Tight finite-key analysis for quantum key distribution without monitoring signal disturbance

Unlike traditional communication, quantum key distribution (QKD) can reach unconditional security and thus attracts intensive studies. Among all existing QKD protocols, round-robin-differential-phase-shift (RRDPS) protocol can be running without monitoring signal disturbance, which significantly simplifies its flow and improves its tolerance of error rate. Although several security proofs of RRDPS have been given, a tight finite-key analysis with a practical phase-randomized source is still missing. In this paper, we propose an improved security proof of RRDPS against the most general coherent attack based on the entropic uncertainty relation. What’s more, with the help of Azuma’s inequality, our proof can tackle finite-key effects primely. The proposed finite-key analysis keeps the advantages of phase randomization source and indicates experimentally acceptable numbers of pulses are sufficient to approach the asymptotical bound closely. The results shed light on practical QKD without monitoring signal disturbance.


INTRODUCTION
As the maturest field of quantum information sciences, quantum key distribution (QKD) 1 is well-known for its information-theoretic security.In QKD, the law of quantum mechanics enables communicators to upper bound the potential information leakage to the eavesdropper (Eve).Since the BB84 1 protocol was proposed, more and more QKD protocols sprang up, such as device-independent (DI) 2 protocol, measurement-deviceindependent (MDI) 3 protocol and twin-field (TF) 4 protocol.In most of these protocols, estimating Eve's information is dependent on monitoring signal disturbance, e.g., information leakage in BB84 is a function of the error rate of sifted key bits.However, in 2014, Toshihiko Sasaki et al. proposed an exceptional protocol, named round-robin-differential-phase-shift (RRDPS) 5 , which can upper bound Eve's information without using any parameter of signal disturbance.After that, the verification of RRDPS has been completed in several experiments [6][7][8][9] .
In RRDPS, Alice firstly prepares an n-photon L-pulse train as a packet and encodes key bit 0(1) on every pulse by modulating phase 0(π), while these phase information are recorded in Alice's register.Then Alice sends the train to Bob through a quantum channel.Once Bob receives the train which is assumed to be a single-photon quantum state, his local quantum random number generator (QRNG) generates an integer r ∈ [1, L − 1].Bob interferes the a-th and b-th (b = a + r ≤ L) pulses in the train to decode his sifted key bit 0(1) corresponding to phase shift 0(π).After that, Bob announces (a, b) and Alice does xor on key bits on a-th and bth pulses to get her sifted key bit.In ref. 5 , Sasaki et al. proved Eve's information on sifted key bit is no larger than H 2 ð n LÀ1 Þ, where H 2 is the Shannon entropy H 2 ðxÞ :¼ Àxlog x À ð1 À xÞlog ð1 À xÞ.And we subscribe that log represents log 2 .It's clear that RRDPS protocol has a high error rate tolerance and doesn't need to monitor bit error rate to estimate information leakage.
Although ref. 5 has beautiful results, the bound for Eve's information is not tight.In 2018, Yin et al. put forward a phaserandomized method to improve it by constructing the optimal collective attack model 10 .Until now, their work has kept the highest secure key rate among all related works.However, their results cannot be directly used in finite-key cases because the collective attack is not equivalent to the most general coherent attack in finite-key cases.In order to remove this restriction, Liu et al. applied the post-selection technique 11 to the results of ref. 10 , then completed finite-key analysis 12 .Unfortunately, the results showed that RRDPS needed too many pulses to obtain satisfactory performance.Therefore, finite-key analysis for RRDPS is still an open issue.
RRDPS protocol will never be considered into practice until finding a proper method to reduce finite-size effects and minimize the number of emitted pulses as far as possible.Here we give a tight finite-key analysis for RRDPS with widely used phaserandomized weak coherent source.The essential idea is observing that the randomized phases of each pulse of the train lead the composite system of Alice, Bob and Eve into becoming a mixture state, in which different components may have different information leakage.Next one can apply the entropic uncertainty relation 13 to estimate phase error rates and min-entropies for each mixture components.Moreover, by introducing Azuma's inequality 14 , the effects of coherent attacks are well-considered.Note that the entropic uncertainty relation has been applied to BB84 15 , MDI 16 and even TF 17 protocol, although not to RRDPS yet, our analysis shows that it's doubtlessly feasible to use this technique in RRDPS.Numerical simulations fully demonstrate that our theoretical model is almost the optimal solution of the finitekey RRDPS with phase-randomized weak coherent source: experimentally acceptable amounts of pulses can help RRDPS behave closely to the asymptotic bounds given in ref. 10 .

Definition of protocol
The flow of actual RRDPS protocol has been given in ref. 5 .On the other hand, it's pointed out in ref. 5 that the security of RRDPS protocol is essentially regarded as a virtual protocol.Specifically, since the security proof can be reduced to how to bound Eve's potential information on Alice's key bits, one can just consider the virtual protocol 1 given as below.
Step. 1 Alice prepares Ψ j i B , which is the state of L-pulse train as a packet containing n-photon.Meanwhile, Alice prepares local , where ni :¼ ây i âi is the photon number operator for the i-th pulse in Ψ j i B , and then emits B to Bob via an unreliable quantum channel.The first step will be repeated for N em times.
Step. 2 For each B of N em emissions from Alice, Bob receives an L-pulse train (or a packet) B and measures its photon number.Bob just retains the trial that there is only one photon in the train.For each of the retained trials, Bob measures which pulse in the train the single-photon is in.Assuming the single-photon is in the a-th pulse, Bob generates another random number b ∈ [1, L] and b ≠ a, then announces (a, b) and the index of this trial through an authenticated classical channel.One may note that in the actual protocol, Bob measures the phase shift between two pulses through a variable-delay interferometer to obtain his sifted key bit.Anyway, the actual protocol is equivalent to the virtual one in the sense of security proof.
Step. 3 Given (a, b) for each of the retained trials, Alice applies a controlled-NOT operation to the corresponding local qubits A a and A b , where the former is the control qubit and the latter is the target qubit.Then Alice measures A a with Z-basis to obtain the sifted key bit for each trial.We denote e Z as the bit string of the sifted key bits from N retained trials and j e Zj ¼ N.
Step. 4 Alice and Bob evaluate some parameters used in privacy amplification, e.g., Eve's smooth min-entropy on e Z, which is essential for the security proof.Note that the results calculated here can be directly applied in the actual protocol to perform a post-processing step of sifted key bits and generate the final secret key.
Note that in the actual RRDPS protocol, Alice measures each of þ j i A1 þ j i A2 ::: þ j i AL with Z-basis at the very beginning of the protocol, and does not perform the controlled-NOT operation.Based on this observation, it's easy to see that the Step. 3 can be replaced by the Step. 3 0 , say Step. 3 0 Given (a, b) for each trial of the retained trials, Alice applies a controlled-NOT operation to the corresponding local qubits A a and A b , where the former is the target qubit and the latter is the control qubit.Then Alice measures A a with Z-basis to obtain the sifted key bit for each trial.We denote e Z as the bit string of the sifted key bits from N retained trials and j e Zj ¼ N. We name the virtual protocol 1 with Step. 3 0 instead of Step. 3 as virtual protocol 2. As a matter of fact, the virtual protocols 1 and 2 generates same sifted key bits, and Eve cannot distinguish Alice is performing virtual protocol 1 or virtual protocol 2. Therefore, from the view of security proof, the smooth min-entropy of the actual protocol can be lower bounded by the larger one of minentropies calculated in virtual protocols 1 and 2. This consideration is the first reason that our analysis can converge to the optimal key rate given in ref. 10 .In the following, we sketch how to estimate these smooth min-entropies.
The bound for smooth min-entropy Calculating the smooth min-entropies is a complicated problem, especially when the photon-number of Ψ j i B is large.For the ease of understanding, we only sketch the single-photon case here, while one can refer to Supplementary Note 7: General n photon-number case for the detailed proof for general cases.In singlephoton case, we have Ψ j i B ¼ P L i¼1 i j i B where i j i B represents the single-photon is in the i-th pulse.Then the encoding state in step. 1 for each trial can be written in a simple form given by , only the i-th local qubit A i is in À j i state while all others are in þ j i state.Let's consider Eve launches a coherent attack for the N communication rounds, which results in a tripartite quantum state shared by Alice, Bob and Eve, i.e., Here, the superscripts denote the indices of the retained trials of step. 2 in virtual protocols.
local qubits for the first retained trial.Similarly, j 1 j 2 ::: means that in the first retained trial the single photon is in the j 1 -th pulse, in the second retained trial the single photon is in the j 2 -th pulse, and in the last retained trial the single photon is in the j N -th pulse.C i 1 j 1 i 2 j 2 :::i N j N is a complex number.
Since we are interested in the Alice and Bob's local states for the l-th retained trial, the quantum state Φ j i ABE can be rewritten as where e C l i l j l :¼ Moreover, assuming that Bob announces (a, b) in the l-th trial, we obtain the quantum state where P x j i f g :¼ x j i x h j.Note that e C l i l j l is a quantum system of A ≠l , B ≠l and E.Then, it's very clear that the first part means Eve may learn sifted key bit from this mixture component.
Conversely, the second part decoupled with Eve, which will result in perfect secret key evidently.We call the former coupled case and the latter decoupled case, whose probabilities are To analyze the smooth min-entropy in the coupled case, we refer to the entropic uncertainty relation 13,15,18 .Indeed, a so-called phase error rate e ph can be used to characterize the smooth minentropy.In ref. 5 , e ph is defined as the probability of finding A b in À j i. Differently, we define P l a to be the probability of finding A l a in À j i and P l b the probability of finding A l b in À j i, just corresponding to the virtual protocols 1 and 2 respectively.Then it's straightfor- Above formulae of calculating P l deco , P l co , P l a and P l b are just for the l-th bit of e Z. On the other hand, the security proof needs to estimate the upper bound of smooth min-entropy of e Z.We resort to Azuma's inequality to complete estimation.The basic idea is to think of above cases as the flip of coins.Consider N coin tosses, and the results of the l-th coin maybe head or not, which is dependent on previous l − 1 tosses.We set a random variable X i ¼ h i À P i l¼1 p l , where p l is the probability of having a head in the l-th round, and h i is the number of heads.X 0 , X 1 , . . . is a martingale, and for two adjacent variables, X k À X kÀ1 j j 1; k 2 f1; 2; :::; ig.According to Azuma's inequality, for all N ≥ 0 and any α ≥ 0 we can get It's very similar between "coin cases" and our cases, which means in the l-th round, Alice's local qubits A a and A b in Step. 3 can be classified into decoupled cases or coupled cases, while coupled ones can be classified into with phase error and no phase error.For every kind of cases, we could construct a martingale, respectively, which justifies the application of Azuma's inequality.The same logic can be seen in ref. 19 .Among the N bits sifted key e Z, we denote N deco (N co ) as the bit number of decoupled(coupled) sifted key e Z deco ( e Z co ), and e ph as the phase error rate of the N co bits coupled key e Z co .According to Azuma's inequality, for all N ≥ 0 we can find holds with probability at least 1 À 2ϵ N deco .Similarly, and hold with probabilities at least 1 À 2ϵ N co and 1 À 2ϵ e ph co , respectively.Note that, P l :¼ minfP l a ; P l b g.We further set Then these inequalities could be rewritten by where the smooth parameters satisfy e ph co þ ϵ 0 0 and ϵ deco = 0. Finally, the smooth min-entropy H ϵ min ð e ZjEÞ depends on N co and e ph , which are further decided by parameters c 1 and c 2 .This means that we can optimize these parameters to obtain the maximum of H ϵ min ð e ZjEÞ.Basically, the derivations of H ϵ min ð e ZjEÞ for n-photon case is following the same manner and detailed in Supplementary Note 7: General n photon-number case.In short, ρ ABE is a mixture of decoupled component and n different types of coupled components, which implies H ϵ min ð e ZjEÞ is characterized by the bits of decoupled key N deco , the bits of the i-th type of coupled key N coi and its corresponding phase error rate e phi , 1 ≤ i ≤ n.

Secret key rate
We have obtained the smooth min-entropy in n photon-number case.However, it's more complex in actual QKD system with phase-randomized weak coherent source, which makes Ψ j i B to be a mixture of Fock states with Poisson distribution.Similarly, with the idea in ref. 5 , we set a threshold value of photon-number as v th and classified e Z into Z n v th and Z n > v th , where Z n > v th (Z n v th ) represents the sifted key bits generated by Ψ j i B of photonnumber (no) larger than v th .Without compromising the security, Eve's smooth min-entropy of Z n > v th is treated as 0, while each of Z n v th is regarded as the v th photon-number case, whose smooth min-entropy can be solved by the results in the last section.
Accordingly, we present the secret key length ℓ as where N n v th ¼ jZ n v th j. ξ refers to bit error correction efficiency, and e bit is the bit error rate.Besides, for simplicity, we have set all failure parameters to be the same e ϵ.See the Methods for a detailed derivation.Now we are going to evaluate the performance of RRDPS with a phase randomized weak coherent source in finite regions.We use Mathematica to simulate the final secret key rate per pulse marked as R = ℓ/LN em under different conditions.The detailed formula and the simulation parameters of R can be seen in Methods.
In Fig. 1, we show R versus channel loss at different number of pulses and L, while R versus N em with different L are shown in Fig. 2. The results show that to eliminate finite-key effects, pulse numbers less than 10 11 are sufficient for typical values of L.

DISCUSSION
From the results of simulations, we can see that the larger the value of L, the more emitted pulses needed.Despite all this, it's evident that our method makes R to be sufficiently close to the asymptotic bound when the number of emitted pulses is achievable in practical high speed QKD systems [20][21][22][23][24] .
The protocol most commonly used for comparison is decoystate [25][26][27] BB84 protocol.Evidently, if the optical misalignment is large, e.g., e mis ≥ 0.11, RRDPS with relevant L always has higher key rate.This is because BB84 can tolerant error rate e bit up to 0.11.Besides, RRDPS protocol does not require monitoring signal disturbance, which obviously reduces finite-size effects and simplifies the flow of post-processing.A comparison in finite-key region, especially when pulse number is particularly small, is more meaningful.Before comparison, one should note that Azuma's inequality is used in our proof which makes our proof applicable to arbitrary correlations and sifting 28,29 .Meanwhile, most of works on decoy-state BB84, typically the finite-key analysis in ref. 18 , assume independent random variables, and thus only applicable in non-iterative sifting 28,29 .Therefore, in some sense it's not fair to directly compare our results with decoy-state BB84 finite-key analyses.In order to solve this problem, we derive a corollary based on our general theory.Please see Supplementary Method: A corollary of an improved bound on phase error rate for details.This corollary gives a simple but improved (compared with ref. 5 ) bound on phase error rate e ph , i.e., e ph ≤ n/L.Then we can use Chernoff's inequality instead of Azuma's inequality to obtain a simple finite-key analysis just applicable for independent random variables and non-iterative sifting.With the same channel model and parameters, it's easy to verify that our method exhibits positive key rate when total number of pulses is 10 6.85 with L = 53, while decoy-state BB84 needs 10 7.44 pulses.Please see Fig. 3 for the complete curves.This implies the advantage of RRDPS over deocy-state BB84 when communication time is very short.
We note that there have been two important related works about finite-key analysis of RRDPS protocol.In ref. 30 , the security proof of RRDPS protocol is refined, but their results do not benefit from phase-randomized source thus cannot reach the asymptotic secret key rate given in ref. 10 .Besides, according to ref. 30 , they found that their key rate is lower than ref. 5 when pulse number is small.This implies that the key rate based on our corollary is higher than ref. 30 in cases of small pulse number-see Fig. 3.As for ref. 12 , it keeps the advantage of phase randomization, but the required number of pulses is too large to meet the practical systems.As far as we know, our results are optimal for RRDPS in finite-key region, which implies that QKD without monitoring signal disturbance can be realized in present QKD systems.Besides, from the view of security proofs, this is a try to apply the uncertainty relation and Azuma's inequality in high-dimensional QKD protocols.This may shed lights on the developments of techniques for security proofs.

METHODS Calculation for secret key rate
Our analysis is based on the universally composable security theory 31 .
In the frame of universally composable security, Alice can extract ℓ bits of the secret key using a random leftover hash function 32 or Trevisan's extractor 33 .The secret key length ℓ is Δ-secret 15 , where e Z denotes the sifted key bits, j e Zj ¼ N. E 0 is labelled as all information Eve knows about e Z during the protocol, i.e., Eve's quantum system E, error correction and verification codes announced by Alice.
To justify Δ 2ε þ ϵ, we can set Considering the bits announced for error correction and verification 31 , we have Fig. 2 Secret key rate R versus N em .The full lines show the secret key rate R versus N em for the RRDPS protocol when N em is finite.These lines from bottom to up with L = 8, 16, 32.The dashed lines represent the asymptotic results.The total security parameter of the final key is ϵ tot : = 10 −10 .The channel loss is fixed at 20 dB.Dark counts rate is d = 10 −6 per pulse, and the misalignment of measurement is e mis = 0.015.The efficiency of error correction ξ is 1.1.
Fig. 3 Comparison with other protocols.The full lines show the secret key rate versus total emitted pulses.The red curve represents the finite-key analysis of decoy-state BB84 protocol in ref. 18 .The yellow curve represents the original finite-key analysis of RRDPS protocol given in ref. 5 .The green curve represents the key rate based on our corollary.We set L = 53.The total security parameter of the final key is ϵ tot : = 10 −10 .The channel loss is fixed at 20dB, dark counts rate is d = 10 −6 per pulse, and the misalignment of measurement is e mis = 0.015.The efficiency of error correction ξ is 1.1.
Fig. 1 Secret key rate R versus channel loss.The full lines show the secret key rate R versus channel loss for the RRDPS protocol when N em is finite.From left to right, L is 3, 8, 16, 32, and the corresponding total emitted pulses are 2 × 10 9 , 10 10 , 4 × 10 10 , 6 × 10 10 , respectively.While the dashed lines represent the asymptotic results correspond to ref. 10 .The total security parameter of final key is ϵ tot : = 10 −10 .Dark counts rate is d = 10 −6 per pulse, and the misalignment of measurement is e mis = 0.015.The efficiency of error correction ξ is 1.1.
where ξ is the efficiency of error correction we have mentioned before and ϵ cor is the failure probability of error verification.Calculating H ε min ð e ZjEÞ is essential in our proof.Following a generalized chain rule for smooth min-entropy 34 Since Z deco is completely independent to other quantum systems including Eve's system E, H ϵdeco min ðZ deco jZ co1 Z co2 :::Z covth EÞ !jZ deco j :¼ N deco (17)   always holds with ϵ deco = 0.And the smooth parameter min ðZ coi jZ coother EÞ, we can refer to the uncertainty relation, namely, where Z coother ¼ Z coðiþ1Þ Z coðiþ2Þ :::Z covth , i ∈ [1, v th ], jZ coi j ¼ N coi , and e phi denotes the upper bound of phase error rate for Z coi , i.e., the chance of observing À j i with a hypothetical X-basis instead of Z-basis.Meanwhile, ϵ coi is equal to the probability that number of À j i is larger than N coi e phi .The next issue is how to calculate N deco , N coi and e phi .We prove that for an l-th retained trial (the event generating the l-th bit of Z n vth ), the probabilities of obtaining decoupled case, i-th coupled case and a corresponding phase error event, all of which can be given by some non-negative real numbers c i (i ∈ [1, v th + 1]) satisfying P vthþ1 i¼1 c i ¼ N n vth .We point out that the analysis method is similar to the single-photon case above, but more complex.The detailed proof is present in Supplementary Note 7: General n photon-number case.
Similarly, with the help of Azuma's inequality, one can bound N deco , N coi and e phi for the sifted key bit string Z n vth in terms of c i with some failure probabilities.Specifically, with probabilities at least 1 À 2ϵ To summarize the above analysis of H ε min ð e ZjEÞ, we have where N deco , N coi and e phi can be decided by Eqs. ( 19)- (21).The smooth parameters satisfy So far, we've completed the derivation of H ε min ð e ZjEÞ.By optimizing the parameters c i , the lower bound of H ε min ð e ZjEÞ can be found.In following, P vth i¼1 N coi H 2 ðe phi Þ represents its minimum value by optimizing c i under given smooth parameters.Substituting Eq. ( 22) to Eq. ( 14), we have where we have set all failure probabilities or smooth parameters in Eq. (22)  to be the same one e ϵ.Finally, we can get the secret key rate per pulse R :¼ We use empirical results , where μ represents the intensity per pulse of phase-randomized weak coherent source.The total security parameter 36 of final key is ϵ tot , Note that for a fixed ϵ tot , one should optimize v th to maximize R.
In the end, we further give the method used in the simulation.The channel efficiency is η = 10 −loss(dB)/10 .We assume that Bob's detectors have dark counts rate of d = 10 −6 per pulse, and there is a misalignment of measurement, that is e mis = 0.015.Set ξ to be 1.1, ϵ tot = 10 −10 .The observed yield Q and error rate e bit are assumed to be always equal to their asymptotic ones respectively, whose expressions can be found in ref. 10 .Then by optimizing the light intensity μ, the threshold photon-number v th and c i f g, one can calculate the R under a fixed security parameter ϵ tot .

i l a j 2 .
ward to obtain P l a ¼ P b j e C l aa j 2 P b P i l j e C l i l a j 2 , P l b ¼ P b j e C l ba j 2 P b P i l j e C l For ease of notations, we define variables x l 1 ¼ j e C l aa j 2 and x l 2 ¼ P b j e C l ba j 2 , which satisfy P b j e C l aa j 2 ¼ ðL À 1Þx l 1 and P b P i l ≠a;b j e C l i l a j 2 ¼ ðL À 2Þx l 2 .Here b ∈ {1, 2, . . ., L} and b ≠ a.Then,
min e pha ; e phb Nco r : (9) Now, we are ready to calculate Eve's smooth min-entropy H ϵ min ð e ZjEÞ.According to chain rules and entropic uncertainty relation, we have , we have H ε min ð e ZjEÞ !H ε min ðZ n vth Z n > vth jEÞ !H εn>v th min ðZ n > vth jZ n vth EÞ þ H no larger than v th , jZ n vth j ¼ N n vth , and Z n > vth represents the sifted key bits are generated by Ψ j i B of photon-number n larger than v th .For simplicity, we abbreviate ε n vth to ϵ, and then H εn v th min ðZ n vth jEÞ to H ϵ min ðZ n vth jEÞ.Besides, ε ¼ ϵ þ ε 0 .Right now, we are going to calculate H ϵ min ðZ n vth jEÞ.Without compromising security, it is assumed that all bits of Z n vth are generated by Ψ j i B of photon-number v th .As proved in Supplementary Note 7: General n photon-number case, Z n vth can be decomposed into decoupled bits Z deco and v th different types of coupled bits Z coi (i = 1, 2, . . ., v th ).Using v th times of chain rule, we have H ϵ min ðZ n vth jEÞ !H ϵdeco min ðZ deco Z co1 Z co2 :::Z covth jEÞ !H ϵdeco min ðZ deco jZ co1 Z co2 :::Z covth EÞ þ H ϵco1 min ðZ co1 jZ co2 Z co3 :::Z covth EÞ þ H ϵco2 min ðZ co2 jZ co3 Z co4 :::Z covth EÞ þ :::