Phase-Matching Quantum Key Distribution

Quantum key distribution allows remote parties to generate information-theoretic secure keys. The bottleneck throttling its real-life applications lies in the limited communication distance and key generation speed, due to the fact that the information carrier can be easily lost in the channel. For all the current implementations, the key rate is bounded by the channel transmission probability, $\eta$. Rather surprisingly, by matching the phases of two coherent states and encoding the key information into the common phase, this linear key-rate constraint can be overcome---the secure key rate scales with the square root of the transmission probability, $O(\sqrt{\eta})$, as proposed in twin-field quantum key distribution [Nature (London) 557, 400 (2018)]. To achieve this, we develop an optical-mode-based security proof that is different from the conventional qubit-based security proofs. Furthermore, the proposed scheme is measurement device independent, i.e., it is immune to all possible detection attacks. The simulation result shows that the key rate can even exceed the transmission probability $\eta$ between two communication parties. In addition, we apply phase postcompensation to devise a practical version of the scheme without phase locking, which makes the proposed scheme feasible with the current technology. This means that quantum key distribution can enjoy both sides of the world---practicality and security.


I. INTRODUCTION
Quantum key distribution (QKD) [1,2] is the most successful application in the quantum information science, whose security was proved in the end of the last century [3][4][5].Since then, there has been a tremendous interest in developing this quantum technology for real-life applications, starting from the first 32-cm demonstration in the early 1990s [6] to the recent satellite QKD over 1200 km [7].In these implementations, photons are used as information carriers, owing to their fast transmission speed and robustness against decoherence from the environment.Besides, the optical quantum communication can be easily integrated with the current telecommunication network infrastructure.Now, the transmission loss of photons has become the major obstacle in practical implementations.The quantum channel transmission efficiency is characterized by the transmittance η, defined as the probability of a photon being successfully transmitted through the channel and being detected.For most of the current implemented schemes, such as the well-known Bennet-Brassard 1984 (BB84) protocol [1], single-photon sources [8] are employed for key information encoding.Since the photon carries the quantum information, when it is lost in the channel, no secure key can be distributed.Thus, the transmittance η becomes a natural upper bound of the key generation rate.More strict derivation shows a linear key rate bound with respect to the transmittance [9][10][11], R ≤ O(η).Since the transmittance η decays exponentially with the communication distance in the fiber-based network, this linear key rate bound severely limits the key generation rate.
The following two approaches to overcome this rate limit have been considered, quantum repeaters [12][13][14] and trusted relays.Unfortunately, using quantum repeater schemes with current technology is infeasible because they require high-quality quantum memory and complicated local entanglement distillation operations.The trusted-relay approach, however, relies on the assumption that the quantum relays between two users are trustworthy, which is difficult to ensure or verify practically; this severely undermines the primary goal of QKD, i.e., security.In 2012, the measurement-device-independent quantum key distribution (MDI-QKD) scheme is proposed to close all the detection loopholes [15], which enhances the security of a practical QKD system.Nevertheless, the key rate of MDI-QKD scheme is still bounded by O(η).Therefore, the linear key rate bound [10,11] was widely believed to hold for practical QKD systems without relays.
Significant efforts have been devoted to improve the key rate by proposing different schemes.Recently, Lucamarini et al. proposed a novel phase-encoding QKD protocol, called twin-field QKD [16], which shows the possibility to overcome the key rate limit and make a quadratic improvement.Note that the implementation of TF-QKD resembles Scheme I in phase-encoding MDI-QKD [17].In both schemes, single-photon detection is used, whereas coincident detection is required in other MDI-QKD schemes [15,18].From technical point of view, the single-photon detection is the key reason for the quadratic improvement.Unfortunately, a rigorous security proof is still missing at the moment.In fact, as shown later, the widely used photon number channel model [19] used in the security proof of MDI-QKD is proven to be invalid for this kind of settings.
Here, we propose a phase-matching quantum key distribution (PM-QKD) scheme that can surpass the linear key rate bound, inspired by the relative phase encoding arXiv:1805.05538v1[quant-ph] 15 May 2018 Bennett-1992 [20], phase-encoding MDI-QKD [17,18], passive differential-phase-shift [21], and twin-field [16] QKD schemes.The two communication parties prepare two coherent states independently, match phases with each other with post-selection, and encode the key information onto the common phase.Details are shown in Section II.By developing an optical-mode-based security proof, we show that the key rate of the proposed scheme scales with the square root of the transmittance, R = O( √ η), in Section III with technical details shown in Appendix A. Also, the proposed phasematching scheme falls into the MDI framework, which is immune to all possible detection attacks.In Section IV, we deal with related practical issues and develop a phase post-compensation technique to ease the experimental requirements.In Section V, we simulate the key rate performance of PM-QKD and compare it to former QKD protocols, with all the practical factors taken into account.Finally, in Section VI, we discuss possible future work directions.

II. PM-QKD PROTOCOL
In PM-QKD, the two communication parties, Alice and Bob, both send a phase-randomized coherent pulse to an untrusted Eve, who is expected to perform interference detection.Eve obtains a successful detection when one and only one of the two detectors clicks, denoted by L-click and R-click, thus revealing that the relative phase of the coherent pulses A and B is either 0 or π.Then, Alice and Bob match the phases of pulses by post-selection.In a way, the key information is encoded in the "global phase" of the two coherent pulses, which is expected to be secret to Eve.The PM-QKD scheme is detailed below and shown in Fig. 1.
State preparation: Alice randomly generates a key bit κ a and a random phase φ a ∈ [0, 2π) and then prepares the coherent state | √ µ a e i(φa+πκa) A .Similarly, Bob generates κ b and φ b ∈ [0, 2π) and then prepares | √ µ b e i(φ b +πκ b ) B .Measurement: Alice and Bob send their optical pulses, A and B, to an untrusted party, Eve, who is expected to perform an interference measurement and record the detector (L or R) that clicks.
Announcement: Eve announces her detection results.Then, Alice and Bob announce the random phases φ a and φ b , respectively.Parameter estimation: For all the raw data that they have retained, Alice and Bob analyze the gains Q µ and quantum bit error rates E Z µ .They then estimate E X µ using Eq.(2).Key distillation: Alice and Bob perform error correction and privacy amplification on the sifted key bits to generate a private key.
Notations: denote a coherent state in mode A to be | √ µe iφ A , where µ is the intensity and φ is the phase; µ a = µ b = µ/2; Alice's (Bob's) key bit κ a(b) ∈ {0, 1}; total gain Q µ ; phase error rate E X µ ; and bit error rate E Z µ .
The above implementation of our PM-QKD protocol clearly resembles the phase-encoding MDI-QKD protocol [17,18], where the key bits are encoded in the relative phase of two coherent pulses (the reference and signal pulses).However, in the PM-QKD protocol, the reference pulse can be regarded as being shared by Alice and Bob.Therefore, they no longer need to send the reference pulse, and the key becomes the global phase of the coherent signal pulses.Another significant difference between PM-QKD and the former phase encoding MDI-QKD scheme is that no basis switching is required.In this respect, it resembles the Bennett-1992 [20], and passive DPS [21] QKD protocols.

III. SECURITY OF PM-QKD
To provide an intuitive understanding of the manner in which PM-QKD works, we demonstrate its security by considering an equivalent scenario shown in Fig. 1

(b).
Here, a trusted party (Charlie) prepares a pure state |Ψ C , splits it using a 50-50 beam splitter, and sends to Alice and Bob separately.Alice and Bob encode their key information, κ a and κ b , into systems A and B by modulating the phases, and then send these to Eve who is supposed to tell whether |κ a − κ b | = 0 or 1.Thus, the four possible output states that could be sent to Eve can be expressed as |Ψ 0,0 , |Ψ 0,π , |Ψ π,0 , and |Ψ π,π .
Without the loss of generality, we consider the following case in which both encoded key bits are the same, κ a = κ b .Eve attempts to learn the key bit κ a(b) from the state sent to her, which is either |Ψ 0,0 or |Ψ π,π .Here, the phase, controlled by κ a and κ b and modulated into A and B, has become the "global phase" of the combined system A and B. a phase-randomized state | √ µe iφ C , it is equivalent for Charlie to prepare a Fock state |Ψ C = |k C with a probability of P (k) = e −µ µ k /k!.Thus, the PM-QKD protocol is secure if Eve cannot learn the phase φ.However, in the real PM-QKD protocol, the phase φ will eventually be announced during the sifting process.When this happens, Charlie's source |Ψ C can no longer be regarded as combinations of different photon-number states |k C .The key challenge of the security proof of PM-QKD lies in the fact that the quantum source cannot be regarded as a mixture of photon number states, after Alice and Bob announce the phases, φ a and φ b .That is, the photon number channel model [19] and the "tagging" method used in the GLLP security proof [22] cannot be applied here any more.In Appendix C, a beam-splitting attack is proposed to show that the GLLP formula is incorrect after the phase announcement.Therefore, one cannot simply reduce a randomized-phase coherent state protocol to a single-photon-based protocol.
Our security proof of PM-QKD is based on analyzing the distillable entanglement of its equivalent entanglement-based protocol.
Following the Shor-Preskill security argument [5], the key rate of PM-QKD protocol (for the sifted signals) is given by, where E Z µ is the quantum bit error rate (QBER) that can be directly estimated in the experiment; E X µ is the phase error rate, which reflects the information leakage; and H is the binary Shannon entropy function.We demonstrate in Appendix A that E X µ can be bounded by (2) Here, q k is the estimated ratio of the "k-photon signal" to the full detected signal: where Q µ is the total gain of the pulses, and Y k and e Z k are the yield and bit error rate, respectively, if Charlie's light source is a k-photon number state.Alice and Bob can estimate the yield and bit error rate via the decoy-state method [23][24][25].Note that the parameters Y k and e Z k can still be used to characterize Eve's behaviour even though the source is not actually a combination of photon-number states.
Unlike the existing security analysis of discretevariable QKD, our analysis is not single-qubit-based.For a long time, the sources in QKD implementations, such as weak coherent sources and spontaneous parametric down-conversion sources, have been fabricated as an approximation of single qubit, following the BB84 protocol [1].Here, we show the security of PM-QKD with a coherent light source by directly applying the Lo-Chau entanglement distillation argument [4] on analyzing the optical modes.This technique could be helpful for both new QKD scheme design and security analysis.
In the equivalent scenario considered above, shown in Fig. 1(b), a trusted party Charlie is introduced.We need to emphasize that the virtual Charlie will be removed in the real implementation in Section IV.If Charlie does exist, Eve may inject some probes after Charlie's outputs, and then measures them at the output of Alice and Bob to learn their operations.This is the main problem of detection-device-independent QKD [26,27].In the PM-QKD protocol shown in Fig. 1(a), Alice and Bob can simply isolate their light source and modulators in an optical circulator to prevent such trojan-horse-like attacks.Hence, the PM-QKD scheme, like other MDI-QKD schemes, is secure against trojan-horse-like attacks.

IV. PRACTICAL IMPLEMENTATION
Now we address a few practical issues.In the protocol shown in Fig. 1, Alice and Bob only retain their signals when their announced phases, φ a and φ b are either exactly the same or with a π-difference.However, since the announced phases are continuous, the successful sifting probability tends to zero.Moreover, we assume that Alice's and Bob's laser sources are perfectly locked, such that their phase references meet, but it is very challenging in practice to achieve such phase-locking.
To address these practical issues, we employ a phase post-compensation method [18], where Alice and Bob first divide the phase interval [0, 2π) into M slices {∆ j } for 0 ≤ j ≤ M −1, where ∆ j = [2πj/M, 2π(j+1)/M ).Instead of comparing the exact phases, Alice and Bob only compare the slice indexes.This makes the phase sifting step practical, but introduces an intrinsic misalignment error.Besides, Alice and Bob do not perform the phase sifting immediately in each round, and instead, they do it in data postprocessing.In the parameter estimation step, they perform the following procedures, as shown in Fig. 2.
1.For each bit, Alice announces the phase slice index j a and randomly samples a certain amount of key bits and announces them for QBER testing.Here, in the phase post-compensation step, Bob does not need to fix a j d for the whole experiment.Bob can group the raw data into data blocks, and then he is able to adjust the offset j d for different data blocks.Alternatively, Bob can also adjust j d in real time based on a prediction via data-fitting samples nearby.Detailed description of the operations and security arguments are presented in Appendix A 6. We emphasize that the fluctuation of phases will only introduce additional bit errors, but not affect the security.An alternative method to phase post-compensation is that, Alice and Bob can generate strong pulses independent of quantum signals for phase calibration.The two pulses are interfered at the measurement site so that Alice and Bob can identify the phase fluctuations between two channels.Note that the strong pulses can be set in an optical mode slightly deviated from the quantum signals to reduce cross-talks.According to the phase difference measured from the strong calibration pulses, Alice and Bob can estimate the offset j d accurately.This is a feasible way to replace the phase post-compensation method.
Another important issue is that how Alice and Bob set random phases φ a , φ b .In practice, it would be experimentally challenging to continuously set an accurate phase to a coherent state.As is discussed above, they only need to set the slice indexes j a , j b instead of exactly modulating phases.There are two methods to achieve this.
• Alice and Bob first generate strong laser pulses with (unknown) randomized phases, either by turning on/off the lasers or active phase randomization.They then split the pulses and apply homodyne detection on one beam to measure the phase φ a , φ b accurately enough to determine the slice indexes j a , j b .They use the rest beam for further quantum encoding.
• Alice and Bob first generate pulses with stable phases.Then, they actively randomize the phase using phase modulators.Alice and Bob can record the corresponding random numbers as for slice indexes j a , j b .Note that the phase randomization can be discrete, which has been proven to be secure and efficient with a few discrete phases [28].
With such methods, the final key rate formula can be expressed as: where the phase error rate E X µ is given by Eq. ( 2), 2/M is the sifting factor and f is the error correction efficiency.

V. SIMULATION RESULTS
We simulate the performance of PM-QKD with the parameters given in Fig. 3(b), assuming a lossy channel that is symmetrical for Alice and Bob.The dark count rate p d is from the work [29], and the other parameters are set to be typical values.The simulation formulas for Q µ , E Z µ and E X µ of PM-QKD are given in Eq. (B14), (B22), and (B27) in Appendix B 2, respectively.The simulation formulas for BB84 and MDI-QKD are listed in Appendix B 3.
The simulation results are shown in Fig. 3(a).From the figure, one can see that PM-QKD is able to exceed the linear key rate bound when l > 250 km with practical settings such as dark counts, misalignment errors, and sifting factors.Compared with MDI-QKD, PM-QKD can achieve a longer transmission distance of l = 450 km and the key rate is increased by 4 ∼ 6 orders of magnitude when l > 300 km.Moreover, if we set up a cut-off line of key rate R = 10 −8 as real-life consideration, then the longest practical transmission distance of PM-QKD is over 400 km, whereas the ones of BB84 and MDI-QKD are all lower than 250 km.
Several QKD schemes are compared in Fig. 3(c).The comparison shows that the PM-QKD scheme outperforms the existing protocols in the following aspects.First, the PM-QKD scheme has a quadratic improvement of key rate, O( √ η).In security aspect, PM-QKD enjoys the measurement-device-independent nature that is immune to all detection attacks.In practical aspect, it removes the requirement of basis switch, which can simplify the experiment apparatus and reduce the randomness consumption.Note that the security of recently proposed twin-field QKD protocol [16] can be reduced to the security of PM-QKD protocol if the two bases X, Y information is ignored in twin-field QKD.It remains an open problem whether we can reach a higher key rate by taking advantage of the basis information together.

VI. OUTLOOK
To enhance the performance of PM-QKD, there are a few interesting directions.First, there may be a room for improvement on security analysis.In above discussions, PM-QKD is treated as a single-basis scheme with phase randomization.In a dual viewpoint, we can regard the different global phases φ a , φ b as different bases, and naturally the phase matching step as basis sifting.This is interesting, since it shows the advantage of QKD using multi-nonorthogonal bases.Moreover, this multibases view may help us to generalize the phase-matching scheme to, for example, a polarization-based one.
Second, the phase sifting factor 2/M is very small, which undermine the advantage of PM-QKD for neardistance (i.e., l < 120 km) communication.One possible solution is to apply a biased phase randomization, i.e., the φ a(b) is not uniformly randomized in [0, 2π).
Third, we bound the total phase error E X µ by pessimistically considering the phase errors e X k for even photon number components to be 1 in Eq. (A33), as shown in Appendix A 5. There may be a scope to improve the bound of total phase error E X µ .For example, the twophoton error e Z 2 and e X 2 can be better estimated with more decoy states, which leads to a tighter bounds of E X µ .
Finally, since we can overcome the key rate linear bound, it is interesting to investigate a repeater-less secret key capacity bound for QKD; for example, whether it is possible to push the key rate to R = O(η 1/3 ) or O(η 1/4 ) without repeaters.For the considered simulation parameters, the key rate of PM-QKD surpasses that of the conventional BB84 protocol when l > 120 km and it exceeds the SKC bound [11] when l > 250 km.In addition, our protocol is also able to achieve a long transmission distance of l = 450 km.(b) Parameters used for simulation.(c) Comparison of different QKD protocols: phase-matching (PM) QKD; twin-field(TF) QKD [16]; measurement-device-independent (MDI) QKD [15]; passive differential phase-shift (DPS) QKD [21]; Bennett-1992 (B92) QKD [20].Key rate: dependence of the key rate on the channel transmittance η; Detection loophole: whether the protocol is immune to all detection loopholes; Qubit based: whether the security analysis is based on the single-qubit case; Basis switch: whether the source (measurement device) must prepare (measure) states in complementary bases; Phase locking: whether the protocol requires a fixed phase reference frame for the two users.*The security and performance of twin-field QKD can be reduced to our phase-matching scenario if the basis information X, Y is ignored.
Appendix A: Security Proof of PM-QKD In this section, we provide a security proof for the PM-QKD protocol via entanglement distillation [30].Note that the existing security proofs of discrete-variable QKD assume qubit (or qudit) states transmitted through the channel.Here, we develop a new security proof by exploring continuous optical modes directly.
The organization of the proof is presented as follows.First, we briefly review the main results of the Lo-Chau [4] and Shor-Preskill [5] security proofs in Section A 1.Then, we provide a virtual entanglement-based protocol (Protocol I) in Section A 2 and present a key result as Lemma 1.In Section A 3, we employ a few equivalency arguments, and eventually prove the security of PM-QKD in Section A 4. In Section A 5, we employ the decoy-state method to give tight bounds on phase error rates.In Section A 6, we solve the phase-reference issue with the phase post-compensation technique.
Here, we introduce some definitions and notations for later discussions.For an optical mode A, whose creation operator is a † , its Hilbert space is denoted as H A .Let D(H A ) denote the space of density operators acting on H A and L(H A ) denote the space of linear operators acting on H A .A Fock state |k A with k photons in mode A is defined as where |0 A is the vacuum state.A coherent state |α A is defined as The photon number of |α A follows a Poisson distribution, where µ = |α| 2 is the mean photon number or the light intensity.
Define the odd subspace, H A odd ⊆ H A , which is spanned by the odd Fock states {|k A }, where all the photon numbers, k's, are odd.Similarly, define the even subspace H A even ⊆ H A , where the photon numbers are even.Name a state ρ ∈ D(H A odd ) to be odd state and a state ρ ∈ D(H A even ) to be even state.Name a state ρ ∈ D(H A odd ) or ρ ∈ D(H A even ) to be parity state.Denote where are the normalization factors with c odd + c even = 1 and µ = |α| 2 is the light intensity.It is not hard to see that Denote the parity measurement {M odd , M even } as For a beam splitter (BS), we express the input optical modes as A, B with creation operators a † , b † , respectively, and the output optical modes as C, D, with creation operators c † , d † , respectively.The BS transforms modes A and B to C and D according to For a qubit system A , the Hilbert space is denoted by H A .The Pauli operators on H A are denoted as A control-phase gate, C π , from a qubit A to an optical mode A, is defined as where U A (φ) ≡ e iφa † a is a φ-phase shifter operation on the mode A.
Definition 1. Two QKD protocols are equivalent if the following criteria are satisfied: 1.The quantum states transmitted in the channel are the same.
2. All announced classical information is the same.
3. Alice and Bob perform the same measurement on the same quantum states to obtain the raw key bits.
4. Alice and Bob use the same postprocessing to extract secure key bits.
Obviously, equivalent QKD protocols will lead to identical key rates.

Security proof via entanglement distillation
Here, we briefly review the security proof based on entanglement distillation [4,5].Suppose that in QKD, Alice generates an l-bit key string S, and Bob generates an estimate of the key string S .Denote the space of S as S, whose dimension is 2 l .An adversary, Eve, attempts to learn about S from the information leakage.
After QKD, Alice and Bob should share the same key privately.A key S is called correct, if S = S for any strategy of Eve, and is called cor -correct, if To define a private key, consider the quantum state ρ AE that describes the correlation between Alice's classical key S and Eve's system E (for any attacks).A key S is called sec -private from E if [31,32] min where Here, we consider the case where Alice and Bob share an m-pair-of-qubits gigantic state ρ where |Φ + (m) A B is the state of m perfect EPR pairs |Φ + = (|00 + |11 )/ √ 2, and 0 ≤ l ≤ 1.Then it can be shown that it is l -private and l -correct, then it is 2 lsecure.That is, to show the security of a QKD protocol, we only need to show that the state for key extraction ρ Here is the intuition of the Lo-Chau security proof [4].Suppose Alice and Bob share an n-pair-of-qubit gigantic state, ρ A B , at the beginning.If they perform an efficient entanglement distillation protocol (EDP) to distill m EPR pairs, then they will be able to share nearly m bit correct and private keys.Now the task becomes how to find the right EDP.
Bennett, DiVincenzo, Smolin, and Wootters (BDSW) show that [30], if an n-pair-of-qubit state ρ (n) A B can be written as a classical mixture of Bell state products, is one of the four Bell states labeled by b i ∈ {0, 1, 2, 3} on the i-th qubit, then one can distill entanglement by employing EDPs.In the one-way hashing method [30], a specific type of one-way EDP, Alice measures a series of commuting operators based on some random-hashing matrix on her n qubits, and sends the results to Bob. Bob measures the same operators on his n qubits and infers the locations and types of the errors from the difference in the measurement results.After that, Alice and Bob correct the errors and obtain m (m ≤ n, almost perfect) EPR pairs.
In general, of course, the initial state ρ (n) A B can deviate from Bell-diagonal states and become highly entangled between different pairs.In the Lo-Chau security proof [4], it has been shown that, for the one-way hashing EDP introduced above, the error syndrome and EDP performance of such ρ (n) A B is the same as that of the state after dephasing between pairs, where |b 1 , b 2 , ..., b n is defined in Eq. (A13).Therefore, one can reduce the EDP for general ρ (n) A B (i.e., the case with coherent attacks) to the case in Eq. (A13).
In the Shor-Preskill security proof [5], the one-way EDP protocol is reduced to a "prepare-and-measure" QKD protocol, by employing the CSS code [33].Later, other techniques of decoupling X-error correction and Z-error correction are introduced for this reduction.For a one-way EDP protocol based on the CSS code, the distillation rate of EPR pairs, r ≡ lim n→∞ m/n, is given by, where E Z and E X are the Z-error rate and X-error rate, respectively, and is the binary Shannon entropy function.The error rates can defined as measurement results on ρ where A (B ) is the Pauli X operator and Z (j) A (B ) is the Pauli Z operator, on j-th pair-of-qubits system A (B ).Since the bit value is measured in the Z-basis and the phase value is measured in the X-basis, we also call the Z-basis error as bit error and the X-basis error as phase error.
Following the Shor-Preskill security proof, distillable entanglement of the one-way EDP protocol is the key rate for some prepare-and-measure QKD protocols such as BB84 [1].In the BB84 protocol, we can estimate E Z , E X by randomly measuring the qubits in the X-and Z-basis.In the PM-QKD protocol, on the other hand, Alice and Bob can only measure in the Z-basis.In the following sections, we will introduce entanglement-based PM-QKD protocols and discuss how to infer the value of E X .

Entanglement-based PM-QKD protocol
We first introduce an entanglement-based PM-QKD protocol, called Protocol I, as shown in Fig. 4.
Protocol I

Key distillation: Alice and Bob apply a standard
EDP when the error rates are below a certain threshold.The distillation ratio, r, is given by Eq. (A15).Once Alice and Bob obtain nr (almost) pure EPR pairs, they both perform local Z measurements on the qubits to generate private keys.
Our first observation is that, if the state ρ prepared by Charlie is a parity state, namely, ρ ∈ D(H C odd ) or ρ ∈ D(H C even ), then the X-error rate and Z-error rate are correlated.Here, we denote the Z-error rate and X-error rate for an odd state ρ odd as e Z odd and e X odd , respectively, and similarly, denote for an even state ρ even as e Z even and e X even .Lemma 1.In Protocol I, for ρ ∈ D(H C odd ), e X odd = e Z odd ; and for ρ ∈ D(H C even ), e X even = 1 − e Z even .
Proof.First consider the case when ρ is a Fock state, |k C , defined in Eq. (A1).After passing through the BS, as shown in Fig. 4, the state on modes A and B becomes, The joint state on system A , B , A, B before the C π operations is (A18) After the C π operations, this state becomes, if k is even.

(A19)
As shown in Fig. 4(b), the X-basis measurement on A or B is realized by a Hadamard gate followed by the Z-basis measurement.Denote the state after local Hadamard gates as if k is even. (A20) In other words, the X-error rate, e X k , can be understood as the error rate by performing the Z-basis measurement on the state of |Ψ  , and hence e Z odd = e X odd .With the same argument, we have e Z even = 1−e X even .For general parity states, we can regard them as mixtures of pure parity states, This is equivalent that Charlie sends out |ψ odd(even) with probability p i .For each pure state component, we have e X odd(i) = e Z odd(i) and e X even(i) = 1 − e Z even(i) .Thus the relations hold for all (mixed) parity states.
In general, Charlie might not use a parity state.Consider the case that Charlie performs the parity measurement {M odd , M even }, defined in Eq. (A7), before sending to Alice and Bob.Denote the measurement outcome probabilities for the odd and even parity to be p odd and p even , respectively.This is equivalent for Charlie to prepare an odd state ρ odd and an even state ρ even with probabilities p odd and p even , respectively.Then, the state can be written as, that is, ρ ∈ D(H C odd ⊕ H C even ).Suppose Charlie announces the parity information publicly to Alice and Bob.Then, they can label the sifted qubits with "odd" and "even".Denote q odd and q even , with q odd + q even = 1, to be the fractions of "odd"and "even"-labeled states in the sifted n-pairs of qubit states A , B , respectively.Then, according to Lemma 1, the total X-error rate can be calculated by E X = q odd e X odd + q even e X even = q odd e Z odd + q even (1 − e Z even ). (A24) Here, the parameters q odd , q even , e Z odd , and e Z even can be evaluated according to Charlie's parity announcement.When the parity information is missing, Alice and Bob need to estimate these parameters, which will be described later in Section A 5.

Coherent state protocol and equivalent process
From Protocol I to the PM-QKD protocol, there are a few practical issues need to be addressed.First, the trusted party Charlie and the BS should be removed.In order to do this, we consider a special case where Charlie prepares a coherent state | √ µ C , as the photon source.
In addition, Charlie adds a random phase φ ∈ {0, π} with equal probabilities to the coherent state, the density matrix can be written as, defined in Eq. (A25) going through the BS.Thus, this new protocol (Protocol II) is equivalent to Protocol I with the input state ρ( √ µ, − √ µ).
Protocol II runs as follows, as shown in Fig. 5 A B to estimate E Z and infer E X by Eq. (A24).

Key distillation: Alice and Bob apply a standard
EDP when the error rates are below a certain threshold.The distillation ratio, r, is given by Eq. (A15).Once Alice and Bob obtain nr (almost) pure EPR pairs, they both perform local Z measurements on the qubits to generate private keys.
From Protocol II to the PM-QKD protocol, there are still some missing links.
1. Alice and Bob need to add a same random phase φ ∈ {0, π} to their states, which would cost them a private bit; 2. They use Eq.(A24) to infer E X , which needs information on the parameters of q odd , q even , e Z odd and e Z even .
3. The phase references of Alice and Bob's coherent states are locked.That is, the phases of the initial coherent states, | √ µ a and | √ µ b , are the same, and hence remote phase locking is required.
We shall remove the simultaneous phase randomisation requirement in Section A 4, bound q odd , q even , e Z odd and e Z even in Section A 5, and remove the phase-locking requirement in Section A 6.

Security with phase announcement
To remove the simultaneous phase randomization requirement in Protocol II, a straightforward idea is that, Alice and Bob add random phases φ a(b) ∈ {0, π} independently (with equal probability 1/2); during the sifting step, they announce the phases φ a , φ b and post select the bits only for φ a = φ b , as shown in Fig. 6.All the other steps remain unchanged.Here, there are two modifications need to be analyzed, phase announcement of φ a , φ b and post-selection of φ a = φ b .
We deal with the phase announcement of φ a , φ b first.Consider Protocol IIa, as shown in Fig. 6, where Alice and Bob announce the random phase φ in Protocol II during postprocessing.
Protocol IIa 1. State preparation: Same as Protocol II.
4. Sifting: the first part is the same as Protocol II.
After that, Alice and Bob announce the random phase φ.
5. Parameter estimation: same as Protocol II.
6. Key distillation: same as Protocol II.
Note that the only difference between Protocol II and IIa is that Alice and Bob announce their phase φ after Eve's announcement.Since the classical information announced during postprocessing is different, according to Definition 1, Protocol II and IIa are not equivalent.In fact, from some specific attacks (see Section C), one can see that the security of the two protocols with and without phase announcement can be very different.
In Protocol II, as shown in Fig. 6, due to phase randomization, one can always assume that Alice and Bob (or Eve) perform the total parity measurement {M t odd , M t even }, which is defined as, similar to Eq. (A7), Here, {|k 1 k 2 AB } are the Fock states on mode A, B, with k 1 photons on A and k 2 photons on B. That is, in Protocol II, the photon source can be regarded as a mixture of odd states and even states.The parity state channel model is similar to the photon number channel used in the security proof of the decoy-state method [19,24].In Protocol IIa, as shown in Fig. 6, on the other hand, no such parity measurement is allowed because it does not commute with the phase announcement.A B by different measurement/announcement strategies.We emphasize that Eve announces before the phase announcement in Protocol IIa.Then, her strategy cannot depend on the phase announcement.Therefore, in all these three protocols, the state ρ (n) A B remains the same.This is crucial to our security analysis.From Observation 1, we can have the following Corollary.

Corollary 1. Both the X-and Z-error patterns of the joint states ρ (n)
A B in Protocol II and IIa are the same.Then, the X-error rate E X of Protocols II and IIa are the same, as given by Eq. (A24).Now, we deal with the post-selection of φ a = φ b .Regardless the values of φ a , φ b , due to control-phase gates C π , the state ρ AB sent to Eve is where ρ( µ/2, − µ/2) is defined in Eq. (A25).The state ρ AB is independent of φ a , φ b , hence Eve's attack cannot depend on φ a , φ b , and the sifted qubits are also independent of the value of φ a (= φ b ).
Furthermore, we notice that discarded qubits with |φ a − φ b | = π can also be used for entanglement distillation.Here, adding a phase π to system B is equivalent to performing a Pauli Y -gate to system B for a paritystate source in Protocols I, II and IIa.Thus, for the qubits with |φ a − φ b | = π, Bob performs Y -gate on qubit B .
Therefore, if Alice and Bob randomize their phases φ a , φ b ∈ {0, π} independently and perform phase postselection operations after Eve's announcement, shown in Fig. 6, it is equivalent to Protocol IIa.We call this protocol as Protocol III.
Protocol III runs as follows, as shown in Fig. 6.Here µ a = µ b = µ/2.A B to estimate E Z and infer E X by Eq. (A24).

Key distillation: Alice and Bob apply a standard
EDP when the error rates are below a certain threshold.The distillation ratio, r, is given by Eq. (A15).Once Alice and Bob obtain nr (almost) pure EPR pairs, they both perform local Z measurements on the qubits to generate private keys.

Decoy-state method and phase randomization
Here, we introduce a method to estimate q odd , q even , e Z odd and e Z even .Without loss of generality, we mainly discuss the decoy-state method in Protocol I. Similar arguments can be applied to Protocol II, IIa, and III.
Recall that in Protocol I, if Charlie prepares coherent state | √ µ and adds a random phase {0, π} on it, it is equivalent to preparing odd-and even-parity states with probabilities p µ odd = c odd and p µ even = c even , respectively, as defined in Eq. (A5).Define the yield Y µ odd (Y µ even ) as the probability of successful detection conditional on the odd (even) parity state.The fraction of odd and even parity states in the final detected signal is given by where Q µ is the total gain of the signals.For signals with intensity µ, we have where E Z µ , e Z,µ add (e Z,µ even ) are the quantum bit error rate (QBER) and the Z-error rate of odd-(even-)state signals with total a intensity of µ, respectively.
If we directly estimate q µ odd , q µ even , e Z,µ odd and e Z,µ even from Eq. (A29), Eq. (A30) and the constriant that q µ odd , q µ even , e Z,µ odd , e Z,µ even , Y µ odd , Y µ even ∈ [0, 1], (A31) then the estimation is too loose to bound the X-error E X in Eq. (A24).Now, we introduce a more efficient method to estimate q odd , q even , e Z odd and e Z even .Essentially, we employ the idea of the decoy-state method [24].That is, in Protocol I, Charlie adjusts the intensity, µ, of his prepared coherent lights.After Eve's announcement, Charlie announces the value of µ.Furthermore, Charlie randomizes the phase φ on state | √ µe iφ continuously from [0, 2π).
In this case, the state prepared by Charlie can be written as That is, in Protocol I, if Charlie prepares | √ µe iφ with random phase φ, this is equivalent to preparing the Fock states {|k } with probability P (k).Obviously, Fock states {|k } are parity states.Then, by directly applying Lemma 1, we can estimate the X-error by where q 0 is the detection caused by the vacuum signal (i.e.dark counts) and e Z 0 = e 0 = 1/2 is the vacuum Zerror rate.
The source components are Fock states {|k }, whose yields {Y k } and Z-error rates {e Z k } are independent of µ.The fractions q µ k of "k-photon component" in the final detected signals are given by The overall gain and QBER are given by The main idea of the decoy-state method is that Alice and Bob can obtain a set of linear equations in the form of Eq. ( A34) and (A35) by using a few values of µ.When an infinite amount of decoy states are used, Alice and Bob can estimate all the parameters Y k and e Z k accurately.Then, they can estimate q µ k and e Z k accurately, and then upper bound the X-error by Eq. (A33).
To apply the decoy-state method to Protocol II and III, we modify the phase randomization requirements accordingly.In the decoy-state version of Protocol III, the phases φ a , φ b should be randomized independently in [0, 2π) rather than {0, π}.Also, there will be an additional phase sifting condition, |φ a − φ b | = 0 or π.Such random-phase announcement and post-selection would not affect the security, with the following reasons, similar to argument of the equivalence between Protocol II and III.In particular, Observation 1 in Section A 4 still holds.
First, we want to argue that the random-phase postselection of |φ a − φ b | = 0 or π would not affect the security.In fact, any phase post-selection would not be affected by Eve's announcement.Note that the random phases φ a , φ b are determined by Alice and Bob locally.Thus, the sifted qubit pairs, ρ Second, we want to argue that the random-phase announcement would not affect the security.Eve announces the detection events before Alice and Bob's randomphase announcement.Thus, her hacking strategy cannot depend on the random phases.Note that with the postselection of |φ a − φ b | = 0 or π, the announced phase φ a (or φ b ) can be regarded as the phase reference in Protocol Third, we apply infinite decoy states to estimate q µ k and e Z k accurately.In practical implementations, it is interesting to explore if finite decoy states, such as the widely applied vacuum and weak decoy states is enough to make a valid estimation.Now, we can modify Protocol III with continuous phase randomization φ a , φ b and the decoy-state method, namely Protocol IV, as shown in Fig. 7(a).
Protocol IV  A B to estimate E Z and infer E X by Eq. (A33).

Key distillation: Alice and Bob apply a standard
EDP when the error rates are below a certain threshold.The distillation ratio, r, is given by Eq. (A15).Once Alice and Bob obtain nr (almost) pure EPR pairs, they both perform local Z measurements on the qubits to generate private keys.
Finally, we need to reduce the entanglement-based protocol to a prepare-and-measure protocol.Following the Shor-Preskill argument, we move the key measurement in Step 6 before the EDP, the parameter estimation and the C π gates.That is, they measure the systems A and B at the beginning.Therefore, the entanglement-based protocol (Protocol IV) becomes the PM-QKD protocol, as shown in Fig. 7(b).
PM-QKD protocol 2. Measurement: the two optical pulses, A and B, are sent to an untrusted party, Eve, who is supposed to perform interference measurement and record which detector (L or R) clicks.
3. Announcement: Eve announces the detection result, L/R-click or failure, for each round.5. Parameter estimation: after many rounds of the above steps, Alice and Bob end up with a joint n pairs of raw key.They then perform random sampling on this raw key.With Eq. (A34), (A35), they estimate q k and e Z k .
6. Key distillation: Alice and Bob apply classical communication for error correction and privacy amplification.The key distillation ratio, r, is given by Eq. (A15).
Note that the PM-QKD protocol mentioned above is the exact PM-QKD protocol mentioned in the main text with decoy-state method contained.
Here, in Protocol IV and the PM-QKD protocol, there are some unrealistic assumptions remaining.
1.The phase of Alice and Bob's coherent state is locked, that is, the phase reference of Alice's and Bob's coherent state is the same.
2. The phase sifting condition, φ a = φ b , can be satisfied with an acceptable probability.
We will discuss how to remove these two requirements in Section A 6, and hence make the protocol practical.

Phase Post-Compensation
Here, we modify the PM-QKD protocol to remove the requirement of phase locking between Alice and Bob, and also relax the post-selection condition of |φ a − φ b | = 0 or π.The method is shown in Fig. 2.
First, we relax the post-selection condition of |φ a − φ b | = 0 or π by dividing the phase interval [0, 2π) into M slices {∆ j } for 0 ≤ j ≤ M − 1, where ∆ j = [2πj/M, 2π(j + 1)/M ).We change the phase matching condition of φ a = φ b to slice matching j a = j b .Here j a , j b are defined as where [•] is the round function to output the nearest integer.That is, Alice announces the j a -th slice ∆ ja where her random phase φ a falls into.Similarly, Bob announces j b .The sifting condition is |j b − j a | = 0 or M/2.This technique is first used in the phase-encoding measurement-device-independent quantum key distribution (MDI-QKD) [18].Announcing the phase slices j a and j b rather than the exact phase φ a and φ b will only leak less information to Eve.Thus, all the security proof results from previous subsections apply here.Applying Eq. (A15), we also need to add a phase sifting factor 2/M .Therefore, the final key rate is given by where Q µ is the total gain of the pulses, E Z µ is the overall QBER, the phase error rate E X µ is given by Eq. (A33), and f is the error correction efficiency.We need to point out that when M is too small, the misalignment caused by phase slices ∆ ja and ∆ j b would be big and result in a large QBER E Z µ .Second, we remove the requirement of phase locking.In the phase post-selection step, one of Alice and Bob announces the random phase is sufficient.Without loss of generality, we assume Alice announces the phase and Bob performs the sifting of |j b − j a | = 0 or M/2.With less information announced, the key rate still holds.Suppose that the difference between Alice's and Bob's phase references, denoted by φ 0 ∈ [0, 2π), is fixed but unknown.In sifting, Bob needs to figure out the value of φ 0 .Define an offset, 0 ≤ j 0 ≤ M − 1, During sifting, Bob can estimate the offset j 0 for each pulse.The estimation accuracy would not affect the security.In fact, in the security proofs, we assume Eve knows the phase references ahead.Suppose Bob compensates the offset by j d , and he has the freedom to choose j d from {0, 1, • • • , M − 1}.In a practical scenario, normally the phase references (and hence the offset j 0 ) change slowly with time.Then, Bob can figure out the proper phase compensation offset j d by minimizing the QBER from random sampling, as shown in Fig. 2.
For the case where phase reference difference φ 0 varies, we can treat the changing caused by Eve.Such deviation will introduce bit errors, but not help Eve learn key information, since the variation of φ 0 is independent of the key κ a , κ b .Note that in the security proof, we assume that Eve knows the phase references accurately.
With all the modifications above, we propose the following practical version of PM-QKD protocol.
PM-QKD protocol with phase post-compensation 1.State preparation: Alice randomly generates a key bit κ a ∈ {0, 1}, a random phase φ a ∈ [0, 2π), and a random intensity Similarly, Bob generates a key bit κ b and prepares 2. Measurement: the optical pulses, systems A and B, are sent to an untrusted party, Eve, who is supposed to perform interference measure and record which detector (L or R) clicks.
3. Announcement: Eve announces the detection results, L/R-click or failure, for each round.5. Parameter estimation: Alice and Bob run the above procedures many times and then run the following procedures.
(a) For each bit, Alice announces the phase slice index j a , given in Eq. (A36), and she randomly samples a certain amount of key bits and announces them for QBER testing.6. Key distillation: Alice and Bob apply error correction and privacy amplification.The key rate, R, is given by Eq. (A37).
Here, in the phase post-compensation, Bob does not need to fix a j d for the whole experiment.Instead, he can adjust j d in real time.Given the total number of slices M , define the phase-stable time, τ M , to be the time period during which the phase fluctuation is smaller than π/M .Roughly speaking, Bob adjusts j d for every τ M .In practice, Bob would randomly sample some detections for tests.Here, in order to obtain a good estimation of j d , Bob should sample enough detections for the offset test within τ M .Then, the phase post-compensation method would put a requirement on the detection rate.Now, we consider a practical example.Consider the slice number M = 16, the tolerable fluctuation should be about π/M = 0.196 rad.The phase of a continuous-wave (CW) laser pulse usually fluctuates randomly, whose behavior can be modeled as a random walk.In an experimental test performed 10 years ago [34], for a 36.5 km Mach-Zehnder interferometer, when the time duration 0.2 ms, the mean phase fluctuation is about 0.15 rad, which is less than π/M .Then, in this case, one can set τ M = 0.2 ms for testing.Consider a GHz QKD system, there are 2 × 10 5 signals sent out within τ M .Using the same parameters for a longer transmission distance of 150 km from Alice to Eve (same distance for Bob) using standard telecom fibre (0.2 dB/km), the transmission loss is η = 30dB = 10 −3 , there will be 200 data left for post-processing, which is sufficient for sampling tests.From here, one can see that our phase post-compensation method is feasible by current technology.

Appendix B: Model and Simulation
Here, we show the details for the simulations different QKD schemes.We mainly follow the simulation model used in literature [19,35].We calculate the detection probabilities of PM-QKD in Section B 1, and then evaluate the yields, gains, and error rates in Section B 2. In simulation, we also compare the performance of PM-QKD with the decoy-state BB84 [1], MDI-QKD [15], and the linear key rate bound [10,11].We list the used formulas and simulation parameters in Section B 3.

Detection probabilities
The channel is assumed to be a pure loss one and symmetric for Alice and Bob with transmittance η (with detector efficiency η d taken into account).We suppose that the lights from Alice and Bob faithfully interfered and measured with dark-count rate p d .Without loss of generality, we only consider the case where κ a = κ b = 0, j a = j b = 0.
In PM-QKD, the global phases φ a , φ b are divided into M slices.Without phase locking, the phase references for Alice and Bob can differ.Therefore, even if the announced slices meet, |j a − j b | = 0, there may be a considerable difference φ δ ≡ φ b − φ a between the two global phases φ a , φ b .
First, for a fixed φ δ , we calculate the detection probability in the single-photon case.After Alice and Bob's encoding, the state becomes Here, the transmittance η includes channel losses and detection efficiencies, which transfer a † , b † according to where s † , t † are the modes coupled to the environment.Before Eve's interference, the state is and after Eve's interference, the state becomes B4) where l † and r † are the creation operators for the modes to L-and R-detectors, respectively.Then, the detection probabilities are given by p (B8) Then, the detection click probabilities are, ) ), ) ), where P µ (L) and P µ ( L) are the probabilities of the Lclick and no-L-click, respectively, P µ (R) and P µ ( R) are for the R-detector.These probabilities are similar to Eq. (B7).The difference is that the probabilities in Eq. (B7) are mutually exclusive, while in Eq. (B9), the probabilities, P µ (L) and P µ (R), are independent.
All the above probability formulas are functions of the phase difference φ δ .In the simulation, one needs to integrate φ δ over its probability distribution f φ δ (φ).Recall that the phase reference deviation between Alice and Bob is φ 0 .Here, with the phase post-compensation method introduced in Section A 6, we assume φ 0 is uniformly distributed in [−π/M, π/M ), denoted by, In this case, φ a and φ b are uniformly distributed in [0, 2π/M ) and [φ 0 , 2π/M + φ 0 ), respectively, For a fixed φ 0 , the probability distribution of the phase difference φ δ is given by Furthermore, in the simulation, one needs to take another integration of φ 0 over [−π/M, π/M ) to get the yields, gain, and error rates.

Yields, gain, and error rates
We first analyze the yield {Y k } for k ≥ 0 and the total gain Q µ according to the probability formulas given in Section B 1. Note that in PM-QKD, both no-click and double-click events are regarded as failure detection.The yield Y k of the k-photon state is given by, Eq. (B5), (B6), and (B7),

Dark count condition
Contributions to the overall click probabilities L-dark count R-dark count no-click Here, in the first approximation, we take the first order of a small φ δ and ignore sin 2 ( φ δ 2 ) = 0.In the second approximation, we omit the higher order term p d (1 − The total gain Q µ is given by Eq. (B9), ) )] where the two approximations are the same as the ones used in Eq. (B13).Since φ δ does not affect the yields Y k and gain Q µ much with the first-order approximation, the average yields Y k and gain Q µ over φ δ ∈ [−π/M, π/M ) can be regarded as the ones when φ δ = 0. Also, the results of Eq. (B13) and (B14) are consistent with the ones presented in the regular QKD model [35], as shown in Eq. (B29) and (B30).Then, we calculate the bit error rate for the k-photon signal e Z k and the QBER E Z µ with coherent states input µ a = µ b = µ/2.The bit error rate e Z k (φ δ ) is given by where are given by Eq. (B5), (B6), and (B7).The average bit error rate of e Z k over φ δ is given by the following integral, where f φ δ (φ) is given by Eq. (B12).For the case k = 1, we explicitly calculate the error rate e Z 1 , given by Eq. (B5), (B6), (B7), and (B15), and integrate Eq. (B17) by Eq. (B16), where can be regarded as the misalignment error rate.
Eq. (B18) can be understood that if a signal causes a click, the error rate is e δ ; and if a dark count causes a click, the error rate is e 0 = 1/2.Since the double-click events are discarded, when both a signal and a dark count cause clicks, the error rate is e δ .Then, we can approximate e Z k with the same spirit, for the contributions in Y k , given in Eq. (B13), Here, note that in Eq. (B20), we ignore the double clicks caused by multi-photon signals, which would further reduce the misalignment error and hence the value of e Z k .The QBER E Z µ (φ δ ) for a given φ δ is given by substituting Eq. (B9), (B21) similar to Eq. (B18), where e δ is given in Eq. (B19).The results of Eq. (B22) and (B18) are consistent with the one presented in the regular QKD model [35], as shown in Eq. (B29) and (B30), with a slight difference.The difference is caused by how the double-click events are processed.In BB84, Alice and Bob need to randomly assignment a bit to double-clicks, while PM-QKD, double-clicks are discarded.Now, we can evaluate the key rate with the above model.Let us restate the key rate formula, Eq. (A37), where the phase error rate is given by Eq. (A33), In simulation, Q µ and E Z µ are given by Eq. (B14) and (B22).The fractions, {q k } with k ≥ 0, of different photon components k contributing to the valid detections (L/Rclicks) are given by For the odd-photon-number component, we have To simplify the simulation, we explicitly calculate the e Z k and q k for 0 ≤ k ≤ 5. Further zoom the Eq.(B24), we have ≤ q 0 e Z 0 + (q 1 e Z 1 + q 3 e Z 3 + q 5 e Z 5 ) + (1 − q 0 − q 1 − q 3 − q 5 ), (B27) where e Z k and q k are given by Eq. (B15) and (B25), respectively.

Simulation formulas for BB84 and MDI-QKD protocol and simulation parameters
We compare our derived key rate with that of the prepare-and-measure BB84 [1] protocol, whose key rate is given by the GLLP-decoy method [22].
The key rate of the decoy-state BB84 protocol is given by [24], where 1/2 is the basis sifting factor.In the simulation, the yield and error rates of the kphoton component are given by [19], where e d is the intrinsic misalignment error rate caused by phase reference mismatch.The gain and QBER are given by where Y 0 = 2p d and e 0 = 1/2.
The key rate of MDI-QKD is given by [15], ) where Q 11 = µ a µ b e −µa−µ b Y 11 and 1/2 is the basis sifting factor.We take this formula from Eq. (B27) in Ref. [18].In simulation, the gain and error rates are given by, where µ denotes the average number of photons reaching Eve's beam-splitter, and We take these formulas from Eq. (A9, A11) and (B7, B28-B31) in [18].The linear key rate bound used in the main text in given by [10,11], Appendix C: Beam-splitting Attack: Invalidation of the photon number channel model Here, we argue that the tagging technique does not work for PM-QKD, by showing that the lower bound of the key rate from naively employing the tagging technique can be higher than a upper bound derived from a specific attack, in some parameter regime.The failure of the tagging technique stems from the failure of the photon number channel model used in the security proof [19].In other words, the photon number channel model does not hold for the case when the random phases are announced during postprocessing.
1. Key rate with/without the photon number channel Assuming the existence of the photon number channel model in PM-QKD, we can apply the tagging method and obtain a key rate formula following the GLLP analysis [22,24], where q 1 is the single photon detection ratio, e X 1 and E Z µ are the single-photon phase error rate and total QBER, and f is the error correction efficiency.

Beam-splitting attack
Now we consider a beam-splitting (BS) attack where Eve sets beam splitters with transmittance η on both Alice and Bob's side to simulate a lossy channel.She intercepts the pulses on A and B, regardless of the keys and bases of the pulses, store the reflected lights on her quantum memories, modes A0 and B0.Eve interferes the two transmitted pulses, modes A1 and B1 and announces the results.After Alice's and Bob's phase an-nouncements, Eve performs an unambiguous state discrimination (USD) [36] on the states on modes A0 and B0 separately to guess the key information.Since the states on A0(B0) and A1(B1) are uncorrelated due to the beam splitting of coherent states, the BS attack will not introduce any error or other detectable effects.Apparently, this BS attack is an individual attack.We will calculate Eve's successful probability for guessing the key bits unambiguously, and calculate the mutual information I(κ a(b) : E), from which we can derive an upper bound on the secure key rate.

(C5)
Suppose Eve performs interfere systems A1 and B1, then the total gain Q µ is given by, Here, we consider the signal with φ a = φ b , and Eve holds perfect single-photon detectors.Without loss of generality, we consider Eve's attack on system A0.If Eve cannot get the sifted phase information φ a , then no matter the value of key phases κ a , the state on A0 from Eve's perspective is In this case, Eve cannot obtain any information about κ a .While in PM-QKD, the phase φ a will be announced.
In this case, Eve can first rotate the states on system A0 by −φ a .Now, the state becomes

(C9)
Then, Eve only needs to determine whether the phase κ a is 0 or π to obtain the key information.As shown in [36], if two pure states |p and |q are prepared with the same a priori 1/2, the maximum probability of unambiguous discrimination is: Here, the third equality is based on Eq. (C6).

Comparison
Now we make a simulation to compare the key rate in the following cases: with "tagging" method, by our security proof and upper bound under BS attack.In the discussion, we neglect the misalignment error and dark counts.
First, under BS attack, the yield is given by and the fraction of the k-photon component is Note that q 0 = 0. Second, in the BS attack scenario, Eve's operations will not introduce any error, hence e Z k = 0, ∀k ≥ 0, E Z µ = 0, (C17) then Eq. (C1), (A15) and (B27) can be simplified to We compare the key rate formula r GLLP , r P M in Eq. (C18) with the key rate upper bound by BS attack r BS in Eq. (C14).We set the total light intensity to be a typical value µ = 0.5, and adjust η to compare the key rate performance.As shown in Fig. 8, the GLLP "tagging" formula for the "single-photon" component cannot hold under the BS attack for a transmittance η < 0.6.If we fix the transmittance η = 0.2 and adjust µ, the Fig. 9 shows that the GLLP "tagging" formula cannot hold under the BS attack.The BS-attack results serve to invalidate the "tagging" method even the "single-photon" component cannot ex-ist, since the announcement of phase φ a , φ b will leak more information of the key bits κ a and κ b .
Recently, Wang et al. proposed an eavesdropping strategy to the twin-field QKD protocol [37].The attack can also be performed against the PM-QKD protocol.Under such an attack, Eve can learn all the key bits.The key rate provided by the GLLP formula, Eq. (C1), is 0.5 (for all the clicked signals) while that given by our security proof is strictly 0. This also shows the invalidation of GLLP key rate formula, and our security proof is still valid under such an attack.

Sifting:
Alice and Bob repeat the above steps many times.When Eve announces a successful detection, (a click from exactly one of the detectors L or R), Alice and Bob keep κ a and κ b as their raw key bits.Bob flips his key bit κ b if Eve's announcement was R-click.Then, Alice and Bob keep their raw key bit only if |φ a − φ b | = 0 or π. Bob flips his key bit κ b if |φ a − φ b | = π.
FIG. 1.(a) Schematic diagram of PM-QKD.Alice's and Bob's roles are symmetric.First, Alice generates a coherent state, | √ µae i(φa+πκa) , while Bob prepares | √ µ b e i(φ b +πκ b ) .Their coherent states interfere at an untrusted measurement site.If the phase difference |(φa + πκa) − (φ b + πκ b )| is 0, detector L clicks; if the phase difference is π, detector R clicks.After Eve announces her measurement result, Alice and Bob publicly announce φa and φ b .(b) Equivalent scenario when the phases are matched.A trusted party (Charlie) prepares |Ψ C , splits it and sends it to both Alice and Bob.Without loss of generality, we consider the case where Alice and Bob both modulate this by the same phase 0 or π to create the systems A and B. If |Ψ C only contains odd-or even-photon number components, we can see that |Ψ0 = |Ψπ .

FIG. 2 .
FIG. 2. Illustration of phase post-compensation.Without loss of generality, here we consider the case κa = κ b .Denote the phase references of Alice and Bob as φa0 and φ b0 , and hence the reference deviation is φ0 = φ b0 − φa0 mod 2π.Bob can figure out the proper phase compensation offset j d by minimizing the QBER from random sampling as follows.Bob sets up a j d , sifts the bits by |j b + j d − ja| = 0, and evaluates the sample QBER.He tries all possible j d ∈ {0, 1, • • • , M − 1} and figures out the proper j d to minimize the sample QBER.And then he announces the sifted locations of unsampled bits to Alice.As shown in figure, we set M = 12, and the reference deviation φ0 = 70 • , hence Bob can set j d = 2 to compensate the effect of φ0.
FIG. 4. (a) Schematic diagram of Protocol I. (b) Equivalent view of Protocol I, where the X-basis measurement on A or B is realized by a Hadamard gate followed by the Z-basis measurement.
(b).Here, µ a = µ b = µ/2.1.State preparation: Alice and Bob prepare coherent states | √ µ a and | √ µ b on optical modes A and B, respectively.They initialize the qubits A and B in |+i .They add a same random phase φ ∈ {0, π} on the optical modes A and B. Alice applies the control gate C π , defined in Eq. (A9), to qubit A and optical pulse A. Similarly, Bob applies C π to B and B. 2. Measurement: the two optical pulses, A and B, are sent to an untrusted party, Eve, who is supposed to perform interference measurement and record which detector (L or R) clicks.3. Announcement: Eve announces the detection result, L/R-click or failure, for each round.4. Sifting: when Eve announces an L/R-click, Alice and Bob keep the qubits of systems A and B .In addition, Bob applies a Pauli Y -gate to his qubit if Eve's announcement is an R-click. 5. Parameter estimation: after many rounds of the above steps, Alice and Bob end up with a joint 2nqubit state, denoted by ρ (n) A B .They then perform random sampling on the remaining ρ

1 .
State preparation: Alice and Bob prepare coherent states | √ µ a and | √ µ b on optical modes A, B, separately.They initial their qubits A , B in |+i .They independently add random phases φ a , φ b ∈ {0, π} on optical modes A, B. Alice applies the control gate C π , defined in Eq. (A9), to qubit A and optical pulse A. Similarly, Bob applies C π to B and B.

FIG. 6 .
FIG.6.The schematic diagram of Protocol II, IIa, and III.In Protocol II, Alice and Bob add a same phase φ ∈ {0, π} on their coherent state µ/2.In Protocol IIa, Alice and Bob announce the phase φ after Eve's announcement.In Protocol III, Alice and Bob add phases φa and φ b , independently.They announce φa and φ b after Eve's announcement.

2 .
Measurement: the two optical pulses, A and B, are sent to an untrusted party, Eve, who is supposed to perform interference measurement and record which detector (L or R) clicks.3. Announcement: Eve announces the detection result, L/R-click or failure, for each round.4. Sifting: when Eve announces an L/R-click, Alice and Bob keep the qubits of systems A and B .Bob applies a Pauli Y -gate to his qubit if Eve's announcement is R-click.After Eve's announcement, Alice and Bob announce their encoded phase φ a , φ b .Bob applies a Pauli Y -gate to his qubit if |φ a − φ b | = π. 5. Parameter estimation: after many rounds of the above steps, Alice and Bob end up with a joint 2nqubit state, denoted by ρ (n) A B .They then perform random sampling on the remaining ρ (n) would be the same in the two cases: 1) Alice and Bob independently randomize the phases, φ a , φ b , and employ this phase post-selection |φ a −φ b | = 0 or π; 2) Charlie randomizes the same phases, φ a = φ b , to A and B.

4 .
Sifting: when Eve announces an L/R-click, Alice and Bob keep the qubits of systems A and B .Bob applies a Pauli Y -gate to his qubit if Eve's announcement is R-click.After Eve's announcement, Alice and Bob announce their encoded intensities µ a , µ b and phases φ a , φ b .They keep the signal if µ a = µ b and |φ a − φ b | = 0 (or π).Bob applies a Pauli Y -gate to his qubit if |φ a − φ b | = π. 5. Parameter estimation: after many rounds of the above steps, Alice and Bob end up with a joint 2nqubit state, denoted by ρ (n) A B .They then perform random sampling on the remaining ρ (n)

4 .
Sifting: when Eve announces an L/R-click, Alice and Bob keep the key bits, κ a and κ b .Bob flips his key bit κ b if Eve's announcement is R-click.After Eve's announcement, Alice and Bob announce their encoded intensities and phases µ a , φ a ; µ b , φ b .They maintain the signal if µ a = µ b and |φ a − φ b | = 0 or π. Bob applies a Pauli Y -gate to his qubit if |φ a − φ b | = π.

4 .
Sifting: when Eve announces an L/R click, Alice and Bob keep the key bits, κ a and κ b .Bob flips his key bit κ b if Eve's announcement is R-click.After Eve's announcement, Alice and Bob announce their encoded intensities µ a and µ b , respectively.They keep the bits if µ a = µ b .
(b) (Phase post-compensation method) Given an offset compensation j d ∈ {0, 1, ..., M/2 − 1}, Bob sifts the sampled bits with the phase matching condition |j b + j d − j a | mod M = 0 or M/2.For the case of M/2, Bob flips the key bit κ b .After sifting, Bob calculates the QBER E Z with Alice's sampling key bits.Bob tries all possible j d ∈ {0, 1, • • • , M − 1}, and figures out the proper j d to minimize the sampling QBER.Using the phase matching condition with the proper j d , Bob sifts (and flips if needed) the unsampled bits and announces the locations to Alice.Alice sifts her key bits accordingly.(c) Alice and Bob analyze the overall gain Q µi and QBER E Z µi for different values of intensities µ a = µ b = µ i /2.They estimate the phase error rate E (X) µ by Eq. (A33).

FIG. 8 .FIG. 9 .
FIG.8.Key rate comparison with fixed light intensity µ = 0.5.Here we can see that the GLLP "tagging" formula for the "single-photon" component cannot hold under the BS attack when the transmittance η < 0.6.
is the equally mixed key state over all possible keys in space S and || • || 1 is the trace norm.A QKD protocol is called secure if the generated key is both correct and private.It is calledsecure if the generated key is cor -correct and sec -private with = cor + sec .
That is, Eve can distinguish whether or not Alice and Bob perform {M t odd , M t even } after the announcement of phases φ a and φ b .In other words, the quantum signals sent by Alice and Bob can no longer be regarded as a mixture of ρ odd and ρ even in Protocol IIa.To analyze the security of Protocol IIa, we notice the following observation.
Alice applies the control gate C π , defined in Eq. (A9), to qubit A and optical pulse A. Similarly, Bob applies C π to B and B.
1. State preparation: Alice and Bob randomly select µ a , µ b from a given set {µ 0 , µ 1 , ...}/2.They prepare coherent state | √ µ a and | √ µ b on optical modes A, B, separately.They initial their qubits A , B in |+i and independently add random phase φ a , φ b ∈ [0, 2π) on the optical modes A, B.

TABLE I .
Probability table of clicks with dark counts present.