## Abstract

In theory, quantum key distribution (QKD) offers information-theoretic security. In practice, however, it does not due to the discrepancies between the assumptions used in the security proofs and the behavior of the real apparatuses. Recent years have witnessed a tremendous effort to fill the gap, but the treatment of correlations among pulses has remained a major elusive problem. Here, we close this gap by introducing a simple yet general method to prove the security of QKD with arbitrarily long-range pulse correlations. Our method is compatible with those security proofs that accommodate all the other typical device imperfections, thus paving the way toward achieving implementation security in QKD with arbitrary flawed devices. Moreover, we introduce a new framework for security proofs, which we call the reference technique. This framework includes existing security proofs as special cases, and it can be widely applied to a number of QKD protocols.

## INTRODUCTION

Quantum key distribution (QKD) allows two distant parties, Alice and Bob, to securely exchange cryptographic keys in the presence of an eavesdropper, Eve (*1*). Despite notable progress made in recent years, there is still a big gap between the information-theoretic security promised by the security proofs and the actual security offered by the practical implementations of QKD. The most pressing problem is the discrepancy between the idealized device models used in the security proofs and the functioning of the real devices used in the experiments. This is so because typical security proofs rely on assumptions to describe the behavior of these devices and ignore their inherent imperfections. In practice, any deviation from these theoretical models might open security loopholes that could lead to side-channel attacks, thus compromising the security of QKD. A possible solution to this problem is to construct more realistic security proofs that can take into account device flaws. Lately, there have been notable advances in this direction. This includes, e.g., the proposal of the decoy-state method (*2*–*4*), allowing the use of practical light sources while maintaining a high secret key rate. In addition, measurement device–independent QKD (MDI-QKD) (*5*) can effectively eliminate all detector side channels and is practical with the current technology (*6*–*11*). The missing step toward achieving implementation security in QKD is to better characterize and secure the parties’ sources.

Security loopholes in the source could emerge from three main causes: from state preparation flaws (SPFs) due to the finite precision of the modulation devices, from information leakage either due to side channels arising from mode dependencies or due to Trojan horse attacks (THAs) (*12*–*16*), or they could be caused by undesired classical correlations between the generated pulses. Mode dependencies of the emitted signals occur when the optical mode of a pulse depends on Alice’s setting choices. That is, Alice’s setting choices might be encoded in various degrees of freedom of the generated signals, not only on the desired one. Moreover, Eve can perform a THA by sending bright light into the source and then observing the back-reflected light to obtain partial information about Alice’s internal settings. Last, pulse correlations imply that the state of each pulse depends on the previous setting choices, such as bit and basis choices.

SPFs can be efficiently treated with the original loss-tolerant (LT) protocol (*17*). This is so because in this scheme, the resulting secret key rate is almost independent of the source’s flaws. Its main drawback is the requirement that the states of the pulses are described by qubit states, which is hard to guarantee in practice because of unavoidable potential side channels. To address this limitation, a generalization of the LT protocol was put forward recently (*18*). This latter protocol encompasses SPFs, mode dependencies, and THAs without requiring detailed information about the state of the side channels, which simplifies their experimental characterization. There are also other techniques that can deal with mode dependencies and THAs, such as the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) type security proofs involving the quantum coin idea (*19*–*21*) (from now onward, we shall refer to them as GLLP type security proofs) or the numerical approaches introduced in (*22*–*24*).

The final piece toward guaranteeing implementation security is, thus, to consider pulse correlations among the emitted signals. These pulse correlations are purely classical, and they arise from the limitations of practical modulators. In general, due to memory effects of these modulation devices, the state of a pulse depends not only on the current modulation setting but also on the previous ones, meaning that the secret key information, i.e., the bit and the basis choices, is encoded not only into a single pulse but also between subsequent pulses. Theoretically, it is believed that this correlation is very hard to model because the dimensionality of the state space becomes very large. All existing security proofs circumvent this imperfection by simply neglecting it, which means that they cannot guarantee the security of practical implementations. We remark that a few recent works (*25*–*27*) have incorporated in their analysis certain pulse correlations between the emitted signals. However, all these works only consider restricted scenarios. In particular, the results in (*25*, *26*) and in (*27*) only consider setting choice–independent pulse correlations and intensity correlations between neighboring pulses, respectively. Therefore, none of them can deal with pulse correlations in terms of the secret key information nor with long-range correlations. Another reason why these correlations have been ignored so far is because one expects that, in practice, they are small. However, a small imperfection does not necessarily mean a small impact on the secret key rate, as Eve could, in principle, enhance such imperfection by exploiting, say, channel loss, resulting in a poor secret key rate (*19*–*21*). Therefore, we note that pulse correlations could be a serious threat to the security of QKD.

Here, we present a general and simple framework to guarantee the security of QKD in the presence of arbitrary classical pulse correlations. The key idea is very easy yet very useful, that is, we regard the leaked information encoded into the correlations of subsequent pulses as a side channel for each of the pulses. The key features of our method include the following: (i) When combined with the generalized LT (GLT) protocol (*18*) or with the reference technique (RT) introduced in this work, it can analytically guarantee the security of QKD with practical devices that suffer from typical source imperfections, i.e., SPFs and side channels (including mode dependencies, THAs, and pulse correlations), even if the state of the side channels is totally unknown; (ii) due to its simplicity, our method is compatible with many other security proofs including those based on the inner product structure of the emitted pulses such as, for instance, the GLLP type security proofs (*19*–*21*) and the numerical techniques in (*22*–*24*); and (iii) our method can be applied to many QKD protocols such as, e.g., the BB84 scheme (*28*), the six-state protocol (*29*), the SARG04 protocol (*30*), distributed-phase-reference protocols (*31*–*33*), and MDI-QKD (*5*). Our results indicate the feasibility of secure QKD with arbitrary flawed devices, and therefore, they constitute an essential step toward closing the big gap between theory and practice in QKD.

In addition, a second contribution of this work is a new framework for security proofs, the RT, that can provide high performance in the presence of source imperfections. More precisely, this is a parameter estimation technique that includes existing security proofs as special cases (see the Supplementary Materials). The RT incorporates the original LT protocol and can reproduce the GLT protocol and the GLLP type security proofs. The key idea is to consider some reference states, which are close to the actual states prepared by the protocol of interest, and use them to simplify the estimation of the parameters needed to guarantee the security of the protocol. More precisely, by bounding the maximum deviation between the probabilities associated with the reference states and those associated with the actual states, one can obtain a relationship for the probabilities involving the actual states based on those of the reference states. In doing so, one can estimate the parameters needed to guarantee the security of the actual protocol from the estimation that uses the reference states. We remark that the freedom to choose the reference states is very useful when dealing with source imperfections. In particular, this freedom allows us to analytically prove the security of a QKD protocol without any information on the side-channel states. This is important for achieving implementation security since a full characterization of the side-channel states, which, in principle, could live in unknown physical modes, is certainly very challenging in practice. In this work, we consider three special cases of the RT and evaluate their secret key rate in the presence of pulse correlations and SPFs.

## RESULTS

Pulse correlations occur, for instance, when the emitted signals depend on the previous values of the encoding device (e.g., a phase modulator). In other words, subsequent pulses leak information about Alice’s former encoding choices. The key idea of our work to evaluate this complex scenario is to interpret these correlations as a side channel. By realistically modeling the source, we can bound this passive leakage of information and ensure secure QKD after performing enough privacy amplification. In what follows, we first outline the assumptions used in our security analysis, which is presented afterwards.

### Assumptions on Alice’s and Bob’s devices

For simplicity, we consider a three-state protocol in which modulation devices are used to encode the bit and the basis choices. We do not explicitly consider the use of the decoy-state method (*2*–*4*); however, we remark that our framework could be combined with that method and also incorporate the effect of correlated intensity modulators and other imperfections of the intensity modulators (*15*). Furthermore, we assume an asymptotic scenario where Alice sends Bob an infinite number of pulses. We note, however, that the work presented here also applies to other protocols that use more than three states, as discussed in the next section.

Additional assumptions might be required depending on the particular security proof technique that is combined with our method. For instance, if the RT based on the GLT protocol (*18*) or the RT based on the original LT protocol (*17*), which we will present below, are used, then one also needs to assume that certain information about the states prepared by Alice is known. To be precise, for a setting choice *j* ∈ {0* _{Z}*,1

*,0*

_{Z}*}, the state of the*

_{X}*k*

^{th}pulse is in general purified into systems

*C*and expressed as

_{k}B_{k}EHere, we take *a _{j}* as a non-negative number satisfying 0 ≤

*a*≤ 1, which is possible by appropriately choosing the global phase of the states. The subscript

_{j}*C*stands for all the systems, which include not only the

_{k}B_{k}E*k*

^{th}qubit (system

*B*) that Alice sends to Bob over the quantum channel but also the system

_{k}*C*, which is needed for purifying the state of system

_{k}*B*, and

_{k}*E*is a system that includes Eve’s system. System

*E*includes the systems sent by Alice over the quantum channel, such as the back-reflected light from a possible THA and the ancilla systems kept in Eve’s laboratory. As we will discuss further later, in general, this system also includes Alice’s ancilla systems used in the virtual entanglement-based protocol, which is equivalent to the actual protocol. Some of the latter systems store the setting information for all the pulses sent before the

*k*

^{th}pulse. This means, in particular, that ∣λ〉

*could depend on the setting choices for all the previous pulses. If it is not possible to find such a state, then*

_{E}*a*becomes simply zero. From construction, Eq. 1 is the most general state that can be prepared in a QKD protocol. In other words, Eq. 1 simply decomposes a state ∣ψ

_{j}*〉*

_{j}*in a given Hilbert space into two states, each of which belongs to an orthogonal space. Precisely, one of them is the qubit state ∣ϕ*

_{CkBkE}*〉*

_{j}*∣λ〉*

_{CkBk}*(as the set of states {∣ϕ*

_{E}*〉*

_{j}*∣λ〉*

_{CkBk}*}*

_{E}*constitutes a qubit space), with ∣λ〉*

_{j}*being a state independent of the*

_{E}*k*

^{th}setting choice, and the other is the setting-dependent side-channel state

*a*with 0 ≤

_{j}*a*≤ 1. The characterization of

_{j}*〉*

_{j}*and*

_{CkBkE}*j*. To use the RT, we only need to know a lower bound on the coefficient

*a*in Eq. 1 and a full characterization of the density operator of the qubit

_{j}*B*. The main contribution of our work is to show that one can accommodate the effect of pulse correlations through the parameter

_{k}*a*in Eq. 1.

_{j}The assumptions on Bob’s devices also depend on the security proof. For example, in the case of the RT based on the GLT protocol or based on the original LT protocol, one assumes that Bob measures the incoming pulses in the *Z* or the *X* basis. More precisely, Bob’s measurements are represented by the positive operator–valued measures (POVMs) *Z*, *X*}, and *34*, *35*); however, it is not necessary in MDI-QKD, to which our framework also applies. Furthermore, we emphasize that our method to deal with pulse correlations could be used as well with security proofs where the basis-independent efficiency condition is not guaranteed, such as in (*36*).

### Security analysis in the presence of pulse correlations

In this section, we present the security analysis of QKD with pulse correlations. For this, we consider a security proof with the following properties. It uses an entanglement-based virtual protocol where Alice prepares pulses in an entangled state, and she (Bob) measures the local (incoming) systems to distill a secret key. In addition, it considers a particular detected pulse to estimate the phase error rate (or the phase error rate as a bound of the min-entropy). For simplicity, in what follows, we shall explicitly mention only the phase error rate, but it applies to both cases. Security against coherent attacks can then be guaranteed with the help of Azuma’s inequality (*37*), Kato’s inequality (*38*), or by applying the techniques in (*39*, *40*). Moreover, we assume that the security proof can be generalized such that it applies to a particular pulse with a side channel. That is, it can be used to prove the security of QKD in the presence of active and/or passive information leakage. Thanks to the reduction technique presented below, a particular pulse affected by correlations can be regarded as a pulse with a side channel, and therefore, the security of QKD with pulse correlations is guaranteed. As an example, we now demonstrate that running a three-state protocol in the presence of nearest-neighbor pulse correlations can be regarded as a three-state protocol in which each of the pulses entails side channels. We emphasize, however, that it is straightforward to generalize this reduction technique to an *m*-state protocol, as discussed below, and to arbitrarily long-range correlations (see Materials and Methods for more details).

*Nearest-neighbor pulse correlations*. Let * _{j}*〉

*with probability*

_{B}*p*and sends the pulse prepared in the chosen state to Bob over the quantum channel. As for Bob’s measurements, as already mentioned above, the assumptions vary according to the selected security proof. In an entanglement-based picture with nearest-neighbor pulse correlations, the transmission of

_{j}*n*pulses by Alice can be described by first preparing

*n*ancilla systems

*A*and

*n*pulses in the state

*B*to Bob. In Eq. 2,

*A*=

*A*

_{1},

*A*

_{2}, …,

*A*(

_{n}*B*=

*B*

_{1},

*B*

_{2}, …,

*B*) refers to the composite system of Alice’s ancilla systems (Bob’s pulses), where

_{n}*A*(

_{k}*B*) for

_{k}*k*∈ {1,2, …,

*n*} denotes Alice’s

*k*

^{th}ancilla system (Bob’s

*k*

^{th}pulse), the index

*j*∈ {0

_{k}*,1*

_{Z}*,0*

_{Z}*}, and {∣*

_{X}*j*〉

_{k}*}*

_{Ak}_{jk ∈ {0Z,1Z,0X}}is a set of unnormalized orthogonal states in a three-dimensional Hilbert space with

_{jk∣jk − 1}〉

*represents any nearest-neighbor classical pulse correlation, namely, this is the state of the*

_{Bk}*k*

^{th}emitted pulse when Alice selects the setting

*j*, given that her previous setting choice was

_{k}*j*

_{k − 1}.

Now, suppose that after Alice sends Bob system *B*, Bob obtains click events for some of the received signals. Then, Alice and Bob perform fictitious measurements on their systems to generate the raw data in the experiment in order. We are interested in the state of their *k*^{th} systems only before the fictitious measurements, which resulted in a click at Bob’s detectors. To obtain this state, recall that any operations and measurements on system *B*, including the detection measurements on the pulses received by Bob, commute with Alice’s measurements. Hence, we can assume that Alice has already measured her first *k* − 1 ancillas before sending system *B*. Then, we have the resulting state as*j*_{1}′, ⋯, *j*′_{k − 1} represent the outcomes of Alice’s measurement on her first *k* − 1 ancillas. To simplify this state, we introduce the following definition*j*_{k + 1}〉_{Ak + 1, ⋯, An, Bk + 2, ⋯, Bn}}_{jk + 1 = 0Z,1Z,0X}. In addition, we define the state

By using the above two states, we can rewrite Eq. 3 as

As a reference, recall that if there were no pulse correlations in the three-state protocol, then the resulting state, instead of being in the form given by Eq. 6, would become_{Ak + 1, ⋯, An, Bk + 1, ⋯, Bn} is independent of Alice’s setting choice *j _{k}* and can be expressed as

In the security proof for the three-state protocol without pulse correlations, one typically obtains the phase error rate by considering any attack on system *B _{k}* in

*j*is encoded not only on system

_{k}*B*but also on the systems

_{k}*B*

_{k + 1}, ⋯,

*B*, and the state ∣λ

_{n}*〉*

_{jk}_{Ak + 1, ⋯, An, Bk + 1, ⋯, Bn,}serves as side-channel information about the state

*B*and

_{k}*B*

_{k + 1}, ⋯,

*B*in

_{n}*k*and sends systems

*B*,

_{k}*B*

_{k + 1}, ⋯,

*B*to Bob.

_{n}Note that our framework is also valid for the case where Alice emits mixed states instead of pure states. The emission of mixed states might happen because of imperfections in Alice’s devices or when the prepared pure states are entangled with Eve’s systems because of, say, a THA. To treat this latter scenario, the mixed states can be purified by introducing an ancilla system *C _{k}*, with

*k*∈ {1,2, ⋯,

*n*}, which contains Alice’s and Eve’s systems. As a result, Eq. 6 becomes

Again, if a security proof for the three-state protocol without pulse correlations shows that one can estimate the phase error rate for Σ* _{jk}*∣

*j*〉

_{k}*∣ψ*

_{Ak}*〉*

_{jk}*, then it follows that*

_{CkBk}*A*

_{k + 1}, ⋯,

*A*(which, in reality, are inaccessible by Eve) besides the composite systems

_{n}*B*and

_{k}*B*

_{k + 1}, ⋯,

*B*. Note that the number of systems that we include as side channels does not matter, but what matters is how much the state ∣λ

_{n}*〉*

_{jk}_{Ak + 1, ⋯, An, Bk + 1, ⋯, Bn}depends on Alice’s information

*j*. Therefore, this fictitious attack on

_{k}*A*

_{k + 1}, ⋯,

*A*should not result, in general, in a lower key rate because these ancillas do not directly entail information about

_{n}*j*.

_{k}Last, we remark that all the discussions in this section and also in the next one do not require *j _{k}* to be chosen from only three possibilities, i.e., {0

*,1*

_{Z}*,0*

_{Z}*}. That is, by only considering*

_{X}*j*∈ {1,2,3, ⋯,

_{k}*m*}, our method applies for an

*m*-state protocol.

### Particular device model

Having stated the framework for the security proof in the presence of pulse correlations, we now consider a particular device model with only nearest-neighbor pulse correlations. The purpose of this section is to show how to obtain the parameters needed in Eq. 1 for a particular example of device model. Once this is achieved, one can directly apply the RT to guarantee the security of practical QKD implementations. We remark that for simplicity, below, we do not consider THAs or mode dependencies. However, they could readily be included by using the method in (*18*). In addition, we assume that a single-photon source is available, and as a concrete example for modeling pulse correlations, we select the following instance of nearest-neighbor pulse correlation*j _{k}* ∈ {0

*,1*

_{Z}*,0*

_{Z}*}, ∣ϕ*

_{X}*〉*

_{jk}*is a qubit state, the parameter ϵ intuitively quantifies the strength of the correlation, θ*

_{Bk}_{jk ∣ j′k − 1}represents how the

*k*

^{th}state depends on the previous information

*j*′

_{k − 1}, and

*〉*

_{jk}*. Note that, when there are no pulse correlations, i.e., ϵ = 0, the state*

_{Bk}*〉*

_{jk}*, which does not depend on the previous setting*

_{Bk}*〉, since it becomes dependent on the previous setting choice. The physical intuition of this model derives from the functioning of a phase modulator. To be precise, the state of an emitted pulse is typically affected by the modulation of the previous pulses such that there is a deviation depending on its preselected phase, which is quantified in the example given in Eq. 10 by*

_{jk}Below, we show how to derive the state in the form of Eq. 1 for this particular example starting from Eq. 10. For this, we follow the idea introduced in the previous section and obtain the states _{jk + 1}∣*j*_{k + 1}〉_{Ak + 1, ⋯, An, Bk + 2, ⋯, Bn}∣ϕ_{jk + 1}〉_{Bk+1} is a normalized state independent of the information *j _{k}*, and

*〉*

_{jk}*for any*

_{Bk}*k*. We emphasize once again that the parameter ϵ and the state

*18*), not only pulse correlations. This comes from the generality of Eq. 1.

Now, our formalism to deal with pulse correlations can be used directly with the RT since the states in Eq. 11 are in the form of Eq. 1. For the RT (described in the next section), we only require to know a lower bound on the coefficient 1 − ϵ and a full characterization of the state ∣ϕ* _{jk}*〉

*. We remark, however, that this framework can also be applied to the numerical techniques in (*

_{Bk}*22*–

*24*) if, in addition, the form of the state

*j*.

_{k}Here, we restricted the discussion to the case of nearest-neighbor pulse correlations, but our analysis also applies to arbitrarily long-range correlations. For instance, these correlations could be characterized by*w* and *k* with *w* < *k*. That is, the correlation could be characterized through the response according to the change of the *w*^{th} index. In other words, we can quantify the correlation represented by ϵ_{k − w}, where *k–w* is the range of the correlation, by looking at the distinguishability of the states. Here, *k–w* can be any non-negative number, meaning that our method can incorporate arbitrary long-range correlations. One can show that from this model, it is straightforward to obtain the three states in the form given by Eq. 1 (see Materials and Methods) and consequently apply the RT.

### RT based on the original LT protocol

In this section, we introduce a new framework for security proofs, the RT, which results in a high secret key rate in the presence of source imperfections. In what follows, we outline the intuition behind the key idea of the RT by applying it to the original LT protocol (*17*). A full description of the RT, including the detailed security proof, is presented in Materials and Methods. To simplify the discussion, here, we shall assume collective attacks; however, our analysis can be generalized to coherent attacks (see Materials and Methods for more details). Only as an example, we consider a protocol with a single-photon source in the presence of side-channel information, such as pulse correlations, in which Alice prepares the following three states for each pulse emission*B* denotes the system to be sent to Bob. We remark that this subscript *B* could be replaced with *A*_{k + 1}, ⋯, *A _{n}*,

*B*,

_{k}*B*

_{k + 1}, ⋯,

*B*and then we would recover Eq. 11. However, in this section, we prefer to use Eq. 14 rather than Eq. 11 for simplicity of notation. Note that, here, we analyze the case of nearest-neighbor pulse correlations, but the RT is also applicable to arbitrary long-range pulse correlations. In Eq. 14, ∣ϕ

_{n}*〉*

_{jk}*is a qubit state while*

_{B}*j*∈ {0

_{k}*,1*

_{Z}*,0*

_{Z}*} that lives in any dimensional Hilbert space and is orthogonal to ∣ϕ*

_{X}*〉*

_{jk}*for each setting choice*

_{B}*j*. However, we do not assume any relationship between

_{k}*〉*

_{jk}*can be defined as in (*

_{B}*18*) such that

*〉, ∣1*

_{Z}*〉} is a qubit basis and δ( ≥ 0) is the deviation of the phase modulation from the intended value due to SPFs (*

_{Z}*18*). That is, when there is no side-channel information, the states of the single photons sent by Alice have the form given by Eq. 15, but in the presence of side-channel information, however, these states are defined by Eqs. 14 and 15.

To prove the security of this protocol, we need to evaluate its phase error rate. The key idea of the RT is to consider the phase error rate estimation that we would obtain if we replace the actual set of states of the protocol, *41*, *42*) is not possible. This allows us to use directly the original LT protocol (*17*) to estimate precisely some quantities associated with the reference states and their relationship as an intermediate step toward obtaining the phase error rate associated with the actual states.

As an example, we select the reference states to be *Z* basis satisfy *Z* basis, and * _{X}* in the actual protocol. The probabilities

*17*) and get a simple relationship between these probabilities and the probabilities associated with the reference states. To see this, first, note that in a qubit space, the following expressions hold

*a*,

*b*, and

*c*are defined in Materials and Methods. We remark that if there are no SPFs, then the coefficients become

*a*=

*b*=

*c*= 1. Then, by substituting Eq. 18 into Eq. 17, we obtain an expression for the probability of a phase error in terms of the reference states

In the RT, we call Eq. 19 the reference formula since it is used as a reference to obtain a similar expression in terms of the actual states. Note that we cannot use the reference formula directly in the security proof because it entails probabilities associated with the reference states, rather than the actual states.

Fortunately, by evaluating the deviation between the reference and the actual states, we can obtain bounds on the probabilities associated with the actual states and, consequently, the phase error rate of the actual protocol. This part of the RT corresponds to the deviation evaluation part (see Materials and Methods for further details). By following the analysis in the Supplementary Materials, we have that this deviation is quantified by using*A* and *R* are any normalized states associated with the actual and reference states, respectively. Here, the functions *g ^{L}*(

*x*,

*y*) and

*g*(

^{U}*x*,

*y*) are defined as

No measurement, including any measurement performed by Eve, can induce a larger deviation between the probabilities because Eq. 20 holds for any *15*); however, for the problem at hand, that bound is loose, and therefore, we use a tighter bound. That is, we use the knowledge of the probability associated with the observable events in the actual protocol, i.e.,

Now, we apply Eq. 20 to the first three terms and the last line of Eq. 19 separately, thus converting Eq. 19 into an expression for the probability of a phase error in terms of the actual states. For instance, note that the last line can be expressed by *C* is an ancilla that stores the classical information associated with Alice’s and Bob’s setting choices, and * _{Z}* and prepares the state

*. Last, by solving Eq. 25 with respect to*

_{X}*P*(ph∣Act), we obtain the probability of a phase error of the actual protocol. The phase error rate is then defined as

*e*=

_{X}*P*(ph∣Act)/

*Y*, where

_{Z}*Y*≔

_{Z}*P*(

*q*

_{0z,0z}∣Act) +

*P*(

*q*

_{0z,1z}∣Act) +

*P*(

*q*

_{1z,0z}∣Act) +

*P*(

*q*

_{1z,1z}∣Act) is the yield in the

*Z*basis, i.e., the joint probability that Alice and Bob choose the

*Z*basis and Bob obtains a detection event.

### Simulation of the secret key rate

To show the performance of QKD in the presence of pulse correlations, we now present the simulation results. For simplicity of discussion, here, we apply our framework to two different cases of the RT: the RT based on the GLT protocol (*18*) and the RT described in the previous section. We remark that the GLLP type security proofs (*19*–*21*) are also regarded as a special case of the RT where we select the actual states as the reference states and skip the reference formula part (see the Supplementary Materials for the proof of this claim). However, they involve four states, rather than three states, and analytical or numerical optimization is required. The comparison between the RT based on the GLLP type security proofs and the RT based on the original LT protocol is presented in the Supplementary Materials.

The main difference between the RT based on the GLT protocol and the RT based on the original LT protocol is that, in the former, a different bound is used to estimate the probabilities associated with the actual states. More precisely, the RT based on the GLT protocol essentially uses an inequality involving eigenvalues, instead of Eq. 20, which has the form

Here, *C _{jk}* = 1 − (1 − ϵ)

^{2}. The inequality in Eq. 26 is valid for any

*18*) for more details]. We emphasize that pulse correlations are not taken into account in (

*18*); however, we can apply our method to deal with pulse correlations to this security analysis. In doing so, we simply consider a QKD protocol with the states in Eqs. 14 and 15 and apply the RT based on the GLT protocol. That is, besides pulse correlations, we also include the effect of SPFs by assuming δ > 0 in Eq. 15. Furthermore, recall that system

*B*in Eqs. 14, 15, and 26 can include more systems, not only those sent to Bob. In these equations, the subscript

*B*could be replaced by

*A*

_{k + 1}, ⋯,

*A*,

_{n}*B*,

_{k}*B*

_{k + 1}, ⋯,

*B*, allowing us to consider pulse correlations as the side channel. Note that to simplify the mathematical analysis, we do not trace out Alice’s subsequent systems

_{n}*A*

_{k + 1}, ⋯,

*A*. Since these systems are independent of the setting

_{n}*j*, they do not provide any relevant information to Eve, and therefore, they do not affect our estimation of the phase error rate.

_{k}For the simulations, we assume the asymptotic regime where the secret key rate formula for a single-photon source can be expressed as*Y _{Z}* is the yield in the

*Z*basis and

*e*is the phase error rate. The term

_{X}*e*is the bit error rate,

_{Z}*f*is the error correction efficiency. Note that

*Y*and

_{Z}*e*are directly observed in a practical implementation of the protocol, but in the simulations, a channel model [see (

_{Z}*18*) for more details] is used instead. The experimental parameters used are as follows: dark count rate of Bob’s detectors

*p*= 10

_{d}^{−7},

*f*= 1.16, and the probabilities for Alice and Bob to select the

*Z*basis are, for simplicity,

^{−3}and 10

^{−6}to evaluate this imperfection. In addition, to investigate how the length of the pulse correlations affects the secret key rate, we consider the nearest-neighbor correlation ϵ

_{1}, as well as correlations among two subsequent pulses, ϵ

_{2}, and among 10 subsequent pulses, ϵ

_{10}(see Eq. 13 for the definitions of these ϵ parameters). Regarding SPFs, we choose δ = 0 and δ = 0.063 according to the experimental results reported in (

*43*–

*45*). The results for the RT based on the GLT protocol and for the RT based on the original LT protocol are illustrated in Fig. 1.

As expected, this figure shows that when the magnitude of pulse correlations characterized by ϵ* _{i}* increases, the secret key rate decreases. In addition, as the length of the correlations, taken into account, increases, the secret key rate drops. We note, however, that even when long-range correlations are considered, a secret key can still be obtained. Namely, Fig. 1 shows that for ϵ = 10

^{−6}, one can generate a secret key even when there are correlations between 10 subsequent pulses. For a smaller value of the parameter ϵ

*, longer correlations can be included. If ϵ*

_{i}*is small enough, then one can consider a very long range of pulse correlations while guaranteeing the security of QKD.*

_{i}We emphasize that the security proof selected highly affects the results obtained, and this is also illustrated in Fig. 1, where we apply our technique to two different cases of the RT. To compare the RT based on the GLT protocol and the RT based on the original LT protocol as a function of pulse correlations, one can examine panels (A) and (B) or (C) and (D) of Fig. 1. Noticeably, as the magnitude of the pulse correlation ϵ* _{i}* increases, the secret key rate deteriorates for both of them. However, the RT based on the LT protocol outperforms the RT based on the GLT protocol in all the parameter regimes investigated. In addition, by comparing panels (A) and (C) or (B) and (D) of Fig. 1, one can see the effect of SPFs. As expected, the RT based on the GLT protocol and the RT based on the LT protocol are barely affected by this imperfection since they inherit, from the GLT protocol and the original LT protocol, respectively, high tolerance against SPFs with channel loss. The big difference observed in Fig. 1 between these two cases of the RT arises because of the following reason. Recall that we need to evaluate the deviation between the probabilities associated with the reference states and those associated with the actual states. For this, the bound used in the RT based on the GLT protocol is obtained by calculating certain eigenvalues, and thus, they entail square root terms, which deteriorate the secret key rate. Note that in the trace distance argument (

*15*), square root terms are also present, resulting in loose bounds. On the other hand, the RT based on the original LT provides a tighter estimation of the phase error rate thanks to the bound in Eq. 20. More precisely, the square root terms in Eq. 20 include detection probabilities, which decrease as the channel loss increases, while for the other two bounds, the square root terms are constant, and thus, the high performance is maintained by using the bound in Eq. 20. Last, we remark again that the RT framework is general and can be applied to other QKD protocols as well, as shown in the Supplementary Materials.

## DISCUSSION

Security proofs of QKD have to consider source imperfections in the theoretical models. Fortunately, SPFs, THAs (*12*–*16*), and mode dependencies have been considered together very recently in (*18*). In this work, we have introduced a general framework to deal with pulse correlations, which are the last pieces required for securing the source. Our framework is compatible with those security proofs that incorporate other source imperfections, and therefore, it can be used to guarantee implementation security with flawed devices by combining it with MDI-QKD (*5*) and the results in (*18*). We remark that the decoy-state method (*2*–*4*) has not been considered in this work, and therefore, the imperfections of the intensity modulator have not been addressed. However, these imperfections could be straightforwardly included in our framework. The key idea for dealing with pulse correlations is interpreting the information encoded in the subsequent pulses as side-channel information. By doing so, we have shown that, as long as the magnitude of the correlations is small, a secret key can still be obtained even when there are correlations over a long range of pulses. Moreover, our framework can be directly applied in combination with existing security proofs such as the GLT protocol (*18*), the GLLP type security proofs involving the quantum coin idea (*19*–*21*), and the numerical techniques recently introduced in (*22*–*24*).

Furthermore, we have proposed a new framework for security proofs, which we call the RT. It uses reference states that are similar to the states sent in the actual protocol, thus allowing us to determine the parameters needed to prove the security of the latter. The RT is very general, and it can be applied to many QKD protocols. Moreover, it already includes the LT protocol, the GLT protocol, and the GLLP type security proofs as special cases. That is, we are able to reconstruct these security proofs by applying the RT, as shown in the Supplementary Materials. We have demonstrated that most of the source imperfections can be incorporated simultaneously into the RT, and therefore, this technique has been proven to be very useful for guaranteeing the security of practical QKD protocols. In particular, we have shown that for the RT based on the original LT, no information about the side-channel states is required, yet it is an analytical security proof, resulting in a much simpler characterization of the source. In addition, we emphasize that the RT can be applied together with analytical or numerical optimization to estimate an upper bound on the phase error rate, which could result in a higher performance. In this work, we have rigorously proven the security of the RT, and we have provided the sufficient conditions to apply this technique to other QKD protocols (see the Supplementary Materials). We remark that, for the security proof, we have not considered the probabilities to be conditional on the detection events, which is usually important for high performance in the finite-key scenario. Fortunately, thanks to the recently developed Kato’s inequality (*38*), this is not a problem anymore, and it does not affect the performance of the secret key rate even in the finite-key size regime.

In addition, in the Supplementary Materials, we have compared the RT based on the original LT protocol with the RT based on the GLLP type security proofs. We remark, however, that this comparison might be considered unfair because the RT based on the GLLP type security proofs requires four states and analytical or numerical optimization. Last, we note that if a better inequality to evaluate the deviation between the probabilities associated with the reference states and those associated with the actual states is available, then it could replace the inequality in Eq. 20, resulting in even higher secret key rates for the RT. In addition, our method could be applied to other problems in quantum information theory where one needs to estimate summed probabilities. In this sense, our work not only proves the security of practical QKD systems but also has a potential to contribute to quantum information theory in general.

## MATERIALS AND METHODS

### Reference technique

The RT is a new framework to prove the security of QKD protocols. It is general and can reproduce the GLLP type security proofs involving the quantum coin idea (*19*–*21*) and the original LT protocol (*17*). Moreover, it can be applied to many different protocols. To see this, we refer the reader to the Supplementary Materials where we demonstrate that the GLLP type security proofs can be reconstructed from the RT. In addition, we outline the sufficient conditions to use the RT and prove the security of an *m*-state protocol. In this section, however, we present the key idea of the RT and show that it can be seen as a generalization of the LT protocol. For concreteness of the explanation, we concentrate on a particular example, the three-state protocol considered in Results.

Usually, to prove the security of QKD protocols, a relationship among the probabilities associated with the actual states needs to be established. Quite often, it is not straightforward to construct such a relationship, and the RT could be very useful to overcome this difficulty. The key idea is to consider a set of states, which we call the reference states, instead of the actual states. These reference states can be chosen freely, but they should be selected such that it is easy to derive a relationship among the probabilities associated with them. For this, it may be convenient to select the reference states in a structured space, such as a qubit space, and importantly, it is preferential that the resulting relationship is resilient against some imperfections in the space, such as the SPFs. Note that this relationship is associated with the reference states, and, therefore, it cannot be used directly in the security proof. However, since the reference states are chosen to be similar to the actual states, we can obtain a relationship associated with the actual states by slightly modifying the relationship for the reference states. In summary, the RT consists mainly of two parts:

1) Reference formula part: Here, we construct a relationship among the probabilities associated with the reference states.

2) Deviation evaluation part: Here, we transform the relationship for the reference states into a relationship for the actual states by evaluating the deviation between the probabilities associated with the reference states and those associated with the actual states.

We emphasize that the reference states are purely a mathematical tool to construct the reference formula, and we do not need to consider or imagine their practical implementation. Below, we show how to apply the RT in practice by presenting a rigorous security proof against coherent attacks for the three-state protocol.

*Security proof of the three-state protocol with side channels*. Let us assume a three-state protocol where Alice chooses a normalized state ∣ψ* _{j}*〉

*from the set {∣ψ*

_{B}*〉*

_{j}*}*

_{B}_{j = 0Z,1Z,0X}with probability

*p*for each pulse emission. For simplicity of discussion, we assume that

_{j}*Z*or in the

*X*basis with probabilities

*Z*-basis (

*X*-basis) measurement is represented by the POVM

*j*= 0

*,1*

_{Z}*, i.e., the*

_{Z}*Z*basis and the bit values obtained by Bob’s

*Z*-basis measurement.

Now, we write the states sent by Alice in the form of Eq. 1. That is, we expand the states ∣ψ* _{j}*〉

*by using an orthonormal basis, and in doing so, we select a qubit space that is common over the three states. This suggests that ∣ψ*

_{B}*〉*

_{j}*can be, most generally, decomposed into*

_{B}*〉*

_{j}*represents the qubit part of the state ∣ψ*

_{B}*〉*

_{j}*and the state*

_{B}*〉*

_{j}*. We stress that this orthogonality is needed only for each setting choice*

_{B}*j*but not between different choices of

*j*. Examples of these states were presented in Eq. 14; however, for generality, we do not restrict ourselves only to that scenario. In the security proof, we assume that the qubit parts {∣ϕ

*〉*

_{j}*}*

_{B}_{j = 0Z,1Z,0X}, which are to be adopted as the reference states, are perfectly characterized and stable in time, but we do not require any knowledge about the side-channel states

*satisfying 0 ≤ ϵ*

_{j}*≤ 1 quantifies the deviation of the state ∣ψ*

_{j}*〉*

_{j}*(*

_{B}*j*∈ {0

*,1*

_{Z}*,0*

_{Z}*}) from the qubit space. That is, the states ∣ψ*

_{X}*〉*

_{j}*are ideally qubit states; however, due to the presence of side channels, such as THA or pulse correlations, they deviate from this perfect scenario. Note that if ϵ*

_{B}*= 1, then it means that it is impossible to find such a qubit space for particular*

_{j}*j*. In our example, we assume that we know an upper bound ϵ on ϵ

*, i.e., ϵ*

_{j}*≤ ϵ for all*

_{j}*j*. Furthermore, we shall assume that the qubit states ∣ϕ

*〉*

_{j}*are those defined in Eq. 15. To summarize, even if there is no information about the side-channel state*

_{B}*〉*

_{j}*as the reference states and they are perfectly characterized and stable in time, and we know ϵ (or more generally, ϵ*

_{B}*). In particular, this means that the state*

_{j}*〉*

_{j}*emitted by Alice’s source do not need to be regarded as independently and identically distributed. This point will become clearer after Eq. 55. We remark, however, that if we select the reference states containing side-channel states, then they will no longer be perfectly known or stable in time. In this case, to make the mathematical analysis simpler, one could use analytical or numerical optimization to consider the worst-case scenario for the side-channel states, i.e., the case that maximizes the phase error rate. This maximization removes the potential dependence on the previous pulses and thus effectively provides pulses that are independent and stable in time. This is a purely mathematical step, and it does not require any extra assumptions on Alice’s source, e.g., the states ∣ψ*

_{B}*〉*

_{j}*do not need to be regarded as independently and identically distributed.*

_{B}Having finished the description of the states, we move on to the security proof using the RT. We are interested in proving the security of the bit values generated from the *Z*-basis events. From Eve’s perspective, this instance is equivalent to the one in which Alice selects the *Z* basis, prepares systems *A* and *B* in the state*B* to Bob while keeping system *A* in her laboratory, and then both Alice and Bob perform their measurements in the *Z* basis. To prove the security of the *Z*-basis events, we need to estimate the phase errors (*17*, *46*), which are defined in the *X* basis. That is, we consider the errors that Alice and Bob would have obtained if Alice had performed the *X*-basis measurement {∣0* _{X}*〉

*, ∣1*

_{A}*〉*

_{X}*} (with*

_{A}*Z*basis (a suitable choice under the basis independent efficiency condition may be the

*X*basis used in the actual protocol) for the measurement on the joint state defined in Eq. 29. This leads us to consider a virtual protocol in which Alice sends the virtual states

*17*) to Bob with probabilities

*Z*basis. Here,

*Z*basis and prepares the normalized virtual state

*X*-basis measurement.

In the security proof, it is convenient to represent the actual protocol in terms of a virtual entanglement-based protocol. As explained above, in this virtual protocol, we consider replacing Alice’s and Bob’s bases with the *X* basis when both of them select the *Z* basis. From Eve’s viewpoint, the actual protocol with this replacement can be equivalently described by Alice and Bob fictitiously preparing the following entangled state*C*, which is associated with Alice’s and Bob’s setting choices. In particular, ∣0_{z, A}, *X _{B}*〉

_{C}*(the virtual state for 1*

_{Z}*) and Bob chooses the*

_{X}*X*basis. Note that there are six states of system

*C*that store different classical information related with Alice’s and Bob’s setting choices, and they are all normalized and orthogonal to each other. After Alice prepares the entangled state in Eq. 31, we imagine that she performs an orthogonal measurement that projects system

*C*onto one of these six states, and Bob performs the measurement according to the basis directed by the measurement outcome. We remark that the first four terms in Eq. 31 correspond to the actual events that occur in the actual protocol, while the last two terms correspond to the virtual events. That is, the last two terms represent the events in which Alice and Bob select the

*Z*basis in the actual protocol; however, their basis choice is replaced by the

*X*basis for the security proof. The virtual events and the actual events are clearly defined in system

*C*, and they correspond to disjoint events. The actual protocol can then be regarded as, repeatedly, say,

*N*times, preparing systems

*B*and

*C*in the state ∣ψ〉

*followed by the measurements by Alice and Bob. Now, following the steps of the RT introduced above, we can estimate the phase errors associated with this protocol.*

_{CB}*Reference formula part*. As an example, we choose the reference states to be the qubit part of the actual states. For the actual states defined in Eq. 28, this corresponds to selecting the set

Note that Eq. 32 is analogous to Eq. 29, but the actual states have been replaced with their respective reference states. Then, we may imagine that Alice measures system *A* in the *X* basis and sends Bob the virtual states

Here, *Z* basis and prepares the normalized virtual state *X*-basis measurement. Now, we mathematically replace all the actual and virtual states in Eq. 31 with their respective reference states

Again, we emphasize that this entanglement-based protocol with the reference states is purely a mathematical tool for the security proof, and we do not need to consider or imagine its practical implementation. The reason why we have selected *17*), we can obtain a relationship between the reference states and the virtual states, which is expected to be LT against SPFs. More concretely, below, we consider that the reference states used are the ones defined in Eq. 15, and, in this case, we can express the virtual states for the reference states as in Eq. 18. We rewrite it here for convenience*a*, *b*, *c* ≥ 0 are given by

We remark that, in Eq. 35, we have highly exploited the properties of a qubit space, i.e., even with a negative sign in front of the coefficient *c*,

We now consider the following quantity*k*^{th} pulse when using the reference states and where *k*^{th} pulse after a coherent attack in the actual protocol, that is, *k*^{th} pulse is subjected to. This operator is obtained by Eve’s coherent attack that acts, in general, on all the pulses sent by Alice simultaneously and by considering all the *k* − 1 previous measurements by Alice and Bob. Here, *k* − 1 previous measurement outcomes obtained by Alice and Bob. The goal now is to transform the quantities associated with the reference states in Eq. 37 into those associated with the actual states for the *k*^{th} pulse

Using Eq. 35, we can express Eq. 37 as

Here, we emphasize that Eq. 40 is derived on the basis of the idea of the LT protocol, and therefore, it entails the robustness against the SPFs in the qubit space. That is, if there are no side channels, i.e., ϵ = 0, then Eq. 40, which is exactly the expression that is used in the original LT protocol (*17*), results in a secret key rate that is LT against SPFs. Therefore, this shows that the RT includes the LT protocol in the reference formula part. Next, we transform the relationship for the reference states in Eq. 40 into a relationship for the actual states. That is, we enter the deviation evaluation part of the RT.

*Deviation evaluation part*. For the transformation of Eq. 40, we use the bound in Eq. 20. We rewrite it here for convenience*R*⟩ (∣*A*⟩) is any normalized state associated with the reference (actual) states and

Note that −*g ^{L}*(

*x*,

*y*) and

*g*(

^{U}*x*,

*y*) are concave with respect to 0 ≤

*x*≤ 1 for any fixed 0 ≤

*y*≤ 1, and ∂

_{y}*g*(

^{L}*x*,

*y*) ≥ 0 and ∂

_{y}*g*(

^{U}*x*,

*y*) ≤ 0 hold. For more details on the derivation of Eq. 41, see the Supplementary Materials. Now, we consider the first three terms in Eq. 40, which are reexpressed as

*⟨*

_{CB}*A*

_{+}∣

*R*

_{+}⟩

*∣ = 1 − ϵ. Here, note that to calculate this inner product, we need to calculate the terms*

_{CB}*〈ψ*

_{B}*∣ϕ*

_{j}*〉*

_{j}*rather than*

_{B}Here, *P*^{(k)}(*q*_{0z,0x}∣Act) is the joint probability that Alice selects the setting 0* _{Z}*, and Bob’s measurement outcome is 0

*at the*

_{X}*k*

^{th}instance, conditional on the first

*k*− 1 measurements by Alice and Bob in the entanglement-based protocol for the actual protocol. The other probabilities are defined in a similar manner. This finishes the transformation of the first three terms with respect to the probabilities associated with the actual protocol.

Next, we consider the last three terms in Eq. 40, which are reexpressed as*p _{ZA}* ≔

*p*

_{0Z}+

*p*

_{1Z}is the normalization factor. The term Tr[ · ] in Eq. 49 can be expressed as

Here, we have used the fact that the state

As a result, we have transformed the last three terms in Eq. 40 into* _{CB}*⟨

*A*

_{−}∣

*R*

_{−}⟩

*∣ = 1 − ϵ. As before, to calculate this inner product, we need to calculate the terms*

_{CB}*〈ψ*

_{B}*∣ ϕ*

_{j}*〉*

_{j}*rather than*

_{B}*P*

^{(k)}(ph∣Act) and the fact that the states

Now, we combine Eqs. 40, 47, 53, and 54 to obtain a relationship for the *k*^{th} pulse associated with the actual states* _{CB}*⟨

*A*

_{+}∣

*R*

_{+}⟩

*∣ and ∣*

_{CB}*⟨*

_{CB}*A*

_{−}∣

*R*

_{−}⟩

*∣ have the value of 1 − ϵ. Therefore, Eq. 55 does not depend on the inner products of the side-channel states or on the inner products between the side-channel states and the qubit states. In particular, this means that our security proof works even if we do not know anything about the side-channel states, and, thus, they can vary in time and depend on the previous pulses, as discussed above. Note that Eq. 55 is the required relationship for the actual states. This finishes the deviation evaluation part.*

_{CB}Last, we have to convert Eq. 55 into a relationship in terms of numbers rather than probabilities. The procedure for this step is quite standard (*17*, *18*, *26*, *47*). For this, first, note that *g ^{U}*(

*x*,

*y*) and −

*g*(

^{L}*x*,

*y*) are concave functions with respect to 0 ≤

*x*≤ 1 for any fixed 0 ≤

*y*≤ 1. In addition, recall that the use of Azuma’s inequality (

*37*) or Kato’s inequality (

*38*) converts the summed probabilities into the corresponding number in the asymptotic limit of a large number of pulses sent. That is, for

*N*→ ∞,

*N*(

*q*

_{j,jB}∣ Act) is the number of events with Alice’s setting choice equal to

*j*and Bob’s outcome equal to

*j*in the experiment after

_{B}*N*runs of the quantum communication protocol. Here, we emphasize that the use of Azuma’s or Kato’s inequality can deal with any correlations between Alice and Bob’s measurement outcomes, making our proof valid against coherent attacks. Now, we take a summation over

*k*∈ {1,2, ⋯,

*N*} in Eq. 55, and together with the two ingredients mentioned above, we find the final expression as

This inequality involves only the number of events defined in the actual protocol, and by solving this with respect to *N*(ph∣Act), the security proof is done. We emphasize that our proof is valid for any coherent attack because Eqs. 55 and 56 hold for any

### Arbitrarily long-range pulse correlations

In this section, we show how to extend our analysis to accommodate arbitrarily long-range correlations between the pulses. To simplify the discussion, we consider the three-state protocol, but this formalism can be easily extended to any number of states. Our starting point is the assumption in Eq. 13. We rewrite it here for convenience*k* ∈ {1,2, ⋯, *n*} and 1 ≤ *w* ≤ *k* − 1. Note that the difference between both states is in the *j _{k}*,

*j*

_{k − 1}, ⋯,

*j*

_{1}and ~

*j*

*, and the term*

_{w}*k*−

*w*is associated with the correlation under consideration. For example, when

*k*−

*w*= 1, it refers to the nearest-neighbor pulse correlation considered in Results. Furthermore, without loss of generality, we can assume the relation

*j*⟩

_{w}*. Using these assumptions, an extension of our framework is now presented. That is, we show how to obtain a lower bound on the parameter*

_{Aw}*a*in Eq. 1 starting from Eq. 57. More generally, the entangled state prepared by Alice, shown in Eq. 2, can now be written as

_{j}*j*

_{ζ}∈ {0

*,1*

_{Z}*,0*

_{Z}*} and ζ ∈ {1,2, ⋯,*

_{X}*n*}. Note that

*j*

_{0}represents having no condition, and the state ∣ψ

_{jζ ∣ jζ − 1, ⋯, j1}⟩

_{Bζ}represents the long-range pulse correlations, that is, the state of the ζ

^{th}pulse depends on all the previous setting choices. As before, we suppose that Alice measures her ancilla systems up to the

*k*

^{th}pulse. More precisely, she measures the first

*k*− 1 systems of {

*A*

_{ζ}}

_{ζ = {1,2, ⋯, n}}by using the computational basis. The whole (unnormalized) state can then be expressed as

To clarify, after Alice’s measurement, the state ∣Ψ〉* _{AB}* in Eq. 59 becomes the state

Now, similar to our analysis for the nearest-neighbor pulse correlations, to see how the information *j _{k}* is encoded in the state

*j*but

_{k}*j*. Furthermore, note that

_{k}Next, we obtain a lower bound on the coefficient *j _{k}*. One of these choices could be

*n − k*) systems in Eq. 60 with only the

*k*

^{th}index of

*. This state is independent of*

_{X}*j*. Since

_{k}In the second equality, we use the result given by Eq. 58, and the inequality comes from Eq. 57.

## SUPPLEMENTARY MATERIALS

Supplementary material for this article is available at http://advances.sciencemag.org/cgi/content/full/6/37/eaaz4487/DC1

This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial license, which permits use, distribution, and reproduction in any medium, so long as the resultant use is **not** for commercial advantage and provided the original work is properly cited.

## REFERENCES AND NOTES

**Acknowledgments:**We thank G. Currás Lorenzo and Á. Navarrete for very valuable discussions. We also thank an anonymous referee for finding a mistake in a previous version of this manuscript.

**Funding:**This work was supported by the Spanish Ministry of Economy and Competitiveness (MINECO), the Fondo Europeo de Desarrollo Regional (FEDER) through the grant TEC2017-88243-R, and the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant agreement no. 675662 (project QCALL). K.T. acknowledges support from JSPS KAKENHI grant nos. JP18H05237 18H05237 and JST-CREST JPMJCR 1671.

**Author contributions:**M.P. and K.T. conceived the initial idea of how to deal with pulse correlations. K.T. constructed the RT through discussions with all the other authors. Then, G.K., A.M., and M.C. contributed to the development and discussion of the initial idea and the RT with M.P. and K.T. M.P. performed the numerical simulations. All authors contributed to writing the manuscript.

**Competing interests:**The authors declare that they have no competing interests.

**Data and materials availability:**All data needed to evaluate the conclusions in the paper are present in the paper and/or the Supplementary Materials. Additional data related to this paper may be requested from the authors.

- Copyright © 2020 The Authors, some rights reserved; exclusive licensee American Association for the Advancement of Science. No claim to original U.S. Government Works. Distributed under a Creative Commons Attribution NonCommercial License 4.0 (CC BY-NC).