Finite-key analysis for coherent-one-way quantum key distribution

* hlyin@ruc.edu.cn
† zbchen@nju.edu.cn

I. INTRODUCTION
Quantum theory has been playing a significant role in the field of communications, leading to the development of primitives such as quantum repeaters [1-3], quantum conference key agreement [4-10], quantum secret sharing [11-18], and quantum digital signatures [19-22]. Among these primitives, quantum key distribution (QKD) [23,24] has received considerable attention due to its ability to provide two remote users with a secret key with unconditional security guaranteed by the laws of quantum mechanics. Since the first QKD protocol, the Bennett-Brassard 1984 protocol [23], was proposed, various QKD schemes have been developed [25-27] to improve its practicality. Among these developments, measurement-device-independent QKD [28,29] is of vital importance for its immunity against one of the most threatening attacks, detector attacks [30], which enable experimental operations over a long distance [31,32]. However, due to channel loss, the key rates of most QKD protocols are bounded by the secret-key capacity of repeaterless QKD [33-36]. A protocol called the twin-field QKD [37] and its variants [38-43], which are based on single-photon interference instead of two-photon interference, break this bound and increase the secure distance to 833 km [44] and 1002 km [45] experimentally. Moreover, the recently proposed asynchronous measurement-device-independent QKD [46,47] (also named mode-pairing QKD) has become a practical approach for long-distance quantum communication systems [48-51] because it breaks the linear bound with its simple experimental implementation compared with twin-field QKD. The photon number splitting attack [52] is another critical limitation of practical QKD that has been overcome by several means like decoy-state methods [53-55], nonorthogonal coding methods [56-58], strong reference methods [59], and distributed-phase-reference methods [60-63], including differential-phase-shift (DPS) QKD and coherent-one-way (COW) QKD.
DPS protocol [60,61] is becoming more significant for its excellent key rate performance achieved by the simple setup of equipment. The experimental progress [64-67] shows the status of DPS-QKD as a promising protocol for realizing the quantum communication process in the real world. Theoretically, long-term security analyses of DPS-QKD have been proposed to establish a solid foundation to guarantee its unconditional security in reality. Assuming a single photon to be in each of the blocks, the analysis in Ref. [68] provided security proof of DPS-QKD, and this impractical assumption was changed to use a blockwise phase-randomized coherent photon source in later developments [69,70]. Furthermore, recently proposed proofs [71-73] give more practical analyses, removing the requirement of a special photon source and covering more general cases. Finally, Refs. [74,75] provide information-theoretic secure analyses to show the practicability of DPS-QKD in the finite-key regime, which builds a complete theoretic scheme for this protocol. We note that the security proof in Ref. [74] results in a key rate that scales in the order of O(η^2) without relativistic constraint and has immunity against coherent attacks, which is of vital importance in realistic implementation.
COW-QKD [62] is another type of distributed-phase-reference protocol that has been implemented in practical quantum information processing [76] with its easily achievable experimental requirements [77-84], which are similar to those of DPS-QKD. Contrary to the DPS-QKD, the security proof for the COW protocol remains incomplete, primarily due to the absence of a finite-key secure analysis that simultaneously offers robust key rate performance and security against coherent attacks. Typically, the security of COW-QKD is proven by measuring the interference visibility to estimate information leakage [85,86]. However, when considering the zero-error attack [87,88], which enables eavesdropping by Eve without introducing bit errors, COW-QKD is insecure if its key rate scales as O(η) [89], which is the scale of the key rate used in many COW-QKD experiments [79,81-84,90]. In Ref. [91], the authors introduced an innovative method for calculating the key rate of a variant of COW-QKD, resulting in an improved key rate in high-loss channels. However, the security of this protocol in the finite-key regime, particularly its immunity to coherent attacks, has yet to be proven. This is a crucial step in ensuring its practicality in real-world environments. In summary, the lack of a finite-key analysis for COW-QKD that offers both a high key rate and security against coherent attacks remains a significant challenge in enhancing the practicality of this technology.
Recently, a security proof for COW-QKD was proposed [92] based on an innovative practical implementation that retains the simplicity of the original version. By estimating the upper bound on the phase error rate instead of measuring the visibility of interference, it was shown that the secure transmission distance can be over 100 km, and an analytic formula for the key rate was provided. Nevertheless, a practical QKD protocol only involves finite resources, which means only a finite number of states are sent, leading to statistical fluctuations between observed values and expected values. Consequently, before we promote this protocol into reality, finite key analysis must be completed to lay the theoretical foundation. The uncertainty relation of smooth entropies [93] has been utilized to prove the finite-key security of the BB84 protocol [94] with composable security [95] against general attacks. This entropic uncertainty relation framework has been further extended to other finite-key cases of QKD, even with imperfect light sources [96,97]. This demonstrates its robust capability to underpin finite-key security analysis for various protocols.
In this paper, we extend the security proof in Ref. [92] to the finite-key domain with composable security [95] to demonstrate its real-world applicability. We employ the quantum leftover hash lemma [98] and the entropic uncertainty relation [93,94] to derive a formula for the secure key length in the finite-key regime. When dealing with correlated random variables, we apply Kato's inequality [99] to estimate statistical fluctuations, ensuring security against coherent attacks and resulting in a higher key rate compared to Azuma's inequality [100]. We simulate the performance of the key rate under different conditions, such as varying values of misalignment error and different choices of basis, to demonstrate the flexibility of our protocol. The simulation results and comparison with existing analyses and another similar protocol confirm the advantages of our approach. Additionally, our protocol is employed to show the exceptional capability of Kato's inequality in providing significantly tighter bounds when addressing events with an extremely low probability of occurrence. The comparison of key rates with previous COW variants and a summary of differences in many aspects are presented as well, serving to clearly highlight the unique advantages of our protocol.
This paper is organized as follows: Section II introduces the assumptions on devices and our COW-QKD protocol scheme. Section III presents details of the key rate calculation. Numerical simulations of key rate performance under different conditions and some comparisons are shown in Sec. IV, and we conclude in Sec. V.

II. ASSUMPTIONS AND PROTOCOL DESCRIPTIONS

A. Assumptions on devices
For the completeness of this paper, the assumptions on the devices of sender Alice and receiver Bob are introduced here before we describe our variant of the COW-QKD. In this protocol, Alice encodes a random bit with a quantum state consisting of two pulses sent in adjacent time windows and extracts a string of secret bits from these states together with Bob.

Assumptions on Alice's devices
The assumptions on Alice's devices are presented below:
1. Alice employs her sending equipment, which includes a mode-locked continuous-wave laser and an intensity modulator, to create weak coherent pulses. Alternatively, she can completely block the output to generate a vacuum state;
2. In our variant of COW-QKD, Alice randomly selects her initial bit string and encodes each bit into a two-pulse state. Additionally, she randomly determines which two adjacent time windows will be used to transmit decoy states. Consequently, the probability of the emitted state being a weak coherent pulse or a vacuum state in each time window is independent of the states sent previously.

Assumptions on Bob's devices
The assumptions on Bob's devices are summarised as follows:
1. Bob's detection devices receive optical pulses transmitted through a quantum channel with a transmittance of η. These incoming states are then divided into a data line or a monitoring line using a beam splitter with a transmittance of t_B. Alternatively, an optical switch can be used in place of the beam splitter, allowing Bob to actively distribute the quantum states;
2. On the data line, the quantum states are directly transmitted to a single-photon detector which measures the arrival time of the pulses. On the monitoring line, Bob utilizes an asymmetric Mach-Zehnder interferometer, which includes a one-bit delay and two single-photon detectors, to record which detector clicks within certain time windows. We note that all the single-photon detectors are threshold detectors, designed to simply determine the presence or absence of a photon.
3. We assume the detection efficiency η_d and dark-count rate p_d of each detector to be the same and reasonable values of them are employed in Sec. IV to numerically present the performance of our protocol.
Here we use |0⟩ to denote the vacuum state and |α⟩ to denote the coherent state whose mean photon number is µ = |α|^2. As shown in Fig. 1, the COW-QKD scheme used in this paper takes both two-pulse coherent state |α⟩_{2k−1}|α⟩_{2k} and two-pulse vacuum state |0⟩_{2k−1}|0⟩_{2k} as decoy states to estimate the phase error rate instead of using visibility to reflect the broken coherence.
The detailed steps of this scheme are: 1. Alice randomly sends a sequence of pulses that consists of states respectively, where the superscript M_i refers to the clicking detectors on the monitoring line. By applying Kato's inequality, she can estimate the upper bound on phase error rate E_p. The bit error rate E_z can be calculated by revealing some bits from the raw key. If either E_p or E_z exceeds the preset values, the protocol aborts.

After an error correction step is performed, at most leak_EC bits of information are revealed. Then Alice and Bob verify whether the error correction step succeeds and perform privacy amplification to get the final key string.

A. Security definition
Before we present the security proof in the finite-key regime, we introduce the universally composable framework of QKD [95]. Typically, performing a QKD protocol either generates a pair of bit strings Ŝ_A and Ŝ_B for Alice and Bob, respectively, or aborts so Ŝ_A = Ŝ_B = ∅. A secure QKD protocol must satisfy the two criteria below.
The first is the correctness criterion which is met if two bit strings are the same, i.e., Ŝ_A = Ŝ_B. In practical experiments, however, as it is not always possible to perfectly satisfy the correctness criterion, a small degree of error is typically allowed. Instead, we require that the probability of the two bit strings not being identical does not exceed a predetermined value, denoted as ε_cor. In this case, we say that the protocol is ε_cor-correct.
The second is the secrecy criterion which is met if there is no correlation between the system of the eavesdropper Eve and the bit strings of Alice. We assume the orthonormal basis which consists of Alice's quantum system and corresponds to each possible bit string of Alice to be {|s⟩}_s. The secrecy criterion requires the joint quantum state of Alice and Eve to be |S| |s⟩⟨s| is a uniform mixture which indicates that the probability of generating each possible bit string of Alice is uniformly distributed, and ρ_E is Eve's system, which does not correlate with Alice's system. However, it is not always possible to perfectly satisfy this criterion in practice. This means that a small deviation between the actual joint quantum state of Alice and Eve and the ideal state is permissible. The trace distance measures the difference and we say the protocol is ε_sec-secret if the trace distance between the actual joint quantum state ρ_AE and the ideal state ρ^ideal_AE does not exceed ∆, i.e., and (1 − p_abort)∆ ≤ ε_sec, where p_abort is the probability for aborting this protocol and ∥·∥_1 denotes the trace norm.
Finally, a protocol is ε_s-secure if it is both ε_cor-correct and ε_sec-secret with ε_cor + ε_sec ≤ ε_s.

B. Security proof
Here, a virtual entanglement-based protocol is introduced to obtain the secure key rate in the finite-key regime, which is based on the virtual entanglement-based protocol in Ref. [92]. To simplify the presentation, we ignore the label k and express the state sent in the k-th round as |0_z⟩ and N_− be the logic bits 0 and 1 in the X basis, where N_± = 2(1 ± e^{−µ}) are the normalization factors. In the virtual entanglement-based protocol, Alice prepares K pairs of the entangled state where |±x⟩ and |±z⟩ are the eigenstates of the Pauli matrices X and Z, respectively, and subscripts A and A′ denote different quantum systems possessed by Alice. Then Alice measures the qubits in the system A randomly in the Pauli X or Z basis to obtain the raw key X_A from the X basis and Ẑ_A from the Z basis. Bob's experimental implementation is the same as the practical COW-QKD. He obtains his raw key Ẑ_B of the Z basis on the data line by measuring the click time just like the original protocol. He also records a bit value 0 (1) in the X basis when detector D_M0 (D_M1) on the monitoring line clicks to obtain the raw key X_B. Ẑ_A and Ẑ_B are used to extract the final key so the error-correction step and error-verification step are performed on them. If these steps succeed, Alice and Bob obtain the same bit string which we denote as Ẑ. All the information that the eavesdropper Eve possesses up to the error-correction step and error-verification step is denoted as E′. The smooth min-entropy H^ε_min(Ẑ|E′) characterizes the mean probability that Eve can guess Ẑ successfully with all information she owns using the optimal strategy [101]. The smooth max-entropy H^ε_max(Ẑ_A|Ẑ_B) quantifies the number of bits required to reconstruct Ẑ_A from Ẑ_B [102].
According to the quantum leftover hashing lemma [98], a ∆-secret key of length l can be extracted from Ẑ when a random universal_2 hash function is applied to Ẑ, where parameter ∆ satisfies Letting , the length l of the secret key is [103] A chain-rule inequality for these smooth entropies is used to describe the error-correction step and error-verification step. That is, (5) where leak_EC and log_2(2/ε_cor) are the numbers of bits that are revealed during the error-correction and error-verification procedure, respectively, to generate an ε_cor-correct key, and Ê denotes all the information that Eve possesses before the error-correction step and error-verification step. The lower bound on the smooth min-entropy can be obtained by the entropic uncertainty relation [93]. We denote the binary Shannon entropy as h A and X′_B be the bit strings that Alice and Bob would have obtained if Alice had measured in the X basis, which is actually measured in the Z basis in the virtual protocol. So, we have , where n_z is the size of Ẑ_A and E_x is the bit error rate in the X basis. By exploiting the entropic uncertainty relation, we have and the final key length is

C. Phase error rate
The phase error rate formula is derived by the same method in Ref. [92]. For the completeness of this paper, a brief deduction is presented here. We consider a prepare-and-measure protocol which is equivalent to the entanglement-based protocol in Sec. III B. In this protocol, when Alice prepares her optical signals, she randomly chooses the Z or X basis. If she chooses the Z basis, she prepares states |0_z⟩ and |1_z⟩ with the same probability. If she chooses the X basis, she prepares states |0_x⟩ and |1_x⟩ with probability N_+/4 and N_−/4, respectively. She sends her states to Bob, and Bob uses the same implementation as the practical protocol to measure these states in the Z basis (data line) or in the X basis (monitoring line) distributed by a beam splitter.
It is obvious that the density matrices of the X and Z basis are the same. That is, Therefore, the bit error rate of the X basis can be obtained as follows: which is equal to the bit error rate in the virtual entanglement-based protocol, where Q^{Mi}_{s_{x(z)}} refers to the gain of the event in which Alice prepares state |s_{x(z)}⟩ (s = 0, 1) and Bob gets a click with detector D_Mi (i = 0, 1) on the monitoring line. The relation ) is used in the second equation, which can be obtained from Eq. (8). Because the density matrices of the Z basis and X basis are the same, the eavesdropper Eve cannot distinguish whether the prepare-and-measure protocol or the practical COW-QKD protocol is actually performed by Alice and Bob. The phase error rate in the practical COW-QKD protocol is equal to the bit error rate of the X basis in the prepare-and-measure protocol. and where Q^{Mi}_w (w = αα, 00) denotes the gain of the event in which Alice sends state |α⟩|α⟩ or |0⟩|0⟩, respectively, where we also omit the subscripts of states |α⟩_{2k−1}|α⟩_{2k} and |0⟩_{2k−1}|0⟩_{2k} and Bob gets a click with detector D_Mi (i = 0, 1). The details of how to obtain Eqs. (10) and (11) can be found in Ref. [92].
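The equality of the X-basis and Z-basis density matrices stated above can be verified directly. The derivation below is an added worked example, not text from the paper; it assumes |0_z⟩ = |0⟩|α⟩ and |1_z⟩ = |α⟩|0⟩ (the two signal states of Fig. 1) and takes |0_x⟩, |1_x⟩ to be their normalized sum and difference, which is consistent with the normalization factors N_± = 2(1 ± e^{−µ}) given in Sec. III B.

\[
\langle 0_z | 1_z \rangle = \langle 0 | \alpha \rangle \, \langle \alpha | 0 \rangle = e^{-\mu},
\qquad
\bigl\| \, |0_z\rangle \pm |1_z\rangle \, \bigr\|^2 = 2 \pm 2 e^{-\mu} = N_\pm ,
\]
\[
|0_x\rangle = \frac{|0_z\rangle + |1_z\rangle}{\sqrt{N_+}},
\qquad
|1_x\rangle = \frac{|0_z\rangle - |1_z\rangle}{\sqrt{N_-}},
\qquad
\frac{N_+}{4} + \frac{N_-}{4} = 1 ,
\]
\[
\frac{N_+}{4} |0_x\rangle\langle 0_x| + \frac{N_-}{4} |1_x\rangle\langle 1_x|
= \frac{1}{4} \Bigl[ \bigl(|0_z\rangle + |1_z\rangle\bigr)\bigl(\langle 0_z| + \langle 1_z|\bigr)
+ \bigl(|0_z\rangle - |1_z\rangle\bigr)\bigl(\langle 0_z| - \langle 1_z|\bigr) \Bigr]
= \frac{1}{2} \bigl( |0_z\rangle\langle 0_z| + |1_z\rangle\langle 1_z| \bigr).
\]

The cross terms |0_z⟩⟨1_z| and |1_z⟩⟨0_z| cancel, so the X-basis mixture with weights N_+/4 and N_−/4 is exactly the Z-basis mixture with equal weights, and the basis choice is invisible to Eve.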

D. Statistical fluctuations
Given the impact of finite-key effects, it is crucial to ensure the security of our protocol within the finite-key regime if we want to facilitate the practical application of this technology.This involves taking into account the statistical fluctuations between observed and expected values and estimating the lower bound of the final key length using a concentration inequality [99,100].
Typically, Azuma's inequality [100] is applied to convert observed values to the upper or lower bound on corresponding expected values and vice versa. As shown in Ref. [74], it can be concluded that a loose bound will be obtained when using Azuma's inequality to estimate the statistical fluctuations of events that occur with a very small probability. Specifically, the estimation of the gains of decoy states |0⟩_{2k−1}|0⟩_{2k} is loose when using Azuma's inequality. Instead, we use a concentration inequality named Kato's inequality [99] to make our estimation tighter so a higher key rate can be obtained. Here we introduce the general form of Kato's inequality which has been employed in some finite key analyses [74,104] ) where E(•) refers to the expected value. Another form of Kato's inequality can be derived by replacing n_i → 1−n_i and a → −a, which is The details of how to use Kato's inequality to accomplish parameter estimation tasks are shown in the Appendix. In the description below, we let O* be the expected value of O.
After performing the COW-QKD protocol, observed values n^{Mi}_{αα} and n^{Mi}_{00} (i = 0, 1) are obtained, which stand for the total click counts of detector M_i when state |α⟩|α⟩ or |0⟩|0⟩ is sent, respectively. Q^{Mi}_{s_z} (s = 0, 1) and the click count of detector D_T, which we express as n_z, can be directly calculated as well. First, we use these four observed values to estimate their upper bounds on corresponding expected values by Kato's inequality as follows: where w = 00, αα and i = 0, 1. The statistical fluctuation parameters here are obtained in the way presented in the Appendix. Similarly, two lower bounds n^{M0*}_w (w = 00, αα) need to be calculated as follows: We set the failure probability for estimating each of the six bounds above to be ε_1. The total number of rounds performed is set to be N. So, we can denote the number of state |α⟩|α⟩ sent by Alice as N_αα = N × p_d1 and the number of state |0⟩|0⟩ as N_00 = N × p_d2. We calculate the upper and lower bounds on gains of each event as follows: Then, by applying Eqs. (10) and (11) in the expected case, we obtain the expected values as follows: ) Finally, by applying Eq. (9) and considering the bit error rate in the X basis to be equal to the phase error rate in the Z basis in the expected value case [32], the expected upper bound on the phase error rate is We use Kato's inequality again but in a different form which is explained in the Appendix to calculate the upper bound on phase error rate in the observed value case. The expected number of clicks corresponding to phase errors is n*_p = N × E*_p. So, the upper bound on the observed value is where ∆_p = √((1/2) n_z ln ε_2^{−1}) and ε_2 is the failure probability for estimating n_p. So, the upper bound on the phase error rate is

E. Composable security
Considering the failure probability for estimating the statistical fluctuations described in Sec, the practical protocol has a total secrecy of ε_sec = 2ε + ε_0 + 6ε_1 + ε_2, where we take ε = ε_0 = ε_1 = ε_2 = ε_sec/10. So, the final key length is denoted as ) and the COW-QKD protocol in this paper is ε_s-secret, where ε_s = ε_cor + ε_sec.

IV. NUMERICAL SIMULATION AND DISCUSSION
To numerically simulate the key rate performance of our protocol in the finite-key regime, we assume that the We present the performance of the key rate of COW-QKD with different total numbers of rounds compared with the key rate of infinite limit [92], where the misalignment error rate is fixed to e_d = 1%. As shown in Fig. 2, we can conclude that if the state-sending step of our protocol is repeated for N = 10^11 rounds, the key rate is close to that of infinite limit, showing the practicality of our protocol in the finite-key regime. When choosing N = 10^11, a 3-Mbit key can be obtained through 34 km fiber by Alice and Bob if they run our protocol with a laser operating at 1 GHz for only 30 seconds, which presents the superiority of this protocol in short-distance communication. The results also demonstrate that our security analysis guarantees an unconditionally secure communication range exceeding 100 km for COW-QKD, given its straightforward experimental setup.
We demonstrate the flexibility of our protocol by presenting its key rate performance under different conditions. First, the beam splitter used to passively distribute optical pulses into the data or monitoring lines can be replaced by an optical switch that actively divides incoming states into different lines. This is referred to as the passive and active basis choice, respectively. A comparison of the key rate between passive and active basis choice is presented in Fig. 3, along with the estimated upper bound on the phase error rate E_p when using an active basis, demonstrating the applicability of our analysis with an active basis. Our protocol also exhibits robustness when faced with varying values of the misalignment error rate, as shown in Fig. 4. The results show that even with a large misalignment error, the key rates are not significantly affected. This indicates the practicality of our protocol in constructing quantum communication systems under different experimental conditions.
We compare our protocol with DPS-QKD [71], whose equipment requirements are similar to that of COW-QKD. The finite-key security analysis of it in Ref. [74] shows a tighter bound on phase error rate can be obtained by Kato's inequality. To simulate under the same experimental conditions, we follow the choice in Ref. [74] and fix the security bounds of both correctness and secrecy to 2^−28 to get a total secrecy of 2^−27 ≈ 10^−8.1. The misalignment error e_d is set to 0.01 and the dark-count rate is 0, so we can ensure the bit error rate is 1% as chosen in Ref. [74]. The correction efficiency f is 1.16, and we have simulated the key rate under varying values of overall channel transmittance, taking into account both optical fiber loss and detection efficiency. We note that in our COW-QKD protocol, Alice sends two pulses in each round, whereas the DPS-QKD protocol requires three pulses. For comparison, we need to ensure that the total number of pulses N_pulse is the same for both protocols. We compare the key rates of the two protocols when N_pulse is set to 3 × 10^11 and 3 × 10^12, so one of the results for DPS-QKD is consistent with that reported in Ref. [74]. The simulation is shown in Fig. 5. The results reveal that the key rates of our protocol are significantly higher than those reported in Ref. [74].

FIG. 5. Comparison of key rates of our protocol and the DPS-QKD protocol in Ref. [74]. Two protocols have similar experimental settings and both belong to the distributed-phase-reference QKD protocols. The bit error rate is 1% and the correction efficiency f is 1.16. For convenience, the security bounds of both correctness and secrecy are fixed to 2^−28 as in Ref. [74]. We compare the key rates when the numbers of pulses are N_pulse = 3 × 10^11 and N_pulse = 3 × 10^12 and conclude that our protocol has advantages on the secure transmission distance and key rate performance.
Following the approach proposed in Ref. [74], our protocol demonstrates an enhancement of Kato's inequality over Azuma's inequality as well. In our protocol, the gain of the decoy states |0⟩_{2k−1}|0⟩_{2k}, represented as Q^{Mi}_{00}, is entirely attributed to the non-zero dark count rate, which is approximately on the scale of 10^−8. However, the fluctuations estimated by Azuma's inequality between observed and expected values exhibit a linear dependence on √N_00. These statistical fluctuations dominate the estimation of the upper limit on Q^{Mi*}_{00}, resulting in a decrease in Q^{M0*}_{0x} and an increase in Q^{M1*}_{0x} according to Eqs. (18) and (19). This gives rise to a higher phase error rate as per Eq. (20), consequently leading to a diminished key rate. To compare the results, we conduct a numerical simulation of our protocol's key rates, using Azuma's or Kato's inequalities to estimate the upper bound on Q^{Mi*}_{00}. The results are depicted in Fig. 6 together with a detailed comparison of the upper bounds on Q^{M0*}_{00} obtained by two inequalities.
Compared with other security analyses of previous variants of COW-QKD, our protocol has notable advantages because its key rate performance is better when considering the highest security standard, i.e., the security against both zero-error attack and coherent attacks. For the completeness of this paper, in Fig. 7 we compare the key rates in the asymptotic case of our COW protocol with the variants proposed in Refs. [86,89] that have the immunity against these two attacks. To fairly compare, the parameter choices in Refs. [86,89] are adopted, which fix the dark count rate p_d to 10^−7 and set the detection efficiency η_d to 99%. In our numerical simulation of the variant presented in Ref. [86], we opt for a scenario where each three-signal block, comprising six optical pulses, shares the same phase. This modification to the experimental setup has inevitably altered the simplicity of the original protocol. Both of these previous variants are with an active basis choice. It can be concluded that our protocol not only outperforms in terms of key rates and transmission distance but also preserves the original simplicity of the COW-QKD setting.

FIG. 7. Secret key rates of our protocol compared with previous variants in Refs. [86,89]. The dark count rate p_d is fixed to 10^−7 and the efficiency of detectors is set to 99%. The experimental requirements for the variant in Ref. [86] are more complex compared to the original protocol. However, both the variant in Ref. [89] and our protocol maintain the simplicity of the setup. Under certain channel transmission values, our protocol with passive basis choice can still outperform the previous variants that use active basis choice in terms of key rate performance.
Moreover, we have summarized the differences with several previous works on COW-QKD in aspects such as experimental setting and key rate performance in Table I. As previously discussed, our protocol exhibits superior key rate performance compared to variants [86,89] that share an equivalent security level. A method for calculating the lower bound on the secure key rate of a COW variant was proposed in Ref. [91] recently, which shows significantly improved key rate performance. However, the absence of finite-key regime analysis and immunity against coherent attacks pose significant challenges to the practical implementation of this theoretical protocol. Earlier works such as Refs. [80,85] presented security proofs that could achieve high key rates scaling as O(η). However, these variants have been demonstrated to be insecure when confronting zero-error attacks [87,88]. Since our security proof provides the analytical formulas of the key rate, the extension of analyzing performance with finite key length can be completed as presented in Sec. III. With the help of Kato's inequality, our analysis gives a tight bound on the key rate and guarantees security against coherent attacks, establishing foundations for further practical applications.

V. CONCLUSION
In this paper, we present a finite-key analysis for the COW-QKD protocol proposed in Ref. [92].We apply the quantum leftover hashing lemma and entropic uncertainty relation to derive an analytic formula for the key length.When dealing with correlated random variables, we use Kato's inequality to ensure security against coherent attacks and achieve a higher key rate.By considering the failure probabilities for estimating statistical fluctuations between observed and expected values, we complete the security proof within the universally composable framework.Our finite-key analysis shows that the key transmission distance can exceed 100 km in specific cases, providing a feasible approach for the secure implementation of quantum communication processes.In short-distance communication, the numerical simulation in Fig. 2 has shown that our protocol can generate a 3-Mbit secret key over 34km fiber by running this protocol for only 30 seconds with a photon source operating at 1 GHZ repetition rate.We also present numersimulations of key rates under different conditions, demonstrating the practicality and flexibility of our protocol.Compared to the finite-key analysis of DPS-QKD in Ref. 
[74], our protocol obtains a significantly higher key rate with almost the same experimental setup.Additionally, we show that our COW-QKD protocol can also be used to show the superiority of Kato's inequality when estimating events with a small probability of occurrence.Furthermore, we present the comparison of key rates with previous COW variants in the asymptotic scenario and summarize the differences in many aspects to clearly illustrate the distinct advantages of our protocol.In conclusion, our protocol lays a theoretical foundation for applying COW-QKD in real-world scenarios by offering both a high key rate and unconditional security against coherent attacks and completes the intact security proof for this protocol.Our protocol may be employed in future quantum communication with minuscule devices like chips and quantum information networks due to the simple experimental setup and excellent key rate performance.lem.To demonstrate, we let ε a be the failure probability for estimating the upper bounds, i.e., exp −2(b 2 −a 2 ) (1+ 4a With the fixed values a 1 and b 1 , we get the upper bound on expected value as follows according to Eq. ( 12): √ k and we use the expected value Γ * k to denote k u=1 E(n u |f u−1 ).Similarly, Eq. ( 13) can be applied to estimate the lower bound on expected values, where we need to solve another optimization problem.
That is, The solutions are in the main text can be done, where w = 00, αα and i = 0, 1. The failure probability for each estimation is $\varepsilon_a$, which is considered when explaining the composable security of our protocol. When converting expected values to observed values, Kato's inequality is available as well. However, to get specific values of the optimal $a_i$, $b_i$ and the deviation $\Delta_i$, where i = 1, 2, the observed value $\Gamma_k$ needs to be employed, which is not known. So, we follow the method used in Ref. [104]. Let a = 0 and set the failure probabilities in Eqs. (12) and (13) to be $\varepsilon_b$. We obtain the inequalities below: where $\Delta = \sqrt{\frac{1}{2} k \ln \varepsilon_b^{-1}}$. This is how the estimation procedure of Eq. (21) is done.
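The fluctuation estimate described above can be worked through numerically. The sketch below is an added example, not the authors' code: it assumes the standard literature form of Kato's inequality (its statement is truncated on this page), fixes a from a predicted count `gamma_guess` rather than from the data, and uses hypothetical function names and constructed sample values. It compares the a = 0 deviation with the optimized one for rare events.

```python
import math

# Kato's inequality in its standard literature form (assumed; truncated on the page):
#   Pr[ sum_u E(n_u|F_{u-1}) - Gamma_k >= (b + a(2*Gamma_k/k - 1))*sqrt(k) ]
#       <= exp( -2(b^2 - a^2) / (1 + 4a/(3*sqrt(k)))^2 ),   b >= |a|

def kato_b(a, k, eps):
    """b that makes the right-hand side equal to eps for a given a."""
    scale = 1.0 + 4.0 * a / (3.0 * math.sqrt(k))
    return math.sqrt(a * a + 0.5 * math.log(1.0 / eps) * scale * scale)

def kato_deviation(a, gamma, k, eps):
    """Allowed gap between expected and observed sums for a fixed a."""
    return (kato_b(a, k, eps) + a * (2.0 * gamma / k - 1.0)) * math.sqrt(k)

def azuma_deviation(k, eps):
    """a = 0 special case: Delta = sqrt(k * ln(1/eps) / 2)."""
    return math.sqrt(0.5 * k * math.log(1.0 / eps))

def optimise_a(gamma_guess, k, eps, iters=300):
    """Ternary search for a; the deviation is convex in a."""
    lo, hi = -math.sqrt(k), math.sqrt(k)
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if kato_deviation(m1, gamma_guess, k, eps) < kato_deviation(m2, gamma_guess, k, eps):
            hi = m2
        else:
            lo = m1
    return 0.5 * (lo + hi)

def upper_bound_expected(gamma_obs, gamma_guess, k, eps):
    """Upper bound on the expected sum; a comes from the guess, not the data."""
    a = optimise_a(gamma_guess, k, eps)
    return gamma_obs + kato_deviation(a, gamma_obs, k, eps)

if __name__ == "__main__":
    k, eps = 10**10, 1e-10  # constructed sample values
    for gamma in (10**4, 10**7, 5 * 10**9):
        kato = upper_bound_expected(gamma, gamma, k, eps) - gamma
        print(f"Gamma={gamma:.1e}  Azuma={azuma_deviation(k, eps):.3e}  Kato={kato:.3e}")
```

For a count near k/2 the two deviations coincide; the gain appears only when the observed count is a small fraction of k, which is the regime of the monitoring-line click counts.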

FIG. 1. Experimental implementation of the COW-QKD protocol in this paper. With an intensity modulator (IM), Alice can prepare the quantum states $|0\rangle$ and $|\alpha\rangle$ in each time window and randomly send a sequence of pulses consisting of the states $|0\rangle_{2k-1}|\alpha\rangle_{2k}$, $|\alpha\rangle_{2k-1}|0\rangle_{2k}$, $|\alpha\rangle_{2k-1}|\alpha\rangle_{2k}$, and $|0\rangle_{2k-1}|0\rangle_{2k}$ to Bob. After passively distributing these states into the data line or the monitoring line with a beam splitter of transmittance $t_B$, Bob records the detector's click in each round. $D_T$, $D_{M_0}$, and $D_{M_1}$ are single-photon detectors. Compared to the original version of COW-QKD, our protocol adds the state $|0\rangle_{2k-1}|0\rangle_{2k}$ as another decoy state, which leaves the requirements for experimental equipment unchanged. We note that on the monitoring line, Bob is only required to record the clicks that occur within specific time windows. These clicks are a result of interference involving two pulses from the same round, as illustrated in the figure.

FIG. 2. Secret key rate with different values of the total number of rounds, $N = 10^{9}$, $10^{10}$, and $10^{11}$, using passive basis choice. The misalignment error $e_d$ is set to 1%. When $N = 10^{11}$, which is reasonable in experimental implementation, the key rate is quite close to the performance in the asymptotic case. The key rate performance also shows that the security of our protocol ensures a secure distance exceeding 100 km for COW-QKD in practical implementation.

FIG. 3. Comparison of key rates using passive basis and active basis when $N = 10^{9}$ and $N = 10^{11}$. The upper bound on the phase error rate $E_p$ using active basis choice is presented by the dashed red line. The misalignment error $e_d$ is set to 1%. (a) The total number of rounds is $N = 10^{9}$. (b) The total number of rounds is $N = 10^{11}$.

FIG. 4. Secret key rate simulation in the finite-key case with different values of misalignment error when using passive basis. When a large misalignment error is employed, the key rates do not drop significantly, which is an important advantage in constructing quantum information systems. (a) The total number of rounds is $N = 10^{9}$. (b) The total number of rounds is $N = 10^{11}$.

FIG. 6. (a) Finite secret key rate simulation of our protocol using Azuma's or Kato's inequalities to estimate the upper bound on $Q_{00}^{M_0 *}$ with $N = 10^{10}$ and $N = 10^{11}$. The misalignment error $e_d$ is set to 1%. It can be concluded that significantly higher key rates are obtained by utilizing Kato's inequality. (b) The detailed estimated values of $Q_{00}^{M_0 *}$ when applying Azuma's or Kato's inequalities. Statistical fluctuations dominate the estimation of the upper bound, leading to significantly higher values. Consequently, higher phase error rates are calculated as per Eqs. (18)-(20) and result in lower key rates.
and $|0\rangle_{2k-1}|0\rangle_{2k}$ with probability $p_z$, $p_z$, $p_{d_1}$, and $p_{d_2}$, respectively, to Bob, where $p_z = \frac{1}{2}(1 - p_{d_1} - p_{d_2})$. She records her choice of sending in each round. This step is repeated for N rounds, so we have $k = 1, 2, \cdots, N$.

2. Bob uses a beam splitter of transmittance $t_B$ to passively distribute incoming states into the data line or the monitoring line. On the data line, he measures the click time of each signal to determine which logic bit Alice encodes in this round and gets the raw key. On the monitoring line, he records which detector clicks in each round. As illustrated in Fig. 1, the clicks that are recorded are specifically those resulting from interference involving two pulses from the same round. Any other clicks should be disregarded. Here we note that if multiple detectors click in one round, Bob records one of these detector clicks randomly.

3. Bob announces in which round he records a click on the data line. Alice only keeps her logic bits in those rounds and discards the rest to get the raw key.

4. Bob announces his click records of the monitoring line. Alice calculates the following click counts: $n^{M_i}_{0\alpha}$, $n^{M_i}_{\alpha 0}$, $n^{M_i}_{\alpha\alpha}$, and $n^{M_i}_{00}$

In the practical COW-QKD protocol, the states $|0_x\rangle$ and $|1_x\rangle$ are not sent, so we cannot calculate $Q^{M_1}_{0_x}$ and $Q^{M_0}_{0_x}$ directly. The decoy states $|\alpha\rangle_{2k-1}|\alpha\rangle_{2k}$ and $|0\rangle_{2k-1}|0\rangle_{2k}$ are used to estimate $Q^{M_1}_{0_x}$ and $Q^{M_0}_{0_x}$, where $\overline{O}$ and $\underline{O}$ are the upper and lower bounds on value O, respectively. The expressions are

which is called the natural filtration of this sequence of random variables. For any k, a ∈ R and any b s.t. b ≥ |a|, according to Kato's inequality we have that
a b This protocol only considers restricted types of collective attacks.