Almost-tight and versatile security analysis of
measurement-device-independent quantum key distribution
Abstract
Measurement-device-independent quantum key distribution (MDI-QKD) is the only known QKD scheme that can completely overcome the problem of detection side-channel attacks. Yet, despite its practical importance, there is no standard approach towards computing the security of MDI-QKD. Here, we present a simple numerical method that can efficiently compute almost-tight security bounds for any discretely modulated MDI-QKD protocol. To demonstrate the broad utility of our method, we use it to analyze the security of coherent-state MDI-QKD, decoy-state MDI-QKD with leaky sources, and a variant of twin-field QKD called phase-matching QKD. In all of the numerical simulations (using realistic detection models) we find that our method gives significantly higher secret key rates than those obtained with current security proof techniques. Interestingly, we also find that phase-matching QKD using only two coherent test states is enough to overcome the fundamental rate-distance limit of QKD. Taken together, these findings suggest that our security proof method enables a versatile, fast, and possibly optimal approach towards the security validation of practical MDI-QKD systems.
I Introduction
Quantum key distribution (QKD) is an emerging quantum technology that enables the exchange of cryptographic keys in an untrusted network Bennett and Brassard (1984); Ekert (1991). The key feature of the technology is that it is provably secure. More specifically, its security is based solely on the laws of quantum mechanics and not on how powerful the adversary could be. For this reason, secret keys generated by QKD systems can be safely used in any cryptographic application that requires long-term security assurance.
A hugely popular QKD configuration is the prepare-and-measure (P&M) scheme. As its name suggests, P&M-QKD involves the preparation of a quantum state that is randomly drawn from a pre-agreed set of states by the protagonist, whom we call Alice. Then, she will send the prepared state to her distant associate, whom we call Bob, to be measured in a basis that is randomly drawn from a pre-agreed set. Since the eavesdropper, Eve, cannot perfectly discriminate the traversing signals, any attempt to learn their identity will inevitably modify the quantum state itself. Thus, the secrecy of the secret key is guaranteed by quantum theory, and this is the main appeal of QKD.
Despite the rigorous mathematical validation of QKD, present physical implementations of QKD are vulnerable to numerous side-channel attacks. In particular, it was demonstrated that the adversary could exploit the imperfections of single-photon detectors to steal some information about the secret key without introducing noise into the quantum channel Fung et al. (2007); Qi et al. (2007); Zhao et al. (2008); Xu et al. (2010); Lydersen et al. (2010); Gerhardt et al. (2011). Consequently, these demonstrations necessitate the search for a QKD protocol that is robust against detection side-channel attacks: the measurement-device-independent QKD (MDI-QKD) Lo et al. (2012); Braunstein and Pirandola (2012).
The MDI-QKD scheme (see Fig. 1) requires both Alice and Bob to each prepare a quantum state, which, like the P&M scheme, is randomly drawn from a pre-agreed set of states, to be sent to a potentially untrusted node connecting them. Ideally, the node will perform a Bell-state measurement jointly on the prepared states, whose outcome will determine if both Alice and Bob will keep the indices of the prepared quantum states for key distillation. This process is equivalent to a protocol where Alice and Bob each prepare a bipartite entangled state and measure a part of it Bennett et al. (1992) while sending the other to the node for entanglement swapping. Hence, it is as though Alice and Bob are making local measurements on a shared entangled state. Subsequently, Alice and Bob would sample their bit strings to evaluate their security against any potential adversary. Such security analysis is made assuming that Eve has full access and control of the node, and hence, any attack based on imperfect detectors is part of the untrusted quantum channel.
An innovation is only as good as its feasibility and the same applies to QKD protocols. With practicality in mind, MDI-QKD was designed to be implementable with existing hardware. Although the security of MDI-QKD relies mainly on instances when single-photon states are transmitted from Alice and Bob to the node, employing the decoy-state method Lo et al. (2005) gives good security performance using phase-randomized coherent states as signals. Due to its merits, efforts to progress MDI-QKD were made on both theoretical Curty et al. (2014); Tamaki et al. (2012); Coles et al. (2016); Winick et al. (2018); Tamaki et al. (2014); Ma et al. (2012); Xu et al. (2014) and experimental Rubenok et al. (2013); Liu et al. (2013); Da Silva et al. (2013); Tang et al. (2014a, b); Pirandola et al. (2015); Wang et al. (2015); Comandar et al. (2016); Tang et al. (2016); Yin et al. (2016) fronts.
Evolving from the original protocol, MDI-QKD could also be performed with coherent states without phase randomization and hence without the decoy-state method. In this case, Alice and Bob encode the key information in the phases of the coherent states. The modified protocol can be proven secure using the so-called quantum coin method Tamaki et al. (2012), which was based on earlier research in P&M-QKD with imperfect devices Gottesman et al. (2004). However, it is not known if this approach would lead to optimal secret key rates.
Here, we introduce a versatile, fast and almost optimal framework to compute the security of discretely modulated MDI-QKD. This technique is based on the observation that the Gram matrix of Eve’s quantum side information translates to the characterization of Eve’s attack in a compact way. We apply this characterization technique to three different types of MDI-QKD protocols: (1) the original polarization (or time-phase) encoding decoy-state MDI-QKD Lo et al. (2012), (2) phase-encoding MDI-QKD using non-phase-randomized coherent states Tamaki et al. (2012), and (3) a variant of twin-field QKD Lucamarini et al. (2018) called phase-matching MDI-QKD Lin and Lütkenhaus (2018). The proposed proof technique demonstrates significant advantages over the known bounds on secret key rates for all of the considered MDI-QKD protocols.
II Method
In this section, we outline a general security framework that works for any MDI-QKD protocol, provided the encoded states are pure and their inner products are known. In practice, one can characterize the encoded states by performing state tomography and thus their inner products can be easily obtained. Suppose the states that Alice prepares are and those prepared by Bob are where and are the bit values while and are the basis choices of Alice and Bob respectively. We denote the inner product of the code states by . Note that could be complex.
Since the joint input states are pure, we can describe the quantum channel and the untrusted measurement by the central node as a quantum-to-classical map. Such maps can be described by an isometry acting on the input states giving
(1) 
where is the classical announcement made by the central node. For concreteness, we consider the case where , which indicates whether the Bell state measurement is successful or not. The vectors are subnormalized states corresponding to the quantum side information that Eve holds. Now, one can construct a Gram matrix for the adversary’s quantum side information and it is clear that such matrix is positive semidefinite, i.e., .
Moreover, since the channel is described by an isometric transformation, the inner-product information is preserved at the output states as well. More specifically, we have the following constraint on the Gram matrix :
(2) 
Furthermore, other observable constraints such as the bit-error rate and the probability of successful Bell state measurement can be expressed in terms of linear constraints on the Gram matrix. For example, the probability of successful Bell state measurement when Alice and Bob both choose the basis , denoted by , is given by
(3) 
where is the probability of Alice and Bob both choosing the basis and is the joint probability that Alice chooses and Bob chooses . Similarly, the bit-error rate in the basis, denoted by , can be expressed as
(4) 
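The constraints above can be checked on a concrete feasible point. The following added example (not code from the paper) builds Eve's Gram matrix for an honest, loss-only central node with a 50:50 beam splitter and two threshold detectors, then verifies the isometry constraint and reads the observable statistics off the diagonal. The coherent-state phases 0, π (key basis) and π/2, 3π/2 (test basis), the transmittance `eta`, and the announcement names are assumptions made for illustration.

```python
import cmath
import math
from itertools import product

def coh_overlap(a, b):
    """Inner product <a|b> of single-mode coherent states with amplitudes a, b."""
    return cmath.exp(-abs(a) ** 2 / 2 - abs(b) ** 2 / 2 + a.conjugate() * b)

# Assumed code states: amplitude sqrt(mu) with one of four phases.
PHASES = {("key", 0): 0.0, ("key", 1): math.pi,
          ("test", 0): math.pi / 2, ("test", 1): 3 * math.pi / 2}
LABELS = list(PHASES)
ANNOUNCEMENTS = ("c_only", "d_only", "fail")  # hypothetical names for z

def amplitude(label, mu):
    return math.sqrt(mu) * cmath.exp(1j * PHASES[label])

def output_modes(a, b, eta):
    """Honest node: transmittance eta on each arm, then a 50:50 beam splitter.
    Returns (loss mode A, loss mode B, detector mode c, detector mode d)."""
    t, r = math.sqrt(eta), math.sqrt(1 - eta)
    return r * a, r * b, t * (a + b) / math.sqrt(2), t * (a - b) / math.sqrt(2)

def gram_blocks(mu, eta):
    """G[z][p, q] = <e^z_p | e^z_q>, where p and q index (Alice, Bob) state pairs.
    Eve holds the loss modes and the post-measurement detector modes."""
    pairs = list(product(LABELS, LABELS))
    G = {z: {} for z in ANNOUNCEMENTS}
    for p, q in product(pairs, pairs):
        la, lb, c, d = output_modes(amplitude(p[0], mu), amplitude(p[1], mu), eta)
        la2, lb2, c2, d2 = output_modes(amplitude(q[0], mu), amplitude(q[1], mu), eta)
        loss = coh_overlap(la, la2) * coh_overlap(lb, lb2)
        # <g|0><0|g'>: matrix element of the vacuum (no-click) projector.
        vac_c = coh_overlap(c, 0j) * coh_overlap(0j, c2)
        vac_d = coh_overlap(d, 0j) * coh_overlap(0j, d2)
        # Matrix element of the click projector, identity minus vacuum.
        click_c = coh_overlap(c, c2) - vac_c
        click_d = coh_overlap(d, d2) - vac_d
        total = coh_overlap(c, c2) * coh_overlap(d, d2)
        c_only, d_only = click_c * vac_d, vac_c * click_d
        G["c_only"][p, q] = loss * c_only
        G["d_only"][p, q] = loss * d_only
        G["fail"][p, q] = loss * (total - c_only - d_only)
    return pairs, G

def isometry_violation(mu, eta):
    """Largest entry of |sum_z G^z - input Gram matrix|.
    The isometry constraint requires this to vanish."""
    pairs, G = gram_blocks(mu, eta)
    worst = 0.0
    for p, q in product(pairs, pairs):
        inp = (coh_overlap(amplitude(p[0], mu), amplitude(q[0], mu))
               * coh_overlap(amplitude(p[1], mu), amplitude(q[1], mu)))
        out = sum(G[z][p, q] for z in ANNOUNCEMENTS)
        worst = max(worst, abs(out - inp))
    return worst

def cauchy_schwarz_ok(mu, eta, tol=1e-12):
    """Necessary (not sufficient) condition for each block to be PSD."""
    pairs, G = gram_blocks(mu, eta)
    return all(abs(G[z][p, q]) ** 2 <= (G[z][p, p] * G[z][q, q]).real + tol
               for z in ANNOUNCEMENTS for p, q in product(pairs, pairs))

def key_basis_statistics(mu, eta):
    """Success probability and bit-error rate in the key basis, read off the
    diagonal of the Gram matrix. Assumes uniform bits; Bob flips his bit when
    the node announces 'd_only'."""
    pairs, G = gram_blocks(mu, eta)
    succ = err = 0.0
    for a, b in product((0, 1), repeat=2):
        p = (("key", a), ("key", b))
        pc, pd = G["c_only"][p, p].real, G["d_only"][p, p].real
        succ += 0.25 * (pc + pd)
        # After the flip, 'c_only' with unequal bits or 'd_only' with equal
        # bits is an error.
        err += 0.25 * (pc * (a != b) + pd * (a == b))
    return succ, (err / succ if succ else 0.0)

if __name__ == "__main__":
    mu, eta = 0.1, 0.3  # constructed sample values
    print("isometry violation:", isometry_violation(mu, eta))
    print("Cauchy-Schwarz holds:", cauchy_schwarz_ok(mu, eta))
    print("key-basis (success, QBER):", key_basis_statistics(mu, eta))
```

A Gram matrix produced this way is a feasible point of the optimization described later, so it is a useful sanity check for an SDP implementation before handing the constraints to a solver.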
Now, to prove the security of the protocol, we consider a virtual protocol illustrated in Fig. 1. For concreteness, we suppose that Alice and Bob extract secret key from the basis and they use the basis (which is mutually unbiased to ) to estimate Eve’s information. In this virtual protocol, to generate secret key, Alice and Bob first prepare the entangled states
(5) 
where the systems and are qubits. From the point of view of Eve, this is equivalent to the actual protocol since after tracing out systems and , the marginal states are the same as if Alice and Bob prepare the states and randomly based on the random bit and given by their random number generator. Furthermore, Alice and Bob can obtain the random bit and , simply by measuring systems and in the basis.
After the central node successfully performs a Bell state projection, the qubit-qubit system is now entangled due to the entanglement swapping operation. Depending on the outcome of the Bell state measurement , Bob will need to perform a local unitary to rotate the state into the target state. Then, to estimate the side information that Eve has, Alice and Bob can measure the systems and respectively in the basis. This will give Alice and Bob the so-called phase-error rate in their virtual qubit-qubit system. Shor and Preskill Shor and Preskill (2000) proved that, for this type of QKD protocol, the lower bound on the asymptotic secret key rate is given by
(6) 
where is the binary entropy function.
At this point, a few remarks are in order. Firstly, the measurement in the basis when Alice and Bob prepare the entangled states and are counterfactual measurements that are not performed in the actual protocol. The actual test states that Alice and Bob send are and whose virtual analogue is measuring the qubit systems of some other entangled states and in the basis. As such, the phase-error rate is not accessible in the actual protocol. However, Alice and Bob can employ the knowledge of the test states (i.e., the inner-product information), the observed error rate, and the success probability to constrain the virtual protocol phase-error rate, , as we will show later.
Secondly, like the bit-error rate , the phase-error rate is also a linear function of the Gram matrix . The explicit expression of , in general depends on the choice of entangled state that Alice and Bob prepare, the virtual measurements that steer the states, as well as the target state of the qubit pairs shared between Alice and Bob.
With all these in mind, here is the crucial observation. Firstly, the Gram matrix depends on the isometry performed by Eve. Secondly, the constraints on the Gram matrix , imposed by the inner-product information and the observed statistics, are linear. Moreover, one can obtain a lower bound on the secret key rate by obtaining an upper bound on the phase-error rate , which is a linear objective function, allowing us to use semidefinite programming (SDP) techniques to completely characterize Eve’s strategies. This will be explained in more detail in section III.
Lastly, to show that our method gives a tighter lower bound on the key rate as compared to the quantum coin approach, we will analyze MDI-QKD protocols based on coherent states and Trojan horse attacks. These are the scenarios in which the quantum coin approach was used in the literature. The outcomes of the simulation are presented in section IV.
III Characterizing Eve’s strategy using semidefinite programming
SDP is a class of convex optimization problems with a linear objective function over a cone of positive semidefinite matrices Boyd and Vandenberghe (2004). One can think of such an optimization problem as linear programming with linear matrix inequalities as constraints. Just like any other optimization problem, we can define the primal problem and the dual problem of an SDP. If the primal problem is a minimization problem, then its dual would be a maximization problem and vice versa. Furthermore, if the primal problem is a maximization problem, then the weak duality theorem states that the optimal primal value and the optimal dual value satisfy the following relationship
(7) 
and the opposite is true if the primal problem is a minimization problem. When , we say that strong duality holds and it implies that is the optimal solution to the SDP.
Previously, there have been some proof techniques of QKD that are based on SDP Wang et al. (2018); Coles et al. (2016); Winick et al. (2018). One of the appeals of such numerical approaches is that they are highly versatile and can be used to analyze a wide range of QKD protocols without relying on the specific structure of the underlying design. Here we propose another SDP-based technique of analyzing the security of MDI-QKD that is versatile, simple and almost-tight. Importantly, we highlight that our method does not rely on any semidefinite relaxation (such as the one proposed in Ref. Wang et al. (2018)).
Our method exploits the fact that the Gram matrix is both positive semidefinite and linearly constrained. As such, obtaining an upper bound to the phase-error rate is equivalent to solving the dual problem of an SDP. In other words, the solution of the SDP characterizes the optimal attack that Eve can perform on the quantum channel and with the untrusted central node. Thus, the security analysis of any MDI-QKD protocol is equivalent to solving the following SDP
(8)  
where is the basis choice of Alice and Bob and is a linear function of the Gram matrix , which is protocol dependent. In order to obtain a reliable upper bound on , one has to optimize the dual problem of optimization (8).
Furthermore, due to the weak duality theorem, any feasible solution of the dual problem gives a reliable upper bound on the phase-error rate. Moreover, when the strong duality condition holds, our upper bound on the phase-error rate is tight. Remarkably, in practice, the duality gap (the difference between the primal and dual value) is usually very small. Hence, our upper bound on the phase-error rate is almost tight, even when the strong duality condition is not met.
Drawing the connection to the isometry performed by the eavesdropper, since the Gram matrix characterizes , solving the SDP (8) is equivalent to finding the isometry that gives Eve the maximum knowledge about the bits that Alice and Bob possess, considering the statistics that Alice and Bob observe. Lastly, we remark that SDPs can be efficiently solved with standard solvers that are readily accessible. Therefore, our method can be implemented easily even with personal computers (which is the case for the simulations presented in this work).
IV Examples
In this section, we apply our technique to coherent state based protocols, namely the phase-encoding coherent state MDI-QKD Tamaki et al. (2012) and a variant of the recently proposed twin-field QKD (TF-QKD) protocol Lucamarini et al. (2018), as well as the decoy-state protocols Lo et al. (2012) with Trojan horse attacks. We also analyze these protocols with the quantum coin method and show that our technique achieves significantly higher secret key rate. For simplicity, we assume that the central node is equidistant to Alice and Bob. Consequently, we can also assume that the set of states that Alice prepares is the same as that of Bob. Although these assumptions are not necessary for our method to work, they will simplify the calculations greatly.
For the simulations of phase-encoding coherent state MDI-QKD as well as the decoy-state MDI-QKD, the parameters that we use are listed in Table 1. Parameter 2 will also be used for the simulation of TF-QKD.
(dB/km)  

Parameter 1  14.5%  0.20  1.5%  
Parameter 2  85%  0.20  1.5% 
IV.1 Phase-encoding coherent state MDI-QKD
We first analyze the phase-encoding coherent state MDI-QKD protocols. With a simpler architecture and fewer components and their related flaws, this class of MDI-QKD protocols can, in principle, provide economic and high-speed QKD systems. However, they have not been implemented experimentally due to other technical challenges such as phase-locking two independent lasers at a distance. Furthermore, based on the quantum coin approach, the secret key rate achieved by these protocols is not favorable. However, the interest in coherent state MDI-QKD protocols has been revived recently due to the introduction of twin-field QKD (TF-QKD) protocols, also known as phase-matching MDI-QKD Lucamarini et al. (2018); Ma et al. (2018a); Tamaki et al. (2018); Cui et al. (2018); Curty et al. (2018); Lin and Lütkenhaus (2018). Remarkably, TF-QKD enables the distribution of secret key with a rate that overcomes the so-called repeaterless bound Takeoka et al. (2014); Pirandola et al. (2017) due to single-photon interference. As such, we foresee that there will be endeavours in implementing phase-locking techniques in QKD systems in the near future. Furthermore, as we shall see, we can prove that the secret key rate of coherent state protocols can be significantly improved using our method. Interestingly, as we demonstrate later, the secret key rate of phase-encoding coherent state protocols can even be higher than that of standard decoy-state MDI-QKD protocols at short distances. Therefore, it will be interesting to study this class of protocols.
In Ref. Tamaki et al. (2012), Alice and Bob prepare the states where is the mean photon number of the coherent states. They use the basis to generate key and the basis for parameter estimation. On the other hand, the untrusted central node will announce depending on whether the outcome of Bell state measurement is , or unsuccessful respectively. Furthermore, to improve the efficiency of the protocol, whenever the central node announces , Bob will flip the value of his bit.
We note that in Bell state measurements of coherent states, the outcome cannot be distinguished from the outcome and similarly, the outcome cannot be distinguished from the outcome as mentioned in Ref. Tamaki et al. (2012). Consequently, there will be intrinsic phase-error rate even if the bit-error rate is zero. However, the probability of obtaining and is higher than the probability of obtaining and respectively when the intensity of the coherent states is small (which is typically the case for QKD). Hence, we choose to label the conclusive outcomes as and .
Here, we generalize the protocol to allow Alice and Bob to choose from possible bases. Thus, the protocol proposed in Ref. Tamaki et al. (2012) corresponds to the case where . The case where is known in the literature as the MDI-B92 protocol and was studied in Ref. Ferenczi (2013). In this section, we will also study the case where .
For the generalized protocol, Alice and Bob independently prepare one of the states of the form
(9) 
where is her (his) bit value, and with as her (his) choice of basis.
In the following simulations, for each given distance, we choose the value of the mean photon number that maximizes the lower bound on the secret key rate. The result of the simulation is shown in Fig. 2.
Surprisingly, the three-basis protocol does not give noticeable improvement from the two-basis protocol in terms of the lower bound on the secret key rate. The intuition behind this is that one can estimate the statistics of the 4 test states in the three-basis protocol with the 2 test states in the two-basis protocol when we require all the intensities of the code states to be the same. Interestingly, when we remove that constraint, increasing the number of test states can give significant improvement in the secret key rate, as we shall see when we discuss TF-QKD later.
To compare our method with the quantum coin method, we consider the two-basis protocol. Additionally, we will also evaluate the performance of the two techniques when Eve performs a Trojan horse attack on the sources of Alice and Bob. For the model of the Trojan horse attack, we extend the model proposed by Ref. Lucamarini et al. (2015). The authors of Ref. Lucamarini et al. (2015) consider a Trojan horse attack on prepare-and-measure QKD but it is rather straightforward to extend the model to MDI-QKD where Eve attacks both Alice’s and Bob’s sources. In the presence of a Trojan horse attack, the output of Alice’s source can be written as
(10) 
where is the intensity of the leaked light. Here, for simplicity of notation, we replace the pair with a single index. We assume that the Trojan horse system is only accessible to Eve and the probability of successful Bell state measurement is not affected by the Trojan horse attack. The output of Bob’s source is modeled similarly. The results of the simulations are shown in Fig. 3.
As we can see from the figure, our method gives a tighter bound on the secret key rate than the quantum coin method. This is because the inequality that was used in the quantum coin approach is, in general, not tight. On the contrary, our SDP gives an almost tight approximation of the phase-error rate, owing to the small duality gap. Furthermore, our method is also more robust against the Trojan horse attack. This is because for a given distance, our method predicts higher optimal intensity than the one predicted by the quantum coin method. As a result, the ratio of the intensity of the signal states to the intensity of the leaked light is higher when computed with our method. Remarkably, even in the absence of Trojan horse attack (when ), our method gives a significantly higher lower bound on the secret key rate.
IV.2 Decoy-state MDI-QKD with Trojan horse attacks
We now consider the decoy-state MDI-QKD protocol Lo et al. (2012). For concreteness, we consider the time-phase encoding but our results can be transferred to other encoding schemes such as the polarization encoding. Combined with the measurement-device-independent architecture which protects us against any detector side-channel attacks, the decoy-state method prevents a certain side-channel attack on the sources of Alice and Bob, namely the photon-number-splitting attack Lütkenhaus and Jahma (2002). Nevertheless, decoy-state MDI-QKD is still vulnerable to other attacks on the sources. One possible attack that Eve can perform with current technology is the Trojan horse attack. As such, it would be interesting to study how decoy-state MDI-QKD protocols fare when subjected to practical Trojan horse attacks.
For simplicity, we follow Ref. Lucamarini et al. (2015)’s assumption that the Trojan horse attack does not affect the decoy-state implementation but only leaks the information about which of the signal states are being prepared by Alice and Bob. However, we note that our method can also be applied when the Trojan horse leaks the information of the decoy setting as discussed in Ref. Tamaki et al. (2016). Such technical extension is out of the scope of this paper and will be left for future work.
To apply our technique to decoy-state MDI-QKD, we first estimate the single-photon yield as well as the single-photon quantum bit-error rate (QBER) where denotes the basis choice of Alice and Bob. Then, we can apply our method to estimate the single-photon phase-error rate and hence, the secret key rate. In the absence of Trojan horse attack, the single-photon phase-error rate is simply the single-photon QBER in the basis, . Nevertheless, when Eve performs a Trojan horse attack, the single-photon phase-error rate is no longer measured by Alice and Bob and can only be estimated using techniques like the quantum coin method or our proposed method. Here, we show that our method gives a tighter estimation of the single-photon phase-error rate than the quantum coin method.
Following the model of Ref. Lucamarini et al. (2015), Alice’s singlephoton signals when affected by the Trojan horse attack can be written as
(11) 
where is the canonical basis and , and is the vacuum state. Bob’s singlephoton signals can be written down in similar fashion.
For the simulation, suppose that two decoy states are used alongside the signal state. At the end of the protocol, Alice and Bob will have an estimate of the total gain and the total QBER where are the intensity setting of Alice and Bob respectively. To simulate the statistics observed in the experiment, we follow Ref. Ma and Razavi (2012)’s model for the total gain and total QBER. Then, we use the Gaussian elimination method to estimate the single-photon yield and QBER. Assuming that , the lower bound on the single-photon yield and the upper bound on the single-photon QBER are given in Ref. Xu et al. (2014). Other methods such as linear programming will yield similar results.
After we obtain and , it is straightforward to apply our method or the quantum coin argument to lower bound the single-photon phase-error rate . For decoy-state protocols, the lower bound on the asymptotic secret key rate is given by
(12) 
where is the single-photon gain in the basis.
Furthermore, we assume that Alice’s and Bob’s intensity modulators that choose the decoy settings have finite extinction ratio such that the intensity of the second decoy state cannot be set to zero. In this case, we assume that the intensity of the second decoy state is 1000 times smaller than that of the signal, i.e. . Thus, for each point, the remaining free parameters in the optimization are the signal intensity and the first decoy-state intensity . The result of the simulation is given in Fig. 4.
Referring to Fig. 4, we again see an improvement in the lower bound on the secret key rate compared to the secret key rate obtained from the quantum coin technique. This confirms that our technique is able to give tighter secret key rate as compared to the quantum coin approach.
Although it is not an entirely fair comparison, one might be interested to compare the two protocols that we have analyzed. Fig. 5 gives the superimposed plot of the key rate of the two protocols. When there are no leakages, as one would probably guess, the decoy-state protocol has a longer range than the coherent state protocol. However, rather surprisingly, we find that at short distances, the coherent state protocol gives a higher lower bound on the secret key rate than the decoy-state protocol.
A closer inspection reveals that for short distances, the coherent state protocol has significantly higher probability for successful Bell state measurement as compared to the single-photon gain of the decoy-state protocol. This is possible because the coherent state protocols rely on single-photon interference whereas decoy-state protocols are based on two-photon interference. Therefore, despite having higher phase-error rate, the coherent state protocol can give higher secret key rate than the decoy-state protocol at short distances. Nevertheless, at long distances, the fact that coherent state protocols have higher phase-error rate dominates and decoy-state protocols yield higher secret key rate in that regime. Drawing another connection to TF-QKD, single-photon interference is also an important feature of TF-QKD.
Interestingly, the coherent state protocols are more robust against Trojan horse attacks in the sense that the range of coherent state protocols suffers less penalty from Trojan horse attacks as compared to the range of decoy-state protocols. We also note that since we neglect the effect of leakages on the decoy-state implementation in the security analysis, the performance of the decoy-state protocol would suffer even more when we consider leakages in the intensity settings .
IV.3 Phase-matching MDI-QKD with finite number of test states
To demonstrate the versatility of our method, we will analyze a variant of the recently proposed twin-field QKD (TF-QKD) protocol called the phase-matching MDI-QKD Lin and Lütkenhaus (2018). As mentioned previously, there is a growing interest in TF-QKD. Indeed, after the original proposal of TF-QKD protocol Lucamarini et al. (2018), other variants of the protocol have been proposed alongside with their respective security analyses Ma et al. (2018a); Lin and Lütkenhaus (2018); Tamaki et al. (2018); Curty et al. (2018); Cui et al. (2018). Remarkably, TF-QKD protocols are able to overcome the repeaterless bounds Takeoka et al. (2014); Pirandola et al. (2017). However, many variants of the TF-QKD protocols (including the original proposal Lucamarini et al. (2018)) require phase-randomization of two independent phase-locked lasers with the notable exception of Ref. Lin and Lütkenhaus (2018). There, the protocol uses non-phase-randomized coherent states which form phase-matching pairs. However, the results presented in Ref. Lin and Lütkenhaus (2018) require Alice and Bob to send infinitely many coherent states, leaving the practical case where a finite number of test states is used as an open problem. Here, we show that a finite number of test states is indeed enough to overcome the repeaterless bound.
Remarkably, one can see phase-matching MDI-QKD as a generalization of the phase-encoding MDI-QKD that we have considered earlier in Section IV.1. There, we assumed that the signal and test states share the same intensity. Here, we vary the intensity of different phase-matching pairs. More explicitly, in this protocol, Alice prepares states of the form
(13) 
where are defined in similar way as in the phase-encoding MDI-QKD protocol and now the intensity of the coherent state depends on which basis Alice and Bob choose. By optimizing the intensity of each phase-matching pair, we show that we can overcome the repeaterless bound.
For comparison with the Ref. Lin and Lütkenhaus (2018)’s result as well as the repeaterless bound, we will show the ideal performance of our protocol, i.e. when there are no dark counts or misalignment errors. For the repeaterless bound, we choose the secret key capacity given in Ref. Pirandola et al. (2017), also known as the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound
(14) 
where is the total transmittivity of the quantum channel. On the other hand, Ref. Lin and Lütkenhaus (2018) proved that the secret key rate obtained when infinitely many test states are used in the loss-only scenario, denoted by , is given by
(15) 
Lastly, it will also be interesting to see how the protocol fares in the presence of imperfections such as dark counts and misalignment errors. To that end, we will also use Parameter 2 of Table 1 in our simulation. Furthermore, for fair comparison with PLOB bound, we plot the key rate against total loss (in dB), which includes the loss in the detector, instead of treating the loss in the fiber and in the detector separately. The plots of the key rate for the ideal and imperfect scenario as well as the PLOB and the key rate for the ideal infinite test states scenario are given in Fig. 6. Remarkably, two test states are sufficient to overcome the PLOB bound in the ideal scenario whereas in the noisy scenario, four test states are sufficient to overcome the PLOB bound. Furthermore, we emphasize that in our simulation, we use the states with the structure given by equation (13) and optimize (using a coarse-grained exhaustive search) the intensity of each test state. We leave the question of whether optimizing the global phases can significantly increase the secret key rate as an open problem.
V Conclusion
To conclude, we have developed a new numerical technique to analyze the security of MDI-QKD protocols. This is done by employing SDP to obtain an almost-tight upper bound on the phase-error rate, hence the significant improvement in the distilled secret key rate compared to the quantum coin method. Additionally, our method also reveals that phase-encoding coherent state MDI-QKD might outperform decoy-state MDI-QKD at short distances. Furthermore, our method is highly efficient and can be applied to any protocols with discretely modulated, pure, input states including continuous-variable MDI-QKD protocols with discrete modulation Ma et al. (2018b). Due to the versatility of our technique, it can also be applied to MDI-QKD protocols which lack symmetry. For example, by applying our method to phase-matching MDI-QKD protocol, we also showed that the repeaterless bound can be overcome with only a few test states. It is also interesting to extend the results presented in this paper to allow mixed input states and to MDI-QKD networks where we have multiple transmitters as well as to include finite-key analysis.
Acknowledgements
This research is supported by the National Research Foundation (Singapore), the Ministry of Education (Singapore), the National University of Singapore, and the Asian Office of Aerospace Research and Development.
References
Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proc. of IEEE Int. Conf. on Comp., Syst. and Signal Proc., Bangalore, India, Dec. 10-12, 1984 (1984).
Ekert (1991) A. K. Ekert, Physical Review Letters 67, 661 (1991).
Fung et al. (2007) C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, Physical Review A 75, 032314 (2007).
Qi et al. (2007) B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quantum Information and Computation 7, 073 (2007).
Zhao et al. (2008) Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, Physical Review A 78, 042333 (2008).
Xu et al. (2010) F. Xu, B. Qi, and H.-K. Lo, New Journal of Physics 12, 113026 (2010).
Lydersen et al. (2010) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature Photonics 4, 686 (2010).
Gerhardt et al. (2011) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Nature Communications 2, 349 (2011).
Lo et al. (2012) H.-K. Lo, M. Curty, and B. Qi, Physical Review Letters 108, 130503 (2012).
Braunstein and Pirandola (2012) S. L. Braunstein and S. Pirandola, Physical Review Letters 108, 130502 (2012).
Bennett et al. (1992) C. H. Bennett, G. Brassard, and N. D. Mermin, Physical Review Letters 68, 557 (1992).
Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Physical Review Letters 94, 230504 (2005).
Curty et al. (2014) M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, Nature Communications 5, 3732 (2014).
Tamaki et al. (2012) K. Tamaki, H.-K. Lo, C.-H. F. Fung, and B. Qi, Physical Review A 85, 042307 (2012).
Coles et al. (2016) P. J. Coles, E. M. Metodiev, and N. Lütkenhaus, Nature Communications 7, 11712 (2016).
Winick et al. (2018) A. Winick, N. Lütkenhaus, and P. J. Coles, Quantum 2, 77 (2018).
Tamaki et al. (2014) K. Tamaki, M. Curty, G. Kato, H.-K. Lo, and K. Azuma, Physical Review A 90, 052314 (2014).
Ma et al. (2012) X. Ma, C.-H. F. Fung, and M. Razavi, Physical Review A 86, 052305 (2012).
Xu et al. (2014) F. Xu, H. Xu, and H.-K. Lo, Physical Review A 89, 052333 (2014).
Rubenok et al. (2013) A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez, and W. Tittel, Physical Review Letters 111, 130501 (2013).
Liu et al. (2013) Y. Liu, T.-Y. Chen, L.-J. Wang, H. Liang, G.-L. Shentu, J. Wang, K. Cui, H.-L. Yin, N.-L. Liu, L. Li, X. Ma, J. S. Pelc, M. M. Fejer, C.-Z. Peng, Q. Zhang, and J.-W. Pan, Physical Review Letters 111, 130502 (2013).
Da Silva et al. (2013) T. F. Da Silva, D. Vitoreti, G. Xavier, G. Do Amaral, G. Temporao, and J. Von Der Weid, Physical Review A 88, 052303 (2013).
Tang et al. (2014a) Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-T. Chen, Q. Zhang, and J.-W. Pan, Physical Review Letters 113, 190501 (2014a).
Tang et al. (2014b) Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian, and H.-K. Lo, Physical Review Letters 112, 190503 (2014b).
Pirandola et al. (2015) S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, Nature Photonics 9, 397 (2015).
Wang et al. (2015) C. Wang, X.-T. Song, Z.-Q. Yin, S. Wang, W. Chen, C.-M. Zhang, G.-C. Guo, and Z.-F. Han, Physical Review Letters 115, 160502 (2015).
Comandar et al. (2016) L. Comandar, M. Lucamarini, B. Fröhlich, J. Dynes, A. Sharpe, S.-B. Tam, Z. Yuan, R. V. Penty, and A. Shields, Nature Photonics 10, 312 (2016).
Tang et al. (2016) Y.-L. Tang, H.-L. Yin, Q. Zhao, H. Liu, X.-X. Sun, M.-Q. Huang, W.-J. Zhang, S.-J. Chen, L. Zhang, L.-X. You, Z. Wang, Y. Liu, C.-Y. Lu, M. X. Jiang, Xiao, Q. Zhang, T.-Y. Chen, and J.-W. Pan, Physical Review X 6, 011024 (2016).
Yin et al. (2016) H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, H. Zhang, WeiJun Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, Physical Review Letters 117, 190501 (2016).
Gottesman et al. (2004) D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Quantum Information & Computation 4, 325 (2004).
Lucamarini et al. (2018) M. Lucamarini, Z. Yuan, J. Dynes, and A. Shields, Nature 557, 400 (2018).
Lin and Lütkenhaus (2018) J. Lin and N. Lütkenhaus, Physical Review A 98, 042332 (2018).
Shor and Preskill (2000) P. W. Shor and J. Preskill, Physical Review Letters 85, 441 (2000).
Boyd and Vandenberghe (2004) S. Boyd and L. Vandenberghe, Convex Optimization (Cambridge University Press, 2004).
Wang et al. (2018) Y. Wang, I. W. Primaatmaja, A. Varvitsiotis, and C. C. W. Lim, arXiv preprint arXiv:1803.04796 (2018).
Ma et al. (2018a) X. Ma, P. Zeng, and H. Zhou, Physical Review X 8, 031043 (2018a).
Tamaki et al. (2018) K. Tamaki, H.-K. Lo, W. Wang, and M. Lucamarini, arXiv preprint arXiv:1805.05511 (2018).
Cui et al. (2018) C. Cui, Z.-Q. Yin, R. Wang, W. Chen, S. Wang, G.-C. Guo, and Z.-F. Han, arXiv preprint arXiv:1807.02334 (2018).
Curty et al. (2018) M. Curty, K. Azuma, and H.-K. Lo, arXiv preprint arXiv:1807.07667 (2018).
Takeoka et al. (2014) M. Takeoka, S. Guha, and M. M. Wilde, Nature Communications 5, 5235 (2014).
Pirandola et al. (2017) S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Nature Communications 8, 15043 (2017).
Ferenczi (2013) A. Ferenczi, Security proof methods for quantum key distribution protocols, Ph.D. thesis, University of Waterloo (2013).
Lucamarini et al. (2015) M. Lucamarini, I. Choi, M. B. Ward, J. F. Dynes, Z. Yuan, and A. J. Shields, Physical Review X 5, 031030 (2015).
Lütkenhaus and Jahma (2002) N. Lütkenhaus and M. Jahma, New Journal of Physics 4, 44 (2002).
Tamaki et al. (2016) K. Tamaki, M. Curty, and M. Lucamarini, New Journal of Physics 18, 065008 (2016).
Ma and Razavi (2012) X. Ma and M. Razavi, Physical Review A 86, 062319 (2012).
Ma et al. (2018b) H.-X. Ma, P. Huang, D.-Y. Bai, T. Wang, S.-Y. Wang, W.-S. Bao, and G.-H. Zeng, arXiv preprint arXiv:1812.05254 (2018b).
Appendix A The phase-error rate of phase-encoding coherent state MDI-QKD
In the main text, we give a general framework to obtain the expression for the phase-error rate for any MDI-QKD protocol. Here, we illustrate how this can be done. As a concrete example, we consider the phase-encoding coherent state MDI-QKD. In the virtual protocol, let the entangled states that Alice and Bob prepare for the key basis be denoted by
(16) 
It is easy to see that measuring the qubit systems in the basis is equivalent to sending the states randomly. Now, the quantum channel is an isometry that maps the system to where the register stores Eve’s quantum side information and the classical register stores the result of the Bell state measurement. The states are associated to the respective Bell states, whereas the state is associated to the case where the Bell state measurement fails to give a conclusive outcome. After the isometry, the global state is given by
(17) 
Postselecting on the successful Bell state measurements,
(18) 
Let the target state be . Conditioned on the outcome of the Bell state measurement, Bob applies the following correction on his qubit:

: apply

: apply
where is the identity operator and are the usual Pauli operators. After the corrections, the global state becomes
(19) 
Since the target state is the state and the key is extracted by Alice and Bob by performing measurement on each of their qubits, the phase-error rate can be computed by using
(20) 
where is simply
(21) 
and therefore, we have
(22) 
Thus, we obtain the phase-error rate of the phase-encoding coherent state MDI-QKD protocol. The phase-error rate of other protocols can be obtained through a similar procedure.