Introduction

So far, there have existed many kinds of protocols describing how quantum key distribution (QKD)1,2 works, such as the Bennett–Brassard—1984 (BB84)3, Bennett–Brassard–Mermin—19924, Bennett—19925, six-state6, continuous variable7,8 and measurement-device-independent9,10,11 protocols. Although different protocols contain different processes, they all serve the same purpose to guarantee that two parties, named Alice and Bob, can share a string of key data through a channel fully controlled by an eavesdropper, named Eve3. Unlike some computational assumptions, these protocols are all proven to be secure with fundamental physical laws in the recent years12,13,14,15,16,17,18, which shows the great advantage in information transmitting that QKD holds. BB84 stands out as the most important protocol due to its best overall performance. However, implementations of the BB84 protocol differ from the original theoretical proposal. For an ideal single-photon source is not available yet, in actuality, a weak pulsed laser source is in place of it. Nevertheless, there is a critical flaw in the weak pulsed laser source that an non-negligible part of laser pulses contains more than one photon, which will be exploited by Eve through the photon-number-splitting (PNS) attack19. To address this drawback with high channel loss, the decoy-state method is introduced20,21,22.

The source will generate the phase-randomized coherent state in decoy-state method, which can be regarded as the mixed photon number state. The essence of the decoy state idea can be summarized as that the yield (bit error rate) of n-photon in signal state is equal to that in decoy state. However, this equal-yield condition can only be established under the asymptotic-key regime. The expected value of yield (bit error rate) of n-photon in signal state and decoy state are identical while the corresponding observed value cannot be assumed to be the same in the finite-key regime. By exploiting the decoy-state method, one can establish the linear system of equations about the expected values to obtain expected value of yield (bit error rate) of the single-photon component, where we need estimate the expected value of some parameters given by the known observed values. Actually, the observed value of yield (bit error rate) of the single-photon component in the key extraction data is what we really need, where we must estimate the observed value given by the known expected value.

The Gaussian analysis method23 is first proposed to deal with the the deviation between expected value and observed value given by the known observed value. The Gaussian analysis method is not rigorous because of the identically distributed assumption, which can only be valid in the collective attack. Resulting the extracted secret key cannot be secure against the coherent attack. Recently, the multiplicative form Chernoff bound24 and Hoeffding inequality25 methods are proposed to remove the identically distributed assumption, respectively. However, there is a considerable gap between the secret key rate bounds obtained from Chernoff–Hoeffding method and that obtained from the Gaussian analysis. In order to close this gap, the inverse solution Chernoff bound method26 is presented, which achieves a similar performance with Gaussian analysis. Here, we should point out that the inverse solution Chernoff bound method also seems to be not rigorous. An important assumption in Chernoff bound is that one should have the prior knowledge of expected value. However, the problem that we have in hand is the opposite that we need to estimate expected value for a given observed value. This is why the multiplicative form Chernoff bound is somehow complex and carefully tailored. A direct criterion is that the lower bound result of inverse solution Chernoff bound is superior to the Gaussian analysis when one has a small observed value. Note that the result of Gaussian analysis should be optimal because the identically distributed assumption is a special case.

For BB84 protocol, one need bound the the conditional smooth min-entropy27, which relates to the phase error rate. The phase error rate cannot be directly observed, which can only be estimated by using the random sampling without replacement theory for security against the general attacks. A hypergeometric distribution method28 is first proposed to deal with the deviation between phase error rate of computational basis and bit error rate of dual basis in the finite-key regime. By using the inequality scaling technique, a numerical equation solution by using Shannon entropy function29 is acquired to estimate the phase error rate. Based on this, an analytical solution is obtained when the data size is large25. A looser analytical solution is using the Serfling inequality24. By exploiting the Ahrens map for Hypergeometric distribution, one uses Clopper–Pearson confidence interval30 replace the Serfling inequality. Recently, a specifically tailored analytical solution is acquired31, which achieves a big advantage compared to Serfling inequality. Here, we should point out that the specifically tailored analytical solution31 for random sampling without replacement is incorrect. The inequality scaling of binomial coefficient and Eq. (11) in supplementary information of Ref.31 is wrong.

In order to further improve the secret key rate in the case of high-loss, some authors of us have developed the tightest method to solve the above two tasks of statistical fluctuation32. Thereinto, the numerical equation of Chernoff bound is used to estimate the observed value for a given expected value. A numerical equation of Chernoff bound’s variant is exploited to obtain the expected value for a given observed value. A numerical equation relating to the hypergeometric distribution is directly applied to acquire the phase error rate for a given bit error rate. These numerical equation solutions are very tight but they are very inconvenient to use. On the one hand, it will be very time consuming if we optimize the system parameters globally by solving transcendental equations. On the other hand, it is a challenge to solve transcendental equations for each time post-processing in commercial QKD system with hardware. In this work we present the optimal analytical formulas to solve the two tasks of statistical fluctuation by using the rigorous inequality scaling technique. Furthermore, we establish the complete finite-key analysis for decoy-state BB84 QKD with composable security. The simulation results show that the secret key rate and secure transmission distance of our method have a significant advantage compared with previous rigorous methods.

Results

Statistical fluctuation analysis

We let \(x^*\) be the expected value, x be the observed value, \({\underline{x}}\) and \({\overline{x}}\) be the lower and upper bound of x. Here, we first introduce the numerical equation result of Ref.32. Then we present the tight analytical formulas by using the rigorous inequality scaling technique, which are the slightly looser bounds than those obtained by solving equations.

Random sampling without replacement

Let \(X_{n+k}\)\(:=\{x_1,x_2,...,x_{n+k}\}\) be a string of binary bits with \(n+k\) size, in which the number of bits value is unknown. Let \(X_k\) be a random sample (without replacement) bit string with k size from \(X_{n+k}\). Let \(\lambda \) be the probability of bit value 1 observed in \(X_k\). Let \(X_n\) be the remaining bit string, where the probability of bit value 1 observed in \(X_n\) is \(\chi \). Then, in this article, we let \(C^j_i=\frac{i!}{j!(i-j)!}\) be the binomial coefficient. For any \(\epsilon > 0\), we have the upper tail \(\mathrm{Pr}[\chi \ge \lambda + \gamma ^{U}] \le \epsilon \), where \(\gamma ^{U}\) represents \(\gamma ^{U}(n,k,\lambda ,\epsilon )\) and \(\gamma ^{U}\) is the positive root of the following equation32

$$\begin{aligned} \ln C_{k}^{k\lambda }+\ln C_{n}^{n(\lambda +\gamma ^{U})}-\ln C_{n+k}^{(n+k)\lambda +n\gamma ^{U}}=\ln \epsilon . \end{aligned} $$
(1)

Calculating Eq. (1), we get numerical results of \(\gamma ^{U}\), corresponding to the upper bound of the random sampling without replacement. Solving transcendental equation Eq. (1) is usually very complicated. Here, we are going to make use of some techniques mathematically to get rigorous tight analytical result. Detailed proof can be found in “Methods” section. For the upper tail, let \(0<\lambda <\chi \le 0.5\), we have the analytical result

$$\begin{aligned} \gamma ^{U}=\frac{\frac{(1-2\lambda )AG}{n+k}+ \sqrt{\frac{A^2G^2}{(n+k)^2}+4\lambda (1-\lambda )G}}{2+2\frac{A^2G}{(n+k)^2}}, \end{aligned}$$
(2)

where \(A=\max \{n,k\}\) and \(G=\frac{n+k}{nk}\ln {\frac{n+k}{2\pi nk\lambda (1-\lambda )\epsilon ^{2}}}\). Therefore, the upper bound of \(\chi \) can be given by \(\chi =\lambda +\gamma ^{U}\) with a failure probability \(\epsilon \). Figure 1 shows the comparison results between our method and previous method24,25,26,32, which means that our analytic result is optimal and closes to the numerical results.

Figure 1
figure 1

Comparison of the random sampling without replacement for five methods: our analytic result, analytic result with Serfling inequality24, approximate analytic result25, numerical result with Shannon entropy function26 and optimal numerical result with binomial coefficient32. Let \(n=10^{5}\) and failure probablity \(\epsilon =10^{-10}\).

Full size image

Chernoff bound

Let \(X_1, X_2...,X_N\) be a set of independent Bernoulli random variables that satisfy \(\mathrm{Pr}(X_i=1)=p_i\) (not necessarily equal), and let \(X:=\sum _{i=1}^NX_i\). The expected value of X is denoted as \(x^*:=E[X]=\sum _{i=1}^Np_i\). An observed value of X is represented as x for a given trial. Note that, we have \(x\ge 0\), \(x^*\ge 0\), \(x^*\) is known and x is unknown. For any \(\epsilon >0\), we have the upper tail \(\mathrm{Pr}[x\ge (1+\delta ^{U})x^*]\le \epsilon \), where \(\delta ^{U}\) represents \(\delta ^{U}(x^{*},\epsilon )\) and \(\delta ^{U}>0\) is the positive root of the following equation32

$$\begin{aligned} x^*[\delta ^{U}-(1+\delta ^{U})\ln (1+\delta ^{U})]=\ln \epsilon . \end{aligned} $$
(3)

For any \(\epsilon >0\), we have the lower tail \(\mathrm{Pr}[x\le (1-\delta ^{L})x^{*}]\le \epsilon \), where \(\delta ^{L}\) represents \(\delta ^{L}(x^{*},\epsilon )\) and \(0<\delta ^{L}\le 1\) is the positive root of the following equation32

$$\begin{aligned} -x^{*}[\delta ^{L}+(1-\delta ^{L})\ln (1-\delta ^{L})]=\ln \epsilon . \end{aligned} $$
(4)

By solving Eqs. (3) and (4), we get numerical results of \(\delta ^{U}\) and \(\delta ^{L}\), corresponding to the upper bound and lower bound. Solving transcendental equations Eqs. (3) and (4) are usually very complicated. For the upper tail, by using the inequality \(\ln (1+\delta ^{U})>2\delta ^{U}/(2+\delta ^{U})\) in Eq. (3), we have the analytical result

$$\begin{aligned} \delta ^U=\frac{\beta +\sqrt{8\beta x^{*}+\beta ^2}}{2x^{*}}, \end{aligned}$$
(5)

where we let \(\beta =\ln \epsilon ^{-1}\). For the lower tail, by using the inequality \(-\ln (1-\delta ^{L})<\delta ^{L}(2-\delta ^{L})/[2(1-\delta ^{L})]\) in Eq. (4), we have the analytical result

$$\begin{aligned} \delta ^L=\sqrt{\frac{2\beta }{x^{*}}}. \end{aligned}$$
(6)

Therefore, the lower and upper bound of observed value x for a given expected value \(x^*\) can be given by \({\overline{x}}=x^{*}+\frac{\beta }{2}+\sqrt{2\beta x^{*}+\frac{\beta ^2}{4}}\) and \({\underline{x}}=x^{*}-\sqrt{2\beta x^{*}}\) with a failure probability \(\epsilon \), respectively. Note that we must have the lower bound \({\underline{x}}\ge 0\). The analytic result of upper bound in Eq. (5) is also acquired in Ref.26 while we obtain more optimal lower bound in Eq. (6).

Figure 2
figure 2

Comparison of the lower bound of expected value given a observed value for five methods: our analytic result, numerical result of Ref.32, Gaussian analysis, numerical result and analytic result of Ref.26.

Full size image

Variant of Chernoff bound

Let \(X_1, X_2...,X_N\) be a set of independent Bernoulli random variables that satisfy \(\mathrm{Pr}(X_i=1)=p_i\) (not necessarily equal), and let \(X:=\sum _{i=1}^NX_i\). The expected value of X is denoted as \(x^*:=E[X]=\sum _{i=1}^Np_i\). An observed outcome of X is represented as x for a given trial. Note that, we have \(x\ge 0\), \(x^*\ge 0\), x is known and \(x^*\) is unknown. For any \(\epsilon >0\), we have the upper tail \(\mathrm{Pr}[x^{*}\le x+\Delta ^{U}]\), where we use \(\Delta ^{U}\) represents \(\Delta ^{U}(x,\epsilon )\) and \(\Delta ^{U}\) is the positive root of the following equation32

$$\begin{aligned} -\Delta ^{U}+x\ln \frac{x+\Delta ^{U}}{x}=\ln \epsilon . \end{aligned} $$
(7)

For any \(\epsilon >0\), we have the upper tail \(\mathrm{Pr}[x^{*}\ge x+\Delta ^{L}]\), where \(\Delta ^{L}\) represents \(\Delta ^{L}(x,\epsilon )\) and \(\Delta ^{L}\) is the positive root of the following equation32

$$\begin{aligned} \Delta ^{L}-(x+\Delta ^{L})\ln \frac{x+\Delta ^{L}}{x}=\ln \epsilon . \end{aligned} $$
(8)

By solving Eqs. (7) and (8), we get numerical results of \(\Delta ^{U}\) and \(\Delta ^{L}\), corresponding to the upper bound and lower bound. Solving transcendental equations Eqs. (7) and (8) are usually very complicated. For the upper tail, by using the inequality \(\ln \left( 1+\frac{\Delta ^{U}}{x}\right) <\frac{\Delta ^{U}}{x}\left( 2+\frac{\Delta ^{U}}{x}\right) /\left[ 2\left( 1+\frac{\Delta ^{U}}{x}\right) \right] \) in Eq. (7), we have the analytical result

$$\begin{aligned} \Delta ^U=\beta +\sqrt{2\beta x+\beta ^2}. \end{aligned} $$
(9)

For the lower tail, by using the inequality \(\ln \left( 1+\frac{\Delta ^{L}}{x}\right) >2\frac{\Delta ^{L}}{x}/\left( 2+\frac{\Delta ^{L}}{x}\right) \) in Eq. (8), we have the analytical result

$$\begin{aligned} \Delta ^L=\frac{\beta }{2}+\sqrt{2\beta x+\frac{\beta ^2}{4}}.\\ \end{aligned} $$
(10)

Therefore, the lower and upper bound of expected value \(x^{*}\) for a given observed value x can be given by \({\overline{x}}^{*}=x+\beta +\sqrt{2\beta x+\beta ^2}\) and \({\underline{x}}^{*}=x-\frac{\beta }{2}-\sqrt{2\beta x+\frac{\beta ^2}{4}}\) with a failure probability \(\epsilon \), respectively. Note that we must have the lower bound \({\underline{x}}^{*}\ge 0\). Utilizing a simple function transformation, the numerical result of upper bound \({\overline{x}}^{*}\) with Eq. (7) is the same as (Eq. (28) in this paper) in Ref.26, while the analytic result of upper bound is more optimal in this work. The numerical result of lower bound \({\underline{x}}^{*}\) with Eq. (8) is different from that in Ref.26, and the difference between two analytic results of lower bound is only \(\beta \). However, we should point out that our result is always inferior to the Gaussian analysis, while the result of Ref.26 is superior to the Gaussian analysis given a small observed value, details can be found in Fig. 2. It means that our result is rigorous while that of Ref.26 is not. The case of small observed value is very important since the vacuum state is widely used in decoy-state method, especially for the experiment of measurement-device-independent QKD33.

Finite-key analysis for decoy-state BB84 QKD

We exploit our statistical fluctuation analysis methods to deal with finite-key effects against coherent attacks25,34 for BB84 QKD with two decoy states. Note that the four-intensity protocol35 usually has better performance. Compared with previous results24,25,26, we provide the complete extractable secret key formula. For example, the number of vacuum component events, the number of single-photon component events, and the phase error rate associated with the single-photons component events are all required to use observed values in the extractable secret key formula, while all or part of them are taken as the expected values in Ref.24,25,26. Obviously, they are observed values, for instance, the QKD system with single-photon source27.

The asymmetric coding BB84 protocol, based on which we consider our protocol, means that the bases \({\mathsf {Z}}\) and \({\mathsf {X}}\) are chosen with biased probabilities, both when Alice prepare the quantum states and when Bob measure those states. Furthermore, intended to simplifying the protocol a little, we let the secret key be extracted only if Alice and Bob both choose the \({\mathsf {Z}}\) basis. Also, for the same purpose, the protocol will be built on the transmission of phase-randomized laser pulses and makes use of vacuum and weak decoy states. Below we provide a detailed description of the protocol with active basis choosing.

  1. 1.

    Preparation The first three steps are repeated by Alice and Bob for \(i=1,\ldots ,N\) until the conditions in the reconciliation step are satisfied. Alice will prepare weak coherent pulse and encode under the \(\{{\mathsf {Z}},{\mathsf {X}}\}\) basis, along with an intensity \(k \in \{\mu ,\nu ,0 \}\). Let the probability of choosing \({\mathsf {Z}}\) and \({\mathsf {X}}\) basis be \(p_z\) and \(p_x=1-p_z\). Simultaneously, the probabilities of selecting intensities are \(p_{\mu }\), \(p_{\nu }\) and \(p_{0}=1-p_{\mu }-p_{\nu }\), respectively. Then Alice sends the weak coherent pulse to Bob through the insecure quantum channel.

  2. 2.

    Measurement When receiving the pulse, Bob also chooses a basis \({\mathsf {Z}}\) and \({\mathsf {X}}\) with probabilities \(q_{\mathrm{z}}\) and \(q_{\mathrm{x}}=1-q_{\mathrm{z}}\), respectively. Then, he measures the state with two single-photon detectors in that basis. An effective event represents at least one detector click. For double detector click event, he acquires a random bit value.

  3. 3.

    Reconciliation Alice and Bob share the effective event, basis and intensity information with each other using an authenticated classical channel. We use the following sets \({\mathcal {Z}}_{k}\) (\({\mathcal {X}}_{k}\)), which identifies signals where both Alice and Bob select the basis \({\mathsf {Z}}\) (\({\mathsf {X}}\)) for k intensity. Then, they check for \(|{\mathcal {Z}}_{k}| \ge n^{{\mathsf {Z}}}_{k}\) and \(|{\mathcal {X}}_{k}| \ge n^{\mathsf {X}}_{k}\) for all values of k. They repeat step 1 to step 3 until these conditions are satisfied. We remark that the vacuum state prepared by Alice has no basis information.

  4. 4.

    Parameter estimation After reconciling the basis and intensity choices, Alice and Bob will select a size of \(n^{{\mathsf {Z}}}=n^{{\mathsf {Z}}}_{\mu }+n^{{\mathsf {Z}}}_{\nu }\) to get a raw key pair \(({\mathbf{Z}}_{\mathrm{A}},{\mathbf{Z}}_{\mathrm{B}})\). All sets are used to compute the number of vacuum events \(s_0^{\mathsf {Z}}\) and single-photon events \(s_1^{\mathsf {Z}}\) and the phase error rate of single-photon events \(\phi _1^{\mathsf {Z}}\) in \({\mathbf{Z}}_{\mathrm{A}}\). After that, a condition should be met that the phase error rate \(\phi _1^{\mathsf {Z}}\) is less than \( \phi _{{\mathrm{tol}}}\), where \(\phi _{\mathrm{tol}}\) is a predetermined phase error rate. If not, Alice and Bob abort the results and get started again. Otherwise, they move on to step 5.

  5. 5.

    Postprocessing  First, Alice and Bob operate an error correction, where they reveal at most \(\lambda _{\mathrm{EC}}\) bits of information. Then, an error-verification step is performed using a random universal\(_{2}\) hash function that announces \(\lceil \log _2\frac{1}{\varepsilon _{\mathrm{cor}}}\rceil \) bits of information36, where \(\varepsilon _{\mathrm{cor}}\) is the probability that a pair of nonidentical keys passes the error-verification step. At last, there is a privacy amplification on their keys to get a secret key pair (\(\mathbf{S }_{\mathrm{A}}\),\(\mathbf{S }_{\mathrm{B}}\)), both of which are \(\ell \) bits, by using a random universal\(_{2}\) hash function.

Before stating how to calculate the security bound, we will spell out our security criteria, i.e., the so-called universally composable framework37. We have two criteria (\(\varepsilon _{\mathrm{cor}}\) and \(\varepsilon _{\mathrm{sec}}\)) to determine how secure of our protocol. If \(\Pr [{\mathbf{S}}_{\mathrm{A}}\not ={\mathbf{S}}_{\mathrm{B}}] \le \varepsilon _{\mathrm{cor}}\), which means the secret keys are identical except with a small probability \(\varepsilon _{\mathrm{cor}}\), we can call it is \(\varepsilon _{\mathrm{cor}}\)-correct. Meanwhile, if \((1-p_{\mathrm{abort}})\Vert \rho _{\mathrm{AE}}-U_{\mathrm{A}} \otimes \rho _{\mathrm{E}}\Vert _1/2 \le \varepsilon _{\mathrm{sec}}\), we can call it is \(\varepsilon _{\mathrm{sec}}\)-secret. Thereinto, \(\rho _{\mathrm{AE}}\) is the classical-quantum state describing the joint state of \({\mathbf{S}}_{\mathrm{A}}\) and \({\mathbf{E}}\)\(U_{\mathrm{A}}\) is the uniform mixture of all possible values of \({\mathbf{S}}_{\mathrm{A}}\), and \(p_{\mathrm{abort}}\) is the probability that the protocol aborts. This security criterion guarantees that the pair of secret keys can be unconditionally safe to use, we can call the protocol is \(\varepsilon \)-secure if it is \(\varepsilon _{\mathrm{cor}}\)-correct and \(\varepsilon _{\mathrm{sec}}\)-secret with \(\varepsilon _{\mathrm{cor}}+\varepsilon _{\mathrm{sec}}\le \varepsilon \).

The protocol is \(\varepsilon _{\mathrm{sec}}\)-secret if the secret key of length \(\ell \) satisfies25

$$\begin{aligned} \ell = {\underline{s}}_0^{\mathsf {Z}}+{\underline{s}}_1^{\mathsf {Z}}\left[ 1-h\left( {\overline{\phi }}_1^{\mathsf {Z}}\right) \right] -\lambda _{\mathrm{EC}}-\log _2\frac{2}{\varepsilon _{\mathrm{cor}}}-6\log _2\frac{23}{\varepsilon _{\mathrm{sec}}}, \end{aligned} $$
(11)

where \(h(x):=-x\log _2x-(1-x)\log _2(1-x)\) is the binary Shannon entropy function. Note that observed values \({\underline{s}}_0^{\mathsf {Z}}\), \({\underline{s}}_1^{\mathsf {Z}}\) and \({\overline{\phi }}_1^{\mathsf {Z}}\) are the lower bound for the number of vacuum events, the lower bound for the number of single-photon events, and the upper bound for the phase error rate associated with the single-photons events in \({\mathbf{Z}}_{\mathrm{A}}\), respectively. Here, we simply assume an error correction leakage \(\lambda _{\mathrm{EC}} = n^{{\mathsf {Z}}}\zeta h(E^{{\mathsf {Z}}})\), with the efficiency of error correction \(\zeta = 1.22\) and the bit error rate \(E^{{\mathsf {Z}}}\) in \(({\mathbf{Z}}_{\mathrm{A}},{\mathbf{Z}}_{\mathrm{B}})\).

Let \(n^{{\mathsf {Z}}}_{k}\) and \(n^{\mathsf {X}}_{k}\) are the observed number of bit in set \({\mathcal {Z}}_{k}\) and \({\mathcal {X}}_{k}\). Let \(m^{{\mathsf {Z}}}_{k}\) and \(m^{\mathsf {X}}_{k}\) denote the observed number of bit error in set \({\mathcal {Z}}_{k}\) and \({\mathcal {X}}_{k}\). Note that one cannot obtain the \(m^{{\mathsf {Z}}}_{\mu }\) and \(m^{{\mathsf {Z}}}_{\nu }\), which we just hypothetically use to estimate the error correction information. The bit error rate is \(E^{{\mathsf {Z}}}=(m^{{\mathsf {Z}}}_{\mu }+m^{{\mathsf {Z}}}_{\nu })/n^{{\mathsf {Z}}}\). By using the decoy-state method for finite sample sizes, we can have the lower bound on the expected numbers of vacuum event \({\underline{s}}_0^{{\mathsf {Z}}^*}\) and single-photon event \({\underline{s}}_1^{{\mathsf {Z}}^{*}}\) in \({\mathbf{Z}}_{\mathrm{A}}\),

$$\begin{aligned} {\underline{s}}_0^{{\mathsf {Z}}^*}\ge&\,( e^{-\mu }p_\mu + e^{-\nu }p_\nu ) \frac{p_{z}{\underline{n}}_0^{{\mathsf {Z}}^*}}{p_0},\\ {\underline{s}}_1^{{\mathsf {Z}}^*}\ge&\,\frac{\mu ^{2} e^{-\mu }p_\mu +\mu \nu e^{-\nu }p_\nu }{\mu \nu -\nu ^2}\\&\times \left( e^\nu \frac{{\underline{n}}_\nu ^{{\mathsf {Z}}^*}}{p_\nu }-\frac{\nu ^2}{\mu ^2}e^\mu \frac{{\overline{n}}_\mu ^{{\mathsf {Z}}^*}}{p_\mu }-\frac{\mu ^2-\nu ^2}{\mu ^2} \frac{p_{z}{\overline{n}}_0^{{\mathsf {Z}}^*}}{p_0}\right) , \end{aligned} $$
(12)

where \({\underline{n}}_0^{{\mathsf {Z}}^*}\) and \({\underline{n}}_\nu ^{{\mathsf {Z}}^*}\) (\({\overline{n}}_\mu ^{{\mathsf {Z}}^*}\) and \({\overline{n}}_0^{{\mathsf {Z}}^*}\)) are the lower (upper) bound of expected values associated with the observed values \(n_0^{{\mathsf {Z}}}\) and \(n_\nu ^{{\mathsf {Z}}}\) (\(n_\mu ^{{\mathsf {Z}}}\) and \(n_0^{{\mathsf {Z}}}\)). We can also calculate the lower bound on the expected number of single-photon event \({\underline{s}}_1^{\mathsf {X}^{*}}\) and the upper bound on the expected number of bit error \({\underline{t}}_1^{\mathsf {X}^{*}}\) associated with the single-photon event in \({\mathcal {X}}_{\mu }\cup {\mathcal {X}}_{\nu }\),

$$\begin{aligned} {\underline{s}}_1^{\mathsf {X}^*}\ge&\,\frac{\mu ^{2} e^{-\mu }p_\mu +\mu \nu e^{-\nu }p_\nu }{\mu \nu -\nu ^2}\\&\times \left( e^\nu \frac{{\underline{n}}_\nu ^{\mathsf {X}^*}}{p_\nu }- \frac{\nu ^2}{\mu ^2}e^\mu \frac{{\overline{n}}_\mu ^{\mathsf {X}^*}}{p_\mu }- \frac{\mu ^2-\nu ^2}{\mu ^2}\frac{p_{x}{\overline{n}}_0^{\mathsf {X}^*}}{p_0}\right) ,\\ {\overline{t}}_1^{\mathsf {X}^{*}}\le&\,\frac{\mu e^{-\mu }p_{\mu }+\nu e^{-\nu }p_{\nu }}{\nu }\left( e^{\nu }\frac{{\overline{m}}_{\nu }^{\mathsf {X}^{*}}}{p_{\nu }}-\frac{p_{x}{\underline{n}}_{0}^{\mathsf {X}^{*}}}{2p_{0}}\right) , \end{aligned} $$
(13)

where we use a fact that expected value \(m_{0}^{\mathsf {X}^*}\equiv n_{0}^{\mathsf {X}^*}/2\). Parameters \({\underline{n}}_0^{\mathsf {X}^*}\) and \({\underline{n}}_\nu ^{\mathsf {X}^*}\) (\({\overline{n}}_\mu ^{\mathsf {X}^*}\), \({\overline{n}}_0^{\mathsf {X}^*}\) and \({\overline{m}}_{\nu }^{\mathsf {X}^{*}}\)) are the lower (upper) bound of expected values associated with the observed values \(n_0^{\mathsf {X}}\) and \(n_\nu ^{\mathsf {X}}\) (\(n_\mu ^{\mathsf {X}}\), \(n_0^{\mathsf {X}}\) and \(m_{\nu }^{\mathsf {X}}\)). The nine expected values \({\underline{n}}_0^{{\mathsf {Z}}^*}\), \({\underline{n}}_\nu ^{{\mathsf {Z}}^*}\), \({\overline{n}}_\mu ^{{\mathsf {Z}}^*}\), \({\overline{n}}_0^{{\mathsf {Z}}^*}\), \({\underline{n}}_0^{\mathsf {X}^*}\), \({\underline{n}}_\nu ^{\mathsf {X}^*}\), \({\overline{n}}_\mu ^{\mathsf {X}^*}\), \({\overline{n}}_0^{\mathsf {X}^*}\) and \({\overline{m}}_{\nu }^{\mathsf {X}^{*}}\) can be obtained by using the variant of Chernoff bound with Eqs. (9) and (10) for each parameter with failure probability \(\varepsilon _{\mathrm{sec}}/23\), for example, \({\underline{n}}_\nu ^{{\mathsf {Z}}^*}=n_\nu ^{{\mathsf {Z}}}-\Delta ^{L}(n_\nu ^{{\mathsf {Z}}},\varepsilon _{\mathrm{sec}}/23)\).

Once acquiring the four expected values \({\underline{s}}_0^{{\mathsf {Z}}^*}\), \({\underline{s}}_1^{{\mathsf {Z}}^*}\), \({\underline{s}}_1^{\mathsf {X}^*}\) and \({\overline{t}}_1^{\mathsf {X}^{*}}\), one can exploit the Chernoff bound with Eqs. (5) and (6) to calculate the corresponding observed values \({\underline{s}}_0^{{\mathsf {Z}}}\), \({\underline{s}}_1^{{\mathsf {Z}}}\), \({\underline{s}}_1^{\mathsf {X}}\) and \({\overline{t}}_1^{\mathsf {X}}\) for each parameter with failure probability \(\varepsilon _{\mathrm{sec}}/23\), for example, \({\underline{s}}_1^{{\mathsf {Z}}}={\underline{s}}_1^{{\mathsf {Z}}^*}(1-\delta ^{L}({\underline{s}}_1^{{\mathsf {Z}}^*},\varepsilon _{\mathrm{sec}}/23))\). By using the random sampling without replacement with Eq. (2), one can calculate the upper bound of hypothetically observed phase error rate associated with the single-photon events in \({\mathbf{Z}}_{\mathrm{A}}\),

$$\begin{aligned} {\overline{\phi }}_1^{\mathsf {Z}}=\frac{{\overline{t}}_1^\mathsf {X}}{{\underline{s}}_1^\mathsf {X}} +\gamma ^{U}\left( {\underline{s}}_1^{\mathsf {Z}},{\underline{s}}_1^\mathsf {X}, \frac{{\overline{t}}_1^\mathsf {X}}{{\underline{s}}_1^\mathsf {X}}, \frac{\varepsilon _{\mathrm{sec}}}{23}\right) . \end{aligned}$$
(14)

In order to show the performance of our method in terms of the secret key rate and the secure transmission distance, we consider a fiber-based QKD system model with active basis choosing measurement. We use the widely used parameters of a practical QKD system38, as listed in Table 1. For a given experiment, one can directly acquire the parameters \(n_{k}^{{\mathsf {Z}}}\), \(n_{k}^{\mathsf {X}}\), \(m_{k}^{{\mathsf {Z}}}\) and \(m_{k}^{\mathsf {X}}\). For simulation, we can use the formulas \(n_k^{\mathsf {Z}}=Np_{k}p_{z}q_{z} Q_k^{\mathsf {Z}}\), \(n_k^\mathsf {X}=Np_{k}p_{x}q_{x} Q_k^\mathsf {X}\), \(m_k^{\mathsf {Z}}=Np_{k}p_{z}q_{z} E_k^{\mathsf {Z}}Q_k^{\mathsf {Z}}\) and \(m_k^\mathsf {X}=Np_{k}p_{x}q_{x} E_k^\mathsf {X}Q_k^\mathsf {X}\), where \(Q_{k}^{{\mathsf {Z}}}\) and \(Q_{k}^{\mathsf {X}}\) are the gain of Z and X basis when Alice chooses optical pulses with intensity k. For vacuum state without basis information, we should reset \(n_0^{\mathsf {Z}}=Np_{0}q_{z} Q_0^{\mathsf {Z}}\), \(n_0^\mathsf {X}=Np_{0}q_{x} Q_0^\mathsf {X}\), \(m_0^{\mathsf {Z}}=Np_{0}q_{z} E_0^{\mathsf {Z}}Q_0^{\mathsf {Z}}\) and \(m_0^\mathsf {X}=Np_{0}q_{x} E_0^\mathsf {X}Q_0^\mathsf {X}\). \(E_{k}^{{\mathsf {Z}}}\) and \(E_{k}^{\mathsf {X}}\) are the bit error rate of Z and X basis when Alice chooses optical pulses with intensity k. Without loss of generality, these gain and bit error rate parameters can be given by23

$$ \begin{array}{*{20}l} {Q_{k}^{\text{Z}} = Q_{k}^{\text{X}} = 1 - (1 - Y_{0} )e^{{ - k\eta }} } \hfill \\ {E_{k}^{\text{Z}} Q_{k}^{\text{Z}} = E_{k}^{\text{X}} Q_{k}^{\text{X}} = e_{d} Q_{k}^{\text{Z}} + (e_{0} - e_{d} )Y_{0} } \hfill \\ \end{array} , $$
(15)

where we assume that those observed values for different parameters can be denotes by their asymptotic values without Eve’s disturbance. \(\eta =\eta _{d}\times 10^{-\alpha L/10}\) is the overall efficiency with the fiber length L and single-photon detector (Table 1).

Table 1 List of simulation parameters.
Full size table

To show the advantage of our results compared with previous works24,25,26, we drew the curves about the secret key rate \(\ell /N\) as function of the fiber length, as shown in Fig. 3. For a given number of signals \(10^{10}\), only ten seconds in 1 GHz system, we optimize numerically \(\ell /N\) over all the free parameters. For fair comparison, we add a step about from expected value to observed value estimation for all curves, which is not taken into account in Refs.24,25. The corresponding methods of Refs.23,24,25,26 to deal with statistical fluctuation can be summarized in Methods. Note that the black dashed line uses the Gaussian analysis to obtain expected value instead of the inverse solution Chernoff bound method26. The simulation results show that the secret key rate and secure transmission distance of our method have significant advantage under the security against the general attacks.

Figure 3
figure 3

The secret key rate vs fiber length. It shows the comparison of the secret key rates of different statistical fluctuation methods. Numerically optimized secret key rates with logarithmic scale are obtained for a predetermined signals \(N=10^{10}\).

Full size image

Conclusion

In this work, we proposed the almost optimal analytical formulas to deal with the statistical fluctuation under the security against the general attacks. Analytical formulas of classical postprocessing can be expediently used in practical system, which do not introduce complex calculations of resource consumption. Our methods can directly increase the performance without changing the quantum process, which should be widely used to quantum cryptography protocols against the finite-size effects. In order to compare with previous works, we establish the complete finite-key analysis for decoy-state BB84 QKD, including from observed value to expected value, from expected value to observed value and from the observed bit error of \({\mathsf {X}}\) basis to hypothetical observed phase error of \({\mathsf {Z}}\) basis. We remark that the joint constraint method39 can further decrease the statistical fluctuation. However, we do not consider this issue in this paper due to the lack of the analytical solutions, which is difficult to implement in commercial systems. The secret key rate of decoy-state BB84 QKD is linear scaling with channel transmittance \(\eta \), which has been shown by the repeaterless PLOB bound40.

Methods

Proof of random sampling without replacement

Here, we use the technique of Ref.31 to acquire the correct analytical results. We remark that the result of Ref.31 is wrong due to the incorrect inequality scaling about binomial coefficient and Eq. (11) in supplementary information of Ref.31. Specifically, a sharp double inequality for binomial coefficient can be given by Ref.41,

$$ \begin{aligned} \frac{1}{{\sqrt {2\pi } }} & e^{{ - \frac{1}{{8x}}}} \frac{{x^{{ - \frac{1}{2}}} m^{{mx + \frac{1}{2}}} }}{{(m - p)^{{(m - p)x + \frac{1}{2}}} p^{{px + \frac{1}{2}}} }} < C_{{mx}}^{{px}} \\ & < \frac{1}{{\sqrt {2\pi } }}e^{{\frac{1}{{12mx}} - \frac{1}{{12px + 1}} - \frac{1}{{12x(m - p) + 1}}}} \frac{{x^{{ - \frac{1}{2}}} m^{{mx + \frac{1}{2}}} }}{{(m - p)^{{(m - p)x + \frac{1}{2}}} p^{{px + \frac{1}{2}}} }} \\ \end{aligned} $$
(16)

where \(m>p\ge 1\) and \(x\ge 1\). Ref.31 directly substitutes \(p = \alpha \), \(m = 1\) and \(x=n\) to give a inequality about binomial coefficient. Actually, one has \(\alpha \le 0.5\) in the calculation of the phase error rate. Therefore, one cannot simply let \(p=\alpha \). Besides, there is a minus sign in Eq. (11) in supplementary information of Ref.31, thus, one cannot directly exploit \(\lambda \) to replace \(\lambda _{\mathrm{all}}\).

For the upper tail, the failure probability \(\epsilon \) can be bound by29,31,32 \(C_{k}^{k \lambda } C_{n}^{n \chi }/C_{n+k}^{(n+k)y}\), where \(y=\lambda +\frac{n}{n+k} \gamma \) and \(\chi =\lambda +\gamma \). Let \(F(\alpha , n)=\frac{\alpha ^{-\alpha n}(1-\alpha )^{-(1-\alpha ) n}}{\sqrt{2 \pi n \alpha (1-\alpha )}}\) and the sharp double inequality for binomial coefficient41

$$\begin{aligned} e^{-\frac{1}{8 \alpha n}} F(\alpha , n)<C_{n}^{\alpha n}<e^{\left( \frac{1}{12 n}-\frac{1}{12 n \alpha +1}-\frac{1}{12 n (1-\alpha )+1}\right) } F(\alpha , n), \end{aligned}$$
(17)

where we let \(p=1\), \(\alpha =\frac{1}{m}\) and \(mx=n\) in Eq. (16). One can give the following inequality for failure probability

$$\begin{aligned} \frac{C_{k}^{k \lambda } C_{n}^{n \chi }}{C_{n+k}^{(n+k)y}} <&\frac{e^{\ln 2 \cdot \left[ n h\left( \chi \right) +k h\left( \lambda \right) -(n+k) h\left( y\right) \right] }}{\sqrt{2 \pi n k \lambda (1-\lambda ) /(n+k)}}\sqrt{\frac{y(1-y) }{\chi (1-\chi )}}\\&\times e^{\left( \frac{1}{8(n+k)y}+\frac{1}{12k}- \frac{1}{12k\lambda +1}-\frac{1}{12k(1-\lambda )+1}\right) }\\&\times e^{\left( \frac{1}{12 n}-\frac{1}{12 n\chi +1}- \frac{1}{12 n(1-\chi )+1}\right) }, \end{aligned} $$
(18)

where Shannon entropy function \(h(x)=-x \log _{2} x-(1-x) \log _{2}(1-x)\). Note that one can prove \(e^{\left( \frac{1}{8(n+k)y}+\frac{1}{12k}-\frac{1}{12k\lambda +1}-\frac{1}{12k(1-\lambda )+1}+\frac{1}{12 n}-\frac{1}{12 n\chi +1}-\frac{1}{12 n(1-\chi )+1}\right) }<1\) and \(\sqrt{\frac{y(1-y) }{\chi (1-\chi )}}<1\) for \(n,k>0\) and \(0<\lambda<y<\chi \le 0.5\). Thereby, the inequality can be given by

$$\begin{aligned} \frac{C_{k}^{k \lambda } C_{n}^{n \chi }}{C_{n+k}^{(n+k)y}}<&\frac{e^{\ln 2 \cdot \left[ n h\left( \chi \right) +k h\left( \lambda \right) -(n+k) h\left( y\right) \right] }}{\sqrt{2 \pi n k \lambda (1-\lambda ) /(n+k)}}. \end{aligned} $$
(19)

By using Taylor expanding for the case of \(n\ge k\), we have \(n h(\chi )+k h(\lambda )-(n+k) h(y) \le \frac{h^{\prime \prime }(y)}{2} \frac{\gamma ^{2} n k}{n+k}\), where \(h^{\prime \prime }(y)=-\frac{1}{y(1-y) \ln 2}\). Therefore, by solving a quadratic equation with one unknown, we have

$$\begin{aligned} \gamma =\frac{\frac{(1-2 \lambda ) n G}{n+k}+\sqrt{\frac{n^{2} G^{2}}{(n+k)^{2}}+4 \lambda (1-\lambda )G}}{2+2 \frac{n^{2} G}{(n+k)^{2}}}, \end{aligned}$$
(20)

where parameter \(G=\frac{n+k}{nk}\ln {\frac{n+k}{2\pi nk\lambda (1-\lambda )\epsilon ^{2}}}\). By using Taylor expanding for the case of \(n\le k\), we have the following inequalities \(n h(\chi )+k h(\lambda )-(n+k) h(y)\le n h(\lambda )+k h(\chi )-(n+k) h(z)\le \frac{h^{\prime \prime }(z)}{2} \frac{\gamma ^{2} n k}{n+k}\) where \(z=\lambda +\frac{k}{n+k} \gamma \) and \(h^{\prime \prime }(z)=-\frac{1}{z(1-z) \ln 2}\). Therefore, by solving a quadratic equation with one unknown, we have

$$\begin{aligned} \gamma =\frac{\frac{(1-2 \lambda ) k G}{n+k}+\sqrt{\frac{k^{2} G^{2}}{(n+k)^{2}}+4 \lambda (1-\lambda )G}}{2+2 \frac{k^{2} G}{(n+k)^{2}}}. \end{aligned}$$
(21)

Note that the above result is always true for all \(n,k>0\) and \(0<\lambda <\chi \le 0.5\).

Method in Ref.24

The upper bound of the random sampling without replacement can be calculated by using the Serfling inequality,

$$\begin{aligned} \gamma ^{U}=\sqrt{\frac{(n+k)(k+1)}{nk^{2}}\ln \epsilon ^{-1}}. \end{aligned} $$
(22)

The upper bound and lower bound of expected value for a given observed value can be calculated by using the multiplicative form Chernoff bound as follows. We always can obtain the worst lower bound of expected value, \(\mu _{\mathrm{L}}=x-\sqrt{N/2\ln {\epsilon ^{-1}}}\), where N is the total number of random variables. Let \(test_1\), \(test_2\) and \(test_3\) denote, respectively, the following three conditions: \(\mu _{\mathrm{L}}\ge \frac{32}{9}\ln (2\epsilon _{1}^{-1})\), \(\mu _{\mathrm{L}}>3\ln \epsilon _{2}^{-1}\) and \(\mu _{\mathrm{L}}>\left( \frac{2}{2e-1}\right) ^{2}\ln \epsilon _{2}^{-1}\), and let \(g(x,y)=\sqrt{2x\ln {y^{-1}}}\). Now:

  1. 1.

    When \(test_1\) and \(test_2\) are fulfilled, we have that \(\Delta ^{U}=g(x, \epsilon _{1}^4/16)\) and \(\Delta ^{L}=g(x, \epsilon _{2}^{3/2})\).

  2. 2.

    When \(test_1\) and \(test_3\) are fulfilled (and \(test_2\) is not fulfilled), we have that \(\Delta ^{U}=g(x, \epsilon _{1}^4/16)\) and \(\Delta ^{L}=g(x, \epsilon _{2}^{2})\).

  3. 3.

    When \(test_1\) is fulfilled and \(test_3\) is not fulfilled, we have that \(\Delta ^{U}=g(x, \epsilon _{1}^4/16)\) and \(\Delta ^{L}=\sqrt{N/2\ln {\epsilon _{2}^{-1}}}\).

  4. 4.

    When \(test_1\) is not fulfilled and \(test_2\) is fulfilled, we have that \(\Delta ^{U}=\sqrt{N/2\ln {\epsilon _{1}^{-1}}}\) and \(\Delta ^{L}=g(x, \epsilon _{2}^{3/2})\).

  5. 5.

    When \(test_1\) and \(test_2\) are not fulfilled, and \(test_3\) is fulfilled, we have that \(\Delta ^{U}=\sqrt{N/2\ln {\epsilon _{1}^{-1}}}\) and \(\Delta ^{L}=g(x, \epsilon _{2}^{2})\).

  6. 6.

    When \(test_1\), \(test_2\) and \(test_3\) are not fulfilled, we have that \(\Delta ^{U}=\sqrt{N/2\ln {\epsilon _{1}^{-1}}}\) and \(\Delta ^{L}=\sqrt{N/2\ln {\epsilon _{2}^{-1}}}\)

To simplify this simulation, we consider the case of \(\epsilon =\epsilon _{1}=\epsilon _{2}\). For all observed value x, we make \({\overline{x}}^{*}=x+\Delta ^{U}\) and \({\underline{x}}^{*}=x-\Delta ^{L}\), where

$$\begin{aligned} \Delta ^{U} & = \sqrt {8\beta x + 8x\ln 2}, \\ \Delta ^{L} & = \sqrt {3\beta x}. \\ \end{aligned}$$
(23)

Note that it is not rigorous in Eq. (23) for small x.

Method in Ref.25

The upper bound of the random sampling without replacement can be calculated by

$$\begin{aligned} \gamma ^{U}=\sqrt{\frac{(n+k)\lambda (1-\lambda )}{nk\ln 2}\log _{2} {\frac{n+k}{nk\lambda (1-\lambda )\epsilon ^{2}}}}, \end{aligned}$$
(24)

where the result is true only when n and k are large.

The upper bound and lower bound of expected value for a given observed value can be calculated by using the tailored Hoeffding inequality for decoy-state method. Let \(x_{k}\) be the observed value for k intensity and \(X=\sum _{k}x_{k}\). Therefore, we have \({\overline{x}}_{k}^{*}=x_{k}+\Delta ^{U}\) and \({\underline{x}}_{k}^{*}=x_{k}-\Delta ^{L}\), where

$$\begin{aligned} \Delta ^{U}=\Delta ^{L}=\sqrt{X/2\ln \epsilon ^{-1}}. \end{aligned}$$
(25)

Note that the deviation is the same for all intensities of k, which will lead large fluctuation for small intensity, especially vacuum state.

Method in Ref.26

The upper bound of the random sampling without replacement can be calculated by using the following transcendental equation,

$$h\left( \lambda +\frac{n}{n+k}\gamma ^{U}\right) -\frac{k}{n+k}h(\lambda )- \frac{n}{n+k}h(\lambda +\gamma ^{U}) =\frac{1}{2(n+k)}\log _{2}\frac{n+k}{nk\lambda (1-\lambda )\epsilon ^{2}}.$$
(26)

The upper bound and lower bound of expected value for a given observed value can be calculated by using the Gaussian analysis. Therefore, we have \({\overline{x}}^{*}=x+\Delta ^{U}\) and \({\underline{x}}^{*}=x-\Delta ^{L}\) with

$$\begin{aligned} \Delta ^{U}=\Delta ^{L}=\mathrm{erfcinv}(2\epsilon )\sqrt{2x} , \end{aligned} $$
(27)

where \(a=\mathrm{erfcinv}(b)\) is the inverse function of \(b=\mathrm{erfc}(a)\) and \(\mathrm{erfc}(a)=\frac{2}{\sqrt{\pi }}\int _{a}^{\infty }e^{-t^2}dt\) is the complementary error function.

Furthermore, the upper bound and lower bound of expected value for a given observed value can also be calculated by using the inverse solution Chernoff bound. Therefore, we have \({\overline{x}}^{*}=x/(1-\delta ^{U})\) and \({\underline{x}}^{*}=x/(1+\delta ^{L})\), where \(\delta ^{U}\) and \(\delta ^{L}\) can be obtained by using the following transcendental equation,

$$\begin{aligned} \frac{x}{1-\delta ^{U}}[-\delta ^{U}-(1-\delta ^{U})\ln (1-\delta ^{U})]&=&\ln \epsilon ,\\ \frac{x}{1+\delta ^{L}}[\delta ^{L}-(1+\delta ^{L})\ln (1+\delta ^{L})]&=&\ln \epsilon ,\\ \end{aligned}$$
(28)

while the slightly looser analytic result can be given by

$$\begin{aligned} \delta ^{U}=\frac{\sqrt{8\beta x+9\beta ^{2}}-\beta }{2(x+\beta )},\\ \end{aligned} $$
(29)

and

$$\begin{aligned} \delta ^{L}=\frac{\sqrt{8\beta x+\beta ^{2}}+3\beta }{2(x-\beta )}.\\ \end{aligned} $$
(30)

Through simple calculation, the upper bound and lower bound are \({\overline{x}}^{*}=x+\frac{3}{2}\beta +\sqrt{2\beta x+\frac{9}{4}\beta ^{2}}\) and \({\underline{x}}^{*}=x+\frac{\beta }{2}-\sqrt{2\beta x+\frac{\beta ^{2}}{4}}\), respectively.