Differential phase encoded measurement-device-independent quantum key distribution

Abstract

We present a measurement-device-independent quantum key distribution (MDI-QKD) using single photons in a linear superposition of three orthogonal time-bin states, for generating the key. The orthogonal states correspond to three distinct paths in the delay line interferometers used by two (trusted) sources. The key information is decoded based on the measurement outcomes obtained by an untrusted third party Charles, who uses a beamsplitter to measure the phase difference between pulses traveling through different paths of the two delay lines. The proposed scheme combines the best of both differential-phase-shift (DPS) QKD and MDI-QKD. It is more robust against phase fluctuations, and also ensures protection against detector side-channel attacks. We prove unconditional security by demonstrating an equivalent protocol involving shared entanglement between the two trusted parties. We show that the secure key rate for our protocol compares well to existing protocols in the asymptotic regime. For the decoy-state variant of our protocol, we evaluate the secure key rate by using a phase-post-selection technique. Finally, we estimate the bit error rate and the phase error rate, in the finite key regime.

1 Introduction

Quantum key distribution (QKD) is proven to be unconditionally secure in theory [1,2,3,4,5]. However, QKD protocols may be rendered insecure in practice, because of the difference in the behavior of practical devices and the respective theoretical models used in security proofs. For example, the standard protocols and their security proofs fail to take into account side-channel attacks on the detectors [6,7,8,9,10,11,12,13,14,15], thereby compromising security.

Various solutions have been proposed to counteract side-channel attacks. One solution is to develop precise mathematical models of devices used in the QKD experiments and incorporate these models into new security proofs [16,17,18]. However, the complex nature of devices makes this approach very challenging to realize in practice. The other solution is to develop counter measures against known side-channel attacks [19, 20], but the QKD system still remains vulnerable to unanticipated attacks. Device independent QKD (DI-QKD) [21, 22] is another viable candidate against side-channel attacks. The security of DI-QKD relies on the violations of Bell inequality. However, the requirement of a loophole-free Bell test, and an extremely low key rate at long distances, makes this unfeasible with current technology [23, 24]. Measurement-device-independent QKD (MDI-QKD) [25, 26] was introduced as a practical solution to side-channel attacks on the measurement unit.

In an MDI-QKD protocol, Alice and Bob encode their respective classical key bits into quantum states and send it to a potentially untrusted party, Charles. It is assumed that the measurement unit is under complete control of Charles, who carries out the measurement and announces the results. This is followed by sifting, error correction and privacy amplification, as carried out in standard QKD protocols. The first MDI-QKD scheme was designed for a polarization-based implementation of BB84 [25]. Various variants of the original polarization-based MDI protocol exist in the literature [27,28,29]. MDI protocols employing time-bin [30, 31] and phase-based encodings [32,33,34,35,36] also exist in the literature—see [37] for a recent review. However, random phase and polarization fluctuations are a major hindrance in long distance implementations of polarization and phase-based MDI-QKD schemes.

Here, we propose a differential-phase-shifted MDI-QKD (DPS MDI-QKD) scheme, as a potential candidate for alleviating random phase fluctuations. Random polarization fluctuations that occur over milli-second timescales do not affect such a differential phase-based protocol. In a differential phase-encoded QKD protocol, the classical key is encoded in the phase difference between successive optical pulses which are a few nano-seconds apart, thus making the protocol resilient to the effects of environmental phase fluctuations. There are a few variants of differential-phase-shifted keying proposed in the literature [38]. For example, the sender Alice could use a phase modulator in combination with a random number generator to apply a phase of either 0 or \(\pi \), randomly, on a sequence of successive pulses generated by a weak coherent source (WCS) [39]. Alternately, the phase modulation may be done on a single photon pulse converted into a superposition of three orthogonal states corresponding to three different time-bins, via a delay line interferometer [40].

Here, we make use of the 3-pulse protocol, whose security is based on the fact that the eavesdropper has to distinguish between a set of four non-orthogonal quantum states. While the coherent-state DPS protocol is provably secure against individual attacks [41], the single-photon based 3-pulse protocol is shown to be unconditionally secure [42]. However, this security proof assumes infinitely long keys, whereas experimental implementations are constrained by the finite computational power of Alice and Bob, resulting in keys of finite length.

Effect of the finiteness of the key size on security parameters was first studied in [43]. Subsequently, the security of BB84 [44] and decoy state protocols [45,46,47] against collective attacks in the finite-key regime was established. Techniques used for the finite-key analysis of conventional QKD have also been applied to MDI-QKD, but for specific attacks [48]. More recently, a rigorous security proof of MDI-QKD against general attacks for a finite key length was demonstrated [49].

In this paper, we present a MDI-QKD scheme which incorporates the advantages of differential phase encoding. We show unconditional security of our protocol by mapping it to an equivalent entanglement-based protocol. An upper bound for the phase error rate of our scheme, in terms of the bit error rate, is then used to carry out the asymptotic and finite-key analysis of our scheme. We demonstrate that our protocol generates secure keys over reasonable distances, even under system imperfections. We also propose a decoy-state variant of our protocol and use phase-post-selection technique to show that our scheme offers reasonable security, thereby making it an attractive choice for practical implementations that use a weak coherent source (WCS).

In Sect. 2, we briefly review the 3-pulse DPS-QKD protocol and its security aspects. We discuss our DPS-MDI protocol in Sect. 3 and show that it maps to an entanglement-based protocol. We obtain the secure key rate using an ideal single-photon source as well as a WCS for the protocol. Finally, we present the finite-key analysis of our scheme in Sect. 4. The details of the calculation of the secure key rates for our scheme, and the mapping of our protocol to an equivalent entanglement-based protocol are presented in “Appendix A and B”, respectively. We explicitly calculate the phase error rate for our protocol in terms of the bit error rate in “Appendix C”, and finally, calculate the parameters involved in the asymptotic key analysis in “Appendix D”.

Fig. 1

Schematic of 3-pulse differential-phase-shift QKD. WCS = Weak Coherent Source, PM = Phase Modulator, D0, D1 = Single-photon Detectors

2 Preliminaries

Starting with the original proposal to implement the B92 protocol [50], differential phase or distributed-phase protocols have been well-studied in the QKD literature [38]. Such protocols are popular because they are relatively easy to implement (compared to polarization-based protocols) and are robust against phase fluctuations. Most phase-based schemes use weak coherent pulses for encoding the key. However, in this paper, we use the single-photon scheme proposed in [40]. We shall henceforth refer to this scheme as the 3-pulse DPS-QKD protocol and provide a brief description below.

2.1 3-pulse differential-phase-shift keying

In a 3-pulse DPS-QKD protocol, the sender (Alice) throws a single photon into a superposition of three time-bins, corresponding to the three distinct paths of a delay line interferometer, and then uses a phase modulator to introduce a relative phase between successive time-bins, as shown schematically in Fig. 1. Alice encodes her random key bit \(\{0,1\}\) as a random phase \(\{0,\pi \}\) between successive pulses. The receiver (Bob) thus gets one of the four non-orthogonal quantum states given below, corresponding to the four possible phase-differences, i.e.,

$$\begin{aligned} |\psi (\pm , \pm ) \rangle = \frac{1}{\sqrt{3}}\left( \, |100\rangle _{a} \pm |010\rangle _{a} \pm |001\rangle _{a} \,\right) . \end{aligned}$$

(1)

Here, \(|100\rangle _a\), \(|010\rangle _a\) or \(|001\rangle _a\) indicate that the photon travelled with equal probability via paths 1, 2 or 3, respectively, in Alice’s set-up.

Bob’s decoding setup comprises of a delay line interferometer (DLI) and two single-photon detectors. The path lengths are chosen such that the longer arm of Bob’s DLI introduces a time delay \(\varDelta t\) which is exactly equal to the difference in time taken by the photon to traverse two successive arms of Alice’s 3-path delay line. Thus, Bob can detect the incoming photon in one of the four possible time-bins, which we label as \(t_{1}\), \(t_{2}\), \(t_{3}\), \(t_{4}\), each separated from its previous bin by a time of \(\varDelta t\). Detections at times \(t_{1}\) and \(t_{4}\) do not provide any phase information, whereas detections at times \(t_{2}\) and \(t_{3}\) provide information about the relative phases \(\theta _{12}\) and \(\theta _{23}\) respectively (see Fig. 1). Specifically, Bob decodes the key bit associated with a given time-slot as a 0, or 1, if detector D0, or D1, clicks. By publicly announcing his detection times, Bob performs key-reconciliation with Alice and it is easy to see that the sifted key rate for this 3-pulse protocol is 1/2.

An alternate form of phase-encoded QKD is the pulse-train DPS-QKD [39], which is a variant of the original B92 protocol [50]. In the pulse-train protocol, Alice generates a train of coherent pulses and applies a phase of 0 or \(\pi \) to the pulses randomly, to encode the key bits 0 or 1, respectively. These phase modulated pulse trains are sent to Bob, who passes the incoming pulses through a DLI. Depending upon the phase difference between two successive pulses, constructive or destructive interference happens. An MDI-QKD protocol based on the coherent-state pulse-train DPS protocol was also proposed in [33].

We refer to [51] for a detailed analysis of the secure key rate for the 3-pulse DPS protocol, assuming individual attacks. A simple comparison with the pulse-train DPS protocol [52] shows that the 3-pulse variant offers better security against individual attacks, in the following sense: an eavesdropper introduces a higher error rate and also has a lower learning rate in the 3-pulse protocol [51].

Finally, we note that the 3-pulse DPS-QKD protocol can be extended to an n-pulse protocol by increasing the number of possible paths that the single photon can take at the sender’s set-up. In fact, the single-photon DPS protocol using n such paths has been shown to be unconditionally secure against general attacks for any \(n\ge 3\) [42]. Experimental realization of n path DPS protocol would involve generating a photon in a superposition of n paths/time-bins using passive beam splitters (or beam combiners). As we increase the number of paths/time-bins, the insertion loss of passive beam splitters reduces the sifted key rate by a factor of n. Scaling of n in an experimental realization thus reduces the sifted key rate, in fact, the \(n=3\) protocol is shown to achieve the optimal secure key rate per pulse [42, 53]. Note that \(n=3\) is the smallest n that allows Alice and Bob to encode the key information in a non-orthogonal set of states using only two phase values, 0 and \(\pi \).

3 DPS-MDI-QKD

We now describe our MDI-QKD protocol based on the 3-pulse phase encoding scheme, using an ideal single-photon source. Apart from the fact that this scheme offers better security against individual attacks, compared to other DPS protocols, there are other practical considerations that motivate our use of the 3-path superposition in our protocol.

1. 1.

   When Alice and Bob both use an ideal-single-photon source to implement a pulse-train protocol using two phase values (0 and \(\pi \)) for encoding key bits, the phase-independent nature of Hong—Ou-Mandel interference [54] makes the key extraction difficult.

2. 2.

   Using only two phase values (0 and \(\pi \)) makes the states in a two-pulse protocol orthogonal, making them perfectly distinguishable [42].

Hence, we need at least 3-paths in the superposition to implement an MDI protocol using only a pair of phases (0, \(\pi \)) for the encoding. An MDI protocol based on a two-path superposition, and four phase values \((0,\frac{\pi }{2},\pi ,\frac{3\pi }{2})\) was proposed in [34]. This scheme yields a phase-encoded version of BB84, with a sifted key rate of 1/2, but it needs four different voltage levels for driving the phase modulator in order to encode the key information. Now, increasing the number of voltage levels in a high-speed phase modulator driver circuit leads to an increase in amplitude fluctuations, consequently increasing the quantum bit error rate [55]. Our proposed DPS MDI protocol reduces the complexity of the key encoding process by using only two phase values (0, \(\pi \)), with a sifted key rate of 4/9, explained in Sect. 3.1 below.

A simple schematic is shown in Fig. 2. As before, Alice and Bob generate single-photon pulses that pass through their respective DLIs, each creating the superposition state described in Eq. (1). Alice and Bob then encode the random key bits \(\{0,1\}\) by assigning a relative phase difference of \(\{0,\pi \}\) between two successive pulses, and send their encoded signal states to the measurement unit (Charles). Charles’ measurement set-up comprises of a beamsplitter and two single-photon detectors, labeled \(D_{c}\) and \(D_{d}\) as indicated in Fig. 2. For every photon detected by his setup, he notes which detector clicked (\(D_{c}\) or \(D_{d}\) or both), and the corresponding time-bin (\(t_{1}\), \(t_{2}\) or \(t_{3}\)) at which the click was observed. Based on this information, which is made public by Charles, Alice and Bob extract a sifted key.

3.1 Sifting and reconciliation

We may use the form of the encoded 3-pulse state in Eq. (1) to represent the input to the Charles’ measurement module as,

$$\begin{aligned} |\psi (\phi _{a_{1}}, \phi _{a_{2}}, \phi _{b_{1}}, \phi _{b_{2}} ) \rangle _{\text {in}}= & {} \frac{1}{\sqrt{3}} \left( \, |100\rangle _{a} + e^{i\phi _{{a}_{1}}} |010\rangle _{a} + e^{i\phi _{{a}_{2}}} |001\rangle _{a} \, \right) \nonumber \\&\otimes \frac{1}{\sqrt{3}} \left( \, |100\rangle _{b} + e^{i\phi _{{b}_{1}}} |010\rangle _{b} + e^{i\phi _{{b}_{2}}} |001\rangle _{b} \, \right) . \end{aligned}$$

(2)

As before, 1 and 0 indicate the presence or absence of a photon in a particular path. Similarly, \(|100\rangle _{a}\) is the 3-pulse superposition state corresponding to the photon traversing path \(1_{a}\) in Alice’s set-up, \(|010\rangle _{b}\) is a 3-pulse state corresponding to photon traversing path \(2_{b}\) in Bob’s set-up, and likewise for other terms in Eq. (2). For the sake of brevity, we represent tensor products of the form \(|100\rangle _{a} \otimes |100\rangle _{b}\) as \(|100,100\rangle _{ab}\) in the rest of the paper. In DPS-MDI, Alice and Bob encode classical information as phase differences between first and second time-bins, and second and third time-bins. In our analysis, we assume the phase of the first time-bin as the reference phase, and apply a suitable phase (0 or \(\pi \) relative to the reference phase) on the second and third time-bins to encode the key information.

Fig. 2

Schematic of differential phase encoded MDI-QKD. Here, PM \(=\) Phase Modulator, \(D_{c},D_{d}\) = Single-photon detectors

Corresponding to every pair of photons generated by the sources, there are three distinct time-bins (\(t_{1}, t_{2}, t_{3}\)) at which Charles’ detectors click, corresponding to paths \(1_{a}, 2_{a}, 3_{a}\) and \(1_{b}, 2_{b}, 3_{b}\) in Alice’s and Bob’s set-up respectively. We first rewrite Charles’ input state by grouping pairs of pulses that arrive in the same time-bin:

$$\begin{aligned} |\psi \rangle _{\text {in}}= & {} \frac{1}{3}\left[ \; |100,100\rangle _{ab} + e^{i\phi _{{a}_{1}}}|010,100\rangle _{ab}+ e^{i\phi _{{a}_{2}}}|001,100\rangle _{ab}\right. \nonumber \\&+e^{i\phi _{{b}_{1}}} |100,010\rangle _{ab} + e^{i\phi _{{b}_{2}}}|100,001\rangle _{ab} + e^{i(\phi _{{a}_{1}}+\phi _{{b}_{1}})}|010,010\rangle _{ab} \nonumber \\&+e^{i(\phi _{{a}_{1}}+\phi _{{b}_{2}})} |010,001\rangle _{ab}+ e^{i(\phi _{{a}_{2}}+\phi _{{b}_{1}})} |001,010\rangle _{ab}\nonumber \\&+\left. e^{i(\phi _{{a}_{2}}+\phi _{{b}_{2}})} |001,001\rangle _{ab} \right] . \end{aligned}$$

(3)

Note that the pairs of photons that traverse through identical paths in Alice’s and Bob’s interferometer (such as \((1_{a}, 1_{b})\) or \((2_{a}, 2_{b})\) or \((3_{a}, 3_{b})\)) do not contribute to the sifted key. Such a pair of photons would bunch together due to Hong–Ou–Mandel interference [54] and come out at the same port of the beamsplitter.

Using a beamsplitter transformation, we can write down the final two-photon state after the action of Charles’ beamsplitter. We refer to “Appendix A” for the details of the calculation, with the form of the final state after Charles’ measurement given in Eq. (28). We observe that depending on the values of the relative phases \(\varDelta \phi _{1} = \phi _{a_{1}}-\phi _{b_{1}}\) and \(\varDelta \phi _{2} = \phi _{a_{2}}-\phi _{b_{2}}\), and the path traversed by Alice’s and Bob’s photons, Charles may have the same or different detectors click at two different time-bins.

Finally, Alice and Bob perform key reconciliation once Charles announces his measurement outcomes. Based on which detector (\(D_{c}\) or \(D_{d}\)) clicks and the time-bins (\(t_{1}\), \(t_{2}\) and \(t_{3}\)) corresponding to the clicks for each pair of signal states, Alice and Bob can generate the sifted key using either \(\varDelta \phi _{1}\) or \(\varDelta \phi _{2}\) as listed in Table 1.

Table 1 Key reconciliation scheme for the proposed protocol

It follows immediately that the the sifted key rate of our protocol is,

$$\begin{aligned} R_{\mathrm{sift}} = \frac{2}{3}\times \frac{2}{3}=\frac{4}{9}. \end{aligned}$$

(4)

We discard the clicks that occur when photons from Alice and Bob fall on the beam splitter in the same time-bin. The terms \(|100,100\rangle _{ab}\), \(|010,010\rangle _{ab}\) and \(|001,001\rangle _{ab}\) in Eq. (3) correspond to such a scenario. Photons arriving at the same time-bin causes Hong–Ou–Mandel interference which leads to two photons falling on the same detector in the same time-bin, thereby making key extraction difficult. Comparing Eqs. (3) and (24), we see that one-third of the incoming photons have to be discarded due to Hong–Ou–Mandel interference. This leads to the first factor of \(\frac{2}{3}\). Next, we observe from the key reconciliation table that two-thirds of Charles’ measurements contribute to the raw key, thus leading to a sifted key rate of \(\frac{4}{9}\). We note that the MDI protocol based on 3-pulse encoding offers a lower key rate compared to the one based on coherent-state pulse-train encoding [33]. However, the use of single-photon sources in our protocol allows us to carry out a finite key analysis using the framework presented in [56]. Our protocol is also immune against eavesdropping attacks which target multi-photon pulses.

3.2 An equivalent entanglement-based protocol

To analyze the security of DPS-MDI, we first map it to a protocol that involves shared entangled pairs between Alice and Bob. Such a mapping of a phase-encoded protocol to an entanglement-based protocol has been shown earlier [42]. Following a similar approach, we now show there exists an equivalent, entanglement-based protocol to our proposed DPS-MDI-QKD protocol. The equivalent description of DPS-MDI, in terms of entangled states, allows us to demonstrate the unconditional security of our protocol and also perform the key rate analyses.

We first represent Alice’s single-photon pulse in a linear superposition of three orthogonal states,

$$\begin{aligned} |\psi \rangle _{\text {a}}=\frac{1}{\sqrt{3}}\sum _{k=1}^{3} a_{k}^{\dagger }|0\rangle . \end{aligned}$$

(5)

Here, \(a_{k}^{\dagger }\) denotes the creation operator for the photon in the \(k^{\mathrm{th}}\) time-bin. Alice uses a quantum random number generator to generate a random 2-bit integer j, written in binary notation as \((j_{1}j_{2})_{2}\). She encodes this random integer in the single-photon pulse, such that the encoded state is written as,

$$\begin{aligned} |\psi _{j_1j_2}\rangle _{\text {a}}= & {} \frac{1}{\sqrt{3}}\left( a^{\dagger }_{1}|0\rangle +(-1)^{j_{1}}a^{\dagger }_{2}|0\rangle +(-1)^{j_{2}}a^{\dagger }_{3}|0\rangle \right) . \end{aligned}$$

(6)

Alice prepares and stores 2 qubits corresponding to each encoded block in her quantum memory. She prepares \(|j_1\rangle \) in \(|0\rangle \) (\(|1\rangle \)) state when she applies a phase of 0 (\(\pi \)) to her second time-bin. Similarly, she prepares \(|j_2\rangle \) in \(|0\rangle \) (\(|1\rangle \)) state when she applies a phase of 0 (\(\pi \)) to her third time-bin. In this way, she entangles her two qubits to the encoded single-photon state as

$$\begin{aligned} |\psi \rangle _{\text {Alice}}=\frac{1}{2}\sum _{j_1,j_2\in \{0,1\}}|j_{1}j_{2}\rangle _{A_1A_2}\otimes |\psi _{j_1j_2}\rangle _{\text {a}}. \end{aligned}$$

(7)

Bob also carries out a similar encoding procedure to get his own register of qubits entangled with his encoding blocks. Along the lines of Eqs. (6) and (7), Bob’s state is written as,

$$\begin{aligned} |\psi \rangle _{\text {Bob}}=\frac{1}{2}\sum _{\tilde{j_1},\tilde{j_2}\in \{0,1\}} |\tilde{j}_{1}\tilde{j}_{2}\rangle _{B_1B_2}\otimes |\psi _{\tilde{j}_1 \tilde{j}_2}\rangle _{\text {b}}, \end{aligned}$$

(8)

where \(\tilde{j_1}\) or \(\tilde{j_1}\) are the random integers used by Bob to encode his single-photon pulse.

Alice and Bob send their encoded states across to Charles. He first applies a quantum non-demolition (QND) measurement to find the number of photons in a given state and throws away the ones which have more than one photon in the same time-bin. He sends the rest through his beamsplitter. He then publicly announces the time-bin (say \(k=1,2,\,\text {or}\,3\)), as well as the detector (\(D_{c}\) or \(D_{d}\)), at which the photon was detected. As explained in Table 1, based upon Charles’ measurement outcome, Alice and Bob use either \(\varDelta \phi _{1}\) or \(\varDelta \phi _{2}\) to extract the key.

When their shared key is established using \(\varDelta \phi _{i}\), Alice and Bob retain their corresponding ancilla qubits (\(A_{i}\) and \(B_{i}\), respectively) and discard the other ancilla qubit. As shown in “Appendix B”, for those time slots when they do not need to carry-out a bit flip operation, they share a perfectly correlated entangled state \(\frac{1}{\sqrt{2}}[|00\rangle _{A_{i}B_{i}} -|11\rangle _{A_{i}B_{i}}]\). On the other hand, corresponding to those time slots when they execute a bit-flip to extract the shared key, they share the anti-correlated Bell state \(\frac{1}{\sqrt{2}}[|01\rangle _{A_{i}B_{i}} -|10\rangle _{A_{i}B_{i}}]\). Thus, Charles measurement and filtering effectively implements a Bell state measurement, thereby entangling Alice’s and Bob’s ancilla qubits. A detailed discussion of the joint state after Charles’ measurement and key-reconciliation can be found in “Appendix B”.

3.3 Asymptotic secure key rate

Alice and Bob perform classical post-processing on the sifted key to extract the final secure key from it. The first step of this post-processing is to estimate the error rate in the sifted key, which involves Alice and Bob exposing a fraction of their sifted key bits to calculate the error rate. They abort the protocol and start again from the beginning (i.e., signal transmission to Charles) if their calculated error rate exceeds a pre-defined threshold. They define this threshold error rate by taking into account the error introduced in the key, both due to the system imperfections as well as any potential eavesdropping.

When the estimated error rate lies below the threshold error rate, they carry out the second step of post-processing, i.e., error correction. Alice and Bob apply a suitable error correction scheme on their sifted key to correct all the erroneous bits. The error estimation and correction happens over a classical channel, and we must assume that Eve is privy to all the information exchanged between Alice and Bob. Therefore, the final step of post-processing is privacy amplification, which aims to reduce Eve’s knowledge about the key well below an acceptable level. This is done by discarding a fraction of the error-free key. Alice and Bob typically use a hash function to carry out privacy amplification.

Using the sifted key rate obtained in Eq. (4) and following the analysis in [3, 25], we obtain the following asymptotic secure key rate for our MDI-DPS protocol,

$$\begin{aligned} R \ge Y_{11}[1-fh(e_{\text {b}})-h(e_{\text {p}})]. \end{aligned}$$

(9)

Here, \(Y_{11}\) is the probability of a successful Bell state measurement (BSM) when Alice and Bob transmit single photons. As per our mapping of DPS-MDI to an equivalent entangled-based protocol, a successful BSM corresponds to the cases tabulated in Table 1 where Charles’ measurement outcomes contribute to the sifted key. \(e_{\text {b}}\) is the quantum bit-error rate (QBER), \(e_{\text {p}}\) is the phase error rate, f represents the inefficiency of the error correction scheme employed by Alice and Bob, and h(x) is the binary entropy function.

We bound the phase error rate of our protocol in terms of the bit error rate in “Appendix C” as,

$$\begin{aligned} e_{\text {p}}\le e_{\text {b}}, \end{aligned}$$

(10)

and use this bound for all of the simulation results. We also explicitly calculate the parameters given in Eq. (9) for our protocol in “Appendix D”. We have taken phase misalignment, dark counts and different channel losses for the two channels into consideration while obtaining these parameters.

Fig. 3

Key rates for ideal, single-photon based protocols

We compare the asymptotic key rate of DPS-MDI with two other protocols - phase-encoded MDI protocol [34] and DPS QKD [42]. From Fig. 3, we observe that DPS-MDI offers a secure channel length which is nearly twice of the channel length of DPS QKD—a trademark of MDI protocols when compared with non-MDI protocols. We also see that our DPS-MDI protocol offers performance comparable to an existing phase-encoded MDI protocol in terms of secure channel length and key rate. The slightly higher key rate in [34] is attributed to its higher sifted key rate of \(\frac{1}{2}\) compared to DPS-MDI’s rate of \(\frac{4}{9}\).

We have obtained the non-MDI DPS QKD plot in Fig. 3 by using the key rate equation derived in [42]. We would like to point out the difference in the secure channel length for n=3 DPS QKD obtained in [42] and our simulation. The difference arises because we have used \(3\times 10^{-6}\) as the dark count probability in our simulation, which is 1000 times higher than the dark count probability used in [42]. Also, [42] assumes an ideal error correction step in their classical post-processing, while our simulations assume a non-ideal error correction step. We capture the inefficiency of error correction in our protocol using the parameter f (Eq. 9).

In experimental implementations, weak coherent sources (WCS) are typically used to generate pulses with mean photon number (\(\mu \)) of less than one so that the probability of generation of multi-photon pulses is significantly less than that of single-photon pulses. However, a WCS could still generate multi-photon pulses, and leak information to Eve. Hence, we use the decoy-state method to establish the security of our DPS-MDI protocol. The original decoy-state based QKD protocols have been proposed for BB84 schemes and secure key rates obtained in [57, 58]. Decoy state analysis for MDI-BB84 was done in [25]. In our case, we follow the approach in [25] along with the improved phase-post-selection technique employed in [34] to obtain the key rate as,

$$\begin{aligned} R \ge Q_{11}[1-h(e_{\text {p}})]+Q^{'}_{0\mu _{b}}-I_{\text {ec}}. \end{aligned}$$

(11)

Here, \(I_{\text {ec}}\) is the cost of error correction written as

$$\begin{aligned} I_{\text {ec}}=Q_{\mu _{a}\mu _{b}}fh(E_{\mu _{a}\mu _{b}}), \end{aligned}$$

(12)

where \(Q_{\mu _{a}\mu _{b}}(E_{\mu _{a}\mu _{b}})\) is the overall gain (QBER) when Alice and Bob use a WCS with mean photon numbers \(\mu _{a}\) and \(\mu _{b}\), respectively. \(Q_{11}(e_{\text {p}})\) is the gain (phase error rate) when both the sources generate single-photon states, and \(Q^{'}_{0\mu _{b}}=e^{- \mu _a}Q_{0\mu _{b}}\) is the probability that there is no photon from Alice’s side and a successful BSM occurs. We refer to “Appendix D” for formal definitions and a detailed evaluation of these parameters.

Our decoy-state analysis assumes a fully phase-randomized coherent source. The intrinsic QBER shoots up due to phase randomization of the coherent source. The overall phase of \([0,2\pi )\) can be sliced into N distinct slices as,

$$\begin{aligned} \bigg [\frac{m\pi }{N},\frac{(m+1)\pi }{N}\bigg )\cup \bigg [\frac{(m+N)\pi }{N}, \frac{(m+N+1)\pi }{N}\bigg ), \end{aligned}$$

(13)

where m ranges from 0 to \(N-1\). Instead of carrying out phase randomization over the entire interval \([0,2\pi )\), Alice and Bob randomly select one slice out of N, and then randomize the phase. Hence, an additional step of revealing the selected slice gets added in the decoy state version of our protocol. Alice and Bob keep the bits when both of them have selected the same phase slice. Figure 4 shows that dividing the interval \([0,2\pi )\) into slices reduces the intrinsic QBER from \(34\%\) to around \(1\%\) for \(N=16\).

Fig. 4

QBER comparison when phase randomization is a carried out over entire range (b) carried out in one of the N slices. We have used Eq. (94) for numerically evaluating the QBER

However, this phase-post-selection technique also changes the cost of error correction mentioned in Eq.  (12) to

$$\begin{aligned} I_{\text {ec}}=\sum \limits _{m}Q^{m}_{\mu _{a}\mu _{b}}fh(E^{m}_{\mu _{a}\mu _{b}}). \end{aligned}$$

(14)

From our numerical simulations, we observe that the key rate becomes negative upon using Eq. (14) in conjugation with Eq. (11). Hence, we assume that the gain and error rate of the single-photon states are evenly distributed over all the slices, thereby modifying the decoy MDI key rate equation to

$$\begin{aligned} R \ge \frac{1}{N}Q_{11}[1-h(e_{\text {p}})]+Q^{'}_{0\mu _{b}}-Q^{m}fh(E^{m})\vert _{m=0}. \end{aligned}$$

(15)

We refer to “Appendix D” for a detailed analysis of the effect of this phase-post-selection technique on the overall gain and QBER. We compare the key rate of our decoy-state DPS-MDI with [34] (see Fig. 5), where we used the parameters from [25] for our simulations. The quantum efficiency of the detectors was taken to be 14.5% with a misalignment error of 1.5%. N and f are taken to be 16 and 1.16 respectively. We assume a dark count rate of \(3\times 10^{-6}\) for the detector and an attenuation of 0.2 dB/km in the fiber channel.

Fig. 5

Key rate comparison for decoy-state MDI schemes

3.4 Practical implementation

As described above, Alice and Bob can share a secure key using the setup shown in Fig. 2. However, a practical implementation of the proposed scheme requires certain modifications to the set-up (see Fig. 6).

1. 1.

   Key generation requires detection of two time-synchronized photons by a single detector. In practice, this would be constrained by the finite dead-time of a single-photon detector. Hence, an acousto-optic deflector (AOD) is used to route the photon in each time-bin to different single-photon detectors. This results in a slight modification to the key-reconciliation step, namely, Charles now announces which pair of detectors clicked in each time-bin.

2. 2.

   Alice and Bob need a common phase reference, since they use independent laser sources for generating their single-photon pulses. The optical phase-locked loop (OPLL) technique [59, 60], commonly used in coherent detections, can be used to phase lock the sources used by Alice and Bob. The OPLL has a simple setup and requires only off-the-shelf components [61].

4 Finite key analysis of DPS-MDI-QKD

Finiteness of the key size constitutes a major chink in the security proofs of practical QKD protocols. Most of the theoretical proofs provide a bound on the secure key rate by assuming the key size as infinite. However, practical implementations cannot run forever. This gap in theory and practice is bridged by providing security bounds for a finite number of signal exchanges between Alice and Bob.

A perfect key is a uniformly distributed bit string, having no dependence on an adversary’s knowledge. Practical keys deviate from this ideal scenario, and this deviation is captured by a parameter \(\varepsilon \), interpreted as the maximum probability of a practical key differing from a completely random bit string. Following [62, 63], we say that a key K is \(\varepsilon \)-secure with respect to an eavesdropper E if,

$$\begin{aligned} \frac{1}{2}\parallel \rho _{KE}-\tau _{K}\otimes \rho _{E}\parallel _{1}\;\le \; \varepsilon . \end{aligned}$$

(16)

Fig. 6

Schematic of a practical 3-pulse DPS-MDI-QKD implementation. Alice and Bob use a phase modulators (PM) and a delay line interferometer each. Charlie’s set-up comprises a beamsplitter, four detectors and two acousto-optic deflectors (AODs)

Here, \(\rho _{KE}\) is the joint state of the ‘key system’ K and the adversary E, \(\rho _{E}\) is the state held by the adversary, and \(\tau _{K}\) is the completely mixed state on K.

In the asymptotic case, for any QKD protocol where Alice and Bob share entangled pairs, the secure key rate (R) can be bounded under the assumption of collective attacks as [1, 3, 64],

$$\begin{aligned} R = H(X \mid E)- H(X \mid Y), . \end{aligned}$$

(17)

Here, X and Y represent Alice and Bob’s key systems, respectively, E represents the eavesdropper, and \(H(.\mid .)\) is the conditional von Neumann entropy. Intuitively, Eq. (17) follows from the fact that the secure key rate is equal to Eve’s uncertainty about the raw key X minus Bob’s uncertainty. For our DPS-MDI protocol, the conditional entropy \(H (X \mid E)\) can be expressed as [65],

$$\begin{aligned} H(\tilde{X} \mid \tilde{E})=1-h(e_{\text {b}})-h(e_{\text {p}}), \end{aligned}$$

(18)

where \(e_{\text {b}}\) is the bit error rate, and \(e_{\text {p}}\) denotes the phase error rate.

We follow the finite-key analysis presented in [56, 65], involving a generalization of von Neumann entropy, called the smooth entropy. The objective of this smoothening of the regular entropic functions is to take into account the fluctuations arising from the finite signal size. As in the asymptotic case, Alice and Bob are assumed to share entangled pairs, which holds for our proposed scheme, as outlined in Sect. 3.2 above. The generalized form of Eq. (17) in the finite-key regime can be expressed as [56],

$$\begin{aligned} r = H_{\xi }(X \mid E)-(\text {leak}_{\text {EC}}+\varDelta )/n , \end{aligned}$$

(19)

where \(H_{\xi }(X \mid E)\) is the conditional smooth-min entropy, \(\text {leak}_{\text {EC}}\) is the number of bits needed to be shared over a classical channel for error correction and

$$\begin{aligned} \varDelta = 2\,\log _{2}\frac{1}{[2(\varepsilon -\bar{\varepsilon } - \varepsilon _{\text {EC}})]} + 7\sqrt{n\log _{2}(2/(\bar{\varepsilon }-\bar{\varepsilon }'))}. \end{aligned}$$

(20)

Here, \(\varepsilon _{\text {EC}}\) is the error probability, defined as the probability that Bob ends up with a wrong bit string after the error correction stage. \(\bar{\varepsilon }\) and \(\bar{\varepsilon }'\) are the smoothening parameters as mentioned in Lemma 2 of [56].

We calculate \(H_{\xi }(X \mid E)\) for our protocol using the asymptotic value of \(H(X \mid E)\) and bound the phase error rate in terms of the bit error rate. We have shown in “Appendix C” that the phase error rate of our protocol is bounded by the bit error rate as,

$$\begin{aligned} e_{\text {p}}\le e_{\text {b}}. \end{aligned}$$

(21)

In the finite-key regime Eq. (18) translates to,

$$\begin{aligned} H_{\xi }(X \mid E)=1-h(\tilde{e}_{\text {b}})-h(\tilde{e}_{\text {p}}). \end{aligned}$$

(22)

Fig. 7

Key rate r as a function of the number of exchanged quantum signals for different values of \(e_b\)

Finally, the bit error rate in the finite-key regime is expressed as \(\tilde{e}_{\text {b}}=e_{\text {b}}+\xi \;(n,d=9)\), where n is the number of raw key bits. Similarly, the phase error rate is given as \(\tilde{e}_{\text {p}}=e_{\text {p}}+\xi \; (m,d=9)\), where m is the number of bits used in parameter estimation and d is the number of possible POVM outcomes. \(d=9\) for our protocol as there are eight scenarios at the detection unit (see Table 1) which contribute to the key generation. The ninth POVM corresponds to the case when BSM fails. \(\xi \) is a non-negative parameter, (Lemma 3 of [56]) given by,

$$\begin{aligned} \xi =\sqrt{\frac{2\ln (1/\bar{\varepsilon }')+d\ln (m+1)}{m}}. \end{aligned}$$

(23)

Using Eqs. (20), (22), and (23) we estimate the sifted key rate described in Eq. (19). The performance of a practical error correcting code as analyzed in [56] gives \(\text {leak}_{\text {EC}}/n=1.2h(e_b)\), where, \(e_b\) is the quantum bit error rate. This helps in estimating the second term of Eq. (19). (\(N,\varepsilon ,\text {leak}_{\text {EC}},\varepsilon _{\text {EC}}\)) are protocol dependent parameters, whereas \(n,m,\bar{\varepsilon }\) and \(\bar{\varepsilon }'\) are selected so as to maximize the key rate per signal, \(r=(n/N)r'\) under the constraints \(n+m \le N\) and \(\varepsilon -\varepsilon _{\text {EC}}> \bar{\varepsilon } > \bar{\varepsilon }'\ge 0\).

Figure 7 shows the variation in key rate with the number of exchanged signals for our DPS-MDI protocol. We have used \(\varepsilon =10^{-5}\) and \(\varepsilon _{\text {EC}}=10^{-10}\) to generate the plots for different values of \(e_b\). As expected, the key rate per signal (r) approaches the sifted key rate of \(\frac{4}{9}\) in the asymptotic limit. This is a reflection of the fact that only \(\frac{4}{9}\) of the raw key bits can be used for key generation and the rest is used for parameter estimation.

5 Conclusions

In this paper, we have presented a 3-path superposition based DPS-MDI-QKD protocol. We have shown the necessity and advantages of having the 3-path superposition. The proposed protocol has been mapped to an entanglement-based protocol, thereby establishing its unconditional security. We have carried out a security analysis of our scheme in the asymptotic regime assuming system imperfections.

We have shown that our protocol generates secure keys even when the ideal single-photon source is replaced with a weak coherent source (WCS). The security of the WCS-based scheme is established using decoy states and a suitable phase-post-selection technique. Finally, we have determined an upper-bound for the phase error rate of our protocol in terms of the bit error rate. This allows us to carry out the key analysis of the protocol in both asymptotic as well as finite-key regimes. We have further simulated the variation in key rate with the number of exchanged signals of our protocol.

An interesting direction for future work is the finite-key analysis of the 3-path DPS-MDI using a weak coherent source. Such a coherent-state DPS-MDI protocol will also be free from the issues arising due to the probabilistic nature of photon generation in single-photon sources. Another interesting problem that can be addressed in the future works is the tightening of the bound used in obtaining the secure key rates of our protocol.

Appendices

Analysis of DPS-MDI-QKD protocol

Fig. 8

a and b are input ports, and c and d are the output ports of the beamsplitter

We start with the form of the input to Charles’ beamsplitter given in Eq. (3):

$$\begin{aligned} |\psi \rangle _{\text {in}}= & {} \frac{1}{3}\left[ \; |100,100\rangle _{ab} + e^{i\phi _{{a}_{1}}}|010,100\rangle _{ab}\right. \\&+e^{i\phi _{{a}_{2}}}|001,100\rangle _{ab}+ e^{i\phi _{{b}_{1}}} |100,010\rangle _{ab} \\&+ e^{i\phi _{{b}_{2}}}|100,001\rangle _{ab}+ e^{i(\phi _{{a}_{1}}+\phi _{{b}_{1}})}|010,010\rangle _{ab} + e^{i(\phi _{{a}_{1}}+\phi _{{b}_{2}})} |010,001\rangle _{ab} \\&\left. + e^{i(\phi _{{a}_{2}}+\phi _{{b}_{1}})} |001,010\rangle _{ab}+ e^{i(\phi _{{a}_{2}}+\phi _{{b}_{2}})} |001,001\rangle _{ab} \;\right] . \end{aligned}$$

We leave out the states that correspond to photons traversing identical paths in Alice’s and Bob’s set-up, since they do not contribute to the sifted key, and consider the (normalized) state,

$$\begin{aligned} |\psi \rangle _{\text {in}}= & {} \frac{1}{\sqrt{6}}\left[ \; e^{i\phi _{{a}_{1}}}|010,100\rangle _{ab}+ e^{i\phi _{{a}_{2}}}|001,100\rangle _{ab}\right. \nonumber \\&+ e^{i\phi _{{b}_{1}}} |100,010\rangle _{ab} + e^{i\phi _{{b}_{2}}}|100,001\rangle _{ab} \nonumber \\&\left. + e^{i(\phi _{{a}_{1}}+\phi _{{b}_{2}})} |010,001\rangle _{ab}+ e^{i(\phi _{{a}_{2}}+\phi _{{b}_{1}})} |001,010\rangle _{ab} \;\right] . \end{aligned}$$

(24)

Writing \(\phi _{a_{1}}-\phi _{b_{1}}=\varDelta \phi _{1}\) and \(\phi _{a_{2}}-\phi _{b_{2}}=\varDelta \phi _{2}\) as the phase differences between corresponding pulses from Alice and Bob, the input to Charles’ beamsplitter is written as,

$$\begin{aligned} |\tilde{\psi }\rangle _{\text {in}}= & {} \frac{1}{\sqrt{6}} e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}} )} \left[ \, e^{i\varDelta \phi _{1}} |010,001\rangle _{ab}\right. \nonumber \\&+ e^{i\varDelta \phi _{2}}|001,010\rangle _{ab}+ e^{-i\phi _{{b}_{1}}} \Big ( |100,001\rangle \nonumber \\&\left. + e^{i\varDelta \phi _{2}} |001,100\rangle \Big ) + e^{-i\phi _{{b}_{2}}} \Big ( \, |100,010\rangle + e^{i\varDelta \phi _{1}}|010,100\rangle _{ab} \Big ) \, \right] . \end{aligned}$$

(25)

Figure 8 shows a typical 50 : 50 beamsplitter. The action of the beamsplitter with input ports a, b and output ports c, d, when there is a photon incident on only one of the two ports is given by,

$$\begin{aligned} |1,0\rangle _{ab}\longrightarrow & {} \frac{1}{\sqrt{2}}\left( |1,0\rangle _{cd} + |0,1\rangle _{cd} \right) , \nonumber \\ |0,1\rangle _{ab}\longrightarrow & {} \frac{1}{\sqrt{2}}\left( |1,0\rangle _{cd} - |0,1\rangle _{cd} \right) . \end{aligned}$$

(26)

Using Eq. 26, we find that the beamsplitter transforms the terms present in the joint input state of Alice and Bob (Eq. 25) as shown below:

$$\begin{aligned} |010,001\rangle _{ab}\longrightarrow & {} \frac{1}{2}\Big (|011,000\rangle _{cd}-|010,001\rangle _{cd}+|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big ) , \nonumber \\ |001,010\rangle _{ab}\longrightarrow & {} \frac{1}{2} \Big (|011,000\rangle _{cd}+|010,001\rangle _{cd} -|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big ) , \nonumber \\ |100,001\rangle _{ab}\longrightarrow & {} \frac{1}{2} \Big (|101,000\rangle _{cd}-|100,001\rangle _{cd}+|001,100\rangle _{cd}-|000,101\rangle _{cd}\Big ) , \nonumber \\ |001,100\rangle _{ab}\longrightarrow & {} \frac{1}{2} \Big (|101,000\rangle _{cd}+|100,001\rangle _{cd}-|001,100\rangle _{cd}-|000,101\rangle _{cd}\Big ) ,\nonumber \\ |100,010\rangle _{ab}\longrightarrow & {} \frac{1}{2} \Big (|110,000\rangle _{cd}-|100,010\rangle _{cd}+|010,100\rangle _{cd}\,-|000,110\rangle _{cd}\Big ) , \nonumber \\ |010,100\rangle _{ab}\longrightarrow & {} \frac{1}{2} \Big (|110,000\rangle _{cd}+|100,010\rangle _{cd} -|010,100\rangle _{cd}-|000,110\rangle _{cd}\Big ) , \nonumber \\ |100,100\rangle _{ab}\longrightarrow & {} \frac{1}{\sqrt{2}} \Big (|200,000\rangle _{cd}-|000,200\rangle _{cd}\Big ) , \nonumber \\ |010,010\rangle _{ab}\longrightarrow & {} \frac{1}{\sqrt{2}} \Big (|020,000\rangle _{cd}-|000,020\rangle _{cd}\Big ) , \nonumber \\ |001,001\rangle _{ab}\longrightarrow & {} \frac{1}{\sqrt{2}} \Big (|002,000\rangle _{cd}-|000,002\rangle _{cd}\Big ) . \end{aligned}$$

(27)

Using Eq. (25) and Eq. (27), we get

$$\begin{aligned} |\psi \rangle _{\text {out}}= & {} \frac{1}{2\sqrt{6}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \,e^{i\varDelta \phi _{1}}\Big (|011,000\rangle _{cd}-|010,001\rangle _{cd}\nonumber \\&+|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big )\nonumber \\&+e^{i\varDelta \phi _{2}}\Big (|011,000\rangle _{cd}+|010,001\rangle _{cd} -|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big )\nonumber \\&+ e^{-i\phi _{{b}_{1}}}\Big \{\Big (|101,000\rangle _{cd}-|100,001\rangle _{cd}+|001,100\rangle _{cd} \,-|000,101\rangle _{cd}\Big )\nonumber \\&+e^{i\varDelta \phi _{2}}\Big (|101,000\rangle _{cd}+|100,001\rangle _{cd}-|001,100\rangle _{cd} -|000,101\rangle _{cd}\Big )\Big \}\nonumber \\&+ e^{-i\phi _{{b}_{2}}}\Big \{\Big (|110,000\rangle _{cd} \,-|100,010\rangle _{cd}+|010,100\rangle _{cd}\,-|000,110\rangle _{cd}\Big )\nonumber \\&+e^{i\varDelta \phi _{1}}\Big (|110,000\rangle _{cd}+|100,010\rangle _{cd} -|010,100\rangle _{cd}-|000,110\rangle _{cd}\Big )\Big \}\Big ].\nonumber \\ \end{aligned}$$

(28)

The output after the beamsplitter depends upon the random phase applied by Alice and Bob to their respective time-bins. We write down the four different final states realized, corresponding to the four possible values of \((\varDelta \phi _{1}, \varDelta \phi _{2})\). To help understand the key-reconciliation step, we have rewritten the final state by grouping together the states at each output port (c or d), corresponding to the three different time-bins (\(t_{1}\), \(t_{2}\) or \(t_{3}\)).

Case 1: When \(\varDelta \phi _{1}=\varDelta \phi _{2}=0\), the two-photon state after the beamsplitter is,

$$\begin{aligned} |\psi \rangle _{\text {out}}= & {} \frac{1}{\sqrt{6}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \Big (|011,000\rangle _{cd}-|000,011\rangle _{cd}\Big ) +e^{-i\phi _{{b}_{1}}}\Big (|101,000\rangle _{cd}\nonumber \\&-|000,101\rangle _{cd}\Big )+e^{-i\phi _{{b}_{2}}}\Big (|110,000\rangle _{cd}- |000,110\rangle _{cd}\Big )\Big ]. \end{aligned}$$

(29)

Case 2: When \(\varDelta \phi _{1}=\varDelta \phi _{2}=\pi \), the output state of the beamsplitter is,

$$\begin{aligned} |\psi \rangle _{\text {out}}= & {} \frac{1}{\sqrt{6}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \Big (|011,000\rangle _{cd}-|000,011\rangle _{cd} +e^{-i\phi _{{b}_{1}}}\Big (|001,100\rangle _{cd}\nonumber \\&-|100,001\rangle _{cd}\Big )+e^{-i\phi _{{b}_{2}}}\Big (|010,100\rangle _{d} -|100,010\rangle _{d}\Big )\Big ]. \end{aligned}$$

(30)

Case 3: When \(\varDelta \phi _{1}=0\) and \(\varDelta \phi _{2}=\pi \), the output state is,

$$\begin{aligned} |\psi \rangle _{\text {out}}= & {} \frac{1}{\sqrt{6}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \Big (|001,010\rangle _{cd}-|010,001\rangle _{cd}\Big )+e^{-i\phi _{{b}_{1}}} \Big (|001,100\rangle _{cd}\nonumber \\&-|100,001\rangle _{cd}\Big )+e^{-i\phi _{{b}_{2}}}\Big (|110,000\rangle _{cd} -|000,110\rangle _{cd}\Big )\Big ]. \end{aligned}$$

(31)

Case 4: When \(\varDelta \phi _{1}=\pi \) and \(\varDelta \phi _{2}=0\), the output state is,

$$\begin{aligned} |\psi \rangle _{\text {out}}= & {} \frac{1}{\sqrt{6}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \Big (|010,001\rangle _{cd}-|001,010\rangle _{cd}\Big )+e^{-i\phi _{{b}_{1}}} \Big (|101,000\rangle _{cd}\nonumber \\&-|000,101\rangle _{cd}\Big )+e^{-i\phi _{{b}_{2}}}\Big (|010,100\rangle _{cd} -|100,010\rangle _{cd}\Big )\Big ]. \end{aligned}$$

(32)

We now formulate the key reconciliation scheme (see Table 1) based on Eqs. (29)- (32), while noting that detector \(D_{c}\) detects the photons from port c of the beamsplitter and correspondingly detector \(D_{d}\) clicks when photons exits from port d.

Consider the two examples when Alice and Bob use \(\varDelta \phi _{1}\) to extract the key.

1. 1.

   When Charles announces the clicking of \(D_c\) in time-bins \(t_{1}\) and \(t_{2}\), this would indicate that \(\varDelta \phi _{1}\) and \(\varDelta \phi _{2}\) have taken values corresponding to Case 1 or Case 3 above, corresponding to \(\varDelta \phi _{1} = 0\) and \(\varDelta \phi _{2}= 0\) or \(\pi \). Alice and Bob therefore use only \(\varDelta \phi _{1}\) to extract the key.

2. 2.

   When Charles announces the clicking of \(D_c\) at \(t_{1}\) and \(D_d\) at \(t_{2}\), Alice and Bob again use \(\varDelta \phi _{1}\) to extract the key. However, they also need a bit flip operation to get the same key bits. Note that in this example also, \(\varDelta \phi _{1}=0\) and \(\varDelta \phi _{2}=0\) or \(\pi \).

A similar reasoning can be used to complete the key reconciliation scheme as described in Table 1.

DPS-MDI as an entanglement-based protocol

We start with Eqs. (7) and (8), to write the joint state of Alice and Bob after their encoding procedure. Recall that A and B indicate Alice and Bob’s signal states, whereas \(A_{i}\) and \(B_{i}\) indicate the \(i^{\mathrm{th}}\) pair of ancilla qubit in respective (ideal) quantum memories. The joint state thus reads as,

$$\begin{aligned} |\psi \rangle _{\text {Alice}}\otimes |\psi \rangle _{\text {Bob}}= & {} \frac{1}{4}\sum _{j_{1},j_{2}\in \{ 0,1 \}}(|j_{1}\rangle _{A_{1}}|j_{2}\rangle _{A_{2}})\otimes |\psi _{j_1j_2}\rangle _{a}\nonumber \\&\otimes \sum _{\tilde{j}_{1},\tilde{j}_{2} \in \{ 0,1 \}}(|\tilde{j}_{1}\rangle _{B_{1}}|\tilde{j}_{2}\rangle _{B_{2}})\otimes |\psi _{\tilde{j}_{1},\tilde{j}_{2}}\rangle _{b}, \nonumber \\= & {} \frac{1}{4}\sum _{j_{1},j_{2},\tilde{j}_{1},\tilde{j}_{2} \in \{ 0,1 \}} |j_{1}\rangle _{A_{1}}|\tilde{j}_{1}\rangle _{B_{1}}|j_{2}\rangle _{A_{2}}|\tilde{j}_{2}\rangle _{B_{2}}\nonumber \\&\otimes |\varPsi _{(j_{1}j_{2}\tilde{j}_{1}\tilde{j}_{2})}\rangle _{ab}. \end{aligned}$$

(33)

The state \(|\varPsi _{j_{1}j_{2}\tilde{j}_{1}\tilde{j}_{2}}\rangle _{ab}\), which eventually becomes the input to Charles’ beamsplitter, has the following form:

$$\begin{aligned} \vert \varPsi _{j_{1}j_{2}\tilde{j}_{1}\tilde{j}_{2}}\big \rangle _{ab}= & {} |\psi _{j_1j_2}\rangle _{a}\otimes |\psi _{\tilde{j_1}\tilde{j_2}}\rangle _{b}\nonumber \\= & {} \Big ( a^{\dagger }_{1}b_{1}^{\dagger } + \sum _{i=1}^{2}(-1)^{(j_{i}+\tilde{j}_{i})}a_{i+1}^{\dagger }b_{i+1}^{\dagger } + (-1)^{\tilde{j}_{1}}a_{1}^{\dagger }b_{2}^{\dagger } + (-1)^{ \tilde{j}_{2}}a_{1}^{\dagger }b_{3}^{\dagger } \nonumber \\&+ (-1)^{j_{1}}a_{2}^{\dagger }b_{1}^{\dagger } + (-1)^{j_{1}+ \tilde{j}_{2}}a_{2}^{\dagger }b_{3}^{\dagger } + (-1)^{j_{2}} a_{3}^{\dagger }b_{1}^{\dagger } \nonumber \\&+ (-1)^{(j_{2} + \tilde{j}_{1})}a_{3}^{\dagger }b_{2}^{\dagger } \Big ) \vert 0,0 \big \rangle _{ab} . \end{aligned}$$

(34)

Here, \(|0,0\rangle _{ab}=|0\rangle _a\otimes |0\rangle _b\), and denotes the vaccum at the input ports of the beamsplitter. \(a_{i}^{\dagger }\) and \(b_{i}^{\dagger }\) are the creation operators corresponding to a photon traversing through the \(i^{\mathrm{th}}\) arm in Alice and Bob’s delay lines respectively. As indicated above, there is no entanglement yet between Alice and Bob’s states; rather, each encoded state is entangled with their respective quantum memories.

To obtain the output state after measurement and key reconciliation, we first do a post-selection and discard input states which have photons arriving at the same time-bin from both Alice and Bob. As described in Sect. 3, such photons do not contribute to the final key, due to Hong–Ou–Mandel interference. Hence, we drop terms of the form \(a_{i}^{\dagger }b_{i}^{\dagger }\) in Eq. (34). When the photons arrive at different times, as represented by terms of the form \(a_{i}^{\dagger }b_{j}^{\dagger }\) for \(i\ne j\), they transform as,

$$\begin{aligned} a^{\dagger } \rightarrow \frac{1}{\sqrt{2}}(c^{\dagger } + d^{\dagger })\, ; \quad b^{\dagger } \rightarrow \frac{1}{\sqrt{2}}(c^{\dagger } -d^{\dagger }) . \end{aligned}$$

We may thus write down the final state after the action of the beamsplitter and post-selection as,

$$\begin{aligned} \vert \varPhi _{j_{1}j_{2}\tilde{j}_{1}\tilde{j}_{2}}\big \rangle _{cd}= & {} \frac{1}{2}\Big [ (-1)^{\tilde{j}_{1}}(c_{1}^{\dagger }+ d_{1}^{\dagger })(c_{2}^{\dagger } - d_{2}^{\dagger }) + (-1)^{ \tilde{j}_{2}}(c_{1}^{\dagger }+ d_{1}^{\dagger })(c_{3}^{\dagger } - d_{3}^{\dagger }) \nonumber \\&+ (-1)^{j_{1}}(c_{2}^{\dagger }+ d_{2}^{\dagger })\nonumber \\&\times (c_{1}^{\dagger } - d_{1}^{\dagger }) + (-1)^{(j_{1} + \tilde{j}_{2})}(c_{2}^{\dagger }+ d_{2}^{\dagger })(c_{3}^{\dagger } - d_{3}^{\dagger }) \nonumber \\&+ (-1)^{j_{2}} (c_{3}^{\dagger } + d_{3}^{\dagger })(c_{1}^{\dagger } - d_{1}^{\dagger }) \nonumber \\&+ (-1)^{(j_{2} + \tilde{j}_{1})}(c_{3}^{\dagger } + d_{3}^{\dagger })(c_{2}^{\dagger } - d_{2}^{\dagger }) \Big ]\vert 0,0\rangle _{cd} . \end{aligned}$$

(35)

The complete state, including the registers \(A_{1}, A_{2}\) and \(B_{1}, B_{2}\), is of the form,

$$\begin{aligned} |\chi \rangle _{A_{1}B_{1}A_{2}B_{2}cd} = \frac{1}{4}\sum _{j_{1},j_{2},\tilde{j}_{1},\tilde{j}_{2} \in \{ 0,1 \}} |j_{1}\rangle _{A_{1}}|\tilde{j}_{1}\rangle _{B_{1}}|j_{2}\rangle _{A_{2}}|\tilde{j}_{2}\rangle _{B_{2}} \otimes |\varPhi _{(j_{1}j_{2}\tilde{j}_{1}\tilde{j}_{2})}\rangle _{cd}. \end{aligned}$$

(36)

As discussed in Sect. 3.2 , Alice and Bob extract information about their relative phases \(\varDelta \phi _{1} = \phi _{a_{1}}-\phi _{b_{1}}\) and \(\varDelta \phi _{2} = \phi _{a_{2}}-\phi _{b_{2}}\) based on Charles’ measurement outcomes, and hence obtain the shared key. Expressing all the phases in terms of the binary variables \((j_{1}, j_{2})\) and \((\tilde{j}_{1}, \tilde{j}_{2})\), which characterize Alice and Bob’s qubit registers respectively, we have,

$$\begin{aligned} \phi _{a_{1}} = j_{1}\pi , \; \phi _{a_{2}} = j_{2} \pi , \; \phi _{b_{1}} = \tilde{j}_{1}\pi , \; \phi _{b_{2}} = \tilde{j}_{2} \pi . \end{aligned}$$

Thus the relative phases are given by,

$$\begin{aligned} \varDelta \phi _{1} = (j_{1} - \tilde{j}_{1})\pi , \; \; \varDelta \phi _{2} = ( j_{2} - \tilde{j}_{2} )\pi . \end{aligned}$$

It is now easy to show that the joint state of Alice and Bob’s registers collapses to an entangled state after Charles’ measurement and the reconciliation process described in Table 1. In particular, when Alice and Bob use the phases \(\phi _{a_{i}}, \phi _{b_{i}}\) to generate their secret key bits without a bit flip operation, they end up with the perfectly correlated Bell state \(\frac{1}{\sqrt{2}}[|00\rangle _{A_{i}B_{i}} -|11\rangle _{A_{i}B_{i}}]\). In those cases where they need to perform a bit flip operation, they end up sharing the anti-correlated entangled state \(\frac{1}{\sqrt{2}}[|10\rangle _{A_{i}B_{i}} -|01\rangle _{A_{i}B_{i}}]\).

For example, when Charles announces that the detector c has clicked in both \(t_{1}\) and \(t_{2}\) bins, Eq. (36) collapses to the post-measurement state,

$$\begin{aligned} |\chi ^{(1)}\rangle _{\mathrm{out}}= & {} \frac{1}{2\sqrt{2}} \Big [ |0000\rangle _{A_{1}B_{1}A_{2}B_{2}} - |0001\rangle _{A_{1}B_{1}A_{2}B_{2}} \nonumber \\&+|0010\rangle _{A_{1}B_{1}A_{2}B_{2}} - |0011\rangle _{A_{1}B_{1}A_{2}B_{2}} \nonumber \\&- |1100\rangle _{A_{1}B_{1}A_{2}B_{2}} + |1101\rangle _{A_{1}B_{1}A_{2}B_{2}} \nonumber \\&-|1110\rangle _{A_{1}B_{1}A_{2}B_{2}} +|1111\rangle _{A_{1}B_{1}A_{2}B_{2}} \Big ]\nonumber \\&\otimes |110,000\rangle _{cd}, \end{aligned}$$

(37)

where we have represented \(|j_1\rangle _{A_1}|\tilde{j_1}\rangle _{B_1}|j_2\rangle _{A_2}|\tilde{j_2}\rangle _{B_2}\) as \(|j_1\tilde{j}_1j_2\tilde{j}_2\rangle _{A_{1}B_{1}A_{2}B_{2}}\). We see that in Eq. (37), the first ancilla registers (\(A_{1}\) and \(B_{1}\)) of both Alice and Bob always have same bit value. Hence, Alice and Bob share the perfectly correlated Bell state, as shown explicitly below,

$$\begin{aligned} |\chi ^{(1)}\rangle _{\mathrm{out}}= & {} \frac{1}{2\sqrt{2}} \Big [|00\rangle _{A_{1}B_{1}} - |11\rangle _{A_{1}B_{1}} \Big ] \nonumber \\&\otimes \Big [ |00\rangle _{A_{2}B_{2}} - |01\rangle _{A_{2}B_{2}} + |10\rangle _{A_{2}B_{2}} - |11\rangle _{A_{2}B_{2}} \Big ]\nonumber \\&\otimes |110,000\rangle _{cd}. \end{aligned}$$

(38)

When Charles announces that the detector c clicked at \(t_{1}\) and d at \(t_{2}\), the state presented in Eq. (36) collapses to,

$$\begin{aligned} |\chi ^{(2)}\rangle _{\mathrm{out}}= & {} \frac{1}{2\sqrt{2}}\Big [-|0100\rangle _{A_{1}B_{1}A_{2}B_{2}}\nonumber \\&+|0101\rangle _{A_{1}B_{1}A_{2}B_{2}} - |0110\rangle _{A_{1}B_{1}A_{2}B_{2}} + |0111\rangle _{A_{1}B_{1}A_{2}B_{2}} \nonumber \\&-|1000\rangle _{A_{1}B_{1}A_{2}B_{2}} -|1001\rangle _{A_{1}B_{1}A_{2}B_{2}} \nonumber \\&+|1010\rangle _{A_{1}B_{1}A_{2}B_{2}} - |1011\rangle _{A_{1}B_{1}A_{2}B_{2}} \Big ]\nonumber \\&\otimes |100,010\rangle _{cd} . \end{aligned}$$

(39)

As seen from Eq. (39), the first ancilla registers (\(A_{1}\) and \(B_{1}\)) of Alice and Bob are now always opposite in the bit value. This implies they share an anti-correlated entangled state. Hence, they require a bit flip operation after Charles announcement so as to ensure that both of them end up with similar key bits. We can extend similar lines of reasoning to the other entries of Table 1 to show that Alice and Bob indeed share maximally entangled states.

Bounding of phase error rate in terms of bit error rate

In “Appendix B”, we show that Charles measurement entangles Alice’s and Bob’s ancilla qubits. However, the EPR pairs shared by Alice and Bob become corrupt due to channel noise and eavesdropping. Alice and Bob extract a small number of perfect EPR pairs from the corrupted EPR pairs using a suitable entanglement distillation protocol based on Calderbank–Shor–Steane (CSS) codes, provided the channel is not too noisy [3]. Alice and Bob determine the bit and the phase error rates. They continue with the entanglement distillation protocol if the error rates are nominal, else they abort the protocol. The bit error rates can be easily estimated by sharing a certain fraction of the raw key generated during the experiment. However, phase errors cannot be determined experimentally, and hence, need to be estimated indirectly using experimentally observed quantities. We upper bound the phase error rate for our scheme in terms of the bit error rate in this section.

We begin with \(|\psi \rangle ^{(l)}_{\text {out}}\), which is the state after Charles announces his measurement result for the lth time slot, and is related to the joint input state of Alice and Bob \(|\psi \rangle ^{(l)}_{\text {in}}\) as,

$$\begin{aligned} |\psi \rangle _{\text {out}}^{(l)}=F^{(l)}M^{(l)}E^{(l)}|\psi \rangle ^{(l)}_{\text {in}}. \end{aligned}$$

(40)

Here, \(M^{(l)}\) is the beamsplitter operator acting on the lth time slot, \(F^{(l)}\) is the filtering operator and \(E^{(l)}\) is a \(3 \times 3\)“noise” matrix representing the effects of noise and Eve’s most general attack in lth time slot. We assume that the noise and Eve affect the link connecting Alice to Charles and Bob to Charles independently. Hence, we decompose the overall noise matrix \(E^{(l)}\) as \(E_{a}^{(l)}\otimes E_b^{(l)}\). Both \(E_a^{(l)}\) and \(E_b^{(l)}\) are \(3\times 3\) matrices with matrix elements \((a)_{ij}\) and \((b)_{ij}\), respectively. \(\vert a_{ij}\vert ^2\) gives the probability of time-bin i getting affected given that the noise/Eve acts on time-bin j. We would like to clarify the terms “time-bin” and “time-slot” used here. We use the time-slot label to mark every single-photon state (in the ideal scenario) or weak coherent pulse (in a typical experiment) generated by the source, whether Alice or Bob. Each pulse labeled by a time-slot is eventually measured at one of three time-bins (\(i/j =1, 2, 3\)) by Charlie, depending on which path the photon traversed in the DLI at the source. The form of these matrices depends upon the type of noise in the channel. The matrix structure is dependent upon the eavesdropper’s attack too. Hereafter, in the interest of brevity, we drop the superscript (l).

For example, we can study a channel noise (or an attack) which flips the key bits. The key is encoded in the phase difference of the corresponding time-bins of Alice and Bob in our protocol. Hence, Eve would need to flip the phase of Alice’s time-bins or Bob’s time-bins. So different noise matrices that can lead to such an attack are

$$\begin{aligned} \begin{pmatrix} 1 &{}\quad 0 &{}\quad 0\\ 0 &{}\quad -1 &{}\quad 0\\ 0 &{}\quad 0 &{}\quad -1 \end{pmatrix}_{a}\otimes \begin{pmatrix} 1 &{}\quad 0 &{}\quad 0\\ 0 &{}\quad 1 &{}\quad 0\\ 0 &{}\quad 0 &{}\quad 1 \end{pmatrix}_{b}\quad \text {or} \quad \begin{pmatrix} 1 &{}\quad 0 &{}\quad 0\\ 0 &{}\quad 1 &{}\quad 0\\ 0 &{}\quad 0 &{}\quad 1 \end{pmatrix}_{a}\otimes \begin{pmatrix} 1 &{}\quad 0 &{}\quad 0\\ 0 &{}\quad -1 &{}\quad 0\\ 0 &{}\quad 0 &{}\quad -1 \end{pmatrix}_{b} \end{aligned}$$

(41)

Another example is of an attack where Eve just monitors the presence of a photon in the second time-bin of Alice’s signal. We can write Alice’s state as

$$\begin{aligned} |\psi \rangle _{\text {in}}=\frac{1}{\sqrt{3}} \left( \, |100\rangle _{a} + e^{i\phi _{{a}_{1}}} |011\rangle _{a} + e^{i\phi _{{a}_{2}}} |001\rangle _{a} \, \right) \end{aligned}$$

(42)

When Eve discovers no photon in the second time-bin, the state shown in Eq. (42) collapses to

$$\begin{aligned} |\psi \rangle _{\text {final}}=\frac{1}{\sqrt{2}} \left( \, |100\rangle _{a}+ e^{i\phi _{{a}_{2}}} |001\rangle _{a} \, \right) \end{aligned}$$

(43)

One such noise matrix that achieves this attack is

$$\begin{aligned} E_a=\begin{pmatrix} \frac{1}{\sqrt{6}} &{}\quad \frac{1}{\sqrt{6}} &{}\quad \frac{1}{\sqrt{6}}\\ 0 &{}\quad 0 &{}\quad 0\\ \frac{1}{\sqrt{6}} &{}\quad \frac{1}{\sqrt{6}} &{}\quad \frac{1}{\sqrt{6}} \end{pmatrix} \end{aligned}$$

(44)

From the above examples, we conclude that the elements of these noise matrices can be predicted only when we know the nature of Eve’s attack and the noise in the channel. Hence, by assuming a general form for these matrices, we can find the bit and phase error rates in our protocol for any general eavesdropping strategy.

Alice and Bob measure their EPR pairs in the Z (X) basis, which acts as a stabilizer for the bit (phase) error. Thus, the probability of obtaining a bit error in the lth time-slot is,

$$\begin{aligned} e{_{\text {b}}}=1-\frac{1}{2}\big (\langle \psi \vert I_{cd}\otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {out}}\rangle + \langle \psi _{\text {out}}\vert I_{cd}\otimes I_{A_{1}B_{1}}\otimes Z_{A_{2}B_{2}}\vert \psi _{\text {out}}\rangle \big ). \end{aligned}$$

(45)

Similarly, the probability of obtaining a phase error in the lth time-slot can be expressed as,

$$\begin{aligned} e_{\text {p}}=1-\frac{1}{2}\big (\langle \psi _{\text {out}}\vert I_{cd}\otimes X_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {out}}\rangle + \langle \psi _{\text {out}}\vert I_{cd}\otimes I_{A_{1}B_{1}}\otimes X_{A_{2}B_{2}}\vert \psi _{\text {out}}\rangle \big ). \end{aligned}$$

(46)

Using Eq. (40), we rewrite the bit error rate as,

$$\begin{aligned} e{_{\text {b}}}= & {} 1-\frac{1}{2}\big (\langle \psi _{\text {in}}\vert E^{\dagger }M^{\dagger }F^{\dagger }_1 F_1M E\otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle \nonumber \\&+ \langle \psi _{\text {in}}\vert E^{\dagger }M^{\dagger }F^{\dagger }_2 F_2ME\otimes I_{A_{1}B_{1}}\otimes Z_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle \big ). \end{aligned}$$

(47)

Here, \(F_{1}\) and \(F_{2}\) are the filtering operators corresponding to the instances where Charles measurement and its public announcement effectively results in entangling the first and second ancilla qubits of Alice and Bob, respectively.

1.1 Decomposing \(M^{(l)\dagger }F^{(l)\dagger }_1 F^{(l)}_1M^{(l)}\)

\(|100\rangle \), \(|010\rangle \) and \(|001\rangle \) form an orthonormal basis for Alice’s and Bob’s system, where e.g. \(|100\rangle \) represents a photon in the first time-bin. Using Eq. (27), for each time slot (l), we write,

$$\begin{aligned} M= & {} \frac{1}{2}\Big [\big (|100\rangle _c\langle 100|_a+|100\rangle _d\langle 100|_a\big )\otimes \big (|100\rangle _c\langle 100|_b-|100\rangle _d\langle 100|_b\big )\nonumber \\&+\big (|100\rangle _c\langle 100|_a+|100\rangle _d\langle 100|_a\big )\otimes \big (|010\rangle _c\langle 010|_b-|010\rangle _d\langle 010|_b\big )\nonumber \\&+\big (|100\rangle _c\langle 100|_a+|100\rangle _d\langle 100|_a\big )\otimes \big (|001\rangle _c\langle 001|_b-|001\rangle _d\langle 001|_b\big )\nonumber \\&+\big (|010\rangle _c\langle 010|_a+|010\rangle _d\langle 010|_a\big )\otimes \big (|100\rangle _c\langle 100|_b-|100\rangle _d\langle 100|_b\big )\nonumber \\&+\big (|010\rangle _c\langle 010|_a+|010\rangle _d\langle 010|_a\big )\otimes \big (|010\rangle _c\langle 010|_b-|010\rangle _d\langle 010|_b\big )\nonumber \\&+\big (|010\rangle _c\langle 010|_a+|010\rangle _d\langle 010|_a\big )\otimes \big (|001\rangle _c\langle 001|_b-|001\rangle _d\langle 001|_b\big )\nonumber \\&+\big (|001\rangle _c\langle 001|_a+|001\rangle _d\langle 001|_a\big )\otimes \big (|100\rangle _c\langle 100|_b-|100\rangle _d\langle 100|_b\big )\nonumber \\&+\big (|001\rangle _c\langle 001|_a+|001\rangle _d\langle 001|_a\big )\otimes \big (|010\rangle _c\langle 010|_b-|010\rangle _d\langle 010|_b\big )\nonumber \\&+\big (|001\rangle _c\langle 001|_a+|001\rangle _d\langle 001|_a\big )\otimes \big (|001\rangle _c\langle 001|_b-|001\rangle _d\langle 001|_b\big )\Big ].\nonumber \\ \end{aligned}$$

(48)

\(F_1\) acts as identity for the measurement results which contribute towards the key. Hence, it can be expressed as,

$$\begin{aligned} F_1= & {} |110\rangle _c\langle 110|_c\otimes |000\rangle _d\langle 000|_d+ |000\rangle _c\langle 000|_c\otimes |110\rangle _d\langle 110|_d\nonumber \\&|100\rangle _c\langle 100|_c\otimes |010\rangle _d\langle 010|_d+|010\rangle _c\langle 010|_c \otimes |100\rangle _d\langle 100|_d. \end{aligned}$$

(49)

Using Eq. (48) and Eq. (49), we get

$$\begin{aligned} M^{\dagger }F^{\dagger }_1F_1M=|100\rangle _a\langle 100|_a\otimes |010\rangle _b\langle 010|_b +|010\rangle _a\langle 010|_a\otimes |100\rangle _b\langle 100|_b . \end{aligned}$$

(50)

We express Eq. (50) in the basis of \(A\otimes B\). In a concise notation, we use \(|a_{i}b_{i}\rangle \) to denote the basis of the system \(A\otimes B\), where e.g. \(|a_{1}b_{1}\rangle \) equals \(|100\rangle _a\otimes |100\rangle _b\). Using a completeness relation, we can write Eq. (50) as,

$$\begin{aligned} M^{\dagger }F^{\dagger }_1 F_1M=|a_1b_2\rangle \langle a_1b_2|+|a_2b_1\rangle \langle a_2b_1|. \end{aligned}$$

(51)

By defining a suitable \(F_{2}\), we can write

$$\begin{aligned} M^{\dagger }F^{\dagger }_2 F_2M=|a_1b_3\rangle \langle a_1b_3|+|a_3b_1\rangle \langle a_3b_1|. \end{aligned}$$

(52)

1.2 Bit error rate (BER)

First, we evaluate one component of the bit error rate - \(\langle \psi _{\text {in}}\vert E^{\dagger }|a_1b_2\rangle \langle a_1b_2|E\otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle \). We assume that Eve acts independently on the channels connecting Alice to Charles and Bob to Charles. Hence, we can write \(E=E_a\otimes E_b\). Using Eq. (33) and Eq. (34), we express \(\langle \psi _{\text {in}}\vert E^{\dagger }|a_1b_2\rangle \langle a_1b_2|E\otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle \) as,

$$\begin{aligned}&\sum \limits _{|j\rangle =|0000\rangle }^{|1111\rangle }\Big (\langle a_1b_1| +(-1)^{j_1+\tilde{j_1}}\langle a_2b_2|+(-1)^{j_2+\tilde{j_2}}\langle a_3b_3|\nonumber \\&\quad +(-1)^{\tilde{j_1}}\langle a_1b_2|+(-1)^{\tilde{j_2}}\langle a_1b_3|\nonumber \\&\quad +(-1)^{j_1}\langle a_2b_1|+(-1)^{j_1+\tilde{j_2}}\langle a_2b_3|+(-1)^{j_2}\langle a_3b_1| +(-1)^{j_2+\tilde{j_1}}\langle a_3b_2|\Big )\nonumber \\&\quad \otimes \langle j_1\tilde{j_1}j_2\tilde{j_2}| E^{\dagger }_a\otimes E^{\dagger }_b |a_1b_2\rangle \langle a_1b_2|E_a\otimes E_b \otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\Big (|a_1b_1\rangle \nonumber \\&\quad +(-1)^{j_1+\tilde{j_1}}|a_2b_2\rangle +(-1)^{j_2+\tilde{j_2}}|a_3b_3\rangle +(-1)^{\tilde{j_1}} |a_1b_2\rangle +(-1)^{\tilde{j_2}}|a_1b_3\rangle \nonumber \\&\quad +(-1)^{j_1}|a_2b_1\rangle +(-1)^{j_1+\tilde{j_2}}|a_2b_3\rangle +(-1)^{j_2}|a_3b_1\rangle +(-1)^{j_2+\tilde{j_1}}|a_3b_2\rangle \Big )\nonumber \\&\quad \otimes |j_1\tilde{j_1}j_2\tilde{j_2}\rangle , \end{aligned}$$

(53)

where, \(|j\rangle =|j_{1}\tilde{j_1}j_2\tilde{j_2}\rangle \) is the state of the joint quantum memory of Alice and Bob. We define the \((a_{ij})^\text {th}\) matrix elements of \(E_a\) as \(\langle a_i|E_a|a_j\rangle \) and the \((b_{ij})^\text {th}\) element of \(E_b\) as \(\langle b_i|E_a|b_j\rangle \). Hence, we write Eq. (53) as,

$$\begin{aligned}&\sum \limits _{|j\rangle =|0000\rangle }^{|1111\rangle }(-1)^{(j_1+\tilde{j_1})} \Big [\Big (a_{11}^*b_{21}^*+(-1)^{j_1+\tilde{j_1}}a_{12}^*b_{22}^*+(-1)^{j_2 +\tilde{j_2}}a_{13}^*b_{23}^*\nonumber \\&\quad +(-1)^{\tilde{j_1}}a_{11}^*b_{22}^*\nonumber \\&\quad +(-1)^{\tilde{j_2}}a_{11}^*b_{23}^*+(-1)^{j_1}a_{12}^*b_{21}^*+(-1)^{j_1 +\tilde{j_2}}a_{12}^*b_{23}^*+(-1)^{j_2}a_{13}^*b_{21}^*\nonumber \\&\quad +(-1)^{j_2+\tilde{j_1}}a_{13}^*b_{22}^*\Big )\times \Big (a_{11}b_{21}+(-1)^{j_1 +\tilde{j_1}}a_{12}b_{22}+(-1)^{j_2+\tilde{j_2}}a_{13}b_{23}\nonumber \\&\quad +(-1)^{\tilde{j_1}}a_{11}b_{22}+(-1)^{\tilde{j_2}}a_{11}b_{23} +(-1)^{j_1}a_{12}b_{21} +(-1)^{j_1+\tilde{j_2}}a_{12}b_{23}\nonumber \\&\quad +(-1)^{j_2}a_{13}b_{21}+(-1)^{j_2+\tilde{j_1}}a_{13}b_{22}\Big )\Big ] . \end{aligned}$$

(54)

Eq. (54) can be factorised as,

$$\begin{aligned}&\sum \limits _{|j\rangle =|0000\rangle }^{|1111\rangle }(-1)^{j_1+\tilde{j_1}}\Big (a_{11}^*+(-1)^{j_1} a_{12}^*+(-1)^{j_2}a_{13}^*\Big )\Big (b_{21}^*+(-1)^{\tilde{j_1}}b_{22}^* +(-1)^{\tilde{j_2}}b_{23}^*\Big )\nonumber \\&\quad \times \Big (a_{11}+(-1)^{j_1}a_{12}+(-1)^{j_2}a_{13}\Big ) \Big (b_{21}+(-1)^{\tilde{j_1}}b_{22}+(-1)^{\tilde{j_2}}b_{23}\Big ), \end{aligned}$$

(55)

which further simplifies to,

$$\begin{aligned} 16\Big (\vert a_{12}\vert ^2+\vert a_{11}\vert ^2-\vert a_{12}-a_{11}\vert ^2\Big )\Big (\vert b_{22}\vert ^2+\vert b_{21}\vert ^2-\vert b_{22}-b_{21}\vert ^2\Big ). \end{aligned}$$

(56)

Now, we evaluate the remaining terms of Eq. (47) and obtain the total BER in each time slot as,

$$\begin{aligned} e_{\text {b}}= & {} 1-\frac{16}{2\times 144}\Bigg [\Big (\vert a_{12}\vert ^2+\vert a_{11}\vert ^2-\vert a_{12}-a_{11}\vert ^2\Big )\Big (\vert b_{22}\vert ^2+\vert b_{21}\vert ^2-\vert b_{22}-b_{21}\vert ^2\Big )\nonumber \\&+\Big (\vert a_{21}\vert ^2+\vert a_{22}\vert ^2-\vert a_{21}-a_{22}\vert ^2\Big )\Big (\vert b_{12}\vert ^2+\vert b_{11}\vert ^2-\vert b_{12}-b_{11}\vert ^2\Big )\nonumber \\&+\Big (\vert a_{13}\vert ^2+\vert a_{11}\vert ^2-\vert a_{13}-a_{11}\vert ^2\Big )\Big (\vert b_{33}\vert ^2+\vert b_{31}\vert ^2-\vert b_{33}-b_{31}\vert ^2\Big )\nonumber \\&+\Big (\vert a_{33}\vert ^2+\vert a_{31}\vert ^2-\vert a_{33}-a_{31}\vert ^2\Big )\Big (\vert b_{13}\vert ^2+\vert b_{11}\vert ^2-\vert b_{13}-b_{11}\vert ^2\Big )\Bigg ]. \end{aligned}$$

(57)

1.3 Phase error rate

We begin by calculating one component of the phase error rate in the lth time slot, \(\langle \psi _{\text {in}}\vert E^{\dagger }|a_1b_2\rangle \langle a_1b_2|E\otimes X_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle \) in this section. Similar to Eq.(55), we can factorize the phase error rate as,

$$\begin{aligned}&(a_{11}^*-(-1)^{j_1}a_{12}^*+(-1)^{j_2}a_{13}^*)(b_{21}^* -(-1)^{\tilde{j_1}}b_{22}^*+(-1)^{\tilde{j_2}}b_{23}^*)\nonumber \\&\quad \times \big (a_{11}+(-1)^{j_1}a_{12}+(-1)^{j_2}a_{13}\big )\big (b_{21}+ (-1)^{\tilde{j_1}}b_{22}+(-1)^{\tilde{j_2}}b_{23}\big ). \end{aligned}$$

(58)

We use the fact that X flips the qubit \(|j\rangle \), write \((-1)^{j+1}\) as \(-(-1)^j\), and get the expanded value of Eq. (58) as,

$$\begin{aligned} 16\Big (\vert a_{11}\vert ^2-\vert a_{12}\vert ^2+\vert a_{13}\vert ^2\Big )\Big (\vert b_{21}\vert ^2-\vert b_{22}\vert ^2+\vert b_{23}\vert ^2\Big ). \end{aligned}$$

(59)

We can also write Eq. (58) as,

$$\begin{aligned}&\big [(a_{11}^*+(-1)^{j_1}a_{12}^*+(-1)^{j_2}a_{13}^*)(b_{21}^*+(-1)^{\tilde{j_1}}b_{22}^* +(-1)^{\tilde{j_2}}b_{23}^*)-2((-1)^{j_1}a_{12}^*b_{21}^*\nonumber \\&\quad +(-1)^{j_1+\tilde{j_2}}a_{12}^*b_{23}^*+(-1)^{\tilde{j_1}}a_{11}^*b_{22}^* +(-1)^{\tilde{j_1}+j_2}a_{13}^*b_{22}^*)\big ]\big (a_{11}+(-1)^{j_1}a_{12}\nonumber \\&\quad +(-1)^{j_2}a_{13}\big )\big (b_{21}+(-1)^{\tilde{j_1}}b_{22}+(-1)^{\tilde{j_2}}b_{23}\big ). \end{aligned}$$

(60)

The above equation, when summed over all the possible values of \(|j\rangle =|j_1\tilde{j}_1j_2\tilde{j}_2\rangle \) gives

$$\begin{aligned}&\langle \psi _{\text {in}}\vert E^{\dagger }|a_1b_2\rangle \langle a_1b_2|E\otimes Z_{A_{1}B_{1}}\otimes I_{A_{2}B_{2}}\vert \psi _{\text {in}}\rangle -\frac{2\times 16}{2\times 144}\big [\vert a_{12}\vert ^2\big (\vert b_{21}\vert ^2+\vert b_{23}\vert ^2\big )\nonumber \\&\quad +\vert b_{22}\vert ^2\big (\vert a_{11}\vert ^2+\vert a_{13}\vert ^2\big )\big ]. \end{aligned}$$

(61)

Calculating the remaining three terms (cf. Eqs. (46), (51) and (52)) along the lines of Eq. (58) and Eq. (59), we get the total phase error rate as,

$$\begin{aligned}&1-\frac{16}{2\times 144}\Bigg [\Big (\vert a_{11}\vert ^2-\vert a_{12}\vert ^2+\vert a_{13}\vert ^2\Big )\Big (\vert b_{21}\vert ^2-\vert b_{22}\vert ^2+\vert b_{23}\vert ^2\Big )\nonumber \\&\quad +\Big (\vert a_{21}\vert ^2-\vert a_{22}\vert ^2+\vert a_{23}\vert ^2\Big ) \nonumber \\&\quad \times \Big (\vert b_{11}\vert ^2-\vert b_{12}\vert ^2+\vert b_{13}\vert ^2\Big )\Big (\vert a_{11}\vert ^2+\vert a_{12}\vert ^2-\vert a_{13}\vert ^2\Big )\Big (\vert b_{31}\vert ^2+\vert b_{32}\vert ^2-\vert b_{33}\vert ^2\Big )\nonumber \\&\quad +\Big (\vert a_{31}\vert ^2+\vert a_{32}\vert ^2-\vert a_{33}\vert ^2\Big )\Big (\vert b_{11}\vert ^2+\vert b_{12}\vert ^2-\vert b_{13}\vert ^2\Big )\Bigg ]. \end{aligned}$$

(62)

Along the lines of Eq. (61), we can express the phase error rate in terms of bit error rate as,

$$\begin{aligned} e_{\text {p}}= & {} e_{\text {b}}-\frac{2\times 16}{2\times 144}\Big [\big \{\vert a_{12}\vert ^2\big (\vert b_{21}\vert ^2+\vert b_{23}\vert ^2\big )+\vert b_{22}\vert ^2\big (\vert a_{11}\vert ^2+\vert a_{13}\vert ^2\big )\big \}\nonumber \\&+\big \{\vert a_{22}\vert ^2\Big (\vert b_{11}\vert ^2\nonumber \\&+\vert b_{13}\vert ^2\big )+\vert b_{12}\vert ^2\big (\vert a_{21}\vert ^2+\vert a_{23}\vert ^2\big )\big \}+\big \{\vert a_{13}\vert ^2\big (\vert b_{31}\vert ^2+\vert b_{32}\vert ^2\big )\nonumber \\&+\vert b_{33}\vert ^2\big (\vert a_{11}\vert ^2+\vert a_{12}\vert ^2\big )\big \}+\big \{\vert a_{33}\vert ^2\big (\vert b_{11}\vert ^2+\vert b_{12}\vert ^2\big )\nonumber \\&+\vert b_{13}\vert ^2\big (\vert a_{31}\vert ^2+\vert a_{32}\vert ^2\big )\big \}\Big ]. \end{aligned}$$

(63)

From Eq. (63) , we can bound the phase error in each time slot as,

$$\begin{aligned} e_{\text {p}}^{(l)}\le e_{\text {b}}^{(l)}, \forall \; l. \end{aligned}$$

(64)

Asymptotic key analysis of DPS-MDI

1.1 DPS-MDI key rate with single-photon states

We calculate the asymptotic key rate of the single-photon source based DPS-MDI, while taking into account the effects of channel loss, background counts, and misalignment errors. We model Alice’s and Bob’s lossy channels as beamsplitters with transmissivity \(\eta _{a}\) and \(\eta _{b}\), respectively. After passing through the lossy channels, the joint input state of Alice and Bob (Eq. (2)) appears as a mixed state to Charles, before he carries out the beamsplitter measurement :

$$\begin{aligned} \rho _{\text {in}}= & {} \frac{\eta _{a}\eta _{b}}{9}|\psi _{11}\rangle \langle \psi _{11}| +\frac{\eta _{a}(1-\eta _{b})}{3}|\psi _{10}\rangle \langle \psi _{10}|+\frac{(1-\eta _{a}) \eta _{b}}{3}|\psi _{01}\rangle \langle \psi _{01}|\nonumber \\&+(1-\eta _{a})(1-\eta _{b})|\psi _{00}\rangle \langle \psi _{00}|, \end{aligned}$$

(65)

where,

$$\begin{aligned} |\psi _{11}\rangle&= \left( \, |100\rangle _{a} + e^{i\phi _{{a}_{1}}} |010\rangle _{a} + e^{i\phi _{{a}_{2}}} |001\rangle _{a} \, \right) \nonumber \\&\quad \otimes \left( \, |100\rangle _{b} + e^{i\phi _{{b}_{1}}} |010\rangle _{b} + e^{i\phi _{{b}_{2}}} |001\rangle _{b} \, \right) , \nonumber \\ |\psi _{10}\rangle&= \left( \, |100\rangle _{a} + e^{i\phi _{{a}_{1}}} |010\rangle _{a} + e^{i\phi _{{a}_{2}}} |001\rangle _{a} \, \right) \otimes |000\rangle _{b},\nonumber \\ |\psi _{01}\rangle&= \, |000\rangle _{a} \otimes \left( \, |100\rangle _{b} + e^{i\phi _{{b}_{1}}} |010\rangle _{b} + e^{i\phi _{{b}_{2}}} |001\rangle _{b} \, \right) ,\nonumber \\ \text {and}\qquad |\psi _{00}\rangle&= \, |000\rangle _{a} \otimes |000\rangle _{b}. \end{aligned}$$

(66)

Here, \(|\psi _{11}\rangle \) corresponds to the scenario when photons from both Alice and Bob reach the measurement unit. \(|\psi _{10}\rangle \) (\(|\psi _{01}\rangle \)) is the joint input state of Alice and Bob when Bob’s (Alice’s) photon gets lost in the channel, and only Alice’s (Bob’s) photon reaches Charles. \(|\psi _{00}\rangle \) represents the case when both Alice as well as Bob’s photons get lost in the channel.

As per Eq. (27), the beamsplitter transforms \(|\psi _{11}\rangle \) into

$$\begin{aligned}&|\psi _{11}\rangle _{\text {out}}=\frac{1}{2}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [ \,e^{i\varDelta \phi _{1}}\Big (|011,000\rangle _{cd}-|010,001\rangle _{cd}\nonumber \\&\quad +|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big )\nonumber \\&\quad +e^{i\varDelta \phi _{2}}\Big (|011,000\rangle _{cd}+|010,001\rangle _{cd} -|001,010\rangle _{cd}-|000,011\rangle _{cd}\Big )\nonumber \\&\quad +e^{-i\phi _{{b}_{1}}}\Big \{\Big (|101,000\rangle _{cd}-|100,001\rangle _{cd}+ |001,100\rangle _{cd}-|000,101\rangle _{cd}\Big )\nonumber \\&\quad +e^{i\varDelta \phi _{2}}\Big (|101,000\rangle _{cd}+|100,001\rangle _{cd}- |001,100\rangle _{cd}-|000,101\rangle _{cd}\Big )\Big \}\nonumber \\&\quad +e^{-i\phi _{{b}_{2}}}\Big \{\Big (|110,000\rangle _{cd}-|100,010\rangle _{cd}+ |010,100\rangle _{cd}\,-|000,110\rangle _{cd}\Big )\nonumber \\&\quad +e^{i\varDelta \phi _{1}}\Big (|110,000\rangle _{cd}+|100,010\rangle _{cd} - |010,100\rangle _{cd}-|000,110\rangle _{cd}\Big )\Big \}\Big ]\nonumber \\&\quad +\frac{1}{\sqrt{2}}e^{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}\Big [\Big ( \, e^{-{i(\phi _{{b}_{1}}+\phi _{{b}_{2}})}}|200,000\rangle _{cd}-|000,200\rangle \Big ) +e^{i(\phi _{{a}_{1}}-\phi _{{b}_{2}})} \nonumber \\&\quad \times \Big (|020,000\rangle _{cd}-|000,020\rangle _{cd}\Big ) +e^{i(\phi _{{a}_{2}}-\phi _{{b}_{1}})}\Big (|002,000\rangle -|000,002\rangle \Big )\Big ]\nonumber \\ \end{aligned}$$

(67)

Similarly, the action of beamspitter on \(|\psi _{10}\rangle \), \(|\psi _{01}\rangle \) and \(|\psi _{00}\rangle \) are

$$\begin{aligned} |\psi _{10}\rangle _{\text {out}}= & {} \frac{1}{\sqrt{2}}\Big [ \, |100,000\rangle _{cd}+|000,100\rangle _{cd}\nonumber \\&+e^{\phi _{a_{1}}}\big (|010,000\rangle _{cd} +|000,010\rangle _{cd}\big )\nonumber \\&+e^{\phi _{a_{2}}}\big (|001,000\rangle _{cd} +|000,001\rangle _{cd}\big )\Big ], \end{aligned}$$

(68)

$$\begin{aligned} |\psi _{10}\rangle _{\text {out}}= & {} \frac{1}{\sqrt{2}}\Big [ |100,000\rangle _{cd}- |000,100\rangle _{cd}\nonumber \\&+e^{\phi _{a_{1}}}\big (|010,000\rangle _{cd}-|000,010\rangle _{cd}\big )\nonumber \\&+e^{\phi _{a_{2}}}\big (|001,000\rangle _{cd}-|000,001\rangle _{cd}\big )\Big ], \end{aligned}$$

(69)

$$\begin{aligned} \text {and} \quad |\psi _{00}\rangle _{\text {out}}= & {} |000,000\rangle _{cd}. \end{aligned}$$

(70)

Table 1 shows the instances corresponding to the successful measurement events. These outcomes correspond to successful BSMs as we have mapped the DPS-MDI to an equivalent entanglement-based protocol. The yield (\(Y_{11}\)) for our protocol is defined as the probability of a successful measurement provided both Alice and Bob send single-photon states. Using Eqs. (65)–(70), we determine the probability of a successful measurement for all the cases shown in Table 1 as,

$$\begin{aligned} {Y}_{11}^{c(t_1,t_2)}=(1-p_{\text {dark}})^4\Big [\frac{\eta _{a}\eta _{b}}{18}+ p_{\text {dark}}\Big (\frac{\eta _{a}+\eta _{b}}{3}-\frac{5\eta _{a}\eta _{b}}{9}\Big )+ p_{\text {dark}}^{2}(1-\eta _{a})(1-\eta _{b})\Big ], \end{aligned}$$

(71)

where, \(p_\text {dark}\) is the dark count probability, and \({Y}_{11}^{c(t_1,t_2)}\) represents the probability that detector c clicks in time-bins 1 and 2, given that both Alice and Bob send single-photon states. We use this notation to express the probability of a successful BSM for the other cases tabulated in Table 1.

$$\begin{aligned}&{Y}_{11}^{c(t_1,t_2)}={Y}_{11}^{c(t_1,t_3)}={Y}_{11}^{d(t_1,t_2)}={Y}_{11}^{d(t_1,t_3)} ={Y}_{11}^{c(t_1),d(t_2)}={Y}_{11}^{c(t_2),d(t_1)}={Y}_{11}^{c(t_1),d(t_3)}\nonumber \\&\quad ={Y}_{11}^{c(t_3),d(t_1)}. \end{aligned}$$

(72)

Hence, the yield (\(Y_{11}\)) is expressed as follows:

$$\begin{aligned} Y_{11}= & {} {Y}_{11}^{c(t_1,t_2)}+{Y}_{11}^{c(t_1,t_3)}+{Y}_{11}^{d(t_1,t_2)} +{Y}_{11}^{d(t_1,t_3)}+{Y}_{11}^{c(t_1),d(t_2)}+{Y}_{11}^{c(t_2),d(t_1)}\nonumber \\&+{Y}_{11}^{c(t_1),d(t_3)}+{Y}_{11}^{c(t_3),d(t_1)}\nonumber \\= & {} 8(1-p_{\text {dark}})^4\Big [\frac{\eta _{a}\eta _{b}}{18}+p_{\text {dark}} \Big (\frac{\eta _{a}+\eta _{b}}{3}-\frac{5\eta _{a}\eta _{b}}{9}\Big )+p_{\text {dark}}^{2} (1-\eta _{a})(1-\eta _{b})\Big ].\nonumber \\ \end{aligned}$$

(73)

There are different scenarios that lead to errors in the DPS-MDI protocol. For example, an error occurs when the detector c clicks in time-bins 1 and 2, but \(\varDelta \phi _{1}=\pi \). In general, an error arises when clicks corresponding to a successful partial BSM occur due to background noise, but \(\varDelta \phi _{i}\) (i=1, 2) is flipped (see Table 1). Dark counts of the single-photon detectors primarily contribute to this background noise. Thus, the error rate due to background noise is given by

$$\begin{aligned} e_{\text {b}}^{'}Y_{11}=8(1-p_{\text {dark}})^4\Big [p_{\text {dark}}\Big (\frac{\eta _{a} +\eta _{b}}{3}-\frac{5\eta _{a}\eta _{b}}{9}\Big )+p_{\text {dark}}^{2}(1-\eta _{a})(1- \eta _{b})\Big ]. \end{aligned}$$

(74)

We assume that the phase misalignment error is same for both \(\varDelta \phi _{1}\) and \(\varDelta \phi _{2}\), and denote this deviation of \(\varDelta \phi _{1}\) and \(\varDelta \phi _{2}\) by \(\varDelta _{\phi }\). Phase misalignment error arises due to the non-ideal nature of optical phase-locked loop and phase modulators used in the setup. Hence, considering phase misalignment errors, the total error rate is given by,

$$\begin{aligned} e_{\text {b}}Y_{11}=8(1-p_{\text {dark}})^4\Big [\frac{e_{d}\eta _{a}\eta _{b}}{18} +p_{\text {dark}}\Big (\frac{\eta _{a}+\eta _{b}}{3}-\frac{5\eta _{a}\eta _{b}}{9}\Big ) +p_{\text {dark}}^{2}(1-\eta _{a})(1-\eta _{b})\Big ], \end{aligned}$$

(75)

where \(e_{d}\) is the variance of \(\varDelta _{\phi }\).

1.2 DPS-MDI with decoy states

Here, we calculate the parameters defined in Eq. (11). We assume an infinite number of decoy states to get an accurate estimate of these parameters. Phase randomization is integral to decoy-state analysis. A coherent state is seen as a mixture of Fock states upon phase randomization. This prevents Eve from getting information from multi-photon pulses coming from WCS. Hence, Alice and Bob prepare phase randomized weak coherent states with intensities \(\mu _{a}\) and \(\mu _{b}\), respectively, of the form,

$$\begin{aligned} |e^{i\theta _{a}}\sqrt{\mu _{a}}\rangle ^{(a)}\otimes |e^{i\theta _{b}}\sqrt{\mu _{b}}\rangle ^{(b)}. \end{aligned}$$

(76)

Here, \(\theta _{a}\) and \(\theta _{b}\) (\(\in [0,2\pi ]\)) are the overall randomized phases. Alice and Bob pass their coherent states through their respective delay lines. The construction of the delay line is such that a photon has an equal probability of traversing through each path of the delay line. This implies that when a coherent state \(|\sqrt{\mu }\rangle \) with mean photon number \(\mu \) passes through a 3-path delay line, each path has a coherent state \(|\sqrt{\frac{\mu _{a}}{3}}\rangle \) with mean photon number \(\frac{\mu }{3}\) traversing through it. Hence, the joint state after the coherent state passing through the delay line and the phase modulator is given as,

$$\begin{aligned}&\left( \left| e^{i\theta _{a}}\sqrt{\frac{\mu _{a}}{3}}\right\rangle _{a_1}\left| e^{i(\phi _{a_{1}}+\theta _{a})}\sqrt{\frac{\mu _{a}}{3}}\right\rangle _{a_2}\left| e^{i(\phi _{a_{2}}+\theta _{a})}\sqrt{\frac{\mu _{a}}{3}}\right\rangle _{a_3}\right) \nonumber \\&\quad \otimes \left( \left| e^{i\theta _{b}}\sqrt{\frac{\mu _{b}}{3}}\right\rangle _{b_1}\left| e^{i(\phi _{b_{1}}+\theta _{b})}\sqrt{\frac{\mu _{b}}{3}}\right\rangle _{b_2}\left| e^{i(\phi _{b_{2}}+\theta _{b})}\sqrt{\frac{\mu _{b}}{3}}\right\rangle _{b_3}\right) . \end{aligned}$$

(77)

Here, \(|\mu \rangle _{a_1}\) represents a coherent state traversing through path 1 of Alice’s delay line (see Fig. 2). We model the lossy channels as beamsplitters and express the joint state arriving at Chales’s beamsplitter as,

$$\begin{aligned}&\left( \left| e^{i\theta _{a}}\sqrt{\frac{\eta _{a}\mu _{a}}{3}}\right\rangle _{a_{1}} \left| e^{i(\phi _{a_{1}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{3}}\right\rangle _{a_{2}} \left| e^{i(\phi _{a_{2}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{3}} \right\rangle _{a_{3}}\right) \nonumber \\&\quad \otimes \left( \left| e^{i\theta _{b}}\sqrt{\frac{\eta _{b}\mu _{b}}{3}}\right\rangle _{b_{1}}\left| e^{i(\phi _{b_{1}}+\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{3}}\right\rangle _{b_{2}}\left| e^{i(\phi _{b_{2}}+\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{3}}\right\rangle _{b_{3}}\right) . \end{aligned}$$

(78)

Coherent states can also be expressed as,

$$\begin{aligned} |\sqrt{\mu }\rangle = D(\sqrt{\mu })|0\rangle , \end{aligned}$$

(79)

where \(D(\sqrt{\mu })\) is the displacement operator, and is given as,

$$\begin{aligned} D(\sqrt{\mu })=e^{(\sqrt{\mu }{a^\dagger }-\sqrt{\mu }^{*}a)}. \end{aligned}$$

(80)

Here, a and \(a^\dagger \) are annihilation and creation operators, respectively. The beamsplitter transforms \(a^\dagger \) at the input mode as per Eq. (27). The output state of beamsplitter, when the input is Eq. (78) is,

$$\begin{aligned}&\left| e^{i\theta _{a}}\sqrt{\frac{\eta _{a}\mu _{a}}{6}}+e^{i\theta _{b}} \sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{c_{1}}\left| e^{i\theta _{a}}\sqrt{\frac{\eta _{a}\mu _{a}}{6}}-e^{i\theta _{b}} \sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{d_{1}}\nonumber \\&\quad \otimes \left| e^{i(\phi _{a_{1}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{6}} +e^{i(\phi _{b_{1}}+\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{c_{2}} \left| e^{i(\phi _{a_{1}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{6}}\right. \nonumber \\&\quad \left. -e^{i(\phi _{b_{1}} +\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{d_{2}}\nonumber \\&\quad \otimes \left| e^{i(\phi _{a_{2}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{6}} +e^{i(\phi _{b_{2}}+\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{c_{3}} \left| e^{i(\phi _{a_{2}}+\theta _{a})}\sqrt{\frac{\eta _{a}\mu _{a}}{6}}\right. \nonumber \\&\quad \left. -e^{i(\phi _{b_{2}} +\theta _{b})}\sqrt{\frac{\eta _{b}\mu _{b}}{6}}\right\rangle _{d_{3}}. \end{aligned}$$

(81)

Here, \(|\sqrt{\mu }\rangle _{c_{1}}\) denotes a coherent state of mean photon number \(\mu \) hitting the detector c in time-bin \(t_{1}\).

Hence, the probability of a detector clicking in a time-bin is given by,

$$\begin{aligned}&p_{c_1}=1-(1-p_{\text {dark}})\text {exp}\left( -\Big |e^{i\theta _{a}} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}+e^{i\theta _{b}}\sqrt{\frac{\eta _{b}\mu _{b}}{6}} \Big |^{2}\right) , \nonumber \\&p_{d_1}=1-(1-p_{\text {dark}}) \text {exp}\left( -\Big |e^{i\theta _{a}} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}-e^{i\theta _{b}}\sqrt{\frac{\eta _{b}\mu _{b}}{6}} \Big |^{2}\right) , \nonumber \\&p_{c_2}=1-(1-p_{\text {dark}})\text {exp}\left( -\Big |e^{i(\phi _{a_{1}}+\theta _{a})} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}+e^{i(\phi _{b_{1}}+\theta _{b})}\sqrt{\frac{\eta _{b} \mu _{b}}{6}}\Big |^{2}\right) , \nonumber \\&p_{d_2}=1-(1-p_{\text {dark}})\text {exp}\left( -\Big |e^{i(\phi _{a_{1}}+\theta _{a})} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}-e^{i(\phi _{b_{1}}+\theta _{b})}\sqrt{\frac{\eta _{b} \mu _{b}}{6}}\Big |^{2}\right) , \nonumber \\&p_{c_3}=1-(1-p_{\text {dark}})\text {exp}\left( -\Big |e^{i(\phi _{a_{2}}+\theta _{a})} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}+e^{i(\phi _{b_{2}}+\theta _{b})}\sqrt{\frac{\eta _{b} \mu _{b}}{6}}\Big |^{2}\right) , \nonumber \\&p_{d_3}=1-(1-p_{\text {dark}})\text {exp}\left( -\Big |e^{i(\phi _{a_{2}}+\theta _{a})} \sqrt{\frac{\eta _{a}\mu _{a}}{6}}-e^{i(\phi _{b_{2}}+\theta _{b})}\sqrt{\frac{\eta _{b} \mu _{b}}{6}}\Big |^{2}\right) . \end{aligned}$$

(82)

We simplify Eq. (82) by defining following relations:

$$\begin{aligned}&\mu '=\eta _{a}\mu _{a}+\eta _{b}\mu _{b},\nonumber \\&\varDelta _{\theta }=\theta _{a}-\theta _{b},\nonumber \\&x=\sqrt{\eta _{a}\mu _{a}\eta _{b}\mu _{b}}/3, \nonumber \\&y=(1-p_{\text {dark}})e^{-\mu ^{`}/6}. \end{aligned}$$

(83)

Here, \(\mu '\) is the average number of photons reaching the measurement unit. \(\varDelta _{\theta }\) denotes the phase difference between the overall random phase applied by Alice and Bob. Using Eq. (83), we simplify Eq. (82) as

$$\begin{aligned} \begin{aligned}&p_{c_1}=1-ye^{-x \; cos\varDelta _{\theta }},\\&p_{c_2}= 1-ye^{-x \; cos(\varDelta _{\theta }+\varDelta \phi _{1})},\\&p_{c_3}=1-ye^{-x \; cos(\varDelta _{\theta }+\varDelta \phi _{2})}, \end{aligned} \quad \begin{aligned}&p_{d_1}=1-ye^{x \; cos\varDelta _{\theta }},\\&p_{d_2}=1-ye^{x \; cos(\varDelta _{\theta }+\varDelta \phi _{1})},\\&p_{d_3}=1-ye^{x \; cos(\varDelta _{\theta }+\varDelta \phi _{2})}. \end{aligned} \end{aligned}$$

(84)

\(Q_{\mu _{a}\mu _{b}}\) is the overall gain when Alice and Bob, respectively, use an average photon number of \(\mu _{a}\) and \(\mu _{b}\), and a successful measurement occurs. We can express \(Q_{\mu _{a}\mu _{b}}\) for our protocol as,

$$\begin{aligned}&p_{c_1}p_{c_2}\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big )\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=0,\;\varDelta \phi _{2}=0\; \text {or}\;\pi }\nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )p_{c_3}\Big (1-p_{d_1}\Big )\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{2}=0,\;\varDelta \phi _{1}=0\; \text {or}\;\pi }\nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )p_{d_1}p_{d_2} \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=0,\;\varDelta \phi _{2}=0\; \text {or}\;\pi }\nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )p_{d_1} \Big (1-p_{d_2}\Big )p_{d_3}\Biggl \vert _{\varDelta \phi _{2}=0,\;\varDelta \phi _{1}=0\; \text {or}\;\pi } \nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big )p_{d_2} \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=\pi ,\;\varDelta \phi _{2}=0\; \text {or}\;\pi } \nonumber \\&\quad +\Big (1-p_{c_1}\Big )p_{c_2}\Big (1-p_{c_3}\Big )p_{d_1}\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=\pi ,\;\varDelta \phi _{2}=0\; \text {or}\;\pi } \nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big ) \Big (1-p_{d_2}\Big )p_{d_3}\Biggl \vert _{\varDelta \phi _{2}=\pi ,\;\varDelta \phi _{1}=0\; \text {or}\;\pi } \nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )p_{c_3}p_{d_1}\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{2}=\pi ,\;\varDelta \phi _{1}=0\; \text {or}\;\pi }. \end{aligned}$$

(85)

We substitute Eq. (83) in Eq. (85), and obtain the overall gain for a given realization of \(\theta _{a}\), \(\theta _{b}\) as,

$$\begin{aligned} Q_{\mu _{a}\mu _{b}}=4y^{4}[e^{2x\;cos\varDelta _{\theta }}+e^{-2x\;cos\varDelta _{\theta }} -2ye^{x\;cos\varDelta _{\theta }}-2ye^{-x\;cos\varDelta _{\theta }}+2y^2]. \end{aligned}$$

(86)

We should average the overall gain obtained in Eq. (86) over the random phases \(\theta _{a}\) and \(\theta _{b}\). Integrating over \(\varDelta _{\theta }\) for Eq. (86) gives the overall gain as,

$$\begin{aligned} Q_{\mu _{a}\mu _{b}}=8y^4[I_{0}(2x)-2yI_{0}(x)+y^{2}]. \end{aligned}$$

(87)

Here, \(I_{0}(x)\) is the modified Bessel function of the first kind. Next, we evaluate the gain of the single-photon states (\(Q_{11}\)) for our protocol. \(Q_{11}\) is the probability of a successful BSM, given that both Alice and Bob use weak coherent states with intensities \(\mu _{a}\) and \(\mu _{b}\), respectively, and send single-photon pulses. We use the Poisson distribution of photon numbers in a coherent state to obtain \(Q_{11}\) as,

$$\begin{aligned} Q_{11}=\mu _{a}\mu _{b}e^{-\mu _a-\mu _b}Y_{11}, \end{aligned}$$

(88)

where \(Y_{11}\) is obtained through Eq. (73).

The error rate in the sifted key is quantified by the overall QBER (\(E_{\mu _{a}\mu _{b}}\)). Error occurs in our protocol when correct set of detectors click in the right time-bins (see Table 1) due to dark counts even when Alice and Bob have applied wrong \(\varDelta _{\phi _{i}}\) (i=1, 2). For example, clicking of detectors c and d when \(\varDelta _{\phi _{1}}=\pi \) leads to error. Hence, the overall QBER can be expressed as,

$$\begin{aligned}&p_{c_1}p_{c_2}\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big )\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=\pi ,\;\varDelta \phi _{2}=0\; \text {or}\;\pi }\nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )p_{c_3}\Big (1-p_{d_1}\Big )\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{2}=\pi ,\;\varDelta \phi _{1}=0\; \text {or}\;\pi }\nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )p_{d_1}p_{d_2} \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=\pi ,\;\varDelta \phi _{2}=0\; \text {or}\;\pi }\nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )p_{d_1} \Big (1-p_{d_2}\Big )p_{d_3}\Biggl \vert _{\varDelta \phi _{2}=\pi ,\;\varDelta \phi _{1}=0\; \text {or}\;\pi } \nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big )p_{d_2} \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=0,\;\varDelta \phi _{2}=0\; \text {or}\;\pi } \nonumber \\&\quad +\Big (1-p_{c_1}\Big )p_{c_2}\Big (1-p_{c_3}\Big )p_{d_1}\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{1}=0,\;\varDelta \phi _{2}=0\; \text {or}\;\pi } \nonumber \\&\quad +\,p_{c_1}\Big (1-p_{c_2}\Big )\Big (1-p_{c_3}\Big )\Big (1-p_{d_1}\Big ) \Big (1-p_{d_2}\Big )p_{d_3}\Biggl \vert _{\varDelta \phi _{2}=0,\;\varDelta \phi _{1}=0\; \text {or}\;\pi } \nonumber \\&\quad +\Big (1-p_{c_1}\Big )\Big (1-p_{c_2}\Big )p_{c_3}p_{d_1}\Big (1-p_{d_2}\Big ) \Big (1-p_{d_3}\Big )\Biggl \vert _{\varDelta \phi _{2}=0,\;\varDelta \phi _{1}=0\; \text {or}\;\pi }. \end{aligned}$$

(89)

Substituting Eq. (83) in Eq. (89),

$$\begin{aligned} E^{'}_{\mu _{a}\mu _{b}}Q_{\mu _{a}\mu _{b}}=8y^4[1-ye^{x\;cos\varDelta _{\theta }}-ye^{-x\;cos \varDelta _{\theta }}+y^2]. \end{aligned}$$

(90)

Averaging over \(\varDelta _{\theta }\) in Eq. 90, we get

$$\begin{aligned} E^{'}_{\mu _{a}\mu _{b}}Q_{\mu _{a}\mu _{b}}=8y^4[1-2yI_{0}(x)+y^2]. \end{aligned}$$

(91)

1.3 Phase randomization with post selection

As evident from Fig. 4, phase randomization leads to a high intrinsic QBER. To reduce the QBER, Alice and Bob divide the overall phase into different splices as per Eq. (13). They announce the segment that they used for phase randomization while sifting. This improved data processing [66] reduces the cost of error correction (cf. Eq. (12)).

$$\begin{aligned} I_{\text {ec}}=\sum \limits _{m=0}^{N-1}Q^mfH(E^{m}) \end{aligned}$$

(92)

We assume that Alice picks up one slice out of N slices randomly and Bob always select the first phase slice. Hence, for estimation the overall gain Eq. (86) needs to be averaged over \(\varDelta _{\theta }\) from \(\frac{m\pi }{N}\) to \(\frac{(m+1)\pi }{N}\), i.e.,

$$\begin{aligned} Q^m= & {} \frac{N}{\pi }\int \limits _{0}^{\pi /N}d\theta _{b}\frac{1}{\pi } \int \limits _{m\pi /N}^{(m+1)\pi /N}d\theta _{a}\times 4y^{4}\left[ e^{2x\;cos\varDelta _{\theta }} +e^{-2x\;cos\varDelta _{\theta }}\right. \nonumber \\&\left. -2ye^{x\;cos\varDelta _{\theta }}-2ye^{-x\;cos\varDelta _{\theta }}+2y^2\right] . \end{aligned}$$

(93)

Similarly, we can write the QBER as

$$\begin{aligned} E^{'m}_{\mu _{a}\mu _{b}}Q^{m}_{\mu _{a}\mu _{b}}=\frac{N}{\pi }\int \limits _{0}^{\pi /N}d \theta _{b}\frac{1}{\pi }\int \limits _{m\pi /N}^{(m+1)\pi /N}d\theta _{a}\times 8y^4[1-ye^{x\;cos\varDelta _{\theta }}-ye^{-x\;cos\varDelta _{\theta }}+y^2]. \end{aligned}$$

(94)

Finally, we perform a numerical integration to evaluate the QBER.