Improving key rates of the unbalanced phase-encoded BB84 protocol using the flag-state squashing model

All phase-encoded BB84 implementations have signal states with unbalanced amplitudes in practice. Thus, the original security analyses a priori do not apply to them. Previous security proofs use signal tagging of multi-photon pulses to recover the behaviour of regular BB84. This is overly conservative, as for unbalanced signals, the photon-number splitting attack does not leak full information to Eve. In this work, we exploit the flag-state squashing model to preserve some parts of the multi-photon generated private information in our analysis. Using a numerical proof technique, we obtain significantly higher key rates compared with previously published results in the low-loss regime. It turns out that the usual scenario of untrusted dark counts runs into conceptual difficulties in some parameter regime. Thus, we discuss the trusted dark count scenario in this paper as well. We also report a gain in key rates when part of the total loss is known to be induced by a trusted device. We highlight that all these key rate improvements can be achieved without modification of the experimental setup.


I. INTRODUCTION
The earliest phase-encoding quantum key distribution (QKD) scheme was proposed by Bennett [1] in 1992 as a demonstration that any two non-orthogonal states can be used for generating shared secret keys between two parties.Later, Townsend [2] and then Hughes et al. [3] proposed a more practical phase-encoding BB84 protocol which uses two Mach-Zehnder interferometers.In practice, the phase-modulator in each Mach-Zehnder unit will introduce photon loss, thereby causing an asymmetry between the intensities of the phaseencoded pulse and the reference pulse even if the typical observations do not directly reveal this.This asymmetric loss was addressed in Refs.[4][5][6] which model the loss caused by an imperfect phase-modulator with a beam splitter (BS) of the same transmission probability.
The first attempt in giving security proofs for this protocol was made by Ref. [4].Formal security proofs were later on provided by Refs.[5,6] which both used qubitbased reduction proof techniques.Despite being a deviation from the standard BB84 protocol, Ref. [6] confirms that the old security analysis for the balanced protocol still holds in the unbalanced case.This calls for a revision of the security statement made by Ref. [5], which we will discuss in detail in Sec.VI.Both Refs.[5] and [6] use decoy states [7][8][9], signal tagging [10,11], and the qubit squashing model [10,[12][13][14] to convert the full security analysis into an effective qubit-to-qubit security analysis problem.Due to the asymmetric intensities of the signal states, the photon number splitting (PNS) attack [15] will not leak full information of the signal's multi-photon part to Eve since in this case, a single photon obtained in the PNS attack will be in one of two non-orthogonal states, even after basis announcements.Thus, the tagging approach, which pessimistically assumes that all multi-photon signals leak their full information to an adversary, simplifies the security proof but underestimates the secure key rate of this protocol.
In this paper, we will answer the following questions: Could we improve the key rates in Ref. [6] if we keep the multi-photon part of the signals?Could the multiphoton part of the signal contribute significantly to key rates when the total loss or the asymmetry is large?
To highlight the differences between our approach and Refs.[5,6]'s, we apply the numerical analysis formulated in [16] which involves optimisations over finite-dimensional matrices to obtain reliable lower bounds on the key rates.On the source side, we treat lower photon numbers explicitly, while turning to tagging again for higher photon numbers.On the receiver side, we know that the qubit squashing model converts the multi-click events caused by the multi-photon part of the signals into additional qubit errors [5,13,14].The convenience of reaching a qubit picture may thus cost a reduction in key rate.Therefore, we use the flag-state squashing model [17] to circumvent this problem, especially for low-loss channels.The flag-state squashing model preserves any measurement on a low photonnumber subspace, while tagging the arriving signals of higher photon numbers.As a result, we obtain secret key rates that can exceed the ones quoted in Refs.[5,6].
During our investigations, we noticed a problem with the common approach which attributes all observed errors to an adversary and describes Bob's detection device by an idealised set-up.Once the actual detectors have some dark count rate, this approach may lead in some circumstances to unphysical constraints, meaning that such an ideal device could not lead to the actual observations.For that reason, we will also introduce results for trusted detector noises, especially dark counts, for which this problem does not exist.
The rest of this paper is outlined as follows.We first revisit the protocol in Sec.II and describe the mathematical model of the protocol in Sec.III.We will then justify our security proof techniques and state the methods that allow us to speed up our key rate computations in Sec.

State preparation:
Alice prepares a phaserandomised coherent state with mean photon number |α| 2 where α ∈ C and chooses a random phase φ x from the set {0, π 2 , π, 3π 2 } with equal probabilities in each round.Alice also sends a small portion of decoy coherent states with different mean photon numbers {|α i | 2 : ∀α i ∈ C} i∈N .
2. Measurement: Once Bob receives the signal state, he chooses a random phase φ B from the set {0, π 2 } with equal probabilities and records all events coming from the two detectors at any of the three time slots.A click is termed "outside" if it is not in the 2nd (middle) time slot.
3. Testing: After repeating steps 1 & 2 for many times, Alice and Bob jointly announce a random subset of their data (including events coming from decoy states) and decide whether they should abort or proceed with the rest of the protocol.
4. Announcement, sifting and post-selection: For each round, Alice announces the basis to be "even" if she picks her phase from {0, π} or she announces "odd" if her phase is in { π 2 , 3π 2 }. Bob announces "even" if he picks φ B = 0 or "odd" if φ B = π 2 .In addition to basis announcements, Bob also announces "discard" for events that have only outside clicks or no click.Alice keeps the φ x 's only for the rounds where Bob did not announce "discard" and where her bases match with Bob's.Bob keeps a detection event if his basis matches Alice's and the event is not to be discarded.

Direct reconciliation key map: Alice maps φ (j)
x in the j-th kept rounds to the j-th bit z j of the raw key as (1) 6. Error correction and privacy amplification: Alice and Bob perform standard error correction so that Bob also obtains a copy of the key map register.They then proceed with a privacy amplification protocol to obtain a shared secret key.
We point out that our method generalises to any asymmetric basis choice (i.e.probabilities of choosing "even" and "odd" bases are not equal).It was shown in Ref. [18] that the probability of choosing one basis can be set arbitrarily close to 1 without affecting the asymptotic security analysis.Note that the formalism described here would also allow one to consider the reverse reconciliation approach, where in step 5 of the protocol Bob performs a key map instead of Alice.Then, Alice and Bob would have to swap their respective roles in step 6.

A. Optical Models
We start by identifying two equivalent optical models for the Mach-Zehnder component that appears in both Alice's and Bob's apparatus.The descriptions for the two models are illustrated in Fig. 2. Instead of having the loss in one arm of the interferometer, the equivalent model places a loss element in front of the Mach-Zehnder component, which then has an asymmetric beam splitter at the entry [5].
This replacement picture tells us that Alice's loss can be absorbed into the rescaled amplitude of the incoming single laser pulse, whereas Bob's loss can be absorbed into the channel's action.FIG. 2. Equivalence relationship between a lossy phase modulator in the encoding device and an uneven BS with transmissivity 1 2ξ followed by another uneven BS with transmissivity ξ and a perfect phase modulator, where ξ = 1 1+κ [5].

B. State preparation
We use the source-replacement scheme [19,20] to represent a prepare-and-measure scheme with an entanglement-based scheme.Since Alice's signal state is mixed, we will introduce a purifying "shield" system that will be left behind in the source so that the existing source-replacement framework can be applied.We will provide a detailed description of the entangled pure state prepared by Alice below.
To prepare the output signal state, Alice's laser first creates a phase-randomised coherent state where p n (β) = e −|β| 2 |β| 2n n! is the Poissonian distribution in photon number n.She then sends it through her encoding device set at a phase φ x which outputs a time-bin signal with two modes, where |ψ x (α) = |αe iθ , √ κ αe i(θ−φ x ) .In the following steps, we will express the state σ x (α) in a two-mode Fock basis {|s x n (ξ) } which is defined later in Eqn.(8).Let a † 1 and a † 2 be the creation operators of the two output time modes of the signal.We define a rescaled amplitude α : 1+κ and a new mode creation operator We define a set of two-mode Fock states for n ∈ N as The state |ψ x (α) can be rewritten in the new basis as ) which is a coherent state with amplitude α.The phaserandomised signal state is therefore a Poissonian mixture of the new Fock states as in Since the signal state σ x (α) is mixed, Alice can purify the state by introducing an ancillary system A S such that the following is a pure state where the register A is the signal system.Note that the probability p n ( α) is independent of Alice's choice x.
We can thus summarise the source description as Alice preparing an entangled pure state where {|x A } x=0,...,3 is an orthonormal basis of Alice's register A for x corresponding to the phase φ x = π 2 x and p x = 1  4 for all x ∈ {0, 1, 2, 3}.Note that registers A and A S are private to Alice, and Eve only has access to the signal system A .We call the purifying system A S a "shield" system for it to be inaccessible to Eve (i.e.Eve only gets the mixed state σ x (α) but not the pure state |σ x (α) A S A ).

C. Measurements
In the prepare-and-measure scheme, the action of Alice randomly choosing the phase φ x in the signal state is equivalent to a measurement on |Ψ AA S A with POVM {|x x| A } x=0,...,3 .Alice's measurement can be performed before or after Bob performs his measurement.
We start out by describing the POVM of Bob's measurement assuming ideal devices, especially without dark counts of the detectors.We will later on derive the POVM of devices with specified dark counts.To characterise all of Bob's possible measurement outcomes, we construct his POVM using the creation and annihilation operators for six optical modes arriving at 3 different time slots and at 2 detectors.Ignoring global phases, the six annihilation operators of a fixed phase φ B , which correspond to the six "click" locations depicted in Fig. 1, where a 1 and a 2 are annihilation operators of the two incoming time modes of the signal.Since b 1 = b 4 and b 3 = b 6 , the POVM elements corresponding to click events at 1 and 4 (3 and 6) are the same.Hence, each pair can be combined into a single timemode annihilation operator.The corresponding operators for the two pairs are where t 1 and t 3 denote the 1st and 3rd time slots in Fig 1.
This is equivalent to coarse-grain the outside-only click POVM elements and outcome probabilities but without losing information about the relative phase, φ x − φ B .This reduces the redundancy in constraints for the optimisation which will be described in Sec.IV C. As Bob's measurement outcomes consist of all combinations of click events at different time slots, detectors, and basis choices, his POVM elements are obtained by summing weighted projectors of all possible states that could lead to a particular click pattern.Based on the fact that Bob uses threshold detectors for detection, all POVM elements are block-diagonal in total photon number basis [12,13].
These allow the construction of Bob's POVM elements in terms of the modes impinging on the detectors by first restricting to the n-total photon subspace of Bob's entire system, and defining the following operators corresponding to different click events: • single-click: (for n ≥ 1) • double-click: (for n ≥ 2) • triple-click: (for n ≥ 3) • all-click: (for n ≥ 4) with , where p(φ B ) is the probability of choosing the phase φ B and b } are the mode creation operators for a fixed phase φ B , with b † i µ = b † i ν for all µ = ν and µ, ν ∈ {1, 2, 3, 4}.We can express Bob's POVM elements in terms of the incoming modes, a 1 and a 2 , by substituting the final modes with Eqns.( 14) - (17).
To obtain Bob's POVM elements for the full Hilbert space, one simply sums over all contributions from all photon number subspaces to get where k labels the 16 possible click patterns (Bob's measurement outcomes) and the two measurement bases.
For n to be less than the minimum photon number to trigger the click event k, F n k is a zero operator.If k is the no-click event, F n k is a zero operator for all n ≥ 1.To reduce the number of linearly dependent POVM elements for better numerical performance in calculating key rates [21], we combine the pairs of φ Bindependent POVM elements of the two measurement bases into one by summing the two elements together.This reduces the cardinality of Bob's POVM from 32 to 28 since the following 4 click patterns: no-click, t 1 -only, t 3 -only, and t 1 &t 3 are basis-independent.
In a trusted dark-count scenario where dark counts are not controlled by Eve, we incorporate the effect of dark counts into Bob's POVM by applying a classical post-processing map, P, on Bob's POVM elements {F k }.The output of the map is a new POVM {P k } with each element corresponding to a linear combination of the original POVM such that P k = ∑ i P k,i F i where P k,i are the matrix elements of the linear map P. We illustrate the action of the map P with the new POVM elements in Eqns.(A3)-(A9).Since the map P acts the same on all photon-number subspaces, it also holds that The map P models the effect of dark counts as a classical noise in the sense that for each detector and at each detection time window, a no-click event flips to a click event with probability, p d .We can recover Bob's darkcount free POVM {F k } by setting the dark-count probability p d = 0 in the case with untrusted dark counts.

A. Flag-state squashing model
In order to numerically compute the secure key rate, we need to reduce the dimension of Bob's state from infinite to finite so that numerical SDP solvers can be used.Since Bob uses threshold detectors, his POVM elements are block-diagonal, so the qubit squashing model [5,[12][13][14] can be applied.However, by reassigning the multiclick events to single-click events randomly, the squashing model introduces additional qubit errors to the original data.Instead, the flag-state squashing model [17] is used here to circumvent this problem.
We set a finite photon-number cutoff N B and define the (n ≤ N B )and (n > N B )-photon subspaces to be two Hilbert spaces containing Fock states of at most N B and at least N B + 1 photons respectively.The flag-state squashing map Λ first projects Bob's state ρ onto the two subspaces.It then applies an identity map to the projected state ρ n≤N B and measures the projected state ρ n>N B with the POVM {P k } to give the squashed state Bob's corresponding flag-state squashed POVM elements are where N B is a finite-number photon cutoff and k labels Bob's detection events.The joint POVM of Alice's and Bob's measurements in the flag-state squashing model is {|x x| A ⊗ P k } where x ∈ {0, ..., 3} and k ∈ {1, ..., 28}.
Since the measurement channel acting on the (n > N B )-photon subspace is entanglement breaking [22], one needs to lower bound Tr(Π n≤N B ρ) with Bob's measurement statistics to ensure that some entanglement between Alice and Bob is preserved in order for them to establish a secret key [20].For trusted dark counts, we show in Appendix A that the lower bound for the weight of the (n ≤ N B )-photon signal subspace conditioned on Alice choosing signal x is given by , ( 27) where the conditional cross-click probability, p(cc|x), is the sum of the observed probabilities of all events excluding no-click events, events with clicks only in time slot t 2 (inside-only), and events with clicks only in time slots t 1 , t 3 (outside-only) given that Alice picks signal x.
We also show in Appendix A that the bound in ( 27) is always tighter than the dark-count free bound (p d = 0) derived by Narashimhachar [14], so we could also obtain a lower bound of the secure key rate using that dark-count free bound.For untrusted dark counts, one simply has to use that bound.

B. Decoy state & key rate decomposition
In this article, we prove the security of the protocol against any collective attack.Since the signal states and measurements are permutation invariant between different rounds, the quantum de Finetti theorem [23] or the postselection technique [24] can be applied to uplift our security statement to the security against coherent attacks, which will both lead to the same asymptotic key rate.From that we obtain a composable -security proof [25] of the protocol under Eve's general attacks with the same asymptotic key rate as under the collective attack.
Let R be the key register held by Alice in direct reconciliation, E be Eve's quantum and classical register, B be Bob's quantum register, B and B be Bob's classical registers for his measurement outcomes and announcements respectively.The Devetak-Winter formula [26] for asymptotic secure key rate can be expressed as where p pass is the probability of passing the sifting and post-selection steps, S is the set of all density matrices that satisfy Alice's and Bob's joint statistics.
The key rate formula (30) can be converted into an alternative form, as shown in Refs.[16,27], using the relative entropy (31) where G and Z are two maps that will be discussed below.The formula includes a privacy amplification (PA) term as the first term and an error correction term δ EC = f EC H(R|B) with a heuristic classical error-correction efficiency factor f EC ≥ 1.
The G map is a completely positive trace nonincreasing map capturing the effects of sifting, postselection and announcement on Alice's and Bob's joint state, which takes the form [16,28] with the Kraus operators of this protocol defined as and K denotes Bob's postselected outcomes.The Z map captures the effect of the key map, and is given by with register C encapsulates all registers except R.
Since Alice is sending a Poissonian mixture of Fock states, Eve can, in principle, perform a QND measurement on Alice's signal to learn its photon number without disturbing the signal itself.We show in Appendix B that as a direct consequence of this the state ρ AA S B is block-diagonal in Alice's output photon number n.Therefore, without loss of generality, we can restrict the minimisation in Eqn.(31) to be taken over a smaller set ∈ S} where {ρ n AB } are the normalised states conditioned on Alice sending out n photons.This allows one to split the PA term into a probabilistic combination of PA terms associated with different n as in (36) See Appendix B for the proof of the decomposition.
For our analysis, we assume a decoy-state scenario [7][8][9], which means that in addition to the usual signal states, Alice prepares also decoy states that are represented by dephased laser pulses with different intensity levels |α i | 2 .More precisely, we assume for simplicity the infinite-decoy scenario, where a countably infinite number of decoy intensities are used so that a decoy data analysis can reveal to Alice and Bob the conditional probabilities of any observable, where the condition is with respect to Alice's output photon number n.
These conditional probabilities constrain the feasible set of normalised states S n for each of Alice's output photon number n independently, which further restricts the minimisation in Eqn.(36) to be taken over a smaller set Given that the probability distribution {p n } n∈N is fixed by the intensity of the signal, the minimisation over S can be pulled into the summation and split into minimisations over individual S n , resulting in the following key rate formula (37) We remark that the inclusion of a finite number of decoy states would be a natural extension of this work, in which case the description of each set S n would depend on other sets {S n : n = n}.Hence, a more careful treatment of the PA term would be needed.
The major benefit of breaking down the PA term into individual minimisations is to avoid the need of keeping the infinite-dimensional shield system A S in the argument of the optimisation as seen in Eqn.(31).Instead of optimising over the set of infinite-dimensional states, we convert our problem into an infinite number of optimisations with finite-dimensional arguments.
Notice that when Alice sends out vacuum (0 photons), Eve learns nothing about Alice's choice x, so each key bit z ∈ {0, 1} is equally likely to Eve, which implies that H(R|E) = H(R) = 1.Therefore, the first term in the summation in Eqn.(37) is equal to p n=0 pass which is the contribution from Alice sending out vacuum to the probability of passing sifting and post-selection.By Klein's inequality, quantum relative entropy is non-negative for all positive semidefinite matrices (i.e.D(A||B) ≥ 0 if A, B ≥ 0 and Tr(A) ≥ Tr(B) [29]), so Thus, omitting any terms in the summation will only reduce the total value on the right-hand side of Eqn.(37).In fact, omitting an n-photon term is the same as treating all n-photon output signals as being tagged for which the encoded state is fully known to Eve.Since we can only optimise a finite number of terms in the infinite sum, we can truncate the infinite sum at n = N A where N A is a positive finite integer to obtain a lower bound for the key rate.The choice of N A = 1 corresponds to the tagging as used in Refs.[5,6].We then have the key rate expression as (38) This allows us to reduce the number of finitedimensional optimisations from infinity to a finite number that corresponds to the computational resources available to us.

C. The SDP problem
To optimise individual PA terms in Eqn.(38), the primal SDP problem is formulated as The first line in the constraints demands the shared state ρ n AB conditioned on Alice sending out n photons to satisfy Alice's and Bob's joint measurement outcome probabilities conditioned on n photons in the received signal, which are obtained from the infinite-decoy analysis.The second line lower bounds the weight of ρ n AB in the (n ≤ N B )-photon subspace by Eqn.(27).The third line demands that Alice's reduced density matrix is unchanged.The last two lines ensure that ρ n AB is a valid, normalised density matrix.

D. Implementation of numerical security analysis
Following the procedure in Ref. [16], suboptimal solutions of the primal SDP problems in the form of (39) for 1 ≤ n ≤ N A are obtained numerically using the MAT-LAB optimisation package CVX and the Frank-Wolfe algorithm.These suboptimal solutions infer the upper bound for the individual privacy amplification terms in Eqn.(38).A linearisation of each of the primal problems at their suboptimal solution is then converted into a dual SDP problem.Using the CVX numerical solver again, the dual suboptimal solutions for 1 ≤ n ≤ N A provide a reliable lower bound on the whole privacy amplification term.
Solving the primal optimisation problem is computationally demanding in terms of time and memory even if the flag-state squashing model is applied to reduce the dimension of the matrix variables ρ n AB .One can further utilise the structure of the flag-state squashed state as described in Eqn.(25) to reduce the number of complex variables in the allowed matrices ρ n AB .Bob's flag-state squashed POVM elements also enable us to split multiplications between constraint matrices and the state variable ρ n AB .In addition, the objective function of the SDP problem in (39) can be evaluated much faster if the computation is restricted only to the non-zero subspaces in the images of the maps G and Z.With these three techniques, we managed to reduce the computation time of the primal optimisation by a significant amount.See Appendix C for the technical details.
We utilise the fact that the SDP problem specified in (39) is independent of the mean photon number |α| 2 of Alice's phase-randomised coherent state because the minimisations in Eqn.(37) are over each set S n separately.In other words, the choice of |α| 2 only affects the photon number distribution {p n } and the errorcorrection term δ EC in the key rate formula (38).Therefore, we can maximise the key rate lower bound over the signal intensity |α| 2 efficiently once we have the dual suboptimal solutions as the error-correction term can be directly calculated from the observables of the corresponding simulation.

V. SIMULATION OF EXPERIMENTS
In the absence of experimental data, we have to perform a simulation of an experiment to obtain realistic probability distributions which replace the experimental data as input of our security analysis.Note that the details of the simulation model are independent of the actual security proof.

A. Channel simulations & detection efficiency
We simulate the quantum channel between Alice and Bob with a loss-only channel which is essentially an uneven beam splitter.We also assume that both detectors of Bob have equal detection efficiency η det , where each detector can be modelled as a beam splitter with a transmission rate η det followed by an ideal detector.In this simple model, a single parameter η which we call the total transmissivity describes the combined loss caused by the following three effects: the inefficiency in the process of coupling the signal light to the optical fibre, the absorption and scattering processes of light in transmission through the fibre, and the detection efficiency of Bob's threshold detectors.
We also investigate the case where we assume the detection efficiency η det to be outside of Eve's control, as a trusted, characterized loss element of the receiver.In that case, we keep the beam splitter with transmissivity η det in Bob's apparatus, which in turn modifies the POVM elements described in Sec.III C. Bob's POVM with known detection efficiency can be obtained with a similar approach used in Ref. [17].

B. Dark counts
To simulate our statistics when dark counts are present, we generate the outcome probabilities with Bob's classically post-processed POVM described in Sec.III C and Appendix A, which is associated with a darkcount probability, p d , for each detector and at each detection time window.
If dark counts are assumed to be trusted in the sense that they are not in Eve's control, we use the classically post-processed flag-state POVM { P k } as the constraint matrices in the SDP problem (39) to calculate the privacy amplification term.This approach guarantees the SDP problem to be feasible since measurement probabilities correspond directly to a quantum state in the simulation.
However, if we consider untrusted dark counts, that is, if we pessimistically attribute the effect of dark count noise to Eve, the flag-state POVM of dark-count free detectors is used as the SDP constraint matrices instead.Note that unlike the existence of a physical model for pulling out the equal detection efficiency into the channel, this approach is not covered by any physical equiv-alence model that allows one to outsource the dark counts to Eve.Therefore, it is possible that no quantum states could have led to the classically post-processed statistics if the measurement is assumed to be darkcount free.In that case, the SDP problem becomes infeasible due to unphysical constraints.This is what we encounter in some parameter regime of our calculation, as we will point out in the next section.

VI. KEY RATES
Before diving into our main results, we start by stating the parameters used throughout this section.We set Bob's flag-state photon number cutoff to be N B = 4 so that the SDP optimisations can be solved within a reasonable amount of time.The maximum number of terms kept in the PA summation in Eqn. ( 38) is set to be N A = 3 since we observe that the key rate in the lowloss regime does not improve even if we keep more than 3 terms.Furthermore, we set the dark count probability to be p d = 8.5 × 10 −7 and the error-correction efficiency to be f EC = 1.22 as quoted in Ref. [30].
In Fig. 3(a), we present lower bounds for the secure key rates per clock cycle corresponding to different values of the phase-modulator transmissivity κ and the total transmissivity η in the two scenarios with trusted and untrusted dark counts.The total transmissivity η captures both the transmission efficiency of the lossonly channel and the detection efficiency of Bob's detectors.We obtain these bounds by maximising the lower bounds for key rates over the mean photon number |α| 2 as specified in Sec.IV D. The optimal |α| 2 for each point in Fig. 3(a) are shown in Fig. 3(b).
Let us expand on the SDP infeasibility issue with untrusted dark counts mentioned in Sec.V B. In the highloss regime where the total transmissivity η ≤ 0.2, the SDP problem for some parameters becomes infeasible meaning that no physical states can satisfy the constraints that are imposed by observed statistics.This is a somehow surprising observation since many previous security analyses (e.g.[5,6,10,31]) assume dark counts to be untrusted but did not encounter any issue with infeasible constraints.Most of these analyses use coarsegrained statistics (e.g.bit/phase error rate) to bound Eve's knowledge.However, the use of refined statistics in our SDP constraints poses more stringent conditions on the feasible set which makes it less robust against infeasibility issues.Therefore, at least when infeasibility is detected, we cannot outsource the dark counts simulated by a classical noise model entirely to Eve as previous literature did.In the case of having infeasible data, we allow the SDP numerical solver to relax the satisfiability of constraints in the sense that we are enlarging the search set to the degree where it is feasible.Due to large constraint violations and a minimisation over an enlarged search set, we expect the key rate lower bound obtained by this method to be much lower than the true value.As for the feasible cases, Fig. 3 shows that turning dark counts from untrusted to trusted increases the key rates.In the remaining of this section, if we make statements about the key rates without mentioning whether dark counts are trusted or untrusted, then the statement applies to both cases.
In the design view of a QKD security analysis, the goal is to optimise over all parameters and find the optimal setting of the experimental setup.Here, we seek the optimal asymmetric transmission parameter κ and the corresponding optimal signal intensity |α| 2 that gives the highest key rate at different total transmissivity η.We see that the smaller the value of κ, the lower the key rates in Fig. 3(a) because Alice would need to send more photons (as one can see from Fig. 3(b)) in order to maintain an adequate proportion of middle-click detection events, which allow Bob to infer the relative phase φ x − φ B .Therefore, one should always aim at reducing the loss at the phase modulator in order to increase the overall key rate.
To elaborate more on the optimality of the intensities in Fig. 3(b), we point out the two competing factors for using more photons in the signal.First, sending higher intensity signals causes more photons to pass through Eve's domain, which allows her to gain more information about the signal, thereby reducing the key rate.Second, as more information can be transmitted from Alice to Bob via multi-photon signals, the key rate may increase if the cost of error correction increases less than the information gain by Eve.
These two factors pull the key rate into opposite directions, so there is an optimal point for the key rate to be maximised, of which the corresponding optimal mean photon number is shown in Fig. 3(b).These values appear to be higher than the optimal values for the key rates in [6].This indicates that some multi-photon signals carry useful information from Alice to Bob of which Eve does not possess full knowledge, and hence favours signals with higher intensity.
At this point, we would like to compare our results with previous results in [5,6] which both contain valid secure proofs that make use of the single-photon components only.Note that although the technical analysis of [5] is correct, the conclusion that the key rate of the unbalanced BB84 protocol will be overestimated if one blindly uses the security analysis of a balanced protocol is not.While [5] has shown that the key rate for unbalanced signals is lower than that for balanced ones, the authors of [6] correctly point out that the drop in key rate is due to a smaller success rate of the unbalanced protocol, followed by the same key reduction during privacy amplification as for a balanced protocol.So in effect, during the operation of an unbalanced protocol, the use of privacy amplification terms from a balanced BB84 protocol still gives valid secret key rates.Therefore, it is incorrect for Ref. [5] to conclude that the drop in secure key rates for the unbalanced cases is due to the application of a new security analysis.Since Ref. [6] provides a known analytical key rate of this scenario, we use that result as the baseline of our investigations to show that in fact the secret key rate is underestimated by this security analysis, and thus less privacy amplification is required in this situation.
We compare our key rates with [6]'s in Fig. 4, which shows that our analysis provides higher key rates for total transmissivity η > 0.1 (<10 dB), especially for small κ values.Our method shows advantage in lowloss cases because the PA components from the multiphoton part of Alice's signals are larger in the low-loss regime, which are pessimistically set to zero in [6].This can be understood as Eve does not learn too much of the multi-photon signals, thereby allowing more information to reach Bob.
When the total transmissivity satisfies η ≤ 0.2, we encounter the issue with SDP infeasibility with untrusted dark counts.We recover approximately the same key rates in [6] for most cases, but some of our lower bounds for the key rates (obtained from maximising the dual SDP problem) in the untrusted noise scenario appear to be slightly lower than [6]'s.To understand the gaps Percentage change in key rates comparing our optimal lower bounds for key rates with [6]'s optimal key rates versus total transmissivity η.We label the changes for trusted (untrusted) dark counts with solid (dotted) lines.A positive change means that our key rate is higher.between our key rate upper bounds (which are on par with [6]'s key rates) and lower bounds (see Sec. IV D for the meaning of the two bounds), we recall that our way of getting around the infeasibility issue with untrusted noise is to relax the required precision for the constraints to be satisfied in the numerical solver.The primal suboptimal solution to the relaxed problem will naturally suffer from stronger SDP constraint violations which lead to a larger penalty term in the calculation of the dual suboptimal solution [16].
Notice that when the asymmetric loss parameter reaches κ = 0.3, the percentage increase of our key rate relative to [6]'s is the least compared to other values of κ.This phenomenon is also observed when we make the following choices of parameters: flag-state photon cutoff N B ∈ {1, 2, 3, 4}, dark count probability p d ∈ {0, 10 −5 , 10 −4 }, and total transmissivity η = 1.As our numerical data suggest, the ratio between the optimal values of the privacy amplification terms attributed to Alice sending out 1-photon and 2-photon signals, reaches its smallest value when κ ≈ 0.3.This can be interpreted as the amount of private information carried by 2-photon signals relative to the amount carried by 1-photon signals is the least when κ ≈ 0.3.Note that the ratio r 21 hits minimum when κ ≈ 0.3, which corresponds to the points with the least key rate improvement.
As a remark, the optimal signal intensities | α opt | 2 's for [6]'s optimal key rates (corresponding to Eqn. ( 6) in [6]), which we compare with in Fig. 4, are slowly decreasing as η increases.They satisfy where |α opt | 2 is the corresponding optimal intensity of our analysis as plotted in Fig. 3(b).This means that [6]'s optimal signal intensity is always smaller than our optimal intensity |α opt | 2 .It is also true that [6]'s optimal intensity increases as κ reduces for all tested values of η.
In the post-processing view, the goal is to determine the amount of key reduction from privacy amplification that guarantees a secure final key for a given set of experimental parameters.Particularly, in the case where the attenuation of the laser has already been set to [6]'s optimal intensity for a chosen set of parameters, we compare the privacy amplification term from our analysis with the one from [6]'s.To see this, we first show in Fig. 5 that our method still gives higher key rates than [6]'s in the low-loss regime (η > 0.15) even when our signal intensities are set to [6]'s.We then make the connection between this result and the difference in privacy amplification with two observations: 1) the probability of passing post-selection p pass is equal for both methods and 2) the costs of error correction are approximately equal when the same signal intensity is used in both approaches.It follows that the difference in key rates translates to the difference in the privacy amplification terms in the key rate formula.Thus, our method requires less key reduction from privacy amplification compared to [6] for low-loss scenarios.This allows us to extract more secret key out of these unbalanced protocols than previously thought.Percentage change in key rates comparing our lower bounds for key rates per clock cycle evaluated at [6]'s optimal α opt with [6]'s optimal key rates versus total transmissivity η.
We label the changes for trusted (untrusted) dark counts with solid (dotted) lines.A positive change means that our key rate is higher.
We now turn to study the effect of trusted loss on the key rates.Previously, we assume that the quantum channel contributes completely to the total loss.However, if we know that a certain part of the total loss is caused by some trusted components (e.g.Bob's detectors), the key rate can be improved since the channel loss is effectively smaller.The key rate improvement has already been shown in both active and passive BB84 protocol [17] where the detection efficiency of the receiver's detectors is assumed to be beyond Eve's control.We will present a similar behaviour of the key rates of this pro-tocol under different trusted loss conditions.
We fix the total transmissivity to be η = 0.1 and assume dark counts to be trusted, and then we vary the detection efficiency of Bob's trusted detectors η det .Indeed, Fig. 6(a) shows that the lower bound of our optimal key rate increases with the proportion of the trusted loss component coming from Bob's detectors to the total loss, which takes the form 1−η det 1−η .The optimal mean photon numbers corresponding to the optimal key rates are displayed in Fig. 6(b).To summarise this section, we report a significant gain in key rates in the low-loss regime (≤10 dB) with our analysis.To be precise, with our security analysis, higher key rates can be obtained when the signal intensities are set to our optimal and [6]'s optimal values.We emphasise that the reported improvement can be attained without any modification to the experimental setup.Lastly, we show that the key rates can be increased if we know that the detection inefficiency contributes a considerable amount to the total loss.

VII. SUMMARY & OUTLOOK
This work provides a new numerical security proof for the unbalanced phase-encoded BB84 protocol.Using the newly developed flag-state squashing model [17], we are able to derive additional private information from the multi-photon components of the signal states.We compare our key rates with the key rates proved in Ref. [6] under the same simulation parameters and show that our analysis results in significantly higher key rates in the low-loss regime.In the design view, we find that a balanced protocol (κ = 1) gives a higher key rate than an unbalanced protocol so that a design cannot take advantage of an artificial induction of asymmetry.In the post-processing view, our method requires less key reduction from privacy amplification compared to [6] for low-loss cases.We prove that our key rates are still better than [6]'s even when their optimal mean signal photon numbers are used.Hence, any experiments that are already implementing the optimal settings of [6] can profit from our higher key rates.We also explore the advantage of characterising the receiver's detection inefficiency as a trusted loss, which is not allowed by [5,6]'s proof technique.Our results suggest that the key rate can be improved when the proportion of trusted loss due to detection inefficiency to the total loss is significant.
Let us conclude by pointing out some future directions of investigations: It is important to find a formal way of incorporating untrusted dark counts into the security analysis without leading to unphysical constraints.As mentioned in Sec.IV B, to extend our analysis to the use of a finite number of decoy states, one must consider the dependence among different feasible conditional state sets when handling the privacy amplification term.Finally, some of our proof techniques can be transferred to a finite-key analysis.It would be worth comparing the key rates from a finite-key analysis with the asymptotic key rates reported here.
Appendix A: Derivation of the lower bound for the weight of (n ≤ N B )-photon signal subspace We aim at lower bounding the weight of the (n ≤ N B )-photon signal subspace, p(n≤N B ), with Bob's observed statistics.In this Appendix, we use the crossclick probability to derive a lower bound for p(n≤N B ) in the following steps.The cross-click probability for any signal satisfies In the second line, p min (cc|n) denotes the minimal cross-click probability given that Bob receives an nphoton signal.In the last two lines, we define p(n≤ (A2) We will show that the minimum cross-click probabilities indeed satisfy the monotonicity and the strict inequality conditions.
To obtain the minimum conditional probabilities p min (cc|0) and p min (cc|N B + 1), we start by considering the new POVM elements after classical post-processing due to dark counts as mentioned in Sec.III C which are We first group the pre-processed POVM elements into two coarse-grained POVM elements: outside-only (t 1 , t 3 , t 1 &t 3 ) and inside-only (2, 5, 2&5).Using Eqns.( 19) and ( 20), the two elements can be expressed as Similarly, the two coarse-grained post-processed POVM elements can be found to be where the pre-processed no-click POVM element is F 0 = |0, 0 0, 0|.Therefore, the post-processed coarse-grained POVM elements for inside-only and outside-only clicks are diagonal in the two-mode Fock basis {|i, n − i : i = 0, ..., n} for all n ∈ N. The cross-click POVM element is which is also diagonal in the two-mode Fock basis.Since P cc is already diagonal, it is straightforward to find P cc 's minimum eigenvalue restricted to the n-photon subspace, which corresponds to the minimum cross-click probability for any n-photon input states, analytically.For an eigenstate |i, n − i , the associated cross-click probability (the eigenvalue of P cc ) can be found using Eqns.(A3) -(A14) as for n ≥ 1, and for the vacuum state |0, 0 to be as stated in Eqn.(28).Since there is only one eigenvalue in the vacuum subspace, we need not minimise the conditional probability (i.e.p min (cc|0) = p(cc|0)).
We exclude the case where the phase modulator has zero transmissivity (κ = 0), then ξ = 1 1+κ ∈ [ 1 2 , 1), so the minimum cross-click probability for any (n ≥ 1)-photon input state is as stated in Eqn.(29), which is valid for photon number n ≥ 1.Notice that p min (cc|n) is monotonically increasing with n which agrees with our intuition that crossclick events are likely with more incoming photons.
As we further restrict the dark count probability to p d ∈ [0, 1), it is analytically straightforward to verify that for all n ≥ 1 and ξ ∈ [ 1 2 , 1), p(cc|0) ≤ p min (cc|n) < p min (cc|n + 1), (A16) so the monotonicity and the strict inequality conditions for (A2) to hold are satisfied.The inequality (A2) is of the same form as (27) in Sec.IV A except that the observed cross-click probability in ( 27) is conditioned on Alice's signal choice x.
We now move on to prove that the lower bound in the inequality (A2) is tighter than the lower bound derived in Ref. [14] for no dark counts.We use the fact that and all probabilities are positive to show that . ( A18) With (29), we can further show that Thus, the lower bound in (A2) is larger than the lower bound derived in Ref. [14] which is the expression in (29) for zero dark-count rate as in (A20) The secure key rate should only reduce as we loosen the lower bound for the (n≤N B )-photon subspace since the flag-state squashing map can be more entanglementbreaking and so Eve could gain more information from purification.As a result, we can use the dark-count-free lower bound blindly on Bob's measurement data to obtain a secure key rate even if the dark-count rate is assumed to be zero.

Appendix B: Proof of Decomposing the Privacy Amplification term
In Sec.III B, Eqns.( 8), ( 11) and ( 12) together describe the entangled pure state that Alice prepares to be where we simplify the notation here with p n := p n ( α √ ξ ).Since the phase-randomised coherent signal states are block-diagonal in total photon number basis in Eve's point of view, Eve can, without loss of generality, perform QND measurements to determine the total photon number in the signal states.This allows her to keep an extra classical register that tells her the total number of photons in the signal without degrading her eavesdropping power as we will see below.
To see why allowing Eve to measure the total photon number in the signal state will not affect our security statement, we first consider the most general scenario where we do not assume anything about Eve's attack.By Stinespring's dilation theorem, the action of a quantum channel on the signal state can be described by an isometry V A →BE that takes Alice's signal system, A , to Bob's system, B, and Eve's purifying system, E, such that the pure state shared among all parties is Eve's general reduced state conditioned on Alice's measurement outcome x is In the alternative scenario, we assume that Eve performs the QND measurement and could perform adaptive attack according to her knowledge of the photon number.Let Eve's purifying system of the signal be E and the extra register for recording the photon number in Alice's signal be E. Again by Stinespring's dilation theorem, one can describe the action of a quantum channel on the signal state by an isometry V A →BE E which takes the form where V n A →BE is Eve's isometry for purifying Bob's quantum state given that she learns the total photon number n and Π A n is a projector which projects onto the n-total photon subspace of the signal system A .The shared pure state between Alice, Bob and Eve before any announcements is and Eve's reduced state conditioned on Alice's measurement outcome x is (B4) If we further trace out Eve's register E, her reduced state ρ x E clearly contains the general attack in (B1) where Eve performs the same purification (i.e.V n A →BE = V A →BE ) for all n ∈ N. Therefore, the assumption that Eve can measure the photon number of the signal and the pure state shared by all parties to be (B3) will not affect the security statement of our proof.
To decompose the relative entropy in Eqn.(31), we can assume the pure state shared by all parties to be (B3) as argued above.Hence, the state shared by Alice and Bob is B5) where the quantum channel between Alice and Bob is defined as for N to be the substitute for the maps G and Z • G.
Taking the matrix logarithm gives us log N (ρ (B8) By the definition of relative entropy, we decompose the PA term into which completes the proof.

Appendix C: Justifications for speeding up SDP optimisations 1. Reducing the number of variables in SDP
To speed up the convex optimisation for the SDP problem specified in (39), we make use of the structure of the flag-state squashed state.The joint state shared between Alice and Bob ρ AB can be expressed as where E i,j = |i j| with {|i } being an orthonormal basis and ρ n,m i,j ∈ C ∀ i, j, k, l, n, m.Recall that the flag-state squashing map takes the form of ( 25) and since the dimension of the 2-mode (n ≤ N B )-photon subspace is Tr(Π n≤N B ) = (N B +1)(N B +2) 2 , the joint state after squashing can be written as where we define and M B to be the number of POVM elements.Since ρ AB is Hermitian, we also know that

Speedup in checking constraints
In the SDP optimisation problem (39), to impose each of the SDP constraints require explicit evaluation of the inner product between the updated squashed state ρ and each constraint matrix Γ µ .As the squashed state and all the constraint matrices in (39) admit a blockdiagonal structure, we only need to consider the matrix elements of ρ and {Γ µ } that are contained in these blocks to calculate the inner product.We will show that by defining new optimisation variables of smaller dimensions, the SDP problem (39) can be restructured so that each constraint can be checked faster.By doing so, the SDP optimisation problem can be solved quicker.
Let Γ be a squashed constraint matrix, which is Hermitian and can be expressed in the squashed basis as C5) where Γ n,m i,j ∈ C, and satisfy (Γ n,m i,j ) * = Γ m,n j,i ∀ i, j, n, m.We can split Tr(Γ ρ AB ) into three terms as in where we define where the free variables for the numerical optimisation are ρ n≤N B ∈ D(C d A Tr(Π n≤N B ) ), | c diag ∈ R d A M B , and Since the equality and inequality constraints (133 constraints in (39)) have to be checked for each run of the SDP optimisation, reducing the time and memory used in matrix multiplications of {Γ µ } (and { Γ ν }) with the squashed state ρ AB substantially improves the runtime of the whole key rate calculation.

Speedup in evaluating D(G(ρ AB )||Z (G(ρ AB )))
Recall the definitions of the G and Z maps as stated in Eqns.(32) -(35).Using the form of the shared state ρ AB specified in Eqn.(C2) with i, j ∈ {0, 1, 2, 3} and M B = 28, the state G(ρ AB ) can be expanded into where σ i,j := F B α(i) ∑ Tr(Π n≤N B ) n,m=1 ρ n,m i,j E n,m F B α(i) + F B α(i) ∑ 28 k=1 c k i,j E k,k F B α(i) with α(i) = i mod 2. Apply the Z map to G(ρ AB ) will get ) for i ∈ {0, 1} and β ∈ {n ≤ N B , flag}.Therefore, the expression in (C14) can be computed much quicker than if we simply calculate the relative entropy with the full matrices G(ρ AB ) and Z (G(ρ AB )).

Speedup in evaluating the perturbed objective function
In the step of linearising the SDP problem, the gradient of the objective function has to be evaluated at the suboptimal point obtained from the first step [16].As pointed out in Sec.3.2 of Ref. [16], the gradient is undefined if the matrix G(ρ AB ) is not full rank.Besides, due to the finite numerical precision of a computer, the computed matrix G(ρ AB ) may have negative eigenvalues for which the objective function is undefined.In these cases, we perform a perturbation on the matrix G(ρ AB ) by applying a depolarising channel which gives the perturbed map G (ρ AB ), as defined in [16], G (ρ AB ) := (1 − )G(ρ AB ) + with β ∈ {n ≤ N B , flag}.Since we can break down the evaluation of the perturbed objective function into calculations on restricted subspaces, the speedup described in Appendix C 3 applies here.

FIG. 3 .
FIG. 3. (a)Our optimal lower bounds and (b) the corresponding mean photon numbers for secure key rates per clock cycle for both trusted (solid lines) and untrusted dark counts (dotted lines) versus total transmissivity η.For clarity, we omit labelling the lines for trusted and untrusted dark counts in the cases where the two lines are indistinguishable.
FIG.4.Percentage change in key rates comparing our optimal lower bounds for key rates with[6]'s optimal key rates versus total transmissivity η.We label the changes for trusted (untrusted) dark counts with solid (dotted) lines.A positive change means that our key rate is higher.
FIG.5.Percentage change in key rates comparing our lower bounds for key rates per clock cycle evaluated at[6]'s optimal α opt with[6]'s optimal key rates versus total transmissivity η.We label the changes for trusted (untrusted) dark counts with solid (dotted) lines.A positive change means that our key rate is higher.

FIG. 6 .
FIG.6.Assuming trusted dark counts, (a) our lower bounds for key rates and (b) the mean photon numbers plotted against the proportion (in percentage) of the trusted loss coming from the detection inefficiency of Bob's detectors to a fixed total loss corresponding to total transmissivity η = 0.1.
0≤n≤N B p min (cc|n) and C min n>N B := min n>N B p min (cc|n).If p min (cc|n) is monotonically increasing with n, then C min n≤N B = p min (cc|0) and C min n>N B = p min (cc|N B + 1).If we also have strict inequality C min n>N B > C min n≤N B , then we can turn the inequality in (A1) into the desired lower bound . The expression (C6) requires much fewer calculations in tracing the matrix product in the flag-state subspace (i.e.span{ E k,l }).Define a function R(σ) = D(G(σ)||Z (G(σ))) and an operator-valued function M which maps ρ n≤N B , | c diag and | c off to the density matrix ρ AB of the form in (C3) where the coefficients can be retrieved from c k i,i = i, i, k| c diag and c k i,j = i, j, k| c off with |i, j, k := |i ⊗ |j ⊗ |k .The SDP problem can be restructured into minimise R M ρ n≤N B , | c diag , | c off subject to Tr