Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

Xiao-Lei Jiang; Yang Wang; Yi-Fei Lu; Jia-Ji Li; Chun Zhou; Wan-Su Bao

doi:10.3390/e24101339

Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

Jiang, Xiao-Lei;Wang, Yang;Lu, Yi-Fei;Li, Jia-Ji;Zhou, Chun;Bao, Wan-Su 2022-09-23 00:00:00 entropy Article Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness 1,2 1,2,3, 1,2 1,2 1,2 1,2, Xiao-Lei Jiang , Yang Wang * , Yi-Fei Lu , Jia-Ji Li , Chun Zhou and Wan-Su Bao * Henan Key Laboratory of Quantum Information and Cryptography, SSF IEU, Zhengzhou 450001, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China National Laboratory of Solid State Microstructures, School of Physics and Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China * Correspondence: wy@qiclab.cn (Y.W.); bws@qiclab.cn (W.-S.B.) Abstract: Sending-or-not sending twin-ﬁeld quantum key distribution (SNS TF-QKD) has the advan- tage of tolerating large amounts of misalignment errors, and its key rate can exceed the linear bound of repeaterless quantum key distribution. However, the weak randomness in a practical QKD system may lower the secret key rate and limit its achievable communication distance, thus compromising its performance. In this paper, we analyze the effects of the weak randomness on the SNS TF-QKD. The numerical simulation shows that SNS TF-QKD can still have an excellent performance under the weak random condition: the secret key rate can exceed the PLOB boundary and achieve long transmission distances. Furthermore, our simulation results also show that SNS TF-QKD is more robust to the weak randomness loopholes than the BB84 protocol and the measurement-device-independent QKD (MDI-QKD). Our results emphasize that keeping the randomness of the states is signiﬁcant to the protection of state preparation devices. Citation: Jiang, X.-L.; Wang, Y.; Lu, Y.-F.; Li, J.-J.; Zhou, C.; Bao, W.-S. Security Analysis of Sending or Keywords: twin-ﬁeld quantum key distribution; weak randomness; asymptotic cases; ﬁnite-key Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness. Entropy 2022, 24, 1339. https://doi.org/10.3390/ 1. Introduction e24101339 Quantum key distribution (QKD) has been widely proved to have information- Academic Editors: Leong Chuan theoretical security, which is guaranteed by the laws of physics between two authorized Kwek, Xiang-Bin Wang and users, Alice and Bob [1,2]. However, it is well known that the imperfections of practical Cong Jiang devices will compensate the security of the generated key. In fact, some quantum attacks have been discovered and demonstrated by exploiting these imperfections of practical Received: 28 August 2022 devices. An eavesdropper (Eve) could take advantage of any imperfections in practi- Accepted: 20 September 2022 cal system to collect secret information without being discovered, with methods such as Published: 23 September 2022 wavelength attack [3], the detector control attack [4,5], and the Trojan horse attack [6,7]. Publisher’s Note: MDPI stays neutral Therefore, researchers have to propose corresponding countermeasures to deal with these with regard to jurisdictional claims in security threats. published maps and institutional afﬁl- In order to remove side-channel attacks at detection, Lo et al. proposed [8] the iations. measurement-device-independent QKD (MDI-QKD) protocol, while the key rate of the MDI-QKD cannot be better than the linear scale of the channel transmittance. Fortunately, the twin-ﬁeld QKD (TF-QKD) [9] and the asynchronous MDI-QKD [10] were proposed and improved the key rate to the square root of the channel transmittance. The key rate Copyright: © 2022 by the authors. of them performs R O h (where h is the channel transmittance) and it can exceed the Licensee MDPI, Basel, Switzerland. Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound [11]. But the later announcement This article is an open access article of the phase information in the original TF-QKD [9] may cause security loopholes [12], distributed under the terms and conditions of the Creative Commons so many variants of TF-QKD have been proposed [12–15] to deal with these loopholes. Attribution (CC BY) license (https:// Particularly, the sending-or-not-sending (SNS) TF-QKD [12], as an efﬁcient protocol, can creativecommons.org/licenses/by/ tolerate large misalignment errors even up to 35% in the single-photon interference. In fact, 4.0/). Entropy 2022, 24, 1339. https://doi.org/10.3390/e24101339 https://www.mdpi.com/journal/entropy Entropy 2022, 24, 1339 2 of 16 the SNS TF-QKD protocol has made signiﬁcant progress in theory [16–25]. In addition, several experiments on the SNS protocol have also been performed so far [26–31]. In a practical QKD system, Eve may shift their target to quantum state preparation devices so that the bit encoding and measurement basis selection are non-randomly mod- ulated by Alice or Bob [32]. For the quantum state preparation vulnerability of the weak randomness, Li et al. proposed [33] a weak randomness model in the BB84 protocol. Un- der the model, the quantum states that Alice has prepared are divided into two parts: the random part and the non-random part, and the latter may lead to the leakage of information. Since then, the model has been further promoted and applied in other protocols [34–36]. In this paper, we generalize the weak randomness attack model to the SNS TF-QKD. In fact, the SNS TF-QKD possesses the property of measurement-device-independent and can be applied using the coherent source with the decoy-state method [37–39]. Moreover, the operation of sending or not sending states for Alice and Bob can be regarded as the bit encoding operation, and the operation of selecting time windows can be regarded as the basis selection operation [12]. We analyze the effect of weak randomness on the ﬁnal security key in the asymptotic and the ﬁnite-key size cases. Firstly, we will analytically derive the secret key rate formula based on the weak randomness model in the asymptotic case, and we then calculate the lower bound of the counting rate of the single-photon states and the upper bound of the phase error rate in ﬁnite-key cases [16]. In the security analysis of SNS TF-QKD with the weak randomness, we assume that Eve can interfere the quantum state preparation operation, and Eve is responsible for all weak randomness mentioned above. We also assume that the hidden variables x and z from Eve may determine the quantum states prepared by Alice and Bob, where x determines Alice’s quantum states and z determines Bob’s quantum states. The probability of non-random quantum states prepared by Alice is p and the probability of random quantum states is 1 p . The probability of non-random quantum states prepared by Bob is p and the 1 2 probability of random quantum states is 1 p . If p = 1 or p = 1, apparently, Eve 2 1 2 can acquire all the information, that is, R = 0. If p = p = 0, Eve may partly acquire 1 2 information. If 0 < p < 1, 0 < p < 1, the weak randomness model could be applied 1 2 to quantify the maximal amount of leaked information and explore the security of SNS TF-QKD with weak randomness. Using the experimental parameters, we demonstrate that the secret key rate of SNS TF-QKD still can exceed the PLOB bound and achieve long secure transmission distances under the weak random condition. We then compare the effect of weak randomness on the BB84 protocol and MDI-QKD protocol, and we deduce that SNS TF-QKD can tolerate more weak randomness vulnerability. The rest of paper is organized as follows: we describe a four-intensity decoy-state SNS TF-QKD protocol in Section 2. In Section 3, we analyze the effects of the weak randomness on the SNS TF-QKD protocol in the asymptotic and of the ﬁnite-key size cases. The numerical simulations are shown in Section 4 and the conclusion is made in Section 5. 2. Protocol Description In the practical QKD system, we usually choose the weak coherent state source instead of the single photon source. Here, we consider the four-intensity decoy-state SNS protocol [16], and the description of the protocol is presented as follows: 1. Preparation. At any times window i, Alice (Bob) independently determines whether it is a decoy window or a signal window with probabilities p and p . If it is a de- x z coy window, Alice (Bob) sends out to Charlie a decoy pulse in a phase-randomized E E p p 0 p p 0 id id id id A A B B coherent state m e , m e or 0 ( m e , m e or 0 ) with prob- j i j i a b a b abilities of p , p , p . We suppose m < m . If it is a signal window, Alice (Bob) m m 0 a b a b decides to send out to Charlie a signal pulse in phase-randomized coherent states p p id id A B m e or a vacuum statej0i ( m e orj0i) with probabilities of p and 1 p , z z z0 z0 where d is random in [0, 2p). Here, we assume that consecutive photons are A(B) well-separated in the decoy and the signal time windows. Note that a coherent state of intensity m and global phase d is a linear superposition of photon-number Entropy 2022, 24, 1339 3 of 16 p k m/2 id e ( me ) id states me = k . Whenever Alice or Bob sends a coherent state å j i k! k=0 of intensity m, it can be equivalently regarded as a probabilistic mixture of different m k p p 2p e m id id photon-number states me me dd/2p = jkihkj. 0 k! k=0 2. Measurement. Alice and Bob send the chosen states to Charlie. Charlie then performs interferometric measurements on the incoming quantum signals after taking phase compensation and announces the measurement results of which detector clicks to Alice and Bob. An effective event is deﬁned as follows: (1) if only one detector clicks corresponding to a time window i when both Alice and Bob have determined the signal window, it is deﬁned as an effective event. (2) If only one detector clicks corresponding to a time window i when both Alice and Bob have determined a decoy window and sent the coherent states with the same intensity, and in that time window, the pre-chosen values d and d satisfy post-selection criterion, which is: A B 1jcos(d d y )j jlj, (1) A B AB where d and d are the random phases of coherent states prepared by Alice and A B Bob, respectively. y could take an arbitrary value and it is set properly to acquire AB a satisfactory key rate, which will be different from time to time due to phase drift. The value of l is determined by the size of the phase slice D, which is chosen by Alice and Bob. In fact, Equation (1) is equivalent to: D D jq q y j ,jq q y pj . (2) A B AB A B AB 2 2 where jxj represents the minor angle enclosed by two rays, which enclose the rotational angle. 3. Sifting. Alice and Bob announce decoy windows and signal windows of each other. If both Alice and Bob choose the decoy window, it is deﬁned to be an X window. If both Alice and Bob choose the signal window, it is deﬁned to be a Z window. In an ˜ ˜ X window, it is an X window, which is a subset of X windows, when they choose the same intensity m . Additionally, it is an X window when Alice (Bob) determines a a(b) signal window, while Bob (Alice) determines a decoy window, or when both Alice and Bob determine the decoy window, but choose different intensities. According to the effective events criterion introduced above, Alice and Bob decide whether one-detector clicks event is an effective event. We deﬁne three kinds of sets: Z, X and X , which include all effective events in Z, X and X windows. 0 1 0 4. Parameter estimation. For the events in the set Z of the Z window, if Alice decides to send out a phased-randomized weak coherent state, she (he) denotes a bit 1 and if she (he) decides to send a vacuum state, she (he) denotes a bit 0. If Bob decides to send out a phased-randomized weak coherent state, she (he) denotes a bit 0 and if she (he) decides not to send a vacuum state, she (he) denotes a bit 0. We notice that it is the decision that determines the bit value rather than what they send. Then, Alice and Bob could obtain the n bit strings, and they will get an error bit if an effective event happens when both Alice and Bob decide to send or not send. Finally, adopting the decoy-state method, Alice and Bob could estimate the number of the single-photon ph states n and phase-ﬂip error rate e according to the events in Z windows. They ph could estimate the lower bound of n and upper bound of e according to the events in X and X windows. 1 0 5. Error correction. Alice and Bob perform an error correction scheme to correct bit strings obtained in the last step. To achieve this goal, it consumes at most leak EC bits of error correction data. Then, Alice and Bob exploit a random two-universal hash function to carry out an error veriﬁcation operation, which Alice sends a hash of length log (1/# ) to make sure that the key bits of Alice are the same as Bob. cor 2 Entropy 2022, 24, 1339 4 of 16 6. Private ampliﬁcation. In order to reduce Eve’s information of ﬁnal keys, Alice and Bob exploit the random two-universal hash function to extract two shorter strings of length l. Finally, Alice and Bob obtain the secret key strings S and S . A B 3. Security Analysis In this section, we may analyze the effects of the weak randomness on the decoy- state SNS TF-QKD in the asymptotic and the ﬁnite-key size cases. We may derive concise formulas for estimating the lower bound of the single-photon yield and the upper bound of the phase-ﬂip error rate. 3.1. Parameter Estimation in the Asymptotic Case As discussed above, the effective events that Alice decides to send and Bob decides not to send, or Alice decides not to send and Bob decides to send, in Z windows could generate the secret key. As a matter of fact, the selection of signal windows and decoy windows can be considered as the basis selection. In the decoy windows or the signal windows, sending or not sending a phase-randomized coherent state can be considered as the bit encoding. This assumption is reasonable by considering two cases. The ﬁrst one is that the random numbers may be leaked to Eve because of the imperfection of the random number generator devices. The other one is that the imperfect state modulation may be prepared by different laser diodes from Alice and Bob, and they can be partly distinguished through observing the properties of the spectrum and timing sequence. Therefore, the weak randomness attack model which is used in the BB84 protocol and the MDI-QKD protocol is still appropriate to the SNS TF-QKD protocol. Under the weak randomness model, we suppose that the quantum states prepared by Alice and Bob can be considered as the set S and T, and jSj and jTj represent the number of elements of the set S and T. For the set of quantum states prepared by Alice (Bob), S (T ) is the random part and S (T ) is 1 1 2 2 the non-random part. At this time, the probability of a non-random parameter at Alice jS j could be deﬁned as p = , and the probability of non-random parameter at Bob could jSj jT j be deﬁned as p = . Under the practical QKD system, although we can assume the jTj quantum devices at Alice and Bob are identical, the attack capabilities of Eve against Alice and Bob cannot be guaranteed same. That is, p = p is not necessary. In the model, we 1 2 can re-describe the quantum states prepared by Alice and Bob in the practical system: r = jaihaj jaihaj + (1 p )r j2ih2j , (3) å 1 Alice Alice Alice Eve Eve a=0,1 r = jbihbj jbihbj + (1 p )r j2ih2j . (4) å 2 Bob Bob Bob Eve Eve b=0,1 where the quantum states prepared by Alice and Bob can be divided into two parts: the ﬁrst part is prepared by a non-random set, and the second part is prepared by a random set. In the case in which the quantum states are in the ﬁrst part, the assistant quantum states of Eve are related to Alice’s (Bob’s) system. More precisely, if the auxiliary quantum state of Eve isjaihaj , Eve can obtain the secret key a of Alice; if the auxiliary quantum state of Eve Eve is b b , Eve can obtain the secret key b of Bob. In the case in which the quantum state j ih j Eve is prepared in the second part, if the auxiliary quantum state of Eve is j2ih2j , it indicates Eve that Alice and Bob prepared the phase-randomized coherent states, which is equivalent m k e m to a probabilistic mixture of different photon-number states r = jkihkj and Alice k! k=0 ¥ m e m r = å jkihkj and Eve can not distinguish encoding states. Therefore, Eve can Bob k! k=0 distinguish the random part and non-random part states of Alice and Bob by observing auxiliary quantum states. The practical QKD systems require perfect random numbers for preparing quantum states. Unfortunately, the weak randomness of state preparation in practical QKD systems is universal because of the imperfections of quantum devices. Entropy 2022, 24, 1339 5 of 16 Under the weak randomness model, Eve wants to get more information, so she (he) may perform the attenuation operation on the quantum states from a random part by a certain probability, but cannot perform that on the quantum states from a non-random part. The attacker ’s attenuation operation increases the non-randomness of the quantum states reaching Charlie, which leads to the increasing of the amount of information controlled by Eve. Because of the attenuation operation, we can assume that the bit error rate only happens in the random part, while the non-random part does not produce bit errors. As long as Eve controls the attenuation to make the ﬁnal error rate less than a reasonable value, Alice and Bob cannot detect the presence of Eve, so Eve implements a weak-random attack. In this case, the non-random probability on Charlie’s side can be ampliﬁed by considering the signal loss so that the maximal transmission distance may be seriously decreased and the single photon counting rate in Z windows s , which is used to generate the secret key, decreases, and the bit error rate in X windows e increases. Then, we estimate the parameters within the effects of weak randomness on SNS TF-QKD in the asymptotic case. Firstly, we may analyze the state preparation step under the weak randomness con- dition. In the case where both Alice and Bob choose a signal window, Alice then sends quantum states and Bob does not send quantum states, or Bob sends quantum states and Alice does not send quantum states, and the probability of the states prepared by Alice or Bob with randomness is 2 p (1 p )m e (1 p )(1 p ), and the probability with z0 z0 1 2 m m z z non-randomness is 2 p (1 p )m e (1 (1 p )(1 p )) = 2 p (1 p )m e ( p + z0 z0 z 1 2 z0 z0 z 1 p p p ). Here, the probability of quantum states with non-randomness prepared by 2 1 2 Alice is p , and the probability of quantum states with non-randomness prepared by Bob is p . In the practical QKD system, Eve can control the attenuation of the quantum states in the channel, and only attenuates the quantum states of the random part to ensure that the non-random part of the quantum states reach Charlie without attenuation. At the Charlie’s side, the proportion of non-random quantum states from the non-random part increases, and the proportion of quantum states from the random part decreases. In order to acquire more information, Eve may make the non-random scale of Charlie as large as possible. To ensure that she (he) may not be detected by both communicators, Eve must control the probability of attenuation or the attack will fail. Here, we calculate the probability of signal loss of the coherent states from the random set: s ( p + p p p ) 1 2 1 2 m 1 p = 2 p (1 p )m e , (5) loss1 z0 z0 z 1 ( p + p p p ) 1 2 1 2 From the Equation (5), we can conclude the proportion of quantum states reaching Charlie with non-randomness: p + p p p 1 2 1 2 p = , (6) nonrand1 The proportion of quantum states reaching Charlie with randomness is: s ( p + p p p ) 1 2 1 2 p = . (7) rand1 Since the quantum states of the random part are attenuated, the effective counting rate s in the Z window and the bit error rate e in the X window will change. In fact, the quantum states of the non-random set cannot generate the security key, and only the quantum states of the random set may generate the security key. The counting rate from the non-random set in Z windows that cannot generate the secret key is: Z m s ˜ = 2 p (1 p )m e ( p + p p p ), (8) z0 z0 z 2 2 1 1 1 Entropy 2022, 24, 1339 6 of 16 The counting rate from the random set in Z windows that can generate the secret key satisﬁes: 0 Z Z s = s s . (9) 1 1 1 Under the weak randomness condition, in order to obtain more information, Eve attenuates the random part of the quantum states to ensure that the ﬁnal error code only comes from the quantum states of the random part. The bit error rate in X windows after the attenuation operation is calculated: X X Z e e s 0 1 1 1 e = = , (10) s ( p + p p p ) rand1 1 2 1 2 Alice and Bob use the announced data from X windows to calculate the counting rate s , which is also the value for Z windows. The number of bits generated in Z windows could be calculated from this value. Moreover, the error rate of bits in X windows of intensity m and E , the counting rate of intensity m and S , and the counting rate of vacuum s can be m 0 observed, so we can calculate the upper bound value of the ﬂipping rate [12]: X 2m S E e s /2 m 0 X X,U e e = . (11) 2m Z 2me s ph In the asymptotical condition, the phase-ﬂip rate satisﬁes e = e . Similarly, under the ph weak randomness model, the phase-ﬂip rate satisﬁes e = e . Finally, we can distill the 1 1 ﬁnal key with an asymptotic key rate formula with weak randomness: h i ph m 0 R = 2 p (1 p )m e s 1 H(e ) f S H(E ). (12) z0 z0 Z Z 1 1 where H(x) = xlog (x) (1 x)log (1 x) is the binary entropy function, S is the 2 2 observed counting rate of Z windows, E is the corresponding bit-ﬂip error rate and f is the efﬁciency of error correction. 3.2. Parameter Estimation with the Finite-Key Size In a practical QKD system, the number of photons sent is ﬁnite and the intensities cannot be inﬁnite in Z windows or X windows. In this section, we consider the effects of the weak randomness on SNS TF-QKD with the ﬁnite-key size based on the universally composable framework [40]. To close the gap between the expected values and observed values, we exploit the Improved-Chernoff bound [41–43] to estimate the counting rate of ph single-photon states n and the phase-ﬂip error rate e . Firstly, we make an introduction of the universally composable framework [40]: Deﬁnition 1. If the ﬁnal key strings S and S of Alice and Bob satisfy the following conditions, A B the protocol is deﬁned to be #-secure: • Correctness. A protocol is # -correct if S and S of Alice and Bob are not identical with the cor A B maximal probability of # : cor Pr(S 6= S ) # , A B cor • Secrecy. The ﬁnal key strings S (S or S ) are said to be # -secret with respect to the Eve sec A B holding a quantum system E if: p kr r r k # , abort S U E sec where p denotes the probability of protocol failure aborted, r denotes the classical-quantum abort S states of the system for Alice (Bob) and system E, and r denotes the fully mixed states on S U A or S . B Entropy 2022, 24, 1339 7 of 16 The security against general attacks based on the entropic uncertainty relation for the smooth min-extropy in the SNS TF-QKD has been proven. According to the ﬁnite-key analysis based on the universally composable framework, the length of secret keys can be presented as follows [16,44]: h i 2 1 ph ` = n 1 H(e ) leak log 2log p . (13) 1 EC 2 2 cor 2# # ˆ PA According to the composable framework, the security coefﬁcient of the whole protocol is ˆ ¯ # = # + # , where # = 2# + 4# + # + # . # is the failure probability of error cor sec sec PA n1 cor tol correction; # ¯ and # are the failure probability for the estimation of the phase-ﬂip error rate PA and privacy ampliﬁcation; # is the failure probability for estimation of the lower bound n1 of the counting rate of single-photon states. leak = f n h(E ), where n is ﬁnal length of Ec t z t the secret key string, E is the corresponding error rate. In X windows, Alice and Bob do not announce any phase information. The coherent states sent out can be regarded as a classical mixture of different photon numbers. We denote r , r and r . Let N be the number of the events which Alice sends r and Bob v a b ab a sends r , where (a, b) 2 f(v, v), (v, a), (a, v), (v, b), (b, v)g. Here, we suppose that Alice and Bob repeat the Pre paration and Measurement step N times, so N can be expressed as ab follows [16]: h i 2 2 N = (1 p p ) (1 p ) +2(1 p p )(1 p ) p p N, (14) vv m m z m m z z a a a z0 h i N = N = (1 p p )(1 p ) p +(1 p ) p p p N, (15) va av m m z m z z z0 m a b a a h i N = N = (1 p ) (1 p p ) p +(1 p ) p p p N. (16) vb bv z m m m z z z0 m b b b let n be the number of effective events of one-detector heralded corresponding to the N . ab ab For (a, b) 2 f(v, v), (v, a), (a, v), (v, b), (b, v)g, n can be expressed as: ab n = 2 p (1 p )N , (17) vv vv d d h i hm /2 2 hm a a n = n = 2 (1 p )e (1 p ) e N , (18) va av va d d h i hm /2 hm b b n = n = 2 (1 p )e (1 p ) e N . (19) vb bv d d vb To close the gap between the expected values and observed values, we apply Improved- Chernoff bound [41–43] to obtain the upper and lower bound of the expected value of n ab considering independent event conditions: D E D E n n ab ab U L n = , n = . (20) ab ab 1 d 1 + d U L where we can obtain the values of d and d by solving the following equations: U L " # X/(1d ) e # = , (21) 1d (1 d ) " # X/(1+d ) e # = . (22) 1+d (1 + d ) where # is the failure probability, hxi is the expected value of x. From Equations (20)–(22), D E D E U L we can obtain the upper and lower bound of n , n and n . Then, we denote the ab ab ab counting rate of state r and state r as S , which can be expressed as: b ab Entropy 2022, 24, 1339 8 of 16 ab S = , (23) ab ab Obviously, from Equations (20) and (23), we can easily obtain the upper and lower bound of the expected value of S : ab D E D E U L D E D E n n ab ab U L S = , S = . (24) ab ab N N ab ab Similarly, in the case of the ﬁnite-key size, the probability of signal loss of the coherent states from the random set can be calculated as: n 2 p (1 p )m e ( p + p p p )N 1 z0 z0 z 1 2 1 2 p = , (25) loss2 N ( p + p p p )N 1 2 1 2 from the Equation (25), we can conclude the proportion of quantum states reaching Charlie with non-randomness: 2 p (1 p )m e ( p + p p p )N z0 z0 1 2 1 2 p = , (26) nonrand2 the proportion of quantum states reaching Charlie with randomness is: n 2 p (1 p )m e ( p + p p p )N 1 z0 z0 z 1 2 1 2 p = . (27) rand2 Due to the quantum states in the random part being attenuated, the number of the ph effective counting rate n and the phase-ﬂip error rate e in the Z window may change. The quantum states in the non-random set cannot generate the security key, and only the quantum states in the random set may generate the security key. The number of the effective events caused by single-photon states from the non-random set in Z windows that cannot generate the secret key is: m Z n ˜ = 2 p (1 p )m e s ˜ N, (28) z0 z0 z 1 1 The number of the effective events caused by single-photon states from the random set that can generate the secret key is: 0 m Z Z n = n n ˜ = 2 p (1 p )m e (s s ˜ )N. (29) 1 1 z0 z0 z 1 1 1 where the lower bound of the effective counting rate s of the ﬁnite-key size satisﬁes [16,17]: D E D E h D E D E D E D E D Ei Z,L Z 2 m L L 2 m U U 2 2 U s s = m e ( S + S ) m e ( S + S ) 2(m m ) S . (30) a a b va av b vv 1 1 vb bv 2m m (m m ) a a b b ph Moreover, in order to estimate the upper bound of e , we need to deﬁne two new subsets + D D C and C of X windows when jd d j and jd d pj , where we have 1 A B A B D D 2 2 supposed that y = 0. The number of instances in C and C is: AB D D 2 2 N + = N = (1 p ) p N, (31) z m D D a 2p Here, we denote the number of effective events of right detector from C and the number R L of effective events of left detector from C as n and n : D D R + n = (W (1 e ) + C e )N , (32) + a a d d D D Entropy 2022, 24, 1339 9 of 16 n = (W (1 e ) + C e )N . (33) a a d d D D where W and C is the average probability of correct counting and wrong counting, a a respectively, which can be given as: D/2 1 2 q 2hm sin 2 2hm a a W = (1 p )e dq (1 p ) e , (34) a d d D/2 D/2 1 2 2hm cos 2 2hm a a C = (1 p )e dq (1 p ) e . (35) a d d D/2 Considering independent event conditions, we apply the Improved-Chernoff bound [41–43] to obtain the upper and lower bound of the expected value of n . For the ﬁnite sample sizes, the number of effective events of the right and left detector from C and C satisﬁes: D D D E R D E R n n + + R,U D R,L D n = , n = , (36) + + D 0 D 0 1 d 1 + d U L D E L D E L n n L,U D L,L D n = , n = . (37) D 0 D 0 1 d 1 + d U L 0 0 With the failure probability #, we can obtain the values of d and d by solving the U L following equations: " # 0 X/(1d ) 0 U e # = , (38) 1d 0 2 (1 d ) " # X/(1+d ) 0 L e # = . (39) 1+d 0 L (1 + d ) We have the upper bound of the expected value of counting error rate from C and C : D D D E D E 0 1 R,U R,U D E D E D E n n 1 1 D D U U U @ A T = T + T = + , (40) D D D + 2 2 N N D D Eve may attenuate the random part of the quantum states to ensure that the ﬁnal error code only comes from the quantum states in the random part. The value of the counting error rate after the attenuation operation is calculated: U U Z T T s 0 D D 1 T = = . (41) s ( p + p p p ) rand2 1 2 1 2 The upper bound of the expected value of the phase-ﬂip error rate satisﬁes [16,17]: D E D E 0 1 2m L T e S ph ph,U D vv e e = D E , (42) 1 1 Z,L 2m 2m e s Furthermore, we are supposed to simulate the information leakage in the protocol. According to the events in Z windows, Alice and Bob can obtain a secret string of n bits. They do not care about which detector clicks as long as only one detector clicks. The length of the secret key string is n = n + n . The number of right bits n and wrong t signal error signal bits n can be given: error h i 2 hm /2 n = 4N p p (1 p ) (1 p )e , (43) z0 z0 signal z d Entropy 2022, 24, 1339 10 of 16 h i 2 2 hm /2 2 hm 2 2 z z n = 2N p (1 p ) (1 p )e I (hm )(1 p ) e + 2N p p (1 p ). (44) error z0 0 z z d d z z0 d where I (x) is the zero-order hyperbolic Bassel function of the ﬁrst kind. The error rate of error the ﬁnal key string is E = . Finally, combining the Equations (29), (42)–(44), we can calculate the length of ﬁnal security key in the SNS TF-QKD protocol with the weak randomness: h i 2 1 ph 0 0 ` = n 1 H(e ) leak log 2log p . (45) EC 1 1 2 2 cor 2# # ˆ PA 4. Numerical Simulations Here, we simulate the performance of effects of weak randomness on SNS TF-QKD in the asymptotic case and with the ﬁnite-key size. We use the linear model to numerically simulate the performance of the protocol. Firstly, we set the experimental parameters that we may exploit. Then, we set the results of the ﬁnal secret key rate and the analysis of results. aL/10 We deﬁne h = 10 as the ﬁber transmittance, where a = 0.2 (dB/km) is the ﬁber loss coefﬁcient and L is the length of ﬁber between Charlie and Alice (Bob). h = 80% is the detection efﬁciency of the relay Charlie, and p = 10 is the dark count of Charlie’s detectors. The failure probability of statistical ﬂuctuations analysis is ﬁxed to # = 10 , and f = 1.1 is the efﬁciency of error correction. R = ` N is the ﬁnal secret key rate, where N is the total number of transmitting signals sent by Alice and Bob. The numerical parameters are listed in Table 1. Here, we set # = # ˆ = # = #, # ¯ = 3#, and # = 4#. cor n PA Table 1. List of experimental parameters applied in the numerical simulation in the following table: a is the the ﬁber loss coefﬁcient (dB/km), f is the efﬁciency of error correction, h is the efﬁciency of the detectors, e is the probability of the optical misalignment error, p is the dark count rate, and # is d d the failure probability of statistical ﬂuctuation analysis. a f h e p # d d d 10 10 0.2 1.1 80% 0.15 1.0 10 1.0 10 Firstly, we analyze the results of weak randomness existing in only one party (Alice or Bob) in the asymptotic and the ﬁnite-key size cases in Figure 1. Here, p 6= 0, p = 0 means 1 2 that Eve just masters the randomness information of Alice, and p = 0, 10 (x = 6, 5, 4, 3) means that Eve has different abilities for controlling the randomness information. We then analyze the results of weak randomness existing in both parties in the asymptotic case and the ﬁnite-key size cases in Figure 2, where Eve masters the randomness information of both Alice and Bob. As illustrated in Figures 1 and 2, the dashed lines from right to 6 5 4 3 left are acquired for different weak randomness parameters p = 0, 10 , 10 , 10 , 10 with the inﬁnite number of total pulses, and the solid lines from right to left are acquired for different weak randomness parameters p = 0, 10 (x = 6, 5, 4, 3) with the ﬁxed ﬁnite number of total pulses N = 10 . In the Figure 1, compared with the perfect randomness p = p = 0, we can calculate that the achievable transmission distance declines 11.96%, 1 2 26.91%, 43.52%, 60.46% in asymptotic cases and declines 14.39%, 30.93%, 48.56%, 66.19% 6 5 4 3 with the ﬁnite-key size when p = 10 , 10 , 10 , 10 . In the Figure 2, compared with the perfect randomness p = p = 0, the achievable transmission distance declines 14.39%, 1 2 30.93%, 48.56%, 66.19% in asymptotic cases and declines 15.95%, 31.89%, 48.50%, 65.12% 6 5 4 3 with the ﬁnite-key size when p = 0, 10 , 10 , 10 , 10 . Nevertheless, we ﬁnd that the secret key rate can exceed the PLOB bound [11] when p ( p ) 10 with the ﬁnite-key 1 2 15 5 size N = 10 , and it can still exceed the PLOB bound [11] when p ( p ) 10 in the 1 2 asymptotic case. From the above calculation data, we can deduce that the ﬂuctuation Entropy 2022, 24, 1339 11 of 16 of the ﬁnite-key size is greater than asymptotic cases for the ﬁxed weak randomness parameters. Moreover, comparing with two simulation results, we can ﬁnd that although the randomness information mastered by Eve of the Figure 2 is twice as much as the randomness information mastered by Eve of the Figure 1, it does not decrease exponentially, which means that once Eve obtains part of the information, it can seriously affect the practical system security. N=10 ,p1=0,p2=0 N=Infinity,p1=0,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 10 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 1. (Color online) The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob when the weak randomness exists for only one party (Alice or Bob) p = 10 (x = 6, 5, 4, 3), p = 0 (curves from right to left). The dashed lines are results of the 1 2 asymptotic case, and the solid lines are the results of the ﬁnite-key size N = 10 . The gray dotted line is the PLOB bound. N=10 ,p1=p2=0 N=Infinity,p1=p2=0 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 2. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob when the weak randomness exists for two parties p = p = 1 2 10 (x = 6, 5, 4, 3)(curves from right to left). The dashed lines are results of asymptotic cases and the solid lines are the results of the ﬁnite-key size N = 10 . The gray dotted line is the PLOB bound. Secret key rate (per pulse) Secret key rate (per pulse) Entropy 2022, 24, 1339 12 of 16 In order to perform a detailed simulation, we then research the results of the weak randomness for the different total numbers of transmitting signals N = 10 (x = 12, 13, 15). Corresponding simulation results are illustrated in Figure 3, the dashed lines from left to x 6 right are acquired for N = 10 (x = 12, 13, 15) with the ﬁxed p = p = 10 and the solid 1 2 lines from left to right are acquired for N = 10 (x = 12, 13, 15) with the ﬁxed p = p = 0. We can notice that the generation of the security key rate will be signiﬁcantly affected, even though the weak randomness parameter is small as 10 , which means that Eve will obtain amounts of information even with small proportions of weak randomness. As shown in Figure 3, the achievable transmission distance declines 104 km when N = 10 , 60 km 13 12 when N = 10 , and 10 km when N = 10 , so we deduce that the greater the number of total pulses, the more the secure transmission distance decreases. We ﬁnd that the secret 13 6 key rate cannot exceed the PLOB bound [11] when N 10 with the ﬁxed p = p = 10 . 1 2 The number of total pulse increases, so does the number of quantum states which may be attenuated. Eve may obtain more information due to the relation between the expected values and the observed values for the case with different modulated states in the practical QKD system. In this case, the number of modulated states distinguished by Eve may increase which leads to more leakage of the security key information so we are supposed to control the number of total pulses within a rational range rather than arbitrarily choosing. N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=0 N=10 ,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 3. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmis- sion distance between Alice and Bob with weak randomness p = p = 10 and without weak 1 2 randomness p = p = 0 for different N = 10 (x = 12, 13, 15) (curves from left to right), the dashed 1 2 lines are results of weak randomness for different N, and the solid lines are the results of non-weak randomness for different N. The gray dotted line is the PLOB bound. To further study the impacts of the weak randomness for different total numbers 13 15 of transmitting signals, we then research the secret key rate for N = 10 , 10 with p = p = 0, 10 (x = 6, 5, 4, 3) in Figure 4. As illustrated in Figure 4, the dashed 1 2 lines from right to left are acquired for different weak randomness parameters p = p = 1 2 x 13 0, 10 (x = 6, 5, 4, 3) with the ﬁxed N = 10 and the solid lines from right to left are acquired for different weak randomness parameters p = p = 0, 10 (x = 6, 5, 4, 3) 1 2 with the ﬁxed N = 10 . We can ﬁnd that the impact of the weak randomness on ﬁnal security key rate is greater than the ﬁnite total numbers of transmitting signals when p = p 10 and the security key rate lines of two different N are approximately 1 2 asymptotic. The impacts of the weak randomness on ﬁnal security key rate is weaker than the ﬁnite total numbers of transmitting signals when p = p 10 and the security key 1 2 rate lines of two different N are not asymptotic. Moreover, the secret key rate cannot exceed Secret key rate (per pulse) Entropy 2022, 24, 1339 13 of 16 the PLOB bound [11] when p ( p ) 10 with the ﬁnite-key size. In fact, temporal modes 1 2 of photons become stretched due to the chromatic dispersion in the ﬁber. This phenomenon will impact the detection time windows. That is, the longer the ﬁber, the wider the time window should be. The duration of the secret key generation depends on the transmission distance as well as on the number of photons per pulse. N=10 ,p1=p2=0 N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 4. (Color online) The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob with weak randomness p = p = 0, 10 (x = 6, 5, 4, 3) (curves 1 2 13 15 13 from right to left) for different N = 10 , N = 10 , the dashed lines are results N = 10 with different weak randomness parameters, and the solid lines are the results of N = 10 with different weak randomness parameters. The gray dotted line is the PLOB bound. Finally, we compare and analyze the effects of weak randomness on different QKD protocols, BB84, MDI-QKD and SNS TF-QKD. We simulate the largest weak randomness vulnerability that different protocols can tolerate. As shown in Figure 5, the blue lines are results of MDI-QKD: the solid line is the result of both Alice and Bob existing the weak randomness and the dashed line is the result of one party existing the weak randomness. The black line is the result of the BB84 protocol. The red lines are results of SNS TF-QKD: the solid line is the result of both Alice and Bob existing the weak randomness and the dashed line is the result of one party existing the weak randomness. We ﬁnd that the largest weak randomness vulnerability that SNS TF-QKD can tolerate is 10 which is greater than the BB84 and MDI-QKD 10 . Moreover, the achievable transmission distance is also longer than the BB84 protocol and the MDI-QKD protocol. Actually, the probability that the states prepared by Alice (Bob) in the BB84 and the MDI-QKD reach the detector is h. For the SNS TF-QKD, it is h. Under the weak randomness model, in order to make sure not to be discovered, Eve may attenuate the quantum states from non-random part with a certain probability, which is related to the ﬁber transmittance h. The channel-loss dependence of the key rate in SNS TF-QKD is square root of channel transmittance R O h while it is linear in the BB84 and the MDI-QKD R O(h) , and that is why SNS TF-QKD can tolerate more weak randomness vulnerability than the BB84 protocol and the MDI-QKD. Compared with the BB84 protocol, the MDI-QKD is more sensitive to weak randomness which is rational since both Alice and Bob prepare quantum states. Compared with the MDI-QKD, the SNS TF-QKD is more robust to the weak randomness since just one party sends states and perform single photon interference in the quantum channel. Secret key rate (per pulse) Entropy 2022, 24, 1339 14 of 16 From the above simulation results, we can infer that SNS TF-QKD can still have the outstanding performance under the weak random condition. The secret key rate with the ﬁnite-key size is more sensitive to the weak randomness, and it performs differently for the different ﬁnite numbers of total pulses. Furthermore, SNS TF-QKD has an ad- vantage of tolerance to the weak randomness compared to the BB84 protocol and the MDI-QKD protocol. BB84, p=10 MDI p1=10 MDI p1=p2=10 SNS p1=10 SNS p1=p2=10 0 10 20 30 40 50 60 70 80 90 100 Standard fiber link (km) Figure 5. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob with weak randomness in the BB84 protocol, the MDI-QKD and the SNS TF-QKD. The blue lines are results weak randomness parameters, and the solid lines are the results of N = 10 with different weak randomness parameters. 5. Conclusions In this paper, we study the inﬂuence of weak randomness on the security of SNS TF-QKD in the asymptotic and the ﬁnite-key size case. Our simulation results indicate that in both cases, SNS TF-QKD can still have the prominent performance under the weak random condition: the secret key rate can exceed the PLOB bound and achieve long secure transmission distances. Moreover, the ﬂuctuation of the ﬁnal key rate with the ﬁnite-key size is greater than that in asymptotic cases, and because of Eve’s attenuation operation, the greater the number of total pulses, the more reduced the secure transmission distance. Additionally, the impact of the weak randomness on the ﬁnal security key rate is greater than that with the ﬁnite total numbers of transmitting signals when p = p 10 , 1 2 and weaker when p = p 10 . Under the weak randomness condition, SNS TF-QKD 1 2 and MDI-QKD perform differently. The secret key rate of SNS TF-QKD still can surpass the PLOB bound when p ( p ) 10 with the ﬁnite-key size, and it cannot surpass the 1 2 PLOB bound when p ( p ) 10 in the asymptotic case. MDI-QKD cannot generate a 1 2 secure key when p ( p ) 10 , while SNS TF-QKD has an advantage of tolerating the weak randomness (up to 10 ). We conclude that to avoid such an attack in the actual QKD systems, two aspects can be taken into account: (1) to make sure that the random numbers we use to encode, select bases, select time windows, and send or not send quantum states are as perfect as possible. We are supposed to use a better random number generator or random number generation algorithm, and (2) at the source side, we should ensure the reduction of the risk of the side channels, so as to avoid the distinguishability of the quantum states preparation in all degrees of freedom, such as the distinguishability between signal states and decoy states, and the distinguishability between perfect random states and weak random states. We can use two independent laser sources so that Alice and Bob have no incidental light, Secret key rate (per pulse) Entropy 2022, 24, 1339 15 of 16 and hence there is no need to monitor the incident light as the implementations directly use seed light from Charlie. The imperfect IM will also produce the states distinguishability in the frequency domain. We can use more than one IM in the actual QKD systems. Furthermore, the narrow spectral ﬁlter and wavelength ﬁlter can also be used to the reduce states distinguishability and the threat of side channels. Author Contributions: Conceptualization, X.-L.J.; methodology, X.-L.J. and Y.W.; software, X.-L.J. and Y.W.; validation, X.-L.J.; formal analysis, X.-L.J., Y.W. and Y.-F.L.; investigation, X.-L.J.; writing— original draft preparation, X.-L.J. and Y.W.; writing—review and editing, C.Z., J.-J.L. and W.-S.B.; supervision, W.-S.B.; project administration, W.-S.B.; funding acquisition, W.-S.B. and Y.W. All authors have read and agreed to the published version of the manuscript. Funding: This research was funded by the National Natural Science Foundation of China (Grant No. 62101597), the National Key Research and Development Program of China (Grant No. 2020YFA0309702), the China Postdoctoral Science Foundation (Grant No. 2021M691536), the Natural Science Foundation of Henan (Grant No. 202300410534) and the Anhui Initiative in Quantum Information Technologies. Institutional Review Board Statement: Not applicable. Informed Consent Statement: Not applicable. Data Availability Statement: Not applicable. Conﬂicts of Interest: The authors declare no conﬂict of interest. References 1. Bennett, C.H.; Brassard, G. Quantum Cryptography: Public Key Distribution and Coin Tossing. In Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 9–12 December 1984; pp. 175–179. 2. Xu, F.; Ma, X.; Zhang, Q.; Lo, H.K.; Pan, J.W. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 2020, 92, 025002. [CrossRef] 3. Li, H.W.; Wang, S.; Huang, J.Z.; Chen, W.; Yin, Z.Q.; Li, F.Y.; Zhou, Z.; Liu, D.; Zhang, Y.; Guo, G.C.; et al. Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources. Phys. Rev. A 2011, 84, 062308. [CrossRef] 4. Lydersen, L.; Wiechers, C.; Wittmann, C.; Elser, D.; Skaar, J.; Makarov, V. Hacking commercial quantum cryptography systems by tailored bright illumination. Nat. Photonics 2010, 4, 686–689. [CrossRef] 5. Qian, Y.J.; He, D.Y.; Wang, S.; Chen, W.; Yin, Z.Q.; Guo, G.C.; Han, Z.F. Robust countermeasure against detector control attack in a practical quantum key distribution system. Optica 2019, 6, 1178–1184. [CrossRef] 6. Jain, N.; Anisimova, E.; Khan, I.; Makarov, V.; Marquardt, C.; Leuchs, G. Trojan-horse attacks threaten the security of practical quantum cryptography. New J. Phys. 2014, 16, 123030. [CrossRef] 7. Lucamarini, M.; Choi, I.; Ward, M.B.; Dynes, J.F.; Yuan, Z.; Shields, A.J. Practical security bounds against the trojan-horse attack in quantum key distribution. Phys. Rev. X 2015, 5, 031030. [CrossRef] 8. Lo, H.K.; Curty, M.; Qi, B. Measurement-device-independent quantum key distribution. Phys. Rev. Lett. 2012, 108, 130503. [CrossRef] 9. Lucamarini, M.; Yuan, Z.L.; Dynes, J.F.; Shields, A.J. Overcoming the rate–distance limit of quantum key distribution without quantum repeaters. Nature 2018, 557, 400–403. [CrossRef] 10. Xie, Y.M.; Lu, Y.S.; Weng, C.X.; Cao, X.Y.; Jia, Z.Y.; Bao, Y.; Wang, Y.; Fu, Y.; Yin, H.L.; Chen, Z.B. Breaking the rate-loss bound of quantum key distribution with asynchronous two-photon interference. PRX Quantum 2022, 3, 020315. [CrossRef] 11. Pirandola, S.; Laurenza, R.; Ottaviani, C.; Banchi, L. Fundamental limits of repeaterless quantum communications. Nat. Commun. 2017, 8, 1–15. [CrossRef] 12. Wang, X.B.; Yu, Z.W.; Hu, X.L. Twin-ﬁeld quantum key distribution with large misalignment error. Phys. Rev. A 2018, 98, 062323. [CrossRef] 13. Ma, X.; Zeng, P.; Zhou, H. Phase-matching quantum key distribution. Phys. Rev. X 2018, 8, 031043. [CrossRef] 14. Cui, C.; Yin, Z.Q.; Wang, R.; Chen, W.; Wang, S.; Guo, G.C.; Han, Z.F. Twin-ﬁeld quantum key distribution without phase postselection. Phys. Rev. Appl. 2019, 11, 034053. [CrossRef] 15. Curty, M.; Azuma, K.; Lo, H.K. Simple security proof of twin-ﬁeld type quantum key distribution protocol. npj Quantum Inf. 2019, 5, 1–6. [CrossRef] 16. Jiang, C.; Yu, Z.W.; Hu, X.L.; Wang, X.B. Unconditional security of sending or not sending twin-ﬁeld quantum key distribution with ﬁnite pulses. Phys. Rev. Appl. 2019, 12, 024061. [CrossRef] 17. Yu, Z.W.; Hu, X.L.; Jiang, C.; Xu, H.; Wang, X.B. Sending-or-not-sending twin-ﬁeld quantum key distribution in practice. Sci. Rep. 2019, 9, 1–8. [CrossRef] Entropy 2022, 24, 1339 16 of 16 18. Zhou, X.Y.; Zhang, C.H.; Zhang, C.M.; Wang, Q. Asymmetric sending or not sending twin-ﬁeld quantum key distribution in practice. Phys. Rev. A 2019, 99, 062316. [CrossRef] 19. Hu, X.L.; Jiang, C.; Yu, Z.W.; Wang, X.B. Sending-or-not-sending twin-ﬁeld protocol for quantum key distribution with asymmetric source parameters. Phys. Rev. A 2019, 100, 062337. [CrossRef] 20. Xu, H.; Yu, Z.W.; Jiang, C.; Hu, X.L.; Wang, X.B. Sending-or-not-sending twin-ﬁeld quantum key distribution: Breaking the direct transmission key rate. Phys. Rev. A 2020, 101, 042330. [CrossRef] 21. Lu, Y.F.; Wang, Y.; Jiang, M.S.; Zhang, X.X.; Liu, F.; Li, H.W.; Zhou, C.; Tang, S.B.; Wang, J.Y.; Bao, W.S. Sending or Not-Sending Twin-Field Quantum Key Distribution with Flawed and Leaky Sources. Entropy 2021, 23, 1103. [CrossRef] 22. Lu, Y.F.; Wang, Y.; Jiang, M.S.; Liu, F.; Zhang, X.X.; Bao, W.S. Finite-key analysis of sending-or-not-sending twin-ﬁeld quantum key distribution with intensity ﬂuctuations. Quantum Inf. Process. 2021, 20, 1–15. [CrossRef] 23. Jiang, C.; Yu, Z.W.; Hu, X.L.; Wang, X.B. Robust twin-ﬁeld quantum key distribution through sending-or-not-sending. Natl. Sci. Rev. 2022. [CrossRef] 24. Jiang, C.; Hu, X.L.; Yu, Z.W.; Wang, X.B. Composable security for practical quantum key distribution with two way classical communication. New J. Phys. 2021, 23, 063038. [CrossRef] 25. Jiang, C.; Hu, X.L.; Xu, H.; Yu, Z.W.; Wang, X.B. Zigzag approach to higher key rate of sending-or-not-sending twin ﬁeld quantum key distribution with ﬁnite-key effects. New J. Phys. 2020, 22, 053048. [CrossRef] 26. Liu, Y.; Yu, Z.W.; Zhang, W.; Guan, J.Y.; Chen, J.P.; Zhang, C.; Hu, X.L.; Li, H.; Jiang, C.; Lin, J.; et al. Experimental twin-ﬁeld quantum key distribution through sending or not sending. Phys. Rev. Lett. 2019, 123, 100505. [CrossRef] [PubMed] 27. Qiao, Y.; Chen, Z.; Zhang, Y.; Xu, B.; Guo, H. Sending-or-not-sending twin-ﬁeld quantum key distribution with light source monitoring. Entropy 2019, 22, 36. [CrossRef] [PubMed] 28. Chen, J.P.; Zhang, C.; Liu, Y.; Jiang, C.; Zhang, W.; Hu, X.L.; Guan, J.Y.; Yu, Z.W.; Xu, H.; Lin, J.; et al. Sending-or-not-sending with independent lasers: Secure twin-ﬁeld quantum key distribution over 509 km. Phys. Rev. Lett. 2020, 124, 070501. [CrossRef] [PubMed] 29. Pittaluga, M.; Minder, M.; Lucamarini, M.; Sanzaro, M.; Woodward, R.I.; Li, M.J.; Yuan, Z.; Shields, A.J. 600-km repeater-like quantum communications with dual-band stabilization. Nat. Photonics 2021, 15, 530–535. [CrossRef] 30. Liu, H.; Jiang, C.; Zhu, H.T.; Zou, M.; Yu, Z.W.; Hu, X.L.; Xu, H.; Ma, S.; Han, Z.; Chen, J.P.; et al. Field test of twin-ﬁeld quantum key distribution through sending-or-not-sending over 428 km. Phys. Rev. Lett. 2021, 126, 250502. [CrossRef] 31. Chen, J.P.; Zhang, C.; Liu, Y.; Jiang, C.; Zhang, W.J.; Han, Z.Y.; Ma, S.Z.; Hu, X.L.; Li, Y.H.; Liu, H.; et al. Twin-ﬁeld quantum key distribution over a 511 km optical ﬁbre linking two distant metropolitan areas. Nat. Photonics 2021, 15, 570–575. [CrossRef] 32. Li, H.W.; Yin, Z.Q.; Wang, S.; Qian, Y.J.; Chen, W.; Guo, G.C.; Han, Z.F. Randomness determines practical security of BB84 quantum key distribution. Sci. Rep. 2015, 5, 1–8. [CrossRef] 33. Li, H.W.; Xu, Z.M.; Cai, Q.Y. Small imperfect randomness restricts security of quantum key distribution. Phys. Rev. A 2018, 98, 062325. [CrossRef] 34. Sun, S.H.; Tian, Z.Y.; Zhao, M.S.; Ma, Y. Security evaluation of quantum key distribution with weak basis-choice ﬂaws. Sci. Rep. 2020, 10, 1–8. [CrossRef] [PubMed] 35. Zhang, C.M.; Wang, W.B.; Li, H.W.; Wang, Q. Weak randomness impacts the security of reference-frame-independent quantum key distribution. Opt. Lett. 2019, 44, 1226–1229. [CrossRef] [PubMed] 36. Jiang, X.L.; Deng, X.Q.; Wang, Y.; Lu, Y.F.; Li, J.J.; Zhou, C.; Bao, W.S. Weak Randomness Analysis of Measurement-Device- Independent Quantum Key Distribution with Finite Resources. Photonics 2022, 9, 356. [CrossRef] 37. Hwang, W.Y. Quantum key distribution with high loss: Toward global secure communication. Phys. Rev. Lett. 2003, 91, 057901. [CrossRef] 38. Wang, X.B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 2005, 94, 230503. [CrossRef] 39. Lo, H.K.; Ma, X.; Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 2005, 94, 230504. [CrossRef] 40. Müller-Quade, J.; Renner, R. Composability in quantum cryptography. New J. Phys. 2009, 11, 085006. [CrossRef] 41. Chernoff, H. A measure of asymptotic efﬁciency for tests of a hypothesis based on the sum of observations. Ann. Math. Stat. 1952, 23, 493–507. [CrossRef] 42. Curty, M.; Xu, F.; Cui, W.; Lim, C.C.W.; Tamaki, K.; Lo, H.K. Finite-key analysis for measurement-device-independent quantum key distribution. Nat. Commun. 2014, 5, 1–7. [CrossRef] [PubMed] 43. Zhang, Z.; Zhao, Q.; Razavi, M.; Ma, X. Improved key-rate bounds for practical decoy-state quantum-key-distribution systems. Phys. Rev. A 2017, 95, 012333. [CrossRef] 44. Tomamichel, M.; Lim, C.C.W.; Gisin, N.; Renner, R. Tight ﬁnite-key analysis for quantum cryptography. Nat. Commun. 2012, 3, 1–6. [CrossRef] [PubMed] http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Entropy Multidisciplinary Digital Publishing Institute http://www.deepdyve.com/lp/multidisciplinary-digital-publishing-institute/security-analysis-of-sending-or-not-sending-twin-field-quantum-key-2BAMsXnXmr

Loading next page...

References (47)

M. Curty, Koji Azuma, H. Lo (2018)
Simple security proof of twin-field type quantum key distribution protocol
npj Quantum Information, 5
(2005)
Decoy state quantum key distribution
Phys. Rev. Lett., 94
Yong-Jun Qian, De-Yong He, Shuang Wang, Wei Chen, Z. Yin, G. Guo, Z. Han (2019)
Robust countermeasure against detector control attack in a practical quantum key distribution system
Optica
C. Jiang, Zong-Wen Yu, Xiao-Long Hu, Xiang-Bin Wang (2021)
Robust twin-field quantum key distribution through sending or not sending
National Science Review, 10
Jiu-Peng Chen, Chi Zhang, Yang Liu, C. Jiang, Weijun Zhang, Xiao-Long Hu, Jian-Yu Guan, Zong-Wen Yu, Hai Xu, Jin Lin, Ming-Jun Li, Hao Chen, Hao Li, L. You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, Jian-Wei Pan (2019)
Sending-or-Not-Sending with Independent Lasers: Secure Twin-Field Quantum Key Distribution over 509 km.
Physical review letters, 124 7
S. Sun, Zhi-Yu Tian, Mei-sheng Zhao, Yan Ma (2020)
Security evaluation of quantum key distribution with weak basis-choice flaws
Scientific Reports, 10
Yang Liu, Zong-Wen Yu, Weijun Zhang, Jian-Yu Guan, Jiu-Peng Chen, Chi Zhang, Xiao-Long Hu, Hao Li, Teng-Yun Chen, L. You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, Jian-Wei Pan (2019)
Experimental Twin-Field Quantum Key Distribution Through Sending-or-Not-Sending
Physical review letters, 123 10
Xingyu Zhou, Chunhui Zhang, Chun-Hui Zhang, Qin Wang (2019)
Asymmetric sending or not sending twin-field quantum key distribution in practice
Physical Review A
Chunmei Zhang, Wen-bo Wang, Hongwei Li, Qin Wang (2019)
Weak randomness impacts the security of reference-frame-independent quantum key distribution.
Optics letters, 44 5
Yi-Fei Lu, Yang Wang, Mu-Sheng Jiang, Xiaoxu Zhang, Fan Liu, Hongwei Li, Chun Zhou, Shi-Biao Tang, Jia-Yong Wang, Wansu Bao (2021)
Sending or Not-Sending Twin-Field Quantum Key Distribution with Flawed and Leaky Sources
Entropy, 23
Chaohan Cui, Z. Yin, Rong Wang, Feng-Yu Lu, Wei Chen, Shuang Wang, G. Guo, Z. Han (2018)
Twin-Field Quantum Key Distribution without Phase Postselection
Physical Review Applied
S. Pirandola, Riccardo Laurenza, C. Ottaviani, L. Banchi (2015)
Fundamental limits of repeaterless quantum communications
Nature Communications, 8
Xiang-Bin Wang (2004)
Beating the PNS attack in practical quantum cryptography
Hongwei Li, Zheng-Mao Xu, Q. Cai (2018)
Small imperfect randomness restricts security of quantum key distribution
Physical Review A
Zhen Zhang, Qi Zhao, M. Razavi, Xiongfeng Ma (2016)
Improved key-rate bounds for practical decoy-state quantum-key-distribution systems
Physical Review A, 95
Quantum Cryptography: Public Key Distribution and Coin Tossing
Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing
Hongwei Li, Shuang Wang, Jing-Zheng Huang, Wei Chen, Z. Yin, Fang Li, Zheng-Wei Zhou, Dong Liu, Yang Zhang, G. Guo, Wansu Bao, Z. Han (2011)
Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources
Physical Review A, 84
C. Jiang, Xiao-Long Hu, Zong-Wen Yu, Xiang-Bin Wang (2021)
Composable security for practical quantum key distribution with two way classical communication
New Journal of Physics, 23
Feihu Xu, Xiongfeng Ma, Qiang Zhang, H. Lo, Jian-Wei Pan (2020)
Secure quantum key distribution with realistic devices
Reviews of Modern Physics, 92
Yuan-Mei Xie, Yu-Shuo Lu, Chenkai Weng, Xiao-Yu Cao, Zhao Jia, Yu Bao, Yang Wang, Yao Fu, Hua-Lei Yin, Zeng-Bing Chen (2021)
Breaking the Rate-Loss Bound of Quantum Key Distribution with Asynchronous Two-Photon Interference
PRX Quantum
Hui Liu, C. Jiang, Haonan Zhu, Mi Zou, Zong-Wen Yu, Xiao-Long Hu, Hai Xu, Shi-Zhao Ma, Zhi-Yong Han, Jiu-Peng Chen, Yunqi Dai, Shi-Biao Tang, Weijun Zhang, Hao Li, L. You, Zhen Wang, Yong Hua, Hongbo Hu, Hongbo Zhang, Fei Zhou, Qiang Zhang, Xiang-Bin Wang, Teng-Yun Chen, Jian-Wei Pan (2021)
Field Test of Twin-Field Quantum Key Distribution through Sending-or-Not-Sending over 428 km.
Physical review letters, 126 25
Xiao-Long Hu, C. Jiang, Zong-Wen Yu, Xiang-Bin Wang (2019)
Sending-or-not-sending twin-field protocol for quantum key distribution with asymmetric source parameters
Physical Review A
H. Lo, M. Curty, B. Qi (2011)
Measurement-device-independent quantum key distribution.
Physical review letters, 108 13
J. Müller-Quade, R. Renner (2009)
Composability in quantum cryptography
New Journal of Physics, 11
Yi-Fei Lu, Yang Wang, Mu-Sheng Jiang, Fan Liu, Xiaoxu Zhang, Wansu Bao (2021)
Finite-key analysis of sending-or-not-sending twin-field quantum key distribution with intensity fluctuations
Quantum Information Processing, 20
Bennett (1984)
175
Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing
Jiu-Peng Chen, Chi Zhang, Yang Liu, C. Jiang, Weijun Zhang, Zhi-Yong Han, Shi-Zhao Ma, Xiao-Long Hu, Yuhuai Li, Hui Liu, Fei Zhou, Haifeng Jiang, Teng-Yun Chen, Hao Li, L. You, Zhen Wang, Xiang-Bin Wang, Qiang Zhang, Jian-Wei Pan (2021)
Twin-field quantum key distribution over a 511 km optical fibre linking two distant metropolitan areas
Nature Photonics, 15
Hai Xu, Zong-Wen Yu, C. Jiang, Xiao-Long Hu, Xiang-Bin Wang (2019)
Sending-or-not-sending twin-field quantum key distribution: Breaking the direct transmission key rate
Physical Review A
N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, G. Leuchs (2014)
Trojan-horse attacks threaten the security of practical quantum cryptography
New Journal of Physics, 16
(2005)
Beating the photon-number-splitting attack in practical quantum cryptography
Phys. Rev. Lett., 94
Zong-Wen Yu, Xiao-Long Hu, C. Jiang, Hai Xu, Xiang-Bin Wang (2018)
Sending-or-not-sending twin-field quantum key distribution in practice
Scientific Reports, 9
L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, V. Makarov (2010)
Hacking commercial quantum cryptography systems by tailored bright illumination
Nature Photonics, 4
W. Hwang (2002)
Quantum key distribution with high loss: toward global secure communication.
Physical review letters, 91 5
Yucheng Qiao, Ziyang Chen, Yichen Zhang, Bingjie Xu, Hong Guo (2019)
Sending-or-Not-Sending Twin-Field Quantum Key Distribution with Light Source Monitoring
Entropy, 22
C. Jiang, Xiao-Long Hu, Hai Xu, Zong-Wen Yu, Xiang-Bin Wang (2019)
Zigzag approach to higher key rate of sending-or-not-sending twin field quantum key distribution with finite-key effects
New Journal of Physics, 22
C. Jiang, Zong-Wen Yu, Xiao-Long Hu, Xiang-Bin Wang (2019)
Unconditional Security of Sending or Not Sending Twin-Field Quantum Key Distribution with Finite Pulses
Physical Review Applied
Marco Lucamarini, I. Choi, M. Ward, J. Dynes, Zhiliang Yuan, A. Shields (2015)
Practical security bounds against the Trojan-horse attack in quantum key distribution
arXiv: Quantum Physics
M. Tomamichel, C. Lim, N. Gisin, R. Renner (2011)
Tight finite-key analysis for quantum cryptography
Nature Communications, 3
M. Pittaluga, M. Minder, Marco Lucamarini, M. Sanzaro, R. Woodward, Ming-Jun Li, Zhiliang Yuan, A. Shields (2020)
600-km repeater-like quantum communications with dual-band stabilization
Nature Photonics, 15
M. Curty, Feihu Xu, W. Cui, C. Lim, K. Tamaki, H. Lo (2013)
Finite-key analysis for measurement-device-independent quantum key distribution
Nature Communications, 5
H. Chernoff (1952)
A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the sum of Observations
Annals of Mathematical Statistics, 23
Sellami Ali (2010)
DECOY STATE QUANTUM KEY DISTRIBUTION
IIUM Engineering Journal, 10
Xiongfeng Ma, Pei Zeng, Hongyi Zhou (2018)
Phase-Matching Quantum Key Distribution
Physical Review X
Hongwei Li, Z. Yin, Shuang Wang, Yong-Jun Qian, Wei Chen, G. Guo, Z. Han (2015)
Randomness determines practical security of BB84 quantum key distribution
Scientific Reports, 5
Marco Lucamarini, Z. Yuan, J. Dynes, A. Shields (2018)
Overcoming the rate–distance limit of quantum key distribution without quantum repeaters
Nature, 557
Xiao-Lei Jiang, Xiao-Qin Deng, Yang Wang, Yi-Fei Lu, Jia-Ji Li, Chun Zhou, Wansu Bao (2022)
Weak Randomness Analysis of Measurement-Device-Independent Quantum Key Distribution with Finite Resources
Photonics
Xiang-Bin Wang, Zong-Wen Yu, Xiao-Long Hu (2018)
Twin-field quantum key distribution with large misalignment error
Physical Review A

Publisher: Multidisciplinary Digital Publishing Institute
Copyright: © 1996-2022 MDPI (Basel, Switzerland) unless otherwise stated Disclaimer The statements, opinions and data contained in the journals are solely those of the individual authors and contributors and not of the publisher and the editor(s). MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. Terms and Conditions Privacy Policy
ISSN: 1099-4300
DOI: 10.3390/e24101339
Publisher site: See Article on Publisher Site

Abstract

entropy Article Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness 1,2 1,2,3, 1,2 1,2 1,2 1,2, Xiao-Lei Jiang , Yang Wang * , Yi-Fei Lu , Jia-Ji Li , Chun Zhou and Wan-Su Bao * Henan Key Laboratory of Quantum Information and Cryptography, SSF IEU, Zhengzhou 450001, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China National Laboratory of Solid State Microstructures, School of Physics and Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China * Correspondence: wy@qiclab.cn (Y.W.); bws@qiclab.cn (W.-S.B.) Abstract: Sending-or-not sending twin-ﬁeld quantum key distribution (SNS TF-QKD) has the advan- tage of tolerating large amounts of misalignment errors, and its key rate can exceed the linear bound of repeaterless quantum key distribution. However, the weak randomness in a practical QKD system may lower the secret key rate and limit its achievable communication distance, thus compromising its performance. In this paper, we analyze the effects of the weak randomness on the SNS TF-QKD. The numerical simulation shows that SNS TF-QKD can still have an excellent performance under the weak random condition: the secret key rate can exceed the PLOB boundary and achieve long transmission distances. Furthermore, our simulation results also show that SNS TF-QKD is more robust to the weak randomness loopholes than the BB84 protocol and the measurement-device-independent QKD (MDI-QKD). Our results emphasize that keeping the randomness of the states is signiﬁcant to the protection of state preparation devices. Citation: Jiang, X.-L.; Wang, Y.; Lu, Y.-F.; Li, J.-J.; Zhou, C.; Bao, W.-S. Security Analysis of Sending or Keywords: twin-ﬁeld quantum key distribution; weak randomness; asymptotic cases; ﬁnite-key Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness. Entropy 2022, 24, 1339. https://doi.org/10.3390/ 1. Introduction e24101339 Quantum key distribution (QKD) has been widely proved to have information- Academic Editors: Leong Chuan theoretical security, which is guaranteed by the laws of physics between two authorized Kwek, Xiang-Bin Wang and users, Alice and Bob [1,2]. However, it is well known that the imperfections of practical Cong Jiang devices will compensate the security of the generated key. In fact, some quantum attacks have been discovered and demonstrated by exploiting these imperfections of practical Received: 28 August 2022 devices. An eavesdropper (Eve) could take advantage of any imperfections in practi- Accepted: 20 September 2022 cal system to collect secret information without being discovered, with methods such as Published: 23 September 2022 wavelength attack [3], the detector control attack [4,5], and the Trojan horse attack [6,7]. Publisher’s Note: MDPI stays neutral Therefore, researchers have to propose corresponding countermeasures to deal with these with regard to jurisdictional claims in security threats. published maps and institutional afﬁl- In order to remove side-channel attacks at detection, Lo et al. proposed [8] the iations. measurement-device-independent QKD (MDI-QKD) protocol, while the key rate of the MDI-QKD cannot be better than the linear scale of the channel transmittance. Fortunately, the twin-ﬁeld QKD (TF-QKD) [9] and the asynchronous MDI-QKD [10] were proposed and improved the key rate to the square root of the channel transmittance. The key rate Copyright: © 2022 by the authors. of them performs R O h (where h is the channel transmittance) and it can exceed the Licensee MDPI, Basel, Switzerland. Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound [11]. But the later announcement This article is an open access article of the phase information in the original TF-QKD [9] may cause security loopholes [12], distributed under the terms and conditions of the Creative Commons so many variants of TF-QKD have been proposed [12–15] to deal with these loopholes. Attribution (CC BY) license (https:// Particularly, the sending-or-not-sending (SNS) TF-QKD [12], as an efﬁcient protocol, can creativecommons.org/licenses/by/ tolerate large misalignment errors even up to 35% in the single-photon interference. In fact, 4.0/). Entropy 2022, 24, 1339. https://doi.org/10.3390/e24101339 https://www.mdpi.com/journal/entropy Entropy 2022, 24, 1339 2 of 16 the SNS TF-QKD protocol has made signiﬁcant progress in theory [16–25]. In addition, several experiments on the SNS protocol have also been performed so far [26–31]. In a practical QKD system, Eve may shift their target to quantum state preparation devices so that the bit encoding and measurement basis selection are non-randomly mod- ulated by Alice or Bob [32]. For the quantum state preparation vulnerability of the weak randomness, Li et al. proposed [33] a weak randomness model in the BB84 protocol. Un- der the model, the quantum states that Alice has prepared are divided into two parts: the random part and the non-random part, and the latter may lead to the leakage of information. Since then, the model has been further promoted and applied in other protocols [34–36]. In this paper, we generalize the weak randomness attack model to the SNS TF-QKD. In fact, the SNS TF-QKD possesses the property of measurement-device-independent and can be applied using the coherent source with the decoy-state method [37–39]. Moreover, the operation of sending or not sending states for Alice and Bob can be regarded as the bit encoding operation, and the operation of selecting time windows can be regarded as the basis selection operation [12]. We analyze the effect of weak randomness on the ﬁnal security key in the asymptotic and the ﬁnite-key size cases. Firstly, we will analytically derive the secret key rate formula based on the weak randomness model in the asymptotic case, and we then calculate the lower bound of the counting rate of the single-photon states and the upper bound of the phase error rate in ﬁnite-key cases [16]. In the security analysis of SNS TF-QKD with the weak randomness, we assume that Eve can interfere the quantum state preparation operation, and Eve is responsible for all weak randomness mentioned above. We also assume that the hidden variables x and z from Eve may determine the quantum states prepared by Alice and Bob, where x determines Alice’s quantum states and z determines Bob’s quantum states. The probability of non-random quantum states prepared by Alice is p and the probability of random quantum states is 1 p . The probability of non-random quantum states prepared by Bob is p and the 1 2 probability of random quantum states is 1 p . If p = 1 or p = 1, apparently, Eve 2 1 2 can acquire all the information, that is, R = 0. If p = p = 0, Eve may partly acquire 1 2 information. If 0 < p < 1, 0 < p < 1, the weak randomness model could be applied 1 2 to quantify the maximal amount of leaked information and explore the security of SNS TF-QKD with weak randomness. Using the experimental parameters, we demonstrate that the secret key rate of SNS TF-QKD still can exceed the PLOB bound and achieve long secure transmission distances under the weak random condition. We then compare the effect of weak randomness on the BB84 protocol and MDI-QKD protocol, and we deduce that SNS TF-QKD can tolerate more weak randomness vulnerability. The rest of paper is organized as follows: we describe a four-intensity decoy-state SNS TF-QKD protocol in Section 2. In Section 3, we analyze the effects of the weak randomness on the SNS TF-QKD protocol in the asymptotic and of the ﬁnite-key size cases. The numerical simulations are shown in Section 4 and the conclusion is made in Section 5. 2. Protocol Description In the practical QKD system, we usually choose the weak coherent state source instead of the single photon source. Here, we consider the four-intensity decoy-state SNS protocol [16], and the description of the protocol is presented as follows: 1. Preparation. At any times window i, Alice (Bob) independently determines whether it is a decoy window or a signal window with probabilities p and p . If it is a de- x z coy window, Alice (Bob) sends out to Charlie a decoy pulse in a phase-randomized E E p p 0 p p 0 id id id id A A B B coherent state m e , m e or 0 ( m e , m e or 0 ) with prob- j i j i a b a b abilities of p , p , p . We suppose m < m . If it is a signal window, Alice (Bob) m m 0 a b a b decides to send out to Charlie a signal pulse in phase-randomized coherent states p p id id A B m e or a vacuum statej0i ( m e orj0i) with probabilities of p and 1 p , z z z0 z0 where d is random in [0, 2p). Here, we assume that consecutive photons are A(B) well-separated in the decoy and the signal time windows. Note that a coherent state of intensity m and global phase d is a linear superposition of photon-number Entropy 2022, 24, 1339 3 of 16 p k m/2 id e ( me ) id states me = k . Whenever Alice or Bob sends a coherent state å j i k! k=0 of intensity m, it can be equivalently regarded as a probabilistic mixture of different m k p p 2p e m id id photon-number states me me dd/2p = jkihkj. 0 k! k=0 2. Measurement. Alice and Bob send the chosen states to Charlie. Charlie then performs interferometric measurements on the incoming quantum signals after taking phase compensation and announces the measurement results of which detector clicks to Alice and Bob. An effective event is deﬁned as follows: (1) if only one detector clicks corresponding to a time window i when both Alice and Bob have determined the signal window, it is deﬁned as an effective event. (2) If only one detector clicks corresponding to a time window i when both Alice and Bob have determined a decoy window and sent the coherent states with the same intensity, and in that time window, the pre-chosen values d and d satisfy post-selection criterion, which is: A B 1jcos(d d y )j jlj, (1) A B AB where d and d are the random phases of coherent states prepared by Alice and A B Bob, respectively. y could take an arbitrary value and it is set properly to acquire AB a satisfactory key rate, which will be different from time to time due to phase drift. The value of l is determined by the size of the phase slice D, which is chosen by Alice and Bob. In fact, Equation (1) is equivalent to: D D jq q y j ,jq q y pj . (2) A B AB A B AB 2 2 where jxj represents the minor angle enclosed by two rays, which enclose the rotational angle. 3. Sifting. Alice and Bob announce decoy windows and signal windows of each other. If both Alice and Bob choose the decoy window, it is deﬁned to be an X window. If both Alice and Bob choose the signal window, it is deﬁned to be a Z window. In an ˜ ˜ X window, it is an X window, which is a subset of X windows, when they choose the same intensity m . Additionally, it is an X window when Alice (Bob) determines a a(b) signal window, while Bob (Alice) determines a decoy window, or when both Alice and Bob determine the decoy window, but choose different intensities. According to the effective events criterion introduced above, Alice and Bob decide whether one-detector clicks event is an effective event. We deﬁne three kinds of sets: Z, X and X , which include all effective events in Z, X and X windows. 0 1 0 4. Parameter estimation. For the events in the set Z of the Z window, if Alice decides to send out a phased-randomized weak coherent state, she (he) denotes a bit 1 and if she (he) decides to send a vacuum state, she (he) denotes a bit 0. If Bob decides to send out a phased-randomized weak coherent state, she (he) denotes a bit 0 and if she (he) decides not to send a vacuum state, she (he) denotes a bit 0. We notice that it is the decision that determines the bit value rather than what they send. Then, Alice and Bob could obtain the n bit strings, and they will get an error bit if an effective event happens when both Alice and Bob decide to send or not send. Finally, adopting the decoy-state method, Alice and Bob could estimate the number of the single-photon ph states n and phase-ﬂip error rate e according to the events in Z windows. They ph could estimate the lower bound of n and upper bound of e according to the events in X and X windows. 1 0 5. Error correction. Alice and Bob perform an error correction scheme to correct bit strings obtained in the last step. To achieve this goal, it consumes at most leak EC bits of error correction data. Then, Alice and Bob exploit a random two-universal hash function to carry out an error veriﬁcation operation, which Alice sends a hash of length log (1/# ) to make sure that the key bits of Alice are the same as Bob. cor 2 Entropy 2022, 24, 1339 4 of 16 6. Private ampliﬁcation. In order to reduce Eve’s information of ﬁnal keys, Alice and Bob exploit the random two-universal hash function to extract two shorter strings of length l. Finally, Alice and Bob obtain the secret key strings S and S . A B 3. Security Analysis In this section, we may analyze the effects of the weak randomness on the decoy- state SNS TF-QKD in the asymptotic and the ﬁnite-key size cases. We may derive concise formulas for estimating the lower bound of the single-photon yield and the upper bound of the phase-ﬂip error rate. 3.1. Parameter Estimation in the Asymptotic Case As discussed above, the effective events that Alice decides to send and Bob decides not to send, or Alice decides not to send and Bob decides to send, in Z windows could generate the secret key. As a matter of fact, the selection of signal windows and decoy windows can be considered as the basis selection. In the decoy windows or the signal windows, sending or not sending a phase-randomized coherent state can be considered as the bit encoding. This assumption is reasonable by considering two cases. The ﬁrst one is that the random numbers may be leaked to Eve because of the imperfection of the random number generator devices. The other one is that the imperfect state modulation may be prepared by different laser diodes from Alice and Bob, and they can be partly distinguished through observing the properties of the spectrum and timing sequence. Therefore, the weak randomness attack model which is used in the BB84 protocol and the MDI-QKD protocol is still appropriate to the SNS TF-QKD protocol. Under the weak randomness model, we suppose that the quantum states prepared by Alice and Bob can be considered as the set S and T, and jSj and jTj represent the number of elements of the set S and T. For the set of quantum states prepared by Alice (Bob), S (T ) is the random part and S (T ) is 1 1 2 2 the non-random part. At this time, the probability of a non-random parameter at Alice jS j could be deﬁned as p = , and the probability of non-random parameter at Bob could jSj jT j be deﬁned as p = . Under the practical QKD system, although we can assume the jTj quantum devices at Alice and Bob are identical, the attack capabilities of Eve against Alice and Bob cannot be guaranteed same. That is, p = p is not necessary. In the model, we 1 2 can re-describe the quantum states prepared by Alice and Bob in the practical system: r = jaihaj jaihaj + (1 p )r j2ih2j , (3) å 1 Alice Alice Alice Eve Eve a=0,1 r = jbihbj jbihbj + (1 p )r j2ih2j . (4) å 2 Bob Bob Bob Eve Eve b=0,1 where the quantum states prepared by Alice and Bob can be divided into two parts: the ﬁrst part is prepared by a non-random set, and the second part is prepared by a random set. In the case in which the quantum states are in the ﬁrst part, the assistant quantum states of Eve are related to Alice’s (Bob’s) system. More precisely, if the auxiliary quantum state of Eve isjaihaj , Eve can obtain the secret key a of Alice; if the auxiliary quantum state of Eve Eve is b b , Eve can obtain the secret key b of Bob. In the case in which the quantum state j ih j Eve is prepared in the second part, if the auxiliary quantum state of Eve is j2ih2j , it indicates Eve that Alice and Bob prepared the phase-randomized coherent states, which is equivalent m k e m to a probabilistic mixture of different photon-number states r = jkihkj and Alice k! k=0 ¥ m e m r = å jkihkj and Eve can not distinguish encoding states. Therefore, Eve can Bob k! k=0 distinguish the random part and non-random part states of Alice and Bob by observing auxiliary quantum states. The practical QKD systems require perfect random numbers for preparing quantum states. Unfortunately, the weak randomness of state preparation in practical QKD systems is universal because of the imperfections of quantum devices. Entropy 2022, 24, 1339 5 of 16 Under the weak randomness model, Eve wants to get more information, so she (he) may perform the attenuation operation on the quantum states from a random part by a certain probability, but cannot perform that on the quantum states from a non-random part. The attacker ’s attenuation operation increases the non-randomness of the quantum states reaching Charlie, which leads to the increasing of the amount of information controlled by Eve. Because of the attenuation operation, we can assume that the bit error rate only happens in the random part, while the non-random part does not produce bit errors. As long as Eve controls the attenuation to make the ﬁnal error rate less than a reasonable value, Alice and Bob cannot detect the presence of Eve, so Eve implements a weak-random attack. In this case, the non-random probability on Charlie’s side can be ampliﬁed by considering the signal loss so that the maximal transmission distance may be seriously decreased and the single photon counting rate in Z windows s , which is used to generate the secret key, decreases, and the bit error rate in X windows e increases. Then, we estimate the parameters within the effects of weak randomness on SNS TF-QKD in the asymptotic case. Firstly, we may analyze the state preparation step under the weak randomness con- dition. In the case where both Alice and Bob choose a signal window, Alice then sends quantum states and Bob does not send quantum states, or Bob sends quantum states and Alice does not send quantum states, and the probability of the states prepared by Alice or Bob with randomness is 2 p (1 p )m e (1 p )(1 p ), and the probability with z0 z0 1 2 m m z z non-randomness is 2 p (1 p )m e (1 (1 p )(1 p )) = 2 p (1 p )m e ( p + z0 z0 z 1 2 z0 z0 z 1 p p p ). Here, the probability of quantum states with non-randomness prepared by 2 1 2 Alice is p , and the probability of quantum states with non-randomness prepared by Bob is p . In the practical QKD system, Eve can control the attenuation of the quantum states in the channel, and only attenuates the quantum states of the random part to ensure that the non-random part of the quantum states reach Charlie without attenuation. At the Charlie’s side, the proportion of non-random quantum states from the non-random part increases, and the proportion of quantum states from the random part decreases. In order to acquire more information, Eve may make the non-random scale of Charlie as large as possible. To ensure that she (he) may not be detected by both communicators, Eve must control the probability of attenuation or the attack will fail. Here, we calculate the probability of signal loss of the coherent states from the random set: s ( p + p p p ) 1 2 1 2 m 1 p = 2 p (1 p )m e , (5) loss1 z0 z0 z 1 ( p + p p p ) 1 2 1 2 From the Equation (5), we can conclude the proportion of quantum states reaching Charlie with non-randomness: p + p p p 1 2 1 2 p = , (6) nonrand1 The proportion of quantum states reaching Charlie with randomness is: s ( p + p p p ) 1 2 1 2 p = . (7) rand1 Since the quantum states of the random part are attenuated, the effective counting rate s in the Z window and the bit error rate e in the X window will change. In fact, the quantum states of the non-random set cannot generate the security key, and only the quantum states of the random set may generate the security key. The counting rate from the non-random set in Z windows that cannot generate the secret key is: Z m s ˜ = 2 p (1 p )m e ( p + p p p ), (8) z0 z0 z 2 2 1 1 1 Entropy 2022, 24, 1339 6 of 16 The counting rate from the random set in Z windows that can generate the secret key satisﬁes: 0 Z Z s = s s . (9) 1 1 1 Under the weak randomness condition, in order to obtain more information, Eve attenuates the random part of the quantum states to ensure that the ﬁnal error code only comes from the quantum states of the random part. The bit error rate in X windows after the attenuation operation is calculated: X X Z e e s 0 1 1 1 e = = , (10) s ( p + p p p ) rand1 1 2 1 2 Alice and Bob use the announced data from X windows to calculate the counting rate s , which is also the value for Z windows. The number of bits generated in Z windows could be calculated from this value. Moreover, the error rate of bits in X windows of intensity m and E , the counting rate of intensity m and S , and the counting rate of vacuum s can be m 0 observed, so we can calculate the upper bound value of the ﬂipping rate [12]: X 2m S E e s /2 m 0 X X,U e e = . (11) 2m Z 2me s ph In the asymptotical condition, the phase-ﬂip rate satisﬁes e = e . Similarly, under the ph weak randomness model, the phase-ﬂip rate satisﬁes e = e . Finally, we can distill the 1 1 ﬁnal key with an asymptotic key rate formula with weak randomness: h i ph m 0 R = 2 p (1 p )m e s 1 H(e ) f S H(E ). (12) z0 z0 Z Z 1 1 where H(x) = xlog (x) (1 x)log (1 x) is the binary entropy function, S is the 2 2 observed counting rate of Z windows, E is the corresponding bit-ﬂip error rate and f is the efﬁciency of error correction. 3.2. Parameter Estimation with the Finite-Key Size In a practical QKD system, the number of photons sent is ﬁnite and the intensities cannot be inﬁnite in Z windows or X windows. In this section, we consider the effects of the weak randomness on SNS TF-QKD with the ﬁnite-key size based on the universally composable framework [40]. To close the gap between the expected values and observed values, we exploit the Improved-Chernoff bound [41–43] to estimate the counting rate of ph single-photon states n and the phase-ﬂip error rate e . Firstly, we make an introduction of the universally composable framework [40]: Deﬁnition 1. If the ﬁnal key strings S and S of Alice and Bob satisfy the following conditions, A B the protocol is deﬁned to be #-secure: • Correctness. A protocol is # -correct if S and S of Alice and Bob are not identical with the cor A B maximal probability of # : cor Pr(S 6= S ) # , A B cor • Secrecy. The ﬁnal key strings S (S or S ) are said to be # -secret with respect to the Eve sec A B holding a quantum system E if: p kr r r k # , abort S U E sec where p denotes the probability of protocol failure aborted, r denotes the classical-quantum abort S states of the system for Alice (Bob) and system E, and r denotes the fully mixed states on S U A or S . B Entropy 2022, 24, 1339 7 of 16 The security against general attacks based on the entropic uncertainty relation for the smooth min-extropy in the SNS TF-QKD has been proven. According to the ﬁnite-key analysis based on the universally composable framework, the length of secret keys can be presented as follows [16,44]: h i 2 1 ph ` = n 1 H(e ) leak log 2log p . (13) 1 EC 2 2 cor 2# # ˆ PA According to the composable framework, the security coefﬁcient of the whole protocol is ˆ ¯ # = # + # , where # = 2# + 4# + # + # . # is the failure probability of error cor sec sec PA n1 cor tol correction; # ¯ and # are the failure probability for the estimation of the phase-ﬂip error rate PA and privacy ampliﬁcation; # is the failure probability for estimation of the lower bound n1 of the counting rate of single-photon states. leak = f n h(E ), where n is ﬁnal length of Ec t z t the secret key string, E is the corresponding error rate. In X windows, Alice and Bob do not announce any phase information. The coherent states sent out can be regarded as a classical mixture of different photon numbers. We denote r , r and r . Let N be the number of the events which Alice sends r and Bob v a b ab a sends r , where (a, b) 2 f(v, v), (v, a), (a, v), (v, b), (b, v)g. Here, we suppose that Alice and Bob repeat the Pre paration and Measurement step N times, so N can be expressed as ab follows [16]: h i 2 2 N = (1 p p ) (1 p ) +2(1 p p )(1 p ) p p N, (14) vv m m z m m z z a a a z0 h i N = N = (1 p p )(1 p ) p +(1 p ) p p p N, (15) va av m m z m z z z0 m a b a a h i N = N = (1 p ) (1 p p ) p +(1 p ) p p p N. (16) vb bv z m m m z z z0 m b b b let n be the number of effective events of one-detector heralded corresponding to the N . ab ab For (a, b) 2 f(v, v), (v, a), (a, v), (v, b), (b, v)g, n can be expressed as: ab n = 2 p (1 p )N , (17) vv vv d d h i hm /2 2 hm a a n = n = 2 (1 p )e (1 p ) e N , (18) va av va d d h i hm /2 hm b b n = n = 2 (1 p )e (1 p ) e N . (19) vb bv d d vb To close the gap between the expected values and observed values, we apply Improved- Chernoff bound [41–43] to obtain the upper and lower bound of the expected value of n ab considering independent event conditions: D E D E n n ab ab U L n = , n = . (20) ab ab 1 d 1 + d U L where we can obtain the values of d and d by solving the following equations: U L " # X/(1d ) e # = , (21) 1d (1 d ) " # X/(1+d ) e # = . (22) 1+d (1 + d ) where # is the failure probability, hxi is the expected value of x. From Equations (20)–(22), D E D E U L we can obtain the upper and lower bound of n , n and n . Then, we denote the ab ab ab counting rate of state r and state r as S , which can be expressed as: b ab Entropy 2022, 24, 1339 8 of 16 ab S = , (23) ab ab Obviously, from Equations (20) and (23), we can easily obtain the upper and lower bound of the expected value of S : ab D E D E U L D E D E n n ab ab U L S = , S = . (24) ab ab N N ab ab Similarly, in the case of the ﬁnite-key size, the probability of signal loss of the coherent states from the random set can be calculated as: n 2 p (1 p )m e ( p + p p p )N 1 z0 z0 z 1 2 1 2 p = , (25) loss2 N ( p + p p p )N 1 2 1 2 from the Equation (25), we can conclude the proportion of quantum states reaching Charlie with non-randomness: 2 p (1 p )m e ( p + p p p )N z0 z0 1 2 1 2 p = , (26) nonrand2 the proportion of quantum states reaching Charlie with randomness is: n 2 p (1 p )m e ( p + p p p )N 1 z0 z0 z 1 2 1 2 p = . (27) rand2 Due to the quantum states in the random part being attenuated, the number of the ph effective counting rate n and the phase-ﬂip error rate e in the Z window may change. The quantum states in the non-random set cannot generate the security key, and only the quantum states in the random set may generate the security key. The number of the effective events caused by single-photon states from the non-random set in Z windows that cannot generate the secret key is: m Z n ˜ = 2 p (1 p )m e s ˜ N, (28) z0 z0 z 1 1 The number of the effective events caused by single-photon states from the random set that can generate the secret key is: 0 m Z Z n = n n ˜ = 2 p (1 p )m e (s s ˜ )N. (29) 1 1 z0 z0 z 1 1 1 where the lower bound of the effective counting rate s of the ﬁnite-key size satisﬁes [16,17]: D E D E h D E D E D E D E D Ei Z,L Z 2 m L L 2 m U U 2 2 U s s = m e ( S + S ) m e ( S + S ) 2(m m ) S . (30) a a b va av b vv 1 1 vb bv 2m m (m m ) a a b b ph Moreover, in order to estimate the upper bound of e , we need to deﬁne two new subsets + D D C and C of X windows when jd d j and jd d pj , where we have 1 A B A B D D 2 2 supposed that y = 0. The number of instances in C and C is: AB D D 2 2 N + = N = (1 p ) p N, (31) z m D D a 2p Here, we denote the number of effective events of right detector from C and the number R L of effective events of left detector from C as n and n : D D R + n = (W (1 e ) + C e )N , (32) + a a d d D D Entropy 2022, 24, 1339 9 of 16 n = (W (1 e ) + C e )N . (33) a a d d D D where W and C is the average probability of correct counting and wrong counting, a a respectively, which can be given as: D/2 1 2 q 2hm sin 2 2hm a a W = (1 p )e dq (1 p ) e , (34) a d d D/2 D/2 1 2 2hm cos 2 2hm a a C = (1 p )e dq (1 p ) e . (35) a d d D/2 Considering independent event conditions, we apply the Improved-Chernoff bound [41–43] to obtain the upper and lower bound of the expected value of n . For the ﬁnite sample sizes, the number of effective events of the right and left detector from C and C satisﬁes: D D D E R D E R n n + + R,U D R,L D n = , n = , (36) + + D 0 D 0 1 d 1 + d U L D E L D E L n n L,U D L,L D n = , n = . (37) D 0 D 0 1 d 1 + d U L 0 0 With the failure probability #, we can obtain the values of d and d by solving the U L following equations: " # 0 X/(1d ) 0 U e # = , (38) 1d 0 2 (1 d ) " # X/(1+d ) 0 L e # = . (39) 1+d 0 L (1 + d ) We have the upper bound of the expected value of counting error rate from C and C : D D D E D E 0 1 R,U R,U D E D E D E n n 1 1 D D U U U @ A T = T + T = + , (40) D D D + 2 2 N N D D Eve may attenuate the random part of the quantum states to ensure that the ﬁnal error code only comes from the quantum states in the random part. The value of the counting error rate after the attenuation operation is calculated: U U Z T T s 0 D D 1 T = = . (41) s ( p + p p p ) rand2 1 2 1 2 The upper bound of the expected value of the phase-ﬂip error rate satisﬁes [16,17]: D E D E 0 1 2m L T e S ph ph,U D vv e e = D E , (42) 1 1 Z,L 2m 2m e s Furthermore, we are supposed to simulate the information leakage in the protocol. According to the events in Z windows, Alice and Bob can obtain a secret string of n bits. They do not care about which detector clicks as long as only one detector clicks. The length of the secret key string is n = n + n . The number of right bits n and wrong t signal error signal bits n can be given: error h i 2 hm /2 n = 4N p p (1 p ) (1 p )e , (43) z0 z0 signal z d Entropy 2022, 24, 1339 10 of 16 h i 2 2 hm /2 2 hm 2 2 z z n = 2N p (1 p ) (1 p )e I (hm )(1 p ) e + 2N p p (1 p ). (44) error z0 0 z z d d z z0 d where I (x) is the zero-order hyperbolic Bassel function of the ﬁrst kind. The error rate of error the ﬁnal key string is E = . Finally, combining the Equations (29), (42)–(44), we can calculate the length of ﬁnal security key in the SNS TF-QKD protocol with the weak randomness: h i 2 1 ph 0 0 ` = n 1 H(e ) leak log 2log p . (45) EC 1 1 2 2 cor 2# # ˆ PA 4. Numerical Simulations Here, we simulate the performance of effects of weak randomness on SNS TF-QKD in the asymptotic case and with the ﬁnite-key size. We use the linear model to numerically simulate the performance of the protocol. Firstly, we set the experimental parameters that we may exploit. Then, we set the results of the ﬁnal secret key rate and the analysis of results. aL/10 We deﬁne h = 10 as the ﬁber transmittance, where a = 0.2 (dB/km) is the ﬁber loss coefﬁcient and L is the length of ﬁber between Charlie and Alice (Bob). h = 80% is the detection efﬁciency of the relay Charlie, and p = 10 is the dark count of Charlie’s detectors. The failure probability of statistical ﬂuctuations analysis is ﬁxed to # = 10 , and f = 1.1 is the efﬁciency of error correction. R = ` N is the ﬁnal secret key rate, where N is the total number of transmitting signals sent by Alice and Bob. The numerical parameters are listed in Table 1. Here, we set # = # ˆ = # = #, # ¯ = 3#, and # = 4#. cor n PA Table 1. List of experimental parameters applied in the numerical simulation in the following table: a is the the ﬁber loss coefﬁcient (dB/km), f is the efﬁciency of error correction, h is the efﬁciency of the detectors, e is the probability of the optical misalignment error, p is the dark count rate, and # is d d the failure probability of statistical ﬂuctuation analysis. a f h e p # d d d 10 10 0.2 1.1 80% 0.15 1.0 10 1.0 10 Firstly, we analyze the results of weak randomness existing in only one party (Alice or Bob) in the asymptotic and the ﬁnite-key size cases in Figure 1. Here, p 6= 0, p = 0 means 1 2 that Eve just masters the randomness information of Alice, and p = 0, 10 (x = 6, 5, 4, 3) means that Eve has different abilities for controlling the randomness information. We then analyze the results of weak randomness existing in both parties in the asymptotic case and the ﬁnite-key size cases in Figure 2, where Eve masters the randomness information of both Alice and Bob. As illustrated in Figures 1 and 2, the dashed lines from right to 6 5 4 3 left are acquired for different weak randomness parameters p = 0, 10 , 10 , 10 , 10 with the inﬁnite number of total pulses, and the solid lines from right to left are acquired for different weak randomness parameters p = 0, 10 (x = 6, 5, 4, 3) with the ﬁxed ﬁnite number of total pulses N = 10 . In the Figure 1, compared with the perfect randomness p = p = 0, we can calculate that the achievable transmission distance declines 11.96%, 1 2 26.91%, 43.52%, 60.46% in asymptotic cases and declines 14.39%, 30.93%, 48.56%, 66.19% 6 5 4 3 with the ﬁnite-key size when p = 10 , 10 , 10 , 10 . In the Figure 2, compared with the perfect randomness p = p = 0, the achievable transmission distance declines 14.39%, 1 2 30.93%, 48.56%, 66.19% in asymptotic cases and declines 15.95%, 31.89%, 48.50%, 65.12% 6 5 4 3 with the ﬁnite-key size when p = 0, 10 , 10 , 10 , 10 . Nevertheless, we ﬁnd that the secret key rate can exceed the PLOB bound [11] when p ( p ) 10 with the ﬁnite-key 1 2 15 5 size N = 10 , and it can still exceed the PLOB bound [11] when p ( p ) 10 in the 1 2 asymptotic case. From the above calculation data, we can deduce that the ﬂuctuation Entropy 2022, 24, 1339 11 of 16 of the ﬁnite-key size is greater than asymptotic cases for the ﬁxed weak randomness parameters. Moreover, comparing with two simulation results, we can ﬁnd that although the randomness information mastered by Eve of the Figure 2 is twice as much as the randomness information mastered by Eve of the Figure 1, it does not decrease exponentially, which means that once Eve obtains part of the information, it can seriously affect the practical system security. N=10 ,p1=0,p2=0 N=Infinity,p1=0,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 10 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 N=10 ,p1=10 ,p2=0 N=Infinity,p1=10 ,p2=0 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 1. (Color online) The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob when the weak randomness exists for only one party (Alice or Bob) p = 10 (x = 6, 5, 4, 3), p = 0 (curves from right to left). The dashed lines are results of the 1 2 asymptotic case, and the solid lines are the results of the ﬁnite-key size N = 10 . The gray dotted line is the PLOB bound. N=10 ,p1=p2=0 N=Infinity,p1=p2=0 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 N=10 ,p1=p2=10 N=Infinity,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 2. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob when the weak randomness exists for two parties p = p = 1 2 10 (x = 6, 5, 4, 3)(curves from right to left). The dashed lines are results of asymptotic cases and the solid lines are the results of the ﬁnite-key size N = 10 . The gray dotted line is the PLOB bound. Secret key rate (per pulse) Secret key rate (per pulse) Entropy 2022, 24, 1339 12 of 16 In order to perform a detailed simulation, we then research the results of the weak randomness for the different total numbers of transmitting signals N = 10 (x = 12, 13, 15). Corresponding simulation results are illustrated in Figure 3, the dashed lines from left to x 6 right are acquired for N = 10 (x = 12, 13, 15) with the ﬁxed p = p = 10 and the solid 1 2 lines from left to right are acquired for N = 10 (x = 12, 13, 15) with the ﬁxed p = p = 0. We can notice that the generation of the security key rate will be signiﬁcantly affected, even though the weak randomness parameter is small as 10 , which means that Eve will obtain amounts of information even with small proportions of weak randomness. As shown in Figure 3, the achievable transmission distance declines 104 km when N = 10 , 60 km 13 12 when N = 10 , and 10 km when N = 10 , so we deduce that the greater the number of total pulses, the more the secure transmission distance decreases. We ﬁnd that the secret 13 6 key rate cannot exceed the PLOB bound [11] when N 10 with the ﬁxed p = p = 10 . 1 2 The number of total pulse increases, so does the number of quantum states which may be attenuated. Eve may obtain more information due to the relation between the expected values and the observed values for the case with different modulated states in the practical QKD system. In this case, the number of modulated states distinguished by Eve may increase which leads to more leakage of the security key information so we are supposed to control the number of total pulses within a rational range rather than arbitrarily choosing. N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=0 N=10 ,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 3. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmis- sion distance between Alice and Bob with weak randomness p = p = 10 and without weak 1 2 randomness p = p = 0 for different N = 10 (x = 12, 13, 15) (curves from left to right), the dashed 1 2 lines are results of weak randomness for different N, and the solid lines are the results of non-weak randomness for different N. The gray dotted line is the PLOB bound. To further study the impacts of the weak randomness for different total numbers 13 15 of transmitting signals, we then research the secret key rate for N = 10 , 10 with p = p = 0, 10 (x = 6, 5, 4, 3) in Figure 4. As illustrated in Figure 4, the dashed 1 2 lines from right to left are acquired for different weak randomness parameters p = p = 1 2 x 13 0, 10 (x = 6, 5, 4, 3) with the ﬁxed N = 10 and the solid lines from right to left are acquired for different weak randomness parameters p = p = 0, 10 (x = 6, 5, 4, 3) 1 2 with the ﬁxed N = 10 . We can ﬁnd that the impact of the weak randomness on ﬁnal security key rate is greater than the ﬁnite total numbers of transmitting signals when p = p 10 and the security key rate lines of two different N are approximately 1 2 asymptotic. The impacts of the weak randomness on ﬁnal security key rate is weaker than the ﬁnite total numbers of transmitting signals when p = p 10 and the security key 1 2 rate lines of two different N are not asymptotic. Moreover, the secret key rate cannot exceed Secret key rate (per pulse) Entropy 2022, 24, 1339 13 of 16 the PLOB bound [11] when p ( p ) 10 with the ﬁnite-key size. In fact, temporal modes 1 2 of photons become stretched due to the chromatic dispersion in the ﬁber. This phenomenon will impact the detection time windows. That is, the longer the ﬁber, the wider the time window should be. The duration of the secret key generation depends on the transmission distance as well as on the number of photons per pulse. N=10 ,p1=p2=0 N=10 ,p1=p2=0 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 N=10 ,p1=p2=10 PLOB bound 0 100 200 300 400 500 600 Standard fiber link (km) Figure 4. (Color online) The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob with weak randomness p = p = 0, 10 (x = 6, 5, 4, 3) (curves 1 2 13 15 13 from right to left) for different N = 10 , N = 10 , the dashed lines are results N = 10 with different weak randomness parameters, and the solid lines are the results of N = 10 with different weak randomness parameters. The gray dotted line is the PLOB bound. Finally, we compare and analyze the effects of weak randomness on different QKD protocols, BB84, MDI-QKD and SNS TF-QKD. We simulate the largest weak randomness vulnerability that different protocols can tolerate. As shown in Figure 5, the blue lines are results of MDI-QKD: the solid line is the result of both Alice and Bob existing the weak randomness and the dashed line is the result of one party existing the weak randomness. The black line is the result of the BB84 protocol. The red lines are results of SNS TF-QKD: the solid line is the result of both Alice and Bob existing the weak randomness and the dashed line is the result of one party existing the weak randomness. We ﬁnd that the largest weak randomness vulnerability that SNS TF-QKD can tolerate is 10 which is greater than the BB84 and MDI-QKD 10 . Moreover, the achievable transmission distance is also longer than the BB84 protocol and the MDI-QKD protocol. Actually, the probability that the states prepared by Alice (Bob) in the BB84 and the MDI-QKD reach the detector is h. For the SNS TF-QKD, it is h. Under the weak randomness model, in order to make sure not to be discovered, Eve may attenuate the quantum states from non-random part with a certain probability, which is related to the ﬁber transmittance h. The channel-loss dependence of the key rate in SNS TF-QKD is square root of channel transmittance R O h while it is linear in the BB84 and the MDI-QKD R O(h) , and that is why SNS TF-QKD can tolerate more weak randomness vulnerability than the BB84 protocol and the MDI-QKD. Compared with the BB84 protocol, the MDI-QKD is more sensitive to weak randomness which is rational since both Alice and Bob prepare quantum states. Compared with the MDI-QKD, the SNS TF-QKD is more robust to the weak randomness since just one party sends states and perform single photon interference in the quantum channel. Secret key rate (per pulse) Entropy 2022, 24, 1339 14 of 16 From the above simulation results, we can infer that SNS TF-QKD can still have the outstanding performance under the weak random condition. The secret key rate with the ﬁnite-key size is more sensitive to the weak randomness, and it performs differently for the different ﬁnite numbers of total pulses. Furthermore, SNS TF-QKD has an ad- vantage of tolerance to the weak randomness compared to the BB84 protocol and the MDI-QKD protocol. BB84, p=10 MDI p1=10 MDI p1=p2=10 SNS p1=10 SNS p1=p2=10 0 10 20 30 40 50 60 70 80 90 100 Standard fiber link (km) Figure 5. (Color online)The optimal key rate (bits per pulse) in logarithmic scale versus transmission distance between Alice and Bob with weak randomness in the BB84 protocol, the MDI-QKD and the SNS TF-QKD. The blue lines are results weak randomness parameters, and the solid lines are the results of N = 10 with different weak randomness parameters. 5. Conclusions In this paper, we study the inﬂuence of weak randomness on the security of SNS TF-QKD in the asymptotic and the ﬁnite-key size case. Our simulation results indicate that in both cases, SNS TF-QKD can still have the prominent performance under the weak random condition: the secret key rate can exceed the PLOB bound and achieve long secure transmission distances. Moreover, the ﬂuctuation of the ﬁnal key rate with the ﬁnite-key size is greater than that in asymptotic cases, and because of Eve’s attenuation operation, the greater the number of total pulses, the more reduced the secure transmission distance. Additionally, the impact of the weak randomness on the ﬁnal security key rate is greater than that with the ﬁnite total numbers of transmitting signals when p = p 10 , 1 2 and weaker when p = p 10 . Under the weak randomness condition, SNS TF-QKD 1 2 and MDI-QKD perform differently. The secret key rate of SNS TF-QKD still can surpass the PLOB bound when p ( p ) 10 with the ﬁnite-key size, and it cannot surpass the 1 2 PLOB bound when p ( p ) 10 in the asymptotic case. MDI-QKD cannot generate a 1 2 secure key when p ( p ) 10 , while SNS TF-QKD has an advantage of tolerating the weak randomness (up to 10 ). We conclude that to avoid such an attack in the actual QKD systems, two aspects can be taken into account: (1) to make sure that the random numbers we use to encode, select bases, select time windows, and send or not send quantum states are as perfect as possible. We are supposed to use a better random number generator or random number generation algorithm, and (2) at the source side, we should ensure the reduction of the risk of the side channels, so as to avoid the distinguishability of the quantum states preparation in all degrees of freedom, such as the distinguishability between signal states and decoy states, and the distinguishability between perfect random states and weak random states. We can use two independent laser sources so that Alice and Bob have no incidental light, Secret key rate (per pulse) Entropy 2022, 24, 1339 15 of 16 and hence there is no need to monitor the incident light as the implementations directly use seed light from Charlie. The imperfect IM will also produce the states distinguishability in the frequency domain. We can use more than one IM in the actual QKD systems. Furthermore, the narrow spectral ﬁlter and wavelength ﬁlter can also be used to the reduce states distinguishability and the threat of side channels. Author Contributions: Conceptualization, X.-L.J.; methodology, X.-L.J. and Y.W.; software, X.-L.J. and Y.W.; validation, X.-L.J.; formal analysis, X.-L.J., Y.W. and Y.-F.L.; investigation, X.-L.J.; writing— original draft preparation, X.-L.J. and Y.W.; writing—review and editing, C.Z., J.-J.L. and W.-S.B.; supervision, W.-S.B.; project administration, W.-S.B.; funding acquisition, W.-S.B. and Y.W. All authors have read and agreed to the published version of the manuscript. Funding: This research was funded by the National Natural Science Foundation of China (Grant No. 62101597), the National Key Research and Development Program of China (Grant No. 2020YFA0309702), the China Postdoctoral Science Foundation (Grant No. 2021M691536), the Natural Science Foundation of Henan (Grant No. 202300410534) and the Anhui Initiative in Quantum Information Technologies. Institutional Review Board Statement: Not applicable. Informed Consent Statement: Not applicable. Data Availability Statement: Not applicable. Conﬂicts of Interest: The authors declare no conﬂict of interest. References 1. Bennett, C.H.; Brassard, G. Quantum Cryptography: Public Key Distribution and Coin Tossing. In Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 9–12 December 1984; pp. 175–179. 2. Xu, F.; Ma, X.; Zhang, Q.; Lo, H.K.; Pan, J.W. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 2020, 92, 025002. [CrossRef] 3. Li, H.W.; Wang, S.; Huang, J.Z.; Chen, W.; Yin, Z.Q.; Li, F.Y.; Zhou, Z.; Liu, D.; Zhang, Y.; Guo, G.C.; et al. Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources. Phys. Rev. A 2011, 84, 062308. [CrossRef] 4. Lydersen, L.; Wiechers, C.; Wittmann, C.; Elser, D.; Skaar, J.; Makarov, V. Hacking commercial quantum cryptography systems by tailored bright illumination. Nat. Photonics 2010, 4, 686–689. [CrossRef] 5. Qian, Y.J.; He, D.Y.; Wang, S.; Chen, W.; Yin, Z.Q.; Guo, G.C.; Han, Z.F. Robust countermeasure against detector control attack in a practical quantum key distribution system. Optica 2019, 6, 1178–1184. [CrossRef] 6. Jain, N.; Anisimova, E.; Khan, I.; Makarov, V.; Marquardt, C.; Leuchs, G. Trojan-horse attacks threaten the security of practical quantum cryptography. New J. Phys. 2014, 16, 123030. [CrossRef] 7. Lucamarini, M.; Choi, I.; Ward, M.B.; Dynes, J.F.; Yuan, Z.; Shields, A.J. Practical security bounds against the trojan-horse attack in quantum key distribution. Phys. Rev. X 2015, 5, 031030. [CrossRef] 8. Lo, H.K.; Curty, M.; Qi, B. Measurement-device-independent quantum key distribution. Phys. Rev. Lett. 2012, 108, 130503. [CrossRef] 9. Lucamarini, M.; Yuan, Z.L.; Dynes, J.F.; Shields, A.J. Overcoming the rate–distance limit of quantum key distribution without quantum repeaters. Nature 2018, 557, 400–403. [CrossRef] 10. Xie, Y.M.; Lu, Y.S.; Weng, C.X.; Cao, X.Y.; Jia, Z.Y.; Bao, Y.; Wang, Y.; Fu, Y.; Yin, H.L.; Chen, Z.B. Breaking the rate-loss bound of quantum key distribution with asynchronous two-photon interference. PRX Quantum 2022, 3, 020315. [CrossRef] 11. Pirandola, S.; Laurenza, R.; Ottaviani, C.; Banchi, L. Fundamental limits of repeaterless quantum communications. Nat. Commun. 2017, 8, 1–15. [CrossRef] 12. Wang, X.B.; Yu, Z.W.; Hu, X.L. Twin-ﬁeld quantum key distribution with large misalignment error. Phys. Rev. A 2018, 98, 062323. [CrossRef] 13. Ma, X.; Zeng, P.; Zhou, H. Phase-matching quantum key distribution. Phys. Rev. X 2018, 8, 031043. [CrossRef] 14. Cui, C.; Yin, Z.Q.; Wang, R.; Chen, W.; Wang, S.; Guo, G.C.; Han, Z.F. Twin-ﬁeld quantum key distribution without phase postselection. Phys. Rev. Appl. 2019, 11, 034053. [CrossRef] 15. Curty, M.; Azuma, K.; Lo, H.K. Simple security proof of twin-ﬁeld type quantum key distribution protocol. npj Quantum Inf. 2019, 5, 1–6. [CrossRef] 16. Jiang, C.; Yu, Z.W.; Hu, X.L.; Wang, X.B. Unconditional security of sending or not sending twin-ﬁeld quantum key distribution with ﬁnite pulses. Phys. Rev. Appl. 2019, 12, 024061. [CrossRef] 17. Yu, Z.W.; Hu, X.L.; Jiang, C.; Xu, H.; Wang, X.B. Sending-or-not-sending twin-ﬁeld quantum key distribution in practice. Sci. Rep. 2019, 9, 1–8. [CrossRef] Entropy 2022, 24, 1339 16 of 16 18. Zhou, X.Y.; Zhang, C.H.; Zhang, C.M.; Wang, Q. Asymmetric sending or not sending twin-ﬁeld quantum key distribution in practice. Phys. Rev. A 2019, 99, 062316. [CrossRef] 19. Hu, X.L.; Jiang, C.; Yu, Z.W.; Wang, X.B. Sending-or-not-sending twin-ﬁeld protocol for quantum key distribution with asymmetric source parameters. Phys. Rev. A 2019, 100, 062337. [CrossRef] 20. Xu, H.; Yu, Z.W.; Jiang, C.; Hu, X.L.; Wang, X.B. Sending-or-not-sending twin-ﬁeld quantum key distribution: Breaking the direct transmission key rate. Phys. Rev. A 2020, 101, 042330. [CrossRef] 21. Lu, Y.F.; Wang, Y.; Jiang, M.S.; Zhang, X.X.; Liu, F.; Li, H.W.; Zhou, C.; Tang, S.B.; Wang, J.Y.; Bao, W.S. Sending or Not-Sending Twin-Field Quantum Key Distribution with Flawed and Leaky Sources. Entropy 2021, 23, 1103. [CrossRef] 22. Lu, Y.F.; Wang, Y.; Jiang, M.S.; Liu, F.; Zhang, X.X.; Bao, W.S. Finite-key analysis of sending-or-not-sending twin-ﬁeld quantum key distribution with intensity ﬂuctuations. Quantum Inf. Process. 2021, 20, 1–15. [CrossRef] 23. Jiang, C.; Yu, Z.W.; Hu, X.L.; Wang, X.B. Robust twin-ﬁeld quantum key distribution through sending-or-not-sending. Natl. Sci. Rev. 2022. [CrossRef] 24. Jiang, C.; Hu, X.L.; Yu, Z.W.; Wang, X.B. Composable security for practical quantum key distribution with two way classical communication. New J. Phys. 2021, 23, 063038. [CrossRef] 25. Jiang, C.; Hu, X.L.; Xu, H.; Yu, Z.W.; Wang, X.B. Zigzag approach to higher key rate of sending-or-not-sending twin ﬁeld quantum key distribution with ﬁnite-key effects. New J. Phys. 2020, 22, 053048. [CrossRef] 26. Liu, Y.; Yu, Z.W.; Zhang, W.; Guan, J.Y.; Chen, J.P.; Zhang, C.; Hu, X.L.; Li, H.; Jiang, C.; Lin, J.; et al. Experimental twin-ﬁeld quantum key distribution through sending or not sending. Phys. Rev. Lett. 2019, 123, 100505. [CrossRef] [PubMed] 27. Qiao, Y.; Chen, Z.; Zhang, Y.; Xu, B.; Guo, H. Sending-or-not-sending twin-ﬁeld quantum key distribution with light source monitoring. Entropy 2019, 22, 36. [CrossRef] [PubMed] 28. Chen, J.P.; Zhang, C.; Liu, Y.; Jiang, C.; Zhang, W.; Hu, X.L.; Guan, J.Y.; Yu, Z.W.; Xu, H.; Lin, J.; et al. Sending-or-not-sending with independent lasers: Secure twin-ﬁeld quantum key distribution over 509 km. Phys. Rev. Lett. 2020, 124, 070501. [CrossRef] [PubMed] 29. Pittaluga, M.; Minder, M.; Lucamarini, M.; Sanzaro, M.; Woodward, R.I.; Li, M.J.; Yuan, Z.; Shields, A.J. 600-km repeater-like quantum communications with dual-band stabilization. Nat. Photonics 2021, 15, 530–535. [CrossRef] 30. Liu, H.; Jiang, C.; Zhu, H.T.; Zou, M.; Yu, Z.W.; Hu, X.L.; Xu, H.; Ma, S.; Han, Z.; Chen, J.P.; et al. Field test of twin-ﬁeld quantum key distribution through sending-or-not-sending over 428 km. Phys. Rev. Lett. 2021, 126, 250502. [CrossRef] 31. Chen, J.P.; Zhang, C.; Liu, Y.; Jiang, C.; Zhang, W.J.; Han, Z.Y.; Ma, S.Z.; Hu, X.L.; Li, Y.H.; Liu, H.; et al. Twin-ﬁeld quantum key distribution over a 511 km optical ﬁbre linking two distant metropolitan areas. Nat. Photonics 2021, 15, 570–575. [CrossRef] 32. Li, H.W.; Yin, Z.Q.; Wang, S.; Qian, Y.J.; Chen, W.; Guo, G.C.; Han, Z.F. Randomness determines practical security of BB84 quantum key distribution. Sci. Rep. 2015, 5, 1–8. [CrossRef] 33. Li, H.W.; Xu, Z.M.; Cai, Q.Y. Small imperfect randomness restricts security of quantum key distribution. Phys. Rev. A 2018, 98, 062325. [CrossRef] 34. Sun, S.H.; Tian, Z.Y.; Zhao, M.S.; Ma, Y. Security evaluation of quantum key distribution with weak basis-choice ﬂaws. Sci. Rep. 2020, 10, 1–8. [CrossRef] [PubMed] 35. Zhang, C.M.; Wang, W.B.; Li, H.W.; Wang, Q. Weak randomness impacts the security of reference-frame-independent quantum key distribution. Opt. Lett. 2019, 44, 1226–1229. [CrossRef] [PubMed] 36. Jiang, X.L.; Deng, X.Q.; Wang, Y.; Lu, Y.F.; Li, J.J.; Zhou, C.; Bao, W.S. Weak Randomness Analysis of Measurement-Device- Independent Quantum Key Distribution with Finite Resources. Photonics 2022, 9, 356. [CrossRef] 37. Hwang, W.Y. Quantum key distribution with high loss: Toward global secure communication. Phys. Rev. Lett. 2003, 91, 057901. [CrossRef] 38. Wang, X.B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 2005, 94, 230503. [CrossRef] 39. Lo, H.K.; Ma, X.; Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 2005, 94, 230504. [CrossRef] 40. Müller-Quade, J.; Renner, R. Composability in quantum cryptography. New J. Phys. 2009, 11, 085006. [CrossRef] 41. Chernoff, H. A measure of asymptotic efﬁciency for tests of a hypothesis based on the sum of observations. Ann. Math. Stat. 1952, 23, 493–507. [CrossRef] 42. Curty, M.; Xu, F.; Cui, W.; Lim, C.C.W.; Tamaki, K.; Lo, H.K. Finite-key analysis for measurement-device-independent quantum key distribution. Nat. Commun. 2014, 5, 1–7. [CrossRef] [PubMed] 43. Zhang, Z.; Zhao, Q.; Razavi, M.; Ma, X. Improved key-rate bounds for practical decoy-state quantum-key-distribution systems. Phys. Rev. A 2017, 95, 012333. [CrossRef] 44. Tomamichel, M.; Lim, C.C.W.; Gisin, N.; Renner, R. Tight ﬁnite-key analysis for quantum cryptography. Nat. Commun. 2012, 3, 1–6. [CrossRef] [PubMed]

Journal

Entropy – Multidisciplinary Digital Publishing Institute

Published: Sep 23, 2022

Keywords: twin-field quantum key distribution; weak randomness; asymptotic cases; finite-key

Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

Security Analysis of Sending or Not-Sending Twin-Field Quantum Key Distribution with Weak Randomness

References (47)

Abstract

Journal

Recommended Articles

There are no references for this article.

Our policy towards the use of cookies