Security analysis of the decoy method with the Bennett–Brassard 1984 protocol for finite key lengths

1.1. Background

1.2. Our formula for sacrifice bit-length with the finite-length setting

When the raw keys are generated by the BB84 protocol with the weak coherent pulses by the decoy method, we apply the error correction and the privacy amplification to the raw keys. The security of final keys can be evaluated by the size of the sacrifice bit-length. The aim of this paper is to provide a calculation formula for the sacrifice bit-length guaranteeing a given security level with universal composability. Since the generated pulses contain the vacuum pulses, the single-photon pulses, and the multi-photon pulses, we need to estimate these ratios among the pulses generating the raw keys. Note that the vacuum pulses also generate part of the raw keys. The flow of our analytical framework is illustrated in figure 1. First, using the relation between phase error and the security, we give a formula for the sacrifice bit-length based on the numbers of the detected pulses originated from the vacuum emissions by Alice, the detected pulses from the single-photon emissions, and the detected pulses from the multi-photon emissions among the detected pulses consisting of the raw keys. In the following, we call these numbers the partition of the detected pulses generating the raw keys. When a component of the partition is divided by total pulse number, we obtain the fractions. For the finite-length analysis, we need the partition instead of the fractions.

Zoom In Zoom Out Reset image size

In order to estimate the partition of the detected pulses generating the raw keys, we need to estimate the detection rates of the respective kinds of pulses and the phase error probability of single photon pulses, which characterize Eveʼs operations and can be regarded as parameters of the quantum communication channel. For this purpose, Alice sends the pluses with different intensities. This method is called the decoy method, and enables us to estimate the above detection rates and the phase error probability of single photon pulses. This estimation part can be divided into two parts. The first part is the derivation of channel parameters from the detection rates, the phase error rates, and the partition of respective transmitted pulses by solving joint inequalities, which are given from non-negativity of several channel parameters. The second part is the treatment of statistical fluctuation. If we could treat an infinite number of pulses, we would not have to deal with the statistical fluctuation. However, our finite-length setting requires the treatment of the statistical fluctuation. In contrast with the previous papers [5, 34], this paper deals with the statistical fluctuation by interval estimation ⁶ and per cent point ⁷ . The interval estimation is employed for deriving the detection rates and the phase error rates of transmitted pulses with respective intensities from the observed detection rates and the observed phase error rate. The per cent points are employed for deriving the partitions of transmitted pulses with respective intensities. Similarly, we employ per cent points for deriving the partition of the detected pulses generating the raw keys from the channel parameters.

In our analysis, we focus on the universal composability criterion. Our calculation formula for the sacrifice bit-length employs only the basic formulas of per cent points and the interval estimation of the binomial distribution, whose numerical calculations are possible using many computer software packages. Hence, it does not contain any optimization process, and it requires a relatively shorter calculation time. Then, using our formula, we numerically calculate the key generation rate per pulse in several cases. In our numerical calculations, we require that the universal composability criterion is less than ${{2}^{-80}}$. Under this requirement, we require too small error probabilities to calculate the exact per cent point and the exact interval estimation. For this purpose, due to the reason given appendix A, using Chernoff bound, we derive upper and lower estimates of the true parameter.

Further, similar to Wang et al [15, 16], in section 6, we discuss our key generation rate with finite-length when the intensities are not fixed and obey certain probability distributions. We numerically calculate the above key generation rate when the intensities obey Gaussian distributions because the fluctuations of intensities are usually caused by thermal noise.

Here, we summarize the physical assumption. The photon source generates the coherent state, and the phase factor of the coherent state is completely randomized. The receiver uses the threshold detector. We do not care about other types of imperfection of the devices, as follows. For example, we assume no side-channel-attack, e.g., Trojan horse attack [55] because there is a countermeasure, e.g., by monitoring the incoming light [57]. We also assume no detector blinding attack (faked state attack) [58] because its countermeasure is also known [56]. Further, we do not assume perfect vacuum pulses. That is, we allow for the fact that a non-vacuum state is mixed in the vacuum pulses if the probability of erroneous emission of a non-vacuum state is sufficiently small. We do not assume the collective attack while we employ the binary distribution. That is, our security proof works well for the coherent attack. The reason why the binary distribution can be used instead of the hypergeometric distribution is given in section 7 of [59].

1.3. Organization

An evaluation method for using the trace norm of the difference between the true state and the ideal state is known as a universally composable security criterion in QKD [38]. Hence, we call it the universal composability criterion. When the length m of the final keys is not fixed, we need a more careful treatment. We denote the final state and Eveʼs final state by ${{\rho }_{ABE\left| {} \right.m}}$ and ${{\rho }_{E\left| {} \right.m}}$, respectively, when the length of the final keys is m. However, we consider only the secrecy against Eve; we focus only on the composite system of Alice and Eve, whose state is the state ${{\rho }_{AE\left| {} \right.m}}$. Since Aliceʼs information is classical information with respect to the bit basis $\left\{ \left| {} \right.{{u}_{0}}\left. {} \right\rangle ,\left| {} \right.{{u}_{1}}\left. {} \right\rangle \right\}$, the state ${{\rho }_{AE\left| {} \right.m}}$ is written as ${{\sum }_{{{i}_{1}},\ldots ,{{i}_{m}}}}{{P}_{A}}\left( {{i}_{1}},\ldots ,{{i}_{m}} \right)\left| {} \right.{{u}_{{{i}_{1}}}},\ldots ,{{u}_{{{i}_{m}}}}\left. {} \right\rangle \left\langle {} \right.{{u}_{{{i}_{1}}}},\ldots ,{{u}_{{{i}_{m}}}}\left| {} \right.\otimes {{\rho }_{E\left| {} \right.{{i}_{1}},\ldots ,{{i}_{m}}}}$. Our ideal Aliceʼs state is the uniform distribution ${{\rho }_{{\mbox{mix}}\left| {} \right.{\mbox{m}}}}$ on m bits. Hence, the ideal composite state is ${{\rho }_{{\mbox{mix}}\left| {} \right.m}}\otimes {{\rho }_{E\left| {} \right.m}}$. We denote the state indicating that the length of final keys is m, by $\left| {} \right.m\left. {} \right\rangle \left\langle {} \right.m\left| {} \right.$, and its probability by P(m). Then, the state of the composite system is ${{\rho }_{AE}}:={{\sum }_{m}}P\left( m \right)\left| {} \right.m\left. {} \right\rangle \left\langle {} \right.m\left| {} \right.\otimes {{\rho }_{AE\left| {} \right.m}}$, and its ideal state is ${{\rho }_{{\mbox{ideal}}}}:={{\sum }_{m}}P\left( m \right)\left| {} \right.m\left. {} \right\rangle \left\langle {} \right.m\left| {} \right.\otimes {{\rho }_{{\mbox{mix}}\left| {} \right.{\mbox{m}}}}\otimes {{\rho }_{E\left| {} \right.m}}$. Hence, the averaged universal composability criterion of the obtained keys is written as the trace norm of the difference between the real state ${{\rho }_{AE}}$ of the composite system and its ideal state ${{\rho }_{{\mbox{ideal}}}}$ as [39] ⁸

$$\begin{eqnarray}&&\shortparallel {{\rho }_{A,E}}-{{\rho }_{{\mbox{ideal}}}}{{\shortparallel }_{1}}.\end{eqnarray} \tag{ 1 }$$

Thus, a smaller trace norm guarantees more secure final keys.

However, we focus on the phase basis:

$$\begin{eqnarray}&&\left| {} \right.{{v}_{i}}\left. {} \right\rangle :=\frac{1}{\sqrt{2}}\left( \left| {} \right.{{u}_{0}}\left. {} \right\rangle +{{(-1)}^{i}}\left| {} \right.{{u}_{1}}\left. {} \right\rangle \right)\quad \left( i=0,1 \right).\end{eqnarray} \tag{ 2 }$$

When we apply surjective universal$_{2}$linear hash functions as the privacy amplification [23, 34] the above value is bounded by the averaged virtual failure probability of error correction with respect to the phase basis (phase error correction) ${{P}_{ph}}$ as ⁹

$$\begin{eqnarray}&&\shortparallel {{\rho }_{A,E}}-{{\rho }_{{\mbox{ideal}}}}{{\shortparallel }_{1}}\leqslant 2\sqrt{2}\sqrt{{{P}_{ph}}}.\end{eqnarray} \tag{ 3 }$$

Then, the security analysis of QKD can be reduced to the evaluation of ${{P}_{ph}}$.

In the following, we consider the protocol containing the privacy amplification with the sacrifice bit-length S over the raw keys with length M. When phase error occurs in E bits among M-bit raw keys and we apply the minimum length decoding, the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ is evaluated as ¹⁰

$$\begin{eqnarray}&&{{P}_{ph}}\leqslant {{2}^{Mh\left( {\rm min} \left( \frac{E}{M},\frac{1}{2} \right) \right)-S}}.\end{eqnarray} \tag{ 4 }$$

Hence, we can guarantee the security of the final keys when the sacrifice bit-length S is sufficiently larger than $Mh\left( {\rm min} \left( \frac{E}{M},\frac{1}{2} \right) \right)$. However, the number E of bits having the phase error does not take a deterministic value, and it obeys a probability distribution Q(E). Then, when we apply the minimum length decoding, the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ is evaluated as

$$\begin{eqnarray}&&{{P}_{ph}}\leqslant \mathop{\sum }\limits_{E}Q\left( E \right){\rm min} \left( {{2}^{Mh\left( {\rm min} \left( \frac{E}{M},\frac{1}{2} \right) \right)-S}},1 \right).\end{eqnarray} \tag{ 5 }$$

When we use an imperfect photon source, the M transmitted pulses generate M-bit raw keys. Then, each of the M transmitted pulses takes the following three types of states. The first is the vacuum state, the second is the single-photon state, and the third is the multi-photon state. In the following, we assume that the M transmitted pulses consist of ${{J}^{\left( 0 \right)}}$ pulses with the vacuum state, ${{J}^{\left( 1 \right)}}$ pulses with the single-photon state, and ${{J}^{\left( 2 \right)}}$ pulses with the multi-photon state. This assumption guarantees the relation $M={{J}^{\left( 0 \right)}}+{{J}^{\left( 1 \right)}}+{{J}^{\left( 2 \right)}}$. That is, the triplet $\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},{{J}^{\left( 2 \right)}} \right)$ gives the partition of the M transmitted pulses. When we send the pulse with the vacuum state, no information can be leaked to Eve. That is, the leaked information in this case equals the leaked information to Eve when we send single-photon pulses with phase error probability 0. On the other hand, in the multi-photon case, we have to consider that all information is leaked to Eve. Hence, the leaked information in the multi-photon case equals the leaked information to Eve when we send single-photon pulses with phase error probability $1/2$. In the following, we assume that the phase error occurs in $J_{e}^{\left( 1 \right)}$ bits among ${{J}^{\left( 1 \right)}}$ bits. As is shown in [23] and [26], when we apply a proper class of hash functions in the privacy amplification ¹¹ , the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ is evaluated as ¹²

$$\begin{eqnarray}&&{{P}_{ph}}\leqslant {{2}^{\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)-S}}\end{eqnarray} \tag{ 6 }$$

because ${{J}^{\left( 2 \right)}}=M-{{J}^{\left( 0 \right)}}-{{J}^{\left( 1 \right)}}$, where, we define

$$\begin{eqnarray}\begin{array}{rcl} \phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right) & := & {{J}^{\left( 1 \right)}}h\left( {\rm min} \left( \frac{J_{e}^{\left( 1 \right)}}{{{J}^{\left( 1 \right)}}},\frac{1}{2} \right) \right)+\left( M-{{J}^{\left( 0 \right)}}-{{J}^{\left( 1 \right)}} \right)h\left( \frac{1}{2} \right) \\ {} & = & {{J}^{\left( 1 \right)}}h\left( {\rm min} \left( \frac{J_{e}^{\left( 1 \right)}}{{{J}^{\left( 1 \right)}}},\frac{1}{2} \right) \right)+\left( M-{{J}^{\left( 0 \right)}}-{{J}^{\left( 1 \right)}} \right), \\ \end{array}\end{eqnarray} \tag{ 7 }$$

which provides step (5) in figure 1. Indeed, the rate $\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)/M$ asymptotically coincides with the rate of sacrifice bits given by [6]. Due to equation (6), we can regard $\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)$ as leaked information.

In the actual case, the values ${{J}^{\left( 0 \right)}}$, ${{J}^{\left( 1 \right)}}$, and $J_{e}^{\left( 1 \right)}$ do not take deterministic values, and obey a joint distribution $Q\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)$. Hence, the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ is evaluated by

$$\begin{eqnarray}&&{{P}_{ph}}\leqslant \mathop{\sum }\limits_{{{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)}}Q\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right){\rm min} \left( {{2}^{\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)-S}},1 \right).\end{eqnarray} \tag{ 8 }$$

In the general case, the size of sacrifice bit-length S also does not take a deterministic value, and is stochastically determined. In such a case, the values ${{J}^{\left( 0 \right)}}$, ${{J}^{\left( 1 \right)}}$, $J_{e}^{\left( 1 \right)}$, and S obey a joint distribution $Q\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)},S \right)$, and the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ is evaluated by

$$\begin{eqnarray}&&{{P}_{ph}}\leqslant \mathop{\sum }\limits_{{{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)},S}Q\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)},S \right){\rm min} \left( {{2}^{\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)-S}},1 \right).\end{eqnarray} \tag{ 9 }$$

In the following, for simplicity, we employ the notations ${\boldsymbol{J}} =\left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)$ and $\phi \left( {\mathbf{J}} \right):=\phi \left( {{J}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)} \right)$.

In the following, we assume that ${{M}_{s}}$-bit raw keys are generated by ${{N}_{s}}$ signal pulses generated by an imperfect photon source. Now, we assume that there are $N_{s}^{\left( 0 \right)}$ vacuum state pulses and $N_{s}^{\left( 1 \right)}$ single-photon pulses among ${{N}_{s}}$ transmitted pulses. Then, the remaining $N_{s}^{\left( 2 \right)}={{N}_{s}}-N_{s}^{\left( 0 \right)}-N_{s}^{\left( 1 \right)}$ pulses take multi-photon states. In the following discussion, the partition of ${{N}_{s}}$ signal pulses is described by the triplet $\left( N_{s}^{\left( 0 \right)},N_{s}^{\left( 1 \right)},N_{s}^{\left( 2 \right)} \right)$, and plays an important role.

Now, we prepare three parameters ${{\bar{q}}^{\left( 0 \right)}}$, ${{\bar{q}}^{\left( 1 \right)}}$, and $\bar{b}_{\times }^{\left( 1 \right)}$ as follows. The parameter ${{\bar{q}}^{\left( 0 \right)}}$ is the detection rate in the vacuum pulse, i.e., the rate of the vacuum pulses detected in Bobʼs side to the vacuum pulses transmitted from Aliceʼs side. The parameter ${{\bar{q}}^{\left( 1 \right)}}$ is the detection rate in the single-photon pulse, i.e., the rate of the single-photon pulses detected in Bobʼs side to the single-photon pulses transmitted from Aliceʼs side. The parameter $\bar{b}_{\times }^{\left( 1 \right)}$ is the rate of the single-photon pulses detected with phase error in Bobʼs side to the single-photon pulses transmitted from Aliceʼs side. We call the rate $\bar{b}_{\times }^{\left( 1 \right)}$ the phase-error detection rate in the single-photon pulse. Then, the numbers ${{J}^{\left( 0 \right)}}$, ${{J}^{\left( 1 \right)}}$, and $J_{e}^{\left( 1 \right)}$ can be estimated as

$$\begin{eqnarray}&&{{J}^{\left( 0 \right)}}\sim N_{s}^{\left( 0 \right)}{{\bar{q}}^{\left( 0 \right)}},{{J}^{\left( 1 \right)}}\sim N_{s}^{\left( 1 \right)}{{\bar{q}}^{\left( 1 \right)}},J_{e}^{\left( 1 \right)}\sim N_{s}^{\left( 1 \right)}\bar{b}_{\times }^{\left( 1 \right)}.\end{eqnarray} \tag{ 10 }$$

However, it is not easy to estimate the partition of ${{N}_{s}}$ pulses, i.e., $\left( N_{s}^{\left( 0 \right)},N_{s}^{\left( 1 \right)},N_{s}^{\left( 2 \right)} \right)$. Now, we consider the case when the ${{N}_{s}}$ ${{\mu }_{1}}$-intensity weak coherent pulses are transmitted.

Then, we obtain the expansion with respect to the photon-number states.

$$\begin{eqnarray}&&\mathop{\sum }\limits_{n=0}^{\infty }{{e}^{-{{\mu }_{1}}}}\frac{\mu _{1}^{n}}{n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.={{e}^{-{{\mu }_{1}}}}\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.+{{e}^{-{{\mu }_{1}}}}{{\mu }_{1}}\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right.+{{e}^{-{{\mu }_{1}}}}\mu _{1}^{2}{{\omega }_{2}}{{\rho }_{2}},\end{eqnarray} \tag{ 11 }$$

where

$$\begin{eqnarray}&&{{\rho }_{2}}:=\frac{1}{{{\omega }_{2}}}\mathop{\sum }\limits_{n=2}^{\infty }\frac{\mu _{1}^{n-2}}{n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.,\quad {{\omega }_{2}}:=\frac{1}{\mu _{1}^{2}}\left( {{e}^{{{\mu }_{1}}}}-\left( 1+{{\mu }_{1}} \right) \right).\end{eqnarray} \tag{ 12 }$$

Then, the partition can be estimated as

$$\begin{eqnarray}&&N_{s}^{\left( 0 \right)}\sim {{N}_{s}}{{e}^{-{{\mu }_{1}}}},N_{s}^{\left( 1 \right)}\sim {{N}_{s}}{{e}^{-{{\mu }_{1}}}}{{\mu }_{1}}.\end{eqnarray} \tag{ 13 }$$

Hence, it is needed to estimate the parameters ${{\bar{q}}^{\left( 0 \right)}}$, ${{\bar{q}}^{\left( 1 \right)}}$, and $\bar{b}_{\times }^{\left( 1 \right)}$. For this purpose, we shuffle ${{\mu }_{1}}$-intensity coherent pulses and ${{\mu }_{2}}$-intensity coherent pulses. This method is called the decoy method [7–9, 12, 13] ¹³ because ${{\mu }_{2}}$-intensity pulses work as a 'decoy' for estimating the parameters ${{\bar{q}}^{\left( 0 \right)}}$, ${{\bar{q}}^{\left( 1 \right)}}$, and $\bar{b}_{\times }^{\left( 1 \right)}$. Hence, the intensity ${{\mu }_{1}}$ to be used for generating the raw keys is called the signal pulse, and the other intensity ${{\mu }_{2}}$ is called the decoy pulse. In the following, we assume that ${{\mu }_{1}}<{{\mu }_{2}}$. Then, the ${{\mu }_{2}}$-intensity coherent pulse has the following expansion:

$$\begin{eqnarray}\begin{array}{rcl} \mathop{\sum }\limits_{n=0}^{\infty }{{e}^{-{{\mu }_{2}}}}\frac{\mu _{2}^{n}}{n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right. & = & {{e}^{-{{\mu }_{2}}}}\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.+{{e}^{-{{\mu }_{2}}}}{{\mu }_{2}}\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right. \\ {} & {} & +{{e}^{-{{\mu }_{2}}}}\mu _{2}^{2}{{\omega }_{2}}{{\rho }_{2}}+{{e}^{-{{\mu }_{2}}}}\mu _{2}^{2}\left( {{\mu }_{2}}-{{\mu }_{1}} \right){{\omega }_{3}}{{\rho }_{3}}, \\ \end{array}\end{eqnarray} \tag{ 14 }$$

where

$$\begin{eqnarray}&&{{\rho }_{3}}:=\frac{1}{{{\omega }_{3}}}\mathop{\sum }\limits_{n=3}^{\infty }\frac{\mu _{2}^{n-2}-\mu _{1}^{n-2}}{\left( {{\mu }_{2}}-{{\mu }_{1}} \right)n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.\end{eqnarray} \tag{ 15 }$$

$$\begin{eqnarray}&&{{\omega }_{3}}:=\frac{1}{\mu _{2}^{2}}\left( {{e}^{{{\mu }_{2}}}}-\left( 1+{{\mu }_{2}}+\frac{\mu _{2}^{2}}{2} \right) \right)-\frac{1}{\mu _{1}^{2}}\left( {{e}^{{{\mu }_{1}}}}-\left( 1+{{\mu }_{1}}+\frac{\mu _{1}^{2}}{2} \right) \right).\end{eqnarray} \tag{ 16 }$$

Using the difference between the coefficients in the two expansions (11) and (34), we can estimate the detection rates ${{\bar{q}}^{\left( 0 \right)}}$ and ${{\bar{q}}^{\left( 1 \right)}}$ using the method explained in section 6.

In this paper, we use superscript numbers and subscript numbers with the following rules. The superscript expresses the kind of state, i.e., the superscripts 0, 1, 2, and 3 correspond to $\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.$, $\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right.$, ${{\rho }_{2}}$, and ${{\rho }_{3}}$, respectively. The subscript expresses the intensity except for ${{\rho }_{2}}$, ${{\rho }_{3}}$, ${{\omega }_{2}}$, and ${{\omega }_{3}}$. That is, the subscripts 0, 1, 2, 3 and 4 correspond to the vacuum pulse, the ${{\mu }_{1}}$-intensity pulse, the ${{\mu }_{2}}$-intensity pulse, the ${{\mu }_{1}}$-intensity pulse with the phase error, and the ${{\mu }_{2}}$-intensity pulse with the phase error, respectively.

In the following, we give the detail of our protocol, in which both ${{\mu }_{1}}$-intensity pulses with the bit basis and ${{\mu }_{2}}$-intensity pulses with the bit basis are used for generating the raw keys ¹⁴ .

• (1)   
  Transmission: Alice (the sender) sends the pulses with the vacuum, the ${{\mu }_{1}}$-intensity coherent pulses and the ${{\mu }_{2}}$-intensity coherent pulses, randomly with a certain rate. Here, she chooses the bit basis $\left\{ \left| {} \right.{{u}_{0}}\left. {} \right\rangle ,\left| {} \right.{{u}_{1}}\left. {} \right\rangle \right\}$, and the phase basis $\left\{ \left| {} \right.{{v}_{0}}\left. {} \right\rangle ,\left| {} \right.{{v}_{1}}\left. {} \right\rangle \right\}$ given in (2) with the ratio $1-\lambda :\lambda$ among the ${{\mu }_{1}}$-intensity coherent pulses and the ${{\mu }_{2}}$-intensity coherent pulses. Here, Alice randomizes the phase of the coherent state so that the transmitted state is $\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.$, (11), or (34).
• (2)   
  Detection: Bob (the receiver) chooses the bit basis and the phase basis with the ratio $1-\lambda :\lambda$ and measures the pulses in the received side. Then, he records the existence or non-existence of the detection, his basis, and the measured bit. For details, see remark 2.
• (3)   
  Verification of basis: using the public channel, Alice sends Bob all information with respect to the basis and the intensity for all pulses. Using the public channel, Bob informs Alice what pulses has the matched basis. Then, as is illustrated in table 1, they decide the numbers ${{N}_{0}}$, ${{N}_{1}}$, ${{N}_{2}}$, ${{N}_{s,1}}$ and ${{N}_{s,2}}$ as follows. ${{N}_{0}}$ is the number of vacuum pulses, ${{N}_{1}}$ is the number of ${{\mu }_{1}}$-intensity pulses with the phase basis in both sides, ${{N}_{2}}$ is the number of ${{\mu }_{2}}$-intensity pulses with the phase basis in both sides, ${{N}_{s,1}}$ is the number of ${{\mu }_{1}}$-intensity pulses with the bit basis in both sides, and ${{N}_{s,2}}$ is the number of ${{\mu }_{2}}$-intensity pulses with the bit basis in both sides.
• (4)   
  Parameter estimation: Alice and Bob announce all bit information with respect to ${{N}_{1}}+{{N}_{2}}$ pulses with the phase basis in both sides. Then, as is illustrated in table 2, they decide the numbers ${{M}_{0}}$, ${{M}_{1}}$, ${{M}_{2}}$, ${{M}_{3}}$, ${{M}_{4}}$, ${{M}_{s,1}}$ and ${{M}_{s,2}}$ as follows. ${{M}_{0}}$ is the number of vacuum pulses detected by Bob. For i = 1, 2, ${{M}_{i}}$(${{M}_{i+2}}$) is the number of ${{\mu }_{i}}$-intensity coherent pulses that are detected by Bob and have the phase basis in both sides and the agreement bit values (the disagreement bit values). (However, they will not use ${{M}_{4}}$.) ${{M}_{s,1}}$ is the number of ${{\mu }_{1}}$-intensity coherent pulses which are detected by Bob and have the bit basis in both sides. ${{M}_{s,2}}$ is the number of ${{\mu }_{2}}$-intensity coherent pulses that are detected by Bob and have the bit basis in both sides.

In the following, we describe the key distillation protocol for ${{M}_{s,1}}$-bit raw keys generated by the ${{\mu }_{1}}$-intensity coherent pulses. The key distillation protocol for ${{M}_{s,2}}$-bit raw keys generated by the ${{\mu }_{2}}$-intensity coherent pulses can be obtained when ${{N}_{s,1}}$ and ${{M}_{s,1}}$ are replaced by ${{N}_{s,2}}$ and ${{M}_{s,2}}$, respectively.

Table 1.  Transmitted pluses

Aliceʼs basis	Bobʼs basis	vacuum	${{\mu }_{1}}$	${{\mu }_{2}}$
bit basis	bit basis	${{N}_{0}}$	${{N}_{s,1}}$	${{N}_{s,2}}$
	phase basis
phase basis	bit basis
	phase basis		${{N}_{1}}$	${{N}_{2}}$

Table 2.  Detected pluses

Aliceʼs basis	Bobʼs basis		vacuum	${{\mu }_{1}}$	${{\mu }_{2}}$
bit basis	bit basis		${{M}_{0}}$	${{M}_{s,1}}$	${{M}_{s,2}}$
	phase basis
phase basis	bit basis
	phase basis	correct		${{M}_{1}}$	${{M}_{2}}$
		incorrect		${{M}_{3}}$	${{M}_{4}}$

• (5)   
  Error correction: first, Alice and Bob choose a suitable ${{M}_{s,1}}$-bit classical code ${{C}_{1}}$ that can correct errors of the expected bit error rate ${{p}_{+}}$. For decoding, they prepare a set ${{\left\{ {\boldsymbol{s}} _{\left[ {\boldsymbol{s}} \right]}^{\left( 2 \right)} \right\}}_{\left[ {\boldsymbol{s}} \right]\in \mathbb{F}_{2}^{{{M}_{s,1}}}/{{C}_{1}}}}$ of representatives for respective cosets $\left[ {\boldsymbol{s}} \right]\in \mathbb{F}_{2}^{{{M}_{s,1}}}/{{C}_{1}}$. They also prepare another set ${{\left\{ {\boldsymbol{s}} _{\left[ {\boldsymbol{s}} \right]}^{\left( 1 \right)} \right\}}_{\left[ {\boldsymbol{s}} \right]\in \mathbb{F}_{2}^{{{M}_{s,1}}}/{{C}_{1}}}}$ of representatives for respective cosets $\left[ {\boldsymbol{s}} \right]\in \mathbb{F}_{2}^{{{M}_{s,1}}}/{{C}_{1}}$. Then, they exchange their information $\mathbb{F}_{2}^{{{M}_{s,1}}}/{{C}_{1}}$. Alice obtains ${\boldsymbol{x}} :={\boldsymbol{s}} -{\boldsymbol{s}} _{\left[ {\boldsymbol{s}} \right]}^{\left( 1 \right)}$ in ${{C}_{1}}$, and Bob obtains ${\boldsymbol{x}} ^{\prime} :={\boldsymbol{s}} ^{\prime} -{\boldsymbol{s}} _{\left[ {\boldsymbol{s}} \right]}^{\left( 1 \right)}-{\boldsymbol{s}} _{\left[ {\boldsymbol{s}} ^{\prime} -{\boldsymbol{s}} \right]}^{\left( 2 \right)}$ in ${{C}_{1}}$.
• (6)   
  Privacy amplification: using the method explained later, Alice and Bob define the sacrifice bit-length S in the privacy amplification from ${{N}_{s,1}},{{N}_{0}},{{N}_{1}},{{N}_{2}}$, ${{M}_{s,1}},{{M}_{0}},{{M}_{1}},{{M}_{2}},{{M}_{3}}$. Then, they apply the ε-almost dual universal$_{2}$hash function from ${{C}_{1}}\cong \mathbb{F}_{2}^{l}$ to $\mathbb{F}_{2}^{l-S}$ [26]. Then, they obtain the final keys.
• (7)   
  Error verification: Alice and Bob apply a suitable hash function to the final keys. They exchange the exclusive OR between the above hash value and other prepared secret keys. If the above exclusive OR agrees, their keys agree with a high probability [40, 41].

In the error correction, we lose more than ${{M}_{s,1}}h\left( {{p}_{+}} \right)$ bits. When we lose $\eta {{M}_{s,1}}h\left( {{p}_{+}} \right)$ bits in the error correction, the final key length is ${{M}_{s,1}}-\eta {{M}_{s,1}}h\left( {{p}_{+}} \right)-S$. In a realistic case, we choose η to be 1.1. In the above protocol, it is possible to restrict the intensity to generate the raw keys to ${{\mu }_{1}}$ or ${{\mu }_{2}}$. In this case, we restrict the intensity with the bit basis to ${{\mu }_{1}}$ or ${{\mu }_{2}}$. When we restrict the intensity with the bit basis to ${{\mu }_{2}}$, the numbers ${{N}_{s,1}}$ and ${{M}_{s,1}}$ become 0.

In the following discussion, we denote the number of transmitted pulses for generation of raw keys, the number of raw keys, and the signal intensity by ${{N}_{s}}$, ${{M}_{s}}$, and ${{\mu }_{s}}$. That is, when we discuss the security of final keys generated from raw keys with the intensity ${{\mu }_{i}}$, the numbers ${{N}_{s}}$, ${{M}_{s}}$, and ${{\mu }_{s}}$ are chosen to be ${{N}_{s,i}}$, ${{M}_{s,i}}$, and ${{\mu }_{i}}$ for i = 1, 2.

Remark 1. In the above protocol, the raw keys are generated from the bit basis. However, this assumption is not essential. For example, our analysis can be applied to the case when the raw keys are generated from both bases as follows. First, we replace step (3) by the following step (3').

• (3')   
  Verification of basis: using the public channel, Alice sends Bob all information with respect to the basis and the intensity for all pulses. Using the public channel, Bob informs Alice what pulses have the matched basis. Then, as is illustrated in table 1, they decide the numbers ${{N}_{0}}$, ${{N}_{1}}^{\prime}$, ${{N}_{2}}^{\prime}$, ${{N}_{s,1}}^{\prime}$ and ${{N}_{s,2}}^{\prime}$ as follows. ${{N}_{0}}$ is the number of vacuum pulses, ${{N}_{1}}^{\prime}$ is the number of ${{\mu }_{1}}$-intensity pulses with the phase basis in the both sides, ${{N}_{2}}^{\prime}$ is the number of ${{\mu }_{2}}$-intensity pulses with the phase basis in the both sides, ${{N}_{s,1}}^{\prime}$ is the number of ${{\mu }_{1}}$-intensity pulses with the bit basis in the both sides, and ${{N}_{s,2}}^{\prime}$ is the number of ${{\mu }_{2}}$-intensity pulses with the bit basis in the both sides.Then, we decide smaller numbers ${{N}_{1}}$, ${{N}_{2}}$, ${{N}_{s,1}}$, ${{N}_{s,2}}$ than ${{N}_{1}}^{\prime}$, ${{N}_{2}}^{\prime}$, ${{N}_{s,1}}^{\prime}$, ${{N}_{s,2}}^{\prime}$, respectively. Next, we randomly choose ${{N}_{1}}$, ${{N}_{2}}$, ${{N}_{s,1}}$, ${{N}_{s,2}}$ pulses among ${{N}_{1}}^{\prime}$, ${{N}_{2}}^{\prime}$, ${{N}_{s,1}}^{\prime}$, ${{N}_{s,2}}^{\prime}$ pulses, respectively.

After step (7) , we choose numbers ${{N}_{s,1}}$ , ${{N}_{s,2}}$ , ${{N}_{1}}$ , ${{N}_{2}}$ to be ${{N}_{1}}^{\prime} -{{N}_{1}}$ , ${{N}_{2}}^{\prime} -{{N}_{2}}$ , ${{N}_{s,1}}^{\prime} -{{N}_{s,1}}$ , ${{N}_{s,2}}^{\prime} -{{N}_{s,2}}$ , respectively. We apply step (4) and the following steps to the remaining ${{N}_{s,1}}+{{N}_{s,2}}+{{N}_{1}}+{{N}_{2}}$ pulses and ${{N}_{0}}$ vacuum pulses with exchanging the roles of the bit and the phase bases. In this case, we may choose the classical error correcting code ${{C}_{1}}$ based on the observed error rate in step (5).

Remark 2. When the receiver uses the threshold detector, in step (2) (Detection), the receiver might detect both events. In this case, we use the following type detector [47].

In fact, since the encoding does not depend on the choice of the detector, the formula (3) holds with the averaged virtual failure probability of phase error correction ${{P}_{ph}}$ based on any of Bobʼs virtual decoders employing any of Bobʼs detectors when Bobʼs detection event does not depend on the choice of the basis. Hence, our security analysis is still valid even in the above detector.

Remark 3. Fung et al [40] proposed the use of error verification of the phase basis instead of step (4) when the raw keys are generated from both bases in both intensities ${{\mu }_{1}}$ and ${{\mu }_{2}}$. In this case, the error verification of the phase basis yields ${{M}_{1}}$, ${{M}_{2}}$, ${{M}_{3}}$, and ${{M}_{4}}$ according to their method.

However, when the raw keys are generated only from the bit basis, their method cannot be applied.

In the following, we describe the strategy of Eve. For this purpose, we treat only the vacuum pulses and the pulses with matched bases, i.e., ${{N}_{0}}+{{N}_{1}}+{{N}_{2}}+{{N}_{s}}$ pulses given in table 1. We do not treat other kinds of pulses. Eve cannot distinguish pulses with the intensities ${{\mu }_{1}}$ and ${{\mu }_{2}}$ perfectly although she can distinguish them with certain probabilities. Alternatively, Eve can choose her strategy depending on the number of photons because she can distinguish the number of photons [7–9] ¹⁵ . Therefore, we assume that Eve can distinguish the states $\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.$, $\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right.$, ${{\rho }_{2}}$, and ${{\rho }_{3}}$ defined in (12) and (15) because we can guarantee the security of our model by showing the security under the assumption.

We assume the following partition of pulses given in table 1 as follows:

• There are $N_{1}^{\left( 0 \right)}$ pulses with the vacuum state and $N_{1}^{\left( 1 \right)}$ pulses with the single-photon state among ${{N}_{1}}$ ${{\mu }_{1}}$-intensity pulses with the phase basis.
• There are $N_{2}^{\left( 0 \right)}$ pulses with the vacuum state, $N_{2}^{\left( 1 \right)}$ pulses with the single-photon state, and $N_{2}^{\left( 2 \right)}$ pulses with the state ${{\rho }_{2}}$ among ${{N}_{2}}$ ${{\mu }_{2}}$-intensity pulses with the phase basis.
• There are $N_{s}^{\left( 0 \right)}$ pulses with the vacuum state and $N_{s}^{\left( 1 \right)}$ pulses with the single-photon state among ${{N}_{s}}$ ${{\mu }_{s}}$-intensity pulses with the bit basis.

For simplicity, we employ the notations ${{{\boldsymbol{N}} }_{s}}:=\;\left( N_{s}^{\left( 0 \right)},N_{s}^{\left( 1 \right)},N_{s}^{\left( 2 \right)} \right)$, ${{{\boldsymbol{N}} }_{1}}:=\;\left( N_{1}^{\left( 0 \right)},N_{1}^{\left( 1 \right)} \right)$, ${{{\boldsymbol{N}} }_{2}}:=\;\left( N_{2}^{\left( 0 \right)},N_{2}^{\left( 1 \right)},N_{2}^{\left( 2 \right)} \right)$, and ${\boldsymbol{\vec{N}}} :=\;\left( {{{\boldsymbol{N}} }_{1}},{{{\boldsymbol{N}} }_{2}} \right)$. In the above partition, there are ${{N}_{0}}+N_{1}^{\left( 0 \right)}+N_{2}^{\left( 0 \right)}+N_{s}^{\left( 0 \right)}$ pulses with the vacuum state, $N_{1}^{\left( 1 \right)}+N_{2}^{\left( 1 \right)}+N_{s}^{\left( 1 \right)}$ pulses with the single-photon state, $N_{1}^{\left( 2 \right)}+N_{2}^{\left( 2 \right)}$ pulses with the state ${{\rho }_{2}}$ and the phase basis, and $N_{2}^{\left( 3 \right)}$ pulses with the state ${{\rho }_{3}}$ and the phase basis, where $N_{1}^{\left( 2 \right)}:={{N}_{1}}-N_{1}^{\left( 0 \right)}-N_{1}^{\left( 1 \right)}$ and $N_{2}^{\left( 3 \right)}:={{N}_{2}}-N_{2}^{\left( 0 \right)}-N_{2}^{\left( 1 \right)}-N_{2}^{\left( 2 \right)}$. Note that the average state with the bit basis is not the same as the average state with the phase basis in the case of the multi-photon state.

Then, Eve is assumed to be able to control the detection rates ${{\bar{q}}^{\left( 0 \right)}}$, ${{\bar{q}}^{\left( 1 \right)}}$, $\bar{q}_{\times }^{\left( 2 \right)}$, and $\bar{q}_{\times }^{\left( 3 \right)}$ in Bobʼs side among ${{N}_{0}}+N_{1}^{\left( 0 \right)}+N_{2}^{\left( 0 \right)}+N_{s}^{\left( 0 \right)}$ vacuum pulses, $N_{1}^{\left( 1 \right)}+N_{2}^{\left( 1 \right)}+N_{s}^{\left( 1 \right)}$ single-photon pulses, $N_{1}^{\left( 2 \right)}+N_{2}^{\left( 2 \right)}$ pulses of the state ${{\rho }_{2}}$ with the phase basis, and $N_{2}^{\left( 3 \right)}$ pulses of the state ${{\rho }_{3}}$ with the phase basis, respectively. Similarly, Eve is assumed to be able to control the phase-error detection rates $\bar{b}_{\times }^{\left( 1 \right)}$, $\bar{b}_{\times }^{\left( 2 \right)}$, and $\bar{b}_{\times }^{\left( 3 \right)}$ in Bobʼs side among $N_{1}^{\left( 1 \right)}+N_{2}^{\left( 1 \right)}+N_{s}^{\left( 1 \right)}$ single-photon pulses, $N_{1}^{\left( 2 \right)}+N_{2}^{\left( 2 \right)}$ pulses of the state ${{\rho }_{2}}$ with the phase basis, and $N_{2}^{\left( 3 \right)}$ pulses of the state ${{\rho }_{3}}$ with the phase basis, respectively. In the following discussion, we use the parameters $\bar{a}_{\times }^{\left( 1 \right)}:={{\bar{q}}^{\left( 1 \right)}}-\bar{b}_{\times }^{\left( 1 \right)}$, $\bar{a}_{\times }^{\left( 2 \right)}:=\bar{q}_{\times }^{\left( 2 \right)}-\bar{b}_{\times }^{\left( 2 \right)}$, $\bar{a}_{\times }^{\left( 3 \right)}:=\bar{q}_{\times }^{\left( 3 \right)}-\bar{b}_{\times }^{\left( 3 \right)}$, instead of ${{\bar{q}}^{\left( 1 \right)}}$, $\bar{q}_{\times }^{\left( 2 \right)}$, $\bar{q}_{\times }^{\left( 3 \right)}$. For a simplicity, we employ the notations ${\boldsymbol{\bar{a}}} :=\;\left( \bar{a}_{\times }^{\left( 1 \right)},\bar{a}_{\times }^{\left( 2 \right)},\bar{a}_{\times }^{\left( 3 \right)} \right)$ and ${\boldsymbol{\bar{b}}} :=\;\left( \bar{b}_{\times }^{\left( 1 \right)},\bar{b}_{\times }^{\left( 2 \right)},\bar{b}_{\times }^{\left( 3 \right)} \right)$. Eve is also assumed to be able to control the parameters ${{\bar{q}}^{\left( 0 \right)}}$, ${\boldsymbol{\bar{a}}}$ and ${\boldsymbol{\bar{b}}}$ dependently on the partition of the total ${{N}_{0}}+{{N}_{1}}+{{N}_{2}}+{{N}_{s}}$ pulses. Further, Eve is assumed to choose these values stochastically. Hence, the joint distribution conditioned with ${\boldsymbol{\vec{N}}}$ and ${{{\boldsymbol{N}} }_{s}}$ can be written as ${{Q}_{e}}\left( {{{\bar{q}}}^{\left( 0 \right)}},{\boldsymbol{\bar{a}}} ,{\boldsymbol{\bar{b}}} \left| {} \right.{\boldsymbol{\vec{N}}} ,{{{\boldsymbol{N}} }_{s}} \right)$. Since our analysis depends only on ${\boldsymbol{\vec{N}}}$, we use the conditional distribution ${{Q}_{e}}\left( {{{\bar{q}}}^{\left( 0 \right)}},{\boldsymbol{\bar{a}}} ,{\boldsymbol{\bar{b}}} \left| {} \right.{\boldsymbol{\vec{N}}} \right):={{\sum }_{{{{\boldsymbol{N}} }_{s}}}}{{P}_{s}}\left( {{{\boldsymbol{N}} }_{s}} \right){{Q}_{e}}\left( {{{\bar{q}}}^{\left( 0 \right)}},{\boldsymbol{\bar{a}}} ,{\boldsymbol{\bar{b}}} \left| {} \right.{\boldsymbol{\vec{N}}} ,{{{\boldsymbol{N}} }_{s}} \right)$, where ${{P}_{s}}$ is the distribution of ${{{\boldsymbol{N}} }_{s}}$ and cannot be controlled by Eve.

5.1. Formula for sacrifice bit-length

The aim of this section is to give formulas for the sacrifice bit-length S satisfying

$$\begin{eqnarray}&&\shortparallel {{\rho }_{A,E}}-{{\rho }_{{\mbox{ideal}}}}{{\shortparallel }_{1}}\leqslant {{2}^{-\beta }}\end{eqnarray} \tag{ 17 }$$

as a function of $\beta ,{{\mu }_{s}},{{\mu }_{1}},{{\mu }_{2}},{{N}_{s}},{{N}_{0}},{{N}_{1}},{{N}_{2}}$, and ${\boldsymbol{M}}$, where ${{\rho }_{A,E}}$ is the final state and ${{\rho }_{{\mbox{ideal}}}}$ is the ideal state. This paper gives two formulas, the non-improved formula and the improved formula. While the improved formula gives a shorter sacrifice bit-length than the non-improved formula, the non-improved formula is simpler than the improved formula. Hence, for simpler understanding, we give only the non-improved formula in this section. In appendix C, we give the improved formula. For this purpose, we prepare fundamental definitions for behavior of random variables.

Definition 1. When the true distribution is the N-trial binary distribution (Bernoulli distribution) with the success probability p, ¹⁶ which is denoted by ${\mbox{Bin}}\left( N,p \right)$, we denote the upper per cent point with probability α by $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)$, and denote the lower per cent point with probability α by $X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)$. Then, we define $p_{{\mbox{per}}}^{+}\left( N,p,\alpha \right):=X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)/N$, and $p_{{\mbox{per}}}^{-}\left( N,p,\alpha \right):=X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)/N$. When we observe the value k subject to the binomial distribution ${\mbox{Bin}}\left( N,p \right)$ with N trials and probability p, we denote the lower confidence limit of the lower one-sided interval estimation with the confidential level $1-\alpha$ by $p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)$. Similarly, we denote the upper confidence limit of the upper one-sided interval estimation with the confidential level $1-\alpha$ by $p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)$. Then, we define $X_{{\mbox{est}}}^{-}\left( N,k,\alpha \right):=p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)N$, and $X_{{\mbox{est}}}^{+}\left( N,k,\alpha \right):=p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)N$.

When N is not so large (e.g., 10 000) or α is not so small (e.g., 0.001), the per cent point $X_{{\mbox{per}}}^{\pm }\left( N,p,\alpha \right)$ can be calculated by a mathematical software package (e.g., Mathematica). As is summarized in appendix E.1, the interval estimation $p_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$ is described by F distribution, and can also be calculated by mathematical package. However, when N is too large and α is too small, these calculations cannot be done by the usual mathematical packages. But since N is large enough, using the formulas given in appendices E and F, we can calculate good lower and upper bounds of these values, which is close enough to the exact values for our purpose. The calculation of the formulas can be implemented with small calculation times.

Indeed, in order to guarantee unconditional security, we have to use the hypergeometric distribution instead of the binomial distribution. However, the hypergeometric distribution can be partially replaced by the binomial distribution. Section 7 of [59] explains which case allows this replacement. This is the reason why we can employ the Chernoff inequality given in appendix E. This replacement greatly simplifies the calculation of sacrifice bit-length.

Now, we give the non-improved formula of the sacrifice bit-length S as a function of $\beta ,{{\mu }_{s}},{{\mu }_{1}},{{\mu }_{2}},{{N}_{s}},{{N}_{0}},{{N}_{1}},{{N}_{2}}$, and ${\boldsymbol{M}} =\left( {{M}_{s}},{{M}_{0}},{{M}_{1}},{{M}_{2}},{{M}_{3}} \right)$. The whole structure of our formulas is summarized in figure 2. Then, as is shown later, when the sacrifice bit-length is given in the following way, the final key satisfies (17).

Zoom In Zoom Out Reset image size

• Step (1)  
  We estimate the detection rates of pulses from the observed data based on interval estimation:

  $$\begin{eqnarray}&&{{\hat{M}}_{i}}:=X_{{\mbox{est}}}^{-}\left( {{N}_{i}},{{M}_{i}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 18 }$$

  $$\begin{eqnarray}&&{{\hat{M}}_{3}}:=X_{{\mbox{est}}}^{+}\left( {{N}_{1}},{{M}_{3}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 19 }$$

  for $i=0,1,2$.
• Step (2)  
  We estimate the partitions of several kinds of transmitted pulses by using per cent points:

  $$\begin{eqnarray}&&\hat{N}_{i}^{\left( 0 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{i}},{{e}^{-{{\mu }_{i}}}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 20 }$$

  $$\begin{eqnarray}&&\hat{N}_{i}^{\left( 1 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{i}},{{\mu }_{i}}{{e}^{-{{\mu }_{i}}}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 21 }$$

  $$\begin{eqnarray}&&\hat{N}_{2}^{\left( 2 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 22 }$$

  for i = 1, 2.
• Step (3)  
  We estimate the channel parameters from the partitions and the detection rates of several kinds of transmitted pulses by solving joint inequalities:

  $$\begin{eqnarray}&&{{\hat{q}}^{\left( 0 \right)}}\left( {{{\hat{M}}}_{0}} \right):=\frac{{{{\hat{M}}}_{0}}}{{{N}_{0}}}\end{eqnarray} \tag{ 23 }$$

  

  $$\begin{eqnarray}&&\hat{b}_{\times }^{\left( 1 \right)}\left( {\boldsymbol{\hat{M}}} ,\overrightarrow{{{\boldsymbol{\hat{N}}} }} \right):=\;{{\left[ \frac{{{{\hat{M}}}_{3}}-\frac{1}{2}{{{\hat{q}}}^{\left( 0 \right)}}\left( {{{\hat{M}}}_{0}} \right)\hat{N}_{1}^{\left( 0 \right)}}{\hat{N}_{1}^{\left( 1 \right)}} \right]}_{+}},\end{eqnarray} \tag{ 25 }$$

  where ${{\left[ x \right]}_{+}}:={\rm max} \left( x,0 \right).$
• Step (4)  
  We estimate the partition of detected pulses of raw keys from the channel parameters by using per cent points:

  $$\begin{eqnarray}&&{{\hat{J}}^{\left( 0 \right)}}:=X_{{\mbox{per}}}^{-}\left( {{N}_{s}},{{e}^{-{{\mu }_{s}}}}{{{\hat{q}}}^{\left( 0 \right)}},{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 26 }$$

  $$\begin{eqnarray}&&{{\hat{J}}^{\left( 1 \right)}}:=X_{{\mbox{per}}}^{-}\left( {{N}_{s}},{{e}^{-{{\mu }_{s}}}}{{\mu }_{s}}\left( \hat{a}_{\times }^{\left( 1 \right)}+\hat{b}_{\times }^{\left( 1 \right)} \right),{{2}^{-2\beta -8}} \right)\end{eqnarray} \tag{ 27 }$$

  $$\begin{eqnarray}&&\hat{r}_{\times }^{\left( 1 \right)}:=p_{{\mbox{per}}}^{+}\left( {{{\hat{J}}}^{\left( 1 \right)}},\frac{\hat{b}_{\times }^{\left( 1 \right)}}{\hat{a}_{\times }^{\left( 1 \right)}+\hat{b}_{\times }^{\left( 1 \right)}},{{2}^{-2\beta -8}} \right).\end{eqnarray} \tag{ 28 }$$
• Step (5)  
  We estimate the leaked information from the partition of detected pulses of raw keys by using the relation between the phase error and the security:

  $$\begin{eqnarray}&&{{\hat{\phi }}_{2}}:={{M}_{s}}-{{\hat{J}}^{\left( 0 \right)}}-{{\hat{J}}^{\left( 1 \right)}}\left( 1-h\left( {\rm min} \left\{ \hat{r}_{\times }^{\left( 1 \right)},1/2 \right\} \right) \right).\end{eqnarray} \tag{ 29 }$$
• Step (6)  
  We give the sacrifice bit-length from the leaked information:

  $$\begin{eqnarray}S:=\;\left\{ \begin{array}{ccccccccccccccc} {{{\hat{\phi }}}_{2}}+2\beta +5 & {\mbox{if}}\;{\mbox{conditions}}\;1,2\;{\mbox{and}}\;3\;{\mbox{given}}\;{\mbox{in}}\;{\mbox{appendix}}\;{\mbox{B}}\;{\mbox{hold}}. \\ {\rm dim}\;{{C}_{1}} & {\mbox{otherwise}}. \\ \end{array} \right.\end{eqnarray} \tag{ 30 }$$

  That is, when one of the conditions 1, 2 and 3 does not hold, we abort the protocol.

(Adjustment of for non-improved formula).

Remark 4 When the vacuum pulse has a possibility of containing a non-vacuum state, we cannot apply the above formula ${{\hat{q}}^{\left( 0 \right)}}$. Hence, we need it to be adjusted. Assume that the vacuum pulse becomes a non-vacuum state with a probability q. In this case, we replace ${{\hat{q}}^{\left( 0 \right)}}$ by

$$\begin{eqnarray}&&{{\hat{q}}^{\left( 0 \right)}}\left( {{M}_{0}} \right):=p_{{\mbox{est}}}^{+}\left( {{N}_{0}}-X_{{\mbox{per}}}^{+}\left( {{N}_{0}},q,{{2}^{-2\beta -8}} \right),{{M}_{0}}-X_{{\mbox{per}}}^{+}\left( {{N}_{0}},q,{{2}^{-2\beta -8}} \right),{{2}^{-2\beta -8}} \right).\end{eqnarray} \tag{ 31 }$$

Now, we consider the case when an eavesdropper might exist. In this case, even if we choose ${{\mu }_{1}}$, ${{\mu }_{2}}$, ${{N}_{0}}$, ${{N}_{1}}$, ${{N}_{2}}$ suitably, the eavesdropper might control the channel parameters ${{\bar{q}}^{\left( 0 \right)}}$, ${\boldsymbol{\bar{a}}}$ and ${\boldsymbol{\bar{b}}}$ so that conditions 2 and 3 do not hold. Hence, we need to prepare a method to smoothly decide whether conditions 2 and 3 hold. The detailed version [59] shows that the non-improved formula satisfies the (17).

5.2. Numerical analysis

Next, we carry out numerical analysis. In this subsection, we employ the improved formula of the sacrifice-bit length given in appendix C instead of the non-improved formula because the improved formula yields a better rate. In the following, we consider only the case when the perfect vacuum state is available and the signal intensity is ${{\mu }_{2}}$, the decoy intensity is ${{\mu }_{1}}$, i.e., ${{\mu }_{s}}={{\mu }_{2}}$, ${{N}_{s}}={{N}_{s,2}}$, and ${{M}_{s}}={{M}_{s,2}}$. This is because this case is better than the opposite case in the asymptotic case as is shown in the paper [49]. We also choose the parameters as ${{N}_{0}}={{N}_{1}}={{N}_{2}}={{N}_{s,2}}/10$, and $\beta =80$, i.e., the trace norm is less than ${{2}^{-80}}$.

It is natural to assume that the measured values ${{M}_{0}}$, ${{M}_{1}}$, ${{M}_{2}}$, ${{M}_{3}}$, and ${{N}_{s,2}}$ are given as functions of ${{M}_{s,2}}$ in the following way

$$\begin{eqnarray}&&{{M}_{0}}={{p}_{0}}{{N}_{0}},\quad {{M}_{1}}=\left( {{p}_{1,\times }}-{{s}_{1,\times }} \right){{N}_{1}}\end{eqnarray} \tag{ 32 }$$

$$\begin{eqnarray}&&{{M}_{2}}=\left( {{p}_{2,\times }}-{{s}_{2,\times }} \right){{N}_{2}},\quad {{M}_{3}}={{s}_{1,\times }}{{N}_{1}},\quad {{N}_{s,2}}={{M}_{s,2}}/{{p}_{2,+}}.\end{eqnarray} \tag{ 33 }$$

We also assume that the channel parameters, i.e., the detection rates ${{p}_{i,\times }}$ and ${{p}_{i,+}}$ of ${{\mu }_{i}}$-intensity pulses with the bases × and $+$ and the rates ${{s}_{i,\times }}$ and ${{s}_{i,+}}$ of the detected ${{\mu }_{i}}$-intensity pulses having phase error to the transmitted ${{\mu }_{i}}$-intensity pulses swith the bases × and $+$ as follows [50, 51].

$$\begin{eqnarray}\begin{array}{ll} {} & {} & {{p}_{i,+}}={{p}_{i,\times }}=1-{{e}^{-\alpha {{\mu }_{i}}}}+{{p}_{0}}, \\ {} & {} & {{s}_{i,+}}={{s}_{i,\times }}=s\left( 1-{{e}^{-\alpha {{\mu }_{i}}}} \right)+\frac{{{p}_{0}}}{2}, \\ \end{array}\end{eqnarray} \tag{ 34 }$$

where α is the total transmission including the quantum efficiency of the detector, and s is the error due to the imperfection of the optical system. In the following, we choose $\alpha =1.0\times {{10}^{-3}}$, ${{p}_{0}}=4.0\times {{10}^{-7}}$, s = 0.03. Then, we consider the key generation rate with finite-length:

$$\begin{eqnarray}&&{{R}_{2,f}}:=\frac{{{M}_{s,2}}-S-\eta h\left( \frac{{{s}_{1,+}}}{{{p}_{1,+}}} \right){{M}_{s,2}}}{{{N}_{s,2}}},\end{eqnarray} \tag{ 35 }$$

where S is the sacrifice bit-length and $\eta =1.1$.

Since the required value ${{2}^{-80}}$ is too small and the sizes ${{N}_{0}},{{N}_{1}},{{N}_{2}},{{M}_{s}}$ are too large, the exact calculations of the values $X_{{\mbox{per}}}^{\pm }\left( N,p,\alpha \right)$, $X_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$, and $p_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$ take too much time. So, instead of the exact calculation, we employ the bounds of these values based on the Chernoff bound, which require a smaller number of calculations and are summarized in appendices E and F. Indeed, when N is large enough, the exact values of $X_{{\mbox{per}}}^{\pm }\left( N,p,\alpha \right)$, $X_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$, and $p_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$ are sufficiently close to the values based on the Chernoff bound for our purpose because the difference between the exact values $X_{{\mbox{per}}}^{\pm }\left( N,p,\alpha \right)$, $X_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$ and their values based on the Chernoff bound behaves with the order ${\rm log} N$.

As is illustrated in figures 3 and 4 with ${{\mu }_{1}}=0.1$, $\alpha =1/1000$, ${{p}_{0}}=0.000\;0004$, $\eta =1.1$, the key generation rate is close to the asymptotic key generation rate ${{R}_{2}}\left( {{\mu }_{1}},{{\mu }_{2}} \right)$ when the length of the code ${{M}_{s,2}}$ is increasing. As is shown in [49], the asymptotic key generation rate is monotonically decreasing with respect to ${{\mu }_{1}}$. However, as is illustrated in figure 5 with $\alpha =1/1000$, ${{p}_{0}}=0.000\;0004$, $\eta =1.1$, the key generation rate is not monotonically decreasing with respect to ${{\mu }_{1}}$ when the length of the code ${{M}_{s,2}}$ is not sufficiently large. That is, too small ${{\mu }_{1}}$ does not give a good key generation rate. This is because smaller ${{\mu }_{1}}$ yields a larger estimation error.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Unfortunately, many realized quantum key distribution systems have fluctuation for the intensities. The formulas of the secure sacrifice bit-length given in section 5 can guarantee the security (17) when the partitions of ${{N}_{1}}$ pulses and ${{N}_{2}}$ pulses obey the Poisson distribution with a fixed intensity. However, when the intensities have fluctuation, we have to derive the sacrifice bit-length by taking into account this factor. That is, we need to discuss the distribution for ${\boldsymbol{\vec{N}}}$ in the different way. In appendix D, we give a modified formula for the sacrifice bit-length by taking into account the statistical fluctuation for the intensities.

Now, we numerically apply the modified formula given in appendix D to the case when two intensities ${{\mu }_{1}}$ and ${{\mu }_{2}}$ independently and identically obey the Gaussian distributions with the averages $\overline{{{\mu }_{1}}}$ and $\overline{{{\mu }_{2}}}$ and the standard deviations $\overline{{{\mu }_{1}}}t$ and $\overline{{{\mu }_{2}}}t$, respectively, because these fluctuations are usually caused by thermal noise. That is, we assume the value t is independent of the intensity. This assumption holds if the weak pulses are obtained from strong light pulses with a well-calibrated attenuator; the error originates mainly from the intensity fluctuation of the light source. In the following, we consider only the case when the signal intensity is ${{\mu }_{2}}$ and the decoy intensity is ${{\mu }_{1}}$, i.e., ${{\mu }_{s}}={{\mu }_{2}}$, ${{N}_{s}}={{N}_{s,2}}$, and ${{M}_{s}}={{M}_{s,2}}$. We also choose the parameters as ${{N}_{0}}={{N}_{1}}={{N}_{2}}={{N}_{s,2}}/10$, and $\beta =80$, i.e., the trace norm is less than ${{2}^{-80}}$.

In order to calculate the sacrifice bit-length given above, we need ${\mbox{E}}\left[ {{e}^{{{\mu }_{i}}}} \right]$, ${\mbox{E}}\left[ {{\mu }_{i}}{{e}^{{{\mu }_{i}}}} \right]$, ${\mbox{E}}\left[ \mu _{i}^{2}{{e}^{{{\mu }_{i}}}} \right]$, and ${{\omega }_{2}}$, which can be easily calculated from the formulas given in appendix H. In this case, due to (G.6), it is natural to assume that the measured values ${{M}_{0}}$, ${{M}_{1}}$, ${{M}_{2}}$, and ${{M}_{3}}$ are given by (32) and (33) when ${{p}_{i,+}}$, ${{p}_{i,\times }}$, ${{s}_{i,+}}$, and ${{s}_{i,\times }}$ are given as

$$\begin{eqnarray}&&{{p}_{i,+}}={{p}_{i,\times }}=1-{\mbox{E}}\left[ {{e}^{-\alpha {{\mu }_{i}}}} \right]+{{p}_{0}}=1-{{e}^{\frac{2\alpha \overline{{{\mu }_{i}}}-{{\alpha }^{2}}{{t}^{2}}{{\overline{{{\mu }_{1}}}}^{2}}}{2}}}+{{p}_{0}}\end{eqnarray} \tag{ 36 }$$

$$\begin{eqnarray}&&{{s}_{i,+}}={{s}_{i,\times }}=s\left( 1-{\mbox{E}}\left[ {{e}^{-\alpha {{\mu }_{i}}}} \right] \right)+\frac{{{p}_{0}}}{2}=s\left( 1-{{e}^{\frac{2\alpha \overline{{{\mu }_{i}}}-{{\alpha }^{2}}{{t}^{2}}{{\overline{{{\mu }_{1}}}}^{2}}}{2}}} \right)+\frac{{{p}_{0}}}{2}.\end{eqnarray} \tag{ 37 }$$

Hence, we choose ${{N}_{s,2}}$ to be ${{M}_{s,2}}/{{p}_{2,+}}$. Under this assumption, substituting the sacrifice bit-length given above into the key generation rate ${{R}_{f,2}}$ given in (35), we obtain the numerical calculation in figures 6 and 7. These numerical results suggest that when the standard deviation is less than 10% of the average, the fluctuations of intensities do not cause serious decrease of the key generation rate. Here, similar to subsection 5.2, we employ the bounds of $X_{{\mbox{per}}}^{\pm }\left( N,p,\alpha \right)$, $X_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$, and $p_{{\mbox{est}}}^{\pm }\left( N,k,\alpha \right)$ given in appendices E and F.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

In this paper, under the BB84 protocol with the decoy method, based on several observed values, we have derived the required sacrifice bit-length $S\left( {\boldsymbol{M}} \right)={{\hat{\phi }}_{2}}\left( {\boldsymbol{M}} \right)+2\beta +5$, where ${{\hat{\phi }}_{2}}\left( {\boldsymbol{M}} \right)$ is given in step (6). Under the above sacrifice bit-length, we have shown that the final keys satisfy the security condition $\shortparallel {{\rho }_{A,E}}-{{\rho }_{{\mbox{ideal}}}}{{\shortparallel }_{1}}\leqslant {{2}^{-\beta }}$ when the parameters ${{\mu }_{1}}$, ${{\mu }_{2}}$, ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ satisfy condition 1. Hence, in order to apply our formula, we need to choose the parameters ${{\mu }_{1}}$, ${{\mu }_{2}}$, ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ so that condition 1 holds. This is a definitive requirement for our analysis. However, when we choose sufficiently large integers ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ for the two values ${{\mu }_{1}}$ and ${{\mu }_{2}}-{{\mu }_{1}}$, condition 1 holds. Indeed, when the two positive values ${{\mu }_{1}}$ and ${{\mu }_{2}}-{{\mu }_{1}}$ are quite small, we need to choose quite large integers ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$. As the second requirement, we need to choose the parameters ${{\mu }_{1}}$, ${{\mu }_{2}}$, ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ so that conditions 2 and 3 hold with a high probability when there is no eavesdropper. This requirement is also satisfied when the integers ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ are sufficiently large and the noise in the channel is sufficiently small. Indeed, it is not so difficult to realize sufficiently large ${{N}_{s}}$, ${{N}_{0}}$, ${{N}_{1}}$, and ${{N}_{2}}$ for these requirements because a universal$_{2}$hash function (or an ε-almost dual universal$_{2}$hash function) with a large size can be implemented with a small cost [48].

Since the decoy method has so many parameters, it is quite difficult to derive tight evaluation. The proposed method might be improved by modifying several points. However, such a modification might make the protocol more complex. For example, while we treat the failure probability of phase error correction and the estimation error probability, separately, The paper [34] treated them jointly. In order to keep the simplicity, it is better to treat these terms separately. Further, we proposed to treat the probability based on the hypergeometric distribution by using the binomial distribution. If we treat the probabilities given with the hypergeometric distribution, we obtain a better evaluation, but our analysis becomes much harder.

Therefore, we have to consider the trade-off between the complexity and the tightness of our evaluation. This kind of trade-off cannot be ignored from an industrial view point. If the protocol is more complex, the cost for maintenance becomes higher. In particular, when we change the arrangement of the total system or we change the parameter of the system, we have to rewrite the program for calculating the sacrifice bit-length. If the protocol is simple, the change can be easily done. Otherwise, it creates some additional cost. Hence, we have to take into account this trade-off. This paper has treated this trade-off heuristically.

However, its systematic treatment might be partially possible in the following sense. Assume that we employ Rennerʼs formalism instead of the phase error correction formalism. If we parametrize the channel with more parameters to be estimated, the asymptotic key generation rate becomes better. One might consider that, if the number of parameters describing the model increases, we obtain a better estimation of the model. However, it is considered that it is not true in statistics. This is because if we do not have enough data to characterize so many parameters, we obtain a larger error. In order to resolve this problem, we have to treat the trade-off between the error and the number of parameters. Such a problem is called the model selection. In order to treat this problem quantitatively, we can use several information criteria, e.g., Akaike information criterion (AIC) [42], Takeuchi information criterion (TIC) [43], and minimum description length principle (MDL) [44]. If we employ Rennerʼs formalism, and increase the number of channel parameters for a precise description of the channel, we need to consider this kind of trade-off. Currently, it is not known that what kind of information criterion is suitable for the above trade-off.

MH thanks Professor Masahide Sasaki, Professor Akihisa Tomita, Dr Toyohiro Tsurumaru, Professor Ryutaroh Matsumoto, Dr Kiyoshi Tamaki, and Dr Wataru Kumagai for valuable comments. He is partially supported by a MEXT Grant-in-Aid for Scientific Research (A) grant no 23246071. He is also partially supported by the National Institute of Information and Communication Technology (NICT), Japan. The Center for Quantum Technologies is funded by the Singapore Ministry of Education and the National Research Foundation as part of the Research Centres of Excellence programme. The authors are grateful to the referee for his helpful comments.

The Chernoff bound is an upper bound of the error probability. As is explained in appendices appendix E and F, it requires quite a small number of calculations. Hence, using the Chernoff bound, we can derive upper and lower estimates of the true parameter. Since the Chernoff bound is not the tight bound of the error probability, these upper and lower estimates are looser than the exact interval estimation. Then, some readers might consider that this drawback of the Chernoff bound is crucial because we require that the universal composability criterion is less than ${{2}^{-80}}$. This case requires very small error probabilities for phase error correction. Even in this case, when the size of obtained data is sufficiently large, these upper and lower estimates are sufficiently close to the exact interval estimation for the following reason. Hence, this drawback of the Chernoff bound is not crucial. Therefore, we can conclude that we should employ the Chernoff bound due to the advantage of requiring few calculations.

The following is the reason why the upper and lower estimates given by the Chernoff bound are sufficiently close to the exact interval estimation. The rate of the Chernoff bound to the true error probability behaves polynomially with respect to the size of data. In particular, in the binary case, the rate behaves linearly with respect to the size of data. Hence, even when the required error probabilities are very small, when the size of obtained data is sufficiently large, these upper and lower estimates are sufficiently close to the exact interval estimation.

Now, we describe conditions 1, 2, and 3, which are used in our sacrifice bit-length formula. In order to give these conditions, we define the set ${{\Omega }_{1}}$ as the set of ${\boldsymbol{\vec{N}}}$ satisfying

$$\begin{eqnarray}&&N_{1}^{\left( 0 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{e}^{-{{\mu }_{1}}}},{{2}^{-2\beta -8}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{{e}^{-{{\mu }_{1}}}},{{2}^{-2\beta -8}} \right) \right]\end{eqnarray} \tag{ B.1 }$$

$$\begin{eqnarray}&&N_{1}^{\left( 1 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{\mu }_{1}}{{e}^{-{{\mu }_{1}}}},{{2}^{-2\beta -8}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{{\mu }_{1}}{{e}^{-{{\mu }_{1}}}},{{2}^{-2\beta -8}} \right) \right]\end{eqnarray} \tag{ B.2 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 0 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right) \right]\end{eqnarray} \tag{ B.3 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 1 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\mu }_{2}}{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{\mu }_{2}}{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right) \right]\end{eqnarray} \tag{ B.4 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 2 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-2\beta -8}} \right) \right].\end{eqnarray} \tag{ B.5 }$$

Condition 1. Any element ${\boldsymbol{\vec{N}}} \in {{\Omega }_{1}}$ satisfies

$$\begin{eqnarray*} && X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-2\beta-8}\right) X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-2\beta-8}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-2\beta-8}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-2\beta-8}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,\mu_2 e^{-\mu_2},2^{-2\beta-8}\right), \\ && X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-2\beta-8}\right) X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-2\beta-8}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-2\beta-8}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-2\beta-8}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,e^{-\mu_2},2^{-2\beta-8}\right), \\ && \frac{X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-2\beta-8}\right)}{N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-2\beta-8}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-2\beta-8}\right)} + \frac{X_{{\rm{per}}}^{-}\left(N_2,e^{-\mu_2},2^{-2\beta-8}\right)}{X_{{\rm{per}}}^{+}\left(N_1,e^{-\mu_1},2^{-2\beta-8}\right)} \\ &&\qquad > \frac{2 X_{{\rm{per}}}^{+}\left(N_2,\mu_2 e^{-\mu_2},2^{-2\beta-8}\right)}{X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-2\beta-8}\right)}. \end{eqnarray*}$$

Condition 2. For any ${\boldsymbol{\vec{N}}} \in {{\Omega }_{1}}$, all of the following values are positive.

$$\begin{eqnarray*} A^{\left(0\right)}_1&:=&{ \hat{M}_2 - \hat{q}^{\left(0\right)} \left(N^{\left(0\right)}_2 +N^{\left(2\right)}_2\right)/ 2} - N_2^{\left(1\right)} \frac{ N^{\left(2\right)}_2\left(\hat{M}_1 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_1 / 2\right) -N^{\left(2\right)}_1 \left(\hat{M}_2 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_2 / 2\right) }{N^{\left(1\right)}_1 N^{\left(2\right)}_2- N^{\left(1\right)}_2 N^{\left(2\right)}_1} ,\\ A^{\left(1\right)}_1&:=&{ \hat{M}_2 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_2 / 2} - \left(N_2^{\left(2\right)}+N_2^{\left(1\right)}\right) \frac{ N^{\left(2\right)}_2\left(\hat{M}_1 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_1 / 2\right) -N^{\left(2\right)}_1 \left(\hat{M}_2 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_2 / 2\right) }{N^{\left(1\right)}_1 N^{\left(2\right)}_2- N^{\left(1\right)}_2 N^{\left(2\right)}_1} , \\ A^{\left(1\right)}_2&:=&\frac{N^{\left(2\right)}_1\left(N^{\left(2\right)}_2\left(\hat{M}_1 - \frac{\hat{q}^{\left(0\right)}}{2} N^{\left(0\right)}_1\right)- N^{\left(2\right)}_1 \left(\hat{M}_2 - \frac{\hat{q}^{\left(0\right)}}{2} N^{\left(0\right)}_2\right) \right) }{N^{\left(1\right)}_1 N^{\left(2\right)}_2- N^{\left(1\right)}_2 N^{\left(2\right)}_1}, \\ A^{\left(2\right)}_2&:=& { \hat{M}_1 - \frac{\hat{q}^{\left(0\right)}}{2} N^{\left(0\right)}_1} - \frac{ N^{\left(1\right)}_1\left( N^{\left(2\right)}_2 \left(\hat{M}_1 - \frac{\hat{q}^{\left(0\right)}}{2} N^{\left(0\right)}_1\right) - N^{\left(2\right)}_1 \left(\hat{M}_2 - \frac{\hat{q}^{\left(0\right)}}{2} N^{\left(0\right)}_2\right) \right) }{N^{\left(1\right)}_1 N^{\left(2\right)}_2- N^{\left(1\right)}_2 N^{\left(2\right)}_1} \\ B^{\left(1\right)}_1 &:=& { \hat{M}_3 - \hat{q}^{\left(0\right)} N^{\left(0\right)}_1 /2}. \end{eqnarray*}$$

Condition 3. Any element ${\boldsymbol{\vec{N}}} \in {{\Omega }_{1}}$ satisfies

$$\begin{eqnarray}&&\frac{\hat{b}_{\times }^{\left( 1 \right)}\left( {\boldsymbol{\hat{M}}} ,{\boldsymbol{\vec{N}}} \right)}{\hat{a}_{\times }^{\left( 1 \right)}\left( {\boldsymbol{\hat{M}}} ,{\boldsymbol{\vec{N}}} \right)+\hat{b}_{\times }^{\left( 1 \right)}\left( {\boldsymbol{\hat{M}}} ,{\boldsymbol{\vec{N}}} \right)}\leqslant \frac{1}{8}.\end{eqnarray} \tag{ B.6 }$$

Here, we should remark that condition 1 is given for the initial parameters $\beta ,{{\mu }_{1}},{{\mu }_{2}},{{N}_{1}},{{N}_{2}}$ while conditions 2 and 3 are given for the observed values ${\boldsymbol{M}} =\left( {{M}_{s}},{{M}_{0}},{{M}_{1}},{{M}_{2}},{{M}_{3}} \right)$ as well as the initial parameters $\beta ,{{\mu }_{1}},{{\mu }_{2}},{{N}_{0}},{{N}_{1}},{{N}_{2}}$. Hence, it is required to choose the initial parameters $\beta ,{{\mu }_{1}},{{\mu }_{2}},{{N}_{1}},{{N}_{2}}$ satisfying condition 1. Further, we need to choose the initial parameters $\beta ,{{\mu }_{1}},{{\mu }_{2}},{{N}_{0}},{{N}_{1}},{{N}_{2}}$ so that conditions 2 and 3 hold with high probability.

Since the formula given in section 5.1 requires too long an error margin, an improved formula is required. Hence, by reducing the error margin, we replace steps (1), (2), (4), condition 1, and the definition of the set ${{\Omega }_{1}}$ as follows. That is, conditions 2 and 3 are replaced by the conditions based on the improved version of ${{\Omega }_{1}}$. The formula given here for the sacrifice bit-length is called the improved formula. The detailed version [59] explains why the improvement is possible. That is, it shows that the improved formula also guarantees the (17).

• Step (1)  
  We replace the estimated detection rates of pulses in the following way:

  $$\begin{eqnarray}&&{{\hat{M}}_{0}}:=X_{{\mbox{est}}}^{-}\left( {{N}_{0}},{{M}_{0}},{{2}^{-\beta -6}} \right),\end{eqnarray} \tag{ C.1 }$$

  $$\begin{eqnarray}&&{{\hat{M}}_{1}}:=X_{{\mbox{est}}}^{-}\left( {{N}_{1}},{{M}_{1}},{{2}^{-2\beta -7}} \right),\end{eqnarray} \tag{ C.2 }$$

  $$\begin{eqnarray}&&{{\hat{M}}_{2}}:=X_{{\mbox{est}}}^{+}\left( {{N}_{2}},{{M}_{2}},{{2}^{-2\beta -7}} \right),\end{eqnarray} \tag{ C.3 }$$

  $$\begin{eqnarray}&&{{\hat{M}}_{3}}:=X_{{\mbox{est}}}^{+}\left( {{N}_{1}},{{M}_{3}},{{2}^{-2\beta -7}} \right).\end{eqnarray} \tag{ C.4 }$$
• Step (2)  
  We replace the estimated partitions of several kinds of transmitted pulses in the following way:

  $$\begin{eqnarray}&&\hat{N}_{1}^{\left( 0 \right)}=X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.5 }$$

  $$\begin{eqnarray}&&\hat{N}_{1}^{\left( 1 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{\mu }_{1}}{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.6 }$$

  $$\begin{eqnarray}&&\hat{N}_{2}^{\left( 0 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.7 }$$

  $$\begin{eqnarray}&&\hat{N}_{2}^{\left( 1 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\mu }_{2}}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.8 }$$

  $$\begin{eqnarray}&&\hat{N}_{2}^{\left( 2 \right)}:=X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right).\end{eqnarray} \tag{ C.9 }$$
• Step (4)  
  We replace the estimated partition of detected pulses and the estimated phase error rate of the single photon of raw keys in the following way:

  $$\begin{eqnarray}&&{{\hat{J}}^{\left( 0 \right)}}:=X_{{\mbox{per}}}^{-}\left( {{N}_{s}},{{e}^{-{{\mu }_{s}}}}{{{\hat{q}}}^{\left( 0 \right)}},{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.10 }$$

  $$\begin{eqnarray}&&{{\hat{J}}^{\left( 1 \right)}}:=X_{{\mbox{per}}}^{-}\left( {{N}_{s}},{{e}^{-{{\mu }_{s}}}}{{\mu }_{s}}\left( \hat{a}_{\times }^{\left( 1 \right)}+\hat{b}_{\times }^{\left( 1 \right)} \right),{{2}^{-\beta -6}} \right)\end{eqnarray} \tag{ C.11 }$$

  $$\begin{eqnarray}&&\hat{r}_{\times }^{\left( 1 \right)}:=p_{{\mbox{per}}}^{+}\left( {{{\hat{J}}}^{\left( 1 \right)}},\frac{\hat{b}_{\times }^{\left( 1 \right)}}{\hat{a}_{\times }^{\left( 1 \right)}+\hat{b}_{\times }^{\left( 1 \right)}},{{2}^{-2\beta -7}} \right).\end{eqnarray} \tag{ C.12 }$$

The definition of the set ${{\Omega }_{1}}$ is replaced by the set of ${\boldsymbol{\vec{N}}}$ satisfying

$$\begin{eqnarray}&&N_{1}^{\left( 0 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right) \right]\end{eqnarray} \tag{ C.13 }$$

$$\begin{eqnarray}&&N_{1}^{\left( 1 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{{\mu }_{1}}{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{{\mu }_{1}}{{e}^{-{{\mu }_{1}}}},{{2}^{-\beta -6}} \right) \right]\end{eqnarray} \tag{ C.14 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 0 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right) \right]\end{eqnarray} \tag{ C.15 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 1 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\mu }_{2}}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{\mu }_{2}}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right) \right]\end{eqnarray} \tag{ C.16 }$$

$$\begin{eqnarray}&&N_{2}^{\left( 2 \right)}\in \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{{\omega }_{2}}\mu _{2}^{2}{{e}^{-{{\mu }_{2}}}},{{2}^{-\beta -6}} \right) \right].\end{eqnarray} \tag{ C.17 }$$

condition 1 is replaced as follows.

Condition 1. Any element ${\boldsymbol{\vec{N}}} \in {{\Omega }_{1}}$ satisfies

$$\begin{eqnarray*} && X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-\beta-6}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,\mu_2 e^{-\mu_2},2^{-\beta-6}\right), \\ && X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-\beta-6}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,e^{-\mu_2},2^{-\beta-6}\right), \\ && \frac{X_{{\rm{per}}}^{-}\left(N_2,\omega_2 \mu_2^2 e^{-\mu_2},2^{-\beta-6}\right)}{N_1- X_{{\rm{per}}}^{-}\left(N_1,e^{-\mu_1},2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-\beta-6}\right)} + \frac{X_{{\rm{per}}}^{-}\left(N_2,e^{-\mu_2},2^{-\beta-6}\right)}{X_{{\rm{per}}}^{+}\left(N_1,e^{-\mu_1},2^{-\beta-6}\right)} \\ &&\qquad > \frac{2 X_{{\rm{per}}}^{+}\left(N_2,\mu_2 e^{-\mu_2},2^{-\beta-6}\right)}{X_{{\rm{per}}}^{-}\left(N_1,\mu_1 e^{-\mu_1},2^{-\beta-6}\right)}. \end{eqnarray*}$$

Remark 5 When the vacuum pulse has a possibility of containing a non-vacuum state, we cannot apply the above formula ${{\hat{q}}^{\left( 0 \right)}}$. Hence, we need to adjust it. Assume that the vacuum pulse becomes a non-vacuum state with a probability q. In this case, we replace ${{\hat{q}}^{\left( 0 \right)}}$ by

$$\begin{eqnarray}&&{{\hat{q}}^{\left( 0 \right)}}\left( {{M}_{0}} \right):=p_{{\mbox{est}}}^{+}\left( {{N}_{0}}-X_{{\mbox{per}}}^{+}\left( {{N}_{0}},q,{{2}^{-\beta -6}} \right),{{M}_{0}}-X_{{\mbox{per}}}^{+}\left( {{N}_{0}},q,{{2}^{-\beta -6}} \right),{{2}^{-\beta -6}} \right).\end{eqnarray} \tag{ C.18 }$$

D.1. Modifications of ${{\rho }_{2}}$, ${{\rho }_{3}}$, ${{\omega }_{2}}$, and ${{\omega }_{3}}$

In the following, we modify the definition of ${{\rho }_{2}}$ properly because the definition of ${{\rho }_{2}}$ given in (11) depends on the intensity ${{\mu }_{1}}$. We assume that the intensities ${{\mu }_{1}}$ and ${{\mu }_{2}}$ independently obey independent and identical distributions of the distributions ${{P}_{1}}$ and ${{P}_{2}}$ satisfying the following condition. For any integer $n\geqslant 3$, the relation

$$\begin{eqnarray*}&&{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]\geqslant {\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]\end{eqnarray*}$$

holds, where ${\mbox{E}}$ denotes the expectation under the distributions ${{P}_{1}}$ and ${{P}_{2}}$. Under the above assumption, we have expansions for two kinds of pulses.

$$\begin{eqnarray}&&\mathop{\sum }\limits_{n=0}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]}{n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.={\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}} \right]\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.+{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}{{\mu }_{1}} \right]\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right.+{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]{{\omega }_{2}}{{\rho }_{2}},\end{eqnarray} \tag{ D.1 }$$

$$\begin{eqnarray}&&\begin{array}{r} \mathop{\sum }\limits_{n=0}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{n} \right]}{n!}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.={\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}} \right]\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.+{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}{{\mu }_{2}} \right]\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right. \\ \quad +{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]{{\omega }_{2}}{{\rho }_{2}}+{{\omega }_{3}}^{\prime} {{\rho }_{3}}, \\ \end{array}\end{eqnarray} \tag{ D.2 }$$

where

$$\begin{eqnarray}&&{{\rho }_{2}}:=\frac{1}{{{\omega }_{2}}}\mathop{\sum }\limits_{n=2}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]}{n!{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.\end{eqnarray} \tag{ D.3 }$$

$$\begin{eqnarray}&&{{\rho }_{3}}:=\frac{1}{{{\omega }_{3}}^{\prime} }\mathop{\sum }\limits_{n=3}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]-{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]}{n!{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}\left| {} \right.n\left. {} \right\rangle \left\langle {} \right.n\left| {} \right.\end{eqnarray} \tag{ D.4 }$$

$$\begin{eqnarray}&&{{\omega }_{2}}:=\mathop{\sum }\limits_{n=2}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]}{n!{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}\end{eqnarray} \tag{ D.5 }$$

$$\begin{eqnarray}&&{{\omega }_{3}}^{\prime} :=\mathop{\sum }\limits_{n=3}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]-{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]}{n!{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}.\end{eqnarray} \tag{ D.6 }$$

Indeed, our analysis in the previous sections uses the expansions (11) and (34) and their coefficients. Hence, replacing expansions (11) and (34) by expansions (D.1) and (D.2), we can apply the discussion with suitable modifications in the following way. (A similar idea was used in Wang [15, 16].)

D.2. Modifications of the set ${{\Omega }_{1}}$ and the estimate ${{{\boldsymbol{\hat{N}}} }_{1}}$ and ${{{\boldsymbol{\hat{N}}} }_{2}}$

We redefine the set ${{\Omega }_{1}}$ as the set of ${\boldsymbol{\vec{N}}}$ satisfying

$$\begin{eqnarray*}\begin{array}{rcl} N_{1}^{\left( 0 \right)} & \in & \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right) \right] \\ N_{1}^{\left( 1 \right)} & \in & \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{\mbox{E}}\left[ {{\mu }_{1}}{{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{1}},{\mbox{E}}\left[ {{\mu }_{1}}{{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right) \right] \\ N_{2}^{\left( 0 \right)} & \in & \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right) \right] \\ N_{2}^{\left( 1 \right)} & \in & \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{\mu }_{2}}{{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{\mbox{E}}\left[ {{\mu }_{2}}{{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right) \right] \\ N_{2}^{\left( 2 \right)} & \in & \left[ X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]{{\omega }_{2}},{{2}^{-\beta -6}} \right),X_{{\mbox{per}}}^{+}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]{{\omega }_{2}},{{2}^{-\beta -6}} \right) \right]. \\ \end{array}\end{eqnarray*}$$

We also redefine ${{{\boldsymbol{\hat{N}}} }_{1}}$ and ${{{\boldsymbol{\hat{N}}} }_{2}}$ in the following way.

$$\begin{eqnarray*}\begin{array}{rcl} \hat{N}_{1}^{\left( 0 \right)} & := & X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right) \\ \hat{N}_{1}^{\left( 1 \right)} & := & X_{{\mbox{per}}}^{-}\left( {{N}_{1}},{\mbox{E}}\left[ {{\mu }_{1}}{{e}^{-{{\mu }_{1}}}} \right],{{2}^{-\beta -6}} \right) \\ \end{array}\begin{array}{ccccccccccccccc} \hat{N}_{2}^{\left( 0 \right)} & := & X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right) \\ \hat{N}_{2}^{\left( 1 \right)} & := & X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{\mu }_{2}}{{e}^{-{{\mu }_{2}}}} \right],{{2}^{-\beta -6}} \right) \\ \hat{N}_{2}^{\left( 2 \right)} & := & X_{{\mbox{per}}}^{-}\left( {{N}_{2}},{\mbox{E}}\left[ {{e}^{-{{\mu }_{2}}}}\mu _{2}^{2} \right]{{\omega }_{2}},{{2}^{-\beta -6}} \right). \\ \end{array}\end{eqnarray*}$$

D.3. Modifications of conditions 1, 2, and 3

Under the above modification, we change condition 1 as follows.

Condition 1. Any element ${\boldsymbol{\vec{N}}}$ in the modified set ${{\Omega }_{1}}$ satisfies

$$\begin{eqnarray*} && X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N_2, \omega_2 {\rm E} [ \mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [ e^{-\mu_1}],2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,{\rm E} [\mu_2 e^{-\mu_2}],2^{-\beta-6}\right),\\ && X_{{\rm{per}}}^{-}\left(N_2,\omega_2 {\rm E} [\mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N,{\rm E} [e^{-\mu_1}],2^{-\beta-6}\right) \\ &&\qquad > \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [e^{-\mu_1}],2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,{\rm E} [e^{-\mu_2}],2^{-\beta-6}\right),\\ && \frac{X_{{\rm{per}}}^{-}\left(N_2,\omega_2 {\rm E} [ \mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right)} {N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [e^{-\mu_1}],2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)} + \frac{X_{{\rm{per}}}^{-}\left(N_2,{\rm E} [e^{-\mu_2}],2^{-\beta-6}\right)}{X_{{\rm{per}}}^{+}\left(N_1,{\rm E} [e^{-\mu_1}],2^{-\beta-6}\right)} \\ &&\qquad > \frac{2 X_{{\rm{per}}}^{+}\left(N_2,{\rm E} [\mu_2 e^{-\mu_2}],2^{-\beta-6}\right)}{X_{{\rm{per}}}^{-}\left(N_1,{\rm E} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)}. \end{eqnarray*}$$

Conditions 2 and 3 are redefined in the term of ${{\Omega }_{1}}$ defined above.

Condition 2. For any element ${\boldsymbol{\vec{N}}}$ in the modified set ${{\Omega }_{1}}$, all of $A_{1}^{\left( 0 \right)}$, $A_{1}^{\left( 1 \right)}$, $A_{2}^{\left( 0 \right)}$, $A_{2}^{\left( 1 \right)}$, and $A_{2}^{\left( 2 \right)}$ are negative.

Condition 3. Any element ${\boldsymbol{\vec{N}}}$ in the modified set ${{\Omega }_{1}}$ satisfies the conditions in original condition 3.

D.4. Modifications of sacrifice bit-length S

Next, in order to modify the sacrifice bit-length S, we modify ${{\hat{J}}^{\left( 0 \right)}}$, ${{\hat{J}}^{\left( 1 \right)}}$, $\hat{r}_{\times }^{\left( 1 \right)}$, and ${{\hat{\phi }}_{1}}$ as follows.

$$\begin{eqnarray*} \hat{J}^{\left(0\right)}\left(\bar{q}^{\left(0\right)},N_s\right) &:=& X_{{\rm{per}}}^-\left(N_s,{\rm E} [e^{-\mu_s}] \bar{q}^{\left(0\right)},2^{-2\beta-8}\right)\\ \hat{J}^{\left(1\right)}\left(\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) &:=& X_{{\rm{per}}}^-\left(N_s,{\rm E} [e^{-\mu_s} \mu_s] \left(\bar{a}^{\left(1\right)}_{\times}+\bar{b}^{\left(1\right)}_{\times}\right),2^{-2\beta-8}\right)\\ \hat{r}^{\left(1\right)}_{\times}\left(\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) &:=& p_{{\rm{per}}}^+\left(\hat{J}^{\left(1\right)}\left(\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) , \frac{\bar{b}^{\left(1\right)}_{\times}}{\bar{a}^{\left(1\right)}_{\times}+\bar{b}^{\left(1\right)}_{\times}} , 2^{-2\beta-8}\right)\\ \hat{\phi}_1\left(\bar{q}^{\left(0\right)},\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) &:=& M_s-\hat{J}^{\left(0\right)}\left(\bar{q}^{\left(0\right)},N_s\right) \\ & &- \hat{J}^{\left(1\right)}\left(\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) \left(1- h\left(\min \left\{\hat{r}^{\left(1\right)}_{\times}\left(\bar{a}^{\left(1\right)}_{\times},\bar{b}^{\left(1\right)}_{\times},N_s\right) ,1/2\right\}\right) \right) . \end{eqnarray*}$$

Then, using the same functions ${{\hat{q}}^{\left( 0 \right)}}$, $\hat{a}_{\times }^{\left( 1 \right)}$, and $\hat{b}_{\times }^{\left( 1 \right)}$, we define ${{\hat{\phi }}_{2}}$ by (29).

Finally, we define the sacrifice bit-length S by (30) with modified conditions 1, 2, and 3. Then, the relation (17) holds. This fact can be shown by replacing the definitions of ${{\rho }_{2}}$ and ${{\rho }_{3}}$ and related parameters in the security proofs given in the detail version [59].

D.5. Extension to the case when the distributions of ${{\mu }_{2}}$ and ${{\mu }_{1}}$ are unknown

Next, we treat the case when there are several candidates for the distribution of ${{\mu }_{2}}$ and ${{\mu }_{1}}$ while ${{\mu }_{2}}$ and ${{\mu }_{1}}$ obey independent and identical distributions. The possible distributions are denoted by ${{P}_{\theta ,1}}$ and ${{P}_{\theta ,2}}$, and the expectation is written by ${{{\mbox{E}}}_{\theta }}$. Then, we denote the set ${{\Omega }_{1}}$ under the distribution ${{P}_{\theta }}$ by ${{\Omega }_{1,\theta }}$.

In this case, conditions 1 and 2 need to be satisfied for any θ. Hence, condition 1 is redefined as follows. That is, the following relations hold for any θ.

$$\begin{eqnarray*} && X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N_2,\omega_{2|\theta} {\rm E}_{\theta} [\mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right) \\ >&& \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [ e^{-\mu_1}],2^{-\beta-6}\right) - X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,{\rm E}_{\theta} [\mu_2 e^{-\mu_2}],2^{-\beta-6}\right),\\ && X_{{\rm{per}}}^{-}\left(N_2,\omega_{2|\theta} {\rm E}_{\theta} [\mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right) X_{{\rm{per}}}^{-}\left(N,{\rm E}_{\theta} [e^{-\mu_1}],2^{-\beta-6}\right) \\ >&& \left(N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [e^{-\mu_1}],2^{-\beta-6}\right) - X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)\right) X_{{\rm{per}}}^{+}\left(N_2,{\rm E}_{\theta} [e^{-\mu_2}],2^{-\beta-6}\right),\\ && \frac{X_{{\rm{per}}}^{-}\left(N_2,\omega_{2|\theta} {\rm E}_{\theta} [ \mu_2^2 e^{-\mu_2}],2^{-\beta-6}\right)} {N_1- X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [e^{-\mu_1}],2^{-\beta-6}\right) -X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)} + \frac{X_{{\rm{per}}}^{-}\left(N_2,{\rm E}_{\theta} [e^{-\mu_2}],2^{-\beta-6}\right)}{X_{{\rm{per}}}^{+}\left(N_1,{\rm E}_{\theta} [e^{-\mu_1}],2^{-\beta-6}\right)} \\ >&& \frac{2 X_{{\rm{per}}}^{+}\left(N_2,{\rm E}_{\theta} [\mu_2 e^{-\mu_2}],2^{-\beta-6}\right)}{X_{{\rm{per}}}^{-}\left(N_1,{\rm E}_{\theta} [\mu_1 e^{-\mu_1}],2^{-\beta-6}\right)}, \end{eqnarray*}$$

where ${{\omega }_{2\left| {} \right.\theta }}$ is ${{\omega }_{2}}$ with the distribution ${{P}_{\theta ,1}}$.

Further, we redefine condition 2 as the condition that all of $A_{1}^{\left( 0 \right)}$, $A_{1}^{\left( 1 \right)}$, $A_{2}^{\left( 0 \right)}$, $A_{2}^{\left( 1 \right)}$, and $A_{2}^{\left( 2 \right)}$ are negative for ${\boldsymbol{\vec{N}}} \in {{}_{\theta }}{{\Omega }_{1,\theta }}$. We define ${{\hat{\phi }}_{2,\theta }}$ to be ${{\hat{\phi }}_{2}}$ given in (29) when the true distributions are ${{P}_{\theta ,1}}$ and ${{P}_{\theta ,2}}$. Finally, we define the sacrifice bit-length S by ${{{\rm sup} }_{\theta }}{{\hat{\phi }}_{2,\theta }}+2\beta +5$ when modified conditions 1, 2, and 3 hold. Otherwise, we set S to be ${\rm dim}\;{{C}_{1}}$. Then, letting ${{\rho }_{A,E\left| {} \right.\theta }}$ be the final state with the true distributions ${{P}_{\theta ,1}}$ and ${{P}_{\theta ,2}}$, ${{\rho }_{{\mbox{ideal}}\left| {} \right.\theta }}$ be the ideal state, we obtain

$$\begin{eqnarray}&&\shortparallel {{\rho }_{A,E\left| {} \right.\theta }}-{{\rho }_{{\mbox{ideal}}\left| {} \right.\theta }}{{\shortparallel }_{1}}\leqslant {{2}^{-\beta }}.\end{eqnarray} \tag{ D.7 }$$

That is, the inequality holds for any θ.

In the following, we consider the case when the pulses are generated with the mixture of the plural independent and identical distributions ${{P}_{\theta ,1}}$ and ${{P}_{\theta ,2}}$, respectively. In this case, we define conditions 1, 2, and 3 in the above way. Then, the intensities of ${{N}_{s,1}}+{{N}_{1}}$ pulses are described by $\left( {{\mu }_{1,1}},\ldots ,{{\mu }_{1,{{N}_{s,1}}+{{N}_{1}}}} \right)$ and are subject to the distribution ${{\sum }_{\theta }}{{\lambda }_{\theta }}P_{\theta ,1}^{\times }\left( {{N}_{s,1}}+{{N}_{1}} \right)$, where ${{P}^{\times }}{{N}_{s,1}}$ is the ${{N}_{s,1}}$-fold independent and identical distribution of P. Similarly, the intensities of ${{N}_{s,2}}+{{N}_{2}}$ pulses are described by $\left( {{\mu }_{2,1}},\ldots ,{{\mu }_{2,{{N}_{s,2}}+{{N}_{2}}}} \right)$ and are subject to the distribution ${{\sum }_{\theta }}{{\lambda }_{\theta }}P_{\theta ,2}^{\times }\left( {{N}_{s,2}}+{{N}_{2}} \right)$. Then, we choose the sacrifice bit-length S to be ${{{\rm sup} }_{\theta }}{{\hat{\phi }}_{2,\theta }}\left( {\boldsymbol{M}} \right)+2\beta +5$ when modified conditions 1, 2, and 3 hold. Otherwise, we set S to be ${\rm dim}{{C}_{1}}$. Since the final state is ${{\sum }_{\theta }}{{\lambda }_{\theta }}{{\rho }_{A,E\left| {} \right.\theta }}$, we obtain

$$\begin{eqnarray}&&\shortparallel \left( \mathop{\sum }\limits_{\theta }{{\lambda }_{\theta }}{{\rho }_{A,E\left| {} \right.\theta }} \right)-\left( \mathop{\sum }\limits_{\theta }{{\lambda }_{\theta }}{{\rho }_{{\mbox{ideal}}\left| {} \right.\theta }} \right){{\shortparallel }_{1}}\leqslant \mathop{\sum }\limits_{\theta }{{\lambda }_{\theta }}\shortparallel {{\rho }_{A,E\left| {} \right.\theta }}-{{\rho }_{{\mbox{ideal}}\left| {} \right.\theta }}{{\shortparallel }_{1}}\leqslant {{2}^{-\beta }}.\end{eqnarray} \tag{ D.8 }$$

Hence, the universal composability criterion is upper bounded by ${{2}^{-\beta }}$.

First, we derive a lower bound of the lower per cent point $X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)$ with probability α by using the Chernoff inequality. When the random variable X obeys the binomial distribution ${\mbox{Bin}}\left( N,p \right)$, the Chernoff inequality

$$\begin{eqnarray}&&{{P}_{p}}\left\{ X\leqslant Nq \right\}\leqslant {\rm exp} (-ND\left( q\shortparallel p \right))\end{eqnarray} \tag{ E.1 }$$

holds with $q<p$, where the relative entropy $D\left( q\shortparallel p \right)$ is defined as $q{\rm log} \frac{q}{p}+\left( 1-q \right){\rm log} \frac{1-q}{1-p}$, where ${{P}_{p}}$ is the distribution when the success probability with one trial is p.

Hence, letting ${{q}^{-}}$ be the solution of the equation $D\left( q\shortparallel p \right)=-\frac{{\rm log} \alpha }{N}$ with respect to q with $q<p$, we obtain

$$\begin{eqnarray}&&{{P}_{p}}\left\{ X\leqslant N{{q}^{-}} \right\}\leqslant {\rm exp} (-ND\left( {{q}^{-}}\shortparallel p \right))=\alpha .\end{eqnarray} \tag{ E.2 }$$

That is, we obtain $X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)\geqslant N{{q}^{-}}$. Similarly, letting ${{q}^{+}}$ be the solution of the equation $D\left( q\shortparallel p \right)=-\frac{{\rm log} \alpha }{N}$ with respect to q with $q>p$, we obtain $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)\leqslant N{{q}^{+}}$.

Further, combining the Pinsker inequality $D\left( q\shortparallel p \right)\geqslant 2\left( {\rm log} e \right){{\left( p-q \right)}^{2}}$, we obtain

$$\begin{eqnarray}&&{{P}_{p}}\left\{ X\leqslant Nq \right\}\leqslant {\rm exp} (-2\left( {\rm log} e \right)N{{\left( p-q \right)}^{2}}).\end{eqnarray} \tag{ E.3 }$$

Hence, solving the equation $2\left( {\rm log} e \right){{\left( p-q \right)}^{2}}=-\frac{{\rm log} \alpha }{N}$ with respect to q, we obtain two solutions ${{\tilde{q}}^{-}}:=p-\sqrt{\frac{-{\rm log} \alpha }{2\left( {\rm log} e \right)N}}$ and ${{\tilde{q}}^{+}}:=p+\sqrt{\frac{-{\rm log} \alpha }{2\left( {\rm log} e \right)N}}$. Then, we obtain $X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)\geqslant N{{\tilde{q}}^{-}}$ and $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)\leqslant N{{\tilde{q}}^{+}}$.

Using the information geometry, we have a better evaluation than the Pinsker inequality as follows. The relative entropy can be written with an integral form as follows [45].

$$\begin{eqnarray}&&\frac{D\left( q\shortparallel p \right)}{{\rm log} e}=\int _{q}^{p}\frac{t-p}{t\left( 1-t \right)}dt.\end{eqnarray} \tag{ E.4 }$$

We consider only the case $p<1/2$. When $q<p<1/2$, we have

$$\begin{eqnarray}&&\frac{D\left( q\shortparallel p \right)}{{\rm log} e}\geqslant \frac{{{\left( p-q \right)}^{2}}}{2p\left( 1-p \right)}.\end{eqnarray} \tag{ E.5 }$$

Hence, solving the equation $\frac{{{\left( p-q \right)}^{2}}}{2p\left( 1-p \right)}=-\frac{{\rm log} \alpha }{N\left( {\rm log} e \right)}$ with respect to q, we obtain the smaller solution ${{\bar{q}}^{-}}:=p-\sqrt{\frac{-2\left( {\rm log} \alpha \right)p\left( 1-p \right)}{\left( {\rm log} e \right)N}}$. Then, we obtain $X_{{\mbox{per}}}^{-}\left( N,p,\alpha \right)\geqslant N{{\bar{q}}^{-}}$.

The treatment for $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)$ is a little complex. When $p<q\leqslant 1/2$, we have

$$\begin{eqnarray}&&\frac{D\left( q\shortparallel p \right)}{{\rm log} e}\geqslant \frac{{{\left( p-q \right)}^{2}}}{2q\left( 1-q \right)}.\end{eqnarray} \tag{ E.6 }$$

Hence, solving the equation $\frac{{{\left( p-q \right)}^{2}}}{2q\left( 1-q \right)}=-\frac{{\rm log} \alpha }{N\left( {\rm log} e \right)}$ with respect to q, we obtain the larger solution ${{\bar{q}}^{+}}:=\frac{p-{\rm log} \alpha /\left( N{\rm log} e \right)+\sqrt{\left( -{{p}^{2}}+p-{\rm log} \alpha /\left( 2N{\rm log} e \right) \right)\cdot \left( -2{\rm log} \alpha \right)/\left( N{\rm log} e \right)}}{1-2{\rm log} \alpha /\left( N{\rm log} e \right)}$. Then, when ${{\bar{q}}^{+}}\leqslant 1/2$, we obtain $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)\leqslant N{{\bar{q}}^{+}}$. Indeed, since ${{\bar{q}}^{+}}$ is complicated, we introduce a simpler upper bound. Since $\sqrt{a+b}\leqslant \sqrt{a}+\sqrt{b}$,

$$\begin{eqnarray*}\begin{array}{rcl} {{{\bar{q}}}^{+}}\leqslant {{{\hat{q}}}^{+}} & := & \frac{p-{\rm log} \alpha /\left( N{\rm log} e \right)+\sqrt{\left( -{{p}^{2}}+p \right)\left( -2{\rm log} \alpha \right)/\left( N{\rm log} e \right)}+\sqrt{{{\left( {\rm log} \alpha /\left( N{\rm log} e \right) \right)}^{2}}}}{1-2{\rm log} \alpha /\left( N{\rm log} e \right)} \\ {} & = & \frac{p-2{\rm log} \alpha /\left( N{\rm log} e \right)+\sqrt{p\left( 1-p \right)\left( -2{\rm log} \alpha \right)/\left( N{\rm log} e \right)}}{1-2{\rm log} \alpha /\left( N{\rm log} e \right)}. \\ \end{array}\end{eqnarray*}$$

Then, when ${{\hat{q}}^{+}}\leqslant 1/2$, we obtain $X_{{\mbox{per}}}^{+}\left( N,p,\alpha \right)\leqslant N{{\hat{q}}^{+}}$.

F.1. One-sided interval estimation based of F distribution

We consider lower one-sided interval estimation with the confidential level $1-\alpha$ when we observe the value k subject to the binomial distribution ${\mbox{Bin}}\left( N,p \right)$ with N trials and probability p.

For this purpose, when we fix an integer k and define the constants

$$\begin{eqnarray}&&{{n}_{1}}:=2\left( N-k+1 \right),{{n}_{2}}:=2k,{{f}_{1}}:=\frac{{{n}_{2}}}{{{n}_{1}}}\frac{\left( 1-p \right)}{p},\end{eqnarray} \tag{ F.1 }$$

it is known that the random variable $F\left( {{n}_{1}},{{n}_{2}} \right)$ subject to F distribution with the freedom $\left( {{n}_{1}},{{n}_{2}} \right)$ satisfies

$$\begin{eqnarray}&&{\rm Pr} \left\{ F\left( {{n}_{1}},{{n}_{2}} \right)>{{f}_{1}} \right\}={{P}_{p}}\left\{ X\geqslant k \right\}=\mathop{\sum }\limits_{i=k}^{N}\left( \frac{N}{i} \right){{p}^{i}}{{\left( 1-p \right)}^{N-i}}.\end{eqnarray} \tag{ F.2 }$$

Our task is solving ${{P}_{p}}\left\{ X\geqslant k \right\}=1-\alpha$ with respect to p with $p<\frac{k}{N}$ for a given k. Define $f_{1}^{*}$ to be the solution of $P\left\{ F\left( {{n}_{1}},{{n}_{2}} \right)>{{f}_{1}} \right\}=1-\alpha$ with respect to ${{f}_{1}}$. Then, the solution $p=\frac{{{n}_{2}}}{{{n}_{1}}f_{1}^{*}+{{n}_{2}}}$ satisfies the equation $\frac{{{n}_{2}}}{{{n}_{1}}}\frac{\left( 1-p \right)}{p}=f_{1}^{*}$. Thus, we obtain

$$\begin{eqnarray}&&{{P}_{\frac{{{n}_{2}}}{{{n}_{1}}f_{1}^{*}+{{n}_{2}}}}}\left\{ X\geqslant k \right\}=1-\alpha .\end{eqnarray} \tag{ F.3 }$$

That is, $\frac{{{n}_{2}}}{{{n}_{1}}f_{1}^{*}+{{n}_{2}}}$ is the lower confidence limit $p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)$ of the lower one-sided interval estimation with the confidential level $1-\alpha$ when we observe the value k.

Similarly, when we fix an integer k and define the constants

$$\begin{eqnarray}&&{{m}_{1}}=2\left( k+1 \right),\;{{m}_{2}}=2\left( N-k \right),{{f}_{2}}=\frac{{{m}_{1}}}{{{m}_{2}}}\frac{p}{\left( 1-p \right)},\end{eqnarray} \tag{ F.4 }$$

it is known that the random variable $F\left( {{m}_{1}},{{m}_{2}} \right)$ subject to F distribution with the freedom $\left( {{m}_{1}},{{m}_{2}} \right)$ satisfies

$$\begin{eqnarray}&&{\rm Pr} \left\{ F\left( {{m}_{1}},{{m}_{2}} \right)>{{f}_{2}} \right\}={{P}_{p}}\left\{ X\geqslant k \right\}.\end{eqnarray} \tag{ F.5 }$$

Our task is solving ${{P}_{p}}\left\{ X\geqslant k \right\}=\alpha$ with respect to p with $p<\frac{k}{N}$ for a given k. Define $f_{2}^{*}$ to be the solution of $P\left( F\left( {{m}_{1}},{{m}_{2}} \right)>{{f}_{2}} \right)=\alpha$ with respect to ${{f}_{2}}$. Then, the solution $p=\frac{{{m}_{1}}{{f}_{2}}}{{{m}_{1}}{{f}_{2}}+{{m}_{2}}}$ satisfies the equation $\frac{{{m}_{1}}}{{{m}_{2}}}\frac{p}{\left( 1-p \right)}=f_{2}^{*}$. Thus, we obtain

$$\begin{eqnarray}&&{{P}_{\frac{{{m}_{2}}}{{{m}_{1}}f_{2}^{*}+{{m}_{2}}}}}\left\{ X\geqslant k \right\}{{\left( 1-\frac{{{m}_{2}}}{{{m}_{1}}f_{2}^{*}+{{m}_{2}}} \right)}^{N-i}}=\alpha .\end{eqnarray} \tag{ F.6 }$$

That is, $\frac{{{m}_{2}}}{{{m}_{1}}f_{2}^{*}+{{m}_{2}}}$ is the upper confidence limit $p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)$ of the upper one-sided interval estimation with the confidential level $1-\alpha$ when we observe the value k.

F.2. Application of the Chernoff inequality

Assume that we observe the random variable X subject to the binomial distribution $Bin\left( N,p \right)$ with N trials and probability p. For a fixed integer k, we have

$$\begin{eqnarray}&&{{P}_{p}}\left\{ \frac{X}{N}\leqslant \frac{k}{N} \right\}\leqslant {\rm exp} \left( -ND\left( \frac{k}{N}\shortparallel p \right) \right)\end{eqnarray} \tag{ F.7 }$$

with $\frac{k}{N}<p$. Hence, letting ${{p}^{-}}$ be the solution of the equation $D\left( \frac{k}{N}\shortparallel p \right)=-\frac{{\rm log} \alpha }{N}$ with respect to p with $\frac{k}{N}<p$, we obtain

$$\begin{eqnarray}&&{{P}_{{{p}^{-}}}}\left\{ \frac{X}{N}\leqslant \frac{k}{N} \right\}\leqslant {\rm exp} \left( -ND\left( \frac{k}{N}\shortparallel {{p}^{-}} \right) \right)=\alpha .\end{eqnarray} \tag{ F.8 }$$

Thus, ${{p}^{-}}\leqslant p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)$. Similarly, letting ${{q}^{+}}$ be the solution of the equation $D\left( \frac{k}{N}\shortparallel p \right)=-\frac{{\rm log} \alpha }{N}$ with respect to p with $\frac{k}{N}>p$, we obtain ${{p}^{+}}\geqslant p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)$.

Further, combining the Pinsker inequality $D\left( q\shortparallel p \right)\geqslant 2\left( {\rm log} e \right){{\left( p-q \right)}^{2}}$, we obtain

$$\begin{eqnarray}&&{{P}_{p}}\left\{ \frac{X}{N}\leqslant \frac{k}{N} \right\}\leqslant {\rm exp} \left( -2\left( {\rm log} e \right)N{{\left( p-\frac{k}{N} \right)}^{2}} \right).\end{eqnarray} \tag{ F.9 }$$

Hence, solving the equation $2\left( {\rm log} e \right){{\left( p-\frac{k}{N} \right)}^{2}}=-\frac{{\rm log} \alpha }{N}$ with respect to p, we obtain two solutions ${{\tilde{p}}^{-}}:=\frac{k}{N}-\sqrt{\frac{-{\rm log} \alpha }{2\left( {\rm log} e \right)N}}$ and ${{\tilde{p}}^{+}}:=\frac{k}{N}+\sqrt{\frac{-{\rm log} \alpha }{2\left( {\rm log} e \right)N}}$. Then, we obtain ${{\tilde{p}}^{-}}\leqslant p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)$ and ${{\tilde{p}}^{+}}\geqslant p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)$.

Using the relation (E.4), we consider better bounds only for the case $\frac{k}{N}<1/2$. Solving the equation $\frac{{{\left( p-\frac{k}{N} \right)}^{2}}}{2\frac{k}{N}\left( 1-\frac{k}{N} \right)}=-\frac{{\rm log} \alpha }{N\left( {\rm log} e \right)}$ with respect to p with $p<\frac{k}{N}<1/2$, we obtain the smaller solution ${{\bar{p}}^{-}}:=\frac{k}{N}-\sqrt{\frac{-2\left( {\rm log} \alpha \right)\frac{k}{N}\left( 1-\frac{k}{N} \right)}{\left( {\rm log} e \right)N}}$. Then, we obtain $p_{{\mbox{est}}}^{-}\left( N,k,\alpha \right)\geqslant {{\bar{q}}^{-}}$. The treatment for $p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)$ is a little complex. When $\frac{k}{N}<p\leqslant 1/2$, we have

$$\begin{eqnarray}&&\frac{D\left( \frac{k}{N}\shortparallel p \right)}{{\rm log} e}\geqslant \frac{{{\left( p-q \right)}^{2}}}{2q\left( 1-q \right)}.\end{eqnarray} \tag{ F.10 }$$

Hence, solving the equation $\frac{{{\left( p-\frac{k}{N} \right)}^{2}}}{2p\left( 1-p \right)}=-\frac{{\rm log} \alpha }{N\left( {\rm log} e \right)}$ with respect to p, we obtain the larger solution ${{\bar{p}}^{+}}:=\frac{k/N-{\rm log} \alpha /\left( N{\rm log} e \right)+\sqrt{\left( -{{\left( k/N \right)}^{2}}+k/N-{\rm log} \alpha /\left( 2N{\rm log} e \right) \right)\left( -2{\rm log} \alpha \right)/\left( N{\rm log} e \right)}}{1-2{\rm log} \alpha /\left( N{\rm log} e \right)}$. Then, when ${{\bar{p}}^{+}}\leqslant 1/2$, we obtain $p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)\leqslant {{\bar{p}}^{+}}$. Indeed, since ${{\bar{p}}^{+}}$ is complicated, we introduce a simpler upper bound:

$$\begin{eqnarray*}&&{{\bar{p}}^{+}}\leqslant {{\hat{p}}^{+}}:=\frac{k/N-2{\rm log} \alpha /\left( N{\rm log} e \right)+\sqrt{k/N\left( 1-k/N \right)\left( -2{\rm log} \alpha \right)/\left( N{\rm log} e \right)}}{1-2{\rm log} \alpha /\left( N{\rm log} e \right)}.\end{eqnarray*}$$

Then, when ${{\hat{p}}^{+}}\leqslant 1/2$, we obtain $p_{{\mbox{est}}}^{+}\left( N,k,\alpha \right)\leqslant {{\hat{p}}^{+}}$.

In order to calculate the sacrifice bit-length given in section 6, we need ${\mbox{E}}\left[ {{e}^{{{\mu }_{i}}}} \right]$, ${\mbox{E}}\left[ {{\mu }_{i}}{{e}^{{{\mu }_{i}}}} \right]$, ${\mbox{E}}\left[ \mu _{i}^{2}{{e}^{{{\mu }_{i}}}} \right]$, and ${{\omega }_{2}}$. For this purpose, we calculate ${{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}$ as follows.

$$\begin{eqnarray}&&\frac{d{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}}{dx}=-\frac{1}{{{\sigma }^{2}}}\left( x-\left( \mu -{{\sigma }^{2}} \right) \right){{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}\end{eqnarray} \tag{ G.1 }$$

Hence, $x{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}},{{x}^{2}}{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}$ can be written by using ${{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}$ and its first and second derivatives as follows.

$$\begin{eqnarray}&&x{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}=-{{\sigma }^{2}}\frac{d{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}}{dx}+\left( \mu -{{\sigma }^{2}} \right){{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}\end{eqnarray} \tag{ G.3 }$$

$$\begin{eqnarray}\begin{array}{rcl} {{x}^{2}}{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}} & = & {{\sigma }^{4}}\frac{{{d}^{2}}{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}}{d{{x}^{2}}} \\ {} & {} & +\left( 2\left( \mu -{{\sigma }^{2}} \right)x-\left( {{\left( \mu -{{\sigma }^{2}} \right)}^{2}}-{{\sigma }^{2}} \right) \right){{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}. \\ \end{array}\end{eqnarray} \tag{ G.4 }$$

We also prepare the following formula for ${{e}^{-x}}{{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}}}$.

$$\begin{eqnarray}\begin{array}{rcl} {{e}^{-x}}{{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}}} & = & {{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}-x}}={{e}^{-\frac{1}{2{{\sigma }^{2}}}\left( {{x}^{2}}-2\left( \mu -{{\sigma }^{2}} \right)x+{{\mu }^{2}} \right)}} \\ {} & = & {{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}{{e}^{-\frac{{{\mu }^{2}}}{2{{\sigma }^{2}}}+\frac{{{\left( \mu -{{\sigma }^{2}} \right)}^{2}}}{2{{\sigma }^{2}}}}}={{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}{{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}. \\ \end{array}\end{eqnarray} \tag{ G.5 }$$

When X obeys the Gaussian distribution with the average μ and the variance ${{\sigma }^{2}}$, using (G.3), (G.4), and (G.5), we can calculate the expectations of ${{e}^{-x}},x{{e}^{-x}}$, and ${{x}^{2}}{{e}^{-x}}$ as follows.

$$\begin{eqnarray}\begin{array}{rcl} {\mbox{E}}\left[ {{e}^{-x}} \right] & = & \frac{1}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }{{e}^{-x}}{{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}}}dx=\frac{{{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}dx \\ {} & = & {{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}} \\ \end{array}\end{eqnarray} \tag{ G.6 }$$

$$\begin{eqnarray}\begin{array}{rcl} {\mbox{E}}\left[ x{{e}^{-x}} \right] & = & \frac{1}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }x{{e}^{-x}}{{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}}}dx=\frac{{{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }x{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}dx \\ {} & = & {{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}\left( \mu -{{\sigma }^{2}} \right) \\ \end{array}\end{eqnarray} \tag{ G.7 }$$

$$\begin{eqnarray}\begin{array}{rcl} {\mbox{E}}\left[ {{x}^{2}}{{e}^{-x}} \right] & = & \frac{1}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }{{x}^{2}}{{e}^{-x}}{{e}^{-\frac{{{\left( x-\mu \right)}^{2}}}{2{{\sigma }^{2}}}}}dx=\frac{{{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}}{\sqrt{2\pi {{\sigma }^{2}}}}\int _{-\infty }^{\infty }{{x}^{2}}{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}dx \\ {} & = & \frac{{{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}}{\sqrt{2\pi {{\sigma }^{2}}}}\left( {{\sigma }^{4}}\int _{-\infty }^{\infty }\frac{{{d}^{2}}{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}}{d{{x}^{2}}}dx+2\left( \mu -{{\sigma }^{2}} \right)\int _{-\infty }^{\infty }x{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}dx \right. \\ {} & {} & \left. -\left( {{\left( \mu -{{\sigma }^{2}} \right)}^{2}}-{{\sigma }^{2}} \right)\int _{-\infty }^{\infty }{{e}^{-\frac{1}{2{{\sigma }^{2}}}{{\left( x-\left( \mu -{{\sigma }^{2}} \right) \right)}^{2}}}}dx \right) \\ {} & = & {{e}^{\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}\left( {{\left( \mu -{{\sigma }^{2}} \right)}^{2}}+{{\sigma }^{2}} \right). \\ \end{array}\end{eqnarray} \tag{ G.8 }$$

Next, we calculate the real number ${{\omega }_{2}}$ when ${{\mu }_{1}}$ obeys the Gaussian distribution with the average μ and the variance ${{\sigma }^{2}}$.

$$\begin{eqnarray}\begin{array}{rcl} {{\omega }_{2}} & := & \mathop{\sum }\limits_{n=2}^{\infty }\frac{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{n} \right]}{n!{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}=\frac{1}{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mathop{\sum }\limits_{n=2}^{\infty }\frac{1}{n!}\mu _{1}^{n} \right] \\ {} & = & \frac{1}{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\left( \left( \mathop{\sum }\limits_{n=0}^{\infty }\frac{1}{n!}\mu _{1}^{n} \right)-1-{{\mu }_{1}} \right) \right]=\frac{1}{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\left( {{e}^{{{\mu }_{1}}}}-1-{{\mu }_{1}} \right) \right] \\ {} & = & \frac{1}{{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}}\mu _{1}^{2} \right]}\left( 1-{\mbox{E}}\left[ {{e}^{-{{\mu }_{1}}}} \right]-{\mbox{E}}\left[ {{\mu }_{1}}{{e}^{-{{\mu }_{1}}}} \right] \right)=\frac{{{e}^{-\frac{\left( {{\sigma }^{2}}-2\mu \right)}{2}}}-\left( \mu -{{\sigma }^{2}} \right)-1}{{{\left( \mu -{{\sigma }^{2}} \right)}^{2}}+{{\sigma }^{2}}}. \\ \end{array}\end{eqnarray} \tag{ G.9 }$$

We consider the state ${{\rho }_{AE}}:={{\sum }_{m}}P\left( m \right)\left| {} \right.m\left. {} \right\rangle \left\langle {} \right.m\left| {} \right.\otimes {{\rho }_{AE\left| {} \right.m}}$, where ${{\rho }_{AE\left| {} \right.m}}$ is the composite state on ${{\left( {{\mathbb{C}}^{2}} \right)}^{\otimes m}}\otimes {{\mathcal{H}}_{E}}$. Now, we consider a function f from ${{}_{m}}{{\left\{ 0,1 \right\}}^{m}}$ to $\left\{ 0,1 \right\}$. Then, we have the state ${{\rho }_{f\left( A \right),E}}={{\sum }_{m}}P\left( m \right){{\rho }_{f\left( A \right)E\left| {} \right.m}}$ on ${{\mathbb{C}}^{2}}\otimes {{\mathcal{H}}_{E}}$. Due to the monotonicity of the trace norm, the state ${{\rho }_{f\left( A \right),E}}$ satisfies

$$\begin{eqnarray}&&\shortparallel {{\rho }_{f\left( A \right),E}}-{{\rho }_{f\left( A \right)}}\otimes {{\rho }_{E}}{{\shortparallel }_{1}}\leqslant \shortparallel {{\rho }_{A,E}}-{{\rho }_{{\mbox{ideal}}}}{{\shortparallel }_{1}}.\end{eqnarray} \tag{ H.1 }$$

When ${{\rho }_{f\left( A \right),E}}={{p}_{0}}\left| {} \right.0\left. {} \right\rangle \left\langle {} \right.0\left| {} \right.\otimes {{\rho }_{0,E}}+{{p}_{1}}\left| {} \right.1\left. {} \right\rangle \left\langle {} \right.1\left| {} \right.\otimes {{\rho }_{1,E}}$, due to the monotonicity of the trace norm, any two-valued POVM $\left\{ T,I-T \right\}$ on ${{\mathcal{H}}_{E}}$ satisfies

$$\begin{eqnarray*}\begin{array}{lcl} {} & {} & \shortparallel {{\rho }_{f\left( A \right),E}}-{{\rho }_{f\left( A \right)}}\otimes {{\rho }_{E}}{{\shortparallel }_{1}} \\ {} & \geqslant & {{p}_{0}}\left( \left| {} \right.{\mbox{Tr}}{{\rho }_{0,E}}T-{\mbox{Tr}}\left( {{p}_{0}}{{\rho }_{0,E}}+{{p}_{1}}{{\rho }_{1,E}} \right)T\left| {} \right.+\left| {} \right.{\mbox{Tr}}{{\rho }_{0,E}}\left( I-T \right)-{\mbox{Tr}}\left( {{p}_{0}}{{\rho }_{0,E}}+{{p}_{1}}{{\rho }_{1,E}} \right)\left( I-T \right)\left| {} \right. \right) \\ {} & {} & +{{p}_{1}}\left( \left| {} \right.{\mbox{Tr}}{{\rho }_{1,E}}T-{\mbox{Tr}}\left( {{p}_{0}}{{\rho }_{0,E}}+{{p}_{1}}{{\rho }_{1,E}} \right)T\left| {} \right.+\left| {} \right.{\mbox{Tr}}{{\rho }_{1,E}}\left( I-T \right)-{\mbox{Tr}}\left( {{p}_{0}}{{\rho }_{0,E}}+{{p}_{1}}{{\rho }_{1,E}} \right)\left( I-T \right)\left| {} \right. \right) \\ {} & = & 4{{p}_{0}}{{p}_{1}}\left| {} \right.{\mbox{Tr}}{{\rho }_{0,E}}T-{\mbox{Tr}}{{\rho }_{1,E}}T\left| {} \right.. \\ \end{array}\end{eqnarray*}$$

When T supports $f\left( A \right)=0$ and $I-T$ supports $f\left( A \right)=1$, the success probability is bounded by

$$\begin{eqnarray*}\begin{array}{lcl} {} & {} & {{p}_{0}}{\mbox{Tr}}{{\rho }_{0,E}}T+{{p}_{1}}{\mbox{Tr}}{{\rho }_{1,E}}\left( I-T \right)\leqslant {\rm max} \left( {{p}_{0}},{{p}_{1}} \right)\left( {\mbox{Tr}}{{\rho }_{0,E}}\left( I-T \right)+{\mbox{Tr}}{{\rho }_{1,E}}T \right) \\ {} & = & {\rm max} \left( {{p}_{0}},{{p}_{1}} \right)\left( 1+\left| {} \right.{\mbox{Tr}}{{\rho }_{0,E}}T-{\mbox{Tr}}{{\rho }_{1,E}}T\left| {} \right. \right)\leqslant {\rm min} \left( {{p}_{0}},{{p}_{1}} \right)\left( 1+\frac{1}{4{{p}_{0}}{{p}_{1}}}\shortparallel {{\rho }_{f\left( A \right),E}}-{{\rho }_{f\left( A \right)}}\otimes {{\rho }_{E}}{{\shortparallel }_{1}} \right). \\ \end{array}\end{eqnarray*}$$