Improved Finite-Key Security Analysis of Quantum Key Distribution Against Trojan-Horse Attacks

Most security proofs of quantum key distribution (QKD) disregard the effect of information leakage from the users' devices, and, thus, do not protect against Trojan-horse attacks (THAs). In a THA, the eavesdropper injects strong light into the QKD apparatuses, and then analyzes the back-reflected light to learn information about their internal setting choices. Only a few recent works consider this security threat, but predict a rather poor performance of QKD unless the devices are strongly isolated from the channel. Here, we derive finite-key security bounds for decoy-state-based QKD schemes in the presence of THAs, which significantly outperform previous analyses. Our results constitute an important step forward to closing the existing gap between theory and practice in QKD.


Introduction
Quantum key distribution (QKD) [1][2][3][4] is arguably the most mature practical application of quantum information science, allowing to establish information-theoretic secure communications between two distant parties (commonly known as Alice and Bob) by combining the distribution of quantum systems to generate symmetric cryptographic keys with the well-known one-time-pad encryption scheme [5]. Unlike classical methods, whose security typically relies on computational assumptions, the security of QKD is only based on quantum information principles, and thus protects against any potential eavesdropper (Eve) with unlimited computational power.
Nevertheless, there are still important challenges that need to be overcome to being able to deploy secure and practical QKD networks worldwide. In particular, it is critical to close the existing gap between the theoretical models used to prove the security of the protocols and their real-world implementations. Any deviation between the actual functioning of the devices employed by Alice and Bob and the physical model that characterizes their behavior might be exploited by Eve to compromise the security of QKD. Indeed, a typical assumption in most security proofs of QKD, including even those of device-independent QKD [6][7][8][9], is that Alice and Bob's devices do not leak any unwanted information about their internal settings to the quantum channel. Unfortunately, however, this requirement is very hard to guarantee in practice. For instance, Eve could perform a so-called Trojan-horse attack (THA) [10,11] by injecting bright light into Alice's transmitter to create side channels that might leak sensitive information about the generated signals.
There exist two main complementary approaches to re-establish the security of QKD in the presence of THAs. From the experimental side, one should implement methods to detect and monitor any potential side channel in real time, as well as to improve the isolation of the involved devices. On the theory side, one needs to relax the strict assumptions of most current security proofs to incorporate the effect of these potential side channels in the security analysis. Indeed, this is the approach that has been recently considered for instance in [12][13][14][15]. In particular, in [13] the authors analyzed the asymptotic security of decoy-state QKD [16][17][18] in the presence of information leakage from Alice's intensity and bit/basis encoding setups. This work has been later on extended to the realistic finite-key regime by Wang et al [14,19]. Unfortunately, the resulting secret-key rate is relatively poor and severely affected by both finite-key and side-channel effects, unless the devices are strongly isolated from the channel. As a side remark, we note that, in addition, all these results do not consider the fact that Eve's injected light might also vary certain parameters of Alice's signals, depending on the amount of isolation that is applied to the transmitter [20,21].
In this work, we analyze the finite-key security of two well-known decoy-state-based QKD protocols in the presence of THAs. Specifically, we consider a decoy-state-based BB84 [4,[16][17][18] scheme, for which we notably improve the results reported previously in the scientific literature [14], with respect to the achievable key rate and distance. Besides, we consider a decoy-state-based loss-tolerant (LT) [22] scheme, whose single-photon implementation is known to deliver the same asymptotic secret-key rate like that of the BB84 protocol in the absence of device imperfections. In order to derive both security analyses, we use two main ingredients. First, we take advantage of novel concentration inequalities for sums of dependent random variables [23] to bound the finite-key deviations. And, second, we make use of the concept of reference states recently introduced in [24][25][26][27]. This allows us to incorporate any potential information leakage from Alice's devices into the analysis. The only requisite is to certify a single experimental parameter that encapsulates all the imperfections, and which is directly related to the isolation of the QKD devices. In doing so, we can roughly double the maximum achievable distance at which Alice and Bob can distill a secret key in various realistic scenarios when compared to previous approaches. Also, we show that our analysis can easily handle any potential modification of the intensity of Alice's signals due to Eve's THA [20].

Transmitted states
Let us consider first the standard decoy-state BB84 protocol [16][17][18] with three intensity settings. In each round Alice prepares a BB84 state whose bit/basis encoding a ∈ {0 Z , 1 Z , 0 X , 1 X } is chosen with probability p a , and whose intensity is set to μ ∈ {μ 0 , μ 1 , μ 2 } with probability p μ . That is, for concreteness here we consider that the settings a and μ are selected independently, but the analysis below can be straightforwardly generalized to the case in which different intensity settings μ and probabilities p μ are chosen for each basis (Z and X) [28]. Besides, we do not assume any specific encoding, being the analysis valid for all of them, e.g., polarization, phase, or time-bin encoding.
In an entanglement-based view of the protocol, and in the absence of any device imperfection or attack, the state generated by Alice's source in any given round reads where the states |R a , R μ A ≡ |R a A 1 ⊗ |R μ A 2 form an orthonormal basis of Alice's register, with system A = A 1 A 2 , and The coefficients p n|μ = e −μ μ n /n! denote the photon-number statistics corresponding to the intensity setting μ, and C is a purifying system not accessible to the parties such that Tr C {|φ a,μ BC φ a,μ |} = n p n|μ |n a B n a |, being |n a an a-encoded n-photon state. As standard, we consider that Alice selects her settings a and μ with the pre-defined probabilities by performing projective measurement with elements {|R a , R μ A } on her register. In particular, to simplify the notation we set The absence of correlations between the generated states associated to different rounds implies that the global state of all the N protocol rounds delivered by Alice's source factors as |Ψ N ABC = ⊗ N u=1 |Ψ u ABC , where the round index u refers to each system and state. In what follows, however, we will omit the index u from the systems and states whenever it is clear that we refer to a particular round for simplicity of notation. Now let us consider that Eve injects an arbitrary photonic system into Alice's device with the aim of learning some information about both her bit/basis encoding (a) and intensity (μ) choices by analyzing the back-reflected light, as illustrated in figure 1. We have that the most general state describing all the quantum systems involved in this particular scenario after Eve's probe system interacts with Alice's bit/basis and Figure 1. Schematic representation of a THA. Eve injects a photonic state (represented in the figure with a yellow arrow) into Alice's transmitter and analyzes the back-reflected light (represented in the figure with blue and green arrows), which might carry information about the internal configuration of Alice's bit/basis and intensity encoding setups. After that, Eve performs an arbitrary joint measurement on her own systems and Alice's transmitted pulses, and she decides the appropriate quantum states to be re-transmitted to Bob. intensity encoding setups can be written as is the state that is actually generated when Alice selects a and μ, being E the optical mode of the back-reflected photonic light produced by the THA. Note that in general E can also include any other systems at Eve's hands (as well as other modes inaccessible to Eve). Precisely, here we consider the case in which this state can be written as where the exact form of |ñ a,μ BE depends on Eve's THA and is typically unknown, and so the probabilities p n|μ , which do not necessarily need to follow a Poissonian distribution. This might happen because, as already mentioned, apart from the leak of information about Alice's settings via the state |ñ a,μ BE , Eve's attack might slightly modify the intensity of Alice's laser [20]. Specifically, |ñ a,μ BE represents the state that outputs the transmitter when, under Eve's attack, Alice selects the settings a and μ, and her laser generates a n-photon pulse. That is, this state includes the back-reflected light. For simplicity, here we disregard the effect that the THA might have on the phase randomization process, and consider that the states generated by the source are Fock diagonal. This is because, as discussed in section 5, our analysis suggests that the amount of isolation required to protect Alice's transmitter against the THA guarantees that the intensity of Eve's light at the input of Alice's laser could be too weak to affect the phase of the generated pulses.

Security proof
Here we prove the security of the standard decoy-state BB84 protocol when the emitted states are given by equations (3) and (4). For this, we shall assume that Alice only sends a signal to Bob once he has detected the signal corresponding to the previous round. In doing so, we guarantee that Eve's actions in the uth round cannot be influenced by the variables a u and μ u for any u > u.
Our starting point is the conditional probability that Alice selects a particular intensity μ, the Z basis, and there is a click at Bob's side in the uth round given all the classical information publicly announced by them up to that round. This quantity can be written as where Bob-Eve's measurement operator associated to observing a click in the uth round, which acts on systems B and E and depends on all the classical information publicly announced by Alice and Bob up to that round, and |Ψ ABCE is given in equation (3).
Importantly, we note that the standard decoy-state technique cannot be applied directly to this scenario to relate the probabilities Q u Z,μ to the single-photon yields for two main reasons. First, the side channel provokes that the n-photon yields could now depend on the intensity setting μ, and, second, the statistics p n|μ might be in general unknown, as already mentioned.
To overcome these two problems and be able to use the decoy-state technique, we define a virtual reference state [24] for that round as where, in this case, we can decide a convenient form for |φ a,μ BCE , which is That is, in equation (7) the states |n a BE consist in a part |n a B that is perfectly characterized-they are the states ideally defined in the protocol, see equation (2)-, and a part |τ that could be any state of system E which does not depend on Alice's settings. In short, besides having no information leakage, the reference state given in equation (6) represents a perfect phase-randomized weak coherent pulse when tracing out systems C and E. For this reference state, the probability that Alice selects the intensity μ, the Z basis, and there is a click at Bob's side in the uth round conditioned on the previous public announcements made by Alice and Bob is defined analogously to equation (5), i.e., These reference gains Q u,ref Z,μ , for the different intensity settings, can be straightforwardly related to the probability of observing a single-photon click in the uth round in the reference scenario, namely the single-photon yield Y u,ref 1 , by means of well-known analytical or numerical bounds [17,18,29,30]. Since the reference states are never sent in the actual implementation of the protocol, we cannot directly observe the quantities Q u,ref Z,μ . Fortunately, however, one can indirectly estimate them by using the following relation [24,25,27] where Q u Z,μ is given in equation (5), and The inequality √ p 1 p 2 + (1 − p 1 )(1 − p 2 ) δ, which following [27] we will call Cauchy-Schwarz (CS) inequality, leads to two different bounds that depend on δ, namely p 1 G U δ (p 2 ) and and . Now, similarly to the gains Q u Z,μ and Q u,ref Z,μ , we denote the conditional probability of a n-photon click at Bob's side in the Z basis given all the previous information announced by Alice and Bob up to the uth round by for the reference and actual scenarios, respectively, with Π n C ≡ |n n| C . Note that here we are defining the yields as joint probabilities, i.e., they are not conditioned on sending a n-photon pulse. Focusing on the single-photon case, the yields Y u,ref 1 and Y u 1 can be related, again, through the CS inequality, i.e., Next we use the previous relations to prove the security of the protocol in the presence of a THA. In particular, we first estimate the number of successful rounds in which Alice transmitted a single-photon pulse. Then, we estimate the number of single-photon phase errors within Alice and Bob sifted key. Finally, based on these estimations, we calculate a lower bound on the length of the secret key.

Number of detected single-photon pulses
Here we estimate the number of detected Z-basis rounds in which Alice transmitted a single-photon pulse, namely M Z 1 , from the observed number of Z-basis detections for the different intensity settings, namely M Z μ . This can be done, as mentioned before, by applying the decoy-state idea combined with the reference technique. Below we describe briefly the process: (a) Finite-key bounds: we first use concentration inequalities for sums of dependent random variables to lower bound M Z 1 from a sum of conditional probabilities Y u 1 that runs on the rounds u = 1, . . . , N. In particular, by applying say Kato's inequality 3 [23] one can lower-bound M Z 1 as which holds except with probability . The functionK L N, is defined in appendix A. (b) CS inequality: the lower bound in equation (14) requires an estimation on the sum N u=1 Y u 1 . As mentioned at the beginning of this section, in the absence of a THA one could relate the single-photon yields Y u 1 of each round directly to the gains Q u Z,μ through the decoy-state method. In the presence of a THA this is not possible, so we take advantage of the reference states. In particular, from equation (13), we know that each single-photon yield Y u 1 in equation (14) can be related to its corresponding reference yield Y u,ref 1 by means of the CS inequality, i.e., where the parameter δ represents any lower bound on the quantity δ u . Furthermore, due to the convexity of the function G L δ (p), one can use Jensen's inequality [31] to obtain a lower bound on the sum of single-photon yields, i.e., which can be directly plugged into equation (14) to obtain (c) Decoy-state technique: for the reference states it is possible to write the single-photon yields as a linear combination of the different gains, i.e., we have that Y u,ref , for a certain linear function F D of the gains. Besides, due to the linearity of F D , we have that For convenience, we write 1 where p n = μ p μ p n|μ andỸ u,ref n is the conditional probability of observing a click at Bob's side given that Alice's transmitted a n-photon pulse and both users selected the Z basis in the reference scenario. Then, we have that 1 can be lower bounded by solving the following linear program (LP): where ∞ n=n cut +1 (d) CS inequality: we can now bound the reference gains Q u,ref Z,μ that are required to estimate the reference single-photon yields through the LP presented in the previous step by applying again the CS inequality, Besides, we can take advantage again of the convexity and concavity of the functions G L δ and G U δ , respectively, to obtain (e) Finite-key bounds: finally we can apply again concentration inequalities to bound, with very high probability, the sum of gains from a function of the number of clicks observed by Alice and Bob (see appendix A). That is, where M Z μ is the number of detections in which Alice selects the intensity μ, and both she and Bob select the Z basis. From equations (23) and (24) we have that the constraints on the LP given by equation (20) now take the form  (17) and (19), one obtains a lower bound M Z,L 1 M Z 1 . In the following subsection we apply an analogous procedure to estimate the number of single-photon phase errors M ph,1 .

Number of single-photon phase errors
We consider that Alice and Bob extract their secret keys from the detected rounds in which Alice prepares a single-photon pulse and both she and Bob select the Z basis. We then define a virtual scenario in which Alice and Bob perform their measurements in the complementary basis for all of such key rounds, which means that Alice measures her system Let us rewrite the reference state given by equations (6) and (7) as with and where we remark that |n a BE : = |n a B |τ E . That is, if we defineD u b to be Bob-Eve's measurement operator associated to the outcome b ∈ {0 Z , 1 Z , 0 X , 1 X } in the uth round, the probability of a phase error in that round for the reference virtual state can be written as On the other hand, we have that the probability of a single-photon bit error in the X basis for the reference states can be written as whereD u X, . Now we take advantage of the symmetries in the set of BB84 states (which imply that |1 vir 0 = |1 0 X and |1 vir 1 = |1 1 X according to equation (27)) to relate both errors as This means that one can estimate the number of phase errors from the sum of probabilities N u=1 Γ u,ref X,1 in the reference framework by following a similar procedure to the previous section. We omit the details here for simplicity. In particular, we have that M ph, 1 from equation (31). For this, note again that the reference states do not leak information about Alice's settings, and thus the probability Γ u,ref X,1 can be bounded by a linear function of the observed bit-error statistics.
We remark that the reference states are never sent in the real protocol, but the statistical relations between the mentioned quantities are still valid. In particular, one can upper bound N u=1 Γ u,ref X,1 by solving the following LP: is the conditional probability of observing a bit error in the uth round given that Alice sent a n-photon state and both she and Bob select the X basis, e u,ref , is the probability that, in the reference scenario, Alice selects the intensity μ, she and Bob select the X basis, and a bit error occurs, conditioned on all the previous information announced by Alice and Bob up to the uth round, and Λ μ has been defined in equation (21).
Finally, the sum of probabilities N u=1 e u,ref X,μ can be bounded, for each μ, from the corresponding observed number of bit errors in the protocol, namely E X,μ , by following an analogous procedure to the previous subsection, which results in

Secret-key rate
After obtaining the bounds M U ph, 1 M ph, 1 and M Z,L 1 M Z 1 , Alice and Bob perform error correction, error verification, and privacy amplification. The secret-key rate of the protocol is given by R = l/N where, as shown in appendix B, the length of the final key is given by where e U ph = M U ph, 1 /M Z,L 1 , and λ EC is the number of bits revealed in the error correction process, which we set to λ EC = M Z f e h(e Z ), i.e., it depends on the overall number of Z-basis detection events M Z , the error-correction efficiency f e , and the quantum bit error rate in the Z basis e Z . A detailed explanation of the meaning of all the remaining parameters c , 2 and PA can be found in appendix B.

Simulations
For the simulations, we use a typical channel model (see appendix D) for a three-intensity decoy-state BB84 protocol. Furthermore, we fix the dark-count probability of Bob's detectors to p d = 7.2 × 10 −8 and their detection efficiency to η D = 0.65 (matching the parameters used in a recent experiment reported in [32]). Besides, we set the system misalignment to ϕ mis = 6 • , which roughly corresponds to an intrinsic error rate of 1%, and we consider a typical fiber-loss coefficient α dB = 0.2 dB km −1 . Regarding the protocol parameters, for concreteness we set s = c = 10 −10 , and f e = 1.2, and, for simplicity, we impose PA = 2 = s /3, ε = ( s /6) 2 , and = ε/14. We note that the value of these latter probabilities can be chosen freely to maximize the secret-key rate, as long as they satisfy s = 2 + PA + 2 √ (see appendix B).  [32]. Also, we fix the system's misalignment to ϕ mis = 6 • , and the loss coefficient of the channel to α dB = 0.2 dB km −1 . For further details, see the main text.
For each distance we optimize the two highest intensities μ 0 and μ 1 , leaving the weakest intensity fixed to μ 2 = 10 −4 due to the finite extinction ratio of real intensity modulators, which are the devices typically used to control the intensity of the transmitted pulses. Besides, we optimize the Z-basis selection probability, which we assume equal for Alice and Bob, i.e., p A Z = p B Z , and the probability that Alice selects the intensity μ 0 , namely p μ 0 , being the remaining intensity probabilities fixed to p μ 1 = p μ 2 = (1 − p μ 0 )/2 for simplicity.
The results are shown in figure 2, in which we evaluate the performance of the protocol for different values of δ, being the number of transmitted signals equal to N = 10 10 for all the curves. We find that the protocol allows to distill a secret key even for relatively low values of the parameter δ, such as δ = 1-10 −4 , but at the cost of reducing the maximum distance between the users. It is important to note that, in principle, the parameter δ can be made as close to 1 as desired by simply increasing the isolation of Alice's equipment. This is because the intensity of Eve's injected light could be limited in practice due to the laser-induced damage threshold, which provides an estimation of the maximum energy that can be injected into Alice's transmitter in a characteristic time interval without damaging it [12]. Naturally, this quantity has to be measured experimentally, but once this experimental characterization is done, it provides a practical upper bound on the intensity of Eve's injected light. Indeed, some experiments with continuous-wave lasers have shown that single-mode optical fibers are severely damaged if they are exposed to an average power of 2-5 W [12,33,34]. Moreover, this power limit may be lowered by using on-purpose devices as optical fuses [35], optical circulators and isolators [36], or other power limiting devices based on the thermo-optical defocusing effect [37]. In addition, one could also put a limit on the intensity of Eve's injected light by placing a monitor detector to abort the protocol if the input intensity surpass a predefined threshold. With this, and given the amount of isolation included at the transmitter, one can obtain an upper bound on the maximum intensity of Eve's back-reflected light, which can be subsequently used to lower bound δ. We refer the reader to appendix C for an example about this point.
In figure 3 we compare our results with the security proof introduced previously in [14] based on the earlier works reported in [12,13]. For this, we consider the case in which Eve's probe is a coherent state that does not modify the behavior of Alice's devices [12][13][14] and the back-reflected light leaks information about Alice's bit/basis and intensity settings. Specifically, we consider that such back-reflected light is a coherent state of the form |β a,μ e iθ a,μ E , where β 2 a,μ I max and the quantities β a,μ and θ a,μ depend on Alice's setting choices a and μ [12][13][14]. This means that the state |ñ a,μ BE in equation (4) can be particularized here to |ñ a,μ BE = |n a B ⊗ |β a,μ e iθ a,μ E , and the photon number statistics remain unaltered, i.e.,p n|μ = p n|μ . Thus, according to equation (10), we have that, in this scenario, the parameter δ has the form δ = a,μ p a p μ n p n|μ ñ a,μ |n a BE = a,μ p a p μ τ |β a,μ e iθ a,μ E . Figure 3. Comparison between the secret-key rates R, in logarithmic scale, obtained in the presence of a THA in which Eve injects strong coherent light [12][13][14] for the case of N = 10 12 transmitted signals. The results associated to the security proof introduced in this paper are illustrated in blue, while those of reference [14], which correspond to a finite key analysis of the asymptotic results in [12,13], are shown in magenta. In these simulations we use the same experimental parameters considered in [14], i.e., p d = 5 × 10 −6 , η D = 0.25, and an intrinsic error rate due to misalignment of 1% (which roughly corresponds to a misalignment angle ϕ mis = 6 • ).
If we set, for instance, |τ E = |vac E , which is a natural choice for the reference states if we assume that Eve's side-channel information is highly attenuated by Alice's isolator, we obtain For the numerical simulations we select the same experimental parameters considered in [14], which further assumes that the number of transmitted signals is N = 10 12 . In particular, the dark-count probability of Bob's detectors is now p d = 5 × 10 −6 , their detection efficiency is η D = 0.25, and the intrinsic error rate due to misalignment is 1% (which for the channel model shown in appendix D roughly corresponds to a misalignment angle ϕ mis = 6 • , as mentioned above). The improvement offered by the security proof introduced in this paper is rather remarkable, being now the maximum achievable distance more than twice of that obtained in [14] for I max = 10 −7 . Indeed, it can be shown that, in terms of isolation, the security proof introduced in [14] requires Alice to increase the isolation of her transmitter in roughly 17 dB to achieve the same maximum distance that she could attain with the security proof presented in this work. Also, we note that our finite-key security analysis is much tighter than that in [14], as we can observe from the curves shown in figure 3 for the case of no information leakage, i.e., I max = 0.
In appendix E we provide the finite-key security analysis for a decoy-state-based three-state LT protocol [22], and we compare its performance with the decoy-state BB84 scheme. We refer the readers to that appendix for the details. Finally, in appendix F we show how the case in which the photon number statistics of Alice's signals might be partially modified by Eve, as has been demonstrated in [20], can also be straightforwardly included in the analysis.

Discussion
As already mentioned, the security proof presented in section 3 disregards the fact that a THA may affect the phase of the transmitted pulses, which would compromise the random-phase assumption considered in decoy-state based QKD. We disregard this effect because, for the typical levels of isolation that are required to protect the transmitter against a THA, the intensity of Eve's pulses at the input of Alice's laser source is probably too weak to being able to modify its phase.
To see this, note, for instance, that if the power of Eve's injected light is limited to, say, 1 dBm [35][36][37], then to obtain a lower bound δ δ L ≈ 1-4 × 10 −8 (see appendix C)-which is already a relatively high value for long-distance QKD-it is necessary to consider about 140 dB of total isolation, which includes the effect of optical isolators, attenuators, the reflectivity of the optical elements, and other internal losses. Besides, note that since Eve's light has to make a round trip, the isolation provided by certain elements-e.g. the optical attenuators-has to be taking into account twice. Now, if the isolation from the channel to the laser source-i.e., that considering only the one-way trip of Eve's light from the channel to Alice's laser-is, say, around 90 dB, then the intensity of Eve's light at the input of Alice's laser would be ∼ 1 pW, which is several orders of magnitude weaker than the lowest values considered in the experiments reported in [21] in order to alter the phase of the source. Still, we note that possible violations of the random-phase assumption might be incorporated to the security analysis, for instance by taking advantage of the techniques that have been introduced to prove the security of decoy-state QKD protocols with discrete phase randomization. In particular, the method presented in [38] allows to perform a decoy-state analysis when the transmitted states are not diagonal in the Fock basis-which would be the effect of not generating perfect phase-randomized coherent states-for which they require to diagonalize the transmitted states in a different basis. In any case, how to combine specifically the ideas introduced in [38] with our particular security proof is beyond the scope of this paper and is left for future studies.

Conclusions
In this work we have introduced a general finite-key security proof for decoy-state-based QKD in the presence of potential information leakage from Alice's transmitter, which could be produced, for instance, by a THA. For this, we have taken advantage of a CS-based constraint to incorporate the information leakage from the bit/basis and intensity encoding setups in the security analysis. This constraint requires the users to bound a single parameter that encapsulates all the imperfections, and we have used novel concentration bounds to deal with the finite-key effects. In practice, such single parameter can be directly related to the amount of isolation of Alice's transmitter.
For illustration purposes, we have evaluated the performance of the standard decoy-state BB84 protocol and the decoy-state LT protocol in the presence of a THA. The results demonstrate the feasibility of both schemes over long distances given that the information leakage is small enough, which could be achieved by increasing the isolation of the devices. Our results significantly outperform previous approaches by doubling the maximum achievable distance in realistic scenarios.

Acknowledgments
This work was supported by the Galician Regional Government (consolidation of Research Units: AtlantTIC), the Spanish Ministry of Economy and Competitiveness (MINECO), the Fondo Europeo de Desarrollo Regional (FEDER) through Grant No. PID2020-118178RB-C21, and MICIN with funding from the European Union NextGenerationEU (PRTR-C17.I1) and the Galician Regional Government with own funding through the 'Planes Complementarios de I+D+I con las Comunidades Autónomas' in Quantum Communication.

Data availability statement
All data that support the findings of this study are included within the article (and any supplementary files).

Appendix A. Concentration bounds for dependent random variables
Let ξ 1 , . . . , ξ N be a sequence of Bernoulli random variables, and let Λ l = l u=1 ξ u . Let F l be its natural filtration, i.e., the σ-algebra generated by {ξ 1 , . . . , ξ l }. According to Kato's inequality [23], for any N, a, b such that b |a|, we have that Besides, by replacing ξ l with 1 − ξ l and a with −a in equation (A1), one obtains [39] Pr In [40] it is shown how to use equation (A1) to derive an upper bound on the sum of conditional probabilities, namely N u=1 whose analytical solution is 4 Then, we have that,K L N, (S) := except with probability . Below we include for completeness the remaining bounds that we use in this work [39,40], being all of them held except with probability . In particular, an upper bound on the actual value Λ N is given bȳ A lower bound on the sum S is given by where the optimal values for a and b can be obtained if we have a prediction of Λ N , which we denoteΛ N . To obtain this prediction, one could use data from previous executions of the protocol or a theoretical model for the quantum channel. Based on this prediction, the optimal values for a and b are given by (A9) Finally, an upper bound on the sum S is given by where X 1 is the bit string Bob would obtain if he measured system B in the complementary basis, and Figure 4. Schematic representation of the channel model. Alice selects the settings a and μ and prepares a weak coherent pulse with intensity μ and polarization angle ϕ a . We recall that ϕ mis (η) stands for the misalignment introduced by de channel (overall system efficiency). In the figure, we consider for simplicity a fixed Z-basis measurement at Bob's side, which consists in a PBS and two threshold single-photon detectors (D 0 and D 1 ).
where we have taken |τ E = |vac E . For the value of μ THA out previously estimated, this bound corresponds to δ L ≈ 1-4 × 10 −8 . Importantly, note that this value can be further improved by increasing the isolation of Alice's equipment or by placing stronger power limiters between Alice's transmitter and the channel.

Appendix D. Channel model
We consider a typical channel model for decoy-state QKD based on polarization encoding, which is sketched in figure 4. In particular, for each value of a ∈ {0 Z , 1 Z , 0 X , 1 X }, Alice prepares a coherent state with polarization angle ϕ a ∈ {0, π 2 , π 4 , 3π 4 }. Besides, she sets the amplitude of each transmitted pulse accordingly to the intensity setting μ. Note that in this model we are not required to consider a random phase for Alice's coherent states since we are describing an honest implementation of the quantum channel in which the phases of the coherent states do not play any role. That is, we would obtain exactly the same result if we considered phase-randomized coherent states in the calculations below.
In the quantum channel, we model the polarization misalignment with a unitary operation U ϕ mis that makes the creation operators of its input modes evolve asâ † H → cos ϕ misb † are, respectively, the creation operators associated to the horizontal and vertical polarization modes before (after) the misalignment. On the other hand, the overall system efficiency is modeled with a beamsplitter (BS) of transmittance η = η D η c , where η D is the efficiency of Bob's detectors, η c = 10 −α dB L/10 is the transmittance of the quantum channel, α dB is the fiber-loss coefficient, and L is the total distance between Alice and Bob.
Finally, at Bob's side the horizontal and vertical modes are spatially separated with a polarizing beamsplitter (PBS) whose output ports are connected to two threshold single-photon detectors of perfect efficiency (since η D has already been considered in η) and dark-count probability p d .
For this simple model, the click probability at Bob's side given that Alice prepares a signal with intensity μ is given by which means that the number of Z-basis detections in which Alice selects the intensity μ satisfies On the other hand, it can be shown that the probability P b|a,μ,Z B that Bob observes a particular outcome b ∈ {0, 1} when he measures the incoming signal in the Z basis given that Alice selected the settings a and μ is where h ϕ a = 1 − e −ημ sin ϕ a 1 − e −ημ cos ϕ a + p d e −ημ sin ϕ a + e −ημ cos ϕ a − 2e −ημ + p 2 d e −ημ , and ϕ a = ϕ a + ϕ mis . In equations (D2) and (D3) we have considered that each double-click event at Bob's side is randomly re-assigned to a single-click event in one of the two detectors D 0 or D 1 (see figure 4). Also, note that due to the symmetry of the model, we have that P b|a,μ,X B can be obtained from P b|a,μ,Z B by simply shifting the angle ϕ a by π/2 radians. With this, we can write M a,b Z ,μ ≈ Np μ p a p B Z P b|a,μ,Z B and M a,b X ,μ ≈ Np μ p a p B X P b|a,μ,X B . Next, we take the sum over all rounds in both sides of the equality given in equation (E6) where M a,b,μ refers to the number of rounds in which Alice selects the settings a and μ, and Bob observes the successful outcome b.

E.2. Comparison with the decoy-state BB84 protocol
Here we compare the secret-key rate of the decoy-state LT and BB84 protocols in the presence of information leakage. For the simulations we consider the same experimental and user parameters employed in figure 2, with the only exception of , which in the case of the LT protocol is set to = ε/32 since the concentrations bounds must be applied more times than in the BB84 case. The results are shown in figure 5, which demonstrates that the BB84 protocol outperforms the LT in all the considered scenarios. This is mainly due to the fact that the phase-error rate estimation of the LT protocol requires to estimate four different yields, requiring to apply the corresponding decoy-state, CS, and concentration bounds more times, while in the BB84 protocol the number of phase errors can be estimated in a more direct way due to the symmetries in the set of transmitted states.

Appendix F. THA that modifies the intensity of Alice's pulses
Here we consider the case in which the photon number statistics of Alice's transmitted pulses may vary with respect to those of the ideal scenario. This might be provoked, for instance, by Eve's injected light, which apart from leaking information about Alice's setting choices through the corresponding back-reflected light, it can also modify the functioning of the laser source increasing the intensity of Alice's pulses [20], or by passive intensity fluctuations in the transmitted pulses. Figure 6. Secret-key rate R of the BB84 protocol in logarithmic scale considering a THA in which Eve injects strong coherent light that, apart from provoking information leakage, it also increases Alice's intensities by a factor κ, expressed as a percentage. In (a) we assume that the modified intensities could be round dependent (which corresponds to N it = 1), while in (b) it is assumed that Eve's attack increases the intensity of all the transmitted signals in the same factor κ (for which we set, in particular, N it = 16). We consider that the intensity of Eve's back-reflected light is upper bounded by I max = 10 −5 , and the number of transmitted signals is N = 10 10 . The experimental parameters used for the simulation are the same as those used in figure 2.
Below we shall focus on the case of an active attack, although the analysis is also valid for the case of intensity fluctuations. In particular, we consider that the photon-number statistics of Alice's signal in the uth round no longer satisfyp n|μ = p n|μ , but instead we havep n|μ = p n|μ u = e −μ uμ n u n! , withμ u ∈ [μ, κμ], being κ a multiplicative factor that depends on Eve's attack. Let us remark, however, that the analysis below could be straightforwardly adapted to any probability distribution. Besides, we consider, as in the main text, that the intensity β 2 a,μ of the back-reflected light is upper-bounded by I max and Eve uses this light to learn information about the settings a and μ. This means, according to equation (10), that The results are illustrated in figure 6(a), which shows how the secret-key rate is significantly affected by the multiplicative factor κ. In particular, we observe that a small increase in κ leads to a quick drop of the secret-key rate. This drop is more notorious if lower values of I max are selected. This is because the quantities I max and (1 + κ − 2 √ κ)μ are directly summed in the exponential term of equation (F1), which means that the increase of κ has negligible impact when κ changes within a region such that I max (1 + κ − 2 √ κ)μ. Note, however, that one expects κ to be small if the isolation at Alice's transmitted is sufficiently high, which is also required to minimize the information leakage.
Significantly better results can be obtained if one assumes that the values of the modified intensitiesμ u do not depend on the particular round, i.e., Eve's attacking strategy is round-independent. In this case, one can consider the worst-case scenario for the secret-key length given thatμ u =μ ∈ [μ, κμ]. That is, one could take the smallest value of the secret-key length, namely l wcs , such that l wcs minμ ∈[μ,κμ] lμ, where lμ is the secret-key length given in equation (33), which now depends on the modified intensitiesμ but assumes that these intensities are known precisely.
Importantly, even though we do not know the exact value of minμ ∈[μ,κμ] lμ, we can obtain a valid l wcs by means of a simple numerical evaluation without compromising the security of the protocol. For this, note that Alice and Bob can always divide the interval [μ, κμ] in N it equally-spaced sub-intervals [μ k , μ k κ k ], and take l wcs = min where l [μ k ,μ k κ k ] is the secret-key length obtained by considering the intensity settings μ k = μ + kΔμ, with Δμ = μ(κ−1) N it , and a multiplicative factor κ k = μ+(k+1)Δμ μ+kΔμ = N it +(k+1)(κ−1) N it +k(κ−1) . That is, for each k, the imperfections due to Eve's attack, are incorporated through equation (F1), but substituting μ → μ k and κ → κ k in that equation. Note that, in doing so, one gets as close as desired to the perfect minimization min μ∈[μ,κμ] l μ by increasing N it without compromising in any case the security of the protocol. The results for the particular case of N it = 16 and for different values of κ (expressed as percentage) are shown in figure 6(b). As expected, the secret-key rate is much less sensitive to Eve's attack than in the previous scenario shown in figure 6(a).