Finite-key security analysis of quantum key distribution with imperfect light sources

In recent years, the gap between theory and practice in quantum key distribution (QKD) has been significantly narrowed, particularly for QKD systems with arbitrarily flawed optical receivers. The status for QKD systems with imperfect light sources is however less satisfactory, in the sense that the resulting secure key rates are often overly dependent on the quality of state preparation. This is especially the case when the channel loss is high. Very recently, to overcome this limitation, Tamaki et al proposed a QKD protocol based on the so-called ‘rejected data analysis’, and showed that its security—in the limit of infinitely long keys—is almost independent of any encoding flaw in the qubit space, being this protocol compatible with the decoy state method. Here, as a step towards practical QKD, we show that a similar conclusion is reached in the finite-key regime, even when the intensity of the light source is unstable. More concretely, we derive security bounds for a wide class of realistic light sources and show that the bounds are also efficient in the presence of high channel loss. Our results strongly suggest the feasibility of long distance provably secure communication with imperfect light sources.


I. INTRODUCTION
The gist of quantum key distribution (QKD) [1][2][3] is that it allows two remote parties, Alice and Bob, to establish common secret keys in the presence of an adversary, Eve, who may have unlimited computing resources and technological advances.Today, three decades after its introduction, QKD has made enormous progress in both theory and practice, and is arguably on the verge of global commercialisation.Having said that, however, there are still some issues, both theoretical and experimental, that need to be resolved before we can reach that level.Amongst those, the most pressing one is the mismatch between device models used in security proofs and actual devices used in QKD systems.In particular, such implementation loopholes can lead to side-channel attacks that break the security of QKD.Notably, it has been repeatedly demonstrated that the behaviour of single-photon detectors employed in QKD systems can be externally controlled, simply by exploiting their physics [4].In this case, it is easy to verify that security cannot be achieved, since the measured data are not representative of the quantum channel [5].Undoubtedly, such hacking demonstrations raise not only the importance of proper calibration of QKD systems, but also the importance in developing security proof techniques that can tackle modeling discrepancies.Indeed, in the past few years, much attention has been devoted towards the development of such proof techniques and side-channel countermeasures, particularly in the areas of security of finite-length keys [6][7][8][9][10] and detector side-channel attacks [11][12][13][14].
Amongst these theoretical results, only a few considered the issue of state preparation flaws-despite that it is a commonly faced experimental problem.More concretely, typical light sources used in QKD systems are not true single-photon sources and practical optical modulators employed to encode the light pulses are inherently limited in precision.The former can be resolved by using the decoy-state method [15][16][17], which allows QKD systems based on practical light sources to achieve the security performance of single-photon QKD.The latter, however, does not have an adequate solution.In particular, it has been firstly shown by Gottesman et al [18] that such inaccuracies in encoding can lead to very pessimistic secret key rates in the presence of high quantum channel loss.Also, other works show similar results [19].This strong dependency on channel loss is primarily due to the fact that state preparation flaws can be seen as a form of basis information leakage, which gives Eve some advantage in formulating basis-dependent attacks.Crucially, as shown in [18,19], Eve's advantage can be significantly enhanced by exploiting channel losses.Consequently, this heavily penalizes the secret key rate whenever the channel loss is substantial.
Very recently, a loss-tolerant QKD protocol [20] has been proposed by Tamaki et al as a means to overcome typical encoding flaws in QKD systems.More specifically, as briefly mentioned earlier, here we are considering encoding flaws due to imprecise alignment of optical modulators.For example, if the quantum states are encoded into the polarisation degree-of-freedom of photons, an encoding flaw could be due to a misalignment in the wave-plate used to set the desired polarisation.The protocol is similar to the Bennett-Brassard 1984 (BB84) QKD scheme [21], but In each trial, Alice's laser emits two consecutive coherent pulses representing the signal and the reference pulse.For this, she first uses an amplitude modulator to select the pulses' intensity k ∈ K.After that, she applies a phase shift {0, π, π/2} to the signal pulse.On reception, Bob splits the received pulses into two beams and then applies a phase shift {0, −π/2} to one of them.Also, he applies a one-pulse delay to one of the arms of the interferometer and then recombine the pulses at a 50:50 beamsplitter (BS).A "click" in detector D0 (D1) provides Bob the key bit y ′ = 0 (y ′ = 1).
instead of considering all the four BB84 states, it uses only three of them.Interestingly, by considering statistics beyond those of the BB84 protocol, the resulting secret key rate is the same as the one of BB84's [22][23][24][25][26].More importantly, the secret key rate has the very nice property in that it is almost independent of encoding flaws.These results imply that the usual stringent demand on precise state preparation can be considerably relaxed and one only needs to know the prepared states.Additionally, it is useful to mention that most current BB84 QKD systems can easily switch to the loss-tolerant QKD protocol without much hardware modifications.
In anticipation that the loss-tolerant QKD protocol will be widely implemented in the near future, we extend the security analysis in Ref. [20] to the finite-key regime, i.e., we derive explicit bounds on the extractable secret key length (in [27], the authors have implemented the loss-tolerant protocol experimentally with careful verification of the qubit assumption used in the protocol.This paper also includes some finite-key analysis of the protocol.Unfortunately, however, its phase error rate estimation seems to be valid only against collective attacks).Furthermore, our bounds can be applied to a wide range of imperfect light sources-including typical cases whereby the intensity of the laser is fluctuating between a certain range.Also, the security bounds are obtained within the so-called universal-composable framework [28,29], and thus secret keys generated using these bounds can be applied to other cryptographic tasks like the one-time-pad.In order to investigate the feasibility of our results, we consider a QKD system model that borrows parameters from recent fibre-based QKD experiments.With this realistic model, our numerical simulations show that provably-secure keys can be distributed up to a fibre length of about 120 km, even when only 10 11 signals are sent by Alice to Bob.
This paper is organised as follows.In section II, we describe some assumptions that we made in our security analysis and after that we introduce our protocol.In section III, we give the security definition of the protocol and provide the formulation of the extractable secret key length.In section IV, we present the results of the parameter estimation using the decoy-state method for two different cases: an exact intensity control case and an intensity-fluctuation case.Then, in section V, we simulate the key generation rate for both scenarios.Finally, section VI concludes the paper with a summary.The paper includes as well some Appendixes with additional calculations.

A. Assumptions on Alice and Bob's devices
Prior to stating the actual protocol, we first describe the assumptions on the user's devices.
We consider that Alice's transmitter contains a laser source, an amplitude modulator and a phase modulator.See Fig. 1.The laser is single-mode and emits signals with a Poissonian photon number distribution.Also, we assume that Alice encodes the bit and the basis information in the relative phase θ A between a signal and a reference pulse, whose joint phase is perfectly randomised 1 .Let us emphasise, however, that the security proof that we provide in this paper applies as well to other coding schemes like, for instance, the polarisation or the time-bin coding schemes.Next we present the two types of imperfections that we consider for Alice's device.

Intensity fluctuations.
The fluctuation of the intensity of the emitted coherent light is typically due to the laser source and imperfections in the amplitude modulator.Here we shall consider that Alice does not have a full description of the probability density function of the fluctuations, but she only knows their range2 .That is, she knows that the intensity k of the emitted coherent light lies in an interval k ∈ [k − , k + ] except with error probability ǫ inten , where k +(−) is the upper (lower) intensity.For simplicity, we shall assume that ǫ inten = 0.If ǫ inten > 0 this error probability can be directly taken into account through the security parameter ǫ sec whose definition is referred to equation (40).The intensities of the signal and reference pulses are k sig := kV and k ref := k(1 − V ) respectively, with 0 < V < 1.
In section IV.A we study the case where k = k − = k + , i.e., there are no intensity fluctuations.After that, in section IV.B, we evaluate the typical scenario where k + > k − .

Imperfect encoding of the bit and basis information.
In our protocol, Alice chooses the relative phase θ A at random from {0, π/2, π} to encode the bit and basis information.The phase θ A ∈ {0, π} corresponds to the Z basis states which are selected with equal probability, and θ A = π/2 denotes the X basis state.Alice assigns a bit value y = 0 to θ A ∈ {0, π/2} and a bit value y = 1 to θ A = π.
Due to the misalignment of the optical system, however, the actual relative phase prepared by Alice may deviate from the desired angle θ A by a factor ∆θ A .Hence, we have that the actual state Alice sends to Bob can be typically described as Here, we define ) is a random phase, the state |α s(r) is the coherent state of the signal (reference) pulse, and p(∆θ A ) is the probability distribution of ∆θ A .Alice does not need to know the origin of the encoding errors ∆θ A , but we assume that she knows p(∆θ A ). Also, we assume that p(∆θ A ) is independently and identically distributed for each run of the protocol.Moreover, we consider that there are no side-channels in Alice's device.

Assumptions on Bob's apparatus
We consider that the detection efficiency of Bob's detectors is independent of his measurement basis choice.A phase value θ B = 0 (θ B = −π/2) corresponds to a device parameter to choose the Z (X) basis for the measurement.Also, like in the case of Alice, we consider that Bob uses an imperfect phase modulator that shifts the phase of the incoming signals by θ B + ∆θ B , where ∆θ B is the modulation error.Note, however, that this last assumption is not needed in the security proof; we use it only for simulating the resulting secret rate.Furthermore, we assume that there are no side-channels in Bob's device.

B. Protocol description
We study a three-state protocol that uses one signal and two decoy settings.Also, we consider that the protocol employs an asymmetric coding, i.e., the Z and the X basis are chosen with probabilities p z and p x = 1 − p z , respectively.The secret key is extracted only from those events where both Alice and Bob select the Z basis and the signal setting.In addition, we assume that Alice and Bob do not implement a random sampling procedure to estimate the bit error rate, but they perform error correction for a pre-established fixed value of it.The error verification step of the protocol (see Step 5 below) informs them about whether or not the actual residual bit error rate exceeds the considered value.
The protocol runs as follows.

Actual protocol
First, Alice and Bob decide a security parameter ǫ sec whose definition is referred to equation (40).Then, they repeat the first three steps of the protocol for i = 1, ..., N until the conditions in the Sifting step are met.
Then, Alice randomly selects the basis a ∈ {Z, X} with probabilities p z and p x , respectively.Next, she chooses at random the signal phase θ A ∈ {0, π} when she selects the Z basis, and she chooses θ A = π when she selects the X basis.Finally, she generates the signal and reference pulses following these specifications and sends them to Bob via the quantum channel.

Measurement
Bob measures the incoming signal and reference pulses using the measurement basis b ∈ {Z, X}, which he randomly selects with probabilities p z and p x , respectively.The outcome is recorded in d ∈ {0, 1, ⊥, ∅}, where ⊥ and ∅ represent the double click event and the no click event, respectively.If d =⊥, Bob assigns a random bit to it3 .As a result, he obtains y ′ = {0, 1, ∅}.

Sifting
Alice and Bob announce their bases and intensity choices over an authenticated public channel and identify the following sets: Then, they check if the following conditions are met: , where | * | represents the length of the set * .We denote by N the number of pairs of coherent states (i.e., signal and reference pulses) sent by Alice until these conditions are fulfiled.We denote Alice and Bob's sifted keys as (Z A , Z B ); their size is

Parameter estimation
They estimate the number of events m 0 (1) where Alice emitted the vacuum (the single-photon) state within the set Z ks .Their expression is given by equations ( 12) and (18) for the scenario without intensity fluctuations, and by equations ( 23) and (28) for the case with intensity fluctuations.Also, Alice and Bob estimate N ph , i.e., the number of the so-called phase errors in the single-photon emissions within the set Z ks (see equation (36)).They check if the phase error rate e ph := N ph /m 1 is lower than a predetermined threshold value e ph , which corresponds to the phase error rate associated with a zero secret key rate (see equation (2)).If e ph ≥ e ph they abort the protocol; otherwise they proceed to step 5.

Postprocessing
Alice and Bob perform error correction over an authenticated public channel for (Z A , Z B ).This step consumes at most λ EC bits.Finally, they implement an error verification step and, after that, they perform privacy amplification using a hash function that extracts a secret key pair (S A , S B ), where

III. SECURITY BOUNDS
The security of a QKD protocol is characterised by its correctness and secrecy.That is, following the universal composable security framework [28,29], the protocol is called ǫ sec -secure if it is both ǫ c -correct and ǫ s -secret, where ǫ sec = ǫ c + ǫ s .Here, the correctness criterion is met whenever the output keys, S A and S B , are identical.More generally, for some small error ǫ c in the correctness, we say that the protocol is ǫ c -correct if Pr[S A = S B ] ≤ ǫ c is met.For the secrecy criterion, it is met whenever the joint classical-quantum state describing Alice's output key and Eve's quantum system is of the following form, U A ⊗ ρ E , where U A is the uniform distribution over all bit strings, and ρ E is an arbitrary quantum state held by Eve.Likewise, for some small error ǫ s , we say the protocol is ǫ s -secret if where ρ SAE is the joint state shared by Alice and Eve.Note that || • || 1 is the trace norm defined as || • || 1 = Tr √ • † •.Using these security definitions, it can be shown (see Appendix A for details) that a lower bound on the secret key length for the protocol described above where h is the binary entropy function, m L 0(1) is a lower bound on m 0(1) , e U ph := N U ph /m L 1 is an upper bound on the phase error rate, and η is the sum of the failure probabilities when estimating m 0 and e ph .This last parameter is upper bounded by η ≤ 1 − E Z,0 E Z,1 E ph , where E Z,0 , E Z,1 and E ph are the failure probabilities associated to the estimation of m L 0 , m L 1 and to the upper bound on the number of the phase errors N U ph , respectively.

IV. PARAMETER ESTIMATION
In this section, we briefly describe the estimation procedure to obtain m L 0 and m L 1 .Also, we provide an expression for N U ph .The detailed calculations are included in Appendix D. As mentioned in section II.B, we assume that the phase of each pulse generated by the laser is perfectly randomised.This means, in particular, that we can regard the signals sent by Alice as a classical mixture of Fock states, each of them representing the total number of photons contained both in the signal and in the reference pulse.That is, the probability that Alice emits a pulse with n photons conditioned on the fact that she selects the intensity setting k ∈ K is written as Also, from the property of the decoy state method we have that the total number of detection events when both Alice and Bob use the Z basis is given by where S Z,n represents the number of detection events when Alice and Bob used the Z basis and Alice emitted an n-photon state.
A. Estimation of the number of vacuum and single-photon contributions for the exact intensity control case We consider first the scenario without intensity fluctuations in the source, i.e., when Owing to the use of decoy-states [15][16][17], it can be shown that Eve cannot obtain any useful information about Alice's intensity choice if she observes an n-photon state in the quantum channel.Therefore, it can be demonstrated that the actual protocol, where Alice chooses the intensity of each signal before she actually sends it to Bob, is equivalent to a counterfactual protocol described as follows.First, Alice prepares and sends n-photon states to Bob.Then, Bob measures all the signals received from Alice.Afterwards, Alice decides the intensity setting for each signal.Due to this equivalence between the actual and the counterfactual protocols, we have that the number of detection events |Z k | for setting k ∈ K within |Z tot | has the form except with certain error probability that will be introduced later on, and where Z k denotes the mean value of |Z k | given by The parameter δ k that appears in equation (5) denotes the deviation between the experimentally obtained quantity |Z k | and its expected value.The convergence of δ k is discussed in Appendix B.

a. Estimation of the number of vacuum contributions
At first, we calculate a lower bound on m 0 , the number of events in Z ks that originate from a vacuum state sent by Alice.We define the mean value of m 0 as µ 0 = p(k s |0)S Z,0 .Now, by applying Lemma 1 from Appendix B we obtain that except with certain error probability ǫ Z,0 , where the deviation ∆ Z,0 is given by ∆ Z,0 = g C (µ 0 , ǫ Z,0 ) with g C (x, y) = 2x ln 1/y.So far, the lower bound on m 0 depends on the unknown mean value µ 0 which cannot be directly observed in the experiment.According to the definition of µ 0 , however, this problem can be solved by estimating a lower bound on S Z,0 .For this, we use a result from [8].In particular, we have that where p(0) = k∈K p k p(0|k).To estimate the mean values Z k d1 and Z k d2 , we can employ either Lemma 2 or Lemma 3 introduced in Appendix B, such that the fluctuation is minimised.In so doing, we obtain a lower bound on Z k d2 together with an upper bound on Z k d1 given by where g M (x, y) = 2x ln 1/y and g H (x, y) = x/2 ln 1/y.The failure probability associated with the estimation of , depending on which Lemma (2 or 3) we use.As a result we find that which only depends on known parameters.Note that in equation (11) we have used the fact that p(k s |0) = p ks p(0|k s )/p(0) = p ks e −ks /p(0) in combination with equation (8).We finally obtain, therefore, that except with error probability

b. Estimation of the number of single-photon contributions
Here, we calculate a lower bound on the number of single-photon pulses sent by Alice that contribute to Z ks .For this, we use a similar technique to the one described in the previous section.In particular, let µ 1 be the mean value of m 1 , which is given by µ 1 = p(k s |1)S Z,1 .Then we have that except with error probability ǫ Z,1 , where ∆ Z,1 = g C (µ 1 , ǫ Z,1 ).From Ref. [8], we have that where p(1) = k∈K p k p(1|k).As before, by using Lemmas 2 and 3 from Appendix B we obtain a lower bound on Z k d1 , and an upper bound on Z k d2 and Z ks .They are given by where the second equality holds for k ∈ {k s , k d2 }.The failure probability associated with the estimation of Z k (with , depending again on which Lemma (2 or 3) we apply.By employing the relation p(k s |1) = p ks p(1|k s )/p(1) = p ks k s e −ks /p(1), we obtain a lower bound on µ 1 , which only depends on known parameters, Therefore, we have that except with error probability , where the parameters ε k d1 Z,0 and ε k d2 Z,0 come from the estimation of µ L 0 .

B. Estimation of the number of vacuum and single-photon contributions for the intensity-fluctuation case
We now evaluate the scenario where the laser suffers from intensity fluctuations.As introduced above, here we shall assume that Alice only knows the range [k − , k + ] where the intensity value k lies.Below we introduce the final expressions for the different parameters; the detailed derivations are referred to Appendix C.

a. Estimation of the number of vacuum contributions
Here, we present the result for the estimation of the lower bound on T Z,0 .Here, T Z,0 is the sum of the conditional probability that Bob detects a signal in the Z basis conditioned that Alice chooses the signal intensity and sends a vacuum state in the Z basis (see equation ( 61)).It is given by To calculate the mean values Z k d1 and Z k d2 we employ Azuma's inequality, which is described in Lemma 4 (see Appendix B).Importantly, note that this inequality holds without assuming independence of the trials.As a result, we obtain a lower bound on Z k d1 together with an upper bound on Z k d2 .They are given by where g A (x, y) = 2x ln(1/y), and N z is the number of events where Alice and Bob use the Z basis within N trials.
In so doing, we find a lower bound on µ 0 that only depends on parameters that are directly observed in the experiment.It has the form where the p − (k s ∧ 0) is a lower bound on p(k s ∧ 0).Finally, we obtain a lower bound on m 0 which is given by except with error probability ε

b. Estimation of the number of single-photon contributions
Here, we introduce a lower bound on T Z,1 .Here, T Z,1 is the sum of the conditional probability that Bob detects a signal in the Z basis conditioned that Alice chooses the signal intensity and sends a single-photon state in the Z basis (see equation ( 70)).
It is given by Again, to estimate the mean values Z k d1 , Z k d2 and Z ks we employ Lemma 4. This way we obtain a lower bound on Z k d1 and an upper bound on Z k d2 and Z ks as where the second equality holds for k ∈ {k s , k d2 }.
Hence, a lower bound on µ 1 can be directly written as where p − (k s ∧ 1) is a lower bound on p(k s ∧ 1).Finally, we obtain m L 1 as except with error probability ε Z,1 =

C. Estimation of the number of phase errors
In this section we present an upper bound on N ph , which is the number of phase errors in the single-photon emissions within the set Z ks .As already mentioned in section II.B, the states sent by Alice are given by equation ( 1), and we assume that the distribution p(∆θ A ) is known to Alice.
We denote the single-photon part of equation (1) as ρ(θ A ); it is given by where the parameter γ = k sig /k ref .
Here we define the eigenvectors of the Pauli operators σ Y , σ Z and σ X as: The state |n r(s) denotes an n-photon number state of the reference (signal) pulse.
With this notation, the single-photon part of the three states sent by Alice can be expressed as . From [20] we have that if V Y = 0, the phase error rate of ρ 0z and ρ 1z is equivalent to that obtained after the application of the following filter operation, This means, in particular, that we can restrict ourselves to the estimation of the phase error rate of the states ρS which lie in the σ X -σ Z plane, where the parameters r S x and r S z are given by r S The states ρS given by equation (31) can also be decomposed as where the probabilities P S i have the form and the eigenvectors |φ S i are given by =: for i ∈ {0, 1}, and where N is the normalisation factor of the state.After some lengthy calculations (see Appendix D for details), we obtain that N ph is upper bounded by except with error probability ε ph .Here, the terms N MXs (j) with j ∈ {3, 4, 5} are defined in equations ( 97)-(99); the quantities P (1) and P (2) are given by equation (82); the parameters C t,l have the form are the (i, j) element of the following matrix where ; and the fluctuation term ∆ s⊕1 A,s+1 is given by equation (96).

V. SIMULATION OF THE KEY RATE
In this section, we show the simulation result for a fibre-based QKD system.Alice chooses the intensity of the laser from the set {k s , k d1 , k d2 }, where we fix the intensity of the weakest decoy state to k d2 = 2×10 −4 .This is so because, in practice, it is difficult to generate a vacuum state due to the imperfect extinction of the amplitude modulator.Also, we assume that Bob uses an active measurement setup with two single-photon detectors with detection efficiency FIG.2: (Colour online) Secret key rate (per pulse) in logarithmic scale vs fibre length for the case with exact intensity control.The security parameter is ǫsec = 10 −10 and the total number of signals sent by Alice is N = 10 s with s = 9, 10, 11 and 12 (from left to right).The rightmost two lines correspond to the asymptotic secret key rate with two decoy settings.The solid lines denote the case ξ=0 (i.e., the perfect encoding scenario) while the dashed lines show the case ξ=0.147 which is equivalent to a phase modulation error of 8.42 • (this error parameter is measured in an updated version of a commercial plug&play system (ID Quantique Clavis2) [27]).The experimental parameters are described in the main text.η det = 15% and a dark count probability p d = 5 × 10 −7 .The attenuation coefficient of the optical fibre is 0.2dB/km and its transmittance is η ch = 10 −0.2D/10 with D denoting the fibre length.The overall misalignment error of the optical system is fixed to be e mis = 1%.In addition, we assume an error correction leakage λ EC = f EC |Z ks |h(e z ), where e z is the bit error rate of the sifted key (Z A , Z B ).Moreover, for simplicity, we consider that the error correction efficiency of the protocol is a constant number f EC =1.16 which does not depend on the size of Z ks .For simplicity, we model the imperfection of Alice's (Bob's) phase modulator as ∆θ A = ξθ A /π (∆θ B = −∆θ A ). Also, we consider that the intensity fluctuation of the laser source lies in the interval [k − , k + ] with k − = (1 − r)k and k + = (1 + r)k for a fixed value r.
In these conditions, we simulate the secret key generation rate R = ℓ/N for a fixed value of the correctness coefficient ǫ c = 10 −15 .For this, we perform a numerical optimisation of the resulting secure key rate over the free parameters p z , p ks , p k d1 , k s and k d1 .

A. Key generation rate for the exact intensity control case
The resulting secret key rate for this scenario, i.e. when r = 0, is shown in Fig. 2. The security parameter is ǫ sec = 10 −10 and the total number of signals sent by Alice is N = 10 s with s = 9, 10, 11 and 12.We consider two possible cases: ξ = 0 (i.e., the perfect encoding case) and ξ = 0.147, which is equivalent to a phase modulation error of 8.42 • .For comparison, Fig. 2 also includes the asymptotic secret key rate (i.e., the key rate in the limit of infinitely large keys) with two decoy settings.As a result, we find that the effect of state preparation flaws on the key generation rate is almost negligible.Also, we have that if the total number of signals sent by Alice is about N = 10 12 , Alice and Bob can exchange secret keys over 150 km both when ξ = 0 and ξ = 0, 147.
Finally, Fig. 3 shows the postprocessing block size |Z ks | which is the length of the bit string to be processed in error correction and privacy amplification as a function of the distance when N = 10 s with s = 9, 10, 11 and 12.

B. Key generation rate for the intensity-fluctuation case
In this section we evaluate the resulting secret key rate when the laser source suffers from intensity fluctuations.We study two cases: r = 0.02 and r = 0.05, where r is the deviation rate from the expected value of the intensity.The results are shown in Figs. 4 and 6.Here we consider that N = {10 14 , 10 15 }, and the term ξ takes again the values ξ = 0 and ξ = 0.147.The security parameter is ǫ sec = 10 −10 in Fig. 4 and ǫ sec = 10 −8 in Fig. 6.
For comparison, these two figures also show the asymptotic secret key rate when Alice and Bob use two decoy settings.In this asymptotic case, we find that the degradation on the achievable key rate, when compared to the scenario r = 0, is only about 10 km (20 km) when r = 0.02 (r = 0.05).
In the finite-key regime, however, we obtain that the presence of intensity fluctuations seems to strongly limit the key generation rate if Alice and Bob do not know their probability distribution but only know the interval where the fluctuations lie in.For instance, when N = 10 11 and r = 0 (see Fig. 2) Alice and Bob can distribute a secret key over more than 100 km.However, to achieve a similar secret key rate performance when the intensity fluctuation of the source is 2% (i.e., the parameter r = 0.02) they need to exchange about N = 10 15 signals.The main technical reason for this behaviour seems to be the fact that Azuma's inequality [39] has a relatively slow convergence speed when compared to the Chernoff bound [37] and the Multiplicative Chernoff bound [13].
As a side remark, let us mention that when r = 0.05 and N = 10 14 we find that the achievable secret key rate is basically zero unless we increase the security parameter ǫ sec from ǫ sec = 10 −10 to ǫ sec = 10 −8 .This is illustrated in Fig. 6.
Finally, Figs. 5 and 7 show the postprocessing block size |Z ks | as a function of the distance when N = 10 s with s = {14, 15} for the 2% intensity fluctuation case and for the 5% intensity fluctuation case, respectively.

VI. CONCLUSION
In summary, we have provided explicit security bounds for the loss-tolerant QKD protocol in the finite-key regime.On the application front, our results constitute an important step towards practical QKD with imperfect light sources, in that the resulting security performance is robust against encoding inaccuracies like, for instance, optical misalignments.Furthermore, our results take into account intensity fluctuations in the light source, which is a common experimental fact.Our results highlight the importance of the stable control of the intensity modulator as well as the need for a precise estimation of its intensity, which is not often sufficiently emphasised in the experiments.On a more general outlook, it would be of great practical interest to incorporate our results into measurement-device-independent QKD (mdiQKD) [11].

VII. ACKNOWLEDGEMENTS
We thank Lo H-K, Xu F, Kato G, Azuma K, Ikuta R, Nagamatsu Y, Takeuchi Y and Matsuki K for valuable discussions on the security analysis and parameter estimation procedure, and Yoshino K, Fujiwara M, Sasaki M, and Tomita A for fruitful discussions on practical QKD systems.AM acknowledges support from the JSPS Grant-in-Aid for Scientific Research(A) 25247068.MC thanks the Galician Regional Government (program "Ayudas para proyectos de investigacion desarrollados por investigadores emergentes", and consolidation of Research Units: AtlantTIC), and the Spanish Government (project TEC2014-54898-R) for financial support.KT acknowledges support from the National Institute of Information and Communications Technology (NICT) of Japan (Project "Secure Photonic Network Technology" as part of Project UQCC) and the ImPACT program.

APPENDIX A: DERIVATION OF THE SECURITY BOUND
Here we present the calculations for the security bound given by equation (2).The security analysis is based on the universal composable security framework [28,29].
Recall that after privacy amplification, the joint state shared by Alice, Bob and Eve is described by the following classical-quantum state where s A and s B are the classical bit strings for the keys, associated with orthonormal states |s A and |s B in a Hilbert space.Here, p(s A , s B ) denotes the distribution of the keys and ρ sA,sB E is the quantum state of Eve's system conditioned on S A = s A and S B = s B .In the ideal scenario, the joint state is described by where S A = S B = s and ρ E is an arbitrary quantum state held by Eve.Using the security definition stated in the main text, a ǫ sec -secure QKD protocol satisfies Furthermore, if the security parameter ǫ sec is appropriately chosen, it can be seen as the sum of errors in the correctness and secrecy, i.e., ǫ sec = ǫ s + ǫ c .To see this, let us introduce an intermediate state, which is just a trivial classical extension of Alice's state.Then, by using the triangle inequality property of the trace distance metric, we have Fixing the first term on the R.H.S to ǫ c gives where the inequality is due to the fact that the trace distance metric is contractive under any trace-preserving operation (in our case, the partial trace operation).Similarly, by fixing the second term to ǫ s we have Therefore, fixing ǫ sec = ǫ s + ǫ c gives the desired decomposition.
From [35], the lower bound on the secret key length of our protocol is written as where m L 0 and m L 1 are the lower bounds on the detection events of the vacuum and the single-photon emission, respectively, and m L 1 Γ = m L 1 (h(e U ph ) + δ) is the number of rounds performing the random hashing to correct the phase error, which is equivalent to the number of bits sacrificed in the privacy amplification step of the protocol.The parameter λ EC denotes the number of bits consumed in bit error correction, and ⌈log 2 1/ǫ c ⌉ ≤ log 2 2/ǫ c is the length of the hash that Alice sends to Bob for the error verification using the universal 2 hash functions.From [7] and [36], we have that ǫ s can be bounded by . Therefore, the secret key length is obtained as where we consider η as a fixed value in this paper.

APPENDIX B: TECHNICAL LEMMAS
In this Appendix we introduce four different concentration inequalities which are used throughout this paper.First, we introduce the stochastic model that is assumed in Lemmas 1, 2 and 3.
Lemma 4. Azuma's inequality [39,40] This result plays a crucial role in our security analysis.It is applicable to any stochastic model as long as the Martingale and the Bounded difference conditions (BDC) are satisfied.In particular, a sequence of random variables X (0) , X (1) , . . . is called a Martingale if and only if E[X (l+1) |X (0) , X (1) , . . ., X (l) ] = X (l) for all non-negative integer l, where E[•] represents the expectation value.On the other hand, X (0) , X (1) , . . . is said to fulfil the BDC if there exists c (l) > 0 such that |X (l+1) − X (l) | ≤ c (l) for all non-negative integer l.
Let us consider N trials of a random variable X (l) , where l refers to the lth trial.If X (l) is a Martingale and satisfies the BDC with c (l) = 1 then Azuma's inequality guarantees that for any δ ∈ (0, 1).
Let us now define the following random variable for the lth trial, where Λ (l) represents the actual number of events of the form X (l) = 1 observed among the first l trials, and P (u|ξ 0 , ..., ξ u−1 ) is the conditional probability of having the event "1" in the uth trial conditioned on the first u − 1 outcomes ξ 0 , . . ., ξ u−1 .In this scenario, it is straightforward to show that the random variables given by equation ( 48) are Martingale and satisfy the BDC with c (l) = 1.Hence, by applying Azuma's inequality we have that This means, in particular, that except with error probability ǫ A +ǫ A , where the parameter δ A lies in the interval δ A ∈ [−∆ A , ∆A ] with ∆ A = g A (N, ǫ A ) and ∆A = g A (N, ǫA ), and where g A (x, y) = 2x ln(1/y).

APPENDIX C: DECOY-STATE ANALYSIS
In this Appendix we first present the detail of the decoy-state analysis for the intensity fluctuation case and then we summarise all the equations for the decoy-state analysis, including those for the exact intensity control case.More precisely, we describe the estimation procedure that we use in order to obtain a lower bound on the number of vacuum contributions T Z,0 , and both a lower and an upper bound on the number of single-photon contributions T Z,1 .

Intensity fluctuation case
Here, we generalise the decoy-state method to cover the case where the source suffers from intensity fluctuations.For this, as already mentioned previously, we shall consider that Alice and Bob only know the interval [k − , k + ] where the intensity k lies.
We begin by calculating the mean value Z k .Our starting point is the random variable X for the ith trial when both Alice and Bob select the Z basis.This random variable takes the value 1 if Alice chooses the intensity k and, moreover, the generated signal is detected by Bob; otherwise it is 0. The term may depend on all the previous i − 1 trials.With this notation, Z k can be expressed as where N z is the number of events where both Alice and Bob select the Z basis.The probability p (i| − − → i−1) ( * ) denotes the conditional probability that the event * occurs in the ith trial conditioned on the results obtained in the previous i − 1 trials, and the term k ∧ det|Z represents the event where Alice selects the intensity k and Bob detects the generated signal given that both of them have chosen the Z basis.By using Bayes rule, we can rewrite equation (51) as where p k is the probability that Alice chooses the intensity k; n denotes an n-photon signal; p z represents the probability of selecting the Z basis; and p (i) ( * ) is the probability that the event * occurs in the ith trial.For instance, p (i) (n|k ∧ Z) is the conditional probability that Alice emits an n-photon state in the ith trial given that she has chosen the intensity k and both Alice and Bob have selected the Z basis in the ith trial.Note that in the transformation from equation (54) to equation ( 55) we have used the property of the decoy-state method i.e., p In so doing, we obtain that Z k is upper bounded by Similarly, we find that

Lower bound on the number of vacuum contributions
To obtain this bound, we first rewrite equations ( 56) and (57) for the cases k = k d2 and k = k d1 , respectively.We obtain the following two inequalities, Next, we multiply equation (58) by k − d1 and equation (59) by k + d2 , and we add both expressions.In so doing, we find that where the second inequality holds because k − d1 > k + d2 .As a result, we find that T Z,0 is lower bounded by To estimate the expectation values Z k d1 and Z k d2 , we use Azuma's inequality because each trial of the random variables X may depend on the previous ones.
Lower bound on the number of single-photon contributions Here, we first particularise equations ( 56) and (57) for the cases k = k d1 and k = k d2 , respectively.We have that Next, we add both expressions and we obtain This last equation can be rewritten as Next, we evaluate the third term on the R.H.S of equation ( 65).This term is lower bounded by because when the conditions The R.H.S of equation (66) can be lower bounded using the R.H.S of equation (67).This is so because k . Hence, we have that the third term on the R.H.S of equation ( 65) is lower bounded by That is, if we now combine equations ( 65) and (68) we find that which directly gives us a lower bound on T Z,1 , Upper bound on the number of single-photon contributions By adding equations ( 58) and (59), we have that where the second inequality holds because k − d1 > k + d2 .This means, in particular, that T Z,1 is upper bounded by

Summary of the decoy-state analysis
Here, we summarise all the equations needed in the decoy-state method, including those for the exact intensity control case.

Lower bound on the number of vacuum contributions
Let Decoy 0 (ay, by ′ ) denote a lower bound on the number of events where Alice generates a vacuum state using the signal intensity and the basis setting a ∈ {Z, X} to encode a bit value y ∈ {0, 1}, and Bob observes the bit value y ′ ∈ {0, 1} when he measures the received signal using the basis b ∈ {Z, X}.
where the parameters a y b y ′ − k d2 and a y b y ′ + k d1 are defined in a similar way like equations ( 9) and ( 10) for the exact intensity control case and like equations ( 20) and ( 21) for the intensity-fluctuation case, respectively.The probability p − (k s ∧ 0) is a lower bound on p(k s ∧ 0) which denotes the probability that Alice selects the signal intensity setting and sends a vacuum state.

Lower bound on the number of single-photon contributions
Let Decoy 1 (ay, by ′ ) denote a lower bound on the number of events where Alice prepares a single-photon state using the signal intensity and the basis setting a ∈ {Z, X} to encode a bit value y ∈ {0, 1}, and Bob observes the bit value y ′ ∈ {0, 1} when he measures the received signal using the basis b ∈ {Z, X}.
Decoy 0 (ay, by ′ ) where the probability p − (k s ∧ 1) is a lower bound on p(k s ∧ 1) which denotes the probability that Alice selects the signal intensity setting and sends a single-photon state.
Upper bound on the number of single-photon contributions Let Decoy 1 (ay, by ′ ) denote an upper bound on the number of events where Alice prepares a single-photon state using the signal intensity and the basis setting a ∈ {Z, X} to encode a bit value y ∈ {0, 1}, and Bob observes the bit value y ′ ∈ {0, 1} when he measures the received signal using the basis b ∈ {Z, X}.
where the probability p + (k s ∧ 1) is an upper bound on p(k s ∧ 1).

APPENDIX D: PHASE ERROR RATE ESTIMATION
In this Appendix we explain how to derive equation (36).That is, we obtain an upper bound on the number of phase errors associated to the single-photon pulses emitted by Alice when she selects the signal intensity setting, both Alice and Bob use the Z basis, and Bob obtains a successful detection event (i.e., y ′ = ∅).As we are interested in the phase error rate defined in the single-photon emission events and all the statistics associated with the single-photons can be estimated using the decoy state method, in the virtual protocol we only consider the cases where Alice emits single photons.
For this, in the security proof we consider a virtual protocol that based on the complementarity argument [25] is equivalent to the actual protocol.In the virtual scheme, Alice prepares an ancilla qubit which is entangled with the pulse that she sends to Bob.Importantly, from Eve's viewpoint both protocols are completely indistinguishable because they emit the same quantum states and announce the same classical information.
Let us start our analysis by introducing the following joint states, which we shall denote as | ψjz A1,B .They are a purification of the signals ρjz with j ∈ {0, 1} (see equation ( 32)), where the index A 1 represents the ancilla system and the index B is the system that Alice sends to Bob.In addition, we define the state: where the ancilla system A 2 stores the bit information.The aim of the virtual protocol is to quantify how accurately Bob can estimate Alice's measurement outcome if she would measure system A 2 in the complementarity basis (i.e., if she would use the POVM M X,A2 = {|+ +|, |− −|}, where |± = 1/ √ 2(|0 ± |1 )).This way one can characterise the information that Eve could have obtained about the raw key [25].Note that equation (77) can be rewritten as where the normalised virtual states | ψvir jx A1,B , with j ∈ {0, 1}, are defined as Let us now introduce some additional notation before we describe in detail the different steps of the virtual protocol.In particular, the states prepared by Alice in the virtual protocol are given by |φ sh,A1,B = where the shield system sh belongs to Alice's laboratory, the states |φ (c) A1,B have the form |φ (1)  A1,B = | ψvir 0x A1,B , |φ (2)  A1,B = | ψvir 1x A1,B , |φ (3)  A1,B = | ψ0z A1,B , |φ (4)  A1,B = | ψ1z A1,B , |φ (5)  A1,B = | ψ0x A1,B , and the probabilities P (c) are given by Also, we define Bob's POVM for the Z and the X basis measurement as M Z,B = {M Z0 , M Z1 , M Zf } and M X,B = {M X0 , M X1 , M Xf }, respectively.Here, the operator M Z(X)f corresponds to the inconclusive outcome in the Z (X) basis.Importantly, in the security analysis we assume that this operator is the same for both basis, i.e., M f := M Zf = M Xf .This assumption allows us to conceptually delay Bob's measurement basis choice until he is certain to obtain a conclusive result.That is, we can consider that Bob first conducts a filter operation with Kraus operators D = { √ I − M f , √ M f } followed by the Z or X basis measurement, which we redefine as {M Z0 , M Z1 } and {M X0 , M X1 }, respectively.
Next we present the steps of the virtual protocol in detail.
Virtual protocol Alice repeats the first step n 1 times, where n 1 is the number of single-photon emissions generated by Alice in the actual protocol within the set |Z ks |.

Preparation
Alice prepares the state |φ sh,A1,B given by equation (80).Afterwards, she sends Bob system B over a quantum channel and delays her measurement on system sh until step 3.

Filter operation
Bob performs on system B the filter operation D and, if this operation succeeds, he stores this system in a quantum memory.We will denote the set of successful filter results as S, and |S| = N 1 .

Collective measurement
Alice and Bob perform on the states in the set S a collective measurement characterised by the POVM elements F Ω,s , with Ω ∈ {1, 2, ..., 6} and s ∈ {0, 1} (see equation ( 85)) on the states in the set S.

Classical communication
Alice announces the Z (X) basis choice over an authenticated public channel when the result of her measurement in step 3 is Ω = 1, 2, 3, 4 (Ω = 5, 6).Then, Bob announces the Z (X) basis choice, also over an authenticated public channel, when the measurement outcome in step 3 is Ω = 1, 2, 6 (Ω = 3, 4, 5) to ensure that the classical information declared in both the actual and the virtual protocols coincide (see the main text below for further details).In addition, Bob declares the value of s when Ω = 3, 4, 5, 6.

Estimation of the number of phase errors
Alice and Bob calculate an upper bound on the number of phase errors.This upper bound is given by where the parameter Decoy 1 (ay, by ′ ) is defined in Appendix C. Also, the POVM elements F Ω,s of Alice and Bob's collective measurement are given by These POVM elements satisfy s∈{0,1} Ω∈{1,...,6} F Ω,s = I sh ⊗ I B .
It is easy to demonstrate that from Eve's viewpoint the virtual protocol described above is completely equivalent to the actual protocol.Indeed, the quantum states that Alice sends to Bob are exactly the same in both protocols.Also, both schemes declare precisely the same classical information.To see this last point, let us further clarify the fourth step of the virtual protocol.In particular, note that when Ω = 1(2) the state that Alice sends to Bob in the virtual protocol is Tr A1 P [| ψ0 (1)x A1B ] and Bob uses the X basis.However, in this case, Alice and Bob announce the Z basis.In so doing, the actual and virtual protocols are indistinguishable.This is so because in the actual protocol the events Ω = 1 or 2 are used to generate a secret key, i.e., in these events both Alice and Bob select, and therefore also declare, the Z basis.Then, the virtual protocol has to do the same declaration, otherwise it could be distinguished from the actual protocol.That is, with our definition of the virtual protocol we guarantee that it produces precisely the same classical information as the actual protocol.
Next, we present the estimation method that we use in order to upper bound the quantities Λ where P Ω,s (u|ξ 0 , ..., ξ u−1 ) is the conditional probability of obtaining the values Ω and s in the collective measurement performed in the uth trial of the third step of the virtual protocol, conditioned on the first u−1 measurement outcomes from the collective measurements ξ 0 , ..., ξ u−1 .To obtain this conditional probability we use the following joint state in N 1 trials, where |φ−−→ u−1 sh,A1,B , |φ u sh,A1,B , and |φ− −−− → N1−u sh,A1,B represent, respectively, Alice's prepared states in the first u − 1 trials, in the uth trial, and in the rest of trials.
Let U BE denote Eve's unitary transformation on Bob's system B and on her system E. We have that where B t,B denotes the Kraus operator which acts on system B depending on Eve's measurement outcome of her ancilla.Now we consider Alice and Bob's collective measurement.In particular, let M sh v ,sv represent the Kraus operator associated with the vth (1 ≤ v ≤ u) measurement outcome of Alice's system sh and Bob's system.Also, let O u−1,sh,B denote Alice and Bob's joint measurement operator up to u − 1 trials.It can be written as Note that the parameters Λ (N1) Ω,s , with Ω ∈ {3, 4, 5}, can be upper and lower bounded using the decoy-state method.We shall denote the failure probability of this estimation as ǫ Z0,Xs , ǫ Z1,Xs and ǫ X0,Xs , respectively.
As a result, we obtain bounds on N1 u=1 T

(u| − − → u−1) MXs
Tr A1 P [|φ (Ω) A1,B ] that maximise the number of phase errors N ph in the single-photon emissions within the set |Z ks |.They are denoted as N MXs (Ω) and have the form When Ω ∈ {1, 2}, the quantity T given by equation ( 79).This quantity can be decomposed into the transmission rate of the Pauli operators σ I , σ X and σ Z .However, for later convenience, we will decompose it as a function of ρ0z and ρ1z , together with σ I , σ X and σ Z .Here, the states ρ0z and ρ1z are defined in equation (31).In particular, from equation (79) we find that where we have used equation (76) in the second equality and see equation (35) for the definition of a S t and b S t .In addition, we have that the transmission rate of ρ0z , ρ1z and ρ0x can be decomposed using the Pauli operators as follows Hence, the transmission rate of the Pauli operators can be described as where the inverse matrix A −1 is given in equation (37).
Now, if we combine equations (100), ( 102) and (96), we obtain that N ph is upper bounded by Finally, by using the results given by equations ( 97)-(99), we find that =: except with error probability (ǫ Z0,Xs + ǫ Z1,Xs + ǫ X0,Xs ), where ǫ s A,Ω is the failure probability that equation (95) does not hold for Ω ∈ {1, ..., 5} and s ∈ {0, 1}.Also, ǫ Z0(1),Xs and ǫ X0,Xs are the failure probabilities of the decoy state method i.e., the failure probabilities of the estimation of Λ  For this, we need to obtain |Z k | for all k ∈ K. Afterwards, we simply apply the procedure described in section IV.A (for the exact intensity control case) and in section IV.B (for the intensity fluctuation case).We consider that the total number of pulses sent by Alice using the intensity setting k is given by N k = N p k , where N denotes the total number of transmissions until the conditions in the Sifting step of the protocol are met.The total system loss η sy := η det η ch includes the channel loss and the detection efficiency of Bob's detectors.The conditional probability p (k) (Zj|Zi) that Bob obtains the bit j ∈ {0, 1} using the Z basis given that Alice sends him a bit i encoded with the intensity k and also in the Z basis can be written as The conditional probability p (k) (Zj ∧ Zj ⊕ 1|Zi) that Bob interprets the bit value j (after a random assignment of double click events to single clicks events) when he uses the Z basis given that Alice sends him a pulse with the intensity k, prepared in the Z basis, and encoding the bit value i is written as To simulate the misalignment in the optical system we transform this probability as In so doing, we obtain The bit error rate in the Z basis when Alice sends Bob a pulse using the signal intensity is given by e z = j∈{0,1} P (ks) (Zj ⊕ 1 ∧ Zj|Zj) i,j∈{0,1} P (ks) (Zj ∧ Zj ⊕ 1|Zi) Calculation of the parameter N ph According to equation ( 36), we have that N ph is upper bounded by To obtain Decoy 1 (X0, X1) and Decoy 1 (X0, X0) we first calculate the probability p (k) (Xj ∧ Xj ⊕ 1|X0) that Bob obtains the bit j with the X basis given that Alice sends him a pulse of intensity k using the X basis and encoding the bit value 0. For this, we have that Finally, we include the effect of the misalignment in the optical systems.That is, we transform p (k) (Xj ∧ Xj ⊕ 1|Xi) as The number |X j k | is therefore given by Next, we calculate Decoy 1 (Z0, X0) and Decoy 1 (Z1, X0).For this we need to obtain |Z i X j k |.We have that the probability p (k) (Xj|Zi) that Bob obtains the bit j with the X basis given that Alice sends him a pulse of intensity k, prepared in the Z basis, and encoding the bit value i is given by p (k) (Xj|Z0) = FIG.1:In each trial, Alice's laser emits two consecutive coherent pulses representing the signal and the reference pulse.For this, she first uses an amplitude modulator to select the pulses' intensity k ∈ K.After that, she applies a phase shift {0, π, π/2} to the signal pulse.On reception, Bob splits the received pulses into two beams and then applies a phase shift {0, −π/2} to one of them.Also, he applies a one-pulse delay to one of the arms of the interferometer and then recombine the pulses at a 50:50 beamsplitter (BS).A "click" in detector D0 (D1) provides Bob the key bit y ′ = 0 (y ′ = 1).

FIG. 3 :
FIG. 3: (Colour online) Postprocessing block size |Z ks | vs fibre length for a fixed total number of signals N = 10 s sent by Alice with exact intensity control, with s = 9, 10, 11 and 12 (from left to right).The solid lines correspond to the case ξ=0 and the dashed lines are for ξ=0.147.

FIG. 4 :
FIG. 4: (Colour online)Secret key rate (per pulse) in logarithmic scale vs fibre length when the intensity fluctuation is 2%.The security parameter is ǫsec = 10 −10 and the total number of signals sent by Alice is N = 10 s with s = {14, 15} (from left to right).The rightmost two lines correspond to the asymptotic secret key rate with two decoy settings.The solid lines denote the case ξ = 0 (i.e., the perfect encoding scenario) while the dashed lines show the case ξ = 0.147 (which is equivalent to a phase modulation error of 8.42 • ).The experimental parameters are described in the main text.

FIG. 6 :
FIG.6: (Colour online) Secret key rate (per pulse) in logarithmic scale vs fibre length when the intensity fluctuation is 5%.The security parameter is ǫsec = 10 −8 and the total number of signals sent by Alice is N = 10 s with s = {14, 15} (from left to right).The rightmost two lines correspond to the asymptotic secret key rate with two decoy settings.The solid lines denote the case ξ = 0 (i.e., the perfect encoding scenario) while the dashed lines show the case ξ = 0.147 (which is equivalent to a phase modulation error of 8.42 • ).The experimental parameters are described in the main text.
denotes the number of outcomes associated to the operator F Ω,s after N 1 trials, and Λ the set S (see step 2 of the virtual protocol) is upper bounded by|S| = N 1 ≤ a,b∈{Z,X} y,y ′ ∈{0,1}Decoy 1 (ay, by ′ ),

P
experimentally observed values.For this, we consider the sequence of random variables X (l) Ω,s , with l = 1, ..., N 1 , given by X Ω,s (u|ξ 0 , ..., ξ u−1 ), 0x ] + ∆ s⊕1 A,s+1 .(103) APPENDIX E: SIMULATIONIn this Appendix we present the calculations used to obtain Figs. 2, 4 and 6 in the main text.In particular, we consider that Alice sends Bob pairs of coherent states of the form | √ k ref e iχ r | k sig e i(χ+θA+∆θA) s , and we set Alice's (Bob's) phase modulation error to ∆θ A = ξθ A /π (∆ B = −∆ A ). Also, we assume a Gaussian distribution for the intensity fluctuations of the laser within an interval [k − , k + ].That is, we consider that the probability density function of the fluctuations is given by pG (k) = A exp[−(k − µ) 2 /2σ 2 ], where µ is the desired value (e.g., k s , k d1 , and k d2 ), the dispersion σ 2 has the form σ 2 = rµ/5, and the normalisation factor A is such thatk + k − p G (k)dk = 1.Calculation of the parameters m L 0 and m L 1

1 .
PreparationFor each i, Alice randomly chooses the intensity k ∈ K = {k s , k d1 , k d2 } with probability p ks , p k d1 and p k d2 = 1 − p ks − p k d1 , respectively.The intervals [k − , k + ] where the different intensities lie have to satisfy k − d1 > k + d2 and k − s [13]a 3. Multiplicative Chernoff bound[13]This bound does not require the knowledge of µ.It combines Lemma 1 and 2 above.It uses Lemma 2 to estimate a lower bound on µ that is then basically used in combination with Lemma 1.In particular, let µ L = x − N/2 ln 1/ǫ H for certain ǫ H > 0.Then, if the following two conditions are satisfied: (2ǫ −1 M ) 1/µL ≤ exp(9/32) and ǫ except with error probability ǫ H + ǫH , where the fluctuation term δ H lies in the interval δ H ∈ [−∆ H , ∆H ] with ∆ H = g H (N, ǫ H ) and ∆H = g H (N, ǫH ), and where g H (x, y) = x/2 ln 1/y.