Optimized protocol for twin-field quantum key distribution

Twin-field quantum key distribution (TF-QKD) and its variant protocols are highly attractive due to the advantage of overcoming the rate-loss limit for secret key rates of point-to-point QKD protocols. For variations of TF-QKD, the key point to ensure security is switching randomly between a code mode and a test mode. Among all TF-QKD protocols, their code modes are very different, e.g. modulating continuous phases, modulating only two opposite phases, and sending or not sending signal pulses. Here we show that, by discretizing the number of global phases in the code mode, we can give a unified view on the first two types of TF-QKD protocols, and demonstrate that increasing the number of discrete phases extends the achievable distance, and as a trade-off, lowers the secret key rate at short distances due to the phase post-selection. Quantum key distribution is a method to enable secure communication between two parties and prevent an eavesdropper from stealing information. Here, the authors use twin-field quantum key distribution combined with discrete phase randomisation to improve on the distance at which secure communication can be achieved.


Q
uantum key distribution (QKD) 1,2 provides two distant parties (Alice and Bob) with a secure random bit string against any eavesdropper (Eve) guaranteed by the law of quantum mechanics.During the past three decades, QKD has rapidly developed both in theory and experiment [3][4][5][6][7] , and it is on the way to a wide range of implementation.Among all QKD experiments before, without quantum repeaters, the maximum key rates are bounded with respect to the channel transmittance η, defined as the probability for an effective detector click caused by a transmitted photon.So, one of the crucial tasks for the theorists is to find the maximum key rate achievable under ideal implementation (based on perfect single-photon sources, pure-loss channels, perfect detectors, perfect post-processing, and so on).With the aim of finding an upper bound of secret key rate, the theorists have provided several answers [8][9][10] .The recent work has provided the fundamental limit called Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound 10 , which establishes that the secret key rate without quantum repeaters must satisfy R ≤ −log(1 − η).
Remarkably, the twin-field (TF)-QKD protocol, proposed by Lucamarini et al. 11 , is capable of overcoming this PLOB bound with some restrictions on Eve's strategies, which is mainly attributed to the single-photon interferometric measurement at the third untrusted party Eve.In other words, a single photon that came from either Alice or Bob interferes at Eve's beam splitter and clicks the detector, which means that generating a secret key bears a unilateral transmission loss.Because of this dramatic breakthrough, a variant of TF-QKD protocols have been proposed consequentially [12][13][14][15][16][17] and some protocols have been demonstrated experimentally [18][19][20][21][22] .For variant TF-QKD protocols, the key idea to ensure the security is switching probabilistically between a code mode and a test mode, where the former is for key generation, and the latter is for parameter estimation 17 .Among all TF-QKD protocols, their code modes are very different, e.g., modulating continuous phases 11,12 , modulating only two opposite phases [14][15][16] , and sending or not sending signal pulses 13 .The code modes of the first two kinds are similar in some sense.Intuitively, they may be explained by a unified view.
Interestingly, by discretizing the global phases of Alice and Bob's emitted pulses in the code mode, we can give a unified view on two kinds of TF-QKD protocols 11,12,[14][15][16] .Specifically, Alice and Bob encode classical bit 0, 1 into phases 0, π of a coherent state, respectively, then randomize them by adding a phase chosen randomly 0, π/M, 2π/M, …, (M − 1)π/M.According to whether or not to perform phase post-selection in the test mode, we introduce two protocols.To prove their security, we establish a universal framework against collective attacks, which can be extended to robust against coherent attacks 23 with the technique in ref. 24 .The security analysis indicates that increasing the number of discrete phases can extend the achievable distance but lower the secret key rate at short distances due to the phase postselection.Furthermore, simulation results show that a small number of random phases (say M = 2) may be the best choice for practical implementations.

Results
We first describe details of our proposed TF-QKD protocols that have discrete phase randomization in the code mode, and the schematic set-up is shown in Fig. 1.
Protocol I Step 1. Alice and Bob randomly choose code mode or test mode in each trial.
Step 2. If a code mode is selected, Alice (Bob) randomly generates a key bit k a (k b ) and a random number x (y) and then prepares the coherent state ), where β a (β b ) is randomly chosen from a pre-decided set.
Step 3. Alice and Bob send their quantum states to the untrusted receiver Eve.For each trial, only three outcomes are acceptable, which are "Only detector L clicks", "Only detector R clicks", and "No detectors click", and Eve announces one of these outcomes.Note that the outcome "Both detectors L and R click" is considered as "No detectors click".
Step 4. Alice and Bob repeat the above steps many times.For the successful detection outcomes (only detector L or R clicks), Alice and Bob publicly announce which trials are the code modes and which trials are the test modes.For each successful trial in the code mode, Alice and Bob announce their x and y, and keep k a , k b as their raw key if x = y.Moreover, Bob should flip his key k b if Eve announces "Only detector R clicks".
Step 5.For each trial that both Alice and Bob select test mode, Alice and Bob announce β a with random phase ϕ a and β b with random phase ϕ b , and only keep the trial that β a = β b and |ϕ a − ϕ b | = 0 or π.
Step 6. Alice and Bob perform information reconciliation and privacy amplification to extract the final secure keys.
For the simplicity in experiments, we can remove post-selection in the test mode, and the simplified protocol runs as follows.
Protocol II Step 1. Same as Protocol I.
Step 2. Same as Protocol I.
Step 3. Alice and Bob send their quantum states to the untrusted receiver Eve.For each trial, only three outcomes are acceptable, which are "Only detector L clicks", "Only detector R clicks", and "No detectors click".Note that, the outcome "Both detectors L and R click" is considered as "No detectors click" in the code mode and is considered as only detector L or R clicks with equal probability in the test mode.Consequentially, Eve announces one of these outcomes.
Step 4. Alice and Bob repeat the above steps many times.For the successful detection outcomes (only detector L or R clicks), Alice and Bob publicly announce which trials are the code modes and which trials are the test modes.For each successful trial in the code mode, Alice and Bob announce their x and y, and keep k a , k b as their raw key if x = y.Moreover, Bob should flip his key k b if Eve announces "Only detector R clicks".; β 1 e iϕ 1 ; ; β k e iϕ k g.After interference at beam splitter (BS) and detector click on Eve's side, she announces the outcome.More detailed explanation can be found in protocol descriptions.
Step 5.For each trial that both Alice and Bob select the test mode, the yield Y l,k , probability of Eve announcing the successful outcome provided Alice emits l-photon state and Bob emits kphoton state, can be estimated.
Step 6. Same as Protocol I.
Our security proof is based on Devetak-Winter's bound 25 , concretely, bounding the information leakage I AE .Thus the secret key rate is given by where Q is the counting rate, 1/M is the shifting factor, e is the error rate, and f is the error correction efficiency.By applying infinite decoy states [26][27][28][29] in the test mode, we can simulate the performance of our two protocols with different M. The simulation parameters are given in Table 1.For Protocol I, we present the numerical simulations of secret key rate in Fig. 2 and the maximal channel loss in Table 2.If we remove the sifting efficiency, the limitary channel loss with M → ∞ is 81.5 dB as shown in Table 2.According to Fig. 2 and Table 2, it is sufficient to apply TF-QKD with M = 2, which almost reaches the theoretical limit channel loss.Analogously, for Protocol II, we get simulation results comparable to those of Protocol I, and we show the secret key rate in Fig. 3 and the theoretical limit channel loss in Table 3.
When removing the sifting factor, the maximal channel loss of Protocol II with M → ∞ is 75.8 dB.In addition, one may refer to "Methods" section and Fig. 4 for the cases with finite decoy states.
When we compare Protocol I with Protocol II, the latter one does not require post-selection in the test mode; as a trade-off, the maximal channel loss will be lower.Here we consider the relationship with several varietal TF-QKD protocols 12,[14][15][16] .When M → ∞, Protocol I is exactly the phase matching QKD 12 if we relax the post-selection condition |ϕ a − ϕ b | = 0 or π and add a corresponding sifting factor.When M = 1, Protocol II is the      same as [14][15][16] in the code mode, the difference is the way to estimate the information leakage or the "phase error".To some extent, our proposed TF-QKD protocols with discrete phase randomization in code mode cover the four varietal TF-QKD protocols above.

Discussion
In summary, we have introduced a variant TF-QKD with discrete phase randomization in the code mode and proven its security in asymptotic scenarios.Our protocol can be viewed as a generalization of the four varietal TF-QKD protocols 12,[14][15][16] to some extent.The security proof discloses that the transmission distance becomes longer with M exponentially increasing; as a trade-off, the secret key rate is lower at short distances.As a result, the transmission distance reaches a limitation when M tends to infinity.Numerical simulations show that it is sufficient to apply TF-QKD with M = 2, for it almost reaches the limitary transmission distance at the cost of about half of secret key rate, compared with the case of M = 1, at short distance.Furthermore, post-selection in the test mode is not convenient in experiment, thus we remove it to make experiments simpler in a modified protocol.We find that the removal of post-selection in the test mode has very limited influence on the secret key rate and achievable distance.Our findings expect that TF-QKD can be run with optimal phase randomization actively, i.e., at short distance one can simply bypass phase randomization, while a phase randomization of 0 or π/2 is sufficient at the long distance case.
During the preparation of this paper, we found that Primaatmaja et al. 30 proposed an open question that if coding phases in TF-QKD under different bases, which is quite similar to our idea of phase discrete randomization, can improve secret key rate significantly.Their open question is answered by our finding that M = 2 is almost optimal in some sense.

Methods
Security proof.Here we present security proof Protocol I. First, we analyze the composite states shared by Alice and Bob when they both select the test mode.In the case of β a = β b = β and ϕ a = ϕ b = ϕ, the composite state of Alice and Bob can be written as where the fock state is defined as and the probability is given by where μ = |β| 2 is the light intensity.In the case of β a = β b = β and ϕ a = ϕ b + π(mod 2π) = ϕ, the composite state of Alice and Bob can be written as where the fock state is defined as In what follows, we concentrate on bounding Eve's Holevo information.Eve's general collective attack can be given by where state e j i E is Eve's ancilla.Then Eve is supposed to announce one of legal outcomes "Only detector L clicks", "Only detector R clicks", and "No detectors click" determined by her measurement results " L j i", " R j i", and " N j i", respectively.In the case of β a = β b and ϕ a = ϕ b , jγ L n;þ i, jγ R n;þ i, and jγ N n;þ i are some arbitrary quantum states referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.
the yields referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.Similarly, in the case of β a = β b and |ϕ a − ϕ b | = π, jγ L n;À i, jγ R n;À i, and kγ N n;À i are some arbitrary quantum states referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.Y L n;À , Y R n;À , and À ¼ 1 are the yields referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.
Without loss of generality, we first consider the secret key rate when her measurement result is " L j i".When Alice and Bob both select the code mode, the initial prepared state αe iðk a þ x M Þπ and jαe iðk b þ y M Þπ i, with matched-basis trials x = y, can be given by For the sake of simplicity, we define unnormalized states where j ∈ {0, 1, 2, …, 2M − 1}.We also define other unnormalized states After Eve's attack according to Eq. ( 7) and her announcing " L j i," Alice and Bob keep trials only if x = y.Thus the unnormalized state of Eve conditioned on Alice's classical bit can be given by where Pf x j ig ¼ x j i x h j.The probability of Alice obtaining a shifted key (x = y) in a code mode when Eve announces " L j i" is and correspondingly an error click occurs if k a ⊕ k b = 1, thus the error rate of shifted key (x = y) is given by Thanks to the strong subadditivity of von Neumann entropy (the detailed derivation of how we apply the strong subadditivity is in the Appendix A of ref. 31 ), Eve's Holevo information with her announcing " L j i" is given by where HðxÞ ¼ Àx log 2 x À ð1 À xÞlog 2 ð1 À xÞ is binary Shannon entropy and the second inequality holds due to Jensen's inequality.For each trial that x = y and Eve announces " L j i", the secret key rate is given by where f is error correction efficiency.What we need to do next is to calculate the average secret key rate for different x when Eve announces " L j i." Without considering the sifting factor, the average secret key rate when Eve announces " L j i" We use Q L to denote the average gain and e L to denote the average error rate of shifted key, which are written as Thanks to the concavity of binary Shannon entropy, we utilize Jensen's inequality to minimize R L .For the second term of Eq. ( 16) on the right, we have The condition for equality of Eq. ( 18) is that e L Similarly, for the third term of Eq. ( 16) on the right, we have Here we define . Consequently, we have Similarly, when Eve's measurement result is " R j i", the analysis of secret key rate is almost the same with the ones when she announces " L j i".Thus the secret key rate when Eve announces " R j i" is given by where I R AE is given by The trials when Eve's measurement result is " N j i" will not contribute to the secret key.Thus the total secret key rate is R = R L + R R .The total gain and the total error rate of shifted key are given by In order to find the lower bound of the total secret key rate R, we apply the Jensen's inequality to the estimation items in Eqs. ( 15) and ( 21), and we can get where the equality holds when e L = e R = e and where we define Consequently, the total secret key rate formula can be expressed by where 1/M is the shifting factor.And the problem of finding the lower bound of the total secret key rate can be converted into finding the upper bound of I AE , Simulation.In this section, we simulate the performance of our TF-QKD protocols, and the simulation method is very similar to Ma et al. 12 .Ideally, for Protocol I, Alice and Bob can estimate Y L=R n; ± precisely by infinite decoy-state method.We assume that the total efficiency of channels and detectors is η, dark counting rate of single photon detectors is d per trial, the optical misalignment is e mis , and the mean photon number of each pulse emitted by Alice and Bob is μ.The counting rate is given by and the error rate is Applying infinite decoy states, Y L=R n; ± can be given by We define Thanks to Cauchy inequality, we have Thus we can get an equivalent upper bound of I AE given by The security proof of Protocol II is almost the same as Protocol I.In Protocol II, Eve's general collective attack is given by where l; k j i AB represents the photon-number base prepared by Alice and Bob, jγ L l;k i, jγ R l;k i, and jγ N l;k i are some arbitrary quantum states referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.Besides, Y L l;k , Y R l;k , and the yields referring to Eve's measurement results " L j i", " R j i", and " N j i", respectively.Compared to the expression of Eve's general collective attack in Protocol I, it can be argued that the general collective attack is actually the same as Protocol I if we set ffiffiffiffiffiffiffiffiffiffiffiffiffiffi ffi Consequently, applying the security proof method to Protocol II, we find that the expression of the upper bound of I AE is same as the one of Protocol I.In Protocol II, for removing phase post-selection, we estimate the yield Y l,k rather than Y n to bound X 2M + 2j .Combining Eqs. ( 9) and (36), we obtain where even and odd are the assembles referring to even number set and odd number set, respectively.Similar to Eq. (33), by utilizing Cauchy inequality, we have Thus we have obtained the upper bound of X 2M+2j given as follows Briefly, the upper bound of I AE in Protocol II is given by, For the sake of analyzing the upper bound of I AE with the increase of M, we define the upper bound of P MÀ1 j¼0 X 2Mþ2j as a function of positive integer M, which is given by FðMÞ As binary Shannon entropy H(x) increases when 0 ≤ x ≤ 1/2 and decreases when 1/2 ≤ x ≤ 1, it is sufficient to consider the case of F(M) ≤ Q/2.It can be proven that where N is a positive integer.In order to prove Eq. ( 43), we rewrite Eq. (42) as follows

GðMÞ
where we denote F(M) and ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi P 2Mnþ2j Y 2Mnþ2j p as G(M) and A 2Mn+2j , respectively.For A 2Mn+2j is absolutely a nonnegative term, we have where the inequality holds because of the nonnegative cross term P MÀ1 j≠j 0 ð where we use subscript k instead of Nj þ j 0 .The nonnegative cross term vanishes when M → ∞, then we have Thus we have proven Eq. ( 43).Then we obtain that the upper bound of I AE decreases with M exponentially increasing.In other words, the achievable distance becomes longer as M exponentially increases.As a result, the achievable distance comes to a limitation when M tends to infinity.
Finite-decoy method for Protocol II with M = 2.As Protocol II does not require phase post-selection in the test mode, it is more practical than Protocol I.For Protocol II, it almost reaches the limitary transmission distance with M = 2 shown in Table 3, thus it is interesting and necessary to consider applying finite-decoy states in the test mode.

Fig. 1
Fig. 1 Schematic set-up of our twin-field quantum key distribution protocols.In each trial, Alice and Bob randomly choose code mode and test mode and send their quantum states to the untrusted receiver Eve.If a code mode is selected, Alice (Bob) prepares coherent state chosen from fjαe ik aðbÞ π i; jαe iðk aðbÞ þ 1 M Þπ i; ; jαe iðk aðbÞ þ MÀ1 M Þπ ig.If a test mode is selected, Alice (Bob) prepares coherent state chosen from f β 0 e iϕ 0; β 1 e iϕ 1 ; ; β k e iϕ k g.After interference at beam splitter (BS) and detector click on Eve's side, she announces the outcome.More detailed explanation can be found in protocol descriptions.

Fig. 2
Fig.2Secret key rate R versus channel loss for Protocol I.The curves represent the secure key rate of twin-field quantum key distribution protocol for M = 1, M = 2, and M = 4 (M is the number of random phases) and the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound, respectively.We do not show the case of M → ∞ because the key rate tends to 0.

Fig. 3
Fig.3Secret key rate R versus channel loss for Protocol II.The curves represent the secure key rate of twin-field quantum key distribution protocol for M = 1, M = 2, and M = 4 (M is the number of random phases) and the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound, respectively.We do not show the case of M → ∞ because the key rate tends to 0.

Fig. 4
Fig.4 Secret key rate R versus channel loss for Protocol II with M = 2 (M is the number of random phases).The curves represent the secure key rate in the case of infinite intensities, three intensities, and the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound, respectively.
When finite-decoy states are implemented, finding the upper bound of I AE is equivalent to the following optimized problem Max : Y l;k ≤ Q μ a μ b ≤

Table 2
The maximal channel loss for Protocol I with different M.

Table 3
The maximal channel loss with Protocol II different M.