Quantum key distribution with setting-choice-independently correlated light sources

Despite the enormous theoretical and experimental progress made so far in quantum key distribution (QKD), the security of most existing practical QKD systems is not rigorously established yet. A critical obstacle is that almost all existing security proofs make ideal assumptions on the QKD devices. Problematically, such assumptions are hard to satisfy in the experiments, and therefore it is not obvious how to apply such security proofs to practical QKD systems. Fortunately, any imperfections and security-loopholes in the measurement devices can be perfectly closed by measurement-device-independent QKD (MDI-QKD), and thus we only need to consider how to secure the source devices. Among imperfections in the source devices, correlations between the sending pulses and modulation fluctuations are one of the principal problems, which unfortunately most of the existing security proofs do not consider. In this paper, we take into account these imperfections and enhance the implementation security of QKD. Specifically, we consider a setting-choice-independent correlation (SCIC) framework in which the sending pulses can present arbitrary correlations but they are independent of the previous setting choices such as the bit, the basis and the intensity settings. Within the framework of SCIC, we consider the dominant fluctuations of the sending states, such as the relative phases and the intensities, and provide a self-contained information-theoretic security proof for the loss-tolerant QKD protocol in the finite-key regime. We demonstrate the feasibility of secure quantum communication, and thus our work constitutes a crucial step towards guaranteeing the security of practical QKD systems. A rigorous study on source device security brings practical quantum key distribution (QKD) a step closer to information theoretic security. 
Existing studies on the security of QKD focus on potential security breaches from imperfect measurement devices, but have overlooked loopholes associated with source imperfections. To tackle this problem, Akihiro Mizutani and co-workers in Japan, Spain and Canada consider the security of an imperfect quantum source that sends pulses with arbitrary correlations, and fluctuations in phase and intensity. They numerically prove that secure quantum communication is feasible provided that these correlations are independent of the choices made for bit, basis and intensity. Their information theoretic security proof with setting-choice-independent correlations in the source is based on practically viable, loss-tolerant QKD in the finite-key regime. The team is confident that their findings will help realize secure quantum communication with practical source devices.

Despite the enormous theoretical and experimental progress made so far in quantum key distribution (QKD), the security of most existing QKD implementations is not rigorously established yet. A critical obstacle is that almost all existing security proofs make ideal assumptions on the QKD devices. Problematically, such assumptions are hard to satisfy in the experiments, and therefore it is not obvious how to apply such security proofs to practical QKD systems. Fortunately, any imperfections and security-loopholes in the measurement devices can be perfectly closed by measurement-device-independent QKD (MDI-QKD), and thus we only need to consider how to secure the source devices. Among imperfections in the source devices, correlations between the sending pulses are one of the principal problems. In this paper, we consider a setting-choice-independent correlation (SCIC) framework in which the sending pulses can present arbitrary correlations but they are independent of the previous setting choices such as the bit, the basis and the intensity settings. Within the framework of SCIC, we consider the dominant fluctuations of the sending states, such as the relative phases and the intensities, and provide a self-contained information theoretic security proof for the loss-tolerant QKD protocol in the finite-key regime. We demonstrate the feasibility of secure quantum communication within a reasonable number of pulses sent, and thus we are convinced that our work constitutes a crucial step toward guaranteeing implementation security of QKD.

I. INTRODUCTION
Quantum key distribution (QKD) [1] is one of the most promising applications of quantum information processing, and it is now on the verge of global commercialization. Nonetheless, there are still several theoretical and experimental challenges [2] that need to be addressed before its wide-scale deployment. One such challenge is the lack of practical security proofs that bridge the gap between theory and practice. In the security proof of QKD, one typically assumes some mathematical models for Alice and Bob's devices. However, if these models do not faithfully capture the physical properties of the actual QKD devices, the security of the systems is no longer guaranteed. In fact, such discrepancies between device models assumed in security proofs and the properties of actual devices could be exploited by Eve to attack both the source [3,4] and the detection apparatuses [5][6][7][8][9][10][11][12]. It is therefore indispensable for realising secure QKD to develop security proof techniques that can be applied to actual devices.
One possible approach to close this gap is to use device-independent QKD [13][14][15][16]. Its main drawback is, however, that it delivers a quite low secret key rate with current technology, and it still requires some device characterisations. An alternative solution is to use measurement-device-independent (MDI) QKD [19], which guarantees the security of QKD without making any assumption on the measurement device. That is, MDI-QKD completely closes the security loophole in the detection unit. This technique still requires, however, that certain assumptions on the source device are satisfied.
Unfortunately, the status of the security proofs with practical light sources is not fully satisfactory, as so far only a few security proofs accommodate realistic imperfections in the source device. Among the imperfections in the source, one of the crucial problems is the presence of correlations among the sending pulses. We categorize these correlations into two types: the first type is the setting-choice-independent correlation (SCIC) where the correlation is independent of Alice's choices of settings such as the bit, the basis, and the intensity settings, and the second type is the setting-choice-dependent correlation (SCDC) where the correlation is dependent on Alice's setting choices. For instance, the former case (SCIC) may arise when the temperature in the laser drifts slowly over time due to thermal effects, where such drift could depend on how long we have operated a device and the ambient temperature of the room. Another example may be found in modulation devices which are operated by a power supply fluctuating in time. On the other hand, the latter case (SCDC) occurs when the $i$th sending state could depend on the previous setting choices that Alice has made up to the $(i-1)$th pulse. That is to say, secret information encoded in the previous quantum signals sent by Alice could be leaked to subsequent quantum signals sent by Alice. In other words, subsequent signals could act as side channels for previous signals. Recently, the SCDC between the intensities of different pulses has been observed experimentally [20]. Also, the authors of [20] conducted a security analysis which is valid for the restricted scenario where only the nearest neighbour correlation is considered. More generally, however, the $i$th state could be dependent on all the previous setting choices that Alice has made. This general correlation seems to be very hard to deal with theoretically, and even if we had a theoretical countermeasure against it, the characterisation of the device might be highly non-trivial. Fortunately, it would be reasonable to assume that the SCDC could be eliminated if the modulation devices are initialized each time after Alice emits a pulse. For instance, before Alice sends the $(i+1)$th pulse, she applies a random voltage to the modulation devices several times until the setting-choice information up to the $i$th pulse which is stored in the device is deleted. This potential solution may decrease the repetition rate of the source; however, this could be overcome by multiplexing several sources, for instance by employing integrated silicon photonics [21][22][23]. With this reasonable solution, we are left with rigorously dealing with the SCIC.
In this paper, we consider the dominant fluctuations of the sending state, such as the relative phase [24][25][26][27] and the intensity [20,24,28,29] within the framework of SCIC, and we provide an information theoretic security proof in the finite-key regime. In particular, we consider the loss-tolerant QKD protocol [30] that is a BB84 type protocol which, unlike the standard BB84 protocol [31], has the advantage of being robust against phase modulation errors. The loss-tolerant protocol is highly practical and has been experimentally demonstrated in both prepare & measure QKD [26,32] and MDI-QKD [27]. Our main contribution is to explicitly write down all the assumptions that we impose on QKD systems, and by using only these assumptions we give a self-contained security proof. Our numerical simulations of the key generation rate show that provably secure keys can be distributed over long distance within a reasonable number of pulses sent, e.g., $10^{12}$ pulses.
The paper is organised as follows. In section II, we describe the assumptions that we make on Alice and Bob's devices and we introduce the protocol considered. In section III, we present a formula for the key generation length of the protocol. This formula depends on certain parameters that need to be estimated; the estimation results for these parameters are shown in section IV. Then in section V, we present our numerical simulation results for the key generation rate. Here, we assume realistic intervals for the actual phases and intensities under the framework of SCIC, and we show that secure communication is possible within a reasonable time frame of signal transmission, say $10^{12}$ signals. Finally, section VI summarises the paper. There are also various appendixes describing all the detailed derivations of the parameters in the key rate.

II. ASSUMPTIONS AND PROTOCOL DESCRIPTION
Here, we introduce the assumptions on Alice and Bob's devices and the protocol we consider throughout this paper. To describe the assumptions, we use a shorthand notation $X^i := X^i, X^{i-1}, \ldots, X^1$ for a sequence of random variables $\{X^j\}_{j=1}^{i}$ and $X^0 := 0$. In what follows, we first summarise the assumptions we make on the sending devices as well as those on the measurement devices, and then we move on to the description of the protocol.

A. Assumptions on Alice's transmitter
(A-1) Assumption on the sending state $\rho^i(\theta^i, \mu^i)_{B^i}$

We assume that Alice employs a coherent light source with a Poissonian photon number distribution in any basis, bit and intensity setting. Here we denote by $c^i \in C := \{0_Z, 1_Z, 0_X\}$ Alice's bit and basis choice for the $i$th pulse, and $k^i \in K := \{k_1, k_2, k_3\}$ Alice's intensity setting choice for the $i$th pulse. Moreover, we consider that the $i$th signals are in a single mode. Also, we assume that she uses phase encoding, i.e., she encodes the $i$th bit and basis information into the relative phase $\theta^i$ between two pulses, a signal and a reference pulse, whose common phase $\delta \in [0, 2\pi)$ is perfectly randomized. We denote by $\mu^i$ the $i$th actual value of the intensity generated by Alice's source. Mathematically, given the phase and the intensity, the $i$th sending state $\rho^i(\theta^i, \mu^i)_{B^i}$ to Bob in the system $B^i$ can be described as

Here, we assume that the intensities of the signal and the reference pulses are the same and equal to $\mu^i/2$. In Eq. (1), we define $P[|\cdot\rangle] := |\cdot\rangle\langle\cdot|$, the subscripts $S^i$ and $R^i$ respectively represent the optical modes of the $i$th signal and reference pulse, and ) being a Fock state with $n$ photons in mode $S^i$ ($R^i$). Eq. (1) can be rewritten as where p(n where

Furthermore, we suppose that there are no side-channels in Alice's source and Eve can only manipulate Bob's system $B$ with her arbitrary prepared ancilla.

In the following, we first explain our correlation model for the source device, and we make assumptions on how the phases $\{\theta^i\}_{i=1}^{N_{\rm sent}}$ and the intensities $\{\mu^i\}_{i=1}^{N_{\rm sent}}$ are determined in the source device, where $N_{\rm sent}$ denotes the number of pulse pairs (signal and reference pulses) sent by Alice. See Fig. 1 for a schematic explanation of our correlation model of the source device. For illustration purposes, we exemplify in Fig. 2 the setting-choice-dependent correlation (SCDC) that is not taken into account in our security analysis.

(A-2) Assumption on the correlation: Setting-choice-independent correlation (SCIC)

The correlation model we consider is the setting-choice-independent correlation (SCIC), which means that the internal state of the source device which determines the $i$th sending state is arbitrarily correlated with the previous internal states of the source device but it does not depend on the previous setting choices made by Alice. We denote by $g^i$ the classical random variable representing the $i$th internal state of the source device; it determines the correspondence between the setting choices ($c^i$ and $k^i$) and the output parameters from the source device ($\theta^i$ and $\mu^i$). We suppose that $g^i$ depends on the past internal state of the source device $g^{i-1}$ and is independent of the past setting choices and output parameters. Hence, if we denote the $i$th setting choices and output parameters by the SCIC model can be mathematically expressed in terms of a probability distribution satisfying for any $P^{i-1}$ and $g^{i-1}$ the following

(A-3) Assumption on the random choice of $c^i$ and $k^i$

We assume that conditioned on the past realisation $P^{i-1}$ and $g^i$, then $c^i$ and $k^i$ are independent of each other and also independent of $P^{i-1}$ and of $g^i$, which is expressed by the following condition

(A-4) Assumption on the independence of $\theta^i$ and $\mu^i$

We suppose that the phase $\theta^i$ (intensity $\mu^i$) only depends on the setting choice $c^i$ ($k^i$) and on $g^i$. Mathematically, this means that the probability distributions satisfy

$p(\theta^i, \mu^i | c^i, k^i, g^i, P^{i-1}) = p(\theta^i | c^i, g^i)\, p(\mu^i | k^i, g^i).$

(A-5) Assumption on unique determination of $\theta^i$ and $\mu^i$

The phase $\theta^i$ (intensity $\mu^i$) is uniquely determined given $g^i$ and the setting choice $c^i$ ($k^i$) as $\theta^i_{c^i,g^i}$ ($\mu^i_{k^i,g^i}$), that is, $\theta^i$ ($\mu^i$) is a function of $c^i$ ($k^i$) and $g^i$. This is expressed as where $\delta(x, y)$ denotes the Kronecker delta. Note that Eq. (8) does not impose any restriction on $\{g^i\}_{i=1}^{N_{\rm sent}}$ since there exists the information of $\theta^i$ and $\mu^i$ somewhere in the source device, and we can take the parameters $\{g^i\}_{i=1}^{N_{\rm sent}}$ such that $\{g^i\}_{i=1}^{N_{\rm sent}}$ uniquely determine the correspondence between $\{c^i\}_{c^i \in C}$ and $\{\theta^i_{c^i,g^i}\}_{c^i \in C}$, and $\{k^i\}_{k^i \in K}$ and $\{\mu^i_{k^i,g^i}\}_{k^i \in K}$.

For the security analysis, we define the random variable associated to tagged events as follows.

(D-1) Definition of tagged random variable

For the internal state of the source device $g^i$, we define the untagged set $G^i_{\rm unt}$ as and if $g^i \in (\notin)\, G^i_{\rm unt}$, we call the $i$th pulse the untagged (tagged) signal, which we denote by $t^i = u$ ($t$). In the above definition of the untagged set, $R^{c^i}_{\rm ph}$ and $R^{k^i}_{\rm int}$ respectively denote the interval of the phase for $c^i$ and the interval of the intensity for $k^i$.

(A-6) Assumption on the intervals for the phase and intensity

The $i$th interval of the phase $R^{c^i}_{\rm ph}$ is assumed to be given by for all instances $i$, where $R^{0_Z}_{\rm ph}$, $R^{1_Z}_{\rm ph}$ and $R^{0_X}_{\rm ph}$ do not overlap each other and the parameters $\{\theta^L_c\}_{c \in C}$ and {θ

Also, the $i$th interval of the intensity $R^{k^i}_{\rm int}$ has the form for all instances $i$, and we suppose that the following three conditions are satisfied

We suppose that the probability of $g^{N_{\rm sent}}$ not being an element of $G^{N_{\rm sent}}_{\rm good}$ is upper bounded by $p_{\rm fail}$, which is expressed as

B. Assumptions on Bob's measurement unit

(B-1) Assumption on basis-independent detection efficiency

We denote by $\{M_{y^i,b^i}\}_{y^i \in \{0,1,\emptyset\}}$ the $i$th POVM (positive operator-valued measure) for Bob's measurement in the basis $b^i \in B := \{Z, X\}$, where $M_{0,b^i}$ ($M_{1,b^i}$) represents the POVM element associated to the detection of the bit value $y^i = 0$ (1) in the basis $b^i$, and the element $M_{\emptyset,b^i}$ represents the failure of outputting a bit value. We suppose that whether a detection occurs or not for each pulse pair does not depend on the chosen measurement basis $b^i$; this condition is represented as

(B-2) Assumption on random choice of the measurement basis

We assume that Bob measures each incoming signal in a basis $b^i \in B$ chosen independently of the previous basis choices and measurement outcomes. This condition is expressed in terms of the probability distribution as

Furthermore, we suppose that there are no side-channels in Bob's measurement device. Let us remark that our security model allows the use of threshold detectors; this simply implies that Bob's Z and X basis measurements are not necessarily measurements on a qubit space. Note also that any error in the detection apparatus (say, for example, modulation errors) can be accommodated in our security proof as long as the assumptions stated in (B-1) and (B-2) are satisfied.
FIG. 3: Description of the actual protocol with a typical measurement setup. In the $i$th trial (with $1 \le i \le N_{\rm sent}$), Alice's source device emits two consecutive coherent pulses: a signal and a reference pulse. Alice first inputs the basis and bit information $c^i \in C$ and the intensity setting $k^i \in K$ that she selects probabilistically. Let $\theta^i$ and $\mu^i$ denote the relative phase between the signal and the reference pulses and the total actual intensity of both pulses, respectively. On the receiving side, Bob uses a 50:50 beamsplitter (BS) to split the received pulses into two beams. Afterward, he applies a phase shift 0 or $\pi/2$ to one of them according to his basis choice $b^i = Z$ or $b^i = X$, respectively. The pulses are then recombined at a 50:50 BS. A click in the detector D0 (D1) provides Bob the bit $y^i = 0$ ($y^i = 1$).
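A source-characterisation check for assumption (A-2) and the tagging rule (D-1), as an added example that is not code from the paper. It assumes that the intervals are symmetric around the nominal values (±0.03 rad and ±3%), that the untagged set requires every setting to land inside its interval, and a constructed drift model; `run_source`, `leak` and the nominal intensities are hypothetical.

```python
import math
import random
from statistics import mean, pvariance

PHASES = {"0Z": 0.0, "1Z": math.pi, "0X": math.pi / 2}  # nominal phases theta_c (Sec. V)
MUS = {"k1": 0.5, "k2": 0.1, "k3": 0.0}  # constructed intensities; mu_k3 = 0 as on the page
PHASE_TOL = 0.03  # rad: assumed half-width of each phase interval R_ph^c
INT_TOL = 0.03    # assumed relative half-width of each intensity interval R_int^k


def outputs(g_phase, g_gain):
    """Assumed form of (A-5): the internal state g fixes theta and mu for every setting."""
    thetas = {c: PHASES[c] + g_phase for c in PHASES}
    mus = {k: MUS[k] * (1.0 + g_gain) for k in MUS}
    return thetas, mus


def untagged(g_phase, g_gain):
    """Assumed form of (D-1): g is untagged iff all settings land inside their intervals."""
    thetas, mus = outputs(g_phase, g_gain)
    ph_ok = all(abs(thetas[c] - PHASES[c]) <= PHASE_TOL for c in PHASES)
    int_ok = all(abs(mus[k] - MUS[k]) <= INT_TOL * MUS[k] for k in MUS)
    return ph_ok and int_ok


def run_source(n, gain_amp, leak, seed, period=5000):
    """Emit n pulses. leak = 0 is SCIC; leak > 0 makes g depend on the last setting (SCDC)."""
    rng = random.Random(seed)
    pulses, prev_k = [], None
    for i in range(n):
        drift = math.sin(2 * math.pi * i / period)  # slow thermal-like drift
        g_phase = 0.02 * drift + rng.uniform(-0.005, 0.005)
        g_gain = gain_amp * drift + rng.uniform(-0.005, 0.005)
        if prev_k == "k1":
            g_gain += leak  # memory of the previous intensity setting
        # (A-3): the settings are drawn independently of g and of the past.
        c, k = rng.choice(list(PHASES)), rng.choice(list(MUS))
        thetas, mus = outputs(g_phase, g_gain)
        pulses.append({"k": k, "prev_k": prev_k, "theta": thetas[c], "mu": mus[k],
                       "tagged": not untagged(g_phase, g_gain)})
        prev_k = k
    return pulses


def count_tagged(pulses):
    """Number of tagged pulses, to be compared with the bound N_tag."""
    return sum(p["tagged"] for p in pulses)


def setting_dependence_z(pulses):
    """z-score of the mean relative intensity error, split by whether the previous setting was k1."""
    after_k1, after_other = [], []
    for p in pulses:
        if p["prev_k"] is None or MUS[p["k"]] == 0.0:
            continue  # no history yet, or a vacuum pulse
        dev = p["mu"] / MUS[p["k"]] - 1.0
        (after_k1 if p["prev_k"] == "k1" else after_other).append(dev)
    se = math.sqrt(pvariance(after_k1) / len(after_k1)
                   + pvariance(after_other) / len(after_other))
    return (mean(after_k1) - mean(after_other)) / se


if __name__ == "__main__":
    cases = [("SCIC, in range", 0.02, 0.0), ("SCIC, drifting out", 0.04, 0.0),
             ("SCDC, in range", 0.02, 0.004)]
    for name, amp, leak in cases:
        pulses = run_source(40000, amp, leak, seed=1)
        print(f"{name:20s} tagged={count_tagged(pulses):6d} "
              f"z={setting_dependence_z(pulses):7.2f}")
```

The third case keeps every pulse inside its interval, so the tagged count alone cannot reveal a setting-choice-dependent source; the conditional comparison against the previous setting does.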

C. Protocol description
In this section, we describe the protocol of which we prove the security. See Fig. 3 for a typical setup of the actual protocol. In particular, we consider the loss-tolerant protocol [30]. Also, we suppose that Alice uses the decoy-state method [33][34][35] with one signal and two decoys, and we consider asymmetric coding, i.e., the Z and X bases are chosen with probabilities $p^A_Z := \sum_{c^i = 0_Z, 1_Z} p(c^i)$ and $p^A_X := p(c^i = 0_X)$, respectively. In addition, we assume that the secret key is generated from those events where both Alice and Bob select the Z basis regardless of their intensity settings.
Next, we show in detail how the protocol runs. In its description, $|A|$ represents the cardinality of a set or length of a bit string depending on whether $A$ is a set or a bit string, respectively. The protocol is composed of the following steps:

0. Device characterisation and protocol parameter choice
First, Alice characterises her source to determine the value of the parameters $R^c_{\rm ph}$, $R^k_{\rm int}$ for all $c \in C$ and $k \in K$, $N_{\rm tag}$ and $p_{\rm fail}$. Also, Alice and Bob decide the secrecy parameter s given by Eq. (19), the correctness parameter c, the upper bound on $N_{\rm sent}$ which we shall denote by $N$, and the quantity $N_{\rm det}$ that is associated to the termination condition.
After this characterisation step, Alice (Bob) repeats the following step 1 (step 2) and both Alice and Bob repeat step 3 for $i = 1, \ldots, N_{\rm sent}$ until the condition in the sifting step is met.

1. Preparation
For each $i$, Alice randomly selects the intensity setting $k^i \in K$ with probabilities $p_{k_1} := p(k^i = k_1)$, $p_{k_2} := p(k^i = k_2)$ and $p_{k_3} := p(k^i = k_3)$, and the basis $a^i \in B$ with probabilities $p^A_Z$ and $p^A_X = 1 - p^A_Z$. Afterward, if $a^i = Z$ she chooses the bit information with probability 1/2; otherwise, she chooses $c^i = 0_X$. Finally, she generates the signal and reference pulses according to her choice of $k^i$ and $c^i$, and sends them to Bob via a quantum channel.

2. Measurement
Bob measures the incoming signal and reference pulses using the measurement basis $b^i \in B$, which he selects with probabilities $p^B_Z := p(b^i = Z)$ and $p^B_X := p(b^i = X)$. The outcome is recorded as $\{0, 1, \perp, \emptyset\}$, where $\perp$ and $\emptyset$ represent, respectively, a double click event, i.e., the two detectors click, and a no click event. If the outcome is $\perp$, Bob assigns a random bit to the event. As a result, Bob obtains $y^i \in \{0, 1, \emptyset\}$. The outcomes 0 and 1 will be called a detection event.

3. Sifting
Bob declares over an authenticated public channel whether or not he obtained a detection event. If yes, Alice and Bob announce their basis choices, and Alice identifies if the event can be assigned to the following sets for all $k \in K$: Alice asks Bob to also announce his measurement outcome, and Alice identifies if the event can be assigned to the following sets for all Then, Alice checks if the following termination condition is satisfied for a prefixed $N_{\rm det}$: $S_{\rm det} := |S_{\rm det}| \ge N_{\rm det}$ for the set $S_{\rm det} = \{i \mid y^i \neq \emptyset\}$. Once this termination condition is met after sending $N_{\rm sent}$ pulses, the results associated to the set $S_{Z,Z,{\rm det}} := \cup_{k \in K} S_{Z,Z,k,{\rm det}}$ form Alice and Bob's sifted keys $\kappa^{\rm sift}_A$ and $\kappa^{\rm sift}_B$. That is, the length of these sifted keys is If the termination condition is not met after sending $N$ pulses, then Alice and Bob abort the protocol.

4. Parameter estimation
Alice calculates a lower bound for the parameter $S_{Z,Z,n=1,u,{\rm det}} := |S_{Z,Z,n=1,u,{\rm det}}|$, where $S_{Z,Z,n,u,{\rm det}} := \{i \mid a^i = b^i = Z, n^i = n, t^i = u, y^i \neq \emptyset\}$ is a subset of $S_{Z,Z,{\rm det}}$ composed of those elements where Alice emitted an untagged $n$-photon state. We denote the lower bound on $S_{Z,Z,1,u,{\rm det}}$ by $S^L_{Z,Z,1,u,{\rm det}}$, which is given by Eq. (21). Also, she calculates an upper bound $N^U_{{\rm ph},Z,Z,1,u,{\rm det}}$ on the number of phase errors $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ for the set $S_{Z,Z,1,u,{\rm det}}$, whose quantity is given by Eq. (23). If the upper bound $e^U_{{\rm ph}|Z,Z,1,u,{\rm det}}$, where $e^U_{{\rm ph}|Z,Z,1,u,{\rm det}}$ corresponds to the phase error rate associated with a zero secret key rate [see Eq. (20)], Alice and Bob abort the protocol. Otherwise, they proceed to step 5.

5. Bit error correction
Through public discussions, Bob corrects his sifted key $\kappa^{\rm sift}_B$ to make it coincide with Alice's key $\kappa^{\rm sift}_A$ and obtains

6. Privacy amplification
Alice and Bob conduct privacy amplification by shortening $\kappa^{\rm sift}_A$ and $\kappa^{\rm cor}_B$ to obtain the final keys $\kappa^{\rm fin}_A$ and $\kappa^{\rm fin}_B$ of size given by Eq. (20).

III. SECRET KEY GENERATION LENGTH
In this section, we present a formula to compute the secret key generation length that guarantees that the protocol introduced above is sec-secure. According to the universal composable security framework [37,38], we say that a protocol is sec-secure if it is both c-correct and s-secret where sec = c + s [39]. We say that the protocol is holds in terms of the trace norm, where ρfin ) is a classical-quantum state between Alice's final key and Eve's system after finishing the protocol and ρideal AE is an ideal state in which Alice's key is uniformly distributed over $2^{|\kappa^{\rm fin}_A|}$ values and decoupled from Eve's system. We suppose that the following two conditions for the random variables $S_{Z,Z,1,u,{\rm det}}$ and $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ are satisfied regardless of Eve's attack. In this case, for any PA > 0, by setting [40,41] it can be shown that the protocol is c-correct and s-secret if the final key length satisfies where $h(x)$ is the binary entropy function, and $\lambda_{\rm EC}(c)$ is the cost of error correction to achieve c-correctness.

IV. RESULTS OF PARAMETER ESTIMATION
In this section, we summarise the estimation results of $S^L_{Z,Z,1,u,{\rm det}}$ and $N^U_{{\rm ph},Z,Z,1,u,{\rm det}}$. All the detailed derivations of these quantities can be found in Appendices D and E, respectively.
First, regarding the estimation of $S^L_{Z,Z,1,u,{\rm det}}$, we employ the decoy-state method and we obtain the lower bound on $S_{Z,Z,1,u,{\rm det}}$ as except for error probability Here, we define $S^-_{Z,Z,k_2,u,{\rm det}} := S_{Z,Z,k_2,{\rm det}} - N_{\rm tag}$ and the statistical fluctuation term in the Modified Azuma's inequality (see Appendix C) is given by g MA ( , q, n) = √ ln (ln −18nq)−ln 3 .

Second, in the estimation of the number of phase errors $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ for the untagged single-photon emission events in $\kappa^{\rm sift}_A$, we follow the arguments in the loss-tolerant protocol in [24,25,30]. In the main text, for simplicity of its expression, we only describe $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ with the following restricted phase intervals: Note that the expression of $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ with the general phase intervals in Eq. (10) can be found in Appendix E 2. Under the assumption of Eq. (22), $N^U_{{\rm ph},Z,Z,1,u,{\rm det}}$ can be written as a linear combination of the parameters $S_{c,1,u,{\rm det},y,X}$, which are bounds on the cardinality of the sets $S_{c,1,u,{\rm det},y,X}$ = {i|c Here, we define the statistical fluctuation term of the Azuma's inequality [42] as g A (x, y) := 2x ln 1/y and the functions {Γ U y,c } y,c [25] as ). Regarding $S_{c,1,u,{\rm det},y,X}$, we take the following upper or lower bounds on $S_{c,1,u,{\rm det},y,X} := |S_{c,1,u,{\rm det},y,X}|$, depending on the sign of Γ U y,c , such that $N_{{\rm ph},Z,Z,1,u,{\rm det}}$ takes its upper bound: with and where $S^-_{c,k,u,{\rm det},y,X} := S_{c,k,{\rm det},y,X} - N_{\rm tag}$.

FIG. 4: The key rate (per pulse) in logarithmic scale versus fibre length for the case with the phase fluctuation of ±0.03 rad [namely, θ = 0.03 in Eq. (22)] for any choice of $c^i \in C$ and the intensity fluctuation of ±3% for the choice of $k^i \in \{k_1, k_2\}$ and

Finally, we calculate the failure probability PH associated to the estimation of $N^U_{{\rm ph},Z,Z,1,u,{\rm det}}$ in Eq. (18), as PH = 1 PH + 2 PH , and we define 1 PH := 2 PH , on the other hand, is composed of the failure probabilities associated to the estimation of $\{S_{c,1,u,{\rm det},y,X}\}_{y=0,1,\,c \in C}$, and 2 PH has the form 2 PH = y=0,1 c∈C c,1,u,y,X with c,1,u,y,X = k=k2,k3 c,k,u,y,X MA + c,1,u,y,X MA or c,1,u,y,X = k∈K c,k,u,y,X MA + c,1,u,y,X MA depending on whether we use the upper bound given by Eq. (25) or the lower bound given by Eq. (26).

V. SIMULATION OF THE KEY RATE
In this section, we show the numerical simulation results of the key rate for a fibre-based QKD system. In the simulation, we assume that Bob uses a measurement setup with two single-photon detectors with detection efficiency $\eta_{\rm det} = 10\%$ and dark count probability per pulse $p_{\rm dark} = 10^{-5}$. These parameters are set to be the same as those in [43]. The attenuation coefficient of the optical fibre is 0.2 dB/km and its transmittance is $\eta_{\rm ch} = 10^{-0.2l/10}$ with $l$ denoting the fibre length. We denote the channel transmission rate including detection efficiency by $\eta := \eta_{\rm ch}\eta_{\rm det}$. The overall misalignment error of the measurement system is fixed to be $e_{\rm mis} = 1\%$. In addition, we assume an error correction cost equal to $\lambda_{\rm EC}(c) = 1.05 \times |\kappa^{\rm sift}_A|\, h(e_{\rm bit}) + \log_2(1/c)$, where $e_{\rm bit}$ is the bit error rate of the sifted key ($\kappa^{\rm sift}_A$, $\kappa^{\rm sift}_B$). Moreover, we suppose that the intervals of the intensity fluctuation in Eq. (11) are given by ] with $\mu_k$ denoting the expected intensity (we suppose that $\mu_{k_3} = 0$) and where $r_k$ represents the deviation of the actual intensity from the expected value. For the intervals of the phase fluctuation $R^{c^i}_{\rm ph}$ in Eq. (22), we take the experimental value of phase modulation error from Ref. [26] and we set θ = 0.03 rad. In Fig. 4, we consider the two cases: (I) $N_{\rm tag} = 0$ and $p_{\rm fail} = 0$ and (II) $N_{\rm tag} = N_{\rm sent} \times 10^{-7}$ and $p_{\rm fail} = 0$. The case (I) means that all the phases and the intensities lie in their intervals, and the case (II) means that the number of tagged events is upper bounded by $N_{\rm sent} \times 10^{-7}$.
Regarding the numbers of detection events $S_{Z,Z,k,{\rm det}}$ and $S_{c,k,{\rm det},y,b}$, we generate these quantities by assuming the following specific setup. In particular, for the $i$th trial, we consider that Alice sends Bob pairs of coherent states through the fibre of the form $|e^{i(\delta+\theta_c)}\sqrt{\mu_k/2}\rangle_{S^i}\,|e^{i\delta}\sqrt{\mu_k/2}\rangle_{R^i}$ with $\theta_{0_Z} = 0$, $\theta_{1_Z} = \pi$ and $\theta_{0_X} = \pi/2$ according to the choices of $k^i = k \in K$ and $c^i = c \in C$. Bob measures the incoming signals using a Mach-Zehnder interferometer with two 50:50 BSs and a phase modulator as shown in Fig. 3. More precisely, he uses a first 50:50 BS to split the received pulses into two beams, and after that he applies a phase shift 0 or $\pi/2$ to one of them according to his basis choice of $b^i = Z$ or $b^i = X$, respectively, and finally he lets the resulting pulses interfere using a second 50:50 BS. In this setup, we obtain the following probabilities: for $y \in \{0, 1\}$, and p( for $y, x \in \{0, 1\}$. Moreover, we assume that the bit error rate $e_{\rm bit}$ is given by e bit = y=0,1 p( With these probabilities, we suppose that the experimentally observed numbers satisfy S Z,Z,k,det = N sent x,y=0,1 In the simulation, we perform a numerical optimization of the key rate SCIC /N sent over the two free parameters $\mu_{k_1}$ and $\mu_{k_2}$. In the solid and dashed lines in Fig. 4, we respectively plot the key rate of the cases (I) and (II) for the finite-case when $N_{\rm sent} \in \{10^{10}, 10^{10.5}, 10^{11}, 10^{11.5}, 10^{12}\}$ (from left to right). For comparison, the rightmost solid and dashed lines respectively correspond to the asymptotic key rate of the cases (I) and (II), where no statistical fluctuation terms in Eqs. (21) and (23) are taken into account. Our simulation results show the feasibility of secure key distribution within a reasonable time by employing practical devices that satisfy our device assumptions. For instance, if Alice uses a laser diode operating at 1 GHz repetition rate and she sends $N_{\rm sent} = 10^{12}$ signals, then we find that it is possible to distribute a 1-Mb secret key over a 75-km fibre link in < 0.3 hours. This scenario corresponds to the solid blue line (the fifth solid line from the left) shown in Fig. 4.
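A Monte Carlo run of protocol steps 1 to 3 with the detector and fibre parameters of this section, followed by the error-correction cost, as an added example that is not the authors' simulation code. It assumes an idealised interferometer in which all received light interferes, models the 1% misalignment as a fixed phase offset, and leaves out source fluctuations; the function names, `eps_c` (the correctness parameter) and the intensity and probability values used in the demo are hypothetical.

```python
import math
import random

THETA = {"0Z": 0.0, "1Z": math.pi, "0X": math.pi / 2}  # Alice's phases theta_c (page)
BOB_SHIFT = {"Z": 0.0, "X": math.pi / 2}               # Bob's phase shift per basis (page)
ETA_DET, P_DARK, E_MIS = 0.10, 1e-5, 0.01              # detector and misalignment values (page)
MISALIGN = 2 * math.asin(math.sqrt(E_MIS))  # assumption: e_mis as a fixed phase offset


def h2(x):
    """Binary entropy function h(x)."""
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def run_protocol(n_max, n_det, length_km, mu, p_k, p_az, p_bz, eps_c, seed):
    """Steps 1-3; returns None (abort) if fewer than n_det detections occur in n_max pulses."""
    rng = random.Random(seed)
    eta = ETA_DET * 10 ** (-0.2 * length_km / 10)  # eta = eta_ch * eta_det
    settings, weights = list(p_k), list(p_k.values())
    n_sent = s_det = 0
    s_zz = {k: 0 for k in settings}  # |S_{Z,Z,k,det}| per intensity setting
    key_a, key_b = [], []
    while n_sent < n_max and s_det < n_det:
        n_sent += 1
        # Step 1, preparation: intensity setting, basis, then bit (X basis only sends 0_X).
        k = rng.choices(settings, weights)[0]
        a = "Z" if rng.random() < p_az else "X"
        c = rng.choice(["0Z", "1Z"]) if a == "Z" else "0X"
        # Step 2, measurement: phase difference decides how the light splits between D0 and D1.
        b = "Z" if rng.random() < p_bz else "X"
        dphi = THETA[c] - BOB_SHIFT[b] + MISALIGN
        i0 = eta * mu[k] * math.cos(dphi / 2) ** 2
        i1 = eta * mu[k] * math.sin(dphi / 2) ** 2
        click0 = rng.random() < 1 - (1 - P_DARK) * math.exp(-i0)
        click1 = rng.random() < 1 - (1 - P_DARK) * math.exp(-i1)
        if not (click0 or click1):
            continue  # no-click event
        # A double click is replaced by a random bit.
        y = rng.randint(0, 1) if (click0 and click1) else (0 if click0 else 1)
        # Step 3, sifting: count the detection and keep Z/Z events for the sifted key.
        s_det += 1
        if a == "Z" and b == "Z":
            s_zz[k] += 1
            key_a.append(1 if c == "1Z" else 0)
            key_b.append(y)
    if s_det < n_det:
        return None  # termination condition not met within n_max pulses
    errors = sum(x != y for x, y in zip(key_a, key_b))
    e_bit = errors / len(key_a) if key_a else 0.0
    lam_ec = 1.05 * len(key_a) * h2(e_bit) + math.log2(1 / eps_c)
    return {"n_sent": n_sent, "s_det": s_det, "s_zz": s_zz, "sifted": len(key_a),
            "e_bit": e_bit, "lambda_ec": lam_ec}


if __name__ == "__main__":
    mu = {"k1": 0.5, "k2": 0.1, "k3": 0.0}   # constructed intensities, mu_k3 = 0
    p_k = {"k1": 0.6, "k2": 0.3, "k3": 0.1}  # constructed setting probabilities
    print(run_protocol(10**6, 5000, 10, mu, p_k, 0.9, 0.9, 1e-15, seed=7))
```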

VI. CONCLUSION
In summary, we have provided an information theoretic security proof for the loss-tolerant QKD protocol which accommodates the setting-choice-independent correlation (SCIC) in the finite key regime. Within the framework of SCIC, the relative phases and intensities of the sending coherent states fluctuate over time. Once realistic intervals for these fluctuations (such as for instance ±0.03 rad and ±3%, respectively) are guaranteed, our numerical simulations have shown that secure quantum communication is feasible with a reasonable number of signal transmissions such as for example $N_{\rm sent} = 10^{12}$. Therefore, our results constitute a significant step toward realising secure quantum communication with practical source devices. On a more general outlook, it would be of great practical interest to improve the convergence speed of the key rate in the finite-key regime and it would be also important to weaken the requirements for Alice's source device which could lead to a simpler characterisation of the source devices.

Appendix A: Summary of notations
A list of the parameters used throughout this paper together with their notation is provided in Tables I and II.

Random variables and sets
Meaning Set of bit and basis information: Alice's i th choice of bit and basis information K Set of intensity setting: {k1, k2, k3} k i ∈ K Alice's i th choice of intensity setting θ i ∈ [0, 2π) i th relative phase between the signal and reference pulses i th total intensity in both the signal and reference pulses G i unt Untagged set of the i th internal state of the source device g i ∈ G i unt ∪ G i unt i th internal state of Alice's source device g ≥i Abbreviation of g i , g i+1 , ..., g N sent t i ∈ {u, t} Indicator of Set of g N sent where ntag is upper bounded by a fixed number Total number of photons in the i th signal and reference pulses B Set of bases: {Z, X} a i (b i ) ∈ B Alice's (Bob's) i th basis choice    For later discussions, we introduce the following theorem about the description of Alice's sending states, which is a direct consequence of the assumptions (A-1)-(A-5) in Sec.II A.
Theorem 1 From the assumptions (A-1)-(A-5), we have that all the N sent sending states can be written as with G Nsent := G 1 , ..., G Nsent . Here, G i , C i , K i , Θ i and M i denote the systems storing the information of g i , c i , k i , θ i and µ i , respectively. According to the assumption (A-1), note that these five systems are possessed by Alice. This is to ensure that there is no side channel leaking information to Eve. Also, |ρ i (θ i c i ,g i , µ i k i ,g i ) N i B i is a purified state of Eq. (2) with N i being a system storing the number of photons contained in the i th sending state, which has the form
Proof of Theorem 1 For the most general case, the total N sent sending states can be coherently written as Next, we calculate p(g Nsent , P Nsent ) using the assumptions (A-2)-(A-5).
where in the 3rd equation we use the assumption (A-2), and in the 5th equation we use the assumptions (A-3)-(A-5). With this expression, Eq. (B3) results in Eq. (B1), which ends the proof.

Appendix C: Modified Azuma's inequality
Here, we introduce the Modified Azuma's inequality [44] that we use in the decoy-state method (see Appendix D).
Theorem 2 (Modified Azuma's inequality) [44]. Let Y i be an i random variable with Y 0 := 0 (0 ≤ i ≤ n) defined on the probability space (Ω, F, p) with the filtration , where F 0 is the trivial σ-algebra {∅, Ω} and F is the power set of Ω (consisting of all the subsets of Ω). We suppose that the sequence of random variables the Martingale condition: the bounded difference condition: and the zero-difference condition: for a constant q (0 ≤ q ≤ 1). Then, for any > 0, we have that are satisfied, where g MA ( , q, n) is defined by
For completeness, below we prove Theorem 2.

Appendix D: Decoy-state method
In this Appendix, we present the decoy-state method that we use to estimate bounds on the parameters S c,n,u,det,y,X and S Z,Z,n,u,det for n = 1 in the presence of intensity fluctuations within the framework of SCIC. Here, S c,n,u,det,y,X denotes the cardinality of the set S c,n,u,det,y,X = {i|c i = c, n i = n, t i = u, b i = X, y i = y} (with y ∈ {0, 1}). More precisely, the goal here is to bound the quantities S c,n=1,u,det,y,X and S Z,Z,n=1,u,det (D1) with the available experimentally observed data, that is, respectively. We first derive the upper and lower bounds on S c,1,u,det,y,X (see Sec. D 1), and after that we derive the lower bound on S Z,Z,1,u,det (see Sec. D 2).
To achieve this goal, we divide the task into four steps. To illustrate the method, let us consider for instance the case for S c,1,u,det,y,X . In step 1, we use the Modified Azuma's inequality to relate the numbers S c,1,u,det,y,X and S c,k,u,det,y,X with the quantities S c,1,u,y,X det in Eq. (D11) and S c,k,u,y,X det in Eq. (D3), respectively. Here, S c,k,u,det,y,X denotes the cardinality of the set S c,k,u,det,y,X = {i|c i = c, k i = k, t i = u, b i = X, y i = y}. In step 2, we derive the bounds on S c,k,u,y,X det by using the functions {f c,n,u,y,X|det } n that are related to the quantities { S c,n,u,y,X det } n . Here, S c,n,u,y,X det and f c,n,u,y,X|det are defined in Eqs. (D11) and (D22) respectively. In step 3, we derive the bounds on S c,n=1,u,y,X det with { S c,k,u,y,X det } k . In step 4, we finally combine Eqs. (D25) and (D30) with Eqs. (D10) and (D12) which are obtained by means of the Modified Azuma's inequality, and we obtain the bounds on S c,n=1,u,det,y,X with the observed data {S c,k,det,y,X } k∈K .
1. Upper and lower bounds on S c,1,u,det,y,X
a. Step 1. Modified Azuma's inequality
In order to obtain upper and lower bounds on S c,1,u,det,y,X , we first relate the numbers S c,1,u,det,y,X and S c,k,u,det,y,X with the quantities S c,1,u,y,X det and S c,k,u,y,X det , respectively. In the discussion, we use a shorthand notation ), and S c,k,u,y,X det is defined as Here, δ(x, y) denotes the Kronecker delta. To relate Eq. (D3) with the number S c,k,u,det,y,X , we introduce the following random variable where S j det is the set containing the first j elements of the set S det , and Λ j c,k,u,y,X denotes the number of instances where (c, k, u, X, y) is realised among the set S j det , namely, Then, the random variables {Y j c,k,u,y,X } N det j=1 satisfy Eq. (C1), the Martingale condition [see Eq. (C2)], the bounded difference condition [see Eq. (C3)] and the zero-difference condition [see Eq. (C4)] (footnote 11): Therefore, we can apply the Modified Azuma's inequality in Eqs. (C5) and (C6), and we obtain Here, c,k,u,y,X MA denotes the failure probability associated to the estimation of S c,k,u,y,X det , and the function g MA ( c,k,u,y,X MA , p B X , N det ) is defined in Eq. (C7). Note that the quantity S c,k,u,det,y,X in Eqs. (D7) and (D8) is not directly observed in the actual experiments, and we only know its range, given that the number of tagged signals n tag is upper bounded by N tag , as where S c,k,det,y,X := |S c,k,det,y,X |. By combining Eqs. (D7), (D8) and (D9), we obtain except for error probability 2 c,k,u,y,X MA . The bounds on S c,n=1,u,det,y,X will be expressed as a function of the rhs and the lhs of Eq. (D10).

Footnote 11: This statement can be proven as follows. Since Y j c,k,u,y,X − Y j−1 c,k,u,y,X is written as we can confirm that the Martingale condition holds. Also, Eq. (D5) assures the bounded difference condition: |Y j − Y j−1 | ≤ 1. Finally, from Eq. (D5) and using the assumptions (B-1) and (B-2), we obtain the zero-difference condition in Eq. (D6) as Here, we identify the filtration F j−1 with the random variables (χ ).
Next, we define the quantity S c,n,u,y,X det that will be related to the number S c,n,u,det,y,X through the Modified Azuma's inequality as and we follow the above arguments about the Modified Azuma's inequality. As a result, we obtain except for error probability 2 c,n,u,y,X MA . From Eqs. (D10) and (D12) obtained by means of the Modified Azuma's inequality, we find that the remaining task is to bound S c,1,u,y,X det with { S c,k,u,y,X det } k such that S c,1,u,det,y,X can be bounded by the observed data appearing in Eq. (D10). Next, in step 2, we relate the expectation S c,k,u,y,X det with { S c,n,u,y,X det } n through some functions {f c,n,u,y,X|det } n , and then by using this relation we bound S c,1,u,y,X det with { S c,k,u,y,X det } k in step 3.
b. Step 2. Upper and lower bounds on S c,k,u,y,X det with {f c,n,u,y,X|det } n
In this step, we bound S c,k,u,y,X det in Eq. (D3) with { S c,n,u,y,X det } n through the functions {f c,n,u,y,X|det } n . In the following discussion, we use the notation g ≥i := g i , g i+1 , ..., g Nsent .
First, from the law of total probability, the definition (D-1) in Sec. II A and Bayes' theorem, Eq. (D3) can be rewritten as Next, we calculate the first factor of Eq. (D13) to obtain Eq. (D20) below.
where in Eq. (D14) we use the decoy-state property, namely, p(y i = ∅, holds. This is because once g Nsent is fixed, Eq. (B1) assures that the total N sent sending states have a tensor product structure which implies that the information of k i is only encoded in the i th sending system B i , and the n-photon state in the system B i is the same for any choice of k i . In Eq. (D15) we use the assumption (B-2) in Sec. II B, in Eq. (D16) we recursively use the decoy-state property and the assumption (B-2), in Eqs. (D17) and (D19) we use the Bayes' theorem, and finally in Eqs. (D18) and (D20) we use Eq. (B1).
In Eq. (D20), from Eq. (11), ∀i ∈ S det and With these bounds, S c,k,u,y,X det can be upper and lower bounded as where we define the function and respectively. It is notable that Eq. (D21) represents a linear combination of {f c,n,u,y,X|det } n , and f c,n,u,y,X|det is independent of k, which is crucial in the next discussion.
If we assume µ − k1 > µ + k2 + µ + k3 (which we actually imposed in the protocol), we have that ( ) n holds for n ≥ 2 [45]. Therefore, Eq. (D27) leads to which is equivalent to If we assume 1 > µ + k1 (which we actually imposed in the protocol), by using in Eq. (D29), the third inequality in Eq. (D26) and the definition of f c,1,u,y,X|det in Eq. (D22), we obtain the lower bound on S c,1,u,y,X det as a function of { S c,k,u,y,X det } k as Here, we define Pois^L(1|u) = Σ_{k∈K} p_k Pois^L(1|k, u). In this step, we finally derive the upper and the lower bounds on S c,n=1,u,det,y,X with experimentally observed data {S c,k,det,y,X } k .
(i) Upper bound on S c,1,u,det,y,X We combine Eqs. (D10) and (D12), which result from the application of the Modified Azuma's inequality, with Eq. (D25) to derive the upper bound on S c,1,u,det,y,X . S c,1,u,det,y,X ≤ S U c,1,u,det,y,X := except for error probability
(ii) Lower bound on S c,1,u,det,y,X Similarly, we combine Eqs. (D10) and (D12) with Eq. (D30) to derive the lower bound on S c,1,u,det,y,X .
Just by following the same arguments that we use for the estimation of the bounds on S c,1,u,det,y,X in Secs. D 1 a-D 1 d, we find that S Z,Z,1,u,det is lower bounded by the following quantity: except for error probability Here, we define S − Z,Z,k2,u,det := S Z,Z,k2,det − N tag .
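An added example (not code from the paper) of the source-characterisation arithmetic that the decoy-state bounds rely on: it checks the two intensity conditions imposed above, takes Pois^L(1|k, u) to be the minimum of the Poisson single-photon probability over each intensity interval (an assumption about the definition, which is not reproduced on this page), and applies the N tag range to an observed count. The nominal intensities 0.2 and 0.05, p_k3 = 0.1 and the detection count are constructed values; the ±3% and [0, 10^-3] intervals, p_k1, p_k2 and N tag = N sent × 10^-7 are the ones quoted for the paper's simulation.

```python
import math

def intensity_interval(nominal, rel_fluct):
    """Interval [mu^-, mu^+] for a nominal intensity fluctuating by ±rel_fluct."""
    return (nominal * (1 - rel_fluct), nominal * (1 + rel_fluct))

def poisson(n, mu):
    """Poisson photon-number probability for intensity mu."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def poisson_bounds(n, interval):
    """(min, max) of Pois(n|mu) over the interval.

    Pois(n|mu) rises until mu = n and falls afterwards, so the minimum sits at
    an endpoint and the maximum at mu = n when the interval contains it.
    """
    lo, hi = interval
    ends = (poisson(n, lo), poisson(n, hi))
    upper = poisson(n, n) if lo <= n <= hi else max(ends)
    return min(ends), upper

def check_intensity_conditions(iv):
    """The two conditions the text imposes on the intensity intervals."""
    return {
        "mu-_k1 > mu+_k2 + mu+_k3": iv["k1"][0] > iv["k2"][1] + iv["k3"][1],
        "1 > mu+_k1": 1 > iv["k1"][1],
    }

def single_photon_lower_bound(iv, p_k):
    """Pois^L(1|u) = sum_k p_k Pois^L(1|k,u), Pois^L assumed to be the interval minimum."""
    return sum(p_k[k] * poisson_bounds(1, iv[k])[0] for k in iv)

def untagged_range(observed, n_tag_max):
    """Range of an untagged count when at most n_tag_max events are tagged
    (the clamp at zero is added here)."""
    return max(observed - n_tag_max, 0), observed

# Fluctuation model quoted for the simulation: ±3% for k1, k2 and [0, 1e-3] for k3.
# The nominal intensities 0.2 and 0.05 are assumed values, not the paper's.
INTERVALS = {
    "k1": intensity_interval(0.2, 0.03),
    "k2": intensity_interval(0.05, 0.03),
    "k3": (0.0, 1e-3),
}
# p_k1 and p_k2 as quoted; p_k3 = 0.1 is assumed from normalisation.
P_K = {"k1": 0.8, "k2": 0.1, "k3": 0.1}
N_TAG = 10**12 // 10**7  # case (II): N_tag = N_sent x 10^-7 with N_sent = 10^12

if __name__ == "__main__":
    print(check_intensity_conditions(INTERVALS))
    print("Pois^L(1|u) =", single_photon_lower_bound(INTERVALS, P_K))
    print("untagged range:", untagged_range(5_000_000, N_TAG))  # constructed count
```

If either condition evaluates to False for a characterised source, the derivation of the single-photon bounds above no longer applies as written.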
This means that the state | Υi (θ i c i ,g i , 1) B i can be rewritten in terms of the Z eigenstates as | Υi (θ i c i ,g i , 1) For convenience, we describe Alice's state preparation process of |Ψ i g i C i K i N i B i for g i ∈ G i unt and n i = 1 by means of an entanglement-based scheme. That is, we assume that she first generates the state , and afterwards she measures the system C i to obtain c i . In this subsection, given c i = c and g i ∈ G i unt , we suppose that θ i c,g i lies in the following interval for any i: To prove the security of the key generated from the Z basis, we follow the definition of the phase error rate. That is, we consider Alice and Bob's hypothetical measurements on their systems C i and B i (where B i represents the system B i after Eve's intervention) in the X basis given that Alice prepared the state In this virtual scenario, we have therefore, that Alice sends Bob the state |ψ i vir,m,g i B i with probability p i vir,m,g i by projecting the system C i in the basis and For later convenience, we define Thanks to Proposition 1 below, we are allowed to evaluate the security of the actual protocol by using the virtual scheme illustrated in Fig. 5. In particular, we consider a virtual protocol where for each signal emission, Alice can in principle prepare the following state if where the system A i is stored by Alice in a quantum memory. Here, the states {|ψ i α i ,g i } α i are defined as and the probabilities {p i α i ,g i } α i are given by Alice sends Bob the system B i in Eq. (E1), and Eve performs an arbitrary operation on this system. On the receiving side, thanks to the assumption (B-1) in Sec. II B, Bob can apply the filter operation F to the system B i to determine announced by Alice and Bob up to the (i − 1) th trials. With this CP map, the state in the i th systems G i , C i , K i , N i and B i is of the form where σζ i−1 ,I i−1 is defined as Here, the set of Kraus operators { Âi s i ,ζ i−1 ,I i−1 ,g ≥i } s i acting on the system B i depends on the measurement results ζ i−1 and the iterative information I i−1 announced by Alice and Bob.
Let us now derive an upper bound on the number of phase errors N ph,Z,Z,1,u,det . For this, we consider the joint measurement performed by Alice and Bob on the i th event with i ∈ S det . In particular, we are interested in the probability of obtaining the measurement outcome n i = 1 on the system N i , the measurement outcome g i ∈ G i unt (namely, t i = u) on the system G i , the measurement outcome α i = α ∈ {0, 1, 2, 3, 4} on the system A i , and the measurement outcome y i = y ∈ {0, 1} in the X basis measurement on the system B i given that Bob's filter operation F was successful. Such probability can be expressed as p(n i = 1, t i = u, α i = α, b i = X, y i = y|ζ i−1 , y i = ∅) , C i g i := k i p(k i )p(1|µ k i ,g i ), q α := 1 for α ∈ {0, 1, 2, 3} and q 4 := p B X . Also, we define the operator T i y,X,ζ i−1 ,I i−1 ,g ≥i as T i y,X,ζ i−1 ,I i−1 ,g ≥i := In Eq. (E15), for convenience of notation, we have defined A := g i ∈G i unt g ≥i+1 p(g Nsent )A. If we define N 1,u,α,y,X as the number of events where Alice obtains the measurement outcome n i = 1 on the system N i , g i ∈ G i unt on the system G i , α i = α ∈ {0, 1} on her system A i and Bob obtains the outcome y i = y ∈ {0, 1} in the X basis measurement on the system B i , the phase error rate is defined as the rate at which Bob obtains the outcome y i = α ⊕ 1 on the system B i among α=0,1,y=0,1 N 1,u,α,y,X . The phase error rate for the untagged single-photon emissions can be expressed as e ph|Z,Z,1,u,det = In the third equality, we use the assumption (B-1) in Sec. II B which states that the efficiency of Bob's measurement is the same for the bases Z and X. In Eq. (E17), the denominator can be estimated directly with the decoy-state method. Next, we calculate an upper bound for the quantity N ph,Z,Z,1,u,det . For this, we first relate N ph,Z,Z,1,u,det with the sum of the probabilities 1 α=0 p(n i = 1, t i = u, α i = α, b i = X, y i = α ⊕ 1|ζ i−1 , y i = ∅) over i ∈ S det . This can be done by using Azuma's inequality [42]; we obtain p N ph,Z,Z,1,u,det − i∈S det 1 α=0 p(n i = 1, t i = u, α i = α, b i = X, y i = α ⊕ 1|ζ i−1 , y i = ∅) ≥ g A (N det , ph,Z, where M i g i := ( V i 0 Z ,g i , V i 1 Z ,g i , V i 0 X ,g i ) T with ( V i c,g i ) T := (1, sin θ i c,g i , cos θ i c,g i ), and where T represents the transpose operator. To calculate tr[ T i α⊕1,X,ζ i−1 ,I i−1 ,g ≥i ÎB i /2], tr[ T i α⊕1,X,ζ i−1 ,I i−1 ,g ≥i XB i /2], and tr[ T i α⊕1,X,ζ i−1 ,I i−1 ,g ≥i ẐB i /2], we use information from the states that are sent in the actual protocol. In doing so, we can upper-bound the first term of the rhs in Eq. (E19) as α,0 X i∈S det p(n i = 1, t i = u, α i = 4, b i = X, y i = α ⊕ 1|ζ i−1 , y i = ∅)/p B X p i 4,g i . (E21) In the first inequality, the parameter p U α (with α ∈ {0, 1}) is an upper bound on p i 0(1),g i := p A Z p B Z p i vir,+(−),g i , where p i vir,±,g i is defined in Eq. (E7), and these quantities are given by

FIG. 4: The key rate (per pulse) in logarithmic scale versus fibre length for the case with the phase fluctuation of ±0.03 rad [namely, θ = 0.03 in Eq. (22)] for any choice of c i ∈ C and the intensity fluctuation of ±3% for the choice of k i ∈ {k1, k2} and R k3 int = [0, 10^−3] for the weakest decoy setting k i = k3. In solid lines, we assume (I) Ntag = 0 and p fail = 0, and in the dashed lines, we assume (II) Ntag = Nsent × 10^−7 and p fail = 0. The secrecy and correctness parameters are s = c = 10^−10 and for each set of solid and dashed lines, the total number of signals sent by Alice is Nsent ∈ {10^10, 10^10.5, 10^11, 10^11.5, 10^12} from left to right. The rightmost solid and dashed lines respectively correspond to the asymptotic key rate of the cases (I) and (II) where no statistical fluctuation terms in N U ph,Z,Z,1,u,det and S L Z,Z,1,u,det are taken into account. The experimental parameters are described in the main text.

With the above parameters, we simulate the key rate SCIC /N sent for a fixed value of the correctness and secrecy parameters c = s = 10^−10 and we set Z = 1/2 × 10^−10, PA = PH = 1/16 × 10^−20, and Z,k,u MA = Z,1,u MA = Z /4 = 1/8 × 10^−10. We also assume that each failure probability which is contained in the expression of 1 PH and takes the value c,1,u,y,X A = ph,Z,1,u A = 1/26 × PH and c,k,u,y,X MA = c,1,u,y,X MA = 1/26 × PH , respectively, and we set p A Z = p B Z = p k1 = 0.8 and p k2 = 0.1.
 | Lower bound on |S Z,Z,1,u,det |
N ph,Z,Z,1,u,det | Number of phase errors in the set S Z,Z,1,u,det
N U ph,Z,Z,1,u,det | Upper bound on N ph,Z,Z,1,u,det
 | Alice's (Bob's) sifted key
κ cor B | Bob's reconciled key
κ fin A(B) | Alice's (Bob's) final key
sec | Security parameter of the protocol
s | Secrecy parameter of the protocol
c | Correctness parameter of the protocol
PA | Error probability of privacy amplification
Z | Failure probability of the estimation of S L Z,Z,1,u,det given that S det = N det
PH | Failure probability of the estimation of N U ph,Z,Z,1,u,det given that ntag ≤ Ntag and S det = N det
 | Length (in bits) of the final key

d. Step 4. Upper and lower bounds on S c,n=1,u,det,y,X with {S c,k,det,y,X } k

7) Assumption on the number of tagged signals
We define the good set G Nsent good of g Nsent as that whose number of tagged events n tag := |{i|g i ∉ G i unt }| is upper bounded by a constant number N tag as

TABLE I: Random variables and sets used throughout the paper