no larger than a 2 .As a consequence, we find that real protocol is The above proof is also applicable when there exist independent fluctuations in the mean photon number after PS and AKD in our experiment.It can be done by extending a function ( , ) f a n to a set of functions satisfying a condition about intensity fluctuations.This change does not affect the above reasoning as long as the choice of set  in the argument (a) is dictated from a proof accommodating such fluctuations.This work was supported in part by the ImPACT Program of the Cabinet Office Japan.

Figure 1 :
Figure 1: Conceptual view of a transmitter (Alice) in typical decoy-BB84 QKD system using time-bin coding.LD: laser diode, IM: intensity modulator, AMZI: asymmetric Mach-Zehnder interferometer, PM: phase modulator, VOA: variable optical attenuator.(a) Ideal waveforms to the IM encoding signal (S) and decoy (D) state with complementary modulation.Pulse-shaped figures represent input timing of optical pulses.Pulse period (0.8 ns) is defined by the two solid lines.(b) Actual distorted waveforms from the 10-GHz bandwidth circuit.

Figure 2
Figure 2 summarizes sifting rules in PS and pulse selection rules in AKD.Upper table regardingPS shows the probabilities for the pulse patterns using typical values of selection probabilities of signal, decoy, and vacuum states pS=14/16, pD=1/16, and pV=1/16.After PS, pS(1-pD) of the pulses will contribute to the key distillation, where the first factor comes from PS (A) and the second from PS (B).

Figure 2 :
Figure 2: Summary of sifting rules in "pattern sifting (PS)" and pulse selection rules in "alternate key distillation (AKD)".The numbers after S, D, and V show the typical values of the selection probability.

Figure 3 :
Figure 3: Simulation of the final key rate for 100 Mbits sifted key considering intensity fluctuation caused by pattern effects and random noise.Valid intensity range of IS is changed from 0.2  to 1.0  (a= S, D, V).
represent choices of the basis for the i -th pulse by Alice and Bob, respectively.

Ab
: a sequence whose element , {0,1} Ai b  represents Alice's bit value for the i -th pulse.Λ : a sequence whose element i  represents the set of all the data associated with the i : mean photon numbers corresponding to the types S , D and V . of n photons emitted in a pulse with a mean photon number  .
call the intermediate protocol.In the intermediate protocol, the actual key is substituted by an ideal key if and only if ( , , )   anΛ holds.The fact that the argument (b) does not rely on assumption 4 implies that the security is not threatened even if a and n are determined by an adversary.Let us call the shaded region in Fig. 4 as the sub-protocol, which regards a and n as the data provided from outside.What is actually proved in the argument (b) is the security of the intermediate subprotocol, or its indistinguishability from the ideal sub-protocol.The statements of arguments (a) and (b) are summarized as follows.(a) For a positive real number a  and a set  , The intermediate sub-protocol with a set  and the final key length ( , ) l a Λ is b  -secure for a positive real number b  .

Figure 4 :
Figure 4: A schematic representing a standard decoy-state BB84 protocol.Depending on real, intermediate, and ideal protocols, the rounded-corner box works differently as written in the right side of this figure.The shaded area represents the sub-protocol.
assume a model in which the mean photon number of the i -th pulse is represented

Figure 5 :
Figure 5: A schematic representation of a decoy-state BB84 protocol with PS and AKD.The protocol includes two sub-protocols defined in Fig. 4. Depending on real protocol, intermediate and ideal protocols, the sub-protocols change as in Fig. 4.

Fig. 5 )
Fig.5).The protocol generates a and n , generates even,PS even,PS ( , ) an and two sub-protocols which are identical as the sub-protocol in Fig.4.Each of the subprotocols produces a final key, and the concatenation of the two keys is the output of the protocol.We define the intermediate protocols and the ideal protocols as in the standard case.The argument (b) guarantees that each of the intermediate sub-protocols is b  -secure.The standard argument of the universal composability means that the intermediate protocol is b 2 -secure.Since the difference between the real protocol and the intermediate protocol is caused by the event where the condition

Table 1 : Measured intensity of signal pulses and decoy pulses for three types of predecessors.
: signal pulse, D: decoy pulse, V: vacuum state.Deviation of the intensity is given by that from the reference patterns (S→S and S→D). S