Security evaluation of quantum key distribution with weak basis-choice flaws

Abstract

Quantum key distribution (QKD) can share an unconditional secure key between two remote parties, but the deviation between theory and practice will break the security of the generated key. In this paper, we evaluate the security of QKD with weak basis-choice flaws, in which the random bits used by Alice and Bob are weakly controlled by Eve. Based on the definition of Li et al. (Sci Rep 5:16200, 2015) and GLLP’s analysis, we obtain a tight and analytical bound to estimate the phase error and key rate for both the single photon source and the weak coherent source. Our approach largely increases the key rate from that of the original approach. Finally, we investigate and confirm the security of BB84-QKD with a practical commercial devices.

Introduction

Based on the principle of quantum mechanics, “quantum cryptography” is a possible means of implementing unconditional secure communication. One famous quantum cryptography approach is quantum key distribution (QKD) combined with One-Time pad. Since the proposal of the first QKD protocol BB84¹, QKD has attracted much interest. The unconditional security of QKD had been proven in both perfect² and imperfect^3,4 devices. QKD has also been experimentally demonstrated in fibers^5,6, free space^7,8, and satellites^9,10. Multi-user quantum networks based on these results have become available in many countries^11–14.

However, because practical devices are imperfect, some assumptions of the theoretical analysis may be violated in practical situations. If the gap between theory and practice is exploited by an eavesdropper (Eve), the security of the final key may be broken. In fact, many loopholes have been discovered in practical QKD systems^15–21. These loopholes are closed by two main approaches: device-independent QKD protocols and security patches. The former include full-device-independent QKD^22,23, measurement-device-independent QKD^24–26, and semi-device-independent QKD²⁷. Security patches account for the parameters of practical devices (as many as possible) in the security model. Although device-independent QKD can remove all or a portion of the loopholes, the task remains technologically challenging, especially in practical commercial QKD networks. Thus, most practical QKD systems implement security patches.

In the BB84 protocol, both Alice and Bob must determine how to prepare and measure the quantum states. For this purpose, they require random bits. In practical situations, the random bits may be weakly known or controlled by Eve, and the security of the generated key is compromised. A typical attack that exploits the weak randomness of QKD is wavelength attack^16,17. The security of QKD with weak randomness was first studied by Li et al.²⁸, and has since been applied to different cases^29,30. In Li’s analysis, if the legitimate parties use the “one-step post processing method” to distill the final key, even a small degree of non-randomness will rapidly reduce the final key rate. The key rate can be improved if the legitimate parties adopt the “two-step post processing method”, or biased basis protocol, in which Alice and Bob distill the key from the rectilinear and diagonal bases, respectively. However, to maximize Eve’s information, they must perform global optimization, which is hampered by at least two disadvantages: large time cost and convergence to a local optimum. The time cost is incurred by the complexity or cost of post processing, and local (rather than global) optimization compromises the security of the generated key.

To mitigate these problems, we develop an analytical formula that estimates the key rate for both the single photon source (SPS) and the weak coherent source (WPS). In numerical simulations, our method significantly increased the key rate over the original method of Li et al.²⁸. For example, the original method of Ref.²⁸ can generate no secure key for a SPS with a basis-choice flaw of 0.1 when the bit error rate exceeds 3.4%, but our method achieves a final key rate of 0.45 under these conditions. Furthermore, to evaluate the performance of QKD under wavelength attack, we also estimate the key rate of a practical QKD system with a passive basis-choice.

Results

Weak randomness and one-step post processing

This section briefly reviews the analysis of Ref.²⁸. Alice determines her quantum state from two random bits: $x_0$ for bit and $x_1$ for basis. Meanwhile, Bob chooses his basis from a random bit, y. As the final key is distilled only when Alice and Bob choose the same basis ($x_1=y$), the following analysis is limited to the case $x_1=y$. In a practical QKD system, $x_0$ ($x_1$) may be weakly controlled by Eve with a hidden variable ${\lambda }_0$ (${\lambda }_1$). Setting k and $k^{\prime }$ = [0, 1] as the values of $x_0$ and $x_1$, respectively, the probabilities of obtaining $x_0=k$ and $x_1=k^{\prime }$ are respectively given by

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill p\left(x_0,=,k\right)& =\sum _i{p}_{{\lambda }_0=i}p\left(x_0,=k|,{\lambda }_0,=,i\right),\hfill \\ \hfill p\left(x_1,=,k^{\prime }\right)& =\sum _j{p}_{{\lambda }_1=j}p\left(x_1,=,k^{\prime },|,{\lambda }_1,=,j\right).\hfill \end{array}\end{array}$$ 1

Here ${\sum }_i{p}_{{\lambda }_0=i}={\sum }_j{p}_{{\lambda }_1=j}=1$. Due to the existence of the hidden variable ${\lambda }_0$, we cannot guarantee that $p(x_0=0|{\lambda }_0=i)=p(x_0=1|{\lambda }_0=i)=1/2$ holds for all i, even if $p(x_0=0)=p(x_0=1)=1/2$ holds. The same conclusion is reached for $p(x_1=k^{\prime })$. To evaluate the weak randomness of $x_0$ and $x_1$, the deviations is defined as

$$\begin{array}{c}\hfill \begin{array}{c}\hfill \left|p,\left(x_0,=k|,{\lambda }_0,=,i\right),-,\frac{1}{2}\right|\le {\epsilon }_0,\\ \hfill \left|p,\left(x_1,=,k^{\prime },|,{\lambda }_1,=,j\right),-,\frac{1}{2}\right|\le {\epsilon }_1,\end{array}\end{array}$$ 2

respectively. Here, $0\le {\epsilon }_0,{\epsilon }_1\le 1$ define the amount of prior information known to Eve.

When the hidden variables ${\lambda }_0=i$ and ${\lambda }_1=j$ are given, the quantum state shared by Alice and Bob can be written as²⁸

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\rho }_{\mathit{AB}}^{i,j}=& \sum _{\mu ,\nu }{q}_{\mu ,\nu }\left\{p,\left(x_1,=0|,{\lambda }_1,=,j\right),I,\otimes ,X^{\mu },Z^{\nu },|\phi ⟩,\left.〈{\left(\phi \right|}_{{\lambda }_0=i},Z^{\nu },X^{\mu },\otimes ,I\right)\right)\hfill \\ \hfill & +p\left(x_1,=1|,{\lambda }_1,=,j\right)I\otimes H{X}^{\mu }{Z}^{\nu }H|\phi ⟩\left.〈{\left(\phi \right|}_{{\lambda }_0=i},H,Z^{\nu },X^{\mu },H,\otimes ,I\right\},\hfill \end{array}\end{array}$$ 3

with

$$\begin{array}{c}\hfill {|\phi ⟩}_{{\lambda }_0=i}=\sqrt{p\left(x_0,=0|,{\lambda }_0,=,i\right)}|00⟩+\sqrt{p\left(x_0,=1|,{\lambda }_0,=,i\right)}|11⟩.\end{array}$$ 4

Here, $\mu ,\nu \in \{0,1\}$, and $q_{\mu ,\nu }$ is the probability that Eve performs different operators on the quantum state ${|\phi ⟩}_{{\lambda }_0=i}$. These probabilities satisfy ${\sum }_{\mu ,\nu }{q}_{\mu ,\nu }=1$. I is the unity matrix, X and Z are Pauli matrices, and $H=\frac{1}{\sqrt{2}}\left[\begin{array}{cc}1& 1\\ 1& -1\end{array}\right].$

In the following, we first discuss the case of SPS, then expand our results to WPS. In SPS, the total key rate is given by

$$\begin{array}{c}\hfill R\ge \sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{R}^{i,j}.\end{array}$$ 5

The key rate for a given i, j is

$$\begin{array}{c}\hfill R_{\mathit{sps}}^{i,j}\ge 1-H(e_{\mathit{phase}}^{i,j})-H(e_{\mathit{bit}}^{i,j}),\end{array}$$ 6

where $e_{\mathit{bit}}^{i,j}$ ($e_{\mathit{phase}}^{i,j}$) is the bit error (phase error) of the given i, j. Because an experiment reveals only the total bit error $e_{\mathit{bit}}={\sum }_{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{e}_{\mathit{bit}}^{i,j}$, Eq. (5) can be rewritten as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill R_{\mathit{sps}}& =\sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}\left[1,-,H,(e_{\mathit{phase}}^{i,j}),-,H,(e_{\mathit{bit}}^{i,j})\right]\hfill \\ \hfill & \ge 1-H(\sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{e}_{\mathit{phase}}^{i,j})-H(e_{\mathit{bit}})\hfill \\ \hfill & \equiv 1-H(e_{\mathit{phase}})-H(e_{\mathit{bit}}).\hfill \end{array}\end{array}$$ 7

Here $e_{\mathit{phase}}$ is the total phase error, and the second inequality uses the Jensen inequality because H(x) is concave. Before obtaining the lower bound of the key rate, we should estimate the upper bound of $e_{\mathit{phase}}$. The authors of²⁸ proved that for the density matrix given by Eq. (3), the upper bound of the phase error can be written as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill e_{\mathit{phase}}^{i,j}& \le e_{\mathit{bit}}^{i,j}+\delta ,\hfill \\ \hfill e_{\mathit{phase}}=\sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{e}_{\mathit{phase}}^{i,j}& \le \sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{e}_{\mathit{bit}}^{i,j}+\delta =e_{\mathit{bit}}+\delta ,\hfill \end{array}\end{array}$$ 8

where

$$\begin{array}{c}\hfill \delta =max\left\{{\delta }_0,\equiv ,\frac{1}{2},-,\sqrt{\frac{1}{4}-{\epsilon }_0^2},,,,{\delta }_1,\equiv ,2,{\epsilon }_1\right\}.\end{array}$$ 9

The final key rate of a SPS (Eq. 7) is then rewritten as

$$\begin{array}{c}\hfill R_{\mathit{sps}}^o\ge 1-H(e_{\mathit{bit}}+\delta )-H(e_{\mathit{bit}}).\end{array}$$ 10

In this expression, the superscript o distinguishes the original method from our proposed method, which is introduced later. Most practical QKD systems use a WPS. Following GLLP’s analysis³¹, the key rate of Eq. (5) is then written as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill R_{\mathit{wps}}^o& \ge \sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{R}^{i,j}\hfill \\ \hfill & \ge \sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}\left\{-,Q_s^{i,j},f,(E_{s,bit}^{i,j}),H,(E_{s,bit}^{i,j}),+,Q_{s,1}^{i,j},\left[1,-,H,(,e_{1,bit}^{i,j},+,\delta ,)\right]\right\}\hfill \\ \hfill & \ge -Q_{s}f(E_s)H(\sum _{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{E}_{s,bit}^{i,j})+Q_{s,j}\left[1,-,H,(,\sum _{i,j},p_{{\lambda }_0=i},p_{{\lambda }_1=j},e_{1,bit}^{i,j},+,\delta ,)\right]\hfill \\ \hfill & \equiv -Q_{s}f(E_{s,bit})H(E_{s,bit})+Q_{s,1}[1-H(e_{1,bit}+\delta )].\hfill \end{array}\end{array}$$ 11

Here the subscript s denotes the key generated from the signal state with intensity s. $Q_s^{i,j}$ ($E_{s,bit}^{i,j}$) is the total gain (bit error) for a given i, j, and $Q_{s,1}^{i,j}$ ($e_{1,bit}^{i,j}$) is the yield (bit error) of the single photon pulse for the given i, j. The terms $Q_s={\sum }_{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{Q}_s^{i,j}$ ($Q_{s,1}={\sum }_{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{Q}_{s,1}^{i,j}$) and $E_{s,bit}={\sum }_{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{E}_{s,bit}^{i,j}$ ($e_{1,bit}={\sum }_{i,j}{p}_{{\lambda }_0=i}{p}_{{\lambda }_1=j}{e}_{1,bit}^{i,j}$) are the total gain and error, respectively, for all i, j. $f(E_{s,bit})=f(E_{s,bit}^{i,j})=1.22$ is the efficiency of the error correction, which can be considered constant. In the third inequality, we recognize that $Q_s\ge Q_s^{i,j}\ge 0$ and $Q_{s,1}\ge Q_{s,1}^{i,j}\ge 0$ for all i, j. The gain $Q_s$ and error $E_{s,bit}$ in the equality can be directly measured in experiments, and the contributions of the single photon pulse ($Q_{s,1}$ and $e_{1,bit}$) should be estimated by the decoy state method^32–34.

Our method with one-step post processing

In this section, we show that the upper bound of the phase error (Eq. 8) is suboptimal, and that the key rate can be improved by imposing a tight bound. Given the density matrix ${\rho }_{\mathit{AB}}^{i,j}$ (Eq. 3), the bit error rate and phase error rate are respectively written as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill e_{\mathit{bit}}^{i,j}& =⟨{\varphi }_2|{\rho }_{\mathit{AB}}^{i,j}|{\varphi }_2⟩+⟨{\varphi }_4|{\rho }_{\mathit{AB}}^{i,j}|{\varphi }_4⟩=q_{01}p(x_1=1|{\lambda }_1=j)+q_{10}p(x_1=0|{\lambda }_1=j)+q_{11}\hfill \\ \hfill & \ge \left(\frac{1}{2},-,{\epsilon }_1\right)(q_{01}+q_{10})+q_{11}\equiv e_{bit,low}^{i,j},\hfill \\ \hfill e_{\mathit{phase}}^{i,j}& =⟨{\varphi }_3|{\rho }_{\mathit{AB}}^{i,j}|{\varphi }_3⟩+⟨{\varphi }_4|{\rho }_{\mathit{AB}}^{i,j}|{\varphi }_4⟩\hfill \\ \hfill & =q_{00}{\delta }_0+q_{11}(1-{\delta }_0)+q_{01}\left\{\frac{1}{2},+,\left[p,(x_1=0|{\lambda }_1=j),-,p,(x_1=1|{\lambda }_1=j)\right],(\frac{1}{2}-{\delta }_0)\right\}\hfill \\ \hfill & +q_{10}\left\{\frac{1}{2},+,[p(x_1=1|{\lambda }_1=j)-p(x_1=0|{\lambda }_1=j)],(\frac{1}{2}-{\delta }_0)\right\}.\hfill \end{array}\end{array}$$ 12

Here, $|{\varphi }_1⟩=(|00⟩+|11⟩)/\sqrt{2}$, $|{\varphi }_2⟩=(|01⟩+|10⟩)/\sqrt{2}$,$|{\varphi }_3⟩=(|00⟩-|11⟩)/\sqrt{2}$,$|{\varphi }_4⟩=(|01⟩-|10⟩)/\sqrt{2}$ are the four Bell states. Thus we have

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill e_{\mathit{phase}}^{\mathit{ij}}-e_{\mathit{bit}}^{i,j}& =q_{00}{\delta }_0-q_{11}{\delta }_0+(q_{01}-q_{10})(1-{\delta }_0)[2p(x_1=0|{\lambda }_1=j)-1]\hfill \\ \hfill & \le q_{00}{\delta }_0+q_{11}{\delta }_0+2{\epsilon }_1{q}_{01}+2{\epsilon }_1{q}_{10}\hfill \\ \hfill & =(q_{00}+q_{11}){\delta }_0+2{\epsilon }_1\frac{e_{bit,low}^{i,j}-q_{11}}{1/2-{\epsilon }_1}\hfill \\ \hfill & =\frac{4{\epsilon }_1}{1-2{\epsilon }_1}{e}_{bit,low}^{i,j}-q_{11}\frac{4{\epsilon }_1}{1-2{\epsilon }_1}+(q_{00}+q_{11}){\delta }_0\hfill \\ \hfill & \le \frac{4{\epsilon }_1}{1-2{\epsilon }_1}{e}_{\mathit{bit}}^{i,j}+{\delta }_0,\hfill \end{array}\end{array}$$ 13

where ${\delta }_0$ is defined in Eq. (9), and $0\le q_{\mu \nu }\le 1$ for all $q_{\mu \nu }$. Thus, the upper bound of the phase error can be written as

$$\begin{array}{c}\hfill e_{\mathit{phase}}^{i,j}\le \frac{1+2{\epsilon }_1}{1-2{\epsilon }_1}{e}_{\mathit{bit}}^{i,j}+\frac{1}{2}-\sqrt{\frac{1}{4}-{\epsilon }_0^2}.\end{array}$$ 14

Submitting the above inequality into Eq. (5) and applying the method described in “Weak randomness and one-step post processing”, the final key rate is rewritten as

$$\begin{array}{c}\hfill R^t\ge \left\{\begin{array}{cc}1-H\left(\frac{1+2{\epsilon }_1}{1-2{\epsilon }_1},e_{\mathit{bit}},+,{\delta }_0\right)-H(e_{\mathit{bit}})\hfill & \text{for SPS}\hfill \\ -Q_{s}f(E_{s,bit})H(E_{s,bit})+Q_{s,1}\left[1,-,H,\left(\frac{1+2{\epsilon }_1}{1-2{\epsilon }_1},e_{1,bit},+,{\delta }_0\right)\right]\hfill & \text{for WPS}\hfill \end{array}\right).\end{array}$$ 15

Figure 1 compares the numerical simulation results of the method in Ref.²⁸ (Eqs. 10, 11) and our method (Eq. 15). Our method significantly improved the key rate for both SPS and WPS (the simulation method is given in “ Formulations of simulation”. For example, in the SPS case with ${\epsilon }_0={\epsilon }_1=0.1$, the maximal tolerable error rate was only 3.4% in the method of Ref.²⁸, but was increased to 8.5% by our method. In the WPS case with ${\epsilon }_0={\epsilon }_1=0.1$, no secure key was generated by the method in Ref.²⁸, but a final key of fiber length 132 km was generated by our method.

Figure 1.

Key rates in the original analysis²⁸ (red lines) and the method proposed in this paper (blue lines). Results are plotted for SPS (left) and WPS (right). The black solid line is the result of the ideal case without basis-choice flaws. To simplify the simulation, we assume ${\epsilon }_0={\epsilon }_1$ and infinite decoy states. The WPS case employs the experimental results of GYS³¹; thus, the signal state intensity is $s=0.48$ and the other parameters are set as follows: dark count rate $Y_0=1.7\times {10}^{-6}$, background error rate $e_0=0.5$, fiber loss 0.21 dB/km, Bob’s transmittance ${\eta }_{\mathit{Bob}}=0.045$, and error rate of optical devices $e_{\mathit{det}}=3.3\%$. The method of Ref.²⁸ generates no key in the case of WPS with ${\epsilon }_0={\epsilon }_1=0.1$.

To evaluate the security of practical QKD with weak randomness flaws, we test the performance of commercial BS which may suffer from the wavelength attack. The experimental scheme and results are given in “Formulations of simulation”, and the estimated key rate is listed in Table 1.

Table 1.

Key rates estimated by our method.

T	$-5^{\circ }$	${18}^{\circ }$	${25}^{\circ }$	${40}^{\circ }$	${70}^{\circ }$
${\epsilon }_1$	0.0253	0.0235	0.0250	0.0274	0.0275
$\gamma$ (SPS)$@e_{\mathit{bit}}=3\%$	0.0259	0.0239	0.0255	0.0281	0.0282
$\gamma$ (SPS)$@e_{\mathit{bit}}=5\%$	0.0521	0.0482	0.0514	0.0566	0.0567
$\gamma$ (SPS)$@e_{\mathit{bit}}=7\%$	0.1017	0.0941	0.1004	0.1105	0.1108
$\gamma$ (WPS)$@L=10\text{km}$	0.0445	0.0411	0.0438	0.0483	0.0484
$\gamma$ (WPS)$@L=50\text{km}$	0.0454	0.0420	0.0448	0.0493	0.0495
$\gamma$ (WPS)$@L=100\text{km}$	0.0548	0.0507	0.0541	0.0596	0.0597

Here $\gamma =(R_{\mathit{ideal}}-R_{\mathit{prac}})/R_{\mathit{ideal}}$defines the practical key rate ($R_{\mathit{prac}}$) relative to the ideal key rate without basis-choice flaws ($R_{\mathit{ideal}}$). In the simulations, we set ${\epsilon }_0=0$, and the other parameters were those assumed in Fig. 1.

Biased base QKD protocol

In some practical QKD systems, two bases (Z and X) can deliver different gain or error rate performances. Therefore, to improve the total key rate, we let Alice and Bob observe bases Z and X, respectively. In this section, we analyze the security of biased base QKD with weak randomness. When Alice and Bob distill the key from their respective bases, the key rate becomes

$$\begin{array}{c}\hfill R_{\mathit{SPS}}^{\mathit{two}}\ge p_{\mathit{rec}}[1-H(e_{\mathit{rec}}^b)-H(e_{\mathit{rec}}^p)]+p_{\mathit{dia}}[1-H(e_{\mathit{dia}}^b)-H(e_{\mathit{dia}}^p)].\end{array}$$ 16

Here $e_{\mathit{rec}}^b$ and $e_{\mathit{rec}}^p$ ($e_{\mathit{dia}}^b$ and $e_{\mathit{dia}}^p$) are the bit error and phase error rates, respectively, in the rectilinear (diagonal) basis. Their values are given by

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill e_{\mathit{rec}}^p& =\frac{p_{rec1}{e}_{b01}+p_{rec2}{e}_{b11}}{p_{\mathit{rec}}}+\frac{1}{2}-\sqrt{-{ϵ}_0^2+\frac{1}{4}},\hfill \\ \hfill e_{\mathit{dia}}^p& =\frac{p_{\text{dial}}{e}_{b00}+p_{\text{dia}2}{e}_{b10}}{p_{\text{dia}}}+\frac{1}{2}-\sqrt{-{ϵ}_0^2+\frac{1}{4}}\hfill \\ \hfill e_{\mathit{rec}}^b& =\frac{p_{\text{rec1}}{e}_{b00}+p_{\text{rec}2}{e}_{b10}}{p_{\text{rec}}},\hfill \\ \hfill e_{\mathit{dia}}^b& =\frac{p_{\text{dial}},e_{b01}+p_{\text{dia}2}{e}_{b11}}{P_{\text{dia}}}.\hfill \end{array}\end{array}$$ 17

In these expressions, $e_{b00}$ and $e_{b01}$ ($e_{b10}$ and $e_{b11}$) are the bit error rates in the rectilinear and diagonal bases, respectively, given a hidden variable ${\lambda }_1=0$ (${\lambda }_1=1$). $p_{\mathit{rec}}$ and $p_{\mathit{dia}}$ are the probabilities that Bob obtains the outcome in the rectilinear and diagonal bases, respectively. They are calculated as

$$\begin{array}{c}\hfill p_{\mathit{rec}}=p_{rec1}+p_{rec2},p_{\mathit{dia}}=p_{dia1}+p_{dia2},\end{array}$$ 18

respectively, where $p_{rec1}=p_{{\lambda }_1=0}p\left(x_1,=0|,{\lambda }_1,=,0\right)$, $p_{rec2}=p_{{\lambda }_1=1}p\left(x_1,=0|,{\lambda }_1,=,1\right)$, $p_{dia1}=p_{{\lambda }_1=0}p\left(x_1,=1|,{\lambda }_1,=,0\right)$, and $p_{dia2}=p_{{\lambda }_1=1}p\left(x_1,=1|,{\lambda }_1,=,1\right)$.

As the bit error rates $e_{\mathit{rec}}^b$ and $e_{\mathit{dai}}^b$ can be directly measured in experiments, we need only to estimate the upper bounds of the phase error rates $e_{\mathit{rec}}^p$ and $e_{\mathit{dai}}^p$. Using Eq. (17), the phase error $e_{\mathit{rec}}^p$ becomes

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill e_{\mathit{rec}}^p& =e_{\mathit{dia}}^b\frac{p_{\mathit{dia}}}{p_{\mathit{rec}}}\frac{p_{rec1}{e}_{b01}+p_{rec2}{e}_{b11}}{p_{dia1}{e}_{b01}+p_{dia2}{e}_{b11}}+{\delta }_0\hfill \\ \hfill & =e_{\mathit{dia}}^b\frac{p_{\mathit{dia}}}{p_{\mathit{rec}}}\frac{p_{{\lambda }_1=0}p(x_1=0|{\lambda }_1=0)e_{b01}+p_{{\lambda }_1=1}p(x_1=0|{\lambda }_1=1)e_{b11}}{p_{{\lambda }_1=0}p(x_1=1|{\lambda }_1=0)e_{b01}+p_{{\lambda }_1=1}p(x_1=1|{\lambda }_1=1)e_{b11}}+{\delta }_0\hfill \\ \hfill & \le e_{\mathit{dia}}^b\frac{p_{\mathit{dia}}(1/2+{\epsilon }_1)}{p_{\mathit{rec}}(1/2-{\epsilon }_1)}+{\delta }_0.\hfill \end{array}\end{array}$$ 19

By the above method, we also obtain

$$\begin{array}{c}\hfill e_{\mathit{dia}}^p\le e_{\mathit{rec}}^b\frac{p_{\mathit{rec}}(1/2+{\epsilon }_1)}{p_{\mathit{dia}}(1/2-{\epsilon }_1)}+{\delta }_0.\end{array}$$ 20

Here we assume that the bit weak randomness in Z-basis is the same as that of X-basis, thus the same ${\delta }_0$ is used in the equations above. But, by considering ${\delta }_0$ in the bases respectively, our analysis is also valid for the QKD system with different bit weak randomness.Then Eq. (16) can then be written as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill R_{\mathit{SPS}}^{\mathit{two}}& \ge p_{\mathit{rec}}\left\{1,-,H,(e_{\mathit{rec}}^b),-,H,\left[e_{\mathit{dia}}^b,\frac{p_{\mathit{dia}}(1/2+{\epsilon }_1)}{p_{\mathit{rec}}(1/2-{\epsilon }_1)},+,{\delta }_0\right]\right\}\hfill \\ \hfill & +p_{\mathit{dia}}\left\{1,-,H,(e_{\mathit{dia}}^b),-,H,\left[e_{\mathit{rec}}^b,\frac{p_{\mathit{rec}}(1/2+{\epsilon }_1)}{p_{\mathit{dia}}(1/2-{\epsilon }_1)},+,{\delta }_0\right]\right\}.\hfill \end{array}\end{array}$$ 21

Applying the method above and GLLP’s analysis, the key rate given by Eq. (21) can be expanded to the WPS case as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill R_{\mathit{wps}}^{\mathit{two}}& \ge p_{\mathit{rec}}\left\{-,Q_{s,rec},f,(E_{s,rec}^b),H,(E_{s,rec}^b),+,Q_{1,rec},\left[1,-,H,(,e_{1,dia}^b,\frac{p_{\mathit{dia}}(1/2+{\epsilon }_0)}{p_{\mathit{rec}}(1/2-{\epsilon }_1)},+,{\delta }_0,)\right]\right\}\hfill \\ \hfill & +p_{\mathit{dia}}\left\{-,Q_{s,dia},f,(E_{s,dia}^b),H,(E_{s,dia}^b),+,Q_{1,dia},\left[1,-,H,(,e_{1,rec}^b,\frac{p_{\mathit{rec}}(1/2+{\epsilon }_0)}{p_{\mathit{dia}}(1/2-{\epsilon }_1)},+,{\delta }_0,)\right]\right\},\hfill \end{array}\end{array}$$ 22

where $Q_{s,rec}$ ($Q_{s,rec}$) and $E_{s,dia}^b$ ($E_{s,dia}^b$) denote the total gain and bit error rate, respectively, in the rectilinear (diagonal) base, and $Q_{1,rec}$ ($Q_{1,rec}$) and $e_{1,dia}^b$ ($e_{1,dia}^b$) are the gain and bit error rate, respectively, of a single photon pulse in the rectilinear (diagonal) base.

Discussion

We evaluated the security of QKD with weak basis-choice flaws. The previous analysis of Li et al.²⁸ was extended by applying a tight analytical bound for estimating the phase error. The final key rate was significantly improved by the proposed approach. For example, when ${\epsilon }_0={\epsilon }_1=0.1$ and the bit error rate exceeded 3.4%, no final key was generated by the previous method, but a final key rate of 0.45 was achieved by our method. Applying our analysis, we evaluated the security of a practical QKD system in which Bob passively chooses his basis with a BS. In experiments using a practical BS with typical parameters, the key rate was reduced by less than 6%. Thus, the proposed method improves the QKD performance even in weak randomness scenarios.

Note that, although we analyze the weak randomness of basis-choice in this paper, there are other imperfections in source and detection. Thus, how to take all of these imperfections in one general mode is still an open question, and we will discuss it in our further works.

Methods

Formulations of simulation

This Appendix shows the simulation formulations of Fig. 1 and Table 1. In the absence of Eve, the total gain and error rate are respectively written as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill Q_{\omega }& =1-(1-Y_0)e^{-\omega \eta }\hfill \\ \hfill and{E}_{\omega }{Q}_{\omega }& =e_0{Y}_0+e_{\mathit{det}}(1-e^{-\omega \eta }).\hfill \end{array}\end{array}$$ 23

Here, $\omega \in \{s\}$ and $\omega \in \{d\}$ are the intensities of the signal state (s) and decoy state (d), respectively, $Y_0$ is the dark count of the single photon detector, and $e_0$ is the background error rate. $\eta$ is the total transmittance of the system, which is given by

$$\begin{array}{c}\hfill \eta ={\eta }_{\mathit{Bob}}{10}^{-\alpha /10}.\end{array}$$ 24

In this expression, ${\eta }_{\mathit{Bob}}$ is the transmittance of Bob’s optical devices and the efficiency of single-photon detectors, and $\alpha$ is the channel loss. In QKD with a weak coherent source, photon-number-dependent attacks (such as photon-number splitting attacks) must be removed by the decoy state method. Assuming that Alice and Bob use infinite decoy states, the gain and quantum bit error rate of a single photon pulse are respectively given by

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill Q_{s,1}& =s{e}^{-s}[1-(1-Y_0)(1-\eta )]\equiv s{e}^{-s}{Y}_1,\hfill \\ \hfill e_1& =(e_0{Y}_0+e_{\mathit{det}}\eta )/Y_1.\hfill \end{array}\end{array}$$ 25

Experiment

In some practical QKD systems, Bob passively chooses his measured basis with a BS. Because this scheme requires no active modulator, it enables high-speed, low-cost, and low-complexity operations. However, (as is well known) the transmittance of the BS may depend on the wavelength of the light, opening a potential loophole for wavelength attack by Eve^16,17. In this section, we evaluate the performance of QKD with a passive BS by the above analysis.

The experimental scheme is shown in the left panel of Fig. 2. The BS was encased in a temperature box that controlled its working temperature. The input of the BS was a tunable laser (model JW3113; province, country), and the light output was measured by a dual-channel power meter (model JW8103D, province, country). In a perfect BS, the measured power of both power meters is identical. The performance of a real BS is defined by its deviation ratio as follows:

$$\begin{array}{c}\hfill \mathrm{\Delta }(T,\lambda )=\frac{P_0(T,\lambda )}{P_1(T,\lambda )}.\end{array}$$ 26

Here, $P_0$ and $P_1$ are the powers of the light measured by the two optical power meters, T is the working temperature of the BS, and $\lambda$ is the wavelength of the input light.

Figure 2.

Experimental scheme (left) and measured deviation ratio (right) of a practical commercial BS that evaluates the key rate under a weak measured basis flaw. The deviation ratio is determined by Eq. (26) and T is the working temperature of the BS, which is controlled by the temperature box.

The measured deviation ratio of the BS was measured at different wavelengths of the input light and different working temperatures. The results are shown in the right panel of Fig. 2. From the experimental results, the weak randomness in Bob’s basis-choice can be estimated as

$$\begin{array}{c}\hfill {\epsilon }_1=\underset{\lambda }{max}\left|\frac{P_0}{P_0+P_1},-,\frac{1}{2}\right|=\underset{\lambda }{max}\left|\frac{\mathrm{\Delta }}{1+\mathrm{\Delta }},-,\frac{1}{2}\right|.\end{array}$$ 27

The estimated key rates in the SPS and WPS cases are listed in Table 1 (see main text). At communication distances smaller than 100 km, the key rate was reduced by less than 6%. Topical subheadings are allowed. Authors must ensure that their “Methods” section includes adequate experimental and characterization data necessary for others in the field to reproduce their work.

Author contributions

S.-H.S. and M.-S.Z. finish the theoretical analysis. Z.-Y.T. gets the simulation with the help of S.-H.S. Y.M. conducted the experiment. All authors reviewed the manuscript.

Competing interests

The authors declare no competing interests.