Security evaluation of quantum key distribution with weak basis-choice flaws

Quantum key distribution (QKD) can share an unconditionally secure key between two remote parties, but the deviation between theory and practice will break the security of the generated key. In this paper, we evaluate the security of QKD with weak basis-choice flaws, in which the random bits used by Alice and Bob are weakly controlled by Eve. Based on the definition of Li et al. (Sci Rep 5:16200, 2015) and GLLP's analysis, we obtain a tight and analytical bound to estimate the phase error and key rate for both the single photon source and the weak coherent source. Our approach largely increases the key rate from that of the original approach. Finally, we investigate and confirm the security of BB84-QKD with practical commercial devices.

Based on the principle of quantum mechanics, "quantum cryptography" is a possible means of implementing unconditionally secure communication. One famous quantum cryptography approach is quantum key distribution (QKD) combined with the one-time pad. Since the proposal of the first QKD protocol, BB84 [1], QKD has attracted much interest. The unconditional security of QKD has been proven for both perfect [2] and imperfect [3,4] devices. QKD has also been experimentally demonstrated in fibers [5,6], free space [7,8], and satellites [9,10]. Multi-user quantum networks based on these results have become available in many countries [11-14]. However, because practical devices are imperfect, some assumptions of the theoretical analysis may be violated in practical situations. If the gap between theory and practice is exploited by an eavesdropper (Eve), the security of the final key may be broken. In fact, many loopholes have been discovered in practical QKD systems [15-21]. These loopholes are closed by two main approaches: device-independent QKD protocols and security patches. The former include full-device-independent QKD [22,23], measurement-device-independent QKD [24-26], and semi-device-independent QKD [27]. Security patches account for the parameters of practical devices (as many as possible) in the security model. Although device-independent QKD can remove all or a portion of the loopholes, the task remains technologically challenging, especially in practical commercial QKD networks. Thus, most practical QKD systems implement security patches.
In the BB84 protocol, both Alice and Bob must determine how to prepare and measure the quantum states. For this purpose, they require random bits. In practical situations, the random bits may be weakly known or controlled by Eve, and the security of the generated key is compromised. A typical attack that exploits the weak randomness of QKD is the wavelength attack [16,17]. The security of QKD with weak randomness was first studied by Li et al. [28], and has since been applied to different cases [29,30]. In Li's analysis, if the legitimate parties use the "one-step post processing method" to distill the final key, even a small degree of non-randomness will rapidly reduce the final key rate. The key rate can be improved if the legitimate parties adopt the "two-step post processing method", or biased basis protocol, in which Alice and Bob distill the key from the rectilinear and diagonal bases, respectively. However, to maximize Eve's information, they must perform global optimization, which is hampered by at least two disadvantages: large time cost and convergence to a local optimum. The time cost is incurred by the complexity or cost of post processing, and local (rather than global) optimization compromises the security of the generated key.
To mitigate these problems, we develop an analytical formula that estimates the key rate for both the single photon source (SPS) and the weak coherent source (WPS). In numerical simulations, our method significantly increased the key rate over the original method of Li et al. [28]. For example, the original method of Ref. [28] can generate no secure key for an SPS with a basis-choice flaw of 0.1 when the bit error rate exceeds 3.4%, but our method achieves a final key rate of 0.45 under these conditions. Furthermore, to evaluate the performance of QKD under the wavelength attack, we also estimate the key rate of a practical QKD system with a passive basis-choice.

Results
Weak randomness and one-step post processing. This section briefly reviews the analysis of Ref. [28].
Alice determines her quantum state from two random bits: $x_0$ for the bit and $x_1$ for the basis. Meanwhile, Bob chooses his basis from a random bit, $y$. As the final key is distilled only when Alice and Bob choose the same basis ($x_1 = y$), the following analysis is limited to the case $x_1 = y$. In a practical QKD system, $x_0$ ($x_1$) may be weakly controlled by Eve with a hidden variable 0 ( 1 ). Setting $k$ and $k' = [0, 1]$ as the values of $x_0$ and $x_1$, respectively, the probabilities of obtaining $x_0 = k$ and $x_1 = k'$ are respectively given by Here i p 0 =i = j p 1 =j = 1 . Due to the existence of the hidden variable 0 , we cannot guarantee that p(x 0 = 0| 0 = i) = p(x 0 = 1| 0 = i) = 1/2 holds for all $i$, even if $p(x_0 = 0) = p(x_0 = 1) = 1/2$ holds. The same conclusion is reached for $p(x_1 = k')$. To evaluate the weak randomness of $x_0$ and $x_1$, the deviations are defined as respectively. Here, $0 \le \varepsilon_0, \varepsilon_1 \le 1$ define the amount of prior information known to Eve.
When the hidden variables 0 = i and 1 = j are given, the quantum state shared by Alice and Bob can be written as [28] with Here, $\mu, \nu \in \{0, 1\}$, and $q_{\mu,\nu}$ is the probability that Eve performs different operators on the quantum state |ϕ⟩ 0 =i . These probabilities satisfy $\sum_{\mu,\nu} q_{\mu,\nu} = 1$. $I$ is the identity matrix, $X$ and $Z$ are Pauli matrices, and H = 1
In the following, we first discuss the case of SPS, then expand our results to WPS. In SPS, the total key rate is given by The key rate for a given $i, j$ is where $e^{i,j}_{\mathrm{bit}}$ ($e^{i,j}_{\mathrm{phase}}$) is the bit error (phase error) of the given $i, j$. Because an experiment reveals only the total bit error e bit = i,j p 0 =i p 1 =j e i,j bit , Eq. (5) can be rewritten as Here $e_{\mathrm{phase}}$ is the total phase error, and the second inequality uses the Jensen inequality because $H(x)$ is concave. Before obtaining the lower bound of the key rate, we should estimate the upper bound of $e_{\mathrm{phase}}$. The authors of [28] proved that for the density matrix given by Eq.
1,bit ) are the total gain and error, respectively, for all is the efficiency of the error correction, which can be considered constant. In the third inequality, we recognize that Q s ≥ Q i,j The gain $Q_s$ and error $E_{s,\mathrm{bit}}$ in the equality can be directly measured in experiments, and the contributions of the single photon pulse ($Q_{s,1}$ and $e_{1,\mathrm{bit}}$) should be estimated by the decoy state method [32-34].
Our method with one-step post processing. In this section, we show that the upper bound of the phase error (Eq. 8) is suboptimal, and that the key rate can be improved by imposing a tight bound. Given the density matrix $\rho^{i,j}_{AB}$ (Eq. 3), the bit error rate and phase error rate are respectively written as where $\delta_0$ is defined in Eq. (9), and $0 \le q_{\mu\nu} \le 1$ for all $q_{\mu\nu}$. Thus, the upper bound of the phase error can be written as Substituting the above inequality into Eq. (5) and applying the method described in "Weak randomness and one-step post processing", the final key rate is rewritten as
Figure 1 compares the numerical simulation results of the method in Ref. [28] (Eqs. 10, 11) and our method (Eq. 15). Our method significantly improved the key rate for both SPS and WPS (the simulation method is given in "Formulations of simulation"). For example, in the SPS case with $\varepsilon_0 = \varepsilon_1 = 0.1$, the maximal tolerable error rate was only 3.4% in the method of Ref. [28], but was increased to 8.5% by our method. In the WPS case with $\varepsilon_0 = \varepsilon_1 = 0.1$, no secure key was generated by the method in Ref. [28], but a final key was generated at a fiber length of 132 km by our method.
To evaluate the security of practical QKD with weak randomness flaws, we test the performance of a commercial beam splitter (BS), which may suffer from the wavelength attack. The experimental scheme and results are given in "Formulations of simulation", and the estimated key rate is listed in Table 1.
Biased base QKD protocol. In some practical QKD systems, two bases (Z and X) can deliver different gain or error rate performances. Therefore, to improve the total key rate, we let Alice and Bob observe bases Z and X, respectively. In this section, we analyze the security of biased base QKD with weak randomness. When Alice and Bob distill the key from their respective bases, the key rate becomes

Table 1. Key rates estimated by our method. Here $\gamma = (R_{\mathrm{ideal}} - R_{\mathrm{prac}})/R_{\mathrm{ideal}}$ defines the practical key rate ($R_{\mathrm{prac}}$) relative to the ideal key rate without basis-choice flaws ($R_{\mathrm{ideal}}$). In the simulations, we set $\varepsilon_0 = 0$, and the other parameters were those assumed in Fig. 1.

In these expressions, e b00 and e b01 ( e b10 and e b11 ) are the bit error rates in the rectilinear and diagonal bases, respectively, given a hidden variable 1 = 0 ( 1 = 1 ). $p_{\mathrm{rec}}$ and $p_{\mathrm{dia}}$ are the probabilities that Bob obtains the outcome in the rectilinear and diagonal bases, respectively. They are calculated as respectively, where p rec1 = p 1 =0 p( As the bit error rates $e^b_{\mathrm{rec}}$ and $e^b_{\mathrm{dia}}$ can be directly measured in experiments, we need only to estimate the upper bounds of the phase error rates $e^p_{\mathrm{rec}}$ and $e^p_{\mathrm{dia}}$. Using Eq. (17), the phase error $e^p_{\mathrm{rec}}$ becomes By the above method, we also obtain Here we assume that the bit weak randomness in the Z-basis is the same as that of the X-basis, thus the same $\delta_0$ is used in the equations above. But, by considering $\delta_0$ for each basis separately, our analysis is also valid for the QKD system with different bit weak randomness. Eq. (16) can then be written as Applying the method above and GLLP's analysis, the key rate given by Eq. (21) can be expanded to the WPS case as follows: where $Q_{s,\mathrm{rec}}$ ($Q_{s,\mathrm{dia}}$) and $E^b_{s,\mathrm{rec}}$ ($E^b_{s,\mathrm{dia}}$) denote the total gain and bit error rate, respectively, in the rectilinear (diagonal) base, and $Q_{1,\mathrm{rec}}$ ($Q_{1,\mathrm{dia}}$) and $e^b_{1,\mathrm{rec}}$ ($e^b_{1,\mathrm{dia}}$) are the gain and bit error rate, respectively, of a single photon pulse in the rectilinear (diagonal) base.

Discussion
We evaluated the security of QKD with weak basis-choice flaws. The previous analysis of Li et al. [28] was extended by applying a tight analytical bound for estimating the phase error. The final key rate was significantly improved by the proposed approach. For example, when $\varepsilon_0 = \varepsilon_1 = 0.1$ and the bit error rate exceeded 3.4%, no final key was generated by the previous method, but a final key rate of 0.45 was achieved by our method. Applying our analysis, we evaluated the security of a practical QKD system in which Bob passively chooses his basis with a BS. In experiments using a practical BS with typical parameters, the key rate was reduced by less than 6%. Thus, the proposed method improves the QKD performance even in weak randomness scenarios.
Note that, although we analyze the weak randomness of basis-choice in this paper, there are other imperfections in source and detection. Thus, how to take all of these imperfections into account in one general model is still an open question, and we will discuss it in our future work.

Here, ω ∈ {s} and ω ∈ {d} are the intensities of the signal state (s) and decoy state (d), respectively, $Y_0$ is the dark count of the single photon detector, and $e_0$ is the background error rate. $\eta$ is the total transmittance of the system, which is given by In this expression, $\eta_{\mathrm{Bob}}$ is the transmittance of Bob's optical devices and the efficiency of single-photon detectors, and $\alpha$ is the channel loss. In QKD with a weak coherent source, photon-number-dependent attacks (such as photon-number splitting attacks) must be removed by the decoy state method. Assuming that Alice and Bob use infinite decoy states, the gain and quantum bit error rate of a single photon pulse are respectively given by
Experiment. In some practical QKD systems, Bob passively chooses his measured basis with a BS. Because this scheme requires no active modulator, it enables high-speed, low-cost, and low-complexity operations. However, (as is well known) the transmittance of the BS may depend on the wavelength of the light, opening a potential loophole for the wavelength attack by Eve [16,17]. In this section, we evaluate the performance of QKD with a passive BS by the above analysis. The experimental scheme is shown in the left panel of Fig. 2. The BS was encased in a temperature box that controlled its working temperature. The input of the BS was a tunable laser (model JW3113; province, country), and the light output was measured by a dual-channel power meter (model JW8103D, province, country). In a perfect BS, the measured power of both power meters is identical.
The performance of a real BS is defined by its deviation ratio as follows: Here, $P_0$ and $P_1$ are the powers of the light measured by the two optical power meters, $T$ is the working temperature of the BS, and is the wavelength of the input light.
The deviation ratio of the BS was measured at different wavelengths of the input light and different working temperatures. The results are shown in the right panel of Fig. 2. From the experimental results, the weak randomness in Bob's basis-choice can be estimated as The estimated key rates in the SPS and WPS cases are listed in Table 1 (see main text). At communication distances smaller than 100 km, the key rate was reduced by less than 6%.
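The channel model described above (dark count Y0, background error rate e0, total transmittance built from Bob's efficiency and the channel loss, infinite decoy states) can be run as a short simulation of the weak-coherent-source key rate and of the relative loss γ. This is an added example, not the authors' code: it uses the standard decoy-state and GLLP expressions rather than the paper's own equations, all parameter values are constructed, and `e_det` and `phase_excess` are assumed names, the latter a hypothetical stand-in for how far a basis-choice flaw raises the single-photon phase-error bound.

```python
import math

def h2(x):
    """Binary Shannon entropy H(x)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def key_rate(length_km, mu=0.48, alpha=0.21, eta_bob=0.045, y0=1.7e-6,
             e0=0.5, e_det=0.033, f=1.22, q=0.5, phase_excess=0.0):
    """GLLP key rate per pulse, infinite decoy states (constructed parameters).

    phase_excess (hypothetical) is added to the single-photon bit error to
    model a looser phase-error bound; 0.0 gives the ideal rate R_ideal.
    """
    eta = eta_bob * 10 ** (-alpha * length_km / 10)   # total transmittance
    click = 1 - math.exp(-eta * mu)
    q_mu = y0 + click                                 # gain of the signal state
    e_mu = (e0 * y0 + e_det * click) / q_mu           # bit error of the signal state
    y1 = y0 + eta                                     # single-photon yield
    q1 = y1 * mu * math.exp(-mu)                      # single-photon gain
    e1_bit = (e0 * y0 + e_det * eta) / y1             # single-photon bit error
    e1_phase = min(0.5, e1_bit + phase_excess)
    rate = q * (-f * q_mu * h2(e_mu) + q1 * (1 - h2(e1_phase)))
    return max(rate, 0.0)

def gamma(length_km, phase_excess):
    """Relative loss (R_ideal - R_prac) / R_ideal at one distance."""
    r_ideal = key_rate(length_km)
    if r_ideal == 0.0:
        raise ValueError("no ideal key at this distance")
    return (r_ideal - key_rate(length_km, phase_excess=phase_excess)) / r_ideal

def max_distance(phase_excess=0.0, step_km=1):
    """Largest distance on a step_km grid that still yields a positive rate."""
    d = 0
    while key_rate(d + step_km, phase_excess=phase_excess) > 0:
        d += step_km
    return d

if __name__ == "__main__":
    for excess in (0.0, 0.01, 0.03):
        rates = [f"{key_rate(d, phase_excess=excess):.2e}" for d in (0, 50, 100)]
        print(f"excess={excess}: rates={rates}, reach={max_distance(excess)} km")
```

With a real system, `phase_excess` would be replaced by the phase-error bound derived for the measured basis-choice deviation; the dark-count term is what makes γ grow with distance.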

Figure 2.
Experimental scheme (left) and measured deviation ratio (right) of a practical commercial BS that evaluates the key rate under a weak measured basis flaw. The deviation ratio is determined by Eq. (26) and T is the working temperature of the BS, which is controlled by the temperature box.