Security of quantum key distribution with imperfect phase randomisation

The performance of quantum key distribution (QKD) is severely limited by multiphoton emissions, due to the photon-number-splitting attack. The most efficient solution, the decoy-state method, requires that the phases of all transmitted pulses are independent and uniformly random. In practice, however, these phases are often correlated, especially in high-speed systems, which opens a security loophole. Here, we address this pressing problem by providing a security proof for decoy-state QKD with correlated phases that offers key rates close to the ideal scenario. Our work paves the way towards high-performance secure QKD with practical laser sources, and may have applications beyond QKD.


I. INTRODUCTION
Quantum key distribution (QKD) allows two users, Alice and Bob, to securely establish a symmetric cryptographic key over an untrusted channel controlled by an adversary, Eve, with unlimited computational power [1,2]. The security of QKD is based on information theory and the laws of quantum mechanics. However, a practical implementation of a QKD protocol is only secure if it meets all the assumptions made in its corresponding security proof. For example, the early proofs [3,4] of the widely-known BB84 protocol [5] assumed the availability of single-photon sources, which are difficult to achieve in practice. Instead, implementations of the protocol typically rely on laser sources that emit weak coherent pulses (WCPs), either with or without randomised phases, which are vulnerable to the photon-number-splitting attack [6] and to an unambiguous state discrimination attack [7], respectively. This has a severe impact on the obtainable secret-key rate and limits the maximum distance to a few tens of kilometers [8,9].
The most efficient solution to this problem is known as the decoy-state method [10-13], and is currently used by the majority of commercial QKD systems. It requires the users to emit phase-randomised (PR) WCPs of various intensities, and exploits the fact that PR-WCPs are diagonal in the Fock basis, with each photon-number component containing no information about the intensity it originated from. Thanks to this, one can use the observed detection statistics to characterize the effect of the channel on different photon-number states, and derive tight bounds on the fraction of the sifted key that originates from single-photon emissions, as well as on its phase-error rate. As a result, one can ideally obtain a secret-key rate comparable to that offered by single-photon sources [14].
However, generating perfect PR-WCPs, i.e. WCPs whose phase is uniformly and independently random in $[0, 2\pi)$, may be challenging in certain scenarios, particularly at high repetition rates. The most common approach to randomise the pulse phase is to operate the laser under gain-switching conditions [15-19], i.e. to turn the laser on and off between pulses. However, due to the difficulty in attenuating the intracavity field of the laser strongly enough to ensure significant phase diffusion, experiments suffer from residual correlations between the phases of consecutive pulses [20,21], which invalidate the standard decoy-state analysis. As an alternative, one can also actively randomise the phase of each emitted pulse by using a random number generator and a phase modulator [22], and security proofs have been proposed to deal with the resulting discretisation effect [23,24]. However, due to memory effects in the phase modulator and the electronics that control it [21], this approach may also suffer from correlations, which the existing proofs do not take into account.
Because of this discrepancy between the existing security proofs of decoy-state QKD and its practical implementations, the security of the latter is not sufficiently guaranteed, which is an important open problem in the field. Here, we address this problem by proving its security in the presence of phase correlations between consecutive pulses, which arise when running gain-switched laser sources at high repetition rates. Importantly, our simulation results suggest that decoy-state QKD is robust against this imperfection, and that one could obtain key rates close to the ideal scenario when using currently-available high-speed laser sources.

II. ASSUMPTIONS AND PROTOCOL DESCRIPTION
Clearly, the secret key rate obtainable in the presence of imperfect phase randomisation should depend on the strength of the imperfection. The case in which the phases are not random is known to result in a very poor performance [9], while one may expect that, if the source emits a train of pulses whose phases are close to the ideal scenario (i.e., all being independent and uniformly distributed), one should also be able to obtain a performance that is close to ideal. Thus, determining the obtainable key rate inevitably requires a certain degree of source characterisation, with the only question being which specific parameters are the relevant ones. Our proof demonstrates that only two parameters need to be characterized. The main parameter that determines the protocol performance, which we denote as the source quality $q \in (0, 1]$, evaluates how close each individual phase is to being uniformly random from the perspective of an eavesdropper that holds all possible side-information about it, i.e., that has knowledge of all previous and following phases that are correlated with it.
The other relevant parameter in our security proof is the correlation length $l_c$, which does not affect the asymptotic key rate obtainable, but does have consequences in the post-processing step, see Section II B below. We remark that the case $l_c = 0$ (i.e., the case in which the phases are independent but not uniformly random, which may be relevant if Eve performs an active laser seeding attack [25]) has already been considered in Refs. [26,27]; our proof becomes similar to that of these works for this scenario. For concreteness, in this work, we focus on the applicability of our proof to the case of naturally-occurring phase correlations.

A. Assumptions of our proof
The sequence of phases $\Phi_1 \ldots \Phi_N$ of Alice's pulse train constitutes a discrete-time stochastic process whose joint distribution can be represented by a probability density function (PDF) $f(\phi_1 \ldots \phi_N)$. Our proof does not require a precise characterisation of this distribution; it requires just two pieces of knowledge, which we state as the following two assumptions:
(A1) The stochastic process $\Phi_1 \ldots \Phi_N$ has at most $l_c$ rounds of memory, for some finite and known $l_c$. That is, for all rounds $i$,
(A2) The conditional PDF of $\Phi_i$ given all other phases is lower bounded, i.e., for all $i$ and some known $0 < q \le 1$,
The equality in Eq. (2) follows from Eq. (1).
In addition, for simplicity, we consider that the phase randomisation process is not affected by the intensity modulation and bit-and-basis encoding processes; and for concreteness, we also consider that neither the latter processes nor Bob's measurement setup suffer from imperfections. Precisely, we assume that (A3) Alice's choice of intensities and the phase of her pulses are independent; (A4) Alice's (bit-and-basis) encoding operations commute with the process that (imperfectly) randomises the phase of her pulses; (A5) Alice's choice of bit, basis and intensity for round $i$ only affects the $i$-th pulse; (A6) Alice's encoding operations are characterised and identical for all rounds; (A7) the intensities of Alice's pulses perfectly match her choices; and (A8) the efficiency of Bob's measurement is independent of his basis choice. We note that previous works have investigated the security of QKD when some of these assumptions are not met [28-42].

B. Protocol description
(1) For each round, Alice probabilistically selects a random intensity $\mu$ from a predetermined set and attempts to generate a PR-WCP of that intensity. Then, she selects a random bit $b$ and basis $\omega \in \{Z, X\}$, and applies an encoding operation $V_{b_\omega}$ to her pulse, satisfying $V_{b_\omega}^{\dagger} V_{b_\omega} = I$.
In the security proof, we consider the following equivalent process for the state preparation: (1a) Alice generates $|\sqrt{\nu}\rangle^{\otimes N}$, where $\nu \ge \mu\ \forall \mu$; (1b) she applies an imperfect phase randomisation operation to the pulse train, obtaining
(2) For each incoming signal, Bob chooses a random basis Z or X, and measures the incoming pulse.
(3) Bob announces which rounds were detected and, for these rounds, both Alice and Bob reveal their basis choices, and Alice reveals her intensity choices. They define their sifted keys as the bit outcomes of the detected rounds in which both chose the Z basis and Alice chose a certain signal intensity $\mu_s$. Also, they define the test rounds as the detected rounds in which Bob used the X basis, and reveal their bit values for these rounds. Moreover, they assign each round $i$ to a group $w \in \{0, \ldots, l_c\}$ according to the value $w = i \bmod (l_c + 1)$. The $w$-th sifted subkey is defined as the fraction of the sifted key belonging to group $w$.
(4) Alice and Bob sacrifice a small fraction of the $w$-th sifted subkey to estimate its bit-error rate, and use the detection statistics of the $w$-group test rounds to estimate its phase-error rate. Then, they perform error correction and privacy amplification independently for each subkey.

III. SECURITY PROOF
The main idea and contribution of our security proof is finding an equivalence between the actual scenario described above, in which Alice's source is correlated and partially uncharacterised, and an alternative scenario in which, within the $w$-group rounds, Alice prepares characterised and uncorrelated states that are close to a PR-WCP, and then applies a global quantum operation that imprints the correlations present in the actual source, which, from the perspective of the security proof, can be considered to be part of the Eve-controlled quantum channel. In this alternative scenario, it is straightforward to prove the security of the $w$-th subkey using numerical techniques; by doing so, we also indirectly prove the security of the $w$-th subkey in the actual protocol. By repeating this procedure for all $w \in \{0, \ldots, l_c\}$, we can independently prove the security of each subkey, and guarantee the security of the concatenated final key due to the universal composability property of each individual security proof. For more information on this latter argument, we refer the reader to Appendix C of Ref. [43], as well as to Ref. [36] for an example of its application in the case $l_c = 1$.

A. Reduction to the (w-th) alternative scenario
Let $G_w$ ($\overline{G}_w$) be the set of rounds that belong (do not belong) to group $w$, let $\vec{\phi}_{G_w}$ ($\vec{\phi}_{\overline{G}_w}$) be a particular joint value for all phases in $G_w$ ($\overline{G}_w$), let $f(\vec{\phi}_{\overline{G}_w})$ be the joint marginal PDF of the phases in $\overline{G}_w$, and let $f(\vec{\phi}_{G_w} | \vec{\phi}_{\overline{G}_w})$ be the joint conditional PDF of the phases in $G_w$ given $\vec{\phi}_{\overline{G}_w}$.
After the chain of equivalences (E1)-(E4) below, the actual protocol is reduced to the $w$-th alternative scenario, in which Alice's source is characterised and uncorrelated within the rounds in $G_w$. For the first equivalence, note that, due to Assumption (A1), the phases in $G_w$ are conditionally independent of each other given knowledge of the phases in $\overline{G}_w$, i.e., as shown in Appendix A.
$\{V_{b_\omega}\}$ encodes a single mode of light in a prefixed input polarization into four possible outcome polarizations whose creation operators can be expressed as a linear function of those of horizontal and vertical polarizations. To compute the numerical results in Fig.
and due to Eq. (4), the overall generated state is For the next equivalence, note that Alice could attenuate her pulses before applying the phase shifts above, rather than afterwards. Also, for all $i \in G_w$, due to Assumptions (A1) and (A2). As a consequence, instead of shifting the $i$-th phase according to the PDF $f(\phi_i | \vec{\phi}_{\overline{G}_w})$ when $i \in G_w$, Alice could have equivalently done the following [26,27]: flip a biased coin $C_i$ such that $C_i = 0$ with probability $q$, and (a) if $C_i = 0$, shift the phase by a uniformly random value, (b) if $C_i = 1$, shift it according to the PDF The equivalence is due to where
(E2) Instead of steps (1a) to (1c), for each round $i$, Alice probabilistically chooses an intensity $\mu$, and (a where $\rho^{\mu}_{\mathrm{PR}}$ is a perfect PR-WCP of intensity $\mu$. Then, Alice chooses $\vec{\phi}_{\overline{G}_w}$ according to the PDF $f(\vec{\phi}_{\overline{G}_w})$ and, for each round $i$, (a) if $i \in \overline{G}_w$, she shifts the phase by her selected fixed value $\phi_i \in \vec{\phi}_{\overline{G}_w}$; (b) if $i \in G_w$, she shifts the phase according to the PDF $f(\phi_i | \vec{\phi}_{\overline{G}_w}, C_i = 1)$ in Eq. (8).
Clearly, the rounds in $\overline{G}_w$ are identical in both (E1) and (E2). The rounds in $G_w$ are also identical. Alice's phase shift does not affect the $\rho^{\mu}_{\mathrm{PR}}$ term in Eq. (10), and it causes the $|\sqrt{\mu}\rangle\langle\sqrt{\mu}|$ term to acquire the phase distribution in Eq. (8).
Thus, the overall phase distribution of the pulse after the shift is $f(\phi_i | \vec{\phi}_{\overline{G}_w})$, due to Eq. (9). We can represent Alice's probabilistic selection of $\vec{\phi}_{\overline{G}_w}$ together with all the phase shifts described above as a single global quantum operation $E_w$.
(E3) Same as (E2), but Alice applies her encoding operations $V_{b_{\omega_1}} \ldots V_{b_{\omega_N}}$ before $E_w$, rather than afterwards, which is possible thanks to Assumption (A4).
(E4) Since $E_w$ is now the last operation before the quantum channel, we consider that Alice does not actually apply it. Eve may or may not apply $E_w$ as part of her attack, putting her in a position that is never less advantageous than in the previous scenarios. Thus, if the $w$-th subkey is secure in (E4), it is also secure in the actual protocol. We refer to (E4) as the $w$-th alternative scenario.

B. Security of the w-th subkey
As a consequence of the reduction above, when proving the security of the $w$-th subkey, we can assume that, in the $w$-group rounds, Alice generates the characterised and uncorrelated states $\{\rho^{\mu}_{\mathrm{model}}\}_{\mu}$. Thanks to this, it becomes straightforward to prove its security using numerical methods. In particular, flexible techniques based on semidefinite programming (SDP) have been recently proposed [27,44-50], which can handle almost any scenario, as long as the emitted states are characterised and uncorrelated, making them well suited to our purpose. The specific approach that we have developed uses ideas from these works but is targeted to this particular scenario. Below, we provide an overview of the main ideas, and refer the reader to Appendix B for a detailed description.
Each of Alice's generated states $\{\rho^{\mu}_{\mathrm{model}}\}_{\mu}$ can be diagonalised as where we have omitted the dependence of the eigenvalues and eigenstates on $q$ for notational simplicity. Each set of eigenstates $\{|\lambda^{\mu}_{n}\rangle\}_{n}$ forms an orthonormal basis of the Fock space, and can be regarded as imperfect versions of the Fock states $\{|n\rangle\}_{n}$, with the two sets of states converging as $q \to 1$. Similarly, the eigenvalues $\{p_{\lambda_n|\mu}\}_{n}$ approach a Poisson distribution when $q \to 1$. Note that, when $q \neq 1$, the states $\{|\lambda^{\mu}_{n}\rangle\}_{n}$ depend slightly on the intensity setting $\mu$, and therefore the standard decoy-state method cannot be applied to this scenario. However, we can still assume a counterfactual scenario in which Alice holds the ancillary system that purifies $\rho^{\mu}_{\mathrm{model}}$ and measures it to learn the value of $n$ for each round. The information leakage of the $w$-th sifted subkey can then be determined by estimating the fraction $q_{\lambda_1,w}$ of its bits that originated from emissions of $|\lambda^{\mu_s}_{1}\rangle$, and the phase-error rate $e^{\lambda_1,\mu_s}_{\mathrm{ph},w}$ of these bits, as shown in Appendix C. The first can be expressed as where $Y^{Z,w}_{\lambda_1,\mu_s}$ is the yield probability of $|\lambda^{\mu_s}_{1}\rangle$ when encoded in the Z basis, which needs to be estimated, and $Q^{Z}_{\mu_s,w}$ is the observed rate at which Bob obtains detections conditioned on Alice choosing the intensity $\mu_s$, both users choosing the Z basis, and the round being in $G_w$. On the other hand, to define the phase-error rate, we consider that, in the rounds in which both users choose the Z basis and Alice prepares $|\lambda^{\mu_s}_{1}\rangle$, she actually generates the entangled state and performs an X-basis measurement on system A [51]. Equivalently, she emits with probability Also, we assume that Bob replaces his Z-basis measurement by an X-basis measurement, which is allowed due to the basis-independent detection efficiency assumption, (A8). The phase-error rate is then given by $e^{\lambda_1,\mu_s}_{\mathrm{ph},w} =$ where is the probability that Bob obtains the measurement outcome $(\beta \oplus 1)_X$ conditioned on Alice emitting $|\lambda_{\mathrm{vir}\beta}\rangle$.
In Appendix B, we show how to obtain a lower bound $Y^{Z,w,L}_{\lambda_1,\mu_s}$ and an upper bound $e^{\lambda_1,\mu_s,U}_{\mathrm{ph},w}$ on $Y^{Z,w}_{\lambda_1,\mu_s}$ and $e^{\lambda_1,\mu_s}_{\mathrm{ph},w}$, respectively, using SDP techniques. In doing so, the main hurdle to overcome is the fact that the states $\{\rho^{\mu}_{\mathrm{model}}\}_{\mu}$ are infinite-dimensional, preventing us from finding their exact eigendecompositions using numerical methods, and from constructing finite-dimensional SDPs using these states. Instead, we construct the SDPs using the finite projections of $\{\rho^{\mu}_{\mathrm{model}}\}_{\mu}$ onto the subspace with up to $M$ photons [26,27], after numerically obtaining the eigendecompositions where $\Pi_M = \sum_{n=0}^{M} |n\rangle\langle n|$. Then, by bounding the deviation between the eigenvalues and eigenvectors of $\rho^{\mu}_{\mathrm{model}}$ and $\Pi_M \rho^{\mu}_{\mathrm{model}} \Pi_M$ using perturbation theory results, we can correct the SDP constraints and solutions, ensuring that the final bounds $Y^{Z,w,L}_{\lambda_1,\mu_s}$ and $e^{\lambda_1,U}_{\mathrm{ph},w}$ apply to the original infinite-dimensional scenario. The secret-key rate obtainable per emitted $w$-group pulse is then given by where $E^{Z}_{\mu_s,w}$ is the bit-error rate of the $w$-th sifted subkey, is a correction term due to the finite projection, $h(x)$ is the binary entropy function, $f$ is the error correction inefficiency, and the rest of terms have already been defined.

IV. DISCUSSION
We have proven the security of decoy-state QKD in the presence of phase correlations, which appear when running gain-switched laser sources at high repetition rates. For simplicity, we have focused on the BB84 protocol, although our analysis can be straightforwardly adapted to other schemes, such as the three-state protocol [52,53] and measurement-device-independent QKD [54], and our techniques may be applicable to other quantum communication protocols that rely on phase-randomised weak coherent sources, such as blind quantum computing [55] and quantum coin flipping [56]. Our proof requires knowledge of the parameters $l_c$ and $q$, see Eqs. (1) and (2). The former is an upper bound on the correlation length (in a generalised Markovian sense), while the latter can be regarded as a lower bound on the uniformity of the conditional distribution of each phase given knowledge of all the other phases.
In Fig. 1, we plot the overall secret-key rate obtainable for different values of $q$. We note that the asymptotic key rate does not depend on $l_c$, since it is only affected by the form of the states $\{\rho^{\mu}_{\mathrm{model}}\}_{\mu}$, which is independent of $l_c$; see Eq. (10). To compute these results, we have used a simple channel model in which the only source of error is the dark count rate of Bob's detectors. Moreover, for simplicity, we have assumed that $\{V_{b_\omega}\}$ are ideal BB84 encoding operators, and set $M = 9$.
[Figure 1: plot of the key rate; legend: q = 0.8, q = 0.85, q = 0.9, q = 0.95, q = 0.992407, Ideal (q = 1) [13]]
Figure 1. Asymptotic secret-key rate of the decoy-state BB84 protocol with imperfect phase randomisation as a function of the overall system loss (solid lines), compared with the case of ideal phase randomisation [13] (dashed line). We assume three intensities $\mu_s > \mu_w > \mu_v = 0$. Moreover, for simplicity, we set $\mu_w = \mu_s/5$, and optimise over $\mu_s$; while for the ideal case, we optimise over both $\mu_s$ and $\mu_w$. We consider a dark count probability $p_d = 10^{-8}$ for Bob's detectors, and an error correction inefficiency $f = 1.16$.
To gauge the values of $q$ that one may expect in practical implementations, we examine the available literature. Recent works [20,21] have studied the magnitude and properties of phase correlations in gain-switched lasers under the implicit assumption that $l_c = 1$. In particular, Ref. [20] argues that the phase difference between adjacent pulses follows a Gaussian distribution, and shows how to estimate its variance by measuring the fringe visibility $V$ in an asymmetric interferometer configuration. Under these assumptions, one can also calculate $q$ from the observed visibility, see Appendix D. In particular, the value $V = 0.0019$ recently measured in Ref. [21] for a state-of-the-art 5 GHz source corresponds to $q = 0.992407$; in Fig. 1, we have included the key rate obtainable for this value, which is quite close to that of the ideal scenario.
While $l_c = 1$ might be a good approximation to the phase distribution of many gain-switched laser sources, non-negligible correlations could in principle exist beyond immediately adjacent pulses, especially in high-speed setups. Further work is needed to develop characterisation tests that can rigorously determine the value of $l_c$ and $q$ for any implementation. Since the asymptotic key rate offered by our proof is robust when decreasing the value of $q$, as evidenced by Fig. 1, and independent of $l_c$, it is well placed to guarantee the security of practical implementations while retaining key rates close to the ideal scenario, and we hope that the present paper will stimulate the experimental interest required to achieve this goal.

NOTE
The security of decoy-state QKD with imperfect phase randomisation has also been recently investigated in Refs. [26,57]. These works introduced insightful ideas that sparked the development of our security proof, and we recognise these important contributions. That being said, their security analysis contains some conceptual flaws that invalidate its application in the presence of phase correlations; see Appendix E. We note that the claims made in Refs. [26,57] have been amended in [27].

DATA AVAILABILITY STATEMENT
No new data were created or analysed in this study.

STATEMENT
This is the Accepted Manuscript version of an article accepted for publication in Quantum Science and Technology. IOP Publishing Ltd is not responsible for any errors or omissions in this version of the manuscript or any version derived from it. This Accepted Manuscript is published under a CC BY licence. The Version of Record is available online at 10.1088/2058-9565/ad141c.

which is the equality in Eq. (2). Let $G^{\neg i}_{w}$ be the set of rounds in $G_w$, except the $i$-th round. We have that, for all $i \in G_w$, where in the second to last equality we have used $\overline{G}_w \cup G^{\neg i}_{w} = \{N, \ldots, i+1, i-1, \ldots, 1\}$ and Eq. (A1); and in the last equality we have used $\{i + l_c, \ldots, i+1, i-1, \ldots, i - l_c\} \notin G^{\neg i}_{w}$. Combining Eqs. (A1) and (A2), we obtain This implies that the phases in $G_w$ are conditionally independent of each other given knowledge of the phases in $\overline{G}_w$, i.e. Eq. (4). Also, combining Eq. (A2) and Assumption (A2), we obtain Eq. (7).
Proof of Eq. (A1)
(A4)
where in the equality marked by an asterisk, we have used and in the equalities marked by a cross, we have used Assumption (A1).

APPENDIX B: Obtaining the required bounds using SDPs
Here, we show how to obtain the bounds $q^{L}_{\lambda_1,w}$ and $e^{\lambda_1,\mu_s,U}_{\mathrm{ph},w}$ using semidefinite programming techniques, and employ these to derive an asymptotic lower bound on the secret-key rate. To do so, for simplicity, we assume that Eve performs a collective attack. However, the set of bounds we obtain, and thus the overall security proof, is also valid for general attacks, due to the extension of the quantum de Finetti theorem [58] to infinite-dimensional systems [59]. We note that, as an alternative to the SDP approach presented here, which uses ideas from Refs. [26,27], one could also obtain these bounds using linear programming techniques, by using the trace distance inequality to account for the dependence of the eigenstates $|\lambda^{\mu}_{n}\rangle$ on the intensity $\mu$ (see Refs. [23,32-34]). However, according to our preliminary numerical simulations, this would result in much more pessimistic bounds.
Eve's collective attack can be described as a quantum channel $\Lambda$ acting separately on each of Alice's emitted photonic systems. Let us assume that, in a given round, Bob performs a POVM that contains some element $\Gamma$. The probability that Bob obtains the outcome associated to $\Gamma$ when Alice sends him a quantum state $\sigma$ can be expressed as where $\{E_l\}$ are the set of Kraus operators of the operator-sum representation [60] for the channel $\Lambda$, and We denote Bob's Z and X basis POVMs as, respectively, Note that the element associated to an inconclusive result, $\Gamma_f$, is the same for both bases, due to Assumption (A8) (basis-independent detection efficiency).

1. Lower bound on $q_{\lambda_1,w}$
To estimate the fraction $q_{\lambda_1,w}$, we need to estimate the yield $Y^{Z,w}_{\lambda_1,\mu_s}$, see Eq. (12). Substituting $\sigma$ where we have defined Substituting first $\rho \to |\lambda^{\mu_s}_{1}\rangle\langle\lambda^{\mu_s}_{1}|$ and then $\rho \to \rho^{\mu}_{\mathrm{model}}$ in Eq. (B3), we obtain This implies that we can express a lower bound on $Y^{Z,w}_{\lambda_1,\mu_s}$ as the SDP min However, as explained in the main text, one cannot solve this SDP numerically because (1) it is infinite-dimensional and (2) the eigendecomposition of $\rho^{\mu}_{\mathrm{model}}$ is unknown. To overcome these problems, we consider the projection of the state $\rho^{\mu}_{\mathrm{model}}$ onto the subspace with up to $M$ photons, and numerically find its eigendecomposition, where the decomposition has $M + 1$ terms because the projection is in a space of dimension $M + 1$.
Let $J^{*}$ be the operator that minimises the SDP in Eq. (B6). We have that where in the last inequality we have used Eqs. (B10) and (B16) and the fact that $G_{-}$ is increasing with respect to its second argument. On the other hand, we have that where $Y'^{Z,w,L}_{\lambda_1,\mu_s}$ is the solution of the SDP min and $J^{**}$ is the operator that minimises this SDP. In Eq. (B21), $\rho'^{\mu}_{\mathrm{model}}$ is given by Eq. (B7), and in the first inequality of Eq. (B21), we have used Eqs. (B8) and (B16). Equation (B20) holds because the constraints of Eq. (B21) are looser than those of Eq. (B6), i.e. all operators that satisfy the constraints of Eq. (B6), including $J^{*}$, also satisfy the constraints of Eq. (B21). Note that the states $\rho'^{\mu}_{\mathrm{model}}$ and $|\lambda'^{\mu_s}_{1}\rangle$ live in the finite subspace spanned by $\{|0\rangle, \ldots, |M\rangle\}$, and therefore, the action of $J$ outside this finite subspace is irrelevant as far as the optimisation problem in Eq. (B21) is concerned. As a consequence, we can restrict the optimisation search to operators $J$ that act only on this finite subspace, i.e. Eq. (B21) is actually a finite-dimensional SDP that we can solve numerically.
Combining Eqs. (B19) and (B20), and using the fact that $G_{-}$ is increasing with respect to its first argument, we obtain the bound
$$Y^{Z,w}_{\lambda_1,\mu_s} \ge G_{-}\left(Y'^{Z,w,L}_{\lambda_1,\mu_s}, F^{\mu_s}_{\mathrm{vec},\lambda_1}\right) =: Y^{Z,w,L}_{\lambda_1,\mu_s}. \qquad \text{(B22)}$$
Using Eqs. (B9) and (B22), we finally obtain the bound

2. Upper bound on $e^{\lambda_1,\mu_s}_{\mathrm{ph},w}$
The phase-error rate is given by Eq. (15). We can express each term in the numerator of this equation as where in the second equality we have used Eq. (B1) with the substitutions $\Gamma \to$ where $Q^{(\beta\oplus1)_X}_{\mu,b_{\omega_A},w}$ is the observed rate at which Bob obtains the result $(\beta \oplus 1)_X$ conditioned on Alice choosing intensity $\mu$, basis $\omega_A$ and bit $b$, Bob choosing the X basis, and the round being in $G_w$. This means that an upper bound on $p_{\mathrm{vir}\beta} Y^{(\beta\oplus1)_X}_{\mathrm{vir}\beta}$ can be expressed as the SDP max As before, we need to find a finite-dimensional relaxation of Eq. (B26) that we can solve numerically. Let $L^{\star}_{(\beta\oplus1)_X}$ be the operator that maximises the SDP in Eq. (B26), and let We have that where $|\Psi_Z\rangle$ is defined in Eq. (13). Now, let us define the entangled state and the unnormalised states We have that where the inequality is due to Eq. (B10). Therefore, applying the bound in Eq. (B16), and using the fact that $G_{+}$ is a decreasing function with respect to its second argument, On the other hand, we have that where $\tilde{Y}'^{(\beta\oplus1)_X}_{\mathrm{vir}\beta}$ is the solution to the following SDP max and $L^{**}_{(\beta\oplus1)_X}$ is the operator that maximises this SDP. In Eq. (B34), $\rho'^{\mu}_{\mathrm{model}}$ is given by Eq. (B7), and in the first inequality of Eq. (B34), we have used Eqs. (B8) and (B16). Note that the inequality in Eq. (B33) holds because $L^{*}_{(\beta\oplus1)_X}$ satisfies the constraints of Eq. (B34). Combining Eqs. (B28), (B32) and (B33), and using the fact that $G_{+}$ is increasing with respect to its first argument, we obtain the bound (B36)

Secret-key rate
Putting it all together, a lower bound on the fraction of the $w$-th sifted subkey that can be turned into a secret key is given by where $E^{Z}_{\mu_s,w}$ is the error rate conditioned on Alice choosing the intensity $\mu_s$, both users choosing the Z basis, and the round being in $G_w$; and a lower bound on the secret-key rate obtainable per emitted $w$-group pulse is given by By assuming that $p_{\mu_s}$, $p_{Z_A}$ and $p_{Z_B}$ all approach one, which is optimal when $N \to \infty$, and substituting $q^{L}_{\lambda_1,w}$ by its definition in Eq. (B23), we obtain Eq. (17).
For completeness, we note that the procedure presented above can be used to obtain bounds on $q_{\lambda_n,w}$ and $e^{\lambda_n,\mu_s}_{\mathrm{ph},w}$ for any $n$, not just $n = 1$. In fact, a more general lower bound on the fraction of the $w$-th sifted key that can be turned into a secret key is given by where N denotes the set of values of $n$ for which one obtained bounds on $q_{\lambda_n,w}$ and $e^{\lambda_n,\mu_s}_{\mathrm{ph},w}$. According to our simulations, by obtaining bounds for $n = 0$, one can obtain a small key-rate improvement in some scenarios (particularly, for low attenuations and relative low values of $q$), but we have not found any scenario in which one can obtain a positive key-rate contribution for any $n > 1$. In any case, for simplicity, in our simulations we obtain bounds only for $n = 1$.
Let $\rho$ be a density matrix, and let $\rho' = \frac{\Pi\rho\Pi}{\mathrm{Tr}[\Pi\rho\Pi]}$, where $\Pi$ is a projector. Then, where in the last equality we have used Thus, we have that
Eq. (B9)
Using Theorem 2 in Appendix A of Ref. [26], we have that
Eq. (B10)
Using Theorem 3 in Appendix A of Ref. [26], we find that where $\delta_0 = p'_{\lambda_0|\mu} - p'_{\lambda_1|\mu} - \epsilon^{\mu}_{\mathrm{val}}$ and for $n > 1$,
Eq. (B16)
We use the following result from Ref. [29]. Let $|u\rangle$ and $|v\rangle$ be two pure states, and let $0 \le E \le I$. Then, where This result can be easily extended to mixed states. Let $\sigma$ and $\sigma'$ be any two density matrices acting on some system $S$, and let $|\sigma\rangle_{S'S}$ and $|\sigma'\rangle_{S'S}$ be purifications of these states satisfying which exist due to Uhlmann's theorem [61]. Then, for any $0 \le M \le I_S$, we have that Substituting $|u\rangle \to |\sigma\rangle_{S'S}$, $|v\rangle \to |\sigma'\rangle_{S'S}$ and $E \to I_{S'} \otimes M$ in Eq. (B46), and then using Eqs. (B49) and (B50), we obtain Eq. (B16), i.e.

On the dimension of the SDPs
To input the SDPs in Eqs. (B21) and (B34) into a computer solver, we need to use a matrix representation for the states $\{\rho'^{\mu}_{\mathrm{model}}\}_{\mu}$ and their eigenvectors; for this, we need to choose a particular orthonormal basis in which to express these states, with the natural choice being $\{|0\rangle, \ldots, |M\rangle\}$. First, we find the expression Then, we numerically find the eigenvalues $\{p'_{\lambda_n|\mu}\}_{n}$ and eigenvectors $\{|\lambda'^{\mu}_{n}\rangle\}_{n}$ of $\Pi_M \rho^{\mu}_{\mathrm{model}} \Pi_M$, with the latter expressed in the Fock basis Finally, we renormalise Eq. (B52) to obtain the expression for $\rho'^{\mu}_{\mathrm{model}}$, and substitute everything into the SDPs in Eqs. (B21) and (B34).
Note that, while the SDP in Eq. (B21) does not depend on the encoding operators $\{V_{0_Z}, V_{1_Z}, V_{0_X}, V_{1_X}\}$, the SDP in Eq. (B34) does depend on the form of these operators. Typically, the output space of these operators has a larger dimension than the input space. For example, in our simulations, for simplicity, we assume that these are ideal Z- and X-basis BB84 operators, whose output space consists of two modes of light and whose action in the Fock basis is
2 Note that Eq. (B55) represents ideal Z- and X-basis BB84 operators regardless of the physical degree of freedom used for the encoding.
For time-bin encoding, the first ket would represent, say, the early time bin, and the second ket would represent the late time bin; while for polarization encoding, the first ket would represent, say, the horizontally-polarized mode, and the second ket would represent the vertically-polarized mode. Also, note that it is perhaps more standard to define BB84 encoding operators as unitary, rather than just isometric, by adding an extra input mode initialized in an arbitrary pure state, say $|0\rangle$, such that the ideal operators become $V_{0_Z}|m\rangle|0\rangle = |m\rangle|0\rangle$, $V_{1_Z}|m\rangle|0\rangle = |0\rangle|m\rangle$, and so on. However, defining $\{V_{0_Z}, V_{1_Z}, V_{0_X}, V_{1_X}\}$ as unitary operators with two input and two output modes throughout the manuscript would make many formulas more cumbersome and result in the analysis being less general, since it would no longer cover non-standard encoding operations in which the output encoding space is, say, one or three modes of light, rather than two.
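
The numerical step described above (building the matrix of the projected state in the Fock basis and diagonalising it) can be sketched as follows. This is an added example, not the authors' code: it assumes the model state is the mixture $q\,\rho^{\mu}_{\mathrm{PR}} + (1-q)\,|\sqrt{\mu}\rangle\langle\sqrt{\mu}|$ implied by the coin-flip construction in (E1)-(E2), uses $M = 9$ as in the simulations, a constructed intensity $\mu = 0.5$, and a plain Jacobi eigensolver in place of whatever solver the authors used.

```python
import math

def poisson_weights(mu, M):
    """Photon-number probabilities of a PR-WCP of intensity mu, for n = 0..M."""
    return [math.exp(-mu) * mu ** n / math.factorial(n) for n in range(M + 1)]

def projected_model_state(mu, q, M=9):
    """Matrix of Pi_M rho_model Pi_M in the Fock basis {|0>, ..., |M>}.

    Assumed form: rho_model = q * rho_PR + (1 - q) * |sqrt(mu)><sqrt(mu)|.
    The coherent-state amplitudes <n|sqrt(mu)> are real, so the matrix is
    real symmetric.
    """
    p = poisson_weights(mu, M)
    amp = [math.sqrt(x) for x in p]
    return [[q * p[i] * (i == j) + (1.0 - q) * amp[i] * amp[j]
             for j in range(M + 1)] for i in range(M + 1)]

def jacobi_eigh(A, sweeps=60):
    """Eigenpairs of a real symmetric matrix by cyclic Jacobi rotations.

    Returns (eigenvalue, eigenvector) pairs sorted by decreasing eigenvalue.
    """
    n = len(A)
    A = [row[:] for row in A]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(i + 1, n))
        if off < 1e-30:
            break
        for p in range(n - 1):
            for r in range(p + 1, n):
                if A[p][r] == 0.0:
                    continue
                diff = A[r][r] - A[p][p]
                theta = (math.pi / 4 if diff == 0.0
                         else 0.5 * math.atan(2.0 * A[p][r] / diff))
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):      # A <- A J
                    akp, akr = A[k][p], A[k][r]
                    A[k][p], A[k][r] = c * akp - s * akr, s * akp + c * akr
                for k in range(n):      # A <- J^T A
                    apk, ark = A[p][k], A[r][k]
                    A[p][k], A[r][k] = c * apk - s * ark, s * apk + c * ark
                for k in range(n):      # accumulate eigenvectors: V <- V J
                    vkp, vkr = V[k][p], V[k][r]
                    V[k][p], V[k][r] = c * vkp - s * vkr, s * vkp + c * vkr
    pairs = [(A[j][j], [V[i][j] for i in range(n)]) for j in range(n)]
    return sorted(pairs, key=lambda t: t[0], reverse=True)

def lambda_state(mu, q, n, M=9):
    """Eigenvalue p'_{lambda_n|mu} and overlap |<n|lambda'_n>|^2.

    Labelling eigenpairs by decreasing eigenvalue matches the photon number n
    only when mu < 1 (Poisson weights then decrease with n).
    """
    val, vec = jacobi_eigh(projected_model_state(mu, q, M))[n]
    return val, vec[n] ** 2

if __name__ == "__main__":
    mu = 0.5                                  # constructed sample intensity
    print("Poisson p_1:", poisson_weights(mu, 9)[1])
    for q in (1.0, 0.992407, 0.9, 0.8):
        val, overlap = lambda_state(mu, q, 1)
        print(f"q={q}: p'_lambda1={val:.6f}, |<1|lambda_1>|^2={overlap:.6f}")
```

For $q$ close to 1 the eigenvalue stays near the Poisson weight and the eigenvector near the Fock state $|1\rangle$, and both drift away as $q$ decreases, which is the behaviour the main text describes for $\{|\lambda^{\mu}_{n}\rangle\}_{n}$.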
w-group test data to obtain an upper bound $e^{\lambda_1,\mu_s,U}_{{\rm ph},w}$ on $e^{\lambda_1,\mu_s}_{{\rm ph},w}$, the phase-error rate of the bits for which $n = 1$, such that $\Pr[e^{\lambda_1,\mu_s}_{{\rm ph},w} > e^{\lambda_1,\mu_s,U}_{{\rm ph},w}] \to 0$ as $N \to \infty$. Let $N^w_{\rm sift}$ be the size of the w-th sifted key, and let $q_{\lambda_1,w}$ be the fraction of its bits such that $n = 1$. By assuming that these bits have at most $q_{\lambda_1,w} N^w_{\rm sift} e^{\lambda_1,\mu_s,U}_{{\rm ph},w}$ phase errors, Alice and Bob can define a candidate set of phase-error patterns $T_w$ of size $|T_w| \le 2^{H^w_{\rm ph}}$, where such that $\Pr[x_w \notin T_w] = \Pr[e^{\lambda_1,\mu_s}_{{\rm ph},w} > e^{\lambda_1,\mu_s,U}_{{\rm ph},w}]$ approaches zero as $N \to \infty$. This implies that the w-th subkey is secret if Alice and Bob sacrifice at least $H^w_{\rm ph}$ bits in the privacy amplification step. In the actual protocol, Alice and Bob do not know which bits have a tag $n = 1$, and thus cannot know the value of $q_{\lambda_1,w}$. However, they can find a lower bound $q^L_{\lambda_1,w}$ such that $\Pr[q_{\lambda_1,w} < q^L_{\lambda_1,w}] \to 0$ as $N \to \infty$, and then sacrifice $H^{w,U}_{\rm ph}$ bits in the privacy amplification step, where $H^{w,U}_{\rm ph}$ is computed by substituting $q_{\lambda_1,w}$ by $q^L_{\lambda_1,w}$ in Eq. (C2). The probability that this bound is incorrect just adds to the overall failure probability of the estimation process. Thus, the problem of proving the secrecy of the w-th subkey is reduced to the problem of obtaining the bounds $q^L_{\lambda_1,w}$ and $e^{\lambda_1,\mu_s,U}_{{\rm ph},w}$ using the w-group test data. In Appendix B, we have shown how to obtain these bounds using semidefinite programming techniques.
Note that Alice and Bob can attempt to estimate the phase-error rate for values of $n$ other than $n = 1$. In this case, the users should sacrifice bits, where N is the set of values of $n$ for which Alice and Bob obtain bounds $q^L_{\lambda_n,w}$ and $e^{\lambda_n,\mu_s,U}_{{\rm ph},w}$ on, respectively, $q_{\lambda_n,w}$ and $e^{\lambda_n,\mu_s}_{{\rm ph},w}$. As explained in Appendix B, our semidefinite programming approach can be trivially modified to obtain bounds for any $n$, but in our simulations, for simplicity, we obtain bounds only for $n = 1$.
APPENDIX D: Estimation of q under the assumption $l_c = 1$
Ref. [20] argues that, when using a gain-switched laser, the phase difference $\phi_d$ between two consecutive pulses follows a Gaussian distribution, i.e. its PDF is where the central value $\varphi_d$ can be assumed to be fixed throughout the experiment. The standard deviation $\sigma$, on the other hand, can be estimated by measuring the fringe visibility $V$ of the interference between consecutive pulses using an asymmetric interferometer. In particular, it is shown in Ref. [20] that $V = |\langle e^{i\phi_d}\rangle|$, where This means that $V = \exp(-\sigma^2/2)$, or equivalently In the above description, the phase difference $\phi_d$ follows a Gaussian distribution, and therefore can take any value in $(-\infty, \infty)$. This makes sense from a physical perspective: if we see the phase randomisation as a process that shifts the phase randomly from the central value $\varphi_d$, one can distinguish a shift by $\pi$ rad from a shift by $3\pi$ rad, the former being in principle more likely than the latter. However, note that, from the point of view of Eve, a pulse with a phase $\phi$ is indistinguishable from a pulse with a phase $\phi + 2\pi$, and so on. Thus, from the perspective of the security proof, the conditional PDF $f(\phi_i|\phi_{i-1})$ should be defined for $\phi_i \in [0, 2\pi)$ only, and to compute the probability density on some point $\phi_i$, one should sum the contributions that would fall on $\phi_i \pm 2\pi$, $\phi_i \pm 4\pi$, and so on. Thus, we have that, if the PDF of the physical phase difference between consecutive pulses is given by Eq. (D1), the conditional PDF $f(\phi_i|\phi_{i-1})$ is given by where $f_{\rm WG}$ is the PDF of a wrapped Gaussian distribution.
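The visibility relation and the wrapped Gaussian above, together with the estimate of q for l_c = 1 that the rest of this appendix derives, can be checked numerically. The Python below is an added example, not code from the paper: it assumes q is 2π times the minimum of f(ϕ_i | ϕ_{i−1}, ϕ_{i+1}), written as a ratio of wrapped Gaussians in the two neighbouring phase differences a and b (central value subtracted), and its function names and grid size are illustrative.

```python
import math

TWO_PI = 2.0 * math.pi

def sigma_from_visibility(visibility):
    """Invert V = exp(-sigma^2 / 2) for the Gaussian phase-difference spread."""
    return math.sqrt(-2.0 * math.log(visibility))

def wrapped_gaussian_pdf(x, mu, sigma, wraps=12):
    """Gaussian PDF folded onto [0, 2*pi): sum the mass landing on x, x +/- 2*pi, ..."""
    norm = 1.0 / (sigma * math.sqrt(TWO_PI))
    return norm * sum(
        math.exp(-((x - mu + TWO_PI * k) ** 2) / (2.0 * sigma ** 2))
        for k in range(-wraps, wraps + 1)
    )

def estimate_q(visibility, grid=360):
    """Grid-minimise 2*pi * f(phi_i | phi_{i-1}, phi_{i+1}) for l_c = 1.

    Assumed form (reconstructed from the derivation steps, not quoted):
        f = f_WG(a; 0, s) * f_WG(b; 0, s) / f_WG(a + b; 0, sqrt(2) * s)
    a, b: consecutive phase differences with the central value subtracted,
    so the central value drops out of the minimisation.
    """
    sigma = sigma_from_visibility(visibility)
    step = TWO_PI / grid
    # Tabulate once: the one-step factors and the two-step (sqrt(2)*sigma) density.
    one_step = [wrapped_gaussian_pdf(n * step, 0.0, sigma) for n in range(grid)]
    two_step = [wrapped_gaussian_pdf(n * step, 0.0, math.sqrt(2.0) * sigma)
                for n in range(grid)]
    best = (math.inf, 0.0, 0.0)
    for i in range(grid):
        for j in range(grid):
            density = one_step[i] * one_step[j] / two_step[(i + j) % grid]
            if density < best[0]:
                best = (density, i * step, j * step)
    return TWO_PI * best[0], best[1], best[2]

if __name__ == "__main__":
    V = 0.0019  # fringe visibility quoted from Ref. [21] on this page
    q, a_min, b_min = estimate_q(V)
    print(f"sigma = {sigma_from_visibility(V):.5f}, q = {q:.6f}")
    print(f"minimum at a = {a_min:.4f}, b = {b_min:.4f}")
```

A grid search stands in for the exact minimisation; a visibility closer to 1 (smaller σ) drives the returned q towards 0, which is the regime where phase correlations cost key rate.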
Ref. [20] implicitly assumes that the probability distribution of a given phase depends only on the value of the previous phase, i.e. $l_c = 1$, and the same implicit assumption is made in Ref. [21], indicating that this is believed to be a good approximation for many scenarios. Here, we show that, under this assumption, one can estimate the parameter $q$ needed to apply our security proof, which is defined as see Eq. (2). We have that where in the second to last step we have used $f(\phi_{i+1}|\phi_i, \phi_{i-1}) = f(\phi_{i+1}|\phi_i)$ due to $l_c = 1$, see Eq. (1); and in the last step we have used Eq. (D4). The denominator in Eq. (D6) satisfies where in (1) and (3) we have used $f_{\rm WG}(x; \mu, \sigma) = f_{\rm WG}(x + a; \mu + a, \sigma)$; in (2) we have defined $\phi'_{i-1} = \phi_{i-1} + \varphi_d$ and $\phi''_{i+1} = \phi_{i+1} - \varphi_d$; and in (4) we have used the fact that the convolution between two Gaussian PDFs $f_G(x, \mu_1, \sigma_1)$ and f Substituting Eq. (D7) in Eq. (D6), we have that where we have again used $f_{\rm WG}(x; \mu, \sigma) = f_{\rm WG}(x + a; \mu + a, \sigma)$ and the definition of $\phi'_{i-1}$ and $\phi''_{i+1}$. Finally, our desired parameter $q$ in Eq. (D5) can be expressed as
Ref. [21] has recently reported a fringe visibility of $V = 0.0019$ for a practical decoy-state QKD source run at a repetition rate of 5 GHz. Using this value, from Eq. (D3), we obtain $\sigma = 3.54003$. Substituting this in Eq. (D10) and finding the exact minimum using Mathematica's Minimize function, we obtain $q = 0.992407$. (D11) The minimum occurs when

APPENDIX E: On the security analysis in Refs. [26,57]
The security of decoy-state QKD with imperfect phase randomisation has also been recently investigated by Refs. [26,57]. These works introduced novel and insightful ideas to approach the problem that have been indispensable in the development of our security proof. However, we believe that their overall security analysis contains an important flaw that invalidates its application in the presence of correlations. Here, we summarise the arguments of Refs. [26,57] and point out what we believe to be the problem. We focus on Ref. [26], where the arguments are elaborated on in much more detail.

a. Argument
For simplicity, Ref. [26] considers a laser source that emits $N$ pulses with correlated phases and a fixed intensity $\mu$, whose state is given by One can express the probability distribution as and consider the following bound The argument of Ref. [26] is that, instead of generating $\rho^{\mu}_{\rm laser}$, Alice could have alternatively generated $N$ copies of the following model state and then applied a map $E$ that consists of "N phase shifters that shift the phase of the i-th laser pulse by $\phi_i$ with probability [density] $\frac{f(\phi_i|\phi_1...\phi_{i-1}) - q/2\pi}{1-q}$". In doing so, one obtains "a correlated state from an IID state by applying a map that is correlated; the action of the i-th phase shifter depends on the action of all the (i − 1) phase shifters before it". As a result, we have that Importantly, this implies that, to prove the security, one can assume that Alice generates $\rho^{\mu\,\otimes N}_{\rm model}$ rather than $\rho^{\mu}_{\rm laser}$, since the operation $E$ can be assumed to be part of Eve's attack.

b. Our interpretation of the argument and its problem
Given the phase probability distribution $f(\phi_1 \ldots \phi_N)$, we have that, from the point of view of Eve, these phases could have been selected by Alice using a sequential process: she chooses $\phi_1$ according to the PDF $f(\phi_1)$, she chooses $\phi_2$ according to the conditional PDF $f(\phi_2|\phi_1)$, and so on, as indicated by Eq. (E2). The assumption is that $f(\phi_i|\phi_1 \ldots \phi_{i-1}) \ge q/2\pi$ for some $q$.
Alternatively, Alice could have decided the phase $\phi_i$ using the following equivalent process. She flips a biased coin $C_i$ that outputs $C_i = 0$ with probability $q$. If $C_i = 0$, Alice chooses $\phi^{\rm model}_i$ according to a uniform distribution on $[0, 2\pi)$.
The argument of Ref. [26] seems to be that, since $\phi^{\rm model}_i$ is chosen uniformly randomly with probability $q$, and $\phi^{\rm model}_i = 0$ with probability $1 - q$, the above process is equivalent to assuming that Alice first generates the state given by Eq. (E4) for each of the rounds, and then shifts the phase of the i-th pulse by $\phi^{\rm shift}_i$, according to the conditional PDF in Eq. (E6). The action of the combined phase shifts $\phi^{\rm shift}_1 ... \phi^{\rm shift}_N$ can be represented as an overall global quantum operation $E$, and thus Eq. (E5) holds.
However, we believe this argument has the following flaw. In order to apply the i-th phase shift according to the conditional PDF in Eq. (E6), one needs to know the previous overall phases $\phi_1 ... \phi_{i-1}$. These depend not only on the previous $i - 1$ phase shifts $\phi^{\rm shift}$ cannot be perfectly retrieved from the first $(i - 1)$ copies of this state, since two coherent states with different phases are not orthogonal, and therefore not perfectly distinguishable. This seems to imply that the operation $E$ in Eq. (E5) does not exist in general.
In contrast, the operation $E_w$, which is needed in our security proof, is shown to exist in the main text. Importantly, unlike $E$ in Eq. (E5), Eve only needs to know the probability density function $f(\phi_1 ... \phi_N)$ to apply $E_w$. She does not need to perform any measurement on the signals emitted by Alice.

c. Information about the i-th phase is leaked into the following pulses
In addition to the above, the idea of relating how close the i-th pulse is to a perfect PR-WCP by lower bounding the PDF of the i-th phase conditioned on the previous phases seems to have a fundamental problem. Namely, it does not take into account that, in the presence of phase correlations, information about the i-th phase is leaked into the following pulses. To demonstrate this, we show an example in which, using this idea, one could conclude that half of the emissions are perfect PR-WCPs, when this is clearly not the case. More specifically, as discussed above, the argument of Ref. [26] is that, if for some round $i$ one can obtain a bound then one could substitute the i-th pulse by the generation of the state $\rho^{\mu,(i)}$ followed by a phase shift such that the i-th emitted pulse ends up being identical to that in the original scenario. To prove the security, it is useful to consider that the emitted state is the same for all rounds. Thus, Ref. [26] considers instead the bound $q := \min$ and assumes that all emissions are replaced by the generation of the same IID state given by Eq. (E4) followed by the appropriate phase shift operation for each pulse. Now, let us consider a scenario in which Alice has a special source such that:
1. if $i$ is odd, the emitted pulse has a uniformly distributed phase that is independent of the phases of all previous pulses;
2. if $i$ is even, the emitted pulse has a phase that is identical to that of the previous odd pulse.
For this scenario, we have that: (1) if $i$ is odd, $q_i = 1$ and (2) if $i$ is even, $q_i = 0$. Thus, the replacement in Eqs. (E4) and (E9) cannot be directly used to prove the security of this case, since $q = 0$. However, we could instead consider the security of the odd and even pulses separately. Using the argument in Eqs. (E7) and (E8), we could assume that, in the odd rounds, Alice prepares the PR-WCP $\rho^{\mu,{\rm odd}}_{\rm model} = \rho^{\mu}_{\rm PR}$; (E10) and in the even rounds, she prepares $\rho^{\mu,{\rm even}}_{\rm model} = |\sqrt{\mu}\rangle\langle\sqrt{\mu}|$. Then, we could simply discard all data obtained in the even rounds, and apply the standard decoy-state method to the data obtained in the odd rounds. In doing so, we could conclude that the secret-key rate obtainable using this source would be half of that obtainable using a source that produces perfect PR-WCPs in all rounds.
However, the argument above has a crucial flaw: it does not take into account the fact that information about the phase of a given odd pulse $i$ is leaked into the following even pulse, and that Eve could in principle learn some of this information and use it to attack the i-th pulse. Thus, from Eve's point of view, the i-th pulse is not necessarily a PR-WCP even if its distribution is uniform when conditioned on all the previous (but not following) phases. This invalidates the argument in Eqs. (E7) and (E8), which seems to be at the core of the approach in Ref. [26].
Note that leaked information about the i-th phase is only useful to Eve if she can actually use it to alter the detection statistics of the i-th pulse. To prevent Eve from doing so, one option could be to run the protocol very slowly, such that Alice only emits the (i + 1)-th pulse once Bob has finished his measurement of the i-th pulse. It could be possible that the security bounds derived in Ref. [26] are correct for this scenario. However, if the protocol is run very slowly, one does not expect that it will suffer from phase correlations, since these are mainly a problem in high-speed QKD systems.
(B35) Then, using Eqs. (B22) and (B35), we finally obtain the bound on the phase-error rate of the w-th sifted subkey,