Quantum key distribution with prepare-and-measure Bell test

The prepare-and-measure quantum key distribution (QKD) has the merits of fast speed, high key generation rate, and easy implementation. However, the detector side channel attacks greatly undermine the security of the key bits. The eavesdropper, Eve, exploits the flaws of the detectors to obtain illegal information without violating quantum principles. It means that she can intervene in the communication without being detected. A prepare-and-measure Bell test protocol will be proposed. By randomly carrying out Bell test at the side of the information receiver, Bob, Eve’s illegal information gain within the detector side channel attack can be well bounded. This protocol does not require any improvement on the detectors used in available prepare-and-measure QKD. Though we only illustrate its application in the BB84 protocol, it is applicable for any prepare-and-measure QKD.

measurement settings to measure their incoming photons. The binarily possible measurement outcomes obtained from the measurement settings are assigned with − 1 and 1. Alice and Bob use their basis choices and measurement outcomes to calculate the CHSH polynomial 37 Here 〈 A i 〉 , 〈 B j 〉 are the average values generated on A i and B j , with i, j ∈ {1, 2}. In local hidden variable theory and classical physics, the measurement outcomes at Alice's side cannot be affected by those at Bob's side. Similarly, the measurement outcomes at Bob's side cannot be affected by those at Alice's side, namely, the relation 〈 A i B j 〉 = 〈 A i 〉 〈 B j 〉 obeys 41 . Because − 1 ≤ 〈 A i 〉 ≤ 1 and − 1 ≤ 〈 B j 〉 ≤ 1 should be satisfied, S CHSH varies from − 2 to 2. Quantum-mechanically, its lower bound and upper bound are −2 2 and 2 2 , respectively 42 . Now that the Bell violation has been obtained with loophole-free Bell test [38][39][40] , the lhv theory does not need to be considered. If the experiment is not artificially controlled, Bell violation certifies the existence of entanglement.
Suppose that the entangled photon pair generated from the PDC source is encoded with Φ = + + ( 00 1 1 ) AB AB AB 1 2 , where the subscripts A and B denote Photon A and Photon B, respectively. After the photon pairs generated from the PDC source, Photon A is distributed to Alice, while Photon B is sent to Bob. In order to maximize the Bell violation, confinements are put on their basis choices. Without loss of any generality, one can assume that σ ≡Â , the state on Photon B should correlate with what Alice obtains in her measurement. The same correlation can also be obtained with prepare-and-measure procedure: Suppose that single photon is generated from Alice's source. She randomly chooses the rectilinear basis σ z or the diagonal basis σ x , together with random bit value − 1 or 1, to prepare Photon B. Before Photon B is measured, its state correlates with the state chosen by Alice.
If Alice's basis choices and bit value choices on Photon B are totally random, the item 〈 A 1 B 1 〉 in (1) can be calculated as Similarly, one can obtain . It is the same as that when the entangled state Φ + AB is used. This is because the correlations between the state on Photon B and that of Alice are the same in these two cases.

BB84 protocol with the prepare-and-measure Bell test
The BB84 protocol is a prepare-and-measure QKD protocol. Alice prepares the state on Photon B and transfers it to Bob. Bob measures it in randomly chosen basis to read its state. The states |0〉 B and |+ 〉 B are used to encode the bit value 0, while the states |1〉 B and |− 〉 B are used to encode the bit value 1 (Here the definitions of the bit values in the quantum key distribution and those of the Bell test are different).
The prepare-and-measure BB84 protocol is characterized as follows: (a) N single photons are generated in Alice's laboratory. She randomly chooses between the diagonal basis σ =Â (b′ ) When Bob chooses the signal mode, Alice and Bob publish their measurement bases through the public channel. They keep their measurement outcomes in the same bases as the sifted key bits.
(b″ ) When Bob chooses the test mode, Alice and Bob announce their basis choices and measurement outcomes through the public channel to calculate the value of S CHSH .
(c) After the key distribution, Alice and Bob implement error correction (EC) and privacy amplification (PA) on their sift key bits. If secure key bits can be generated, their key distribution task is fulfilled. Or else, their task is failed.
Because Alice randomly chooses her basis and bit values on Photon B, the state on it is for any third party. The state is uniformly prepared in the conjugated bases. Eve cannot differentiate which state is prepared. If she carries out state distinguishing task on the photon, disturbance must be introduced 43,44 . Without loss of any generality, one can assume that Eve interacts on Photon B with a probe. If the interaction between the probe and Photon B can be characterized as a unitary process, one can obtain Here |E〉 is the blank state on Eve's probe. f and e correspond to the probability that the state on Photon B is intact and the probability that the state on Photon B is changed, respectively. It means that Eve's intervention introduces quantum bit error rate (QBER) with probability e. The amount of information for Alice and Bob used to correct the errors on their bit string is Similarly, one has It means Alice's and Bob's states are correlated with probability f, and anti-correlated with probability e that is also known as the QBER. After Eve's intervention,

Refute the detector side channel attack
In the BB84 protocol, Eve's illegal information is also bounded as 3,4,7 Here e is the phase error rate gained on Bob's state. Strictly speaking, phase error rate is the concept of entangled states. Because of the symmetry of BB84 protocol, however, the phase error rate is estimated from the bit error rate on the results generated from the conjugated bases 4,7 . Within the process of Eve's attack, if she can hide the bit error rates of both bases, Alice and Bob cannot find her existence. In the detector side channel attack, for instance, it is possible for Eve to intervene without introducing any bit error rate.
If Bob's detectors are imperfect, the detector side channel information leaking problem may exist. Eve can exploit the flaws of Bob's detectors to carry out the detector side channel attacks. In the detector side channel attack, though drawbacks exist on Bob's detectors, it is indispensable to assume that no unwanted information can leak out of his laboratory. Or else, the security of QKD cannot be ensured. It means that Eve should control the information leaking from the detectors indirectly. If Alice's state on Photon B is uniformly prepared, H a priori = 1 is obtained.
Consider that H a posteriori = ∑ r P(r)H(i|r), with P(r) the probability Eve obtains the measurement result r, and H(i|r) the information gain of i conditioned on r. If Eve does not interact with Photon B, H a posteriori = 1 after Bob declaring his basis choices. Thus I E = 0 and Eve cannot obtain any illegal information on Alice's state. In the detector side channel attack, r has two possible values: the registered and the unregistered, and ∑ r P(r) = 1 is satisfied. Whether for the registered pulses or for the unregistered pulses, Bob's measurement outcomes are controlled to be bit value biased. Bob announces Alice the values of r after his measurements. The bias of Bob's measurement outcomes is known to Eve in the detector side channel attack and H(i|r) should be less than 1. Correspondingly, H a posteriori < 1 and I E > 0 are satisfied. In some detector side channel attacks, Eve's uncertainty on Alice's states is eliminated with the intercept-resend attack. However, only the pulses encoded with Eve's expected bit values and expected bases are forced to be detected by Bob. Or else, Alice and Bob can find Eve's presentence according to the correlations between them. In any case, Bob's measurement outcomes are partially or totally certain to Eve. Thus we end the proof.
In order to refute the detector side channel attack, Alice and Bob should estimate Eve's information gain from the attack. In practical QKD, time-windows is set for the detectors so that their dark count rate can be decreased. Thus their detection efficiencies are time-dependent. If the time windows of the two detectors are not the same, there are detection mismatches between them. This can be exploited by Eve to launch the so-called time-shift attack. Furthermore, the detector flaws may also be used by Eve to control the detectors to detect unwanted signals. Taking the blinding attack for instance, the detectors can be blinded with strong illuminations so that they are insensitive to single-photon pulses but to strong pulses. Both in the time-shift attack and in the blinding attack, Eve's a posteriori information on Alice's bit value is partially or even totally deterministic.
In practical Bell test with EPR pairs, the quantum channel is lossy and one has to consider the detection loophole. It means that any pulse in quantum channel cannot represent the others in violating the CHSH inequality. If the devices are inefficient, fair-sampling assumption must be made to obtain the Bell violation. If Alice and Bob can implement quantum non-demolition measurement on the photon number, they differentiate the vacuum pulses from the non-vacuum pulses. With this technique, they can remove the channel loss. Now that the lhv theory has be excluded by recent experiments, it is reasonable to assume that the movements all pulses obey the quantum principles and all photon pulses experience the same transmission situation. Thus one can sample the behaviors of some of the incoming pulses on the behalf of those of the others.
We consider the QKD with active basis choice. Bob has two detectors D 0 and D 1 to decode the key bits 0 and 1 encoded on Alice's pulses. Their detection efficiencies are assumed to be η 0 and η 1 , respectively. D 0 and D 1 are manufactured to be the same so that η 0 = η 1 = η is satisfied when there is no detector side channel attack. We assume that Bob has another detector D t whose detection efficiency is η t . D t is also the same as D 0 and D 1 apart from its big time window. The time window of D t is big enough so that its detection efficiency is stably kept within the whole time windows of both D 0 and D 1 . This can be realized by keeping D t switched on within this period of time. When Bob receives the pulses from Alice, she randomly detect them directly with D t or decode their key bits with D 0 and D 1 in randomly chosen bases. When detector side channel attacks randomly happen on D 0 and D 1 , η 0 and η 1 decrease. For Bob, the detection efficiency he can observe for D 0 and D 1 is η = η η + 2 0 1 . According to Eqs (2) and (3), the value of the CHSH polynomial should be normalized as This relation can also be explained with the theory raised by Garg and Mermin where the photons that can be detected by D t but are missed by D 0 and D 1 can only be assigned with the bit value 0 48 . Accordingly, the illegal information gain Eve obtained within her detector side channel attack is calculated to be The performance of the present protocol In practical QKD, instead of single-photon source, weaken coherent sources are used for Alice to encode her key bits. Compared with single-photon source, multi-photon pulses exist. It is proven that Eve can exploit the multi-photon pulses to launch the so-called PNS attack. Thus decoy states are usually added in practical QKD protocol to beat this attack [12][13][14] . We consider the practical decoy state protocol raised by Ma et al. where a signal source, a weaker decoy source and a vacuum decoy source are used 14 Here Y 0 and ′ Y 0 are the dark counts on D 0 /D 1 and D t that can be estimated from the vacuum decoy state. After Bob's measurements, Alice announces Bob her state choices with which Bob can calculate the values of η and η t .
After the EC and PA, the final key generation rate is where ν Q 1 is the gain on the untagged pulses of the weaker decoy source, f(E ν ) is error correction efficiency, and E ν is the total QBER on the sifted key bits generated from the decoy source. Here we choose the weaker decoy source for key generation because the multi-photon pulses affect the value of the CHSH polynomial greatly. Numerical results shows that no Bell violation can be obtained when the intensity of the signal source is greater than 0.659 even if D 0 and D 1 have perfect detection efficiency. The fraction of the multi-photon pulses in the decoy source is comparably small, however, thus we assume Alice and Bob use it to generate the key bits.
We will give some numerical simulations on the performance of the QKD with prepare-and-measure Bell test. We will use the setup parameters from the QKD experiment completed by Gobby, Yuan and Shields (GYS) 49 that has also been taken used for numerical simulation in ref. 14. Namely, the transferring coefficient is β = 0.21dB/km, the detector's detection efficiency is η B = 4.5%, the misalignment coefficient is e d = 3.3%, and the dark count rate Y 0 = 1.7 × 10 −6 . The intensities of the signal pulses, weaker decoy pulses and vacuum pulses are 0.48, 0.1 and 0, respectively. One thing should be pointed out that we will not consider the contribution of the misalignment to the value of the CHSH polynomial.
Firstly, we want to show the performances of the present protocol under the blinding attack and the time-shift attack. For blinding attack, Eve controls the basis of Bob. When Bob's basis choices coincide with hers, there are efficient registers on his measurement settings. Or else, no clicking event happens. Thus one can obtain η t = 2η, and the value of CHSH polynomial is 2 for perfect single-photon source. It means that no secure key bits can be generated between Alice and Bob. For the time-shift attack, the CHSH inequality after the time-shift attack is calculated to be . For simplicity of discussion, one can assume that η 0 < η 1 .
It is apparent that the big the value 1, however, one can obtain S CHSH ≤ 2. It means that the classical bound of the CHSH inequality cannot be violated and no secure key bit can be generated. We can also compare the key generation rate of the present protocol with that of the practical decoy state QKD 14 . In Fig. 2, one can see that the key generation rate of the present protocol is small than that in ref. 14. This is because we generate the key bits from the weaker decoy state whose intensity is smaller than that of the signal state. Furthermore, the transmission distance of the present protocol can reach about 103 km (solid line). This distance is also shorter than that in ref. 14 (dash line).

Discussion and Conclusion
In this paper, the QKD protocol with prepare-and-measure Bell test has been proposed. Though the security of the present protocol is based on Bell's theorem, it is different with the DI-QKD protocol 46,47 and the Ekert91 protocol 2 . First, there is no need to care about the detection efficiency. In the present protocol, only the registered photons are used to calculate the CHSH polynomial. Second, entanglement is not required in the present protocol. The protocol is implemented in a prepare-and-measure way. Furthermore, the Bell test in the present protocol is only carried out at Bob's side. Our protocol is also different with the detection device-independent