Quantum key distribution with flawed and leaky sources

In theory, quantum key distribution (QKD) allows secure communications between two parties based on physical laws. However, most of the security proofs of QKD today make unrealistic assumptions and neglect many relevant device imperfections. As a result, they cannot guarantee the security of the practical implementations. Recently, the loss-tolerant protocol (K. Tamaki et al., Phys. Rev. A, 90, 052314, 2014) was proposed to make QKD robust against state preparation flaws. This protocol relies on the emission of qubit systems, which, unfortunately, is difficult to achieve in practice. In this work, we remove such qubit assumption and generalise the loss-tolerant protocol to accommodate multiple optical modes in the emitted signals. These multiple optical modes could arise, e.g., from Trojan horse attacks and/or device imperfections. Our security proof determines some dominant device parameter regimes needed for achieving secure communication and, therefore, it can serve as a guideline to characterise QKD transmitters. Furthermore, we compare our approach with that of H.-K. Lo et al. (Quantum Inf. Comput., 7, 431–458, 2007) and identify which method provides the highest secret key generation rate as a function of the device imperfections. Our work constitutes an important step towards the best practical and secure implementation for QKD.


I. INTRODUCTION
Quantum key distribution (QKD) [1][2][3] enables two distant parties, Alice and Bob, to share a common secret key that can be used to encrypt and decrypt messages.In theory, QKD can offer information-theoretic security based on the laws of physics.In practise, however, it does not because typical security proofs of QKD require assumptions that are not actually met by the practical implementations, as they usually ignore many experimental device imperfections.This discrepancy between the theory and the practice of QKD has been evidenced by many quantum hacking attacks, especially by those that exploit flaws in the detectors of QKD systems [4,5].Fortunately, the proposal of measurementdevice-independent QKD (MDI-QKD) [6] can solve all security loopholes in the measurement unit, and therefore Eve cannot take advantage of detector side-channels to learn information about the key.Furthermore, MDI-QKD can be implemented experimentally using standard optical components [7][8][9][10][11][12].Therefore, to guarantee implementation security we now need to focus on how to secure the source in QKD.
Ideally, the sending devices are single-photon sources and the encoding of the light pulses is executed perfectly, without any state preparation flaw (SPF).However, none of these two conditions are met experimentally since all devices have inherent deficiencies.The decoy-state method [13][14][15] was proposed to replace single-photon sources with coherent light sources.Also, by using the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) security analysis [16] the problem with SPFs is fixed.The main drawback of this last approach is that the resulting secret key rate is poor and fragile against channel loss.This is because it assumes the worst case scenario in which Eve could enhance the signals' flaws through channel loss, which significantly decreases the performance of the QKD scheme.
Recently, a protocol that is loss-tolerant to SPFs has been proposed [17] to address the limitation of the GLLP analysis.The loss-tolerant protocol employs only three states and takes into account modulation errors due to an imperfect phase modulator (PM).Remarkably, by using a different phase error estimation technique involving the use of the basis mismatched events, the secret key rate of the loss-tolerant protocol remains almost unchanged even if the SPFs increase.In fact, the maximum transmission distance for a QKD system in fiber so far has been recently achieved using this protocol [18], which shows that the loss-tolerant protocol is highly practical.Its main weakness, however, is the assumption that the single-photon signals sent by Alice are qubits, which is difficult to guarantee in practice.For instance, if Eve conducts a Trojan horse attack (THA) [19][20][21][22][23] against the source, this assumption can be violated.In a THA, Eve sends bright light into Alice's PM and obtains information about the encoding by measuring the back-reflected light that exits Alice's lab.Moreover, an optical mode of the light pulse emitted by Alice could be dependent on the value of the phase modulation, which means that a sent single-photon pulse might not be a qubit (we call this imperfection the non-qubit assumption).That is, Alice's setting choice information could be encoded in other degrees of freedom of the emitted light, and this spontaneous leakage of information results in a higher-dimensional sending state.This work aims to reduce the big gap between the theory and the practice of QKD by generalising the losstolerant protocol such that it includes typical imperfections in the sending device.These imperfections encompass SPFs in a single-mode qubit space, THAs and the non-qubit assumption.Therefore, our analysis covers dominant imperfections that a source device has, allowing the use of a much wider class of imperfect devices in a secure manner.Our generalised loss-tolerant protocol can be applied to any multi-mode scenario as long as the states of the emitted signals are independently and identically distributed (I.I.D.), namely, this proof does not consider correlations between the sending signals.However, we remark that recent results reported in [24] imply that our analysis could also accommodate correlations between the signals which are independent of Alice's setting choice.Moreover, our protocol can be applied to MDI-QKD.Using our formalism, we can quantify the device parameters required to ensure secure communications with flawed and leaky sources.
Additionally, we investigate how Lo-Preskill's security analysis [25] behaves in the presence of the same device's imperfections and, by using imperfectly characterised states, we compare it with our generalised loss-tolerant protocol.As a result, we determine which security proof provides a higher secret key rate as a function of the device parameters.These parameters are essential for experimentalists to produce and to calibrate the transmitting devices, and therefore our work can be used as a guideline for securing the source in the presence of multi-mode signals.
This paper is organised as follows.In section II, we describe the assumptions that we make in our security proof and introduce the QKD protocol considered.In section III, we present the security analysis for our generalised loss-tolerant protocol.Then, in section IV, we consider a particular device model to perform the simulations for our analysis and in order to compare it with Lo-Preskill's analysis.Finally, we conclude our paper in section V and provide additional explanations and calculations in the Appendixes.

II. DESCRIPTION OF THE PROTOCOL
We shall assume that Alice's lab has a laser source that emits phase-randomised weak coherent pulses and she distils secret key from the single-photon contributions.For this, she uses the decoy-state method [13][14][15], which in principle allows her to effectively evaluate the detection rate and the phase error rate of the single-photon pulses emitted.For simplicity, we shall assume that Alice and Bob can obtain this information precisely, that is, we shall assume that they use an infinite number of decoy settings.We remark, however, that our analysis could be easily adapted to the scenario with a finite number of decoy settings.We omit it here only because this results in an unnecessarily cumbersome analysis.Therefore, below we focus on the single-photon pulses emitted by Alice and our security proof only applies to these single-photon pulses.Fig. 1 shows the QKD setup.Next, we describe the assumptions we make on Alice's and Bob's devices and then we present the actual protocol.and is decomposed into the reference and the signal pulses.The reference pulse travels through the longer arm of Alice's Mach-Zehnder interferometer.To perform the encoding, she uses a PM that applies a phase shift to the signal pulse.The two pulses are recombined at the second 50:50 BS, sent through the quantum channel and then received in Bob's lab.On reception, they are split by a 50:50 BS and Bob applies a phase shift on the reference and signal pulses in the upper arm of his Mach-Zehnder interferometer.These pulses then interfere with the pulses that travelled through the shorter arm of the interferometer at the second 50:50 BS. Bob can then detect click events corresponding to photons choosing the shortest arm in Alice's interferometer and the longest one in Bob's, and to the opposite, by using two detectors, D0 and D1, which correspond to obtaining bit value 0 and 1 respectively.

A. Assumptions on Alice's device
In this work, we consider the asymptotic scenario where Alice sends Bob an infinite number of pulses.Our formalism is valid for any source that emits pulses whose quantum state is of the form with , where j ∈ {0, 1} and β ∈ {Z, X} are Alice's bit value and basis choices respectively.As in the loss-tolerant analysis introduced in [17], we consider a three-state protocol where Alice selects jβ ∈ {0Z, 1Z, 0X}.She sends the states to Bob but due to a potential THA we use the notation BE, which stands for Bob's and Eve's system.Furthermore, in Eq. ( 1), we assume that |φ jβ BE is a pure state in a single-mode qubit space (however, by introducing an ancilla system for Alice to purify the state, our formalism is also valid for a mixed state in a single-mode qubit space, as shown in Appendix A) and |φ ⊥ jβ BE corresponds to any state outside of the single mode qubit space, including a state of a side-channel, and it is in an Hilbert space orthogonal to |φ jβ BE .Therefore, the inner product φ jβ |φ ⊥ j β BE for all j, j , β and β is always zero.Also, depending on Alice's knowledge about the state given in Eq. ( 1) she might have to consider the worst-case scenario, i.e., φ ⊥ jβ |φ ⊥ j β BE = 0 for any combination of (j, β) and (j , β ).
On the other hand, if Alice knows some structure of the side-channel she should fully exploit it and lower bound φ ⊥ jβ |φ ⊥ j β BE .For example, if she knows that the side-channel is associated with the polarisation state of the singlemode qubit then the worst case scenario does not apply, i.e., φ ⊥ jβ |φ ⊥ j β BE = 0, since it is impossible for three states to be orthogonal to each other given the two-dimensionality of polarisation.
We remark that, to apply the procedure introduced below we only need to determine the coefficients a jβ , b jβ , and the relative phase between them, but it is not necessary to completely characterise the quantum information of the side-channel, |φ ⊥ jβ BE .That is, our characterisation seems to be rather simple, and there is no need to perform further detailed characterisations.Nonetheless, the better Alice and Bob know the state given in Eq. ( 1), the better the resulting performance, as explained later in Section IV.An experimental procedure to perform this estimation is out of the scope of this paper hence, we assume that these parameters are given.
Furthermore, our work can accommodate any SPF in the single-mode qubit space, and one could also employ the techniques in [24,26].For example, we may select a case in which the states that Alice prepares can be expressed as Here, δ(≥ 0) is the deviation of the phase modulation from the intended value, , where v stands for vacuum, |1 denotes a Fock state with one photon and the subscript r (s) corresponds to the reference (signal) pulse.Therefore, our formalism can be used, for instance, when the information about Alice's choice of state is leaked and/or the optical mode depends on Alice's selection.This leakage from the source can occur spontaneously or with an active THA.In Section IV, the connection between Eq. (1) and Eq. ( 2) becomes clear when we consider a particular device and THA model as an example of the application of our formalism.

B. Assumptions on Bob's device
Bob receives the signal and reference pulses from Alice and measures them in a basis selected at random.More precisely, Bob's measurements are defined by the positive-operator valued measures (POVMs) { M0β , M1β , Mf }, where M0β ( M1β ) with β ∈ {X, Z} corresponds to obtaining the bit value 0 (1) when Bob chooses the basis β, and Mf corresponds to an inconclusive outcome.Importantly, Mf is assumed to be the same for the two bases.Moreover, we consider no side-channels in Bob's setup.

C. Actual protocol
The three-state protocol makes an asymmetric choice of basis, namely, the Z and the X basis are selected with a priori different probabilities for both Alice and Bob.The events when both of them select the Z basis are used for key generation.Also, all announcements between Alice and Bob are done via an authenticated public channel.Next, we describe the steps of the QKD protocol in detail.
1. Initialisation: Before running the protocol, Alice and Bob agree on a number N f ixed of rounds, on the error correcting codes, and on a set of hash functions to perform privacy amplification.Steps 2-4 of the protocol are repeated N times until the number of detected events N becomes N f ixed .
2. State preparation: Alice generates the states given in Eq. (1).First, she selects the basis β ∈ {Z, X} for encoding the states with probabilities P Z A and P X A = 1 − P Z A respectively.If the Z basis is selected, she randomly chooses a bit value.Then, Alice prepares the signal and reference pulses following these specifications and sends the pulses to Bob via a quantum channel.Due to a potential THA, the sending states might contain Eve's system E as well.
3. Measurement: Bob measures each incoming signal using the basis β ∈ {Z, X} which he selects with probabilities P Z B and P X B = 1 − P Z B respectively.
4. Detection announcement: Bob checks whether the signal in Step 3 is detected or not.For each detected event, N is increased by 1 unit1 .If N = N f ixed , Bob announces the detected events, and they proceed to Step 5, otherwise they go back to Step 2.

5.
Basis announcement and sifting: Alice and Bob announce their basis choices for the detected events.Also, they define bit strings associated with the basis matched and mismatched events.
6. Parameter estimation: Alice and Bob announce the bit strings s X,0Z , s X,1Z and s X,0X which correspond to the events when Alice sends one of the three possible states and Bob measures it in the X basis.These bit strings are used to estimate the number of bits that need to be removed from the sifted key, which is composed by the Z basis matched events, during privacy amplification.

7.
Error correction and privacy amplification: Alice and Bob randomly select an error correcting code from Step 1 to perform error correction on these sifted strings and then they exchange the syndrome information about the Z basis matched events.Then, based on the result of the parameter estimation in Step 6, they perform privacy amplification on the corrected sifted keys.At the end of this step, Alice and Bob obtain the key strings k Z A and k Z B , respectively.

III. SECURITY ANALYSIS
In order to prove the information-theoretic security of our protocol we use the complementary scenario introduced by Koashi [29,30].For this, we first need to create an equivalent virtual protocol (see Appendix A) concerning an observable conjugate to the key.The classical and quantum information available to Eve in the actual and virtual protocols are the same and therefore she cannot distinguish and behave differently between them.Hence, by proving the security in the virtual protocol we ensure the security of the actual protocol.Additionally, from the virtual protocol we can determine the phase error rate, which quantifies the amount of information that is leaked to Eve and has to be removed in the privacy amplification step.In this section, we show how this last quantity is estimated by generalising the loss-tolerant method.

A. Secret key rate
As explained before, for simplicity we assume the asymptotic scenario where Alice uses an infinite number of decoy settings.In doing so, we assume that Alice and Bob can accurately estimate the detection rate of the single-photon contributions of the coherent states generated by Alice's source.The asymptotic key rate for the single-photon signals can be expressed as where Y Z is the yield of the single photons in the Z basis, i.e. the joint probability of Alice emitting a single-photon in the Z basis and Bob detecting it with a measurement also in the Z basis.The function h is the binary entropy function and f is the error correction efficiency.The term e X is the phase error rate and thus, h(e X ) is the cost of performing privacy amplification in order to remove the correlations between the corrected sifted key and Eve.The term e Z is the bit error rate and f h(e Z ) corresponds to the amount of syndrome information required to make Alice's and Bob's keys the same.The quantities Y Z and e Z in Eq. ( 3) are estimated using the decoy-state method.Therefore, we are left with the estimation of the phase error rate.We do this below.

B. Estimation of the phase error rate
We assume that when Alice sends Bob single photons, she prepares the states |Φ jβ BE as defined in Eq. ( 1).These states take into consideration the non-qubit assumption, a possible THA by Eve, and SPFs.In the virtual protocol (see Appendix A for further details), Alice prepares the following state in the Z basis: We then define the bit error rate as where the yields sZ,jZ , with s, j ∈ {0, 1}, are the joint probabilities that Alice prepares the state |Ψ Z ABE , Bob selects the Z basis, and Alice (Bob) obtains the bit value j (s) when she (he) measures the system A (B) in the Z basis.Note that, the superscript (Z) in the yields represents the basis used in the state preparation while the subscripts denote the bases employed in the measurements.These yields can be estimated using the decoy state method since we use a coherent light source instead of a perfect single-photon source.Similarly, the phase error rate is defined as where Y (Z)vir sX,jX , with s, j ∈ {0, 1}, is the joint probability that Alice prepares the state |Ψ Z ABE , she and Bob select the Z basis but both use the X basis for their measurements (rather than the selected Z basis), and Alice (Bob) obtains the bit value j (s).The phase error rate corresponds to the bit error in the virtual protocol.Also, we have that the denominator of e X in Eq.( 6) is equal to 1Z,1Z , since by assumption the probability to obtain an inconclusive outcome associated to the operator Mf is the same for the both basis for any incoming state.This means that to estimate e X we only need to calculate the virtual yields Y (Z)vir 0X,1X and Y (Z)vir 1X,0X .In the virtual protocol, after Alice measures the system A in Eq. ( 4) in the X basis, she sends Bob the (unnormalised) states: where Tr A is the partial trace over the virtual system A. Using Eqs. ( 4) and ( 7) we can calculate the unnormalised states sent by Alice for j ∈ {0, 1} and obtain that θBE,jX,vir = |ψ ψ| BE,jX,vir with By normalising the terms in the expression above, Eq. ( 8) can be rewritten as: where the normalised states |γ jX BE have the form and the normalised states |γ ⊥ jX BE , which are orthogonal to |γ jX BE , are given by Note that, in Eq. ( 9), we have decomposed |ψ BE,jX,vir into a single-mode qubit |γ jX BE and a state in any mode orthogonal to it, |γ ⊥ jX BE .This decomposition follows the definition provided in Eq. ( 1), and it is an essential step for our estimation of the phase error rate.
To obtain the yields Y (Z)vir sX,jX we need to calculate where DsX = k Â † k MsX Âk corresponds to Eve's action, represented by the Kraus operators Âk , as well as Bob's measurement with MsX being an element of Bob's POVM.Here, recall the definition of the phase error rate where the Z basis is selected but both Alice and Bob use the X basis for their measurements (rather than the selected Z basis), which is why P Z A and P Z B appear in Eq. (12).Moreover, here we assume, for simplicity, that Eve applies the same quantum operation to every signal, which corresponds to a collective attack, but our analysis can be generalised to coherent attacks by considering the Azuma's inequality [28] (see Appendix A), which deals with any correlations among the events, i.e., the phase error rate pattern.Using Eqs. ( 9)-( 12) we obtain the following expression for the yields: where the coefficients A j , B j , and C j are defined in Appendix B, and we omit presenting their explicit expressions here for simplicity.Since the state |γ jX BE in the first term of Eq. ( 13) is a single-mode qubit state, its density matrix can be expressed as where P jX,vir i are the coefficients of the Bloch vector and σi , with i ∈ {Id, x, y, z}, represent the identity and the three Pauli operators, respectively.Therefore, we have that A j Tr DsX |γ jX γ jX | BE = A j P jX,vir Id q sX|Id + P jX,vir x q sX|x + P jX,vir y q sX|y + P jX,vir z q sX|z , ( where P jX,vir i = Tr σi |γ jX γ jX | BE and q sX|i = 1 2 Tr DsX σi can be regarded as the transmission rates of the operator σi .These can be calculated by solving a system of linear equations with the events from the actual protocol, which we will explain later.Moreover, by choosing the y axis of the Bloch sphere appropriately we can always set P jX,vir y = 0 for all the Bloch vectors, since the PM just creates rotations in the X-Z plane of the Bloch sphere.Indeed, even if the PM introduces loss depending on Alice's state selection, as long as the three states form a triangle in the Bloch sphere, we can apply such simplification [17]. Furthermore, it is possible to find both lower and upper bounds on the second term of Eq. ( 13).In particular, this term can be written as Tr DsX N j where N j is the matrix with eigenvalues Using the properties of POVMs we have that the operators DsX have eigenvalues between 0 and 1, therefore Tr DsX N j is bounded by λ minj ≤ Tr DsX N j ≤ λ maxj , since λ minj is negative.This means that the virtual yields satisfy: x q sX|x + P jX,vir z q sX|z + λ minj ≤ Y (Z)vir sX,jX ≤ P Z A P Z B A j q sX|Id + P jX,vir x q sX|x + P jX,vir z q sX|z + λ maxj . ( To find the transmission rates q sX|i , the actual events (which can be estimated using decoy-state techniques) we need to consider are those associated with the yields sX,1Z and Y (X) sX,0X .These are defined as , where the normalised actual states |Φ jβ BE are defined in Eq. (1).That is, |Φ jβ BE are the states emitted by Alice in the actual protocol when she chooses the bit value j and the basis β, in the presence of multi-mode signals.Using exactly the same method explained above, we obtain where Therefore, we find that the actual yields satisfy where are the eigenvalues for the non-qubit part of the actual states and, P jβ x and P jβ z are the coefficients of the Bloch vector for the actual states.By substituting jβ ∈ {0Z, 1Z, 0X} in Eqs.(19) and (20), we obtain a system of three linear inequalities, which can be expressed as where and where the superscript T means transpose.By rearranging Eq. ( 21) we obtain the bounds on the transmission rates q sX|Id , q sX|x , and q sX|z to be where Â−1 is the inverse of the matrix Â.By solving Eq. ( 22), we can calculate the transmission rates and then substitute them into Eq.( 17) to find the upper bounds on the virtual yields Y (Z)vir 0X,1X and Y (Z)vir 1X,0X .Finally, by using these upper bounds on the virtual yields and the yields from the actual events we can estimate the phase error rate e X in Eq. ( 6).

IV. SIMULATION OF THE KEY RATE A. Particular device model
Only for the purpose of the simulation, we now consider a particular device model and a particular THA.In general, to experimentally guarantee that the three states emitted by Alice remain in two dimensions, i.e., in a single-mode qubit, her PM needs to have the same temporal, spectral, spatial and polarisation mode independently of the bit and basis choices.However, due to imperfections in the devices this condition is hard to fulfil.Some counter-measures against these imperfections have been suggested [31][32][33][34], but they cannot rigorously ensure a single-mode qubit.Therefore, it is crucial to consider how device's flaws can be taken into account in a security proof.This is the aim of our analysis.For simplicity, among many imperfections, we select the polarisation mode as an example of how to use our framework.
A change in polarisation can arise from the imperfect alignment of the laser with the principal axis of the PM and/or when the PM is polarisation dependent, i.e., the state of polarisation of the signals prepared might be different for each encoding phase value.In principle, this could be avoided by using a polarisation beam splitter (PBS) that selects a single polarisation mode.In practice, however, because of the finite extinction ratio of the PBS this is usually not the case.Here, we relax the need for a perfect PBS by considering a polarisation multi-mode scenario.We remark, nonetheless, that our analysis can be applied to any multi-mode scenario.Using our formalism, we can express the states sent by Alice in the scenario considered in an analogous way to Eq. ( 1): for jβ ∈ {0Z, 1Z, 0X}, where the subscripts H and V refer to the horizontal and vertical polarisation modes, respectively.That is, now the polarisation state of |ω jβ B depends on Alice's bit and basis choices instead of being the same independently of her encoding.Next, we add the SPF and the THA to this particular device model.
For the states |ω jβ HB and |ω jβ V B we use the definitions in Eq. ( 2), where they both live in a qubit space.Also, by using Eq. ( 2) these states already include SPFs whenever the parameter δ > 0. As stressed in Section II, since in this case we know the form of the states we do not need to consider the worst case scenario but only the inner product ω jβ |ω j β HB V B = 0 for all j, j , β and β .Additionally, we consider an active information leakage in our device model.For this, we assume that Eve sends strong light into Alice's PM, which is then back-reflected and exits Alice's lab in the form In this expression, , where µ is the intensity of Eve's back reflected light.In this case, note that the condition e jβ |e j β E = 0 is not satisfied since Eve will never be able to perfectly distinguish the states dependent on Alice's encoding.The value of this overlap depends on the isolation of the devices.Below, however, we conservatively assume for simplicity the worst case scenario where this overlap is zero.
Putting Eq. ( 23) and Eq. ( 24) together, Alice's emitted state for the single photon pulses is modelled as By using Eqs.( 2)-( 23)-( 24 The first term of Eq. ( 26) has polarisation H and is insensitive to the THA, it corresponds to a jβ |φ jβ BE in Eq. ( 1).Similarly, the other terms have either polarisation V and/or are affected by the THA, and together they correspond to b jβ |φ ⊥ jβ BE in Eq. (1).In this case, the unnormalised virtual states given by Eq. ( 9) have now the form where we have used the relationship In order to estimate the phase error rate, we need to calculate the transmission rates q sX|Id , q sX|x and q sX|z using the actual yields.For this, we use Eq. ( 22) where in this particular example, the matrix Â is where E jβ = C 2 I cos 2 θ jβ .Then, we can find the virtual yields by using Eq. ( 17) where, in this example, the coefficients of the Bloch vectors are Finally, one can directly use Eq. ( 6) to estimate the phase error rate e X .

B. Lo-Preskill's analysis with imperfectly characterised states
With the method described above, it is possible to employ the leaky source without compromising the security of the QKD system.Nonetheless, depending on the situation and the particular experimental parameters it might be beneficial to consider another method that in some cases might provide a higher key generation rate.Therefore, it is important to compare our generalised loss-tolerant protocol with an alternative method, say the Lo-Preskill's analysis introduced in [25].In Appendix C we provide a detailed description of this analysis.
To ensure a fair comparison between the two methods, we consider the same assumptions about the states for both of them.For this, we employ the decomposition of the state of the single-photon pulses emitted by Alice into a single-mode qubit and any other modes which are orthogonal to the former, i.e., Eq. ( 1).Also, we apply Lo-Preskill's analysis to the same particular device model described in Section IV.A.Note that, Lo-Preskill's approach uses the BB84 protocol [35] where Alice sends four states to Bob, and this corresponds to the three states used in this work plus one more state encoded in the X basis.
In order to quantify the phase error rate e X in the Lo-Preskill's analysis we use the following expression [25] e which depends on the bit error rate e Z and on the imbalance ∆ of a quantum coin.To find this imbalance, we need to calculate the inner product of Eqs.(C1) and (C2).In turn, these equations depend on the states |Φ jβ BE , defined in Eq. ( 26), therefore, their overlaps allows us to find ∆ .Using Eq. ( 26) we can calculate the inner product of these states to be where j, j ∈ {0, 1} and β, β ∈ {X, Y }.
Using the same definition for the secret key rate given by Eq. ( 3), below we compare both security approaches for the same device model as a function of the device parameters.

C. Results and discussion
In this section, we present the results obtained for the secret key generation rate R as a function of the distance, for different values of δ, θ jβ and µ which correspond to the SPFs, non-qubit assumption and THA respectively.In our simulations, we consider the experimental parameters given in Table I.Moreover, we assume for simplicity that in the loss-tolerant protocol and in the Lo-Preskill's analysis P Z A = 2 3 and P Z B = 1 2 .This selection of probabilities might not be ideal but it is sufficient for the purpose of the simulation.By using the channel model described in Appendix D, we find that 2 )pd + η where η is the overall transmission efficiency of the channel and the detectors (see Appendix D for more details).The bit error rate is then given by e 1. Generalised loss-tolerant protocol In order to evaluate how the different imperfections of the source affect the key generation rate we analyse each of them separately.Furthermore, we consider both the cases when the mode dependency parameter θ jβ , which is associated with the non-qubit assumption, is independent and dependent on Alice's bit and basis choice.When it is independent (i.e., when θ jβ = θ), Eqs. ( 26) and ( 27) are simplified and become, respectively and Using these equations, and following the method described in Section III, we estimate the phase error rate.When the mode dependency parameter is setting dependent, we use Eqs.( 26) and ( 27) with θ jβ , for jβ ∈ {0Z, 1Z, 0X}.To the best of our knowledge, this parameter has not yet been quantified experimentally.Therefore, for the simulations, we choose the angles θ jβ to be: θ 0Z = 0, θ 1Z = π θ and θ 0X = π 2 θ for a certain angle θ.This choice comes from Alice's encoding of the different states, which means that θ jβ is associated with the prepared state |ω jβ B .The results are shown in Fig. 2.
In Fig. 2(a), we consider four values of δ: 0, 0.063, 0.126 and 0.188 which correspond to the angles 0 • , 3.62 • ,7.24 • and 10.86 • respectively [31].This figure demonstrates that even if δ increases the key rate stays approximately the same, which means that Eve cannot enhance the flaws of the signals by exploiting channel loss.This is one main advantage of the loss-tolerant protocol [17].
We consider the case when θ is independent of Alice's encoding in Fig. 2(b).The perfect scenario, i.e, when θ = 0, implies that the signals prepared by Alice are in the single horizontal mode H, as seen in Eq. (33).If θ increases, the fraction of vertical polarisation also increases and the states sent becomes progressively more imperfect and vulnerable to a possible attack.For instance, these states form a three dimensional Hilbert space hence, Eve can perform an unambiguous state discrimination (USD) attack [36,37], in which she sends the identified state to Bob only when the USD measurement succeeds.This results in a decrease of the secret key rate as shown in Fig. 2(b).Additionally, our results show that as long as θ is sufficiently small (for the experimental parameters considered this means θ 10 −7 ) the effect on the secret key rate is negligible, since it is approximately the same as when θ = 0.It is important to note, however, that because we are assuming a setting independent θ we have the freedom to choose a good polarisation mode.For instance, instead of the definition used above we could have called cos θ |ω jZ HB + sin θ |ω jZ V B our mode if Alice had identified θ exactly, and regard it as the single-mode qubit, in turn affecting the results shown in Fig. 2(b).This means that Eve would be unable to exploit this flaw and obtain information about the key, and hence the secret key rate would be unaffected.This scenario would be equivalent to θ = 0 and it is not the one considered in Fig. 2(b).
For the setting dependent parameter θ jβ , we obtain a slightly lower key rate as expected, since this scenario provides more information about Alice's encoding to a possible eavesdropper.The reason for this difference lies in the orthogonality of the states, which increases when we have a setting dependent θ jβ .Note that, in this case Alice and Bob are no longer able to generate a key when θ ≥ 10 −2 .The key generation rate decreases even further due to passive information leakage, in particular, θ 10 −2 no longer provides a positive key generation rate.(d) As the intensity µ increases Eve obtains more information about the key causing the key rate to decrease.Finally, Fig. 2(d) shows how the THA affects the generalised loss-tolerant protocol, where µ quantifies the intensity of Eve's back reflected light.An increase in µ results in a lower secret key rate since Eve acquires more information about Alice's encoding thus compromising the security of the system.Furthermore, no key can be obtained around µ 10 −4 .By comparing Figs.2(b) and 2(d), it can be seen that there is a relationship between µ and θ.In particular, the resulting secret key rate coincides when µ ∼ θ 2 .For example, the key rate is the same when µ = 10 −6 and when θ = 10 −3 .This relationship can also be obtained analytically from the coefficient of the first term in Eq. (33), by using approximations to the series expansion of cos θ and e −µ .

Comparison between the generalised loss-tolerant protocol and the Lo-Preskill's analysis
In a similar manner, we can evaluate how the secret key generation rate R depends on the device parameters for the Lo-Preskill's analysis.The results and discussion are in Appendix C. Below we compare both security proofs and identify which one provides a better R depending on the experimental set-up.This way an experimentalist can choose which method to use for known device parameters, and ensure the security of the generated key between Alice and Bob.Since the range of the experimental parameters greatly depend on the devices being used, we select the SPFs to be either δ = 0.063 or δ = 0.126 [31], and for the mode dependency we choose θ = 10 −3 and θ = 10 −5 .In this comparison we use the setting dependent mode dependency parameter since it corresponds to a more realistic scenario.Finally, for the intensity of Eve's back reflected light during the THA we use µ = 10 −10 , µ = 10 −7 and µ = 10 −4 [21].The results are shown in Fig. 3.  3(d), we can see how an increase in the parameter δ, which is associated with SPFs, affects both protocols.For the generalised loss-tolerant protocol (LT) the key rate stays approximately the same as expected, since this method is loss tolerant to SPFs.On the other hand, the Lo-Preskill's analysis (LP) is greatly influenced by SPFs (see also Fig. 7 in Appendix C).The reason for this disparity is that in LP it is assumed the worst case scenario, in which Eve can enhance the basis dependence of the signals by exploiting the channel loss.However, in LT no such assumption is required hence the performance is maintained.This means that LT will typically outperform LP in the presence of high SPFs.
To compare LT LP as a function of the setting dependent θ jβ we can contrast Figs.3(a) and 3(b), or Figs.3(c) and 3(d).The graphs show clear differences due to decreasing the value of θ, especially for the LT case.In Fig. 3(a) LP reaches a longer distance for any value of µ, but when θ = 10 −5 LT gets better, particularly for µ = 10 −10 and µ = 10 −7 as seen in Fig. 3(b).Furthermore, Fig. 3(a) shows that even when there are SPFs, LP can still do better than LT if the states sent are far from the idealised qubit.This is because the non-qubit assumption negatively affects more LT than LP (see Figs. 2(c) and 7(c)).
When we compare the values of µ for the LT and LP we can see a similar trend in the secret key rate for all graphs in Fig. 3. Namely, the difference between the curves when µ = 10 −10 (blue) and µ = 10 −4 (yellow) is much larger for LT than for LP, which means that the THA is worse for the LT.However, µ is a parameter that can be easily controlled experimentally by introducing passive countermeasures, such as optical isolators [21].This means that the LT method may be a better alternative for most of the scenarios when these three imperfections are present, since it outperforms the LP for low µ in Figs.3(b), 3(c) and 3(d).
As explained above, the non-qubit assumption and the THA affect more the LT than the LP analysis.This might be because our generalisation of the loss-tolerant protocol is overestimating Eve.When we calculate the bounds for the yields we obtain that the eigenvalues λ max and λ min depend on the state preparation.However, this is probably too pessimistic because there might be some additional constraints among them, since the space spanned by the states associated to 0Z and 1Z, respectively, is not orthogonal to the one spanned by the virtual states associated to 0X vir and 1X vir .This means that these separate optimisations should not be possible in practise because Eve cannot achieve optimal values for all λs.In other words, by improving our characterisation of the states we can improve the performance of the generalised loss-tolerant protocol.This is however beyond the scope of this paper and we leave it for future work.
In order to further investigate the differences between the two methods, we determine the parameter regimes where their performance is identical.First, by setting θ = 10 −6 , we can identify which values of δ and µ provide the same key generation rate R for LT and LP.The results are presented in Fig. 4(a), where the diagram clearly shows which protocol performs better given a certain δ and µ: above the fitted curve, the LT provides a better performance but below the curve LP is the preferable method.In other words, as the SPFs increase the LT is superior but, as µ increases LP becomes more suitable.FIG.4: The fitted line corresponds to those experimental parameters that result in the same key generation rate R for both methods, the generalised loss-tolerant protocol and the Lo-Preskill's analysis.Above the line, the generalised loss-tolerant protocol performs better and below the line, the Lo-Preskill's analysis is the preferred method.The data points were fitted using a shape-preserving interpolant in Matlab.(a) Plot of δ against µ for θ = 10 −6 .(b) Plot of δ against θ for µ = 10 −6 .
Similar results are obtained when µ = 10 −6 .This case is particularly useful since in principle we can control the value of µ experimentally by the amount of isolation we use in our devices.Again, as SPFs increase the LT becomes better, giving a better estimation of the phase error rate and a better secret key generation rate.

V. CONCLUSION
Typical security proofs ignore many imperfections of experimental devices thus hindering the security claim of quantum key distribution (QKD).In work, we have generalised the loss-tolerant QKD protocol to accommodate general imperfections.In particular, our formalism is valid for a general device model with, for instance, state preparation flaws (SPFs), mode dependency and Trojan horse attacks (THAs), which result in passive and active information leakage to an eavesdropper.Using this multi-mode scenario, we have shown that the qubit assumption can be removed from the loss-tolerant protocol without compromising the security of the QKD scheme.
In order to compare our generalised loss-tolerant protocol with other security proofs we have applied the Lo-Preskill's analysis [25] to the same device model.In so doing, we have identified which approach delivers a higher secret key rate as a function of the experimental parameters.For example, the results obtained show that Lo-Preskill's method performs better under the non-qubit assumption and the THA but the generalised loss-tolerant protocol is better when there are SPFs.Since THAs can be controlled using passive countermeasures, such as optical isolators, we have shown that the generalised loss-tolerant protocol seems to be the preferable method when these three imperfections are present simultaneously.This way, our work can be used as a guideline to improve current experimental implementations in which multi-mode QKD is unavoidable.
FIG. 5: The logical schematics for the virtual protocol, where the notation X A /Z A , X B /Z B corresponds to Alice's and Bob's measurements bases respectively.The virtual states correspond to c = 1, 2, the actual Z states to c = 3, 4, and the actual X states to c = 5.For each click event, Alice measures system S and Bob measures system BE.
Note that, the selection of c = 1, 2, 3, 4 already includes Bob's measurement in the X basis, but when c = 5 his measurement basis is chosen probabilistically.
In the virtual protocol, we require that Alice and Bob postpone their measurements until the quantum communication ends, therefore, we assume that Alice and Bob possess quantum memories where they can store their systems.The reason for this deferral comes from the application of Azuma's inequality, which is explained later.In the case of Alice, she only makes her measurement after the termination condition, in Step 5.This is allowed because it does not matter when she performs the measurement since it commutes with Eve's operations and hence it will not affect Alice's statistics.For Bob, we divide his measurement in two steps: a QND measurement, which allows him to know when a detected event occurred, and a measurement to output the bit value with the chosen basis.If the QND measurement results in a detected instance, Bob performs the measurement using the Z or X basis.We are able to delay Bob's measurement choice because the inconclusive outcomes are assumed to be independent of the basis, as explained in Section II.The key point in the virtual protocol is as follows: the security of the events when Alice sends the actual Z basis states and Bob obtains a detected event in the actual protocol with the Z basis, can be analysed by imagining that Alice and Bob both employ the X basis to measure respectively the systems A 2 and BE.This means that when Alice sends a virtual state (c = 1, 2) Bob's measurement basis is always the X basis.
It is clear that the virtual protocol described here is equivalent to the actual protocol in Section II.This is so because the quantum states sent by Alice are the same in both protocols as well as the announcements made by the two parties.For instance, when Alice sends the virtual states they both measure in the X basis but they announce the Z basis (Step 5).In the actual protocol, these events are used for key generation and therefore Alice and Bob also announce the Z basis.This means that the protocols are indistinguishable from Eve's perspective as required.Note that, the virtual protocol does not produce a key, it is merely used for the estimation of the phase error rate.

Azuma's inequality and its application to the security proof
In coherent attacks, Eve interacts with all the signals sent by Alice followed by a joint measurement after listening to all the classical information exchanged between Alice and Bob.In this scenario we use Azuma's inequality [28] which takes into account this dependency, and allows us to derive a relation between the expected values and the where P (X ∩ c) = P (c) for c = 1, 2, 3, 4 and P (X ∩ c) = P (c)P (X B ) for c = 5.In this expression, t,BE|O k−1 represents Eve's action as well as Bob's measurement.This is independent of c, which means that Eve cannot behave differently depending of the state sent.Importantly, the probability P csX|O l−1 essentially corresponds to the actual yields Y sX,jβ in the main text when c = 3, 4, 5.Note that the yields in this Appendix are normalised by the detected events while those in the main text are not.In the finite key size regime, the normalisation according to the detected events results in a better performance, however, in the limit of large number of pulses, they are essentially the same.As we consider this limit throughout this paper, in the main text we adopt the yields that are not normalised by the detected events for simplicity of explanation.We know Λ 3sX , Λ 4sX and Λ 5sX by collecting the corresponding number of events from the actual protocol.Therefore using Azuma's inequality, i.e., Eq. (A13), we can calculate the conditional probabilities which correspond to the yields sX,1Z and Y (X) sX,0X respectively.From Section III, we know how these yields are related to the transmission rates, and in turn, how these are related to the virtual yields Y (Z)vir 1X,0Z and Y (Z)vir 0X,1Z .Here, we would like to emphasise that using Eq. ( 17) we can calculate these yields, which correspond to the probabilities P 11X|O l−1 and P 20X|O l−1 respectively, both of which are conditional on the previous measurement outcomes.Using Azuma's inequality again, we can find the number of number of events, Λ 1sX and Λ 2sX , which are the number of phase errors, and this concludes the estimation of the phase error rate.
These states contain Eve's system E since we are considering a potential THA, and the states |Φ jβ for j ∈ {0, 1} and β ∈ {Z, X} are defined in Eq. ( 1).If the state preparation is perfect and the source is completely isolated there is no passive or active leakage of information, which is the case when δ = θ jβ = µ = 0.This means that these states are basis independent, i.e., |Υ Z ABE = |Υ X ABE .When the state preparation is not perfect (at least one of the quantities δ, θ jβ , µ is greater than zero), the states |Υ Z ABE and |Υ X ABE are close to each other but not equal hence, some information related with the basis choice could be leaked from the source.This means that Eve might be able to distinguish the states emitted when the Z basis is chosen from the ones when the X basis is chosen.This basis-dependency can be quantified by considering an equivalent virtual protocol that evaluates the "balance" of a "quantum coin" [16].To investigate this, we consider that Alice prepares the state where C corresponds to the quantum coin.She performs a measurement on the coin with the basis {|0 Z , |1 Z } to determine the encoding of the signal.From Koashi's approach [30,40], we can find the phase errors using the complementary scenario, by applying the "Bloch sphere bound" [41] to the quantum coin.For this, we consider switching the measurement basis (to measure with the X basis instead of the Z basis) on the quantum coin, thus it is useful to write Eq.(C3) as For characterising how close these states are, we employ the probability ∆ associated with finding the state |1 X C and the outcome X = 1.This can be expressed as where Υ Z |Υ X * ABE is the complex conjugate of Υ Z |Υ X ABE .These overlaps can be calculated to obtain ∆, which quantifies the basis dependence of Alice's states.If there are no imperfections, the inner product Υ Z |Υ X ABE = Υ Z |Υ X * ABE = 1 and therefore the coin imbalance is ∆ = 0. Note that, this justifies our choices of states in Eqs.(C1) and (C2).Similarly, when they are completely orthogonal to each other the inner products are zero and ∆ = 1  2 .This means that, the closer these states are to each other, the smaller is the coin imbalance ∆ and therefore, less information is leaked to Eve.
In a QKD scheme, not all the signals sent from the source are detected due to channel loss.Therefore, Eve might take advantage of this flaw by blocking certain signals that are not favourable to her without being detected, enhancing the basis dependence of the signals.To take this into consideration, the Lo-Preskill's analysis assumes the worst case scenario, where it maximises the imbalance of the coin, or in other words, maximises the leakage of information to Eve.This means that it assumes that all the signals that do not produce a click on Bob's side are associated with the outcome X = 0 when measuring the quantum coin.The accommodation of this worst case scenario is reflected by considering an enhancement probability of ∆ such that: ∆ where Y Z (Y X ) is the single photon yield in the Z (X) basis [21].
In order to find the secret key rate R we need to estimate the phase error rate e X , which corresponds to what the bit error rate would have been if Alice and Bob had measured their states in the X basis when the entangled state prepared is |Υ Z ABE .In the Lo-Preskill's analysis, e X cannot be calculated directly from the channel model but using e Z and the coin imbalance ∆ the phase error rate can be estimated to be [25] e (C6) In the ideal scenario, when the states |Υ Z ABE and |Υ X ABE are close to each other, ∆ is very small and e X ≈ e Z .By substituting Eq. (C6) into Eq.( 3) and using the same definition for e Z as in Eq. ( 32) we are able to calculate R. 6. Measurement and basis announcement: For the detected events, Alice measures the quantum coin with the Z C basis or the X C basis, chosen with probabilities P Z C and P X C = 1 − P Z C respectively.Then, she announces the chosen basis.If Z C is selected she also announces the measurement outcome (the Z or the X basis), however, she always measures system A with the X basis.As for Bob, if C = 0 (1) in Step 2 he announces the same (opposite) basis that was announced by Alice, however, he always measures his system with the X basis.
7. Sifting and announcement: Alice and Bob announce the bit string in the X basis, which corresponds to the events when C = 0 and Z C = 1.

Bob flips coin C'
QND FIG.6: The logical schematics for the virtual protocol.It is the use of a second coin that allows us to pre-select only the matched events.When Alice selects the Z basis to measure the coin C she prepares the state |Υ Z or |Υ X , but in the virtual protocol she always measures in the X basis.
In this virtual protocol, Alice's and Bob's measurements are postponed because it is useful to clearly define the outcomes of each run of the protocol.Note that, in Step 6 Alice employs the X basis for the measurement, and this is required for the estimation of the phase error rate.It can be seen that the classical and quantum information available to Eve is the same in both the actual and virtual protocols, and also the key generated is identical therefore, the virtual protocol can be used to prove the security of the QKD scheme.

Simulation of the key rate for the Lo-Preskill's analysis with imperfectly characterised states
In this section, we evaluate Lo-Preskill's analysis for the particular device model described in Section IV.Since it considers the BB84 protocol [35], Alice sends Bob the three states in Eq. ( 2) and another state in the X basis, which we assume to be In order to estimate the phase error rate we use the coin imbalance ∆ , Eq. ( 31) and Eq.(C6).To calculate the secret key rate R we use Eq. ( 3), where the yield of single photons in the Z basis is Y Z = P Z A P Z B 4(1 − η 2 )pd + η for overall transmission efficiency η and the bit error rate is defined in Eq. (32).For simplicity, we assume the probabilities P Z C → 1, P Z A = 2 3 and P Z B = 1 2 and for fair comparisons, we use the same channel model used to evaluate the generalised loss-tolerant protocol (see Appendix D) and the experimental parameters in Table I.As before, we analyse each of the different source imperfections separately to evaluate how they affect the key generation rate.These are: SPFs parameterised by δ, the phase modulation deviation; the non-qubit assumption where θ jβ is the mode dependency; and a THA which depends on the intensity of the back-refelcted light µ.The results are shown below.In Fig. 7(a) we can see how δ dramatically affects the secret key rate R as it increases.Moreover, when δ = 0.188 no secret key can be obtained between Alice and Bob.The explanation for this lies in the fact that Lo-Preskill's method assumes the worst case scenario, namely, the detected signals are chosen to maximise the imbalance of the coin.This assumption is required since not all signals emitted by Alice are detected, thus Eve can exploit these losses to enhance the basis dependence of the detected signals without being exposed.These results contrast with our generalised loss-tolerant protocol, as shown in Fig. 2(a), where R remains almost the same independently of δ.Fig. 7(b) evaluates the setting independent θ, that is, when θ is independent of Alice's encoding.As θ increases the key rate is approximately the same but for values of θ 10 −4 it starts to decrease.However, when we compare it with Fig. 2(b) we see that it decreases slower than in the generalised loss-tolerant protocol.
When we consider a setting dependent θ jβ instead, the R deteriorates even further, as shown in Fig. 7(c).This result is expected since Eve is now able to better distinguish the states sent by Alice.Note that we can still generate a key when θ = 10 −2 , in contrast with the generalised loss-tolerant protocol, as shown in Fig. 2(c).
Finally, in Fig. 7(d) we can see how the THA affects the secret key rate.An increase in µ results in a lower R but, it decreases at a slower rate when compared with the generalised loss-tolerant protocol in Fig. 2(d).As observed, no key can be obtained around µ 10 −3 and the secret key rate is roughly the same for values of µ 10 −8 .
From these results we can conclude that the Lo-Preskill's analysis is highly affected by SPF but it is slightly more resistant to the non-qubit assumption and THA when compared to the generalised loss-tolerant protocol.In order to see this comparison more clearly we refer the reader back to Section IV.

Appendix D: Channel model
The three states sent by Alice in Eq. ( 2) can be expressed in terms of creation operators as follows where â † r and â † s are creation operators for a photon in the reference and signal pulses respectively.Using these states, we can simulate the QKD protocol as shown in Fig. (1).We assume that the detectors D0 and D1 have the same detection efficiency and that the dark counts pd are independent of the incoming signals.The overall transmission efficiency of the system can be expressed as η = η channel η detector , where η channel = 10 −αl/10 , α in dB/Km is the fiber loss coefficient and l is transmission distance in Km.Note that, only half of the pulses interfere in Bob's lab.Furthermore, we do not assume misalignment in the channel.For simplicity, the non-qubit assumption and the THA are not included in this model because we assume that they are not affected by the channel.By neglecting the terms associated with pd

FIG. 1 :
FIG.1:Each phase-randomised weak coherent pulse emitted by Alice's laser goes through a 50:50 beamsplitter (BS) and is decomposed into the reference and the signal pulses.The reference pulse travels through the longer arm of Alice's Mach-Zehnder interferometer.To perform the encoding, she uses a PM that applies a phase shift to the signal pulse.The two pulses are recombined at the second 50:50 BS, sent through the quantum channel and then received in Bob's lab.On reception, they are split by a 50:50 BS and Bob applies a phase shift on the reference and signal pulses in the upper arm of his Mach-Zehnder interferometer.These pulses then interfere with the pulses that travelled through the shorter arm of the interferometer at the second 50:50 BS. Bob can then detect click events corresponding to photons choosing the shortest arm in Alice's interferometer and the longest one in Bob's, and to the opposite, by using two detectors, D0 and D1, which correspond to obtaining bit value 0 and 1 respectively.

FIG. 2 :
FIG.2: Asymptotic secret key rate R versus distance for the generalised loss-tolerant protocol for various values of δ, θ jβ and µ.When we change the value of one of these parameters the others are kept constant and set to zero, which allows us to observe how each parameter affects the secret key rate.(a) Even if the parameter δ that characterises the SPFs increases, R stays almost the same.(b) Setting independent θ: As θ gets larger, the further away we are from the qubit scenario, hence R decreases.(c) Setting dependent θ jβ : The key generation rate decreases even further due to passive information leakage, in particular, θ 10 −2 no longer provides a positive key generation rate.(d) As the intensity µ increases Eve obtains more information about the key causing the key rate to decrease.

FIG. 3 :
FIG. 3:Secret key rate R versus distance for the generalised loss-tolerant protocol (LT) and Lo-Preskill (LP) analysis.The blue and red lines are superimposed in some of the graphs.(a) The Lo-Preskill's protocol performs sightly better in this scenario because the SPFs are small but θ is high.(b) For a smaller θ, the loss-tolerant analysis is better when µ = 10 −10 or µ = 10 −7 .(c) The generalised loss-tolerant protocol performs better when δ is larger even if θ is high.(d) For large δ and small θ, the generalised loss-tolerant clearly surpasses the Lo-Preskill's analysis when µ = 10 −10 or µ = 10 −7 .

5 .
Detection announcement: If N = N f ixed , Bob announces the termination of the quantum communication phase and the detection pattern.Otherwise Alice and Bob return to Step 2 of the protocol.

FIG. 7 :
FIG. 7: Asymptotic secret key rate R against distance, for different values of δ, dependent and independent θ, and µ, using the Lo-Preskill's analysis with imperfectly characterised states.(a) As the SPF δ increases, R decreases rapidly and when δ = 0.188 no secret key can be generated.(b) As the setting independent θ gets larger, the component of vertical polarisation increases and R decreases.(c) When θ jβ is setting dependent the key rate R decreases even further.(d) As the intensity of Eve's back-reflected light µ increases, more information is leaked causing R to decrease.
1, and |e E (|e jβ E ) represents (represent) the setting independent (dependent) state (states) on Alice's bit and basis choice, where we assume that e|e jβ E = 0.That is, the state |e E (|e jβ E ) provides Eve with no (some) information about Alice's bit and basis values each given time.Therefore, our model for the THA can be parameterised by only two parameters, C I and C D , and no further detailed information is needed to apply our analysis.For instance, when we increase isolation on Alice's sending device, the independent component increases and Eve obtains less information about the states being sent.Moreover, in the absence of further information about the states |e jβ E , we assume the worst case scenario where these states are orthogonal to each other, i.e., e jβ |e j β E = 0 for any (j, β) = (j , β ).Clearly, if Alice and Bob know the states |e jβ E , this information can be trivially included in the formalism below.If |ξ jβ E is say, for instance, a coherent state, |e E is the vacuum state (i.e., |e E

TABLE I
: Experimental parameters considered in the simulations.η detector is the detection efficiency of Bob's detections, which for simplicity we assume is the same for all detectors.
2, the results obtained are