A simple security analysis of phase-matching measurement-device-independent quantum key distribution
Abstract
Variations of phase-matching measurement-device-independent quantum key distribution (PM-MDI QKD) protocols have been investigated before, but it was recently discovered that this type of protocol (under the name of twin-field QKD) can beat the linear scaling of the repeaterless bound on secret key rate capacity. We propose a variation of PM-MDI QKD protocol, which reduces the sifting cost and uses non-phase-randomized coherent states as test states. We provide a security proof in the infinite key limit. Our proof is conceptually simple and gives tight key rates. We obtain an analytical key rate formula for the loss-only scenario, confirming the square root scaling and also showing the loss limit. We simulate the key rate for realistic imperfections and show that PM-MDI QKD can overcome the repeaterless bound with currently available technology.
I Introduction
Quantum key distribution (QKD) Bennett and Brassard (1984); Ekert (1991) protocols enable two distant parties (Alice and Bob) to establish information-theoretically secure private keys using a quantum channel and an authenticated classical channel. There is a wealth of QKD protocols around (see Scarani et al. (2009) for a review). A bottleneck for QKD applications, be it as an individual link or as part of a network, is the scaling of the generated secret key rate with the loss in the channel represented by the single-photon transmissivity . The best known QKD protocols have a scaling of their key rate in the limit of infinite channel uses (infinite key limit) as , and by now we have bounds on repeaterless optical channels which show that this is the optimal rate scaling that can be achieved Takeoka et al. (2014); Pirandola et al. (2017). The tight bound on the performance of QKD in terms of secret key rate per employed optical mode is given by Pirandola et al. (2017), which can be saturated by continuous variable QKD protocols with Gaussian modulated coherent states Grosshans and Grangier (2002); Grosshans et al. (2003); Weedbrook et al. (2004). In principle, inserting intermediate stations performing some operations can improve the performance, and quantum repeaters Briegel et al. (1998) aim at this. The field of quantum repeater research is very active and has made conceptual and practical advances over recent years, but as of today, no quantum repeater has been demonstrated that would outperform the direct use of optical channels and thus break the repeaterless bounds.
While proposals have been made for the simplest possible devices that allow a demonstration of quantum repeater action by beating repeaterless bounds using a simple single node layout Luong et al. (2016), the corresponding quantum advantage has not been experimentally demonstrated yet. In a pleasant surprise to the field, the phase-matching measurement-device-independent protocols (PM-MDI) Tamaki et al. (2012); Ferenczi (2013) were recently shown to beat the repeaterless bound when using suitable test states Lucamarini et al. (2018). This important observation has justifiably created quite an interest in the community. In the original paper Lucamarini et al. (2018), it has been argued that the secret key rate in the infinite key limit indeed scales as , where we keep as the single-photon transmissivity of the total distance, rather than that of a segment. It is interesting to see that an MDI protocol can achieve that performance without the use of any quantum memory or similar advanced components. Remarkably, the only difference to previous MDI QKD protocols that show a scaling of is the change from single-photon signals (or mixture of photon number states) with two-photon interference events at the beamsplitter, to coherent states as signal states and single-photon interference events at the beamsplitter.
So far, the security analyses Ma et al. (2018); Tamaki et al. (2018) of the PM-MDI QKD protocols have been done in a framework based on the quantum error correction inspired approach by Shor-Preskill Shor and Preskill (2000), which was improved by Koashi Koashi (2009). The goal of the present paper is twofold: we propose a variation of the PM-MDI QKD protocol that clearly distinguishes between test states, meant to probe potential eavesdropping activities, and signal states, which are meant to establish secret keys. For this modified protocol we then execute a security analysis which is expected to be tight as it uses the framework by Renner Renner (2005). This framework is known to be flexible in terms of error correction and privacy amplification methods, and is general enough to be adapted to any generic QKD protocol.
We will first analyze the security of the protocol in a setting with infinitely many different test states, similar to the initial discussion of decoy states in weak coherent pulse BB84 protocols Lo et al. (2005). In this setting, we can derive an analytical key rate formula for the scenario where Alice and Bob observe correlations coming from a loss-only scenario. We derive the general framework that also includes the noisy case, for which we then resort to numerical evaluations to demonstrate the stability of the proposed protocol.
This paper is organized as follows. Section II.1 describes our version of the PM-MDI protocol. Section II.2 compares different variations of the PM-MDI protocol. Section III describes the framework for our security proof and procedures for key rate calculation. Section IV simulates the key rates with the loss-only scenario and with realistic experimental imperfections. Section V summarizes our results and provides insights for future work. Some technical details relevant for the key rate calculation are presented in appendices.
II PM-MDI QKD protocols
In this section, we first present an idealized version of PM-MDI QKD in the sense that Alice and Bob use infinitely many coherent states as test states in the protocol, similar to the initial discussion of decoy states in weak coherent pulse BB84 protocols Lo et al. (2005). We will prove its security in this paper. Then, we will compare different variations of PM-MDI QKD protocols. In the next section, when we prove the security of the idealized version of our protocol, we will also provide insights for the security analysis of a practical version of this protocol with a small number of choices of test states.
II.1 Description of our protocol

1. Test/key-generation mode selection. Alice (Bob) chooses a random bit () according to a priori probability distribution (). If , Alice then labels this round as in the key-generation mode. If , Alice labels this round as in the test mode. Similarly for Bob.

2. State preparation. If the test mode is chosen, Alice (Bob) then randomly chooses a phase () and randomly chooses an intensity (). Then she (he) prepares a coherent state ( ) and sends it to the untrusted third party Charlie through the quantum channel.
If the key-generation mode is chosen, Alice (Bob) randomly generates a bit value ( ) with a uniform probability distribution. Alice (Bob) chooses the pre-agreed intensity and sends a coherent state () to Charlie.

3. Measurements. For each round, Charlie performs a joint measurement on the signals received from Alice and Bob, and then makes an announcement about the measurement outcome. If Charlie is honest, he is supposed to perform the measurement as shown in Fig. LABEL:sub@fig:scheme_a and announces one of the following outcomes “Only detector clicks”, “Only detector clicks”, “No detectors click”, “Both detectors click”, which, for the later convenience of notation, we abbreviate as , respectively. We denote Charlie’s announcement as throughout this paper.
After steps 1-3 are repeated many times, and after Charlie has made all the announcements, Alice and Bob then proceed with the following steps.

4. Sifting. Alice and Bob use an authenticated classical channel to communicate and sort all rounds into two disjoint sets, where one set is used for the key generation and the other is for the parameter estimation. To do so, they disclose the choices of and for each round and also use the announcement . If , that is, they both selected the key-generation mode for a given round, and Charlie announced , they save their data corresponding to this round for the key generation. All remaining rounds are used for parameter estimation.

5. Parameter estimation. To perform parameter estimation, Alice and Bob disclose the choices of (also if they have chosen one for that round) for the rounds in the set labeled for parameter estimation and also use the announcement result for each of these rounds to estimate how Eve has interacted with the signals during their exchange in the protocol. If, from their analysis, they find out that Eve has learned too much about the signals and no secret keys can be generated, then they abort the protocol. Otherwise, they continue.

6. Key map. Alice forms a raw key using her bit value from each of the rounds saved for the key generation. (In principle, Bob does not need to do anything in this step since he can correctly determine Alice’s key by the error correction. In practice, depending on the choice of error correction code, it might be convenient for Bob to flip his bit value when the announcement is .)

7. Error correction and privacy amplification. Alice and Bob then apply the procedures of error correction and privacy amplification as in a typical QKD protocol to generate a secret key.
We remark that since this protocol uses an MDI setup, it is inherently immune to all side channels in the measurement devices once its security is proven. However, Alice and Bob’s sources have to be trusted and protected. In our security analysis, we assume that Alice and Bob’s devices are fully characterized and Eve has no access. This assumption needs to be justified in the experimental implementations of the protocol. In particular, we want to remark that the choices of and (also and ) should not be leaked to Eve by side channels before the announcement is made. In the implementation of the protocol, Alice and Bob need to make sure that Eve cannot distinguish the key-generation mode from test mode by any classical side information leaked from their devices before Charlie’s announcement. Just like other MDI QKD protocols, this protocol can be vulnerable to side-channel attacks on the sources.
We also comment on the choices of parameters , . While values of , need to be optimized in the finite-key regime, in the infinite key limit, we can choose and arbitrarily close to 1 so that the sifting factor is asymptotically 1, like the efficient BB84 protocol Lo et al. (2004).
Finally, we remark on the choices of and and their corresponding probability distributions. Since states in the test mode essentially are used to perform a tomography on Eve’s attacks on the subspace of signal states used in the key-generation mode, for the purpose of this paper, we initially use coherent states whose complex amplitudes cover the entire complex space. In the infinite key limit, the probability distribution (with no zeros) does not matter. We will remark on how a finite number of choices of test states can approximately accomplish the same task and the choices of and will then be closely related to the value of .
II.2 Comparison of different variations of PM-MDI QKD protocols
Many variations of the PM-MDI QKD protocol have been proposed and investigated. Different names have been assigned to different variations, such as phase-encoding scheme for MDI Tamaki et al. (2012), MDI-B92 Ferenczi (2013), twin-field QKD (TF-QKD) Lucamarini et al. (2018) and phase-matching QKD (PM-QKD) Ma et al. (2018). However, they all have the essential components needed to achieve the rate scaling of , namely, they all use coherent states as signal states and rely on single-photon interference events at the beamsplitter of an untrusted intermediate node, even though not all variations can indeed achieve this scaling.
We first describe the common features of all those protocols and then discuss how each variation differs in the following two aspects: choices of signal states used for establishing secret keys and choices of test states used to probe Eve’s attacks.
In an ideal PM-MDI QKD protocol, Alice and Bob will only establish keys from the rounds where each of them has selected a state from the set , where can be an arbitrary complex number. In other words, Alice and Bob will only establish keys from the rounds that satisfy the phase-matching condition, that is, they have chosen the same global phase and same intensity for their states. We call two coherent states with only a phase difference a phase-matching pair. In addition, Alice and Bob may decide to send some states as test states to probe eavesdropping activities for randomly selected rounds and those rounds will be used in the parameter estimation step only. Alice and Bob will send their states to an untrusted party Charlie at the intermediate node for measurements. An honest Charlie will use the single-photon interference events at the beamsplitter for his announcement.
Since this type of protocol is measurement-device independent and generates keys when Alice and Bob use the same phase-matching pair of coherent states, phase-matching measurement-device-independent QKD is in our view a more descriptive name that captures important features of this type of protocol.
Now, we compare some variations of PM-MDI QKD. Different variations may use different numbers of phase-matching pairs as signal states and may use different types of states as test states, such as a mixture of photon number states (phase-randomized coherent states), partially phase-randomized coherent states, or coherent states without phase randomization. Some variations may use the same number of phase-matching pairs as signal states, but differ in how to handle them. We present those variations just for the purpose of comparison, and we neither claim this is an exhaustive list nor verify the security analysis of each work.

The variation proposed in Tamaki et al. (2012) is called phase encoding scheme I for MDI. This protocol essentially uses two phase-matching pairs of coherent states. In the original description of the protocol, these two pairs are labeled as two bases, similar to a BB84-type protocol, due to the proof technique adopted. In an abstract description, we can view this protocol as essentially using one phase-matching pair of coherent states as signal states and an additional pair as test states. Due to the proof technique and a limited number of test states, the scaling was not found.

The variation studied in Ferenczi (2013) is called MDI-B92 protocol. Ref. Ferenczi (2013) analyzes different types of measurements for the intermediate node. Under the investigation of unambiguous state discrimination attacks, it basically proposes a variation of PM-MDI protocol with exactly one phase-matching pair of coherent states as the signal states and no test states. Because there are no test states, this protocol is not expected to have the scaling .

The variation proposed in Lucamarini et al. (2018) has the name of TF-QKD protocol. This protocol uses infinitely many phase-matching pairs of coherent states (phase-randomized coherent states) as signal states. In addition, for the purpose of security analysis, each round is assigned to one of two bases to mimic a BB84-type protocol. Instead of achieving the perfect phase-matching conditions, this protocol allows some small errors in identifying whether Alice and Bob have chosen the same phase-matching pair. To distill keys, Alice and Bob disclose some partial information about the global phases. If their global phases only differ by a small amount, they assume they have used the same phase-matching pair. Due to the phase-matching condition, the sifting cost of this protocol can be large, which affects the prefactor of key rate. In this protocol, states used as test states are effectively the same as states used for signal states. These test states are partially phase-randomized coherent states as Eve knows some partial information about the global phase. Ref. Lucamarini et al. (2018) argued that this type of protocol can have the rate scaling.

The variation investigated in Ma et al. (2018) uses the name PM-QKD protocol. Similar to TF-QKD Lucamarini et al. (2018), it also uses infinitely many phase-matching pairs of coherent states as signal states and adopts a similar procedure as Lucamarini et al. (2018) in identifying whether Alice and Bob have chosen the same phase-matching pair for each round. It also uses partially phase-randomized coherent states as test states. The difference from TF-QKD is that there is no assignment of basis choice for each round. The security analysis does not use the standard decoy state methods.

The variation studied in Tamaki et al. (2018) is called TF-QKD protocol. This protocol, similar to the original TF-QKD protocol, uses infinitely many phase-matching pairs as signal states and later postselects on rounds where the global phases are different by less than a small amount. Effectively, by allowing some errors, Alice and Bob assume that they have chosen the same phase-matching pair when the difference in their global phases is small. This protocol also has an assignment of basis choice for each round in order to apply a BB84-type security argument. Different from the original TF-QKD protocol, this protocol uses a mixture of photon number states as test states. The security analysis applies the standard decoy state methods.

The variation proposed in Cui et al. (2018) is also called PM-QKD protocol. It uses exactly one phase-matching pair as signal states and uses a mixture of photon number states as test states.

The variation studied in Curty et al. (2018) is referred to as a TF-QKD type protocol. This variation essentially is the same as in Cui et al. (2018). It uses exactly one phase-matching pair as signal states and uses a mixture of photon number states as test states. These two works differ by the security proof methods.

In this paper, we propose a modified PM-MDI protocol. Our protocol uses exactly one phase-matching pair as signal states and infinitely many different coherent states (without phase randomization) as test states. Our security analysis does not use the standard decoy state method since our test states are not mixtures of photon number states. We rely on the tomographic reconstruction of POVM elements using the coherent states as test states to prove the security.
Finally, we remark on the advantages of different types of test states. Using a mixture of photon number states as test states allows the standard decoy state analysis, which has been investigated and is well understood. In addition, using a small number of decoy states as test states has been investigated in many other protocols and might be readily adapted to some variations of PM-MDI QKD protocol. On the other hand, using coherent states as test states has the potential to give tighter key rates, as we will demonstrate in this paper when using infinitely many coherent states. Also, it does not require phase randomization in the experimental implementations.
III Security proof
To prove the security of a QKD protocol, the ultimate goal is to provide a full security proof following the security definition of QKD Renner (2005); Müller-Quade and Renner (2009) in the framework of universal composability. Currently, there are well-developed techniques to simplify the problem, such as the quantum de Finetti theorem Renner (2005), the so-called postselection technique Christandl et al. (2009), or the entropy accumulation theorem Dupuis et al. (2016); Dupuis and Fawzi (2018). These techniques allow us to prove the security in a two-step procedure. In the first step we prove the security against collective attacks in the infinite key scenario, and in the second step we apply one of the mentioned techniques to extend the analysis to a full security proof against general attacks, including finite size effects. The scope of this paper is to prove the first step, namely the analysis of the collective attack in the infinite key limit. We leave technical details of the extension to the full security for future work.
To prove the security of this protocol against collective attacks, we first apply the source-replacement scheme Curty et al. (2004); Ferenczi and Lütkenhaus (2012) to both Alice and Bob’s sources and convert this protocol to its equivalent entanglement-based protocol. Then we proceed to prove the security of the entanglement-based version by evaluating the secret key generation rate.
III.1 Source-replacement scheme
For the purpose of clarifying notations, let us start with a more abstract view of the protocol. In each round, Alice chooses a state from the set of possible signal states according to a priori probability distribution and similarly, Bob chooses a state from the same set with a priori probability distribution . Then in the source-replacement scheme, Alice and Bob’s sources effectively prepare the following state
(1)  
where the register records the choices of states prepared in the register and similarly the register records the choices of states in the register . We introduce an orthonormal basis for the register system corresponding to states , and an orthonormal basis for the register system corresponding to states . It is crucial that Eve has no access to the registers and . Then, Alice keeps the register and sends the system to Charlie, and similarly, Bob keeps and sends . To learn their choices of states sent to Charlie for each round, Alice performs a local measurement described by a positive-operator-valued measure (POVM) on her register and likewise, Bob applies his POVM to his register .
Importantly, we only apply the source-replacement scheme for the signal states in the key-generation mode since the test states in the test mode are only used to put constraints on how Eve acts in the subspace spanned by signal states. We denote the set of signal states in the key-generation mode as , that is,
(2)  
where each state is a two-mode coherent state coming from both Alice and Bob, and we dropped the subscript for the ease of writing. Since finitely many coherent states are linearly independent, we want to point out that is indeed a basis of .
III.2 Description of Eve’s attack
Since this is an MDI QKD protocol, Eve has full control of both the quantum channels connecting Alice, Bob and the intermediate node Charlie, and the measurement devices at the intermediate node. Since measurement devices are neither characterized nor trusted, Eve is assumed to play the role of Charlie to perform the measurement. Therefore, in the PM-MDI QKD protocol, we can view the protocol in an alternative and equivalent picture, as shown in Fig. LABEL:sub@fig:scheme_b. In order to make an announcement strategy, Eve performs some measurement, which can be described by a POVM , directly on the states from Alice and Bob in the registers and . Moreover, without loss of generality, we can assume that only has four elements since only outcomes are meaningful for Alice and Bob, and all other outcomes are simply discarded in the protocol. (Even though Alice and Bob may only keep outcomes to distill keys, we are allowed to include outcomes for parameter estimation.) We write this POVM as , or abbreviate it as for . The probability of announcing the outcome is for an input state .
From Alice and Bob’s point of view, they can only know the probability of each announcement, not the post-measurement states in Eve’s hand. They can infer what POVM Eve applied from their observed correlations. However, Eve can perform a non-destructive measurement and keep her post-measurement states for further analysis. That is, Eve applies a completely positive trace-preserving (CPTP) map on the input quantum states in the registers and . Her announcement about the measurement outcome is stored in the classical register and she keeps the post-measurement state in the register . Here, we introduce an orthonormal basis for the register , each element of which corresponds to one possible announcement outcome. In general, we can write as follows:
(3) 
where each is a completely positive trace non-increasing map and is an arbitrary linear operator on the systems .
In the Choi-Kraus representation, each can be written as
(4) 
with and the summation going over some index set that depends on . Without loss of generality we can use maps with a single Kraus operator . The reason for this is that the general case of Eqs. (3) and (4) can be represented as a concatenation of two maps, the first one using the case of , followed by a second channel operation that is conditioned on the classical register and uses Kraus operators . To see this we need only to verify two things: (a) the concatenation of both operations gives the general form, and (b) the Kraus operators for each value of define a valid CPTP map. The proof of (a) is trivial, and for (b) we need only to verify that , where is the projector onto the support of and is the corresponding pseudoinverse of . We insert the definition to find
(5)  
Clearly, since the general case can thus be considered as a two-step procedure, where the first step gives rise to the announcement and the second step acts only on Eve’s conditional states, it can only strengthen Eve’s position by not forcing her to do this second step. Without loss of generality, we can thus assume that Eve’s optimal strategy performs only the first step.
Since we assume the sources are protected, Eve cannot access the registers and and cannot modify the states in those registers. Therefore, when Eve directly acts on the state shown in Eq. (1) from the source-replacement scheme, the joint state shared by Alice, Bob and Eve along with the classical register for announcements is as follows:
(6)  
III.3 Key rate evaluation with Devetak-Winter formula
To distill keys from , Alice and Bob perform measurements using POVMs on the register and on the register , respectively. Upon measurements, Alice stores her measurement outcomes in a classical register and Bob stores his in a classical register . Alice then applies a key map that maps her measurement result in the register to a raw key bit in the register . We want to point out that the key map step is necessary, but the key map can be trivial, as it is in this PM-MDI QKD protocol. The key map here is an identity map from the register to the register . Let denote the effective CPTP map that transforms to . In the end, we generate keys from the state , which has the form
(7)  
where is Eve’s conditional state conditioned on Alice holding in the register , Bob having in the register and the central node announcing . Here, is a marginal probability of the joint probability distribution and is a conditional probability.
Under collective attacks, we can evaluate the secret key generation rate using the Devetak-Winter formula Devetak and Winter (2005), which is expressed in terms of a single-copy state shared by Alice, Bob and Eve.
As is typical in the MDI protocols, we can choose to generate keys from each announcement outcome independently as the announcement is available to all parties. We rewrite by defining conditional states of Alice, Bob and Eve conditioned on the announcement outcome as
(8) 
and
We adapt the Devetak-Winter formula to a general case where the error correction is not necessarily performed at the Shannon limit. In that case the number of secret bits that we can distill from the state is , which is defined as
(9) 
where Leak is the amount of information leakage per signal during the error correction step for the rounds corresponding to the announcement outcome , and
(10) 
is the Holevo information, where is the von Neumann entropy. The states and are defined as:
(11)  
In the Shannon limit, we have and thus we recover the original Devetak-Winter formula in Eq. (9). Another important observation is that Leak is directly determined from the experimentally observed correlations.
The total number of secret bits that we can distill from the state , denoted by , is defined as
(12) 
From Eq. (6), we can calculate Eve’s conditional states as
(13) 
where we define
(14) 
Then, by substituting Eq. (13) into Eq. (11), we can calculate the conditional states and , and evaluate in Eq. (10) to obtain in Eq. (9).
From the relation between and shown in Eq. (6), we notice that a full knowledge of gives us a full knowledge of and thus we can determine the key rate using Eq. (12). However, if we cannot uniquely determine , then we cannot uniquely determine . In that case, we have a set of compatible density operators , that is, . Thus, we need to consider the worst-case scenario by taking the minimum of over the set , or equivalently, over the set = .
In this situation, the asymptotic key rate should be expressed as
(15)  
The essential part of the optimization is to optimize the Holevo information by finding all of Eve’s possible conditional states, which are needed to evaluate Eq. (10).
We remark that most of the discussion so far is general to a generic MDI QKD protocol. In the next section, we will adapt this procedure to our specific PM-MDI QKD protocol.
III.4 Determination of Eve’s POVM for PM-MDI QKD
As discussed in the previous sections, knowing Eve’s POVM elements allows us to calculate the key rate, since the minimization in Eq. (15) is now over a set containing only one element. We will now explain how our choice of test states (coherent states with a continuum of complex amplitudes) allows us in principle to determine Eve’s POVM elements.
For simplicity, let us concentrate on the case of testing a measurement device acting on a single mode (rather than the two-mode case of our protocol). Knowing some POVM element is equivalent to being able to predict the probability of the associated outcome for any input state as . We can now use the phase-space formalism of quantum mechanics (see for example Cahill and Glauber (1969a, b)) where we use the P-function representation of so that we have
(16) 
As we see from this equation, knowledge of the function allows the prediction of for all input states for which the P-function of the density matrix exists. So testing the measurement device with all possible coherent states and observing the corresponding probabilities is equivalent to knowing .
Actually, using results from Cahill and Glauber (1969a, b) one can reconstruct the operator explicitly also in cases where the P-function of may not exist. Let us go through the arguments directly for the POVM elements for the outcome in the two-mode case. We adapt the equations (3.4)-(3.6) from Cahill and Glauber (1969b) to our scenario.
By substituting Eq. (3.4) and Eq. (3.6) into Eq. (3.5) from Cahill and Glauber (1969b), we obtain a power series for each as:
(17) 
where and their complex conjugated counterparts are treated as independent variables, and , are the annihilation and creation operators of the two modes. Since is a POVM element and thus has bounded eigenvalues, such series exist and converge Cahill and Glauber (1969a). Using the two-mode test states and the associated observed probabilities thus uniquely determines .
Note that a full description of as shown above is more than what we actually need since we are only interested in how acts on the subspace , which is only a four-dimensional space.
For this, we need to be able to calculate off-diagonal elements of the form . It is an interesting question whether we can estimate these elements well enough with just a small number of coherent states. (The diagonal elements are directly accessible.) We now present a handle for attacking this question.
We first notice that characterizing on is equivalent to the question whether the operator can be approximated to arbitrary precision in the Hilbert-Schmidt norm by the discrete diagonal coherent state representation Mukunda and Sudarshan (1978); Sharma et al. (1981):
(18) 
where we use sets of tensor products of coherent states and complex numbers .
Then, we can write as a sum of observed values as
(19)  
By appropriate choices of , we will be able to get a good approximation by terminating the summation at . From the approximation, we will then determine a set of POVMs compatible with experimental correlations, which is a neighborhood of the POVM that Eve actually performed. When we calculate the key rate in this case, we need to perform the minimization in Eq. (15). In that case, we may apply numerical methods Coles et al. (2016); Winick et al. (accepted, in press, 2018) to perform the desired optimization. If such an approximation makes this set of compatible POVMs small enough, then the key rate with several choices of test states would be close to the key rate with infinite choices of test states. We leave the detailed analysis of the scenario with finite choices of test states to future work.
In Appendix A, we will discuss how to represent in the four-dimensional subspace after knowing for .
IV Simulation
We perform simulations to study the loss scaling of this PM-MDI QKD protocol and also the stability of the protocol.
IV.1 Loss-only scenario
To show that the key rate of this protocol has a scaling of with the single-photon transmissivity between Alice and Bob, we first study the loss-only scenario. We simulate the quantum channel as a lossy channel and we consider the normal situation where Charlie (Eve) performs the measurements so that the observed statistics during the parameter estimation step are compatible with Charlie performing the measurement shown in panel (a) of the protocol scheme figure. That is, we calculate the POVM corresponding to the real setup. Our protocol can verify via test states in the test mode that this is the actual POVM performed by Eve in the loss-only scenario. For the purpose of our presentation, we consider a symmetric setup, that is, Charlie is at an equal distance from Alice and Bob, and the loss in each path is the same. For a total transmissivity between Alice and Bob, each path has a transmissivity .
In this situation, when Alice sends a coherent state and Bob sends a coherent state in the same optical mode, the state becomes after the lossy channel. When Charlie performs the measurement on this state, the probability for each announcement outcome can be calculated as follows:
(20)  
Specifically, the conditional probability of each announcement outcome for each state in the set is summarized in Table 1. From this table, we can directly evaluate the classical mutual information as
(21)  
0  0  
0  0  
0  0  0  0 
Clearly, we cannot distill keys from and announcements. Also, we find since no error correction is needed in this loss-only scenario. Now, we only need to evaluate for and . We first find conditional states and defined in Eq. (13).
As we can notice from Table 1, in the loss-only scenario, whenever Alice and Bob prepare coherent states with a phase difference, Charlie will never announce and whenever they prepare coherent states with the same phase, Charlie will never announce . Because and , each of the states and is a pure state so that .
Therefore, we only need to evaluate and . In this loss-only case,
(22)  
The eigenvalues of are and thus , where is the binary entropy function. Similarly, the eigenvalues of are and thus . Using the definition of in Eq. (14), we obtain
(23)  
Thus, we have . We provide explicit expressions of for this loss-only scenario in Section B.1 of Appendix B, using which the reader can check the result directly.
Finally, we obtain the expression of the secret key generation rate as a function of and the intensity in this loss-only scenario as
(24) 
For small values of , . When we take the optimal value of , which is , then we find , thus confirming the rate scaling of .
In Fig. 2, the blue dashed line is the asymptotic key rate of this loss-only scenario as a function of the transmission distance , where we take and is optimized for each distance . The red solid line is the fundamental repeaterless bound Pirandola et al. (2017). This calculation gives an intuitive understanding of how PM-MDI QKD can beat the repeaterless key rate bound. We see that this PM-MDI QKD protocol beats the repeaterless bound at around km. Our key rate expression in Eq. (24) is tight for the loss-only scenario. Therefore, we expect this is the loss limit for PM-MDI QKD.
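The loss-only comparison above can be checked numerically. The following is an added example, not code from the paper: the closed form in `key_rate` is an assumption reconstructed from the loss-only model of this section (symmetric paths, Eve's conditional states pure, rate equal to click probability times one minus a binary entropy), the bound is the standard -log2(1 - eta) expression, and the 0.2 dB/km fiber attenuation and all function names are assumptions as well.

```python
"""Added example: loss-only PM-MDI QKD key rate vs. the repeaterless bound.
The closed form in key_rate() is an assumption reconstructed from the loss-only
model (symmetric paths, pure conditional states for Eve), not the page's Eq. (24)."""
import math

def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate(eta, mu):
    """Asymptotic loss-only key rate per pulse (assumed closed form)."""
    s = math.sqrt(eta)                     # transmissivity of each half path
    p_click = 1 - math.exp(-2 * mu * s)    # probability of a key-generating announcement
    # Overlap of Eve's two conditional pure states: lost light, then post-click factor
    overlap = math.exp(-4 * mu * (1 - s)) * math.exp(-2 * mu * s)
    return p_click * (1 - h2((1 - overlap) / 2))

def optimize_mu(eta, steps=500, mu_max=0.5):
    """Grid search over the intensity; returns (best rate, best mu)."""
    grid = (mu_max * i / steps for i in range(1, steps + 1))
    return max((key_rate(eta, mu), mu) for mu in grid)

def repeaterless_bound(eta):
    """Repeaterless bound of Pirandola et al. (2017): -log2(1 - eta)."""
    return -math.log2(1 - eta)

def crossover_loss_db(step_db=0.1, max_db=60.0):
    """Smallest total loss (dB) at which the optimized rate exceeds the bound."""
    n = 1
    while n * step_db <= max_db:
        eta = 10 ** (-n * step_db / 10)
        if optimize_mu(eta)[0] > repeaterless_bound(eta):
            return n * step_db
        n += 1
    return None

if __name__ == "__main__":
    for eta in (1e-2, 1e-4, 1e-6):
        rate, mu = optimize_mu(eta)
        print(f"eta={eta:.0e} mu*={mu:.3f} R={rate:.3e} R/sqrt(eta)={rate / math.sqrt(eta):.4f}")
    loss = crossover_loss_db()
    ALPHA_DB_PER_KM = 0.2  # assumed fiber attenuation, not taken from the page
    print(f"crossover at {loss:.1f} dB total loss, about {loss / ALPHA_DB_PER_KM:.0f} km")
```

A ratio R/sqrt(eta) that stays nearly constant as eta shrinks is the numerical signature of the square-root scaling, while the bound falls off linearly in eta.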
IV.2 Realistic Imperfections
It is of practical interest to study how stable this protocol is in noisy scenarios. In particular, we simulate the scenario with realistic imperfections in experimental devices, including the dark counts of detectors, mode mismatch and phase mismatch, detector inefficiency, and error correction inefficiency. In this section, we briefly introduce sources of imperfections and corresponding simulation parameters, then explain the correlations that Alice and Bob would observe in our simulation model, and finally present the results of our key rate calculation. In Section B.2 of Appendix B, we provide more detailed explanations for the physical model of each imperfection.
For the purpose of presentation, we assume that both detectors have the same detector efficiency and the same dark count probability . We remark that the simulation method described in Section B.2 is also applicable to more general situations.
In the ideal implementation of this protocol, Alice and Bob should prepare coherent states in the same optical mode, that is, with the same spectral and temporal profiles and the same polarization, in order to have single-photon interference at the beamsplitter. In reality, since their states may come from different lasers and pass through different optical components before reaching the central node, the modes of their states are not necessarily perfectly matched. Thus, we consider the relative mode mismatch between their states with a simulation parameter . In our simulation, if without any mode mismatch, the state arriving at the central node from Alice and Bob is supposed to be , then with the mode mismatch, the state becomes in the original mode and in a second mode. Both modes enter Charlie’s devices independently.
Another source of imperfection considered in our simulation model is the phase mismatch. In the key-generation mode, Alice and Bob are supposed to prepare states in the set , which are coherent states with the same global phase and with the encoding information in the relative phases. In reality, the global phase is not guaranteed to be the same when states reach the detectors. Therefore, we consider the situation where there is a relative phase mismatch between Alice’s signal state and Bob’s signal state. If without any phase mismatch, the state is supposed to be , then due to the phase mismatch, the state is changed to with a simulation parameter .
Table 2 lists the choice of parameters in our simulation. In particular, we choose the same values for the efficiency of a detector and the dark count probability of a detector as those used in Ref. Ma et al. (2018) for comparison purposes. We also select pessimistic values for the mode mismatch and phase mismatch to demonstrate the feasibility of beating the repeaterless bound with currently available devices.
Detector efficiency  14.5% 
Detector dark count probability  
Mode mismatch ()  5% 
Phase mismatch  
Error correction efficiency  1.15 
We give the expressions for the probability of each announcement outcome given each choice of the input state in terms of the simulation parameters , , , and . We define the total transmissivity as , where is the channel transmission probability between Alice and Bob.
(25)  
where for the simplicity of writing, we have made the following definitions
(26)  
From Eq. (25), it is straightforward to derive the conditional probability of each announcement outcome given the state in . Similar to the loss-only scenario, we also discover that the mutual information is zero for and since the probability of making those announcements is independent of the signal states sent by Alice and Bob in our simulation. Thus, we only generate keys from and outcomes.
We define error rates and given the announcement outcome and , respectively.
(27)  
where we define and .
To take the inefficiency of error correction into consideration, we take the following values for Leak and Leak:
(28)  
where is the efficiency of error correction.
The rest of the task is to find each of and