Finite-key security analysis of quantum key distribution with imperfect light sources

The gist of quantum key distribution (QKD) [1–3] is that it allows two remote parties, Alice and Bob, to establish common secret keys in the presence of an adversary, Eve, who may have unlimited computing resources and technological advances. Today, three decades after its introduction, QKD has made enormous progress in both theory and practice, and is arguably on the verge of global commercialization. Having said that, however, there are still some issues, both theoretical and experimental, that need to be resolved before we can reach that level. Amongst those, the most pressing one is the mismatch between device models used in security proofs and actual devices used in QKD systems. In particular, such implementation loopholes can lead to side-channel attacks that break the security of QKD. Notably, it has been repeatedly demonstrated that the behaviour of single-photon detectors employed in QKD systems can be externally controlled, simply by exploiting their physics [4]. In this case, it is easy to verify that security cannot be achieved, since the measured data are not representative of the quantum channel [5]. Undoubtedly, such hacking demonstrations raise not only the importance of proper calibration of QKD systems, but also the importance in developing security proof techniques that can tackle modeling discrepancies. Indeed, in the past few years, much attention has been devoted towards the development of such proof techniques and side-channel countermeasures, particularly in the areas of security of finite-length keys [6–10] and detector side-channel attacks [11, 14, 15, 12, 13].

Amongst these theoretical results, only a few considered the issue of state preparation flaws—despite that it is a commonly faced experimental problem. More concretely, typical light sources used in QKD systems are not true single-photon sources and practical optical modulators employed to encode the light pulses are inherently limited in precision. The former can be resolved by using the decoy-state method [16–18], which allows QKD systems based on practical light sources to achieve the security performance of single-photon QKD. The latter, however, does not have an adequate solution. In particular, it has been firstly shown by Gottesman et al [19] that such inaccuracies in encoding can lead to very pessimistic secret key rates in the presence of high quantum channel loss. Also, other works show similar results [20]. This strong dependency on channel loss is primarily due to the fact that state preparation flaws can be seen as a form of basis information leakage, which gives Eve some advantage in formulating basis-dependent attacks. Crucially, as shown in [19, 20], Eve's advantage can be significantly enhanced by exploiting channel losses. Consequently, this heavily penalizes the secret key rate whenever the channel loss is substantial.

Very recently, a loss-tolerant QKD protocol [21] has been proposed by Tamaki et al as a means to overcome typical encoding flaws in QKD systems. More specifically, as briefly mentioned earlier, here we are considering encoding flaws due to imprecise alignment of optical modulators. For example, if the quantum states are encoded into the polarization degree-of-freedom of photons, an encoding flaw could be due to a misalignment in the wave-plate used to set the desired polarization. The protocol is similar to the Bennett–Brassard 1984 (BB84) QKD scheme [22], but instead of considering all the four BB84 states, it uses only three of them. Interestingly, by considering statistics beyond those of the BB84 protocol, the resulting secret key rate is the same as the one of BB84's [23–27]. More importantly, the secret key rate has the very nice property in that it is almost independent of encoding flaws. These results imply that the usual stringent demand on precise state preparation can be considerably relaxed and one only needs to know the prepared states. Additionally, it is useful to mention that most current BB84 QKD systems can easily switch to the loss-tolerant QKD protocol without much hardware modifications.

In anticipation that the loss-tolerant QKD protocol will be widely implemented in the near future, we extend the security analysis in [21] to the finite-key regime, i.e., we derive explicit bounds on the extractable secret key length (in [28], the authors have implemented the loss-tolerant protocol experimentally with careful verification of the qubit assumption used in the protocol. This paper also includes some finite-key analysis of the protocol. Unfortunately, however, its phase error rate estimation seems to be valid only against collective attacks). Furthermore, our bounds can be applied to a wide range of imperfect light sources —including typical cases whereby the intensity of the laser is fluctuating between a certain range⁶ .

Also, the security bounds are obtained within the so-called universal-composable framework [30], and thus secret keys generated using these bounds can be applied to other cryptographic tasks like the one-time-pad. In order to investigate the feasibility of our results, we consider a QKD system model that borrows parameters from recent fibre-based QKD experiments. With this realistic model, our numerical simulations show that provably-secure keys can be distributed up to a fibre length of about 120 km, even when only 10¹¹ signals are sent by Alice to Bob.

This paper is organized as follows. In section 2, we describe some assumptions that we made in our security analysis and after that we introduce our protocol. In section 3, we give the security definition of the protocol and provide the formulation of the extractable secret key length. In section 4, we present the results of the parameter estimation using the decoy-state method for two different cases: an exact intensity control case and an intensity-fluctuation case. Then, in section 5, we simulate the key generation rate for both scenarios. Finally, section 6 concludes the paper with a summary. The paper includes as well some appendixes with additional calculations.

2.1. Assumptions on Alice and Bob's devices

Prior to stating the actual protocol, we first describe the assumptions on the user's devices.

We consider that Alice's transmitter contains a laser source, an amplitude modulator and a phase modulator. See figure 1. The laser is single-mode and emits signals with a Poissonian photon number distribution. Also, we assume that Alice encodes the bit and the basis information in the relative phase ${\theta }_{{\rm{A}}}$ between a signal and a reference pulse, whose joint phase is perfectly randomized⁷ . Let us emphasize, however, that the security proof that we provide in this paper applies as well to other coding schemes like, for instance, the polarization or the time-bin coding schemes. Next we present the two types of imperfections that we consider for Alice's device.

Zoom In Zoom Out Reset image size

(1) Intensity fluctuations.

The fluctuation of the intensity of the emitted coherent light is typically due to the laser source and imperfections in the amplitude modulator. Here we shall consider that Alice does not have a full description of the probability density function of the fluctuations, but she only knows their range⁸ . That is, she knows that the intensity k of the emitted coherent light lies in an interval $k\in [{k}^{-},{k}^{+}]$ except with error probability ${\epsilon }_{\mathrm{inten}}$, where ${k}^{+(-)}$ is the upper (lower) intensity. Moreover, we assume that the intensities of the coherent pulses are not independent to each other, that is, they can be correlated in an arbitrary manner as long as they lie in the interval. For simplicity, we shall assume that ${\epsilon }_{\mathrm{inten}}=0$. If ${\epsilon }_{\mathrm{inten}}\gt 0$ this error probability can be directly taken into account through the security parameter ${\epsilon }_{\mathrm{sec}}$ whose definition is referred to equation (40). The intensities of the signal and reference pulses are ${k}^{\mathrm{sig}}:= {kV}$ and ${k}^{\mathrm{ref}}:= k(1-V)$ respectively, with $0\lt V\lt 1$.

In section 4. A we study the case where $k={k}^{-}={k}^{+}$, i.e., there are no intensity fluctuations. After that, in section 4. B, we evaluate the typical scenario where ${k}^{+}\gt {k}^{-}$.

(2) Imperfect encoding of the bit and basis information.

In our protocol, Alice chooses the relative phase ${\theta }_{{\rm{A}}}$ at random from $\{0,\pi /2,\pi \}$ to encode the bit and basis information. The phase ${\theta }_{{\rm{A}}}\in \{0,\pi \}$ corresponds to the Z basis states which are selected with equal probability, and ${\theta }_{{\rm{A}}}=\pi /2$ denotes the X basis state. Alice assigns a bit value y = 0 to ${\theta }_{{\rm{A}}}\in \{0,\pi /2\}$ and a bit value y = 1 to ${\theta }_{{\rm{A}}}=\pi$.

Due to the misalignment of the optical system, however, the actual relative phase prepared by Alice may deviate from the desired angle ${\theta }_{{\rm{A}}}$ by a factor ${\rm{\Delta }}{\theta }_{{\rm{A}}}$. Hence, we have that the actual state Alice sends to Bob can be typically described as

$$\begin{eqnarray}&&{\displaystyle \int }_{0}^{2\pi }p({\rm{\Delta }}{\theta }_{{\rm{A}}})P\left[{| \sqrt{{k}^{\mathrm{ref}}}{{\rm{e}}}^{{\rm{i}}\chi }\rangle }_{{\rm{r}}}{| \sqrt{{k}^{\mathrm{sig}}}{{\rm{e}}}^{{\rm{i}}(\chi +{\theta }_{{\rm{A}}}+{\rm{\Delta }}{\theta }_{{\rm{A}}})}\rangle }_{{\rm{s}}}\right]{\rm{d}}{\rm{\Delta }}{\theta }_{{\rm{A}}}.\end{eqnarray} \tag{ 1 }$$

Here, we define $P[\cdot ]=| \cdot \rangle \langle \cdot |$, the parameter $\chi \in [0,2\pi )$ is a random phase, the state ${| \alpha \rangle }_{{\rm{s}}({\rm{r}})}$ is the coherent state of the signal (reference) pulse, and $p({\rm{\Delta }}{\theta }_{{\rm{A}}})$ is the probability distribution of ${\rm{\Delta }}{\theta }_{{\rm{A}}}$.

Alice does not need to know the origin of the encoding errors ${\rm{\Delta }}{\theta }_{{\rm{A}}}$, but we assume that she knows $p({\rm{\Delta }}{\theta }_{{\rm{A}}})$. Also, we assume that $p({\rm{\Delta }}{\theta }_{{\rm{A}}})$ is independently and identically distributed for each run of the protocol. Moreover, we consider that there are no side-channels in Alice's device.

Assumptions on Bob's apparatus

We consider that the detection efficiency of Bob's detectors is independent of his measurement basis choice. A phase value ${\theta }_{{\rm{B}}}=0$ (${\theta }_{{\rm{B}}}=-\pi /2$) corresponds to a device parameter to choose the $Z\;(X)$ basis for the measurement. Also, like in the case of Alice, we consider that Bob uses an imperfect phase modulator that shifts the phase of the incoming signals by ${\theta }_{{\rm{B}}}+{\rm{\Delta }}{\theta }_{{\rm{B}}}$, where ${\rm{\Delta }}{\theta }_{{\rm{B}}}$ is the modulation error. Note, however, that this last assumption is not needed in the security proof; we use it only for simulating the resulting secret key rate. Furthermore, we assume that there are no side-channels in Bob's device.

2.2. Protocol description

We study a three-state protocol that uses one signal and two decoy settings. Also, we consider that the protocol employs an asymmetric coding, i.e., the Z and the X basis are chosen with probabilities p_z and ${p}_{x}=1-{p}_{z}$, respectively. The secret key is extracted only from those events where both Alice and Bob select the Z basis and the signal setting. In addition, we assume that Alice and Bob do not implement a random sampling procedure to estimate the bit error rate, but they perform error correction for a pre-established fixed value of it. The error verification step of the protocol (see step 5 below) informs them about whether or not the actual residual bit error rate exceeds the considered value.

The protocol runs as follows.

Actual protocol

First, Alice and Bob decide a security parameter ${\epsilon }_{\mathrm{sec}}$ whose definition is referred to equation (40). Then, they repeat the first three steps of the protocol for $i=1,\ldots ,N$ until the conditions in the sifting step are met.

(1) Preparation

For each i, Alice randomly chooses the intensity $k\in K=\{{k}_{{\rm{s}}},{k}_{{\rm{d}}1},{k}_{{\rm{d}}2}\}$ with probability ${p}_{{k}_{{\rm{s}}}}$, ${p}_{{k}_{{\rm{d}}1}}$ and ${p}_{{k}_{{\rm{d}}2}}=1-{p}_{{k}_{{\rm{s}}}}-{p}_{{k}_{{\rm{d}}1}}$, respectively. The intervals $[{k}^{-},{k}^{+}]$ where the different intensities lie have to satisfy ${k}_{{\rm{d}}1}^{-}\gt {k}_{{\rm{d}}2}^{+}$ and ${k}_{{\rm{s}}}^{-}\gt {k}_{{\rm{d}}1}^{+}+{k}_{{\rm{d}}2}^{-}$. Then, Alice randomly selects the basis $a\in \{Z,X\}$ with probabilities pz and px, respectively. Next, she chooses at random the signal phase ${\theta }_{{\rm{A}}}\in \{0,\pi \}$ when she selects the Z basis, and she chooses ${\theta }_{{\rm{A}}}=\pi /2$ when she selects the X basis. Finally, she generates the signal and reference pulses following these specifications and sends them to Bob via the quantum channel.

(2) Measurement

Bob measures the incoming signal and reference pulses using the measurement basis $b\in \{Z,X\}$,which he randomly selects with probabilities pz and px, respectively. The outcome is recorded in $d\in \{0,1,\perp ,\varnothing \}$, where ⊥ and ∅ represent the double click event and the no click event, respectively. If $d=\perp$, Bob assigns a random bit to it9. As a result, he obtains $y^{\prime} =\{0,1,\varnothing \}$.

(3) Sifting

Alice and Bob announce their bases and intensity choices over an authenticated public channel and identify the following sets: ${Z}_{k}:= \{i| a=b=Z\;\wedge \;\mathrm{Intensity}=k\;\wedge \;y^{\prime} \ne \varnothing \},{X}_{k}^{j}:= \{i| a=b=X\;\wedge \;\mathrm{Intensity}=k\;\wedge \;y^{\prime} =j\}$, ${Z}^{0(1)}{X}_{k}^{j}:= \{i| a=Z\;\wedge \;b=X\;\wedge \;\mathrm{Intensity}=k\;\wedge \;y=0(1)\;\wedge \;y^{\prime} =j\}$ and ${{XZ}}_{k}^{j}:= \{i| a=X\;\wedge \;b=Z\;\wedge \;\mathrm{Intensity}=k\;\wedge \;y^{\prime} =j\}$ with $j\in \{0,1\}$ and $k\in K$. Then, they check if the following conditions are met: $| {Z}_{k}| \geqslant {N}_{{Z}_{k}}$, $| {X}_{k}^{j}| \geqslant {N}_{{X}_{k}^{j}},| {Z}^{0(1)}{X}_{k}^{j}| \geqslant {N}_{{Z}^{0(1)}{X}_{k}^{j}}$ and $| {{XZ}}_{k}^{j}| \geqslant {N}_{{{XZ}}_{k}^{j}}$ for all $j\in \{0,1\}$, all $k\in K$, and for certain pre-established values ${N}_{{Z}_{k}}$, ${N}_{{X}_{k}^{j}}$, ${N}_{{Z}^{0(1)}{X}_{k}^{j}}$ and ${N}_{{{XZ}}_{k}^{j}}$,where $| \ast |$ represents the length of the set *.

We denote by N the number of pairs of coherent states (i.e., signal and reference pulses) sent by Alice until these conditions are fulfiled. We denote Alice and Bob's sifted keys as $({Z}_{{\rm{A}}},{Z}_{{\rm{B}}})$; their size is $| {Z}_{{\rm{A}}}| =| {Z}_{{\rm{B}}}| =| {Z}_{{k}_{{\rm{s}}}}|$.

(4) Parameter estimation

They estimate the number of events ${m}_{0(1)}$, where Alice emitted the vacuum (the single-photon) state within the set ${Z}_{{k}_{{\rm{s}}}}$. Their expression is given by equations (12) and (18) for the scenario without intensity fluctuations, and by equations (23) and (28) for the case with intensity fluctsuations. Also, Alice and Bob estimate ${N}_{\mathrm{ph}}$, i.e., the number of the so-called phase errors in the single-photon emissions within the set ${Z}_{{k}_{{\rm{s}}}}$ (see equation (36)). They check if the phase error rate ${e}_{\mathrm{ph}}:= {N}_{\mathrm{ph}}/{m}_{1}$ is lower than a predetermined threshold value $\bar{{e}_{\mathrm{ph}}}$, which corresponds to the phase error rate associated with a zero secret key rate (see equation (2)). If ${e}_{\mathrm{ph}}\geqslant \bar{{e}_{\mathrm{ph}}}$ they abort the protocol; otherwise they proceed to step 5.

(5) Postprocessing

Alice and Bob perform error correction over an authenticated public channel for $({Z}_{{\rm{A}}},{Z}_{{\rm{B}}})$. This step consumes at most ${\lambda }_{\mathrm{EC}}$ bits. Finally, they implement an error verification step and, after that, they perform privacy amplification using a hash function that extracts a secret key pair $({S}_{{\rm{A}}},{S}_{{\rm{B}}})$, where $| {S}_{{\rm{A}}}| =| {S}_{{\rm{B}}}| ={\ell }$ bits.

The security of a QKD protocol is characterized by its correctness and secrecy. That is, following the universal composable security framework [30], the protocol is called ${\epsilon }_{\mathrm{sec}}$-secure if it is both ${\epsilon }_{{\rm{c}}}$-correct and ${\epsilon }_{{\rm{s}}}$-secret, where ${\epsilon }_{\mathrm{sec}}={\epsilon }_{{\rm{c}}}+{\epsilon }_{{\rm{s}}}$. Here, the correctness criterion is met whenever the output keys, ${S}_{{\rm{A}}}$ and ${S}_{{\rm{B}}}$, are identical. More generally, for some small error ${\epsilon }_{{\rm{c}}}$ in the correctness, we say that the protocol is ${\epsilon }_{{\rm{c}}}$-correct if $\mathrm{Pr}[{S}_{{\rm{A}}}\;\ne \;{S}_{{\rm{B}}}]\leqslant {\epsilon }_{{\rm{c}}}$ is met. For the secrecy criterion, it is met whenever the joint classical-quantum state describing Alice's output key and Eve's quantum system is of the following form, ${U}_{{\rm{A}}}\otimes {\rho }_{{\rm{E}}}$, where ${U}_{{\rm{A}}}$ is the uniform distribution over all bit strings, and ${\rho }_{{\rm{E}}}$ is an arbitrary quantum state held by Eve. Likewise, for some small error ${\epsilon }_{{\rm{s}}}$, we say the protocol is ${\epsilon }_{{\rm{s}}}$-secret if

$$\begin{eqnarray*}&&\displaystyle \frac{1}{2}{\parallel {\rho }_{{{\rm{S}}}_{{\rm{A}}}{\rm{E}}}-{U}_{{\rm{A}}}\otimes {\rho }_{{\rm{E}}}\parallel }_{1}\leqslant {\epsilon }_{{\rm{s}}},\end{eqnarray*}$$

where ${\rho }_{{{\rm{S}}}_{A}{\rm{E}}}$ is the joint state shared by Alice and Eve. Note that $| | \cdot | {| }_{1}$ is the trace norm defined as $| | \cdot | {| }_{1}=\mathrm{Tr}\sqrt{{\cdot }^{\dagger }\cdot }$. Using these security definitions, it can be shown (see appendix A for details) that a lower bound on the secret key length for the protocol described above

$$\begin{eqnarray}&&{\ell }\geqslant \left\lfloor {m}_{0}^{{\rm{L}}}+{m}_{1}^{{\rm{L}}}[1-h({e}_{\mathrm{ph}}^{{\rm{U}}})]-{\mathrm{log}}_{2}\displaystyle \frac{2}{{\epsilon }_{{\rm{s}}}^{2}-\eta }-{\lambda }_{\mathrm{EC}}-{\mathrm{log}}_{2}\displaystyle \frac{2}{{\epsilon }_{{\rm{c}}}}\right\rfloor ,\end{eqnarray} \tag{ 2 }$$

where $h(x)=-x{\mathrm{log}}_{2}x-(1-x){\mathrm{log}}_{2}(1-x)$ is the binary entropy function, ${m}_{0(1)}^{{\rm{L}}}$ is a lower bound on ${m}_{0(1)}$, ${e}_{\mathrm{ph}}^{{\rm{U}}}:= {N}_{\mathrm{ph}}^{{\rm{U}}}/{m}_{1}^{{\rm{L}}}$ is an upper bound on the phase error rate, and η is the sum of the failure probabilities when estimating m₀ and ${e}_{\mathrm{ph}}$. This last parameter is upper bounded by $\eta \leqslant 1-{E}_{Z,0}{E}_{Z,1}{E}_{\mathrm{ph}}$, where ${E}_{Z,0}$, ${E}_{Z,1}$ and ${E}_{\mathrm{ph}}$ are the failure probabilities associated to the estimation of ${m}_{0}^{{\rm{L}}}$, ${m}_{1}^{{\rm{L}}}$ and to the upper bound on the number of the phase errors ${N}_{\mathrm{ph}}^{{\rm{U}}}$, respectively.

In this section, we briefly describe the estimation procedure to obtain ${m}_{0}^{{\rm{L}}}$ and ${m}_{1}^{{\rm{L}}}$. Also, we provide an expression for ${N}_{\mathrm{ph}}^{{\rm{U}}}$. The detailed calculations are included in appendix D.

As mentioned in section 2.2, we assume that the phase of each pulse generated by the laser is perfectly randomized. This means, in particular, that we can regard the signals sent by Alice as a classical mixture of Fock states, each of them representing the total number of photons contained both in the signal and in the reference pulse. That is, the probability that Alice emits a pulse with n photons conditioned on the fact that she selects the intensity setting $k\in K$ is written as

$$\begin{eqnarray}&&p(n| k)={{\rm{e}}}^{-k}\displaystyle \frac{{k}^{n}}{n!}.\end{eqnarray} \tag{ 3 }$$

Also, from the property of the decoy state method we have that the total number of detection events when both Alice and Bob use the Z basis is given by

$$\begin{eqnarray}&&| {Z}_{\mathrm{tot}}| := \displaystyle \sum _{k\in K}| {Z}_{k}| =\displaystyle \sum _{n=0}^{\infty }\;{S}_{Z,n},\end{eqnarray} \tag{ 4 }$$

where ${S}_{Z,n}$ represents the number of detection events when Alice and Bob used the Z basis and Alice emitted an n-photon state.

4.1. Estimation of the number of vacuum and single-photon contributions for the exact intensity control case

We consider first the scenario without intensity fluctuations in the source, i.e., when $k={k}^{-}={k}^{+}$.

Owing to the use of decoy-states [16–18], it can be shown that Eve cannot obtain any useful information about Alice's intensity choice if she observes an n-photon state in the quantum channel. Therefore, it can be demonstrated that the actual protocol, where Alice chooses the intensity of each signal before she actually sends it to Bob, is equivalent to a counterfactual protocol described as follows. First, Alice prepares and sends n-photon states to Bob. Then, Bob measures all the signals received from Alice. Afterwards, Alice decides the intensity setting for each signal. Due to this equivalence between the actual and the counterfactual protocols, we have that the number of detection events $| {Z}_{k}|$ for setting $k\in K$ within $| {Z}_{\mathrm{tot}}|$ has the form

$$\begin{eqnarray}&&| {Z}_{k}| =\langle {Z}_{k}\rangle +{\delta }_{k},\end{eqnarray} \tag{ 5 }$$

except with certain error probability that will be introduced later on, and where $\langle {Z}_{k}\rangle$ denotes the mean value of $| {Z}_{k}|$ given by

$$\begin{eqnarray}&&\langle {Z}_{k}\rangle =\displaystyle \sum _{n=0}^{\infty }\;p(k| n){S}_{Z,n}.\end{eqnarray} \tag{ 6 }$$

Here, $p(k| n)$ is the conditional probability of choosing the intensity k given that Alice prepared a n-photon state. The parameter ${\delta }_{k}$ that appears in equation (5) denotes the deviation between the experimentally obtained quantity $| {Z}_{k}|$ and its expected value. The convergence of ${\delta }_{k}$ is discussed in appendix B.

4.1.1. Estimation of the number of vacuum contributions

At first, we calculate a lower bound on m₀, the number of events in ${Z}_{{k}_{{\rm{s}}}}$ that originate from a vacuum state sent by Alice. We define the mean value of m₀ as ${\mu }_{0}=p({k}_{{\rm{s}}}| 0){S}_{Z,0}$. Now, by applying lemma 1 from appendix B we obtain that

$$\begin{eqnarray}&&{m}_{0}\geqslant {\mu }_{0}-{{\rm{\Delta }}}_{Z,0},\end{eqnarray} \tag{ 7 }$$

except with certain error probability ${\epsilon }_{Z,0}$, where the deviation ${{\rm{\Delta }}}_{Z,0}$ is given by ${{\rm{\Delta }}}_{Z,0}={g}_{{\rm{C}}}({\mu }_{0},{\epsilon }_{Z,0})$ with ${g}_{{\rm{C}}}(x,y)=\sqrt{2x\mathrm{ln}1/y}$. So far, the lower bound on m₀ depends on the unknown mean value ${\mu }_{0}$ which cannot be directly observed in the experiment. According to the definition of ${\mu }_{0}$, however, this problem can be solved by estimating a lower bound on ${S}_{Z,0}$. For this, we use a result from [8]. In particular, we have that

$$\begin{eqnarray}&&{S}_{Z,0}\geqslant \displaystyle \frac{p(0)}{{k}_{{\rm{d}}1}-{k}_{{\rm{d}}2}}\left(\displaystyle \frac{{k}_{{\rm{d}}1}{{\rm{e}}}^{{k}_{{\rm{d}}2}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}{{\rm{e}}}^{{k}_{{\rm{d}}1}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle \right)\;=:\;{S}_{Z,0}^{{\rm{L}}},\end{eqnarray} \tag{ 8 }$$

where $p(0)={\displaystyle \sum }_{k\in K}{p}_{k}p(0| k)$. To estimate the mean values $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$, we can employ either lemmas 2 or 3 introduced in appendix B, such that the fluctuation is minimized. In so doing, we obtain a lower bound on $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ together with an upper bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ given by

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}2}}^{-}\rangle := | {Z}_{{k}_{{\rm{d}}2}}| -\mathrm{min}\left\{{g}_{{\rm{M}}}\left(| {Z}_{k{\rm{d}}2}| ,{({\epsilon }_{Z,0}^{{k}_{{\rm{d}}2}})}^{3/2}\right),{g}_{{\rm{H}}}(| {Z}_{\mathrm{tot}}| ,{\epsilon }_{Z,0}^{{k}_{{\rm{d}}2}})\right\},\end{eqnarray} \tag{ 9 }$$

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}1}}^{+}\rangle := | {Z}_{{k}_{{\rm{d}}1}}| +\mathrm{min}\left\{{g}_{{\rm{M}}}\left(| {Z}_{k{\rm{d}}1}| ,{({\epsilon }_{Z,0}^{{k}_{{\rm{d}}1}})}^{4}/16\right),{g}_{{\rm{H}}}(| {Z}_{\mathrm{tot}}| ,{\epsilon }_{Z,0}^{{k}_{{\rm{d}}1}})\right\},\end{eqnarray} \tag{ 10 }$$

where ${g}_{{\rm{M}}}(x,y)=\sqrt{2x\mathrm{ln}1/y}$ and ${g}_{{\rm{H}}}(x,y)=\sqrt{x/2\mathrm{ln}1/y}$. The failure probability associated with the estimation of $\langle {Z}_{k}\rangle$, with $k\in \{{k}_{{\rm{d}}1},{k}_{{\rm{d}}2}\}$, is either given by ${\varepsilon }_{Z,0}^{k}={\epsilon }_{Z,0}^{k}$ or by ${\varepsilon }_{Z,0}^{k}={\epsilon }_{Z,0}^{k}+{\epsilon }_{{\rm{H}},Z,0}^{k}$, depending on which lemmas (2 or 3) we use. As a result we find that

$$\begin{eqnarray}&&{\mu }_{0}\geqslant p({k}_{{\rm{s}}}| 0){S}_{Z,0}^{{\rm{L}}}\geqslant \displaystyle \frac{{p}_{{k}_{{\rm{s}}}}{{\rm{e}}}^{-{k}_{{\rm{s}}}}}{{k}_{{\rm{d}}1}-{k}_{{\rm{d}}2}}\left(\displaystyle \frac{{k}_{{\rm{d}}1}{{\rm{e}}}^{{k}_{{\rm{d}}2}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}^{-}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}{{\rm{e}}}^{{k}_{{\rm{d}}1}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}^{+}\rangle \right)\;=:\;{\mu }_{0}^{{\rm{L}}},\end{eqnarray} \tag{ 11 }$$

which only depends on known parameters. Note that in equation (11) we have used the fact that $p({k}_{{\rm{s}}}| 0)={p}_{{k}_{{\rm{s}}}}p(0| {k}_{{\rm{s}}})/p(0)={p}_{{k}_{{\rm{s}}}}{{\rm{e}}}^{-{k}_{{\rm{s}}}}/p(0)$ in combination with equation (8). We finally obtain, therefore, that

$$\begin{eqnarray}&&{m}_{0}\geqslant {\mu }_{0}^{{\rm{L}}}-{{\rm{\Delta }}}_{Z,0}\;=:\;{m}_{0}^{{\rm{L}}},\end{eqnarray} \tag{ 12 }$$

except with error probability ${\varepsilon }_{Z,0}={\epsilon }_{Z,0}+{\varepsilon }_{Z,0}^{{k}_{{\rm{d}}1}}+{\varepsilon }_{Z,0}^{{k}_{{\rm{d}}2}}$.

4.1.2. Estimation of the number of single-photon contributions

Here, we calculate a lower bound on the number of single-photon pulses sent by Alice that contribute to ${Z}_{{k}_{{\rm{s}}}}$. For this, we use a similar technique to the one described in the previous section. In particular, let ${\mu }_{1}$ be the mean value of m₁, which is given by ${\mu }_{1}=p({k}_{{\rm{s}}}| 1){S}_{Z,1}$. Then we have that

$$\begin{eqnarray}&&{m}_{1}\geqslant {\mu }_{1}-{{\rm{\Delta }}}_{Z,1},\end{eqnarray} \tag{ 13 }$$

except with error probability ${\epsilon }_{Z,1}$, where ${{\rm{\Delta }}}_{Z,1}={g}_{{\rm{C}}}({\mu }_{1},{\epsilon }_{Z,1})$. From [8], we have that

$$\begin{eqnarray}{S}_{Z,1} & \geqslant & \displaystyle \frac{p(1){k}_{{\rm{s}}}}{({k}_{{\rm{d}}1}-{k}_{{\rm{d}}2})({k}_{{\rm{s}}}-{k}_{{\rm{d}}1}-{k}_{{\rm{d}}2})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \right.\\ & & +\left.\displaystyle \frac{{k}_{{\rm{d}}1}^{2}-{k}_{{\rm{d}}2}^{2}}{{k}_{{\rm{s}}}^{2}}\left(\displaystyle \frac{{S}_{Z,0}^{{\rm{L}}}}{p(0)}-\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}}\langle {Z}_{{k}_{s}}\rangle }{{p}_{{k}_{{\rm{s}}}}}\right)\right]\;=:\;{S}_{Z,1}^{{\rm{L}}},\end{eqnarray} \tag{ 14 }$$

where $p(1)={\displaystyle \sum }_{k\in K}{p}_{k}p(1| k)$. As before, by using lemmas 2 and 3 from appendix B we obtain a lower bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$, and an upper bound on $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ and $\langle {Z}_{{k}_{{\rm{s}}}}\rangle$. They are given by

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}1}}^{-}\rangle := | {Z}_{{k}_{{\rm{d}}1}}| -\mathrm{min}\left\{{g}_{{\rm{M}}}\left(| {Z}_{k{\rm{d}}1}| ,{({\epsilon }_{Z,1}^{{k}_{{\rm{d}}1}})}^{3/2}\right),{g}_{{\rm{H}}}(| {Z}_{\mathrm{tot}}| ,{\epsilon }_{Z,1}^{{k}_{{\rm{d}}1}})\right\},\end{eqnarray} \tag{ 15 }$$

$$\begin{eqnarray}&&\langle {Z}_{k}^{+}\rangle := | {Z}_{k}| +\mathrm{min}\left\{{g}_{{\rm{M}}}\left(| {Z}_{k}| ,{({\epsilon }_{Z,1}^{k})}^{4}/16\right),{g}_{{\rm{H}}}(| {Z}_{\mathrm{tot}}| ,{\epsilon }_{Z,1}^{k})\right\},\end{eqnarray} \tag{ 16 }$$

where the second equality holds for $k\in \{{k}_{{\rm{s}}},{k}_{{\rm{d}}2}\}$. The failure probability associated with the estimation of $\langle {Z}_{k}\rangle$ (with $k\in K$) is either given by ${\varepsilon }_{Z,1}^{k}={\epsilon }_{Z,1}^{k}$ or by ${\varepsilon }_{Z,1}^{k}={\epsilon }_{Z,1}^{k}+{\epsilon }_{{\rm{H}},Z,1}^{k}$, depending again on which lemma (2 or 3) we apply. By employing the relation $p({k}_{{\rm{s}}}| 1)={p}_{{k}_{{\rm{s}}}}p(1| {k}_{{\rm{s}}})/p(1)={p}_{{k}_{{\rm{s}}}}{k}_{{\rm{s}}}{{\rm{e}}}^{-{k}_{{\rm{s}}}}/p(1)$, we obtain a lower bound on ${\mu }_{1}$, which only depends on known parameters

$$\begin{eqnarray}{\mu }_{1} & \geqslant & p({k}_{{\rm{s}}}| 1){S}_{Z,1}^{{\rm{L}}}\\ & \geqslant & \displaystyle \frac{{p}_{{k}_{{\rm{s}}}}{k}_{{\rm{s}}}^{2}{{\rm{e}}}^{-{k}_{{\rm{s}}}}}{({k}_{{\rm{d}}1}-{k}_{{\rm{d}}2})({k}_{{\rm{s}}}-{k}_{{\rm{d}}1}-{k}_{{\rm{d}}2})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}^{-}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}^{+}\rangle \right.\\ & & +\left.\displaystyle \frac{{k}_{{\rm{d}}1}^{2}-{k}_{{\rm{d}}2}^{2}}{{k}_{{\rm{s}}}^{2}}\left(\displaystyle \frac{{\mu }_{0}^{{\rm{L}}}}{p({k}_{{\rm{s}}}\;\wedge \;0)}-\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}}\langle {Z}_{{k}_{{\rm{s}}}}^{+}\rangle }{{p}_{{k}_{{\rm{s}}}}}\right)\right]\;=:\;{\mu }_{1}^{L}.\end{eqnarray} \tag{ 17 }$$

Therefore, we have that

$$\begin{eqnarray}&&{m}_{1}\geqslant {\mu }_{1}^{{\rm{L}}}-{{\rm{\Delta }}}_{Z,1}\;=:\;{m}_{1}^{{\rm{L}}},\end{eqnarray} \tag{ 18 }$$

except with error probability ${\varepsilon }_{Z,1}={\displaystyle \sum }_{n=0}^{1}({\varepsilon }_{Z,n}^{{k}_{{\rm{d}}1}}+{\varepsilon }_{Z,n}^{{k}_{{\rm{d}}2}})+{\epsilon }_{Z,1}+{\varepsilon }_{Z,1}^{{k}_{{\rm{s}}}}$, where the parameters ${\varepsilon }_{Z,0}^{{k}_{{\rm{d}}1}}$ and ${\varepsilon }_{Z,0}^{{k}_{{\rm{d}}2}}$ come from the estimation of ${\mu }_{0}^{{\rm{L}}}$.

4.2. Estimation of the number of vacuum and single-photon contributions for the intensity-fluctuation case

We now evaluate the scenario where the laser suffers from intensity fluctuations. As introduced above, here we shall assume that Alice only knows the range $[{k}^{-},{k}^{+}]$ where the intensity value k lies. Below we introduce the final expressions for the different parameters; the detailed derivations are referred to appendix C.

4.2.1. Estimation of the number of vacuum contributions

Here, we present the result for the estimation of the lower bound on ${T}_{Z,0}$. Here, ${T}_{Z,0}$ is the sum of the conditional probability that Bob detects a signal in the Z basis conditioned that Alice chooses the signal intensity and sends a vacuum state in the Z basis (see equation (60)). It is given by

$$\begin{eqnarray}&&{T}_{Z,0}\geqslant \displaystyle \frac{1}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left(\displaystyle \frac{{k}_{{\rm{d}}1}^{-}{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}^{+}{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle \right)\;=:\;{T}_{Z,0}^{{\rm{L}}}.\end{eqnarray} \tag{ 19 }$$

To calculate the mean values $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ we employ Azuma's inequality, which is described in Lemma 4 (see appendix B). Importantly, note that this inequality holds without assuming independence of the trials. As a result, we obtain a lower bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ together with an upper bound on $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$. They are given by

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}2}}^{-}\rangle := | {Z}_{{k}_{{\rm{d}}2}}| -{g}_{{\rm{A}}}({N}_{z},{\epsilon }_{Z,0}^{{k}_{{\rm{d}}2}}),\end{eqnarray} \tag{ 20 }$$

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}1}}^{+}\rangle := | {Z}_{{k}_{{\rm{d}}1}}| +{g}_{{\rm{A}}}({N}_{z},{\epsilon }_{Z,0}^{{k}_{{\rm{d}}1}}),\end{eqnarray} \tag{ 21 }$$

where ${g}_{{\rm{A}}}(x,y)=\sqrt{2x\mathrm{ln}(1/y)}$, and N_z is the number of events where Alice and Bob use the Z basis within N trials.

In so doing, we find a lower bound on ${\mu }_{0}$ that only depends on parameters that are directly observed in the experiment. It has the form

$$\begin{eqnarray}&&{\mu }_{0}\geqslant {p}^{-}({k}_{{\rm{s}}}\;\wedge \;0){T}_{Z,0}^{{\rm{L}}}\geqslant \displaystyle \frac{{p}_{{k}_{{\rm{s}}}}{{\rm{e}}}^{-{k}_{{\rm{s}}}^{+}}}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left(\displaystyle \frac{{k}_{{\rm{d}}1}^{-}{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}^{-}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}^{+}{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}^{+}\rangle \right)=:{\mu }_{0}^{{\rm{L}}},\end{eqnarray} \tag{ 22 }$$

where the ${p}^{-}({k}_{{\rm{s}}}\;\wedge \;0)$ is a lower bound on $p({k}_{{\rm{s}}}\;\wedge \;0)$.

Finally, we obtain a lower bound on m₀ which is given by

$$\begin{eqnarray}&&{m}_{0}\geqslant {\mu }_{0}^{{\rm{L}}}-{{\rm{\Delta }}}_{Z,0}\;=:\;{m}_{0}^{{\rm{L}}},\end{eqnarray} \tag{ 23 }$$

except with error probability ${\varepsilon }_{Z,0}={\epsilon }_{Z,0}+{\epsilon }_{Z,0}^{{k}_{{\rm{d}}1}}+{\epsilon }_{Z,0}^{{k}_{{\rm{d}}2}}$.

4.2.2. Estimation of the number of single-photon contributions

Here, we introduce a lower bound on ${T}_{Z,1}$. Here, ${T}_{Z,1}$ is the sum of the conditional probability that Bob detects a signal in the Z basis conditioned that Alice chooses the signal intensity and sends a single-photon state in the Z basis (see equation (69)).

It is given by

$$\begin{eqnarray}{T}_{Z,1} & \geqslant & \displaystyle \frac{{k}_{{\rm{s}}}^{-}}{({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})({k}_{{\rm{s}}}^{-}-{k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \right.\\ & & -\left.\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{2}-{({k}_{{\rm{d}}2}^{-})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{s}}\rangle -{T}_{Z,0}^{{\rm{L}}}\right)\right]=:{T}_{Z,1}^{{\rm{L}}}.\end{eqnarray} \tag{ 24 }$$

Again, to estimate the mean values $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle ,\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ and $\langle {Z}_{{k}_{{\rm{s}}}}\rangle$ we employ lemma 4. This way we obtain a lower bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and an upper bound on $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ and $\langle {Z}_{{k}_{{\rm{s}}}}\rangle$ as

$$\begin{eqnarray}&&\langle {Z}_{{k}_{{\rm{d}}1}}^{-}\rangle := | {Z}_{{k}_{{\rm{d}}1}}| -{g}_{{\rm{A}}}({N}_{z},{\epsilon }_{Z,1}^{{k}_{{\rm{d}}1}}),\end{eqnarray} \tag{ 25 }$$

$$\begin{eqnarray}&&\langle {Z}_{k}^{+}\rangle := | {Z}_{k}| +{g}_{{\rm{A}}}({N}_{z},{\epsilon }_{Z,1}^{k}),\end{eqnarray} \tag{ 26 }$$

where the second equality holds for $k\in \{{k}_{{\rm{s}}},{k}_{{\rm{d}}2}\}$.

Hence, a lower bound on ${\mu }_{1}$ can be directly written as

$$\begin{eqnarray}{\mu }_{1} & \geqslant & {p}^{-}({k}_{{\rm{s}}}\;\wedge \;1){T}_{Z,1}^{{\rm{L}}}\\ & \geqslant & \displaystyle \frac{{p}_{{k}_{{\rm{s}}}}{{\rm{e}}}^{-{k}_{{\rm{s}}}^{-}}{({k}_{{\rm{s}}}^{-})}^{2}}{({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})({k}_{{\rm{s}}}^{-}-{k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}^{-}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}^{+}\rangle \right.\\ & & -\left.\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{2}-{({k}_{{\rm{d}}2}^{-})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{{\rm{s}}}}^{+}\rangle -\displaystyle \frac{{\mu }_{0}^{{\rm{L}}}}{{p}^{-}({k}_{{\rm{s}}}\;\wedge \;0)}\right)\right]=:{\mu }_{1}^{{\rm{L}}},\end{eqnarray} \tag{ 27 }$$

where ${p}^{-}({k}_{{\rm{s}}}\;\wedge \;1)$ is a lower bound on $p({k}_{{\rm{s}}}\;\wedge \;1)$.

Finally, we obtain ${m}_{1}^{{\rm{L}}}$ as

$$\begin{eqnarray}&&{m}_{1}\geqslant {\mu }_{1}^{{\rm{L}}}-{{\rm{\Delta }}}_{Z,1}\;=:\;{m}_{1}^{{\rm{L}}},\end{eqnarray} \tag{ 28 }$$

except with error probability ${\varepsilon }_{Z,1}={\displaystyle \sum }_{n=0}^{1}({\epsilon }_{Z,n}^{{k}_{{\rm{d}}1}}+{\epsilon }_{Z,n}^{{k}_{{\rm{d}}2}})+{\epsilon }_{Z,1}+{\epsilon }_{Z,1}^{{k}_{{\rm{s}}}}$.

4.3. Estimation of the number of phase errors

In this section we present an upper bound on ${N}_{\mathrm{ph}}$, which is the number of phase errors in the single-photon emissions within the set ${Z}_{{k}_{{\rm{s}}}}$. As already mentioned in section 2.1, the states sent by Alice are given by equation (1), and we assume that the distribution $p({\rm{\Delta }}{\theta }_{{\rm{A}}})$ is known to Alice. We denote the single-photon part of equation (1) as $\rho ({\theta }_{{\rm{A}}})$. Note that from equation (1) the state $\rho ({\theta }_{{\rm{A}}})$ can be written as $\rho ({\theta }_{{\rm{A}}})={\displaystyle \int }_{0}^{2\pi }p({\rm{\Delta }}{\theta }_{{\rm{A}}})P[({| 1\rangle }_{{\rm{r}}}{| 0\rangle }_{{\rm{s}}}+\gamma {{\rm{e}}}^{{\rm{i}}({\theta }_{{\rm{A}}}+{\rm{\Delta }}{\theta }_{{\rm{A}}})}{| 0\rangle }_{{\rm{r}}}{| 1\rangle }_{{\rm{s}}})/\sqrt{1+{\gamma }^{2}}]{\rm{d}}{\rm{\Delta }}{\theta }_{{\rm{A}}}$, where the parameter $\gamma =\sqrt{{k}^{\mathrm{sig}}/{k}^{\mathrm{ref}}}$ and the state ${| n\rangle }_{{\rm{r}}({\rm{s}})}$ denotes an n-photon number state of the reference (signal) pulse. The state $\rho ({\theta }_{{\rm{A}}})$ can be expressed as a function of the Pauli operators as follows:

$$\begin{eqnarray}\rho ({\theta }_{{\rm{A}}}) & = & {\displaystyle \int }_{0}^{2\pi }p({\rm{\Delta }}{\theta }_{{\rm{A}}})\displaystyle \frac{1}{2}\left[{\sigma }_{I}+\displaystyle \frac{2\gamma }{1+{\gamma }^{2}}\left(\mathrm{cos}({\theta }_{{\rm{A}}}+{\rm{\Delta }}{\theta }_{{\rm{A}}}){\sigma }_{Z}+\mathrm{sin}({\theta }_{{\rm{A}}}+{\rm{\Delta }}{\theta }_{{\rm{A}}}){\sigma }_{X}\right)\right.\\ & & +\left.\displaystyle \frac{1-{\gamma }^{2}}{1+{\gamma }^{2}}{\sigma }_{Y}\right]{\rm{d}}{\rm{\Delta }}{\theta }_{{\rm{A}}}.\end{eqnarray} \tag{ 29 }$$

Here we define the eigenvectors of the Pauli operators ${\sigma }_{Y},{\sigma }_{Z}$ and ${\sigma }_{X}$ as: $| {0}_{y}\rangle ={| 1\rangle }_{{\rm{r}}}{| 0\rangle }_{{\rm{s}}},| {1}_{y}\rangle ={| 0\rangle }_{{\rm{r}}}{| 1\rangle }_{{\rm{s}}}$, $| {0}_{z}\rangle =(| {0}_{y}\rangle +| {1}_{y}\rangle )/\sqrt{2},| {1}_{z}\rangle =(-i| {0}_{y}\rangle +i| {1}_{y}\rangle )/\sqrt{2}$ and $| {i}_{x}\rangle =(| {0}_{z}\rangle +{(-1)}^{i}| {1}_{z}\rangle )/\sqrt{2}$ with $i\in \{0,1\}$.

With this notation, the single-photon part of the three states sent by Alice can be expressed as ${\rho }_{0z}=\rho (0)$, ${\rho }_{1z}=\rho (\pi )$ and ${\rho }_{0x}=\rho (\pi /2)$. Let ${\rho }_{S}=({\sigma }_{I}+\vec{\sigma }\cdot {\vec{V}}_{S})/2$, where $\vec{\sigma }=[{\sigma }_{X},{\sigma }_{Y},{\sigma }_{Z}]$ and the Bloch vector ${\vec{V}}_{S}=[{V}_{X}^{S},{V}_{Y},{V}_{Z}^{S}]$ is a real three-dimensional vector that satisfies $| {\vec{V}}_{S}| \leqslant 1$ with $S\in \{0z,1z,0x\}$. From [21] we have that if ${V}_{Y}\ne 0$ the phase error rate of ${\rho }_{0z}$ and ${\rho }_{1z}$ is equivalent to that obtained after the application of the following filter operation¹⁰ ,

$$\begin{eqnarray}&&{F}_{Y}=\sqrt{1-{V}_{Y}}P[| {0}_{y}\rangle ]+\sqrt{1+{V}_{Y}}P[| {1}_{y}\rangle ].\end{eqnarray} \tag{ 30 }$$

Note that the success probability $p=1-{V}_{Y}^{2}$ of this filter operation is the same for all the states that have the same V_Y. This means, in particular, that we can restrict ourselves to the estimation of the phase error rate of the states ${\tilde{\rho }}_{S}$ which lie in the ${\sigma }_{X}$–${\sigma }_{Z}$ plane

$$\begin{eqnarray}&&{\tilde{\rho }}_{S}:= \displaystyle \frac{{F}_{Y}{\rho }_{S}{F}_{Y}^{\dagger }}{\mathrm{Tr}[{F}_{Y}^{\dagger }{F}_{Y}{\rho }_{S}]}=\displaystyle \frac{({\sigma }_{I}+{r}_{x}^{S}{\sigma }_{X}+{r}_{z}^{S}{\sigma }_{Z})}{2},\end{eqnarray} \tag{ 31 }$$

where the parameters r^S_x and r^S_z are given by ${r}_{x}^{S}={V}_{X}^{S}f({V}_{Y})$ and ${r}_{z}^{S}={V}_{Z}^{S}f({V}_{Y})$ with $f({V}_{Y})=1/\sqrt{1-{V}_{Y}^{2}}$. The states ${\tilde{\rho }}_{S}$ given by equation (31) can also be decomposed as

$$\begin{eqnarray}&&{\tilde{\rho }}_{S}={P}_{0}^{S}P[| {\phi }_{0}^{S}\rangle ]+{P}_{1}^{S}P[| {\phi }_{1}^{S}\rangle ],\end{eqnarray} \tag{ 32 }$$

where the probabilities P^S_i have the form

$$\begin{eqnarray}&&{P}_{i}^{S}=\displaystyle \frac{1}{2}\left(1-{(-1)}^{i}\sqrt{{({r}_{x}^{S})}^{2}+{({r}_{z}^{S})}^{2}}\right),\end{eqnarray} \tag{ 33 }$$

and the eigenvectors $| {\phi }_{i}^{S}\rangle$ are given by

$$\begin{eqnarray}| {\phi }_{i}^{S}\rangle =\left\{\begin{array}{ll}\displaystyle \frac{1}{{\mathcal{N}}}\left(\displaystyle \frac{{r}_{z}^{S}-{(-1)}^{i}\sqrt{{({r}_{x}^{S})}^{2}+{({r}_{z}^{S})}^{2}}}{{r}_{x}^{S}}| {0}_{z}\rangle +| {1}_{z}\rangle \right) & ({r}_{x}^{S}\ne 0)\\ | {i}_{z}\rangle & ({r}_{x}^{S}=0\;\wedge \;{r}_{z}^{S}\lt 0)\\ | i\oplus {1}_{z}\rangle & ({r}_{x}^{S}=0\;\wedge \;{r}_{z}^{S}\gt 0),\end{array}\right.\end{eqnarray} \tag{ 34 }$$

$$\begin{eqnarray}&&=:\;{a}_{i}^{S}| {0}_{z}\rangle +{b}_{i}^{S}| {1}_{z}\rangle ,\end{eqnarray} \tag{ 35 }$$

for $i\in \{0,1\}$, and where ${\mathcal{N}}$ is the normalization factor of the state.

After some lengthy calculations (see appendix D for details), we obtain that ${N}_{\mathrm{ph}}$ is upper bounded by

$$\begin{eqnarray}{N}_{\mathrm{ph}} & \leqslant & \displaystyle \sum _{s=0}^{1}\;\displaystyle \frac{P(s+1)}{2\{1+{(-1)}^{s}(\sqrt{{P}_{0}^{0z}{P}_{0}^{1z}}\left\langle{\phi }_{0}^{0z}| {\phi }_{0}^{1z}\right\rangle+\sqrt{{P}_{1}^{0z}{P}_{1}^{1z}}\left\langle{\phi }_{1}^{0z}| {\phi }_{1}^{1z}\right\rangle)\}}\left[{N}_{{M}_{{Xs}}}(3)+{N}_{{M}_{{Xs}}}(4)\right.\\ & & +\left.{(-1)}^{s}\displaystyle \sum _{t=0}^{1}\sqrt{{P}_{t}^{0z}{P}_{t}^{1z}}\left\{{C}_{t,0}{N}_{{M}_{{Xs}}}(3)+{C}_{t,1}{N}_{{M}_{{Xs}}}(4)+{C}_{t,2}{N}_{{M}_{{Xs}}}(5)\right\}\right]+{{\rm{\Delta }}}_{{\rm{A}},s+1}^{s\oplus 1}\\ & =: & {N}_{\mathrm{ph}}^{{\rm{U}}},\end{eqnarray} \tag{ 36 }$$

except with error probability ${\varepsilon }_{\mathrm{ph}}$. Here, the terms ${N}_{{M}_{{Xs}}}(j)$ with $j\in \{3,4,5\}$ are defined in equations (96)–(98); the quantities P(1) and P(2) are given by equation (81); the parameters ${C}_{t,l}$ have the form ${C}_{t,l}:= ({a}_{t}^{0z}{a}_{t}^{1z}+{b}_{t}^{0z}{b}_{t}^{1z}){A}_{0,l}^{-1}+({a}_{t}^{0z}{b}_{t}^{1z}+{b}_{t}^{0z}{a}_{t}^{1z}){A}_{1,l}^{-1}+({a}_{t}^{0z}{a}_{t}^{1z}-{b}_{t}^{0z}{b}_{t}^{1z}){A}_{2,l}^{-1}$ for $l\in \{0,1,2\}$; the coefficients ${A}_{i,j}^{-1}$ are the (i, j) element of the following matrix

$$\begin{eqnarray}{A}^{-1}:= \displaystyle \frac{2}{Q}\left(\begin{array}{ccc}{r}_{x}^{1z}{r}_{z}^{0x}-{r}_{x}^{0x}{r}_{z}^{1z} & {r}_{x}^{0x}{r}_{z}^{0z}-{r}_{x}^{0z}{r}_{z}^{0x} & {r}_{x}^{0z}{r}_{z}^{1z}-{r}_{x}^{1z}{r}_{z}^{0z}\\ {r}_{z}^{1z}-{r}_{z}^{0x} & {r}_{z}^{0x}-{r}_{z}^{0z} & {r}_{z}^{0z}-{r}_{z}^{1z}\\ {r}_{x}^{0x}-{r}_{x}^{1z} & {r}_{x}^{0z}-{r}_{x}^{0x} & {r}_{x}^{0z}-{r}_{x}^{0x}\end{array}\right),\end{eqnarray} \tag{ 37 }$$

where $Q:= {r}_{x}^{1z}({r}_{z}^{0x}-{r}_{z}^{0z})+{r}_{x}^{0x}({r}_{z}^{0z}-{r}_{z}^{1z})+{r}_{x}^{0z}({r}_{z}^{1z}-{r}_{z}^{0x})$; and the fluctuation term ${{\rm{\Delta }}}_{{\rm{A}},s+1}^{s\oplus 1}$ is given by equation (95).

In this section, we show the simulation result for a fibre-based QKD system. Alice chooses the intensity of the laser from the set $\{{k}_{{\rm{s}}},{k}_{{\rm{d}}1},{k}_{{\rm{d}}2}\}$, where we fix the intensity of the weakest decoy state to ${k}_{{\rm{d}}2}=2\times {10}^{-4}$. This is so because, in practice, it is difficult to generate a vacuum state due to the imperfect extinction of the amplitude modulator. Also, we assume that Bob uses an active measurement setup with two single-photon detectors with detection efficiency ${\eta }_{\mathrm{det}}=15\%$ and a dark count probability ${p}_{{\rm{d}}}=5\times {10}^{-7}$. The attenuation coefficient of the optical fibre is 0.2 dB km⁻¹ and its transmittance is ${\eta }_{\mathrm{ch}}={10}^{-0.2D/10}$ with D denoting the fibre length. The overall misalignment error of the optical system is fixed to be ${e}_{\mathrm{mis}}=1\%$. In addition, we assume an error correction leakage ${\lambda }_{\mathrm{EC}}={f}_{\mathrm{EC}}| {Z}_{{k}_{{\rm{s}}}}| h({e}_{z})$, where e_z is the bit error rate of the sifted key $({Z}_{{\rm{A}}},{Z}_{{\rm{B}}})$. Moreover, for simplicity, we consider that the error correction efficiency of the protocol is a constant number ${f}_{\mathrm{EC}}$=1.16 which does not depend on the size of ${Z}_{{k}_{{\rm{s}}}}$. For simplicity, we model the imperfection of Alice's (Bob's) phase modulator as ${\rm{\Delta }}{\theta }_{{\rm{A}}}=\xi {\theta }_{{\rm{A}}}/\pi$ (${\rm{\Delta }}{\theta }_{{\rm{B}}}=-{\rm{\Delta }}{\theta }_{{\rm{A}}}$). Also, we consider that the intensity fluctuation of the laser source lies in the interval $[{k}^{-},{k}^{+}]$ with ${k}^{-}=(1-r)k$ and ${k}^{+}=(1+r)k$ for a fixed value r.

In these conditions, we simulate the secret key generation rate $R={\ell }/N$ for a fixed value of the correctness coefficient ${\epsilon }_{{\rm{c}}}={10}^{-15}$. For this, we perform a numerical optimization of the resulting secure key rate over the free parameters ${p}_{z},{p}_{{k}_{{\rm{s}}}},{p}_{{k}_{{\rm{d}}1}},{k}_{{\rm{s}}}$ and ${k}_{{\rm{d}}1}$.

5.1. Key generation rate for the exact intensity control case

The resulting secret key rate for this scenario, i.e. when r = 0, is shown in figure 2. The security parameter is ${\epsilon }_{\mathrm{sec}}={10}^{-10}$ and the total number of signals sent by Alice is $N={10}^{s}$ with $s=9,10,11$ and 12. We consider two possible cases: $\xi =0$ (i.e., the perfect encoding case) and $\xi =0.147$, which is equivalent to a phase modulation error of $8.42^\circ$. For comparison, figure 2 also includes the asymptotic secret key rate (i.e., the key rate in the limit of infinitely large keys) with two decoy settings.

Zoom In Zoom Out Reset image size

As a result, we find that the effect of state preparation flaws on the key generation rate is almost negligible. Also, we have that if the total number of signals sent by Alice is about $N={10}^{12}$, Alice and Bob can exchange secret keys over 150 km both when $\xi =0$ and $\xi =0,147$.

Finally, figure 3 shows the postprocessing block size $| {Z}_{{k}_{{\rm{s}}}}|$ which is the length of the bit string to be processed in error correction and privacy amplification as a function of the distance when $N={10}^{s}$ with $s=9,10,11$ and 12. This value is an essential parameter in actual experiments, as it gives us the length of the bit strings needed for the classical post-processing step of the protocol. As shown in figure 3, the size of $| {Z}_{{k}_{{\rm{s}}}}|$ decreases linearly in logarithmic scale with the distance because the successful detection probability decreases exponentially with the distance.

Zoom In Zoom Out Reset image size

5.2. Key generation rate for the intensity-fluctuation case

In this section we evaluate the resulting secret key rate when the laser source suffers from intensity fluctuations. We study two cases: r = 0.02 and r = 0.05, where r is the deviation rate from the expected value of the intensity. The results are shown in figures 4 and 6. Here we consider that $N=\{{10}^{14},{10}^{15}\}$, and the term ξ takes again the values $\xi =0$ and $\xi =0.147$. The security parameter is ${\epsilon }_{\mathrm{sec}}={10}^{-10}$ in figure 4 and ${\epsilon }_{\mathrm{sec}}={10}^{-8}$ in figure 6.

Zoom In Zoom Out Reset image size

For comparison, these two figures also show the asymptotic secret key rate when Alice and Bob use two decoy settings. In this asymptotic case, we find that the degradation on the achievable key rate, when compared to the scenario r = 0, is only about 10 km (20 km) when r = 0.02 (r = 0.05).

In the finite-key regime, however, we obtain that the presence of intensity fluctuations seems to strongly limit the key generation rate if Alice and Bob do not know their probability distribution but only know the interval where the fluctuations lie in. For instance, when $N={10}^{11}$ and r = 0 (see figure 2) Alice and Bob can distribute a secret key over more than 100 km. However, to achieve a similar secret key rate performance when the intensity fluctuation of the source is 2% (i.e., the parameter r = 0.02) they need to exchange about $N={10}^{15}$ signals. The main technical reason for this behaviour seems to be the fact that Azuma's inequality [36] has a relatively slow convergence speed when compared to the Chernoff bound [34] and the Multiplicative Chernoff bound [13].

As a side remark, let us mention that when r = 0.05 and $N={10}^{14}$ we find that the achievable secret key rate is basically zero unless we increase the security parameter ${\epsilon }_{\mathrm{sec}}$ from ${\epsilon }_{\mathrm{sec}}={10}^{-10}$ to ${\epsilon }_{\mathrm{sec}}={10}^{-8}$. This is illustrated in figure 6.

Finally, figures 5 and 7 show the postprocessing block size $| {Z}_{{k}_{{\rm{s}}}}|$ as a function of the distance when $N={10}^{s}$ with $s=\{14,15\}$ for the 2% intensity fluctuation case and for the 5% intensity fluctuation case, respectively.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

In summary, we have provided explicit security bounds for the loss-tolerant QKD protocol in the finite-key regime. On the application front, our results constitute an important step towards practical QKD with imperfect light sources, in that the resulting security performance is robust against encoding inaccuracies like, for instance, optical misalignments. Furthermore, our results take into account intensity fluctuations in the light source, which is a common experimental fact. Our results highlight the importance of the stable control of the intensity modulator as well as the need for a precise estimation of its intensity, which is not often sufficiently emphasized in the experiments. On a more general outlook, it would be of great practical interest to incorporate our results into measurement-device-independent QKD (mdiQKD) [11].

We thank Lo H-K, Xu F, Kato G, Azuma K, Ikuta R, Nagamatsu Y, Takeuchi Y and Matsuki K for valuable discussions on the security analysis and parameter estimation procedure, and Yoshino K, Fujiwara M, Sasaki M, and Tomita A for fruitful discussions on practical QKD systems. AM acknowledges support from the JSPS Grant-in-Aid for Scientific Research(A) 25247068. MC thanks the Galician Regional Government (program 'Ayudas para proyectos de investigacion desarrollados por investigadores emergentes', and consolidation of Research Units: AtlantTIC), and the Spanish Government (project TEC2014-54898-R) for financial support. KT acknowledges support from the National Institute of Information and Communications Technology (NICT) of Japan (Project 'Secure Photonic Network Technology' as part of Project UQCC).

Here we present the calculations for the security bound given by equation (2). The security analysis is based on the universal composable security framework [30].

Recall that after privacy amplification, the joint state shared by Alice, Bob and Eve is described by the following classical-quantum state

$$\begin{eqnarray}&&{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{actual}}=\displaystyle \sum _{{s}_{{\rm{A}}},{s}_{{\rm{B}}}}\;p({s}_{{\rm{A}}},{s}_{{\rm{B}}})| {s}_{{\rm{A}}},{s}_{{\rm{B}}}\rangle {\langle {s}_{{\rm{A}}},{s}_{{\rm{B}}}| }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}}\otimes {\rho }_{{\rm{E}}}^{{s}_{{\rm{A}}},{s}_{{\rm{B}}}},\end{eqnarray} \tag{ 38 }$$

where ${s}_{{\rm{A}}}$ and ${s}_{{\rm{B}}}$ are the classical bit strings for the keys, associated with orthonormal states $| {s}_{{\rm{A}}}\rangle$ and $| {s}_{{\rm{B}}}\rangle$ in a Hilbert space. Here, $p({s}_{{\rm{A}}},{s}_{{\rm{B}}})$ denotes the distribution of the keys and ${\rho }_{{\rm{E}}}^{{s}_{{\rm{A}}},{s}_{{\rm{B}}}}$ is the quantum state of Eve's system conditioned on ${S}_{{\rm{A}}}={s}_{{\rm{A}}}$ and ${S}_{{\rm{B}}}={s}_{{\rm{B}}}$. In the ideal scenario, the joint state is described by

$$\begin{eqnarray}&&{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{ideal}}=\displaystyle \frac{1}{{2}^{| s| }}\displaystyle \sum _{s}\;| s,s\rangle {\langle s,s| }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}}\otimes {\rho }_{{\rm{E}}},\end{eqnarray} \tag{ 39 }$$

where ${S}_{{\rm{A}}}={S}_{{\rm{B}}}=s$ and ${\rho }_{{\rm{E}}}$ is an arbitrary quantum state held by Eve. Using the security definition stated in the main text, a ${\epsilon }_{\mathrm{sec}}$-secure QKD protocol satisfies

$$\begin{eqnarray}&&\displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{actual}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{ideal}}\| }_{1}\leqslant {\epsilon }_{\mathrm{sec}}.\end{eqnarray} \tag{ 40 }$$

Furthermore, if the security parameter ${\epsilon }_{\mathrm{sec}}$ is appropriately chosen, it can be seen as the sum of errors in the correctness and secrecy, i.e., ${\epsilon }_{\mathrm{sec}}={\epsilon }_{{\rm{s}}}+{\epsilon }_{{\rm{c}}}$. To see this, let us introduce an intermediate state

$$\begin{eqnarray}&&{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}=\displaystyle \sum _{{s}_{A}}\;p({s}_{{\rm{A}}})| {s}_{{\rm{A}}},{s}_{{\rm{A}}}\rangle {\langle {s}_{{\rm{A}}},{s}_{{\rm{A}}}| }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}}\otimes {\rho }_{{\rm{E}}}^{{s}_{{\rm{A}}}},\end{eqnarray} \tag{ 41 }$$

which is just a trivial classical extension of Alice's state. Then, by using the triangle inequality property of the trace distance metric, we have

$$\begin{eqnarray*}&&\displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{actual}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{ideal}}\| }_{1}\leqslant \displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{actual}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}\| }_{1}+\displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{ideal}}\| }_{1}.\end{eqnarray*}$$

Fixing the first term on the rhs to ${\epsilon }_{{\rm{c}}}$ gives

$$\begin{eqnarray*}&&{\epsilon }_{{\rm{c}}}=\displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{actual}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}\| }_{1}\geqslant \displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}}^{\mathrm{actual}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}}^{\mathrm{inter}}\| }_{1}=\mathrm{Pr}[{S}_{{\rm{A}}}\rlap{/}{=}{S}_{{\rm{B}}}],\end{eqnarray*}$$

where the inequality is due to the fact that the trace distance metric is contractive under any trace-preserving operation (in our case, the partial trace operation). Similarly, by fixing the second term to ${\epsilon }_{{\rm{s}}}$ we have

$$\begin{eqnarray*}&&{\epsilon }_{{\rm{s}}}=\displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}-{\rho }_{{S}_{{\rm{A}}}{S}_{{\rm{B}}}{\rm{E}}}^{\mathrm{ideal}}\| }_{1}\geqslant \displaystyle \frac{1}{2}{\| {\rho }_{{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{inter}}-{\rho }_{{S}_{{\rm{A}}}{\rm{E}}}^{\mathrm{ideal}}\| }_{1}.\end{eqnarray*}$$

Therefore, fixing ${\epsilon }_{\mathrm{sec}}={\epsilon }_{{\rm{s}}}+{\epsilon }_{{\rm{c}}}$ gives the desired decomposition.

From [32], the lower bound on the secret key length of our protocol is written as

$$\begin{eqnarray}&&{\ell }\geqslant \left\lfloor {m}_{0}^{{\rm{L}}}+{m}_{1}^{{\rm{L}}}[1-{\rm{\Gamma }}]-{\lambda }_{\mathrm{EC}}-{\mathrm{log}}_{2}\displaystyle \frac{2}{{\epsilon }_{{\rm{c}}}}\right\rfloor ,\end{eqnarray} \tag{ 42 }$$

where ${m}_{0}^{{\rm{L}}}$ and ${m}_{1}^{{\rm{L}}}$ are the lower bounds on the detection events of the vacuum and the single-photon emission, respectively, and ${m}_{1}^{{\rm{L}}}{\rm{\Gamma }}={m}_{1}^{{\rm{L}}}(h({e}_{\mathrm{ph}}^{{\rm{U}}})+\delta )$ is the number of rounds performing the random hashing to correct the phase error, which is equivalent to the number of bits sacrificed in the privacy amplification step of the protocol. The parameter ${\lambda }_{\mathrm{EC}}$ denotes the number of bits consumed in bit error correction, and $\lceil {\mathrm{log}}_{2}1/{\epsilon }_{{\rm{c}}}\rceil \leqslant {\mathrm{log}}_{2}2/{\epsilon }_{{\rm{c}}}$ is the length of the hash that Alice sends to Bob for the error verification using the universal₂ hash functions. From [7] and [33], we have that ${\epsilon }_{{\rm{s}}}$ can be bounded by ${\epsilon }_{{\rm{s}}}\leqslant \sqrt{1-(1-\eta )(1-{2}^{-{m}_{1}^{{\rm{L}}}\delta +1})}\leqslant \sqrt{\eta +{2}^{-{m}_{1}^{{\rm{L}}}\delta +1}}$. Therefore, the secret key length is obtained as

$$\begin{eqnarray}&&{\ell }\geqslant \left\lfloor {m}_{0}^{{\rm{L}}}+{m}_{1}^{{\rm{L}}}[1-h({e}_{\mathrm{ph}}^{{\rm{U}}})]-{\mathrm{log}}_{2}\displaystyle \frac{2}{{\epsilon }_{{\rm{s}}}^{2}-\eta }-{\lambda }_{\mathrm{EC}}-{\mathrm{log}}_{2}\displaystyle \frac{2}{{\epsilon }_{{\rm{c}}}}\right\rfloor ,\end{eqnarray} \tag{ 43 }$$

where we consider η as a fixed value in this paper.

In this appendix we introduce four different concentration inequalities which are used throughout this paper. First, we introduce the stochastic model that is assumed in lemmas1, 2 and 3.

Stochastic model in lemmas 1, 2 and 3. Let ${X}_{1},{X}_{2}...,{X}_{N}$ be a set of independent Bernoulli random variables that satisfy ${\rm{P}}({X}_{i}=1)={p}_{i}$, and let $X:= {\displaystyle \sum }_{i=1}^{N}{X}_{i}$. The expected value of X is denoted as $\mu := E[X]={\displaystyle \sum }_{i=1}^{N}{p}_{i}$. An observed outcome of X is represented as x.

Lemma 1. Chernoff bound [34].

This bound requires the knowledge of μ. It relates x with μ as

$$\begin{eqnarray}&&x=\mu +{\delta }_{{\rm{C}}},\end{eqnarray} \tag{ 44 }$$

except with error probability ${\epsilon }_{{\rm{C}}}+{\hat{\epsilon }}_{{\rm{C}}}$, where the fluctuation term ${\delta }_{{\rm{C}}}$ lies in the interval ${\delta }_{{\rm{C}}}\in [-{{\rm{\Delta }}}_{{\rm{C}}},{\hat{{\rm{\Delta }}}}_{{\rm{C}}}]$ with ${{\rm{\Delta }}}_{{\rm{C}}}={g}_{{\rm{C}}}(\mu ,{\epsilon }_{{\rm{C}}})$ and ${\hat{{\rm{\Delta }}}}_{{\rm{C}}}={\hat{g}}_{{\rm{C}}}(\mu ,{\hat{\epsilon }}_{{\rm{C}}})$, where ${g}_{{\rm{C}}}(x,y)=\sqrt{2x\mathrm{ln}1/y}$ and ${\hat{g}}_{{\rm{C}}}(x,y)=\sqrt{3x\mathrm{ln}1/y}$. Here the parameter ${\epsilon }_{{\rm{C}}}\;({\hat{\epsilon }}_{{\rm{C}}})$ denotes the probability that $x\lt \mu -{{\rm{\Delta }}}_{{\rm{C}}}\;(x\gt \mu +{\hat{{\rm{\Delta }}}}_{{\rm{C}}})$. Equation (44) holds if both $0\lt {g}_{{\rm{C}}}(1/\mu ,{\epsilon }_{{\rm{C}}})\lt 1$ and $0\lt {\hat{g}}_{{\rm{C}}}(1/\mu ,{\hat{\epsilon }}_{{\rm{C}}})\lt 1$ are met.

Lemma 2. Hoeffding bound [35].

This bound does not require the knowledge of μ. It relates μ and x as

$$\begin{eqnarray}&&\mu =x+{\delta }_{{\rm{H}}},\end{eqnarray} \tag{ 45 }$$

except with error probability ${\epsilon }_{{\rm{H}}}+{\hat{\epsilon }}_{{\rm{H}}}$, where the fluctuation term ${\delta }_{{\rm{H}}}$ lies in the interval ${\delta }_{{\rm{H}}}\in [-{{\rm{\Delta }}}_{{\rm{H}}},{\hat{{\rm{\Delta }}}}_{{\rm{H}}}]$ with ${{\rm{\Delta }}}_{{\rm{H}}}={g}_{{\rm{H}}}(N,{\epsilon }_{{\rm{H}}})$ and ${\hat{{\rm{\Delta }}}}_{{\rm{H}}}={g}_{{\rm{H}}}(N,{\hat{\epsilon }}_{{\rm{H}}})$, and where ${g}_{{\rm{H}}}(x,y)=\sqrt{x/2\mathrm{ln}1/y}$.

Lemma 3. Multiplicative Chernoff bound [13].

This bound does not require the knowledge of μ. It combines lemmas 1 and 2 above. It uses Lemma 2 to estimate a lower bound on μ that is then basically used in combination with lemma 1. In particular, let ${\mu }_{{\rm{L}}}=x-\sqrt{N/2\mathrm{ln}1/{\epsilon }_{{\rm{H}}}}$ for certain ${\epsilon }_{{\rm{H}}}\gt 0$. Then, if the following two conditions are satisfied: ${(2{\hat{\epsilon }}_{{\rm{M}}}^{-1})}^{1/{\mu }_{{\rm{L}}}}\leqslant \mathrm{exp}(9/32)$ and ${\epsilon }_{{\rm{M}}}^{-1/{\mu }_{{\rm{L}}}}\lt \mathrm{exp}(1/3)$ with ${\hat{\epsilon }}_{{\rm{M}}},\;{\epsilon }_{{\rm{M}}}\gt 0$, this lemma states that μ and x can be related as

$$\begin{eqnarray}&&\mu =x+{\delta }_{{\rm{M}}},\end{eqnarray} \tag{ 46 }$$

except with error probability ${\epsilon }_{{\rm{H}}}+{\epsilon }_{{\rm{M}}}+{\hat{\epsilon }}_{{\rm{M}}}$, where ${\delta }_{{\rm{M}}}$ lies in the interval $[-{{\rm{\Delta }}}_{{\rm{M}}},{\hat{{\rm{\Delta }}}}_{{\rm{M}}}]$ with ${\hat{{\rm{\Delta }}}}_{{\rm{M}}}={g}_{{\rm{M}}}(x,{\hat{\epsilon }}_{{\rm{M}}}^{4}/16)$ and ${{\rm{\Delta }}}_{{\rm{M}}}={g}_{{\rm{M}}}(x,{\epsilon }_{{\rm{M}}}^{3/2})$, and where ${g}_{{\rm{M}}}(x,y)=\sqrt{2x\mathrm{ln}({y}^{-1})}$.

Lemma 4. Azuma's inequality [36, 37].

Note that lemmas 1, 2 and 3 apply only to independent random variables, however, Azuma's inequality is applicable to any random variables (including dependent ones, i.e., random variables which can be correlated in any way) as long as two particular conditions (i.e., a Martingale and a Bounded difference condition (BDC), see below) are satisfied. In general, Eve's attacks can be coherent attacks, i.e., Eve can first make all the pulses sent by Alice to interact in a coherent way with an ancilla system in her hands and then measure the ancilla only after she has learned all the information distributed by Alice and Bob through the classical channel. In this general scenario, therefore, one cannot assume that each sending pulse is independent of each other. Hence, in order to analyse the security of the loss-tolerant protocol against coherent attacks in the finite-key regime, we use Azuma's inequality.

In particular, a sequence of random variables ${X}^{(0)},{X}^{(1)},\ldots$ is called a Martingale if and only if $E[{X}^{(l+1)}| {X}^{(0)},{X}^{(1)},\ldots ,{X}^{(l)}]={X}^{(l)}$ for all non-negative integer l, where $E[\cdot ]$ represents the expectation value. On the other hand, ${X}^{(0)},{X}^{(1)},\ldots$ is said to fulfil the BDC if there exists ${c}^{(l)}\gt 0$ such that $| {X}^{(l+1)}-{X}^{(l)}| \leqslant {c}^{(l)}$ for all non-negative integer l.

Let us consider N trials of a random variable ${X}^{(l)}$, where l refers to the lth trial. If ${X}^{(l)}$ is a Martingale and satisfies the BDC with ${c}^{(l)}=1$ then Azuma's inequality guarantees that

$$\begin{eqnarray}&&\mathrm{Pr}[| {X}^{(N)}-{X}^{(0)}| \gt N\delta ]\leqslant 2{{\rm{e}}}^{-\frac{N{\delta }^{2}}{2}}\end{eqnarray} \tag{ 47 }$$

for any $\delta \in (0,1)$.

Let us now define the following random variable for the lth trial

$$\begin{eqnarray}&&{X}^{(l)}:= {{\rm{\Lambda }}}^{(l)}-\displaystyle \sum _{u=1}^{l}P(u{| \xi }_{0},\ldots ,{\xi }_{u-1}),\end{eqnarray} \tag{ 48 }$$

where ${{\rm{\Lambda }}}^{(l)}$ represents the actual number of events of the form ${X}^{(l)}=1$ observed amongst the first l trials, and $P(u| {\xi }_{0},\ldots ,{\xi }_{u-1})$ is the conditional probability of having the event '1' in the uth trial conditioned on the first $u-1$ outcomes ${\xi }_{0},\ldots ,{\xi }_{u-1}$. In this scenario, it is straightforward to show that the random variables given by equation (48) are Martingale and satisfy the BDC with ${c}^{(l)}=1$. Hence, by applying Azuma's inequality we have that

$$\begin{eqnarray}&&\mathrm{Pr}[| {{\rm{\Lambda }}}^{(N)}-\displaystyle \sum _{u=1}^{N}\;P(u{| \xi }_{0},\ldots ,{\xi }_{u-1})| \gt N\delta ]\leqslant 2{{\rm{e}}}^{-\frac{N{\delta }^{2}}{2}}.\end{eqnarray} \tag{ 49 }$$

This means, in particular, that

$$\begin{eqnarray}&&{{\rm{\Lambda }}}^{(N)}=\displaystyle \sum _{u=1}^{N}\;P(u| {\xi }_{0},\ldots ,{\xi }_{u-1})+{\delta }_{{\rm{A}}}\end{eqnarray} \tag{ 50 }$$

except with error probability ${\epsilon }_{{\rm{A}}}+{\hat{\epsilon }}_{{\rm{A}}}$, where the parameter ${\delta }_{{\rm{A}}}$ lies in the interval ${\delta }_{{\rm{A}}}\in [-{{\rm{\Delta }}}_{{\rm{A}}},{\hat{{\rm{\Delta }}}}_{{\rm{A}}}]$ with ${{\rm{\Delta }}}_{{\rm{A}}}={g}_{{\rm{A}}}(N,{\epsilon }_{{\rm{A}}})$ and ${\hat{{\rm{\Delta }}}}_{{\rm{A}}}={g}_{{\rm{A}}}(N,{\hat{\epsilon }}_{{\rm{A}}})$, and where ${g}_{{\rm{A}}}(x,y)=\sqrt{2x\mathrm{ln}(1/y)}$.

In this appendix we first present the detail of the decoy-state analysis for the intensity fluctuation case and then we summarize all the equations for the decoy-state analysis, including those for the exact intensity control case. More precisely, we describe the estimation procedure that we use in order to obtain a lower bound on the number of vacuum contributions ${T}_{Z,0}$, and both a lower and an upper bound on the number of single-photon contributions ${T}_{Z,1}$.

C.1. Intensity fluctuation case

Here, we generalize the decoy-state method to cover the case where the source suffers from intensity fluctuations. For this, as already mentioned previously, we shall consider that Alice and Bob only know the interval $[{k}^{-},{k}^{+}]$ where the intensity k lies.

We begin by calculating the mean value $\langle {Z}_{k}\rangle$. Our starting point is the random variable ${X}_{k}^{(i| \overrightarrow{i-1})}$ for the ith trial when both Alice and Bob select the Z basis. This random variable takes the value 1 if Alice chooses the intensity k and, moreover, the generated signal is detected by Bob; otherwise it is 0. The term $\overrightarrow{i-1}$ reflects the fact that ${X}_{k}^{(i| \overrightarrow{i-1})}$ may depend on all the previous $i-1$ trials. With this notation, $\langle {Z}_{k}\rangle$ can be expressed as

$$\begin{eqnarray}&&\langle {Z}_{k}\rangle =\displaystyle \sum _{i=1}^{{N}_{z}}\;E\left[{X}_{k}^{(i| \overrightarrow{i-1})}\right]=\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(k\;\wedge \;\mathrm{det}| Z),\end{eqnarray} \tag{ 51 }$$

where N_z is the number of events where both Alice and Bob select the Z basis. The probability ${p}^{(i| \overrightarrow{i-1})}(\ast )$ denotes the conditional probability that the event * occurs in the ith trial conditioned on the results obtained in the previous $i-1$ trials, and the term $k\;\wedge \;\mathrm{det}| Z$ represents the event where Alice selects the intensity k and Bob detects the generated signal given that both of them have chosen the Z basis. By using Bayes rule, we can rewrite equation (51) as

$$\begin{eqnarray}&&\langle {Z}_{k}\rangle =\displaystyle \frac{1}{{p}_{z}^{2}}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n=0}^{\infty }\;\;{p}^{(i| \overrightarrow{i-1})}(k\;\wedge \;Z\;\wedge \;n\;\wedge \;\mathrm{det}),\end{eqnarray} \tag{ 52 }$$

$$\begin{eqnarray}&&=\;\displaystyle \frac{1}{{p}_{z}^{2}}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n=0}^{\infty }\;{p}^{(i)}(k\;\wedge \;Z\;\wedge \;n){p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| k\;\wedge \;Z\;\wedge \;n),\end{eqnarray} \tag{ 53 }$$

$$\begin{eqnarray}&&=\;{p}_{k}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n=0}^{\infty }\;\;{p}^{(i)}(n| k\;\wedge \;Z){p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| Z\;\wedge \;n),\end{eqnarray} \tag{ 54 }$$

where p_k is the probability that Alice chooses the intensity k; n denotes an n-photon signal; p_z represents the probability of selecting the Z basis; and ${p}^{(i)}(\ast )$ is the probability that the event * occurs in the ith trial. For instance, ${p}^{(i)}(n| k\;\wedge \;Z)$ is the conditional probability that Alice emits an n-photon state in the ith trial given that she has chosen the intensity k and both Alice and Bob have selected the Z basis in the ith trial. Note that in the transformation from equation (53) to (54) we have used the property of the decoy-state method i.e., ${p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| k\;\wedge \;Z\;\wedge \;n)={p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| Z\;\wedge \;n)$.

In so doing, we obtain that $\langle {Z}_{k}\rangle$ is upper bounded by

$$\begin{eqnarray}&&\langle {Z}_{k}\rangle \leqslant {p}_{k}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n=0}^{\infty }\;\displaystyle \frac{{{\rm{e}}}^{-{k}^{-}}{({k}^{+})}^{n}}{n!}{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| Z\;\wedge \;n).\end{eqnarray} \tag{ 55 }$$

Similarly, we find that

$$\begin{eqnarray}&&\langle {Z}_{k}\rangle \geqslant {p}_{k}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n=0}^{\infty }\;\displaystyle \frac{{{\rm{e}}}^{-{k}^{+}}{({k}^{-})}^{n}}{n!}{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| Z\;\wedge \;n).\end{eqnarray} \tag{ 56 }$$

Lower bound on the number of vacuum contributions.

To obtain this bound, we first rewrite equations (55) and (56) for the cases $k={k}_{{\rm{d}}2}$ and $k={k}_{{\rm{d}}1}$, respectively. We obtain the following two inequalities

$$\begin{eqnarray}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle & \leqslant & \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z){k}_{{\rm{d}}2}^{+}\\ & & +\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n\geqslant 2}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{+})}^{n}}{n!}.\end{eqnarray} \tag{ 57 }$$

$$\begin{eqnarray}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle & \geqslant & \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z){k}_{{\rm{d}}1}^{-}\\ & & +\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n\geqslant 2}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}1}^{-})}^{n}}{n!},\end{eqnarray} \tag{ 58 }$$

Next, we multiply equation (57) by ${k}_{{\rm{d}}1}^{-}$ and equation (58) by ${k}_{{\rm{d}}2}^{+}$, and we add both expressions. In so doing, we find that

$$\begin{eqnarray*}&&({k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+})\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)\geqslant \displaystyle \frac{{k}_{{\rm{d}}1}^{-}{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}^{+}{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle \end{eqnarray*}$$

$$\begin{eqnarray*}&&+{k}_{{\rm{d}}1}^{-}{k}_{{\rm{d}}2}^{+}\displaystyle \sum _{i=1}^{{N}_{z}}\;\displaystyle \sum _{n\geqslant 2}\;\displaystyle \frac{{({k}_{{\rm{d}}1}^{-})}^{n-1}-{({k}_{{\rm{d}}2}^{+})}^{n-1}}{n!}{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\end{eqnarray*}$$

$$\begin{eqnarray}&&\geqslant {k}_{{\rm{d}}1}^{-}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle -{k}_{{\rm{d}}2}^{+}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle ,\end{eqnarray} \tag{ 59 }$$

where the second inequality holds because ${k}_{{\rm{d}}1}^{-}\gt {k}_{{\rm{d}}2}^{+}$.

As a result, we find that ${T}_{Z,0}$ is lower bounded by

$$\begin{eqnarray}&&{T}_{Z,0}:= \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)\geqslant \displaystyle \frac{1}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left({k}_{{\rm{d}}1}^{-}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle -{k}_{{\rm{d}}2}^{+}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle \right).\end{eqnarray} \tag{ 60 }$$

To estimate the expectation values $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$, we use Azuma's inequality because each trial of the random variables ${X}_{{k}_{{\rm{d}}1}}^{(i| \overrightarrow{i-1})}$ and ${X}_{{k}_{{\rm{d}}2}}^{(i| \overrightarrow{i-1})}$ may depend on the previous ones.

Lower bound on the number of single-photon contributions.

Here, we first particularize equations (55) and (56) for the cases $k={k}_{{\rm{d}}1}$ and $k={k}_{{\rm{d}}2}$, respectively. We have that

$$\begin{eqnarray}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle & \leqslant & \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)({k}_{{\rm{d}}1}^{+})\\ & & +\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{n}}{n!}.\end{eqnarray} \tag{ 61 }$$

$$\begin{eqnarray}\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle & \geqslant & \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)({k}_{{\rm{d}}2}^{-})\\ & & +\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{n}}{n!},\end{eqnarray} \tag{ 62 }$$

Next, we add both expressions and we obtain

$$\begin{eqnarray}&&\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle +\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)({k}_{{\rm{d}}1}^{+})+\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{n}}{n!}\\ &&\geqslant \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle +\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)({k}_{{\rm{d}}2}^{-})+\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{n}}{n!}.\end{eqnarray} \tag{ 63 }$$

This last equation can be rewritten as

$$\begin{eqnarray}({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z) & \geqslant & \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \\ & & +\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{n}-{({k}_{{\rm{d}}1}^{+})}^{n}}{n!}.\end{eqnarray} \tag{ 64 }$$

Next, we evaluate the third term on the rhs of equation (64). This term is lower bounded by

$$\begin{eqnarray}&&\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{n}-{({k}_{{\rm{d}}1}^{+})}^{n}}{n!}\\ &&\geqslant \displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{2}-{({k}_{{\rm{d}}1}^{+})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{s}}}^{-})}^{n}}{n!},\end{eqnarray} \tag{ 65 }$$

because when the conditions $n\geqslant 2$, ${k}_{{\rm{d}}1}^{+}\gt {k}_{{\rm{d}}2}^{-}$ and ${k}_{{\rm{s}}}^{-}\gt {k}_{{\rm{d}}1}^{+}+{k}_{{\rm{d}}2}^{-}$ are satisfied we have that ${({k}_{{\rm{d}}2}^{-})}^{n}-{({k}_{{\rm{d}}1}^{+})}^{n}\geqslant [{({k}_{{\rm{d}}2}^{-})}^{2}-{({k}_{{\rm{d}}1}^{+})}^{2}]{({k}_{{\rm{s}}}^{-})}^{n-2}$. If we now use equation (56) for $k={k}_{{\rm{s}}}$, we have that

$$\begin{eqnarray}&&\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{s}}}^{-})}^{n}}{n!}\leqslant \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{{\rm{s}}}}\rangle \\ &&-\displaystyle \sum _{i=1}^{{N}_{z}}\;\left({p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+{k}_{{\rm{s}}}^{-}{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)\right).\end{eqnarray} \tag{ 66 }$$

The rhs of equation (65) can be lower bounded using the rhs of equation (66). This is so because ${k}_{{\rm{d}}1}^{+}\gt {k}_{{\rm{d}}2}^{-}$ and therefore the term $[{({k}_{{\rm{d}}2}^{-})}^{2}-{({k}_{{\rm{d}}1}^{+})}^{2}]/{({k}_{{\rm{s}}}^{-})}^{2}\lt 0$ in equation (65). Hence, we have that the third term on the rhs of equation (64) is lower bounded by

$$\begin{eqnarray}&&\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{n}-{({k}_{{\rm{d}}1}^{+})}^{n}}{n!}\geqslant \displaystyle \frac{{({k}_{{\rm{d}}2}^{-})}^{2}-{({k}_{{\rm{d}}1}^{+})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{{\rm{s}}}}\rangle \right.\\ &&-\left.\displaystyle \sum _{i=1}^{{N}_{z}}\;\left({p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 0\;\wedge \;Z)+{k}_{{\rm{s}}}^{-}{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)\right)\;\right].\end{eqnarray} \tag{ 67 }$$

That is, if we now combine equations (64) and (67) we find that

$$\begin{eqnarray}({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})\left\{\displaystyle \frac{{k}_{{\rm{s}}}^{-}-({k}_{{\rm{d}}1}^{+}+{k}_{{\rm{d}}2}^{-})}{{k}_{{\rm{s}}}^{-}}\right\}\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z) & \geqslant & \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \\ & & -\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{2}-{({k}_{{\rm{d}}2}^{-})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{{\rm{s}}}}\rangle -{T}_{Z,0}^{{\rm{L}}}\right),\end{eqnarray} \tag{ 68 }$$

which directly gives us a lower bound on ${T}_{Z,1}$,

$$\begin{eqnarray}{T}_{Z,1}\;: & = & \displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)\\ & \geqslant & \displaystyle \frac{{k}_{{\rm{s}}}^{-}}{({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})({k}_{{\rm{s}}}^{-}-{k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \right.\\ & & \left.-\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{2}-{({k}_{{\rm{d}}2}^{-})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}^{+}}}{{p}_{{k}_{{\rm{s}}}}}\langle {Z}_{{k}_{{\rm{s}}}}\rangle -{T}_{Z,0}^{{\rm{L}}},)\right)\right].\end{eqnarray} \tag{ 69 }$$

Here, the lower bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and the upper bound on $\langle {Z}_{{k}_{{\rm{s}}}}\rangle$ and $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ are estimated using Azuma's inequality. Upper bound on the number of single-photon contributions.

By adding equations (57) and (58), we have that

$$\begin{eqnarray}({k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+})\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z) & \leqslant & \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle \\ & & -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle +\displaystyle \sum _{n\geqslant 2}\;\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| n\;\wedge \;Z)\displaystyle \frac{{({k}_{{\rm{d}}2}^{+})}^{n}-{({k}_{{\rm{d}}1}^{-})}^{n}}{n!}\\ & \leqslant & \displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle ,\end{eqnarray} \tag{ 70 }$$

where the second inequality holds because ${k}_{{\rm{d}}1}^{-}\gt {k}_{{\rm{d}}2}^{+}$. This means, in particular, that ${T}_{Z,1}$ is upper bounded by

$$\begin{eqnarray}&&{T}_{Z,1}=\displaystyle \sum _{i=1}^{{N}_{z}}\;{p}^{(i| \overrightarrow{i-1})}(\mathrm{det}| 1\;\wedge \;Z)\leqslant \displaystyle \frac{1}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {Z}_{{k}_{{\rm{d}}1}}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {Z}_{{k}_{{\rm{d}}2}}\rangle \right),\end{eqnarray} \tag{ 71 }$$

where the upper bound on $\langle {Z}_{{k}_{{\rm{d}}1}}\rangle$ and the lower bound on $\langle {Z}_{{k}_{{\rm{d}}2}}\rangle$ are estimated using Azuma's inequality.

C.2. Summary of the decoy-state analysis

Here, we summarize all the equations needed in the decoy-state method, including those for the exact intensity control case.

Lower bound on the number of vacuum contributions.

Let $\underline{{\mathrm{Decoy}}_{0}}({ay},{by}^{\prime} )$ denote a lower bound on the number of events where Alice generates a vacuum state using the signal intensity and the basis setting $a\in \{Z,X\}$ to encode a bit value $y\in \{0,1\}$, and Bob observes the bit value $y^{\prime} \in \{0,1\}$ when he measures the received signal using the basis $b\in \{Z,X\}$.

$$\begin{eqnarray}&&\;\underline{{\mathrm{Decoy}}_{0}}({ay},{by}^{\prime} )=\displaystyle \frac{{p}^{-}({k}_{{\rm{s}}}\;\wedge \;0)}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left(\displaystyle \frac{{k}_{{\rm{d}}1}^{-}{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {a}^{y}{{b}_{{k}_{{\rm{d}}2}}^{{y}^{\prime }}}^{-}\rangle -\displaystyle \frac{{k}_{{\rm{d}}2}^{+}{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {a}^{y}{{b}_{{k}_{{\rm{d}}1}}^{{y}^{\prime }}}^{+}\rangle \right),\end{eqnarray} \tag{ 72 }$$

where the parameters $\langle {a}^{y}{{b}_{{k}_{{\rm{d}}2}}^{y^{\prime} }}^{-}\rangle$ and $\langle {a}^{y}{{b}_{{k}_{{\rm{d}}1}}^{{y}^{\prime }}}^{+}\rangle$ are defined in a similar way like equations (9) and (10) for the exact intensity control case and like equations (20) and (21) for the intensity-fluctuation case, respectively. The probability ${p}^{-}({k}_{{\rm{s}}}\;\wedge \;0)$ is a lower bound on $p({k}_{{\rm{s}}}\;\wedge \;0)$ which denotes the probability that Alice selects the signal intensity setting and sends a vacuum state.

Lower bound on the number of single-photon contributions.

Let $\underline{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} )$ denote a lower bound on the number of events where Alice prepares a single-photon state using the signal intensity and the basis setting $a\in \{Z,X\}$ to encode a bit value $y\in \{0,1\}$, and Bob observes the bit value $y^{\prime} \in \{0,1\}$ when he measures the received signal using the basis $b\in \{Z,X\}$.

$$\begin{eqnarray}\;\underline{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} ) & = & \displaystyle \frac{{p}^{-}({k}_{{\rm{s}}}\;\wedge \;1){k}_{{\rm{s}}}^{-}}{({k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})({k}_{{\rm{s}}}^{-}-{k}_{{\rm{d}}1}^{+}-{k}_{{\rm{d}}2}^{-})}\left[\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{-}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {{a}^{y}{b}^{{y}^{\prime }}}_{{k}_{{\rm{d}}1}}^{-}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{+}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {a}^{y}{{b}_{{k}_{{\rm{d}}2}}^{{y}^{\prime }}}^{+}\rangle \right.\\ & & +\left.\displaystyle \frac{{({k}_{{\rm{d}}1}^{+})}^{2}-{({k}_{{\rm{d}}2}^{-})}^{2}}{{({k}_{{\rm{s}}}^{-})}^{2}}\left(\displaystyle \frac{\underline{{\mathrm{Decoy}}_{0}}({ay},{by}^{\prime} )}{{p}^{-}({k}_{{\rm{s}}}\;\wedge \;0)}-\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{s}}}}\langle {a}^{y}{{b}_{{k}_{{\rm{s}}}}^{{y}^{\prime }}}^{+}\rangle }{{p}_{{k}_{{\rm{s}}}}}\right)\right],\end{eqnarray} \tag{ 73 }$$

where the probability ${p}^{-}({k}_{{\rm{s}}}\;\wedge \;1)$ is a lower bound on $p({k}_{{\rm{s}}}\;\wedge \;1)$ which denotes the probability that Alice selects the signal intensity setting and sends a single-photon state.

Upper bound on the number of single-photon contributions.

Let $\bar{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} )$ denote an upper bound on the number of events where Alice prepares a single-photon state using the signal intensity and the basis setting $a\in \{Z,X\}$ to encode a bit value $y\in \{0,1\}$, and Bob observes the bit value $y^{\prime} \in \{0,1\}$ when he measures the received signal using the basis $b\in \{Z,X\}$.

$$\begin{eqnarray}&&\bar{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} )=\displaystyle \frac{{p}^{+}({k}_{{\rm{s}}}\;\wedge \;1)}{{k}_{{\rm{d}}1}^{-}-{k}_{{\rm{d}}2}^{+}}\left(\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}1}^{+}}}{{p}_{{k}_{{\rm{d}}1}}}\langle {a}^{y}{{b}_{{k}_{{\rm{d}}1}}^{{y}^{\prime }}}^{+}\rangle -\displaystyle \frac{{{\rm{e}}}^{{k}_{{\rm{d}}2}^{-}}}{{p}_{{k}_{{\rm{d}}2}}}\langle {a}^{y}{{b}_{{k}_{{\rm{d}}2}}^{{y}^{\prime }}}^{-}\rangle \right),\end{eqnarray} \tag{ 74 }$$

where the probability ${p}^{+}({k}_{{\rm{s}}}\;\wedge \;1)$ is an upper bound on $p({k}_{{\rm{s}}}\;\wedge \;1)$.

In this appendix we explain how to derive equation (36). That is, we obtain an upper bound on the number of phase errors associated to the single-photon pulses emitted by Alice when she selects the signal intensity setting, both Alice and Bob use the Z basis, and Bob obtains a successful detection event (i.e., $y^{\prime} \ne \varnothing$). As we are interested in the phase error rate defined in the single-photon emission events and all the statistics associated with the single-photons can be estimated using the decoy state method, in the virtual protocol we only consider the cases where Alice emits single photons.

To begin with, we first review briefly the main idea that we use to derive the phase error rate; it is based on the results introduced in [21], which follow the security analysis presented by Koashi in [26] based on a complementarity argument. This method [21] requires to estimate the transmission rates (i.e., detection probabilities) that Bob would obtain if he would measure some virtual states (see equation (78) below) in a complementary basis to the key generation basis. Importantly, it turns out that these transmission rates can be written as a liner combination of the transmission rates of the actual states sent by Alice (i.e., ${\rho }_{0z},{\rho }_{1z}$ and ${\rho }_{0x}$). To obtain these last transmission rates, we use the detection events that correspond to basis mismatch events (i.e., the detection events where Alice and Bob's basis choices are different). From these results, we can then calculate the exact value of the transmission rates associated to the virtual states (and, therefore, the phase error rate).

Based on this idea, we expand the security analysis introduced in [21] to accommodate the finite-key size effect in the following. For this, in the security proof we consider a virtual protocol that based on the complementarity argument [26] is equivalent to the actual protocol. In the virtual scheme, Alice prepares an ancilla qubit which is entangled with the pulse that she sends to Bob. Importantly, from Eve's viewpoint both protocols are completely indistinguishable because they emit the same quantum states and announce the same classical information.

In addition, as already mentioned in the main text, here we will consider the filtered states ${\tilde{\rho }}_{{jz}}$ and ${\tilde{\rho }}_{0x}$ only for convenience, as they allow us to simplify the mathematical derivation of the transmission rates associated to the virtual states. Note that due to the action of the filter operation we can concentrate only on those states that lie in the X–Z plane rather than in the whole Bloch sphere. Most importantly, we have that the relation derived for the filtered states holds as well for the actual states because all the states, which have the same ${\sigma }_{Y}$ component, have the same probability of passing the filter. Indeed, one could obtain exactly the same mathematical expression for the main result of this section (see equation (103) below) without considering a filter operation, but the analysis is more cumbersome.

Let us start our analysis by introducing the following joint states, which we shall denote as ${| {\tilde{\psi }}_{{j}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}$. They are a purification of the signals ${\tilde{\rho }}_{{jz}}$ with $j\in \{0,1\}$ (see equation (32)),

$$\begin{eqnarray}&&{| {\tilde{\psi }}_{{j}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}=\sqrt{{P}_{0}^{{j}_{z}}}{| 0\rangle }_{{{\rm{A}}}_{1}}{| {\phi }_{0}^{{j}_{z}}\rangle }_{{\rm{B}}}+\sqrt{{P}_{1}^{{j}_{z}}}{| 1\rangle }_{{{\rm{A}}}_{1}}{| {\phi }_{1}^{{j}_{z}}\rangle }_{{\rm{B}}},\end{eqnarray} \tag{ 75 }$$

where the index ${{\rm{A}}}_{1}$ represents the ancilla system and the index B is the system that Alice sends to Bob. In addition, we define the state:

$$\begin{eqnarray}&&{| {\tilde{{\rm{\Psi }}}}_{z}\rangle }_{{{\rm{A}}}_{1},{{\rm{A}}}_{2},{\rm{B}}}=\displaystyle \frac{1}{\sqrt{2}}\left({| 0\rangle }_{{{\rm{A}}}_{2}}{| {\tilde{\psi }}_{{0}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}+{| 1\rangle }_{{{\rm{A}}}_{2}}{| {\tilde{\psi }}_{{1}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\right),\end{eqnarray} \tag{ 76 }$$

where the ancilla system ${{\rm{A}}}_{2}$ stores the bit information. The aim of the virtual protocol is to quantify how accurately Bob can estimate Alice's measurement outcome if she would measure system ${{\rm{A}}}_{2}$ in the complementarity basis (i.e., if she would use the POVM ${M}_{X,{{\rm{A}}}_{2}}=\{| +\rangle \langle +| ,| -\rangle \langle -| \}$, where $| \pm \rangle =1/\sqrt{2}(| 0\rangle \pm | 1\rangle )$). This way one can characterize the information that Eve could have obtained about the raw key [26]. Note that equation (76) can be rewritten as

$$\begin{eqnarray}{| {\tilde{{\rm{\Psi }}}}_{z}\rangle }_{{{\rm{A}}}_{1},{{\rm{A}}}_{2},{\rm{B}}} & = & \sqrt{\displaystyle \frac{1+\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}{\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}}{2}}{| +\rangle }_{{{\rm{A}}}_{2}}{| {\tilde{\psi }}_{{0}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\\ & & +\sqrt{\displaystyle \frac{1-\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}{\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}}{2}}{| -\rangle }_{{{\rm{A}}}_{2}}{| {\tilde{\psi }}_{{1}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\end{eqnarray} \tag{ 77 }$$

where the normalized virtual states ${| {\tilde{\psi }}_{{j}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}$, with $j\in \{0,1\}$, are defined as

$$\begin{eqnarray}&&{| {\tilde{\psi }}_{{j}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}=\displaystyle \frac{{| {\tilde{\psi }}_{{0}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}+{(-1)}^{j}{| {\tilde{\psi }}_{{1}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}}{\sqrt{2\left[1+{(-1)}^{j}\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}{\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\right]}}.\end{eqnarray} \tag{ 78 }$$

Let us now introduce some additional notation before we describe in detail the different steps of the virtual protocol. In particular, the states prepared by Alice in the virtual protocol are given by

$$\begin{eqnarray}&&{| \phi \rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}=\displaystyle \sum _{c=1}^{5}\sqrt{P(c)}{| c\rangle }_{\mathrm{sh}}{| {\phi }^{(c)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\end{eqnarray} \tag{ 79 }$$

where the shield system sh belongs to Alice's laboratory, the states ${| {\phi }^{(c)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}$ have the form

$$\begin{eqnarray}{| {\phi }^{(1)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}} & = & {| {\tilde{\psi }}_{{0}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\\ {| {\phi }^{(2)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}} & = & {| {\tilde{\psi }}_{{1}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\\ {| {\phi }^{(3)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}} & = & {| {\tilde{\psi }}_{{0}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\\ {| {\phi }^{(4)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}} & = & {| {\tilde{\psi }}_{{1}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\\ {| {\phi }^{(5)}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}} & = & {| {\tilde{\psi }}_{{0}_{x}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}},\end{eqnarray} \tag{ 80 }$$

and the probabilities P(c) are given by

$$\begin{eqnarray}P(1) & = & \displaystyle \frac{{p}_{z}^{2}}{2}\left(1+{\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\right),\\ P(2) & = & \displaystyle \frac{{p}_{z}^{2}}{2}\left(1-{\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\right),\\ P(3) & = & P(4)=\displaystyle \frac{{p}_{z}{p}_{x}}{2},\\ P(5) & = & {p}_{x}.\end{eqnarray} \tag{ 81 }$$

Also, we define Bob's POVM for the Z and the X basis measurement as ${M}_{Z,{\rm{B}}}=\{{M}_{Z0},{M}_{Z1},{M}_{Z{\rm{f}}}\}$ and ${M}_{X,{\rm{B}}}=\{{M}_{X0},{M}_{X1},{M}_{X{\rm{f}}}\}$, respectively. Here, the operator ${M}_{Z(X){\rm{f}}}$ corresponds to the inconclusive outcome in the $Z\;(X)$ basis. Importantly, in the security analysis we assume that this operator is the same for both bases, i.e., ${M}_{{\rm{f}}}:= {M}_{Z{\rm{f}}}={M}_{X{\rm{f}}}$. Note that this assumption is met in all those actual experiments where the detection probability for any state is independent of Bob's basis choice, and this allows us to conceptually delay Bob's measurement basis choice until he is certain to obtain a conclusive result. That is, we can consider that Bob first conducts a filter operation with Kraus operators $D=\{\sqrt{I-{M}_{{\rm{f}}}},\sqrt{{M}_{{\rm{f}}}}\}$ followed by the Z or X basis measurement, which we redefine as $\{{M}_{Z0},{M}_{Z1}\}$ and $\{{M}_{X0},{M}_{X1}\}$, respectively.

Next we present the steps of the virtual protocol in detail.

Virtual protocol

Alice repeats the first step n1 times, where n1 is the number of single-photon emissions generated by Alice in the actual protocol within the set $| {Z}_{{k}_{{\rm{s}}}}|$.

(1) Preparation

Alice prepares the state ${| \phi \rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}$ given by equation (79). Afterwards, she sends Bob system B over a quantum channel and delays her measurement on system sh until step 3.

(2) Filter operation

Bob performs on system B the filter operation D and, if this operation succeeds, he stores this system in a quantum memory. We will denote the set of successful filter results as ${\bf{S}},\mathrm{and}\;| {\bf{S}}| ={N}_{1}$.

(3) Collective measurement

Alice and Bob perform on the states in the set ${\bf{S}}$ a collective measurement characterized by the POVM elements ${F}_{{\rm{\Omega }},s},\mathrm{with}\;{\rm{\Omega }}\in \{1,2,\ldots ,6\}\;\mathrm{and}\;s\in \{0,1\}$ (see equation (84)) on the states in the set ${\bf{S}}$.

(4) Classical communication

Alice announces the $Z(X)$ basis choice over an authenticated public channel when the result of her measurement in step 3 is ${\rm{\Omega }}=1,2,3,4({\rm{\Omega }}=5,6)$. Then, Bob announces the $Z(X)$ basis choice, also over an authenticated public channel, when the measurement outcome in step 3 is ${\rm{\Omega }}=1,2,6({\rm{\Omega }}=3,4,5)$ to ensure that the classical information declared in both the actual and the virtual protocols coincide (see the main text below for further details). In addition, Bob declares the value of $s\;\mathrm{when}\;{\rm{\Omega }}=3,4,5,6$.

(5) Estimation of the number of phase errors

Alice and Bob calculate an upper bound on the number of phase errors. This upper bound is given by

$$\begin{eqnarray}&&{N}_{\mathrm{ph}}^{{\rm{U}}}=\bar{{{\rm{\Lambda }}}_{1,1}^{({N}_{1})}}+\bar{{{\rm{\Lambda }}}_{2,0}^{({N}_{1})}},\end{eqnarray} \tag{ 82 }$$ where ${{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}$ denotes the number of outcomes associated to the operator ${F}_{{\rm{\Omega }},s}\;{\text{}}{after}\;{N}_{1}$ trials, and $\bar{{{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}}$ is an upper bound on ${{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}$.

The size of the set ${\bf{S}}$ (see step 2 of the virtual protocol) is upper bounded by

$$\begin{eqnarray}&&| {\bf{S}}| ={N}_{1}\leqslant \displaystyle \sum _{a,b\in \{Z,X\}}\displaystyle \sum _{y,y^{\prime} \in \{0,1\}}\bar{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} ),\end{eqnarray} \tag{ 83 }$$

where the parameter $\bar{{\mathrm{Decoy}}_{1}}({ay},{by}^{\prime} )$ is defined in appendix C. Also, the POVM elements ${F}_{{\rm{\Omega }},s}$ of Alice and Bob's collective measurement are given by

$$\begin{eqnarray}{F}_{{\rm{\Omega }},s} & = & P[{| {\rm{\Omega }}\rangle }_{\mathrm{sh}}]\otimes {M}_{{Xs}}\quad \quad \mathrm{when}{\rm{\Omega }}\in \{1,2,3,4\},\\ {F}_{5,s} & = & P[{| 5\rangle }_{\mathrm{sh}}]\otimes {p}_{x}{M}_{{Xs}},\\ {F}_{6,s} & = & P[{| 5\rangle }_{\mathrm{sh}}]\otimes {p}_{z}{M}_{{Zs}}.\end{eqnarray} \tag{ 84 }$$

These POVM elements satisfy ${\displaystyle \sum }_{s\in \{\mathrm{0,1}\}}{\displaystyle \sum }_{{\rm{\Omega }}\in \{1,\ldots ,6\}}{F}_{{\rm{\Omega }},s}={I}_{\mathrm{sh}}\otimes {I}_{{\rm{B}}}$.

It is easy to demonstrate that from Eve's viewpoint the virtual protocol described above is completely equivalent to the actual protocol. Indeed, the quantum states that Alice sends to Bob are exactly the same in both protocols. Also, both schemes declare precisely the same classical information. To see this last point, let us further clarify the fourth step of the virtual protocol. In particular, note that when ${\rm{\Omega }}=1(2)$ the state that Alice sends to Bob in the virtual protocol is ${\mathrm{Tr}}_{{{\rm{A}}}_{1}}P[{| {\tilde{\psi }}_{0(1)x}\rangle }_{{{\rm{A}}}_{1}{\rm{B}}}]$ and Bob uses the $X$ basis. However, in this case, Alice and Bob announce the $Z$ basis. In so doing, the actual and virtual protocols are indistinguishable. This is so because in the actual protocol the events ${\rm{\Omega }}=1\;\mathrm{or}\;2$ are used to generate a secret key, i.e., in these events both Alice and Bob select, and therefore also declare, the $Z$ basis. Then, the virtual protocol has to do the same declaration, otherwise it could be distinguished from the actual protocol. That is, with our definition of the virtual protocol we guarantee that it produces precisely the same classical information as the actual protocol.

Next, we present the estimation method that we use in order to upper bound the quantities ${{\rm{\Lambda }}}_{1,1}^{({N}_{1})}\;\mathrm{and}\;{{\rm{\Lambda }}}_{2,0}^{({N}_{1})}$ using experimentally observed values. For this, we consider the sequence of random variables ${X}_{{\rm{\Omega }},s}^{(l)}$, with $l=1,\ldots ,{N}_{1}$, given by

$$\begin{eqnarray}&&{X}_{{\rm{\Omega }},s}^{(l)}={{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{(l)}-\displaystyle \sum _{u=1}^{l}{P}_{{\rm{\Omega }},s}(u| {\xi }_{0},\ldots ,{\xi }_{u-1}),\end{eqnarray} \tag{ 85 }$$

where ${P}_{{\rm{\Omega }},s}(u| {\xi }_{0},\ldots ,{\xi }_{u-1})$ is the conditional probability of obtaining the values ${\rm{\Omega }}\;\mathrm{and}\;s$ in the collective measurement performed in the $u$ th trial of the third step of the virtual protocol, conditioned on the first $u-1$ measurement outcomes from the collective measurements ${\xi }_{0},\ldots ,{\xi }_{u-1}$. To obtain this conditional probability we use the following joint state in ${N}_{1}$ trials

$$\begin{eqnarray}&&{| {\rm{\Phi }}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}={| {\phi }_{\overrightarrow{u-1}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| {\phi }_{u}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| {\phi }_{\overrightarrow{{N}_{1}-u}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}},\end{eqnarray} \tag{ 86 }$$

where ${| {\phi }_{\overrightarrow{u-1}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{\text{}},{| {\phi }_{u}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}$, and ${| {\phi }_{\overrightarrow{{N}_{1}-u}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}$ represent, respectively, Alice's prepared states in the first $u-1$ trials, in the $u$ th trial, and in the rest of trials.

Let ${U}_{\mathrm{BE}}$ denote Eve's unitary transformation on Bob's system B and on her system E. We have that

$$\begin{eqnarray}&&{U}_{\mathrm{BE}}{| {\rm{\Phi }}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| 0\rangle }_{{\rm{E}}}=\displaystyle \sum _{t}{B}_{t,{\rm{B}}}{| {\rm{\Phi }}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| t\rangle }_{{\rm{E}}},\end{eqnarray} \tag{ 87 }$$

where ${B}_{t,{\rm{B}}}$ denotes the Kraus operator which acts on system B depending on Eve's measurement outcome of her ancilla. Now we consider Alice and Bob's collective measurement. In particular, let ${M}_{{\mathrm{sh}}_{v},{s}_{v}}$ represent the Kraus operator associated with the $v\mathrm{th}(1\leqslant v\leqslant u)$ measurement outcome of Alice's system sh and Bob's system. Also, let ${{\mathcal{O}}}_{u-1,\mathrm{sh},{\rm{B}}}$ denote Alice and Bob's joint measurement operator up to $u-1$ trials. It can be written as

$$\begin{eqnarray}&&{{\mathcal{O}}}_{u-1,\mathrm{sh},{\rm{B}}}=\underset{v=1}{\overset{u-1}{\displaystyle \otimes }}{M}_{{\mathrm{sh}}_{v},{s}_{v}}({I}_{\mathrm{sh}}\otimes \sqrt{1-{M}_{{\rm{f}}}}).\end{eqnarray} \tag{ 88 }$$

We shall denote the measurement outcomes of the first $u-1$ trials as ${O}_{u-1}$. Then, after Eve's intervention and conditioned on the fact of obtaining the measurement results ${O}_{u-1}$, we have that the normalized $u$ th state of Alice's system sh and Bob's system B, which we shall represent as ${\rho }_{u| \overrightarrow{u-1}}^{\mathrm{sh},{\rm{B}}}$, is given by

$$\begin{eqnarray}&&{\rho }_{u| \overrightarrow{u-1}}^{\mathrm{sh},{\rm{B}}}=\displaystyle \frac{{\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}}}{\mathrm{Tr}\left({\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}}\right)},\end{eqnarray} \tag{ 89 }$$

where the state ${\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}}$ has the form

$$\begin{eqnarray}&&{\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}}:= \displaystyle \sum _{t}{\mathrm{Tr}}_{\bar{u}}\;\left(P[{{\mathcal{O}}}_{u-1,\mathrm{sh},{\rm{B}}}{B}_{t,{\rm{B}}}{| {\rm{\Phi }}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}]\right).\end{eqnarray} \tag{ 90 }$$

Here, ${\mathrm{Tr}}_{\bar{u}}$ is the trace over all systems except for the $u$ th systems sh and B. Equation (90) can be rewritten as follows:

$$\begin{eqnarray}{\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}} & = & \displaystyle \sum _{t}\displaystyle \sum _{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}}{\mathrm{Tr}}_{{{\rm{A}}}_{1}}^{(u)}\left(P[\langle \overrightarrow{u-1}| \langle \overrightarrow{{N}_{1}-u}| {{\mathcal{O}}}_{u-1,\mathrm{sh},{\rm{B}}}{B}_{t,{\rm{B}}}{| {\phi }_{\overrightarrow{u-1}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| {\phi }_{u}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| {\phi }_{\overrightarrow{{N}_{1}-u}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}]\right)\\ & = & \displaystyle \sum _{t}\displaystyle \sum _{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}}{\mathrm{Tr}}_{{{\rm{A}}}_{1}}^{(u)}\left(P[{A}_{t,{\rm{B}}| {O}_{u-1}}^{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}}{| {\phi }_{u}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}]\right),\end{eqnarray} \tag{ 91 }$$

where ${\mathrm{Tr}}_{{{\rm{A}}}_{1}}^{(u)}$ represents the trace over the $u{\mathrm{thA}}_{1}$ system, the states $| \overrightarrow{u-1}\rangle \;\mathrm{and}\;| \overrightarrow{{N}_{1}-u}\rangle$ denote an orthogonal basis for the first $u-1$ systems and the last ${N}_{1}-u$ systems, respectively, and

$$\begin{eqnarray}&&{A}_{t,{\rm{B}}| {O}_{u-1}}^{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}}:= \langle \overrightarrow{u-1}| \langle \overrightarrow{{N}_{1}-u}| {{\mathcal{O}}}_{u-1,\mathrm{sh},{\rm{B}}}{B}_{t,{\rm{B}}}{| {\phi }_{\overrightarrow{u-1}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}{| {\phi }_{\overrightarrow{{N}_{1}-u}}\rangle }_{\mathrm{sh},{{\rm{A}}}_{1},{\rm{B}}}\end{eqnarray} \tag{ 92 }$$

is the Kraus operator acting on the $u$ th system conditioned on the measurement outcomes ${O}_{u-1}$.

Therefore, we obtain that the conditional probability defined in equation (85) for ${\rm{\Omega }}\in \{1,\ldots ,6\}$ is given by

$$\begin{eqnarray}{P}_{{\rm{\Omega }},s}(u| {\xi }_{0},\ldots ,{\xi }_{u-1}) & = & \mathrm{Tr}\left\{{F}_{{\rm{\Omega }},s}\displaystyle \frac{{\mathcal{E}}({\rho }_{u| \overrightarrow{u-1}}^{\mathrm{sh},{\rm{B}}})}{\mathrm{Tr}\left[{\mathcal{E}}({\rho }_{u| \overrightarrow{u-1}}^{\mathrm{sh},{\rm{B}}})\right]}\right\}\\ & = & \displaystyle \frac{Q({\rm{\Omega }})}{\mathrm{Tr}\left[{\mathcal{E}}({\rho }_{u| \overrightarrow{u-1}}^{\mathrm{sh},{\rm{B}}})\right]\mathrm{Tr}({\sigma }_{u| {O}_{u-1}}^{\mathrm{sh},{\rm{B}}})}\mathrm{Tr}\left[{{\mathcal{M}}}_{{Xs}}^{(u| \overrightarrow{u-1})}{\mathrm{Tr}}_{{{\rm{A}}}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]\right]\\ & =: & Q({\rm{\Omega }}){T}_{{M}_{{Xs}}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{{{\rm{A}}}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]\right],\end{eqnarray} \tag{ 93 }$$

where ${\mathcal{E}}(\rho ):= ({I}_{\mathrm{sh}}\otimes \sqrt{I-{M}_{{\rm{f}}}})\rho {({I}_{\mathrm{sh}}\otimes \sqrt{I-{M}_{{\rm{f}}}})}^{\dagger }$, the probability $Q({\rm{\Omega }})=P({\rm{\Omega }})\mathrm{for}{\rm{\Omega }}\in \{1,2,3,4\}{\text{}},Q(5)={p}_{x}P(5)\;\mathrm{and}\;Q(6)={p}_{z}P(5)$, the operator ${{\mathcal{M}}}_{{Xs}}^{(u| \overrightarrow{u-1})}:=$ ${\displaystyle \sum }_{t}{\displaystyle \sum }_{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}}$ ${(\sqrt{I-{M}_{{\rm{f}}}}\;{A}_{t,{\rm{B}}| {O}_{u-1}}^{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}})}^{\dagger }$ ${M}_{{Xs}}(\sqrt{I-{M}_{{\rm{f}}}}\;{A}_{t,{\rm{B}}| {O}_{u-1}}^{\overrightarrow{u-1},\overrightarrow{{N}_{1}-u}})$, the states ${| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}$ are defined in equation (80), and ${T}_{{M}_{{Xs}}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{{A}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]\right]$ is the $u$ th conditional probability that Bob's measurement outcome in the $X$ basis is $s\in \{0,1\}$ given that Alice sends him the state ${\mathrm{Tr}}_{{A}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]$ and the filter operation succeeds conditioned on the first $u-1$ measurement results. For convenience, we shall refer to ${T}_{{M}_{{Xs}}}^{(u| \overrightarrow{u-1})}[A]$ as the transmission rate of $A$.

If we apply Azuma's inequality (see lemma 4 in appendix B), we obtain

$$\begin{eqnarray}&&\left|\displaystyle \sum _{u=1}^{{N}_{1}}{P}_{{\rm{\Omega }},s}(u| {\xi }_{0},\ldots ,{\xi }_{u-1})-{{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}\right|\leqslant {{\rm{\Delta }}}_{{\rm{A}},{\rm{\Omega }}}^{s},\end{eqnarray} \tag{ 94 }$$

except with error probability ${\epsilon }_{{\rm{A}},{\rm{\Omega }}}^{s}$, where ${{\rm{\Delta }}}_{{\rm{A}},{\rm{\Omega }}}^{s}={g}_{{\rm{A}}}({N}_{1},{\epsilon }_{{\rm{A}},{\rm{\Omega }}}^{s})$.

By combining this result with that from equation (93), we have that

$$\begin{eqnarray}&&\displaystyle \frac{{{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}-{{\rm{\Delta }}}_{{\rm{A}},{\rm{\Omega }}}^{s}}{Q({\rm{\Omega }})}\leqslant \displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{{{\rm{A}}}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]\right]\leqslant \displaystyle \frac{{{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}+{{\rm{\Delta }}}_{{\rm{A}},{\rm{\Omega }}}^{s}}{Q({\rm{\Omega }})}.\end{eqnarray} \tag{ 95 }$$

Note that the parameters ${{\rm{\Lambda }}}_{{\rm{\Omega }},s}^{({N}_{1})}$, with ${\rm{\Omega }}\in \{3,4,5\}$, can be upper and lower bounded using the decoy-state method. We shall denote the failure probability of this estimation as ${\epsilon }_{Z0,{Xs}}{\text{}},{\epsilon }_{Z1,{Xs}}\;\mathrm{and}\;{\epsilon }_{X0,{Xs}}$, respectively.

As a result, we obtain bounds on ${\displaystyle \sum }_{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{{A}_{1}}P[{| {\phi }^{({\rm{\Omega }})}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}]\right]$ that maximize the number of phase errors ${N}_{\mathrm{ph}}$ in the single-photon emissions within the set $| {Z}_{{k}_{{\rm{s}}}}|$. They are denoted as ${N}_{{M}_{{Xs}}}({\rm{\Omega }})$ and have the form

$$\begin{eqnarray}&&{N}_{{M}_{{Xs}}}(3):= \left\{\displaystyle \frac{\underline{{\mathrm{Decoy}}_{1}}(Z0,{Xs})-{{\rm{\Delta }}}_{{\rm{A}},3}^{s}}{Q(3)}\;\mathrm{or}\;\displaystyle \frac{\bar{{\mathrm{Decoy}}_{1}}(Z0,{Xs})+{{\rm{\Delta }}}_{{\rm{A}},3}^{s}}{Q(3)}\right\},\end{eqnarray} \tag{ 96 }$$

$$\begin{eqnarray}&&{N}_{{M}_{{Xs}}}(4):= \left\{\displaystyle \frac{\underline{{\mathrm{Decoy}}_{1}}(Z1,{Xs})-{{\rm{\Delta }}}_{{\rm{A}},4}^{s}}{Q(4)}\;\mathrm{or}\;\displaystyle \frac{\bar{{\mathrm{Decoy}}_{1}}(Z1,{Xs})+{{\rm{\Delta }}}_{{\rm{A}},4}^{s}}{Q(4)}\right\},\end{eqnarray} \tag{ 97 }$$

$$\begin{eqnarray}&&{N}_{{M}_{{Xs}}}(5):= \left\{\displaystyle \frac{\underline{{\mathrm{Decoy}}_{1}}(X0,{Xs})-{{\rm{\Delta }}}_{{\rm{A}},5}^{s}}{Q(5)}\;\mathrm{or}\;\displaystyle \frac{\bar{{\mathrm{Decoy}}_{1}}(X0,{Xs})+{{\rm{\Delta }}}_{{\rm{A}},5}^{s}}{Q(5)}\right\}.\end{eqnarray} \tag{ 98 }$$

When ${\rm{\Omega }}\in \{1,2\}$, the quantity ${T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}\left[{\tilde{\rho }}_{{sx}}^{\mathrm{vir}}\right]$, with $s\in \{0,1\}$, represents the transmission rate of the virtual states ${\tilde{\rho }}_{{sx}}^{\mathrm{vir}}={\mathrm{Tr}}_{B}(P[{| {\tilde{\psi }}_{{s}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}])$, with ${| {\tilde{\psi }}_{{s}_{x}}^{\mathrm{vir}}\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}$ given by equation (78). This quantity can be decomposed into the transmission rate of the Pauli operators ${\sigma }_{I},{\sigma }_{X}\;\mathrm{and}\;{\sigma }_{Z}$. However, for later convenience, we will decompose it as a function of ${\tilde{\rho }}_{0z}\;\mathrm{and}\;{\tilde{\rho }}_{1z}$, together with ${\sigma }_{I},{\sigma }_{X}\;\mathrm{and}\;{\sigma }_{Z}$. Here, the states ${\tilde{\rho }}_{0z}\;\mathrm{and}\;{\tilde{\rho }}_{1z}$ are defined in equation (31). In particular, from equation (78) we find that

$$\begin{eqnarray}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}\left[{\tilde{\rho }}_{{sx}}^{\mathrm{vir}}\right] & = & \displaystyle \frac{1}{2\left[1+{(-1)}^{s}\langle {\tilde{\psi }}_{{0}_{z}}| {\tilde{\psi }}_{{1}_{z}}{\rangle }_{{{\rm{A}}}_{1},{\rm{B}}}\right]}\left\{{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]+{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\right.\\ & & +{(-1)}^{s}\left({T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{B}(P[| {\tilde{\psi }}_{{0}_{z}}\rangle {\langle {\tilde{\psi }}_{{1}_{z}}| }_{{{\rm{A}}}_{1},{\rm{B}}}])\right]\right.\\ & & +\left.\left.{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}\left[{\mathrm{Tr}}_{B}(P[| {\tilde{\psi }}_{{1}_{z}}\rangle {\langle {\tilde{\psi }}_{{0}_{z}}| }_{{{\rm{A}}}_{1},{\rm{B}}}])\right]\right)\right\}\\ & = & \displaystyle \frac{1}{2\{1+{(-1)}^{s}(\sqrt{{P}_{0}^{0z}{P}_{0}^{1z}}\left\langle{\phi }_{0}^{0z}| {\phi }_{0}^{1z}\right\rangle+\sqrt{{P}_{1}^{0z}{P}_{1}^{1z}}\left\langle{\phi }_{1}^{0z}| {\phi }_{1}^{1z}\right\rangle)\}}\\ & & \left[{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]+{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\right.\\ & & +{(-1)}^{s}\displaystyle \sum _{t=0}^{1}\sqrt{{P}_{t}^{0z}{P}_{t}^{1z}}\left\{({a}_{t}^{0z}{a}_{t}^{1z}+{b}_{t}^{0z}{b}_{t}^{1z}){T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{I}]\right.\\ & & +({a}_{t}^{0z}{b}_{t}^{1z}+{a}_{t}^{0z}{b}_{t}^{1z}){T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{X}]\\ & & +\left.({a}_{t}^{0z}{a}_{t}^{1z}-{b}_{t}^{0z}{b}_{t}^{1z}){T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{Z}]\right],\end{eqnarray} \tag{ 99 }$$

where we have used equation (75) in the second equality and see equation (35) for the definition of ${a}_{t}^{S}\;\mathrm{and}\;{b}_{t}^{S}$.

In addition, we have that the transmission rate of ${\tilde{\rho }}_{0z},{\tilde{\rho }}_{1z}\;\mathrm{and}\;{\tilde{\rho }}_{0x}$ can be decomposed using the Pauli operators as follows

$$\begin{eqnarray}&&\left(\begin{array}{c}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0x}]\end{array}\right)\\ =\;\left(\begin{array}{ccc}1/2 & {r}_{x}^{0z}/2 & {r}_{z}^{0z}/2\\ 1/2 & {r}_{x}^{1z}/2 & {r}_{z}^{1z}/2\\ 1/2 & {r}_{x}^{0x}/2 & {r}_{z}^{0x}/2\end{array}\right)\left(\begin{array}{c}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{I}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{X}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{Z}]\end{array}\right)\;=:\;A\left(\begin{array}{c}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{I}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{X}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{Z}]\end{array}\right).\end{eqnarray} \tag{ 100 }$$

Hence, the transmission rate of the Pauli operators can be described as

$$\begin{eqnarray}&&\left(\begin{array}{c}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{I}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{X}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\sigma }_{Z}]\end{array}\right)={A}^{-1}\left(\begin{array}{c}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\\ {T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0x}]\end{array}\right),\end{eqnarray} \tag{ 101 }$$

where the inverse matrix ${A}^{-1}$ is given in equation (37).

Now, if we combine equations (99), (101) and (95), we obtain that ${N}_{\mathrm{ph}}$ is upper bounded by

$$\begin{eqnarray}{N}_{\mathrm{ph}} & = & {{\rm{\Lambda }}}_{1,1}^{({N}_{1})}+{{\rm{\Lambda }}}_{2,0}^{({N}_{1})}\leqslant \displaystyle \sum _{s=0}^{1}P(s+1)\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}\left[{\tilde{\rho }}_{{sx}}^{\mathrm{vir}}\right]+{{\rm{\Delta }}}_{{\rm{A}},s+1}^{s\oplus 1}\\ & = & \displaystyle \sum _{s=0}^{1}\displaystyle \frac{P(s+1)}{2\{1+{(-1)}^{s}(\sqrt{{P}_{0}^{0z}{P}_{0}^{1z}}\left\langle{\phi }_{0}^{0z}| {\phi }_{0}^{1z}\right\rangle+\sqrt{{P}_{1}^{0z}{P}_{1}^{1z}}\left\langle{\phi }_{1}^{0z}| {\phi }_{1}^{1z}\right\rangle)\}}\\ & & \left[\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]+\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\right.\\ & & +{(-1)}^{s}\displaystyle \sum _{t=0}^{1}\sqrt{{P}_{t}^{0z}{P}_{t}^{1z}}\left\{{C}_{t,0}\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0z}]+{C}_{t,1}\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{1z}]\right.\\ & & \left.\left.+{C}_{t,2}\displaystyle \sum _{u=1}^{{N}_{1}}{T}_{{M}_{{Xs}\oplus 1}}^{(u| \overrightarrow{u-1})}[{\tilde{\rho }}_{0x}]\right\}\right]+{{\rm{\Delta }}}_{{\rm{A}},s+1}^{s\oplus 1}.\end{eqnarray} \tag{ 102 }$$

Finally, by using the results given by equations (96)–(98), we find that

$$\begin{eqnarray}{N}_{\mathrm{ph}} & \leqslant & \displaystyle \sum _{s=0}^{1}\displaystyle \frac{P(s+1)}{2\{1+{(-1)}^{s}(\sqrt{{P}_{0}^{0z}{P}_{0}^{1z}}\left\langle{\phi }_{0}^{0z}| {\phi }_{0}^{1z}\right\rangle+\sqrt{{P}_{1}^{0z}{P}_{1}^{1z}}\left\langle{\phi }_{1}^{0z}| {\phi }_{1}^{1z}\right\rangle)\}}\left[[,{N}_{{M}_{{Xs}}}(3)+{N}_{{M}_{{Xs}}}(4)\right.\\ & & +\left.{(-1)}^{s}\displaystyle \sum _{t=0}^{1}\sqrt{{P}_{t}^{0z}{P}_{t}^{1z}}\left\{\{,{C}_{t,0}{N}_{{M}_{{Xs}}}(3)+{C}_{t,1}{N}_{{M}_{{Xs}}}(4)+{C}_{t,2}{N}_{{M}_{{Xs}}}(5),\}\right\},]\right]+{{\rm{\Delta }}}_{{\rm{A}},s+1}^{s\oplus 1}\end{eqnarray} \tag{ 103 }$$

$$\begin{eqnarray}&&=:\;{N}_{\mathrm{ph}}^{{\rm{U}}},\end{eqnarray} \tag{ 104 }$$

except with error probability

$$\begin{eqnarray}{\varepsilon }_{\mathrm{ph}} & = & {\epsilon }_{{\rm{A}},1}^{1}+{\epsilon }_{{\rm{A}},2}^{0}+\displaystyle \sum _{s\in \{0,1\},{\rm{\Omega }}\in \{3,4,5\}}{\epsilon }_{{\rm{A}},{\rm{\Omega }}}^{s}\\ & & +\displaystyle \sum _{s\in \{0,1\}}({\epsilon }_{Z0,{Xs}}+{\epsilon }_{Z1,{Xs}}+{\epsilon }_{X0,{Xs}}),\end{eqnarray} \tag{ 105 }$$

where ${\epsilon }_{{\rm{A}},{\rm{\Omega }}}^{s}$ is the failure probability that equation (94) does not hold for ${\rm{\Omega }}\in \{1,\ldots ,5\}\;\mathrm{and}\;s\in \{0,1\}$. Also, ${\epsilon }_{Z0(1),{Xs}}\;\mathrm{and}\;{\epsilon }_{X0,{Xs}}$ are the failure probabilities of the decoy state method i.e., the failure probabilities of the estimation of ${{\rm{\Lambda }}}_{3(4),s}^{({N}_{1})}\;\mathrm{and}\;{{\rm{\Lambda }}}_{5,s}^{({N}_{1})}$, respectively.

In this appendix we present the calculations used to obtain figures 2, 4 and 6 in the main text.

In particular, we consider that Alice sends Bob pairs of coherent states of the form ${| \sqrt{{k}_{\mathrm{ref}}}{{\rm{e}}}^{{\rm{i}}\chi }\rangle }_{{\rm{r}}}{| \sqrt{{k}_{\mathrm{sig}}}{{\rm{e}}}^{{\rm{i}}(\chi +{\theta }_{{\rm{A}}}+{\rm{\Delta }}{\theta }_{{\rm{A}}})}\rangle }_{{\rm{s}}}$, and we set Alice's (Bob's) phase modulation error to ${\rm{\Delta }}{\theta }_{{\rm{A}}}=\xi {\theta }_{{\rm{A}}}/\pi$ (${{\rm{\Delta }}}_{{\rm{B}}}=-{{\rm{\Delta }}}_{{\rm{A}}}$). Also, we assume a Gaussian distribution for the intensity fluctuations of the laser within an interval $[{k}^{-},{k}^{+}]$. That is, we consider that the probability density function of the fluctuations is given by ${p}_{{\rm{G}}}(k)=A\mathrm{exp}[{-(k-\mu )}^{2}/2{\sigma }^{2}]$, where $\mu$ is the desired value (e.g., ${k}_{{\rm{s}}},{k}_{{\rm{d}}1}$, and ${k}_{{\rm{d}}2}$), the dispersion ${\sigma }^{2}$ has the form ${\sigma }^{2}=r\mu /5$, and the normalization factor $A$ is such that ${\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k){\rm{d}}k=1$.

Calculation of the parameters ${m}_{0}^{{\rm{L}}}\;\mathrm{and}\;{m}_{1}^{{\rm{L}}}$.

For this, we need to obtain $| {Z}_{k}|$ for all $k\in K$. Afterwards, we simply apply the procedure described in section 4.1 (for the exact intensity control case) and in section 4.2 (for the intensity fluctuation case).

We consider that the total number of pulses sent by Alice using the intensity setting $k$ is given by ${N}_{k}={{Np}}_{k}$, where $N$ denotes the total number of transmissions until the conditions in the Sifting step of the protocol are met. The total system loss ${\eta }_{\mathrm{sy}}:= {\eta }_{\mathrm{det}}{\eta }_{\mathrm{ch}}$ includes the channel loss and the detection efficiency of Bob's detectors. The conditional probability ${p}^{(k)}({Zj}| {Zi})$ that Bob obtains the bit $j\in \{0,1\}$ using the $Z$ basis given that Alice sends him a bit $i$ encoded with the intensity $k$ and also in the $Z$ basis can be written as

$$\begin{eqnarray}&&{p}^{(k)}(Z0| Z0)={\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k)\left[1-(1-{p}_{{\rm{d}}}){{\rm{e}}}^{-{\eta }_{\mathrm{sy}}k}\right]{\rm{d}}k,\end{eqnarray} \tag{ 106 }$$

$$\begin{eqnarray}&&{p}^{(k)}(Z1| Z0)={p}_{{\rm{d}}},\end{eqnarray} \tag{ 107 }$$

$$\begin{eqnarray}&&{p}^{(k)}({Zj}| Z1)={\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k)\left[1-(1-{p}_{{\rm{d}}})\mathrm{exp}\left(-\displaystyle \frac{{\eta }_{\mathrm{sy}}k(1-{(-1)}^{j}\mathrm{cos}\xi )}{2}\right)\right]{\rm{d}}k.\end{eqnarray} \tag{ 108 }$$

The conditional probability ${p}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zi})$ that Bob interprets the bit value $j$ (after a random assignment of double click events to single clicks events) when he uses the $Z$ basis given that Alice sends him a pulse with the intensity $k$, prepared in the $Z$ basis, and encoding the bit value $i$ is written as

$$\begin{eqnarray}{p}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zi}) & = & {p}^{(k)}({Zj}| {Zi})(1-{p}^{(k)}({Zj}\oplus 1| {Zi}))\\ & & +\displaystyle \frac{1}{2}{p}^{(k)}({Zj}| {Zi}){p}^{(k)}({Zj}\oplus 1| {Zi}).\end{eqnarray} \tag{ 109 }$$

To simulate the misalignment in the optical system we transform this probability as

$$\begin{eqnarray}&&{P}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zj})={p}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zj})(1-{e}_{\mathrm{mis}}),\end{eqnarray} \tag{ 110 }$$

$$\begin{eqnarray}&&{P}^{(k)}({Zj}\oplus 1\;\wedge \;\bar{{Zj}}| {Zj})={p}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zj}){e}_{\mathrm{mis}}+{p}^{(k)}({Zj}\oplus 1\;\wedge \;\bar{{Zj}}| {Zj}).\end{eqnarray} \tag{ 111 }$$

In so doing, we obtain

$$\begin{eqnarray}&&| {Z}_{k}| ={N}_{k}{p}_{z}^{2}\displaystyle \sum _{i,j\in \{0,1\}}{P}^{(k)}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zi}).\end{eqnarray} \tag{ 112 }$$

The bit error rate in the $Z$ basis when Alice sends Bob a pulse using the signal intensity is given by

$$\begin{eqnarray}&&{e}_{z}=\displaystyle \frac{{\displaystyle \sum }_{j\in \{\mathrm{0,1}\}}{P}^{({k}_{{\rm{s}}})}({Zj}\oplus 1\;\wedge \;\bar{{Zj}}| {Zj})}{{\displaystyle \sum }_{i,j\in \{\mathrm{0,1}\}}{P}^{({k}_{{\rm{s}}})}({Zj}\;\wedge \;\bar{{Zj}\oplus 1}| {Zi})}.\end{eqnarray} \tag{ 113 }$$

Calculation of the parameter ${N}_{\mathrm{ph}}$.

According to equation (36), we have that ${N}_{\mathrm{ph}}$ is upper bounded by

$$\begin{eqnarray}{N}_{\mathrm{ph}} & \leqslant & \displaystyle \frac{1-\mathrm{sin}\displaystyle \frac{\xi }{2}}{2}{\left(\displaystyle \frac{{p}_{z}}{{p}_{x}}\right)}^{2}(\bar{{\mathrm{Decoy}}_{1}}(X0,X1)+{{\rm{\Delta }}}_{{\rm{A}},5}^{1})\\ & & +\displaystyle \frac{{p}_{z}}{{p}_{x}}(\bar{{\mathrm{Decoy}}_{1}}(Z0,X0)+\bar{{\mathrm{Decoy}}_{1}}(Z1,X0)+{{\rm{\Delta }}}_{{\rm{A}},3}^{0}+{{\rm{\Delta }}}_{{\rm{A}},4}^{0})\\ & & -\displaystyle \frac{1-\mathrm{sin}\displaystyle \frac{\xi }{2}}{2}{\left(\displaystyle \frac{{p}_{z}}{{p}_{x}}\right)}^{2}(\underline{{\mathrm{Decoy}}_{1}}(X0,X0)+{{\rm{\Delta }}}_{{\rm{A}},5}^{0})+{{\rm{\Delta }}}_{{\rm{A}},1}+{{\rm{\Delta }}}_{{\rm{A}},2}.\end{eqnarray} \tag{ 114 }$$

To obtain $\bar{{\mathrm{Decoy}}_{1}}(X0,X1)\;\mathrm{and}\;\underline{{\mathrm{Decoy}}_{1}}(X0,X0)$ we first calculate the probability ${p}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| X0)$ that Bob obtains the bit $j$ with the $X$ basis given that Alice sends him a pulse of intensity $k$ using the $X$ basis and encoding the bit value $0$. For this, we have that

$$\begin{eqnarray}&&{p}^{(k)}({Xj}| X0)={\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k)\left[1-\mathrm{exp}[-\displaystyle \frac{{\eta }_{\mathrm{sy}}k(1+{(-1)}^{j}\mathrm{cos}\xi )}{2}](1-{p}_{{\rm{d}}})\right]{\rm{d}}k.\end{eqnarray} \tag{ 115 }$$

Then, by using equation (109) we find

$$\begin{eqnarray}{p}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| X0) & = & {p}^{(k)}({Xj}| X0)(1-{p}^{(k)}({Xj}\oplus 1| X0))\\ & & +\displaystyle \frac{1}{2}{p}^{(k)}(X0| X0){p}^{(k)}(X1| X0).\end{eqnarray} \tag{ 116 }$$

Finally, we include the effect of the misalignment in the optical systems. That is, we transform ${p}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| {Xi})$ as

$$\begin{eqnarray}&&{P}^{(k)}(X0\;\wedge \;\bar{X1}| X0)={p}^{(k)}(X0\;\wedge \;\bar{X1}| X0)(1-{e}_{\mathrm{mis}}),\end{eqnarray} \tag{ 117 }$$

$$\begin{eqnarray}&&{P}^{(k)}(X1\;\wedge \;\bar{X0}| X0)={p}^{(k)}(X0\;\wedge \;\bar{X1}| X0){e}_{\mathrm{mis}}+{p}^{(k)}(X1\;\wedge \;\bar{X0}| X0).\end{eqnarray} \tag{ 118 }$$

The number $| {X}_{k}^{j}|$ is therefore given by

$$\begin{eqnarray}&&| {X}_{k}^{j}| ={N}_{k}{p}_{x}^{2}{P}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| X0).\end{eqnarray} \tag{ 119 }$$

Next, we calculate $\bar{\mathrm{Decoy}{}_{1}}(Z0,X0)\;\mathrm{and}\;\bar{\mathrm{Decoy}{}_{1}}(Z1,X0)$. For this we need to obtain $| {Z}^{i}{X}_{k}^{j}|$. We have that the probability ${p}^{(k)}({Xj}| {Zi})$ that Bob obtains the bit $j$ with the $X$ basis given that Alice sends him a pulse of intensity $k$, prepared in the $Z$ basis, and encoding the bit value $i$ is given by

$$\begin{eqnarray}&&{p}^{(k)}({Xj}| Z0)={\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k)\left[1-\mathrm{exp}\left(\displaystyle \frac{-{\eta }_{\mathrm{sy}}k(1+{(-1)}^{j}\mathrm{sin}\xi /2)}{2}\right)(1-{p}_{{\rm{d}}})\right]{\rm{d}}k,\end{eqnarray} \tag{ 120 }$$

$$\begin{eqnarray}&&{p}^{(k)}({Xj}| Z1)={\displaystyle \int }_{{k}^{-}}^{{k}^{+}}{p}_{{\rm{G}}}(k)\left[1-\mathrm{exp}\left(\displaystyle \frac{-{\eta }_{\mathrm{sy}}k(1-{(-1)}^{j}\mathrm{sin}3\xi /2)}{2}\right)(1-{p}_{{\rm{d}}})\right]{\rm{d}}k.\end{eqnarray} \tag{ 121 }$$

In this scenario the probability ${P}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| {Zi})$ has the form

$$\begin{eqnarray}{P}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| {Zi}) & = & {p}^{(k)}({Xj}| {Zi})(1-{p}^{(k)}({Xj}\oplus 1| {Zi}))\\ & & +\displaystyle \frac{1}{2}{p}^{(k)}({Xj}| {Zi}){p}^{(k)}({Xj}\oplus 1| {Zi}),\end{eqnarray} \tag{ 122 }$$

and therefore the quantity $| {Z}^{i}{X}_{k}^{j}|$ can be written as

$$\begin{eqnarray}&&| {Z}^{i}{X}_{k}^{j}| ={N}_{k}\displaystyle \frac{{p}_{x}{p}_{z}}{2}{P}^{(k)}({Xj}\;\wedge \;\bar{{Xj}\oplus 1}| {Zi}).\end{eqnarray} \tag{ 123 }$$