Decoy-State Formulation in QKD

• Decoy state formulation is a method for estimating photon yields in quantum key distribution by mixing signal and decoy intensities to counteract photon-number-splitting attacks.
• It employs linear programming and analytic inversion techniques to derive tight bounds on single-photon parameters, ensuring rigorous security even with practical imperfections.
• Advanced protocols, including passive and biased implementations, integrate finite-size corrections and convex optimization to enhance key rates over long-distance quantum channels.

A decoy state formulation is a parameter estimation and security analysis methodology in quantum key distribution (QKD), allowing secure operation with practical light sources subject to multi-photon emission and photon-number-splitting (PNS) attacks. The decoy-state approach underpins modern QKD protocols including BB84, measurement-device-independent QKD (MDI-QKD), and variants using biased or passive state preparation, enabling rigorous bounds on single-photon yields and error rates in the presence of statistical fluctuations, imperfect devices, and general attacks. Decoy-state methods employ a mixture of signal and decoy intensities (often supplemented by vacuum states), derive constraints on photon-number-resolved parameters via convex linear programming or algebraic inversion, and insert these into composable key-rate formulas, including finite-size corrections and security parameters.

1. Physical Motivation and Principles

In practical QKD systems, weak coherent pulses (WCPs) are used instead of true single-photon sources. The photon number $n$ in each pulse follows a Poisson distribution $P_n(\mu) = e^{-\mu}\mu^n/n!$, where $\mu$ is the mean intensity. Multiphoton ($n \geq 2$) signals are vulnerable to the PNS attack: an adversary (Eve) can split off one photon undetected, acquiring full information about the key bit without increasing the quantum bit error rate (QBER). The decoy-state method, introduced by Lo, Ma, and Chen (Kamin et al., 16 Apr 2025), Hwang, and subsequent works, mitigates this vulnerability by randomly varying pulse intensities among signal ($\mu_s$), one or more decoy ($\mu_d$), and possibly vacuum levels ($\mu_0=0$). Since Eve cannot distinguish the intensity before measurement (a core security assumption (Chen et al., 2021)), she must treat all pulses identically, allowing the extraction of photon-number-resolved statistics through observable gains and error rates at different intensities.

2. Mathematical Formulation and Photon Statistics

Let Alice send pulses with intensity $\mu_k$ chosen from a finite set. For each photon number $n$, define the yield $Y_n$ (probability of detection) and error rate $e_n$ (conditional error probability). Observables for each intensity: $$Q(\mu_k) = \sum_{n=0}^{\infty} P_n(\mu_k) Y_n, \quad E(\mu_k) Q(\mu_k) = \sum_{n=0}^{\infty} P_n(\mu_k) Y_n e_n$$ where $Q(\mu_k)$ is the gain, and $E(\mu_k)$ is the QBER. The central analytical task is bounding $Y_1$ and $e_1$ (single-photon parameters) from measured $Q(\mu_k)$, $E(\mu_k)$ by solving a truncated (or infinite) linear system, often via linear programming or analytic inversion (scaled Vandermonde matrices for $M$ intensities) (Chau, 2017, Trushechkin et al., 2021).

For sources with arbitrary photon-number statistics, the same linear combinations apply, with $P_n(\mu)$ replaced by $p_n(\mu)$—e.g., thermal, binomial, and Poisson weights are all accommodated (Foletto et al., 2021).

3. Security Bounds and Parameter Estimation

From observed yields/gains and QBERs, tight lower- and upper-bounds on $Y_1$ and $e_1$ are constructed:

• Two-decoy/three-intensity protocol: Bounds involve combining $Q(\mu)$, $Q(\nu)$, $Q(0)$ and corresponding error statistics, eliminating unknown multi-photon contributions: $$Y_1 \ge ... \text{(see explicit formulae in [2002.06530, 2101.10128])} \quad e_1 \le ...$$
• Finite-size analysis: Statistical fluctuations are incorporated via Chernoff, Hoeffding, or Serfling bounds, allowing conversion between observed counts and expected value bounds with tunable failure probability $\varepsilon$. Phase-error estimation uses hypergeometric sampling and analytic one-sided bounds (Yin et al., 2020, Zhou et al., 2014).
• Passive decoy state protocols: The photon number is post-selected via local measurement of an "idler" arm; triggered and non-triggered pulses yield distinct, provably secure decoy distributions without active modulation, sidestepping side-channel risks (Sun et al., 2014).
• Biased-basis designs: Decoy sources and measurement bases are chosen with unequal probabilities to optimize sifting and key rate. Yield assignments must be basis-conditional, i.e., yields for Fock components are equated only if measured in the same basis; this is critical when detector asymmetry or channel bias is present (Yu et al., 2015, Wei et al., 2013).
• MDI-QKD and device-independent settings: Decoy-state analysis is extended to the joint emission statistics of Alice and Bob, with lower bounds on the double-single-photon yield $Y_{11}$ and upper bounds on the phase-flip error $e_{11}$ constructed via similar multi-observable linear programs (Sun et al., 2013, Yu et al., 2013, Zhang et al., 2014).

4. Advanced Frameworks and Numerical Techniques

For rigorous finite-size and composable security under general coherent attacks, recent work utilizes Rényi entropy-based frameworks—specifically the Marginal-Constrained Entropy-Accumulation Theorem (MEAT) and sandwiched conditional Rényi entropies (Kamin et al., 16 Apr 2025). The decoy-state constraints form a convex cone ("QKD-cone") in yield/error parameter space, and security proofs reduce to single-round convex optimization programs (solved numerically via Frank–Wolfe or semidefinite programming algorithms (Wang et al., 2021)). These techniques generalize the linear decoy-state bound and provide near-optimal key rates especially at small block sizes, outperforming previous analytic or Gaussian-approximation finite-key analyses (Yin et al., 2020).

Fine-grained statistics (tracking all input/output state pairs rather than collapsed rate/error totals) are incorporated to enhance robustness against drifting basis misalignment and to increase key rates without altering the physical protocol (Wang et al., 2021).

5. Practical Variants and Experimental Implementations

• Passive decoy-state QKD: In spontaneous parametric down-conversion sources (SPDCS), post-selection on idler detection realizes decoy distributions inherently; triggered "signal" and non-triggered "decoy" data are separately analyzed for yields and error rates. This approach closes side-channels associated with active modulation (Sun et al., 2014, Zhou et al., 2014).
• Homodyne detection: The decoy-state formalism is adapted to continuous-variable QKD, where Bob 'clicks' are replaced by quadrature thresholding, and error/yield calculations involve integrating over displaced Gaussian or Fock-state distributions (Mousavi et al., 2014).
• Multivariate and M>3 intensities: Employing more than three decoy intensities (e.g., up to five) yields tighter yield/error bounds, with numerically stable Vandermonde inversions or greedy linear programs yielding 20–30% increased rates over three-intensity designs (Chau, 2017, Zhang et al., 2014).
• Biased-basis and four-intensity protocols: Using two intensities in each basis (without true vacuum) with basis bias (e.g., $p_Z\gg p_X$) substantially increases key rate at practical distances and reduces experimental complexity (Yu et al., 2015, Wei et al., 2013).
• Arbitrary photon statistics: Decoy-state parameter estimation is universal, provided the photon-number weights $p_n(u)$ are known and the source is phase-randomized (Foletto et al., 2021). Binomial, thermal, and Poissonian sources are all compatible, with minor performance differences.

6. Security Assumptions, Side-Channels, and Controversies

A critical assumption is that Eve cannot distinguish signal and decoy states except by their photon-number statistics—a premise validated (to within small probabilities) by explicit Bayesian decision models and attack simulations (Chen et al., 2021). Any physical or implementation imperfection that leaks distinguishing information, e.g., timing, spectral, or side-band correlations, opens side-channels that quantitatively degrade security bounds; trace-distance leakage models and calibration techniques define worst-case reductions in $Y_1$ and elevate $e_1$, but with careful receiver calibration, much of the loss is recoverable (Huang et al., 2017).

Passive decoy-state methods mitigate tagging side-channels by never modulating the channel optical field; only local statistics are used (Sun et al., 2014).

7. Key-Rate Formulas and Optimization

The final secret-key rate per pulse is given, in the asymptotic regime, by: $$R \ge Y_1 \cdot [1 - h_2(e_1)] - Q(\mu)f(E(\mu))h_2(E(\mu))$$ where $h_2(x)$ is the binary entropy, $f(E)$ is the efficiency of error correction, and all parameters are lower-bounded/upper-bounded as described above. In biased-basis or MDI protocols, the formula is generalized to double indices, multiple sources, and phase-error rates, with optimization over all protocol parameters (intensities, probabilities, block sizes) yielding practical rates and distances (e.g., secure reach $\sim$180 km for $10^{10}$ sifted bits in finite-size passive decoy QKD) (Zhou et al., 2014, Chau, 2017, Yu et al., 2015).

Summary Table: Decoy-State Formulation Features Across Protocols

Protocol Type	Decoy Implementation	Parameter Estimation Method
BB84 (active)	Mean intensity modulation	Linear program or analytic inversion (Trushechkin et al., 2021, Yin et al., 2020)
Passive decoy-state	SPDCS source, idler post-selection	Statistical bounding, Serfling inequalities (Sun et al., 2014, Zhou et al., 2014)
MDI-QKD	Multi-party source modulations	Multivariate linear program over joint photon probabilities (Sun et al., 2013, Yu et al., 2013)
Biased-basis	Four intensities, no vacuum	Correction for measurement-basis dependence (Yu et al., 2015)
Arbitrary statistics	Any phase-randomized weights	Linear-combination bounds, numerical stability (Foletto et al., 2021)

The decoy-state formulation provides a mathematically rigorous and experimentally practical foundation for secure QKD. Through tight analytic bounds, convex programming, or entropy-based (Rényi) security frameworks, it enables quantum communication protocols to operate securely at realistic rates and distances, even in the presence of device imperfections and arbitrary attacks.