Measurement-device-independent quantum key distribution with leaky sources

Measurement-device-independent quantum key distribution (MDI-QKD) can remove all detection side-channels from quantum communication systems. The security proofs require, however, that certain assumptions on the sources are satisfied. This includes, for instance, the requirement that there is no information leakage from the transmitters of the senders, which unfortunately is very difficult to guarantee in practice. In this paper we relax this unrealistic assumption by presenting a general formalism to prove the security of MDI-QKD with leaky sources. With this formalism, we analyze the finite-key security of two prominent MDI-QKD schemes—a symmetric three-intensity decoy-state MDI-QKD protocol and a four-intensity decoy-state MDI-QKD protocol—and determine their robustness against information leakage from both the intensity modulator and the phase modulator of the transmitters. Our work shows that MDI-QKD is feasible within a reasonable time frame of signal transmission given that the sources are sufficiently isolated. Thus, it provides an essential reference for experimentalists to ensure the security of implementations of MDI-QKD in the presence of information leakage.


I. INTRODUCTION
In theory, quantum key distribution (QKD) [1][2][3][4] provides an information-theoretically secure way to distribute secret keys between two distant parties (commonly known as Alice and Bob).
In practice, however, this is not the case. This is so because real devices do not typically conform to the requirements imposed by the security proofs. Indeed, various types of quantum hacking attacks have been proposed and experimentally demonstrated recently, which exploit devices' imperfections in practical QKD systems [4]. To tackle these implementation security loopholes, many efforts have been made, among which device-independent (DI) QKD [5][6][7] and measurement-device-independent (MDI) QKD [8] are two prominent approaches. The security of DI-QKD relies on the violation of a Bell inequality [9,10] and no knowledge about the inner working of the quantum apparatuses is needed given that the apparatuses are 'honest' [11], i.e., given that they follow the prescriptions of the protocol and not those of Eve. DI-QKD is, however, difficult to implement experimentally with current technology, especially for long distances [12][13][14]. On the other hand, thanks to its feasibility, MDI-QKD has attracted great attention and has been widely experimentally demonstrated in recent years [15][16][17][18][19][20][21][22]. In terms of security, MDI-QKD closes all side-channels in the detection unit, which significantly simplifies the path towards achieving implementation security, as now one only needs to secure the source. In particular, MDI-QKD typically requires that certain assumptions on the sources are satisfied. Particularly, it requires that Alice's and Bob's transmitters do not leak any unwanted information out of their security zones.
Inspired by the results introduced in [23 -25], which study the information leakage problem in standard decoy-state QKD systems, here we relax such an unrealistic requirement and perform a finite-key security analysis of MDI-QKD with leaky sources. In particular, we focus on information leakage from two main apparatuses within the transmitters, the intensity modulator (IM), which is used to generate decoy states, and the phase modulator (PM), which is used to encode the basis and bit information. For instance, such information leakage might be due to a Trojan-horse attack (THA) [26] performed by Eve. In this framework, we evaluate the security of two prominent MDI-QKD protocols: the symmetric three-intensity decoy-state MDI-QKD scheme [27], and the efficient four-intensity decoy-state MDI-QKD protocol introduced in [28], which has recently been implemented over a distance of 404 km [20]. As expected, our results show that MDI-QKD is more sensitive to information leakage than standard decoy-state QKD.
Still, we show that MDI-QKD is feasible within a reasonable time frame of signal transmission given that Alice's and Bob's sources are sufficiently isolated. Moreover, we find that when the amount of information leakage is small enough, its effect has a slightly bigger impact on the fourintensity decoy-state MDI-QKD protocol than on the symmetric three-intensity decoy-state MDI-QKD protocol. However, when the amount of information leakage increases, the four-intensity protocol becomes more robust against information leakage than the symmetric three-intensity protocol.
The paper is organized as follows. In Sec. II we summarize the assumptions that we make in the security analysis. In this section, we also define the symmetric three-intensity decoy-state MDI-QKD protocol. Then, in Sec. III we present the parameter estimation method to determine the secret key rate of the protocol in the presence of information leakage from the IM and the PM.
The simulation results for different practical cases are shown in Sec. IV. In Sec. V, we evaluate the security of the four-intensity decoy-state MDI-QKD protocol and simulate its secret key rate.
Finally, Sec. VI summarizes the main contributions of this paper. The detailed calculations to estimate the relevant parameters that are needed to evaluate the lower bound on the secret key rate are shown in Appendixes.

II. ASSUMPTIONS AND PROTOCOL DESCRIPTION
We begin by providing a brief summary of the assumptions that we make on the users' devices in the absence of information leakage: 1. Each of Alice and Bob generates perfect phase-randomized weak coherent pulses (WCPs) of the form where p j n = (γ j ) n e −γ j /n! is the probability that Alice (Bob) sends an n-photon pulse given that she (he) selects the intensity setting γ j , and |n denotes a Fock state with n photons.
2. The state of a pulse generated by Alice (Bob) is in a single mode and the joint state of all the pulses generated by Alice (Bob) is in a tensor product. That is, we assume that the pulses are not correlated with each other when there is no information leakage. We note that the scenario where the users generate multi-mode signals could be evaluated with the techniques recently introduced in [29], while the case of correlated pulses could be analyzed with the techniques developed in [30].
3. There are no intensity fluctuations, i.e., the intensity of the pulses generated by Alice and Bob is precisely γ j . 4. Alice and Bob can perfectly encode the bit and basis information, i.e., there are no state preparation flaws. We remark that the case of state preparation flaws could be studied using the methods presented in [29,31] 5. Alice's and Bob's phase modulators modulate only the phase of the pulses, and their intensity modulators modulate only the intensity of the pulses. That is, the information is only encoded in the desired degrees of freedom of the signals.
With these assumptions in mind, next we describe the specific steps of the symmetric threeintensity decoy-state MDI-QKD protocol in detail. Here, we consider a sifting strategy which protects the protocol against the sifting attack [32]. This is so because the total number of pulses sent by Alice and Bob is fixed a priori and, moreover, the termination condition is basis independent [33]. More specifically, the steps of the protocol are as follows: 1. State preparation: The first two steps of the protocol are repeated N times, where N is a prefixed number. In each round, Alice and Bob select a basis χ ∈ {Z, X} with probabilities p Z and p X = 1 − p Z , and select an intensity setting γ j A and γ j B with j A , j B ∈ {s, v, w}, with probability p j A and p j B , respectively. Afterwards, each of them encodes a random bit in a phase-randomized WCP of the chosen intensity in the chosen basis and sends it to the untrusted relay via the quantum channel.

Measurement:
The untrusted relay is supposed to perform a Bell state measurement on the states received from Alice and Bob and then record the measurement outcomes. However, the relay can behave as Eve decides.
3. Announcement of the measurement outcome and random data post-selection: Once the N rounds of steps 1 and 2 have finished, the relay announces in which rounds he obtained successful measurements together with the corresponding measurement outcomes. For each successful measurement event, Alice selects a fictitious basis Z Ac or X Ac with probability p Z Ac and p X Ac = 1 − p Z Ac , respectively, and then she announces her fictitious basis choices. 4. Sifting: If Alice's choice is the X Ac basis, Bob announces his state preparation basis choice but Alice does not announce hers and then they discard the corresponding data. If Alice's choice is the Z Ac basis, both Alice and Bob announce their state preparation basis choices as well as their intensity settings. We denote by Z j A j B (X j A j B ) the set of indexes that identify the successful measurement events when Alice and Bob select the intensity settings γ j A and γ j B , respectively, Alice chooses the fictitious basis Z Ac , and both of them select the Z (X) basis. If the sifting conditions are satisfied for all are prefixed threshold values, Alice and Bob proceed to execute the next steps of the protocol. If the sifting conditions are not satisfied, the protocol aborts.
5. Parameter estimation: Alice and Bob estimate a lower bound, which we denote by N L click,00,ss|Z (N L click,11,ss|Z ), on the number of successful measurement events in the sifted key data set Z ss , in which both of them sent vacuum (single-photon) pulses. Also they use all the data in the sets Z k A k B and X j A j B , except that in the set Z ss , to estimate an upper bound on the single-photon phase error rate in the sifted key date set Z ss , which we denote by e U ph .
6. Information reconciliation and privacy amplification: Alice and Bob perform an error correction step for a predetermined quantum bit error rate (QBER), which we denote by E ss Z . Then Alice computes a hash of the sifted key data in Z ss by using a random universal 2 hash function [34] and sends Bob the hash value together with the hash function. Bob uses the hash function to compute a hash of his corrected sifted key data and checks if the hash value coincides with that of Alice. If both hash values coincide, this error verification step guarantees that they share identical keys after error correction except for an exponentially small probability. If this step succeeds, then they perform a privacy amplification step by applying a random universal 2 hash function to distill the final secret key.
Note that the sifting condition in Step 4 of the above protocol is only for data processing, and it is not related to the termination of the quantum communication steps, i.e., Steps 1 and 2, which is basis independent. Therefore, as indicated above, the protocol is secure against the sifting attack [33].

III. PARAMETER ESTIMATION METHOD FOR LEAKY SOURCES
In this section we present a method to estimate the relevant parameters that are required to evaluate the secret key rate formula in the presence of information leakage. For concreteness, we consider the security analysis introduced in [35], which provides a lower bound on the secret key length, , given by where is the binary Shannon entropy function. The parameter leak EC is the amount of syndrome information declared by Alice in the error correction step of the protocol, given by leak EC = |Z ss |f EC H(E ss Z ) for simplicity, where the parameter f EC is the efficiency of the error correction code. The quantities ε sec and ε cor are the secrecy and correctness parameters of the protocol, respectively, and ε ≤ 1 − ε Z,00 ε Z,11 ε ph,11 with ε Z,00 , ε Z,11 and ε ph,11 being defined as the success probabilities when estimating the quantities N L click,00,ss|Z , N L click,11,ss|Z and e U ph , respectively. In other words, ε denotes the failure probability that at least one of the estimations of N L click,00,ss|Z , N L click,11,ss|Z and e U ph is incorrect. In the following we show how to estimate the quantities N L click,00,ss|Z , N L click,11,ss|Z and e U ph in the presence of information leakage. For concreteness, we shall assume that the information leakage is due to a THA performed by an active Eve. In this THA against the MDI-QKD system, Eve separately sends bright light into Alice's and Bob's devices and then measures the back-reflected light. In so doing, she can obtain partial information about Alice's and Bob's internal settings for each experimental trial. See Fig. 1 for an illustration of Eve's THA. We remark, however, that our method is general and can be applied to analyze passive information leakage scenarios as well.
Importantly, and similar to the analysis performed in [25], a THA against the IM affects the estimation of the parameters N L click,00,ss|Z , N L click,11,ss|Z and e U ph , while a THA against the PM only influences the value of e U ph . Below, we follow the structure introduced in [25] to present the estimation method in different steps. First, we mathematically relate the expected numbers of events associated with different intensity settings in the presence of information leakage. Second, we use Azuma's inequality [36] to relate these expected numbers of events to the corresponding actual numbers of events taking into account some bounded deviation terms. These relations Bell  impose some constraints on the relevant parameters needed to evaluate Eq. (2). Note that, to use Azuma's inequality, the number of trials must be fixed a priori, i.e., before the trials start [33].
Finally, we estimate these relevant parameters given the constraints provided by the mathematical relations obtained in the previous step. This last step can be done by using, for instance, linear programming techniques [37].

A. THA against the intensity modulator
Here, we analyze a THA targeted against the intensity modulator (IM), which is used to generate decoy states. To simplify the analysis, we first consider an asymptotic scenario where Alice and Bob send an infinite number of pulses.  for different intensity settings. In particular, we consider how well she can distinguish the intensity settings γ j A and γ j B from, say, γ k A and γ k B or γ l A and γ l B in each trial, where j A , j B , k A , k B , l A , l B ∈ {s, v, w} and j A = k A , l A and j B = k B , l B . All these quantum systems are listed in Table. I.
According to the trace distance argument [24,25,38], we have that where Ω is a set of physical events that satisfies ω∈Ω P (ω) = 1, P (ω |ρ ) is the conditional probability that the event ω occurs given a state ρ, and σ γ k A l A γ k B l B ,i χ,nm corresponds to the normalized joint state of Alice's n-photon pulse and Bob's m-photon pulse when they select the intensity settings γ k A and γ k B or γ l A and γ l B , respectively, with the same basis choice χ, together with the systems E A a , E B a , E A p and E B p in the ith trial. We remark that more general cases with up to eight different combinations of intensity settings (i.e., all combinations of intensity settings except γ j A and γ j B ) could be considered here. The parameter D j A j B ,k A k B l A l B ,i χ,nm denotes the trace distance between the states and it is given by By multiplying both sides of Eq. (5) by p j A p j B p j A n p j B m and taking the sum over i = {1, 2, ..., N χ }, where N χ denotes the number of events when both Alice and Bob choose the χ basis, we obtain where Pr i (click, nm, j A j B |χ ) is the conditional probability that Alice selects the intensity setting γ j A and sends an n-photon pulse, Bob selects the intensity setting γ j B and sends an m-photon pulse, and the relay obtains a successful measurement result given that they both select the χ basis. In Eq. (6) we have used the definition The quantity Pr i (click, nm, j A j B |χ ) corresponds to the conditional expected number of events, which we shall denote by E click,nm,j A j B |χ . Then, we have that Eq. (6) can be rewritten as If we take, for instance, the particular case where l A = k A and l B = k B , then Eq. (7) can be written as: where Equivalently, Eq (8) can be written as: where the parameter Note that in the asymptotic limit where N χ → ∞, we have that the actual number of events converge to the expected number of events and therefore one can directly use the constraints given by Eq. (10).

The Finite-Key Regime
In the previous section, we have derived mathematical relations between the expected numbers of events associated with different intensity settings in the asymptotic limit. By applying Azuma's inequality [36], this analysis can be extended to the realistic regime where Alice and Bob send a finite number (N ) of pulses. For this, one can consider a virtual scenario in which Alice and Bob first decide the basis χ for each of the total N rounds. And thus the value of the quantity N χ is now fixed. To be precise, in such a fictitious scenario we perform a delayed choice of the intensity setting "after" finishing all the basis choices in the actual protocol. Therefore, N χ is fixed, and then we can use Azuma's inequality for the decoy-state method. Note that the Kraus operator acting on the ith pulse depends on all the previous intensity choices, all the basis choices and Eve's arbitrary operation that is dependent on all the announcements she made. Importantly, the trace distance argument is still valid thanks to the generality of the trace distance as well as the fact that Eve does not know Alice and Bob's intensity information for the ith pulse in advance.
According to Azuma's inequality, we have that where N χ is the actual number of trials, and N click,nm,j A j B |χ is the actual number of such events.
That is, ε j A j B χ,nm quantifies the error probability that δ j A j B χ,nm is not lower bounded by −∆ j A j B χ,nm and ε j A j B χ,nm quantifies the error probability that the parameter δ j A j B χ,nm is not upper bounded by ∆ j A j B χ,nm . Note that Azuma's inequality takes any correlation between the probabilities Pr i (click, nm, j A j B |χ ) associated with different trials into account. To simplify our notation, here we omit, however, the explicit dependence of the probabilities Pr i (click, nm, j A j B |χ ) with all the previous events, all the basis choices, and Eve's arbitrary operation that is dependent on all the announcements she made.
On the other hand, we also have that where E click,j A j B |χ denotes the expected number of events when Alice and Bob select the intensity settings γ j A and γ j B , respectively, and the relay obtains a successful measurement result given that both Alice and Bob select the χ basis in N χ trials. N click,j A j B |χ is the corresponding actual except for a small error quantifies the error probability that δ j A j B χ is not lower bounded by −∆ j A j B χ and ε j A j B χ quantifies the error probability that the parameter By combining Eqs. (11) and (13), we obtain the following equation: That is, we have that N click,j A j B |χ = ∞ n,m=0 δ j A j B χ,nm . The equations above relate the expected number of events to the corresponding actual numbers.
These equations provide linear constraints on the quantities that we want to estimate. More precisely, by combining Eqs (10) and (14) and by taking k A = k B = s, we obtain where ∆ j A j B ss χ,nm . Then, by combining Eq. (15) with Eq (13), we obtain the following linear constraints: Thus, Eq. (16) relates the actual observed quantities N click,j A j B |χ to the quantities to be estimated, N click,nm,ss|χ .
The equations above contain an infinite number of unknown variables. To numerically estimate the quantities N L click,00,ss|Z , N L click,11,ss|Z and e U ph by using linear programming techniques, we need to reduce the number of unknowns to a finite set. Due to the fact that where p j A n p j B m for any natural number S cut ≥ 0. Therefore, we obtain the following constraints: for any j A , j B ∈ {s, v, w} and j A j B = ss. Importantly, these equations now have a finite number of unknown variables.
Finally, according to Eqs. (11) and (13) where j A , j B ∈ {s, v, w} and j A j B = ss. The unknown variables in the linear program above are: The solution to the linear program above is exactly N L click,00,ss|Z , with a total error probability where are the error probabilities associated with the estimation of the bounds on The terms ε ss Z,nm andε ss Z,nm are the error probabilities associated with the estimation of the bounds on δ ss Z,nm . To estimate the parameter N L click,11,ss|Z , one can reuse the same linear program given by Eq. (19) after replacing the objective with "min N click,11,ss|Z ".
The steps to estimate the phase error rate e U ph are as follows. First, one can redo the analysis above for those "click" events in the relay which are associated with an error (see [24,25]). That is, now we focus on the quantities E error,nm,j A j B |χ which denote the expected number of events when Alice and Bob select the intensity settings γ j A and γ j B to send an n-photon pulse and an m-photon pulse, respectively, and the relay's detectors provide a click corresponding to an error given that both Alice and Bob select the χ basis. In addition, we can use the fact that 0 ≤ E error,nm, In so doing, one can obtain constraints on error events which are similar to the ones given by Eq. (18). Second, with these equations as well as the constraints given by Eq. (19) but now applied to the X basis events, one can estimate a lower bound on the number of single-photon click events when both Alice and Bob select the intensity setting γ s given that they both select the X basis, which we denote by N L click,11,ss|X , as well as an upper bound on the corresponding number of errors, N U error,11,ss|X . Note that the derivation of N L click,11,ss|X is similar to the one of N L click,11,ss|Z . For this, one can use the linear program used to estimate N L click,11,ss|Z after replacing all the parameters and variables in the Z basis with the corresponding ones in the X basis. Similarly, one can further modify the program for N L click,11,ss|X to calculate N U error,11,ss|X . Specifically, one can simply replace all the numbers of click events with those of error events. In addition, one replaces "min N click,11,ss|X " with "max N error,11,ss|X " to obtain an upper bound on N error,11,ss|X . Finally, given the values of N L click,11,ss|Z , N L click,11,ss|X and N U error,11,ss|X , one can use a random sampling argument to relate the number of errors in the single-photon events in the X basis to the number of phase errors associated with the single-photon events in the Z basis and thus estimate e U ph [27,39]. More precisely, by using Serfling's inequality [40], we obtain that except for a failure probability where the function Υ (x, y, z) is defined as Υ (x, y, z) = (x + 1) ln (z −1 ) / [2y (x + y)], and ε X, 11 and ε E X ,11 are the failure probabilities corresponding to the estimation of N L click,11,ss|X and N U error,11,ss|X , respectively.

B. THA against the phase modulator
A THA against the PM might render Alice's and Bob's output states (which now also contain Eve's systems) basis dependent. As a result, Eve might be able to learn partial information about Alice's and Bob's basis and bit value choices each given time. The security of the standard BB84 protocol with a basis-dependent flaw has been analyzed in a previous work [41] by using the idea of a quantum coin [42,43]. This idea was then generalized to phase encoding schemes for MDI-QKD where both Alice and Bob have basis-dependent flaws [44]. Here, to estimate the phase error rate in the presence of a THA against the PM, we apply the method introduced in Ref. [44] to our protocol.

The Asymptotic Limit
To simplify the analysis, let us first consider a scenario where Alice's and Bob's light sources are both ideal single-photon sources. Also, let us assume that Alice's and Bob's basis choices are random and do not depend on the IM or on previous emitted pulses. Let |Ψ i Z A,E and |Ψ i Z B,E (|Ψ i X A,E and |Ψ i X B,E ) denote the states that Alice and Bob prepare (in an equivalent entanglement-based scenario) in the Z (X) basis together with Eve's system from a THA in the ith trial of the protocol. The subscripts A, B and E denote the systems of Alice, Bob and Eve, respectively. As already mentioned, here we consider a virtual entanglement scenario where each of Alice and Bob prepares a bipartite entangled state and then measures one of the two systems to actually prepare the states that are sent to the relay. More precisely, the system A (B) above contains a virtual qubit A q (B q ) indicating Alice's (Bob's) bit value choice, and Alice's (Bob's) photonic system A p (B p ) that is sent to the relay via the quantum channel. In addition, the system A (B) could also contain an ancilla system A a (B a ) stored in Alice's (Bob's) lab to account for the loss in the transmitter. And Eve's system E corresponds to the back-reflected light from a THA.
That is, the system A ≡ A q A p A a and it is similar for B. All these quantum systems are listed in Table. II.
The state that Alice (Bob) prepares in the Z basis together with Eve's system in the ith trial of the protocol The state that Alice (Bob) prepares in the X basis together with Eve's system in the ith trial of the protocol Alice's (Bob's) photonic system that is sent to the relay via a quantum channel The phase error rate is the fictitious bit error rate that Alice and Bob would obtain if they would measure the systems A q and B q in the X basis, given that they prepared the states |Ψ i Z A,E and |Ψ i Z B,E , respectively. In order to estimate the phase error rate in the presence of information leakage from the PM, we consider a fictitious protocol where we assume that Alice and Bob meet together [44] and they decide the basis choices by measuring a so-called quantum coin [42,43].
Particularly, we assume that in the ith trial of this protocol, Alice and Bob first prepare a joint state where In Eq. (23), the first system A ba denotes a system in Alice's hands which decides whether or not Alice's and Bob's basis choices match by measuring it in the Z basis. More precisely, if she obtains the measurement outcome corresponding to |0 Z A ba (|1 Z A ba ), then Alice's and Bob's basis choices (do not) match. The relay can perform any operation on each received signal pair from Alice and Bob to decide in which rounds there will be "click" events. For each click event, the relay then performs some measurement on the received signal pair and both Alice and Bob measure their systems A q and B q in the X basis. Besides, Alice selects the Z Ac or X Ac basis with probabilities p Z Ac and p X Ac , respectively, to measure her quantum coin, denoted by the system A c in Eq. (23) in the selected basis. In Eq. (24), the system A is defined as A ≡ A p A a and the definition of the system B is similar.
After applying the Bloch sphere bound [45] to this fictitious scenario, we obtain and where Pr i (X Ac = − |click, sb, X − error, X Ac ) is the conditional probability that in the ith trial Alice's X basis measurement result on the quantum coin is '−' given that the relay obtains a successful result in his measurement device, Alice and Bob select the same basis (sb) for the state preparation, Bob's X basis measurement outcome on B q differs from that obtained by Alice when she measures her system A q in the X basis (which we call an 'X − error'), and Alice performs the X Ac basis measurement on the quantum coin. The other conditional probabilities that appear in Eqs. (25) and (26) are defined similarly.
Note that Pr i (Z Ac |click) = p Z Ac for any round 'i' and we also have Pr i (sb |click, X Ac ) = Pr i (sb |click). To relate the probabilities in Eq. (29) to the expected numbers of events, we take the sum over i ∈ {1, 2, ..., N click }, where N click is the number of click events. Due to the concavity of the square root function, we have that In Eq. (30), we have that Pr i (sb |click) = E sb|click , with E sb|click being the expected number of events where Alice and Bob select the same basis given that there is a click. Also, we have that Pr i (sb |click) Pr i (X Ac = − |click, X Ac , sb).
Note that, although in the actual protocol there is no data corresponding to the event 'X Ac = −', we can still upper bound the probability Pr i (X Ac = − |click, X Ac , sb). For this, we assume a worst-case scenario where we take the maximum value of this probability in the total number N of rounds. More precisely, we have that The detailed calculation of the probability Pr j (X Ac = − |X Ac , sb) can be found in Appendix B.
Let us denote Then Eq. (30) can be written as Eq. (34) gives the mathematical relation between the expected number of events in the asymptotic limit. Next we will explain how to extend Eq. (34) to the actual protocol in the finitekey regime by applying Azuma's inequality.

The Finite-Key Regime
Here, we apply Azuma's inequality [36] again to relate the expected numbers of events to the corresponding actual numbers of events. Let N λ denote the actual number of times that the event 'λ' occurs in N click trials.
Then Eq. (34) can be rewritten as  denotes the actual number of events where Alice and Bob both select the same basis and the intensity setting γ s and send a single photon state given that the relay obtains a successful measurement result. This replacement is allowed because in principle Alice and Bob can perform a quantum non-demolition measurement to know in which pulse each of them emits a singlephoton, and we can apply the analysis above to such instances. As long as we do not use explicity in which instance Alice and Bob emit a single-photon, which is exactly the case in our analysis, the security follows.
Then we can rewrite Eq. (35) as follows: also holds except for a small failure probability. bound or an upper bound on each of these three parameters. This means that, we need to estimate these three parameters independently. Also, we set p Z Ac as input and search for its optimal value by using a Monte Carlo method. For each given value of p Z Ac , the only unknown variable in Eq. (37) is N X−error,11,ss|Z , which can be numerically estimated by using the optimization toolbox of Matlab.

IV. SIMULATION OF THE SECRET KEY RATE
In the simulation, only for illustration purposes we assume a particular example of THA, which is shown in Fig. 2 We remark that incorporating the information leakage about the bit value is straightforward and our results remain exactly the same even if we include the information leakage about the bit value as long as the fidelities are the same, i.e., as long as the value of ∆ X Ac =− is unchanged.
In the presence of information leakage, the actual secret key length, , is bounded by where is given by Eq. (2). Here, Γ AB and Γ E denote the spaces of the parameters controlled by Alice and Bob, and by Eve, respectively. In the simulation, we assume a practically reasonable  value for the weakest decoy state, γ w = 5 × 10 −4 , and, without loss of generality, we assume that θ s = 0. The experimental parameters used in the simulations are listed in Table III.
Below we present the simulation results of the secret key rate in three practical cases within the framework of the THA described above. Each case corresponds to a particular model for the back-reflected light.
A. Case 1 In the framework of the THA considered, it is clear that the higher the intensity of the backreflected light is, the more information Eve can extract. In this first example, we evaluate a worstcase scenario, where Alice and Bob may overestimate the intensity of the back-reflected light we minimize it over the angles θ r and θ χ controlled by Eve, respectively. That is, we consider the worst-case scenario where the phases θ r and θ χ are selected such that they provide maximal information to Eve. leaked to Eve. In particular, we suppose that the intensity β r 2 is always upper bounded by a certain value I max for all r and we conservatively assume that The simulation result of the secret key rate, /N , as a function of the transmission distance between Alice and Bob in this case is shown in Fig. 3 (a)  As already observed in the finite-key analysis for decoy-state QKD [25], here we also find that in MDI-QKD Alice and Bob need to discard part of their data (on average about N p X Ac pulse pairs) to estimate the phase error rate when there is information leakage from the PM. In our simulation, we find that the optimal value of p Z Ac typically lies in the interval [0.65, 0.9]. Note that, compared to the simulation result in [25], we have that the value of p Z Ac is typically smaller in the MDI-QKD protocol, which means that MDI-QKD has to sacrifice a bigger proportion of data than in the case of the standard decoy-state QKD protocol to estimate the phase error rate.
Also, we find that MDI-QKD seems to be more sensitive to information leakage. In order to obtain a certain performance, the value of I max in MDI-QKD is much smaller than that in standard decoy-state QKD (indeed, the value of I max in MDI-QKD is roughly the square of that in standard decoy-state QKD). The main reason for this behavior is that in MDI-QKD there are two leaky sources (Alice and Bob) instead of only one leaky source as is the case in standard decoy-state QKD. Thus, to implement the MDI-QKD protocol, both Alice and Bob need to carefully isolate their devices from the external environment to guarantee the security of the system. In Fig. 3 (b), the different colored lines show the secret key rate as a function of the distance for a fixed value I max = 10 −16 and for different total numbers of transmitted pulses. Here, for simplicity, we only plot the key rates against information leakage from the IM and omit the results when there is also information leakage from the PM as they are similar to those shown in Fig. 3

(b).
That is, in this figure we can see the effect of the information leakage as a function of the number of transmitted pulses. For example, when I max = 10 −16 , the longest achievable distance is about 84 km when the total number of transmitted pulses is N = 10 15 . However, when N = 10 12 , this distance decreases to 32 km. Our results indicate that the finite-key effect has a much bigger impact on the secret key rate in the presence of information leakage [27]. The reason for this is mainly that, in order to estimate the statistical fluctuations for a finite sampling size in the presence of information leakage from the IM, our methodology relies on applying Azuma's inequality [36] to the total number of transmitted pulses. In contrast, when there is no information leakage from the IM, one can apply Azuma's inequality to the number of pulses detected. This is so because in this latter case, one can assume a counterfactual scenario where Alice and Bob select their intensity settings a posteriori, i.e., after the relay has detected the successful events. As a consequence, increases. We remark that the simulation results for the other two cases that we consider next are analogous to those of Fig. 4 and thus we omit them in the next two subsections. we minimize it over the angles θ r and θ χ controlled by Eve, respectively. That is, we consider the worst-case scenario where the phases θ r and θ χ are selected such that they provide maximal information to Eve.

B. Case 2
In the previous case, we considered a conservative scenario for Alice and Bob, where the intensity of the back-reflected light is maximal and independent of the settings of the IM. Thus, the amount of information leaked might be overestimated, which results in a relatively pessimistic lower bound on the secret key rate. However, in practice, the input light of Eve may also go through the IM. As a consequence, the back-reflected light could be modulated in the same manner as the senders' pulses during the state preparation process. In this case, we have that That is, here we assume that the maximum amount of information leakage comes from the largest intensity setting of the senders, namely I max = β s 2 . The intensity of the back-reflected light corresponding to the other intensity settings fulfills the conditions: β s 2 /β v 2 = γ s /γ v and The simulation result of the secret key rate as a function of the transmission distance between Alice and Bob when N = 10 14 and for different values of I max is shown in Fig. 5 (a). Fig. 5 (b) shows the secret key rate as a function of the distance in the presence of information leakage (with a fixed value of I max = 10 −16 ) from only the IM and for different values of N . The behavior of the curves is very similar to those in Case 1, and in the simulation we find that the optimized value of p Z Ac is similar as well. One main difference is that with the same experimental parameters the secret key rate is now a little bit higher and can go a bit further than that in Case 1. For example, when the total number of transmitted pulses is 10 14 and I max = 10 −13 , we find that the secret key is positive up to about 54 km while in Case 1 this distance is 48 km in the presence of information leakage only from the IM.

C. Case 3
In this case we consider a more favorable situation for Alice and Bob where they implement an additional step to randomize the phase of each signal going out of their transmitters including the back-reflected light to Eve. Moreover, we optimistically assume that there is no information leakage from this phase randomization step. Furthermore, we suppose that the amplitudes β k still satisfy Eq. (40) like in the previous case. Then, we have that the state of Eve's back-reflected light from the IM and the PM are given by: respectively.
This means that the information about Alice's and Bob's inner settings can only be leaked via the amplitudes of the back-reflected light but Eve cannot obtain any information from the phases.
We remark that here we consider a model which is different from the ones considered in previous works [24,25]. To be precise, in Refs. [24,25]  The simulation result of the secret key rate as a function of the transmission distance between Alice and Bob when N = 10 14 and for different values of I max is shown in Fig. 6 (a). Fig. 6 (b) shows the finite-key effect on the secret key rate as a function of the distance for a fixed value of In practice, however, Eve might also perform a THA against the phase randomization step to obtain some information about the random phase applied by Alice and Bob each given time. This will reduce the benefit of the phase randomization step. One can also analyze this last scenario with the techniques in this paper, but for simplicity we omit it here.

V. THE FOUR-INTENSITY DECOY-STATE MDI-QKD PROTOCOL
In this section, we now consider the MDI-QKD protocol introduced in [28], which has been recently implemented over a record distance of 404 km [20] (we note that the current record is 421 km [46]). In that protocol, each of Alice and Bob uses one intensity setting γ s for the Z basis states, and three intensity settings γ v , γ w and γ 0 = 0 for the X basis states. This is motivated by the fact that in order to increase the number of single-photon pulses emitted in the Z basis used for key generation, the intensity of the signal states, γ s , needs to be close to one, while in order to have a tight estimation of the relevant parameters, the intensities in the X basis used for parameter estimation need to be weak. With the four-intensity decoy-state MDI-QKD protocol, one can optimize the intensities for key generation and parameter estimation independently. The probabilities to select the corresponding intensities are p s , p v , p w and p 0 , respectively, with p s + p v +p w +p 0 = 1. Note that the probability to choose the Z basis is now p Z = p s and the probability to choose the X basis is given by p X = p v + p w + p 0 .
The security analysis of this protocol against information leakage from the IM and the PM is slightly different from that in the previous section. This is because of the following. Since now the intensity setting in the Z basis is unique and it is typically different from the intensity settings in the X basis, by analyzing the information leakage from the IM Eve can also learn partial information about the users' basis choices. Similarly, by analyzing the information leakage from the PM Eve can learn partial information about the users' intensity settings as well. That is, the information leakage from the IM and the PM of each user is now correlated. Fortunately, a general procedure to estimate the relevant parameters in this situation has already been briefly introduced in Ref. [24]. It applies the quantum coin idea to estimate the phase error rate, together with a similar "post-selection step" like that employed in [25] where Alice post-selects part of her data (with probability p Z Ac ) and discards the other part.
In what follows, for illustration purposes we consider a particular example of a THA against the correlated IM and PM performed by Eve, which is shown in Fig. 7. For comparison purposes, we use the same assumptions in this THA like those in Sec. IV. That is, we suppose that Eve sends Alice (Bob) two high intensity single-mode coherent pulses, each of which is denoted by β E e iθ E .
One of them targets the IM and the other one targets the PM. And the state of the back-reflected light from the IM has the form β r e iθr and the one from the PM is √ I max e iθχ , where r and χ refer to the intensity setting and basis choice, respectively, with r ∈ {s, v, w, 0} and χ ∈ {Z, X}.
Now, since the IM and the PM are correlated, in this THA Eve can jointly measure the states β r e iθr and √ I max e iθχ to extract partial information about both the intensity settings and the basis choices. Importantly, to have a fair comparison with the simulation results shown in Sec. IV, we assume that the amount of information leaked to Eve in both protocols is the same. That is, we assume that the intensity of the back-reflected light is equal in both cases. In addition, in this THA we assume, for example, that Eve splits the joint back-reflected light (from both the IM and the PM together, which can be described with the product state β r e iθr ⊗ √ I max e iθχ ) into two parts by means of a 50:50 beamsplitter, one part is used to learn partial information about the intensity settings and the other part is used to learn partial information about the basis choices. We remark, however, that our method to estimate the phase error rate could be applied to any strategy applied by Eve.
Note that, in general, when the IM and the PM are correlated, the yields associated with different photon number states can also depend on the bit value [24]. However, for simplicity, in the model above we assume that the back-reflected light does not carry information about the bit value. This latter case is briefly discussed in Appendix C.
A. Estimation of the parameters N L click,00,ss and N L click, 11,ss In this section, we present the procedure to estimate the parameters N L click,00,ss|Z and N L click, 11,ss|Z which are needed to evaluate the secret key rate formula given by Eq. (2). Due to the fact that in this protocol the intensity γ s is only used for the data in the Z basis, we have that N L click,00,ss|Z ≡ N L click,00,ss and N L click,11,ss|Z ≡ N L click,11,ss , where N L click,00,ss (N L click,11,ss ) is a lower bound on the number of events where Alice and Bob both select the intensity γ s and send a vacuum (singlephoton) pulse, and the relay obtains a successful measurement result. In the MDI-QKD protocol introduced in [28], the data in the Z basis is used for key distillation and the data in the X basis is used for parameter estimation, and we first estimate the quantities N L click,00,vv and N L click,11,vv , which correspond to the intensity γ v only in the X basis. For this we use the same techniques, like in the previous section, which rely on the trace distance argument among events only in the X basis.
More precisely, the quantities N L click,00,vv and N L click,11,vv can be estimated by applying similar linear programming techniques with all the sifted data in the X basis as what has been done in Sec. III A. single-mode coherent pulses, each of which is denoted by β E e iθE . One of them targets the IM and the other one targets the PM. We further assume for simplicity that the back-reflected light from the IM and the PM to Eve is in a product state of two coherent states. One comes from the IM, which we denote by β r e iθr , and the other comes from the PM, which has the form √ I max e iθχ , where r and χ refer to the intensity setting and basis choice, respectively, with r ∈ {s, v, w, 0} and χ ∈ {Z, X} for the MDI-QKD protocol introduced in [28]. In addition, for simplicity, we assume that Eve splits the joint back-reflected light (from both the IM and the PM together) into two parts by means of a 50:50 beamsplitter, one part is used to learn partial information about the intensity settings and the other part is used to learn partial information about the basis choices.
This analysis is valid because we can imagine a fictitious delayed measurement scenario in which Alice and Bob determine the basis first, and then for the events where both of them use the X basis, Alice and Bob start to choose the intensity settings. Note that since this estimation only involves events in the X basis, it is not affected by the information leakage from the PM. Next, we can relate these two quantities to the parameters N L click,00,ss and N L click,11,ss , respectively, by using the trace distance argument between the X and Z basis states. For example, in Eqs. (6)-(8) if we focus on the total number of events N instead of on the N χ events where both Alice and Bob select the χ basis and take n = m = 0, j A = j B = s and k A = k B = v, we have that where E click,00,vv is the expected number of events where both Alice and Bob select the intensity setting γ v and send a vacuum pulse and the relay obtains a successful event. Note that, E click,00,vv ≡ E click,00,vv|X as the intensity setting γ v is only selected in the X basis. The quantity E click,00,ss is defined in an analogous way and it is equal to E click,00,ss|Z . The deviation term ) being the normalized joint state of both Alice's and Bob's vacuum pulses when they both select the intensity setting γ v (γ s ) together with the systems E A a , E B a , E A p , E B p in the ith trial. The definitions of E A a , E B a , E A p and E B p are the same as those of Sec. III A. Next we apply Azuma's inequality to Eq. (42) and obtain where the parameter δ ss 00 denotes the deviation term between E click,00,ss and N click,00,ss and it can be bounded by [−∆ ss 00 , ∆ ss 00 ] except for a small error probability ε ss 00 + ε ss 00 . The bounds are given by ∆ ss 00 = f (N, ε ss 00 ) and ∆ ss 00 = f (N, ε ss 00 ), and the parameter δ vv 00 denotes the deviation term between E click,00,vv and N click,00,vv and it can be bounded by [−∆ vv 00 , ∆ vv 00 ] except for a small error probability ε vv 00 + ε vv 00 . The bounds are given by ∆ vv 00 = f (N, ε vv 00 ) and ∆ vv 00 = f (N, ε vv 00 ). In this way, given the quantity N L click,00,vv , we can estimate N L click,00,ss according to Eq. (44). Note that, in general, one could alternatively first estimate all N L click,00,kl for k, l ∈ {v, w, 0} by using the linear programming method. Then by performing the trace distance argument, one obtains E click,00,ss − k,l q 00,kl E click,00,kl ≤ D ss, kl 00 , with k, l ∈ {v, w, 0}, where q 00,kl is the normalization probability given by q 00,kl = In so doing, and after applying Azuma's inequality in Eq. (45), one can relate N L click,00,ss to all N L click,00,kl for k, l ∈ {v, w, 0} in a similar way like Eq. (44). Finally, one can derive N L click,00,ss from the estimations of all the quantities N L click,00,kl . However, our simulations suggest that the improvement obtained when estimating N L click,00,ss with this general method is negligible compared to the simpler method given by Eq. (44). Thus, in the following we use Eq. (44) to obtain N L click,00,ss from N L click,00,vv . Similarly, if we focus on the total number of events, N , and take n = m = 1, j A = j B = s and k A = k B = v in Eqs. (6)-(8), we can estimate the quantity N L click,11,ss by following the same procedure explained above. We omit the explicit calculations here for simplicity.

B. Estimation of the parameter e U ph
To apply the idea of the quantum coin, we need to determine the form of the joint state prepared by Alice and Bob together with Eve's systems in a virtual scenario. To be precise, we shall consider a virtual single-photon scenario, where we assume that Alice and Bob meet together and follow the procedure introduced in [44]. That is, they prepare a joint state in each round of the protocol, which has the form [44]: where the system A ba denotes a system in Alice's hands which decides whether or not Alice's and Bob's basis choices match by measuring it in the Z basis. The system A c denotes Alice's quantum coin and this system determines her basis choice by measuring it in the Z basis. The system A q (B q ) denotes a virtual qubit, which contains Alice's (Bob's) bit value choice, the system A p (B p ) represents Alice's (Bob's) single-photon system that she (he) sends to the relay via the quantum channel, the system A a (B a ) denotes an ancilla system stored in Alice's (Bob's) lab to account for the loss in the transmitter, and the system A int (B int ) denotes a virtual system which decides Alice's (Bob's) intensity setting choice. E IM and E PM , on the other hand, denote the systems corresponding to the back-reflected light to Eve from the IM and the PM, respectively, together with the systems E A a and E B a in Eve's hands. In this virtual protocol, the relay can perform any operation on each received signal pair from Alice and Bob to decide in which rounds there will be 'click' events (i.e., successful measurement results with the notation used in this paper). For each click event, the relay then performs some measurement on the received signal pair and both Alice and Bob measure their systems A q and B q in the X basis. Besides, Alice selects the Z Ac or X Ac basis with probabilities p Z Ac and p X Ac , respectively, to measure her quantum coin in the selected basis.
In general, we have that the states prepared by Alice for the Z and X bases are given by where |0 Z Aq , |1 Z Aq and |0 X Aq , |1 X Aq are the states of the virtual qubits which Alice measures in the Z or X basis, respectively, to prepare a state with a particular bit value. Φ γ k A int is the virtual state that determines the intensity setting choice k with k ∈ {s, v, w}. It holds that where N 11,ss+vv|click = N click,11,ss + N click,11,vv . The quantity N X−error,11,ss|Z is the actual number of phase errors, which can be numerically estimated by using a similar method as that explained in Sec. III B 2 and δ X−error,11,ss|Z is the deviation term when using Azuma's inequality to estimate it.
Note, however, that the value of ∆ X Ac =− is now different. To calculate ∆ X Ac =− we apply

C. Simulation
The lower bound on the length of the secret key is given by Eq. (2). Let Γ AB and Γ E denote the spaces of the parameters controlled by Alice and Bob, and by Eve, respectively. In the simulation, we assume, without loss of generality, that θ 0 = 0. Also, we assume that Eve's back-reflected light from the PM only depends on the basis information like we did in Sec. IV. In this case, we use the following equation to replace Eq. (47) to calculate the quantity ∆ X Ac =− in the simulation: The states described by Eq. (50) correspond to the case illustrated in Fig. 7.
Note that since the information leakage from the IM and the PM is correlated, in the following figures, we plot the secret key rates in the presence of information leakage from both the IM and  The simulation result of the secret key rate, /N , as a function of the transmission distance between Alice and Bob in this case is shown in Fig. 8 (a) Imax=10  -13 ,3-int   Imax=10  -16 ,3-int   Imax=10 -20 ,3-int   Imax=10  -13 ,4-int   Imax=10  -16 ,4-int   Imax=10 - To further compare the effect of the information leakage on the secret key rate in the two MDI-QKD protocols that we consider, we plot the the ratio ( Imax>0 / Imax=0 ) between the secret key rates for different positive values of information leakage, I max , and the secret key rate when there is no information leakage, i.e., I max = 0, given a fixed total number of transmitted pulses, say, N = 10 14 in Fig. 9. The solid and dotted lines represent the ratios in the symmetric three-intensity decoy-state MDI-QKD protocol and in the four-intensity decoy-state MDI-QKD protocol, respectively. In the following, for simplicity, let us denote these two protocols by '3int' and '4-int', respectively. The result in Fig. 9 indicates that when the amount of information leakage is small enough, for instance, I max = 10 −20 , the impact of the information leakage on the 3-int protocol is smaller than that on the 4-int protocol as the green solid line is always above the green dotted line. However, the key rate ratio drops much faster as the amount of information leakage increases in the 3-int protocol than that in the 4-int protocol. From Fig. 9, we find that when I max = 10 −16 and I max = 10 −13 , the ratio in the 4-int protocol is bigger than that in the 3-int protocol. That is, when I max increases, the effect of information leakage becomes more relevant on the 3-int protocol than that on the 4-int protocol given a fixed total number of transmitted pulses.
The intuition for this behaviour could be the following: From Figs. 2 and 7, we can see that the back-reflected light from the PM is the same for the 3-int and 4-int protocol. Now suppose that in the 4-int protocol Eve measures the back-reflected light from the IM and the PM independently instead of splitting the back-reflected light with a 50:50 BS. Then she learns the same information from the PM in both protocols. However, it may be more difficult for Eve to learn the information from the IM in the 4-int protocol than in the 3-int protocol because she needs to distinguish between four states in the former but she only needs to distinguish between three states in the latter. In this case, the 4-int protocol is more robust against information leakage than the 3-int protocol for all values of I max . Nevertheless, if Eve exploits the correlations between the backreflected light from the IM and the PM, then which protocol is more robust seems to depend on the value of I max . In addition, note that the results illustrated in Fig. 9 consider the case where Eve splits the back-reflected light with a 50:50 BS, which might not be the optimal option for the example of THAs evaluated.

Case 2
The simulation result of the secret key rate as a function of the transmission distance between Alice and Bob when N = 10 14 and for different values of I max is shown in Fig. 10 (a). Fig. 10 (b) shows the secret key rate as a function of the distance for a fixed value of I max = 10 −16 and different values of N . The behavior of the curves is very similar to those in case 1, and in the simulation we find that the optimized value of p Z Ac is also similar. One main difference is that with the same experimental parameters (see Table. III) the secret key rate is a little higher and the achievable distance is a little longer than those in Case 1. For example, when the total number of transmitted pulses is N = 10 14 and I max = 10 −13 , now we find that the secret key is positive up to about 57 km while in Case 1 this distance is 52 km.
Here we omit the comparison of the key rate ratios between the two protocols as the result in this case is similar to that shown in Fig. (9). And for the same reason, we omit such comparison in Case 3 as well. our simulations, for each value of the distance we maximize the secret key rate over the amplitudes γ s , γ v and γ w , and the probabilities p ZA c , p s , p v and p w which are controlled by Alice and Bob, and we minimize it over the angles θ r , θ Z and θ X controlled by Eve, respectively.

Case 3
The simulation result of the secret key rate as a function of the transmission distance between Alice and Bob when N = 10 14 and for different values of I max is shown in Fig. 11 (a). Fig. 11 (b) shows the finite-key effect on the secret key rate as a function of the distance for a fixed value of I max = 10 −8 and for different values of N . Here, we find that the typical interval that

VI. CONCLUSION AND DISCUSSION
In this paper, we have quantitatively analyzed the security of two decoy-state MDI-QKD protocols with leaky sources in the finite-key regime. Specially, we have simulated the secret key rate under three particular examples of THA, where Eve sends coherent pulses of light to probe the intensity modulators and phase modulators of the legitimate parties. Similar to the analysis presented in [25], we have introduced an additional post-processing step in the actual protocol where Alice and Bob sacrifice part of their data. This step is necessary for the security proof to go through. Our simulation results suggest that MDI-QKD is more sensitive to information leakage than standard decoy-state QKD, but is possible to distill secure keys from leaky sources within a reasonable time frame of signal transmission given that Alice's and Bob's sources are sufficiently isolated. Furthermore, we have found that when the amount of information leakage is small enough, the effect of information leakage has a bigger impact on the fourintensity decoy-state MDI-QKD protocol than on the symmetric three-intensity decoy-state MDI-QKD protocol. However, when the amount of information leakage increases, the four-intensity MDI-QKD protocol becomes more robust against information leakage than the symmetric three-intensity MDI-QKD protocol.
In this context it would be interesting to consider a stronger THA, where Eve sends entangled probe states to Alice's and Bob's sources instead of sending them independent bright pulses. In this scenario, by performing a joint measurement on the outgoing states as well as on her ancilla system, Eve might be able to extract more information about Alice's and Bob's internal settings than what has been presented in this paper. This scenario, however, is beyond the scope of this work but could be evaluated with the techniques that have been introduced in this paper.
Acknowledgments-This work was supported by the Galician Regional Government, For simplicity, we assume that there is no quantum correlation between Alice's (Bob's) and Eve's systems [25]. As a result, the parameter D j A j B ,ss Z,nm does not depend on the basis Z nor on the photon number n, m. Therefore, we shall denote it by D j A j B ,ss . Below we show the values of D j A j B ,ss for the three different cases considered in the simulation. The detailed calculations are similar to those in [24].

Case 2
In this case, we have that D j A j B ,ss = 1 − β j A e iθ j A |β s e iθs × β j B e iθ j B |β s e iθs 2

Case 3
In this last case, we further assume that the following constraints hold: I max ≤ log2 and γ w ≤ γ v ≤ γ s for any P cut ≥ 1. According to the definition of the states given by Eq. (41), it turns out that D j A j B ,ss is given by for any P cut ≥ 0.

Four-intensity MDI-QKD protocol
In this section, we present the trace distance parameters for the four-intensity MDI-QKD protocol. We make the same assumptions as those in the previous section. The only difference comes from the fact that now the back-reflected light from the PM also contributes to the trace distance parameters. In particular, we obtain the following results in the three cases.

Case 1
In this case, D j A j B ,ss is given by