Quantum key distribution (QKD) allows the generation of random secure keys between distant communication parties, of which the security is guaranteed by quantum physical laws. Apart from its theoretical advances, QKD is also one of the few quantum information processing technologies that can be robustly deployed in the field, where photonic systems are considered the most suitable carriers of QKD operation. In general, two types of QKD protocols exist based on the detection methods: discrete-variable (DV) QKD [1,2] uses the single-photon detector or photon-number-resolving detector to generate discrete detection information, while continuous-variable (CV) QKD [3–5] applies optical homodyne or heterodyne detection to generate continuous measurement information.

CV QKD has its advantages over DV QKD in short distances, mainly attributing to the distinct features of the coherent detectors used. The homodyne and heterodyne detectors are compatible with the standard classical communication and can be operated in much milder conditions than single-photon detectors. The spatial-temporal filtering of the local oscillators (LOs) allows dense wavelength-division multiplexing with intense classical channels [6–8], and the high quantum efficiency and operation rate give CV QKD high key rates in metropolitan distances [9–11]. Moreover, the feasibility of on-chip implementations of the coherent detectors [12] promises large-scale integrated quantum networks. CV QKD is therefore considered highly practical and promising.

However, there exist two major limitations to the reliability of CV QKD. First, the transmission of the strong local oscillators is usually necessary to set up the phase reference between the communication parties, yet this complicates the implementation in the multiplexing separation and the relative phase shift calibration with the signals [13]. The LO transmission also opens up security loopholes where the eavesdropper Eve can affect the estimation of the signal variance by manipulating the LO intensity [14,15], input time [16], and wavelength [17]. The “local” local oscillator scheme [13,18] is a valid solution, yet it still requires the transmission of pilot pulses and compensation in the classical post-processing layer, which increases the experimental complexity. Second, the security of CV QKD in the finite-data regime under coherent attacks is still incomplete. In fact, for the traditional entanglement-distillation approach [19], the finite-size coherent attack security is only tackled for Gaussian-modulated CV QKD [20], which is, however, impractical since continuous modulation is never possible in reality.

Recently, several remarkable works on CV QKD have been proposed, aiming at closing its security loopholes. In Refs. [5,21], Koashi et al. proposed a DV-like security analysis for the binary phase shift keying CV QKD. Their analysis covers the finite size and coherent attack intrinsically since it follows the phase-error complementarity approach [22], yet their protocol still assumes the transmission of local oscillators. Qi [23] and Primaatmaja et al. [24] proposed CV QKD protocols with two-mode encoding, generating dual-rail qubits that do not require global references. Their security analyses, however, do not cover the finite-data regime and coherent attacks. In fact, Qi’s analysis requires repeated measurements and is only valid for individual attacks, and Primaatmaja et al.’s analysis is based on the Devetak-Winter formula [19] and is only valid for collective attacks. Hence, the gap in CV QKD between theory and practice is still a challenging problem to be tackled.

In this work, we close this gap by proposing a new time-bin-encoding CV QKD protocol that enjoys both simple security proof and practical implementation. We remove the necessity of LO transmission by the two-mode encoding, hence closing the security loophole while simplifying the experimental setups. We follow the phase-error complementarity approach [22,25,26] so that the security naturally covers the general coherent-attack case. What is more, the intensity-based encoding allows phase randomization to be applied, where we can group the received signals based on the transmitted photon numbers and restore the tagging-based security analysis [27,28] and the decoy-state method [29,30]. Instead of generating secure key bits from all raw key bits, we can thus take advantage of the photon-number tags and distill key bits from the rounds with a low phase-error rate. Our tagging-based security analysis builds a direct connection between CV QKD and the normal Bennett-Brassard-1984 (BB84) protocol: we clearly show how the multi-photon components in the CV QKD protocol contribute to a higher key rate in short distances. Compared with a similar protocol in Ref. [24] with numerical optimization under collective attacks, our protocol generates higher key rates under coherent attacks with simpler parameter estimation using four decoy levels, while also demonstrating good finite-size performance with a data size of $N={10}^{10}$.

We will start with the protocol description of the time-bin-encoding CV QKD in Section 2. We present its security analysis based on phase-error correction [22,25,26] in Section 3, identifying an equivalent protocol squashing the optical modes into qubits with identical key mapping statistics [5,27,31] in Section 3.A. We exploit the block-diagonal structures of both the source and the receiver in Section 3.B, thus invoking the photon-number tagging technique [27,28] standard in DV QKD in this CV protocol. In Section 3.C, we calculate the parameters in the key-rate formula with quantities on optical modes. The estimation of these quantities will be explained in Section 4 with homodyne tomography [32] and a decoy method [29,30]. We finally simulate the asymptotic and finite-size performances of the time-bin CV QKD under realistic fiber-channel setups in Section 5.

We present the proposed time-bin-encoding CV QKD protocol in Table 1 and depict its schematic diagram in Fig. 1. The two communication parties, Alice and Bob, employ the time-bin degree of freedom to encode keys. They use the $Z$-basis for key generation and $X$-basis for parameter estimation. At the moment, we do not present the details of the $X$-basis parameter settings. We will specify the choices of the random phase factors, ${\phi }_a^1,{\phi }_a^2,{\phi }_b^1$ and ${\phi }_b^2$, and the light intensity, ${\mu }_a\in \{\mu ,{\nu }_1,{\nu }_2,0\}$, in Section 4.Table 1.

Phase-Randomized Time-Bin-Encoding CV QKD

Here, we briefly explain the idea behind the protocol design. The source states of our scheme resemble the ones in the time-bin-encoding BB84 protocol with coherent states [1], where the light intensities of the consecutive pulses naturally encode the key-bit information. As the key information is encoded in the relative intensity between the two modes, Alice does not need to send a pilot phase reference as in common CV QKD. The source states also resemble those in the coherent-one-way (COW) protocol [33,34]. The difference is that we randomize the phase of the coherent state pulses and employ homodyne detection for the measurement devices.

In our scheme, Bob decodes the key bit information, namely, the $Z$-basis information, by measuring the light intensity of the pulses using the homodyne detectors. For instance, when Bob observes $q_1$ to be close to zero and $q_2$ to be far away from zero, he may naturally guess that the original state sent by Alice corresponds to $k_a=0$. However, unlike the key decoding with photon-number detectors, the result of measuring a coherent state’s quadrature is subjected to a Gaussian distribution rather than a fixed value. The inherent shot noise of the homodyne detection introduces an intrinsic error in distinguishing a vacuum state from a pulse with a non-zero intensity [35]. To suppress the bit error, we introduce a threshold value, $\tau$, in key decoding. The pulse intensity will be considered non-zero only when the quadrature magnitude is larger than $\tau$. So a bit 0 will be decoded if $|q_1|<\tau$ and $|q_2|>\tau$ and bit 1 if $|q_1|>\tau$ and $|q_2|<\tau$. The choice of $\tau$ should be optimized with respect to the channel transmittance and pulse intensity. As we will show in Appendix A, although this key mapping scheme can be further optimized, the performance of the simple key mapping scheme is already near-optimal.

The $X$-basis is designed to estimate the information leakage of different photon-number components of the $Z$-basis. Thanks to the phase randomization for both the sources and the detectors, the $Z$-basis states are block-diagonal on the total photon-number basis on the two optical modes after being emitted from the source and before being measured by the homodyne detectors. As we will clarify in Section 3, we can equivalently introduce total photon-number measurements at these two locations. As a result, Eve’s eavesdropping strategy is effectively “twirled” to a photonic channel that only acts on the states incoherently with respect to the total photon numbers. One can thus virtually tag the emitted and received pulses according to the photon-number space, allowing the Gottesman-Lütkenhaus-Lo-Preskill (GLLP) framework [27] for analyzing the key privacy contained in each photon-number subspace. In particular, dealing with photon-number spaces effectively brings our security analysis to the DV regime. In Section 3, we shall construct observables to estimate the $m$-photon component phase-error rates $e_{m,m}^X$ for privacy estimation. Intuitively, the phase-error rates $e_{m,m}^X$ provide upper bounds on the key information leakage to the eavesdropper, Eve.

To estimate the $m$-photon component phase-error rates, $e_{m,m}^X$, ideally, we need a source emitting the photon-number cat states, $(|0⟩|m⟩\pm |m⟩|0⟩)/\sqrt{2}$, and photon-number-resolving measurements that distinguish the cat states. While this is not directly implementable, we can use only coherent states and homodyne measurements to establish unbiased estimators of $e_{m,m}^X$, as shown in Table 2. On the source side, we employ a generalized decoy-state method to estimate the behaviors of photon-number-cat states using coherent states with various intensities [29,30], which shall be discussed in Section 4.B. On the detection side, ideally, we also want to measure the photon-number-cat states to obtain unbiased estimation of the phase-error rates, $e_{m,m}^X$. While this is not directly measurable in practice, we employ the homodyne tomography technique and estimate the photon-number-cat state measurement via quadrature measurement results [36–41], which shall be discussed in Section 4.A.Table 2.

State Preparation and Detection Settings in the Ideal Implementation and the Realistic Implementation^a

We briefly remark on the performance of homodyne detection. In key decoding, one may consider the homodyne detection as ill-performed single-photon detectors that introduce an inevitable bit-error rate. On the other hand, homodyne detection allows for more efficient parameter estimation than single-photon detection. As we shall discuss later, the set of all quadrature operators spans the underlying mode, thus allowing one to express any linear operator in terms of the quadrature operators. Therefore, with proper transformation of the quadrature measurement results, homodyne detection allows one to obtain an unbiased estimation of linear operator expectations. This is the reason for accurately estimating phase-error rates with repeated homodyne measurements, including those of the multi-photon components. In comparison, as the single-photon detection is not information-complete, estimation of multi-photon observables requires more complex setups such as sequential beam splitting [42], and one can only obtain upper and lower bounds rather than an unbiased estimation.

We analyze the security of our phase-randomized time-bin-encoding CV QKD protocol along the complementarity approach [22,26,27]. As outlined in Fig. 2, we shall set up a series of equivalent protocols of the realistic implementation that do not change the statistics of any observer, with which we define the phase-error observable and estimate the key privacy. In Section 3.A, we shall prove that raw key generation can be effectively regarded as qubit measurements on a pair of entangled qubits, which allows us to borrow the mature complementarity-based security analysis in the DV regime. In brief, on the source side, we transform the preparation of key states to an entanglement-based protocol [25,26], where a qubit measurement controls the key-encoding process, as shown in Fig. 2(b). On the detection side, we prove that the homodyne measurement can be squashed into an effective qubit measurement, as shown in Fig. 2(c). Moreover, in Section 3.B, we shall rigorously prove that phase randomization twirls the photonic modes into diagonal states on the Fock basis and explain how to apply the tagging idea of the GLLP framework [27,28]. We also show how to estimate the phase-error rates for different photon-number components from Fock-basis observables in Section 3.C. Later in Section 4, we show that the estimation can be realized in the realistic implementation with coherent states and homodyne detection.

To focus on the essence of security analysis, we present the result in a single-round analysis in this section, where one can interpret it as the quantum Shannon limit under collective attacks. Namely, Eve applies the same attacking strategy to the quantum signal of Alice and Bob in each round. At the end of the protocol, Eve applies an optimal joint operation to guess the users’ final key. Note that a collective attack is stronger than an individual attack, where Eve must measure her side information before the classical post-processing in an individual attack. Nevertheless, the complementarity-based security analysis is inherently adapted to the most general case, namely, the coherent attack, where the statistics over the rounds may not be independent and identically distributed (i.i.d.) [43]. Unlike the collective attack, Eve may vary her attacking strategies in different rounds. Readers may refer to Ref. [44] for a detailed discussion on the various types of attacks. We will discuss the parameter estimation with non-i.i.d. finite statistics in Section 4.C.

Here, we show the equivalence of the time-bin CV QKD protocol to a qubit-based entanglement distribution protocol, where the protocols generate the same transmitted quantum states and measurement statistics. The latter protocol enables us to simplify the security analysis and estimate the information leakage from phase-error rates.

We first focus on the key-generation rounds in the protocol where both users choose the $Z$-basis, of which the whole procedure is depicted in Fig. 2(a). In the realistic implementation, Alice prepares phase-randomized coherent states, $${\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_a}{2\pi }|\mathrm{\Psi }{(k_a)}_{{\phi }_a}{⟩}_{A_1{A}_2}⟨\mathrm{\Psi }{(k_a)}_{{\phi }_a}|,$$(1)where $$|\mathrm{\Psi }{(k_a)}_{{\phi }_a}{⟩}_{A_1{A}_2}=\{\begin{array}{cc}{|0⟩}_{A_1}{|\sqrt{\mu }{e}^{i{\phi }_a}⟩}_{A_2},& \mathrm{if}{k}_a=0,\\ {|\sqrt{\mu }{e}^{i{\phi }_a}⟩}_{A_1}{|0⟩}_{A_2},& \mathrm{if}{k}_a=1.\end{array}$$(2)We denote the optical modes sent to Bob as $A_1$ and $A_2$, which are CV systems. Throughout this paper, we treat the phase of optical modes, ${\phi }_a$, as fully randomized over $[0,2\pi )$. Finite phase randomization, ${\phi }_a\in {\{2j\pi /D\}}_{j\in [D]}$, suffices for a practical implementation, where its difference from the full phase randomization is negligible when $D$ is sufficiently large [45]. This is also the case in later discussions on the detector phase randomization. Alice’s key-state preparation can be effectively seen as an entanglement-based protocol [25,26]. Given the phase value, ${\phi }_a$, Alice first prepares the following entangled state: $$\begin{gathered} {|{\mathrm{\Psi }}_{{\phi }_a}⟩}_{A^{\prime }{A}_1{A}_2}=\frac{1}{\sqrt{2}}({|0⟩}_{A^{\prime }}|\mathrm{\Psi }{(k_a=0)}_{{\phi }_a}{⟩}_{A_1{A}_2} \\ +{|1⟩}_{A^{\prime }}|\mathrm{\Psi }{(k_a=1)}_{{\phi }_a}{⟩}_{A_1{A}_2}), \end{gathered}$$(3)where system $A^{\prime }$ is a qubit system that superposes the two possible key states. The entangled state can be prepared by the quantum circuit in Fig. 2(b). Up to phase randomization, systems $A^{\prime }$ and $A_1{A}_2$ are initialized in $|+⟩$ and $|0⟩|\sqrt{\mu }⟩$, and a control-swap operation is then applied from the qubit system to the optical modes. Alice obtains raw key bit $k_a$ by measuring system $A^{\prime }$ on the computational basis, and the optical modes are prepared into the corresponding key state, $|\mathrm{\Psi }{(k_a)}_{{\phi }_a}⟩$. The complementary observable of Alice’s key-generation measurement can thus be defined over qubit system $A^{\prime }$, which measures the complementary basis of $\{|+⟩,|-⟩\}≔\{(|0⟩\pm |1⟩)/\sqrt{2}\}$.

At the detection side in Fig. 2(a), Bob receives two optical modes $B_1$ and $B_2$, takes homodyne measurements, and maps the quadratures to a raw key or an abort signal. This process can be described by a trace-non-preserving completely positive map, $$\begin{gathered} {\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}({\widehat{\rho }}_{B_1{B}_2})={\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_b}{2\pi }{\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2 \\ {\widehat{K}}^{(q_1,q_2,{\phi }_b)}{\widehat{\rho }}_{B_1{B}_2}{\widehat{K}}^{(q_1,q_2,{\phi }_b)⏧}, \end{gathered}$$(4)where $$\begin{gathered} {\widehat{K}}^{(q_1,q_2,{\phi }_b)}≔{|0⟩}_{B^{\prime }}⟨q_1({\phi }_b),q_2({\phi }_b){|}_{B_1,B_2} \\ +{|1⟩}_{B^{\prime }}⟨q_2({\phi }_b),q_1({\phi }_b){|}_{B_1,B_2}, \end{gathered}$$(5)$|q(\phi )⟩$ is the rotated position eigenstate of quadrature observable $${\widehat{Q}}_{\phi }=\widehat{a}{e}^{-i\phi }+{\widehat{a}}^{†}{e}^{i\phi },$$(6)with $\widehat{a}$ and ${\widehat{a}}^{†}$ denoting the annihilation and creation operators, respectively, and ${\mathbf{R}}_0\in {\mathbb{R}}^2$ records the region that decodes the real-valued tuple, $(q_1,q_2)$, as $k_b=0$. Note that in our protocol, ${\mathbf{R}}_0=\{|q_1|<\tau \}\times \{|q_2|>\tau \}$, and the region decodes the quadratures to $k_b=1$ under the mapping $(q_1,q_2)\mapsto (q_2,q_1)$, which we denote as ${\mathbf{R}}_1=\{|q_1|>\tau \}\times \{|q_2|<\tau \}$. The LOs of homodyne measurements are synchronically randomized, as denoted by ${\phi }_b$ in Eq. (4). As the key-decoding region does not cover the entire parameter space, ${\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}$ is hence not trace-preserving, where $\mathrm{Tr}[{\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}({\widehat{\rho }}_{B_1{B}_2})]$ gives the probability of obtaining raw key bit $k_b\in \{0,1\}$. Bob’s raw key can be equivalently seen as obtained by measuring the squashed sub-normalized qubit on the computational basis, and the probabilities are given by $$\begin{gathered} \mathrm{Pr}(k_b=0)=⟨0|{\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}({\widehat{\rho }}_{B_1{B}_2})|0⟩ \\ ={\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_b}{2\pi }{\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2⟨q_1({\phi }_b),q_2({\phi }_b)|{\widehat{\rho }}_{B_1{B}_2}{|q}_1({\phi }_b),q_2({\phi }_b)⟩, \\ \mathrm{Pr}(k_b=1)=⟨1|{\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}({\widehat{\rho }}_{B_1{B}_2})|1⟩ \\ ={\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_b}{2\pi }{\int }_{{\mathbf{R}}_1}\mathrm{d}{q}_1\mathrm{d}{q}_2⟨q_1({\phi }_b),q_2({\phi }_b)|{\widehat{\rho }}_{B_1{B}_2}|q_1({\phi }_b),q_2({\phi }_b)⟩. \end{gathered}$$(7)Similar to the treatment to $A^{\prime }$, we can define the complementary observable of Bob’s key generation measurement on qubit system $B^{\prime }$.

In the last section, we have shown that raw keys can be equivalently seen as generated from qubit measurements on $A^{\prime }$ and $B^{\prime }$. Should Alice and Bob instead measure the qubit system on the complementary bases, the probability that they obtain different results, or the phase-error rate, $e^X$, could be used to upper-bound the average privacy amplification cost per round as $h(e^X)$, where $h(p)=-p\log p-(1-p)\log (1-p)$ is the binary entropy function. Nevertheless, the actual privacy leakage may be less than the direct calculation. Note that the above privacy leakage estimation is averaged over the overall quantum state transmitted from Alice to Bob. The contribution to the privacy leakage of different components in quantum signals can differ. For instance, Eve can apply the photon-number-splitting (PNS) attack in the rounds in which Alice transmits two photons and Bob receives only a single photon [46,47]; hence no privacy should be expected, rendering the phase-error probability to be 1/2 in these rounds. If Alice and Bob can distinguish such rounds from the others, they can simply discard them in privacy amplification. The GLLP framework makes the above statement rigorous [27,28]. Suppose Alice and Bob can categorize the transmitted quantum signals into different groups, or tags, and evaluate phase-error probabilities separately. The privacy amplification cost can be evaluated by $\sum _i{Q}_{i}h(e_i^X)$, where $Q_i$ is the probability that a signal in the $i$th group is transmitted and detected, namely, the gain, and $e_i^X$ is the phase-error probability of the group. Due to the concavity of the entropy function, this estimation is no larger than $h(\sum _i{Q}_i{e}_i^X)$.

In DV QKD, the tagging idea has been well practiced. In the coherent-state-based BB84 protocol, phase randomization on the source side diagonalizes the quantum signals on the Fock basis [29,30], and an ideal single-photon detector naturally distinguishes the single-photon components from other detected Fock components, allowing Alice and Bob to tag the quantum states with respect to the photon number [48]. Similarly, we now prove that the photon-number tag can also be applied to the phase-randomized CV QKD protocol in Table 1. On the source side, the phase randomization diagonalizes the state on the joint Fock basis, $$\begin{gathered} {\widehat{\rho }}^Z={\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_a}{2\pi }\frac{1}{2}{|0⟩}_{A_1}⟨0|\otimes {|\sqrt{\mu }{e}^{i{\phi }_a}⟩}_{A_2}⟨\sqrt{\mu }{e}^{i{\phi }_a}| \\ +\frac{1}{2}{|\sqrt{\mu }{e}^{i{\phi }_a}⟩}_{A_1}⟨\sqrt{\mu }{e}^{i{\phi }_a}|\otimes {|0⟩}_{A_2}⟨0| \\ =\sum _{m=0}^{\infty }{\mathrm{Pr}}_{\mu }(m)\frac{1}{2}({|0m⟩}_{A_1{A}_2}⟨0m|+{|m0⟩}_{A_1{A}_2}⟨m0|), \end{gathered}$$(8)where ${\mathrm{Pr}}_{\mu }(m)=e^{-\mu }{\mu }^m/m!$ is the Poisson distribution. Consequently, one can virtually insert a photon-number measurement after phase randomization to measure the total photon number on the two modes without changing the state, as shown in Fig. 2(b). On the detection side, when Bob takes the $Z$-basis measurement, the phase-randomized homodyne detector POVM elements can be expanded on the Fock basis [24], $$\begin{gathered} \widehat{\mathrm{\Pi }}(q_1,q_2)={\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_b}{2\pi }{|q_1({\phi }_b)⟩}_{B_1}⟨q_1({\phi }_b)|\otimes {|q_2({\phi }_b)⟩}_{B_2}⟨q_2({\phi }_b)| \\ =\sum _{n=0}^{\infty }\sum _{k_0=0}^n\sum _{l_0=0}^n{\psi }_{k_0}(q_1){\psi }_{l_0}(q_1){\psi }_{n-k_0}(q_2){\psi }_{n-l_0}(q_2) \\ {|k_0,n-k_0⟩}_{B_1{B}_2}⟨l_0,n-l_0|, \end{gathered}$$(9)where $${\psi }_n(q_j)=\frac{1}{\sqrt{2^{n}n!\sqrt{2\pi }}}{H}_n(q_j/\sqrt{2})e^{-q_j^2/4}$$(10)is the coordinate representation of Fock state $|n⟩$, with $H_n$ being the $n$th Hermite polynomial. Therefore, one can virtually insert another photon-number measurement after phase randomization before the squashing channel [Eq. (4)] on the detection side to measure the total photon number of the received state, as shown in Fig. 2(d).

Based on the above results, we depict a virtual quantum circuit of the protocol when both Alice and Bob choose the $Z$-basis in Fig. 2(e). We denote the photon-number measurement results on the source side and the detection side as $m$ and $n$, respectively. Alice and Bob can thus distill secrete keys separately based on the photon-number tag of $(m,n)$.

A lower bound on the key rate can then be given by [27,28] $$r\ge \sum _{m=0}^{\infty }{Q}_{m,m}[1-h(e_{m,m}^X)]-f{Q}^{Z}h(e^Z),$$(11)where $Q_{m,m}$ and $e_{m,m}^X$ denote the gain and the phase-error rate in the rounds where $m$ photons are sent and $m$ photons are accepted, $Q^Z$ is the $Z$-basis gain, $e^Z$ is the bit-error rate, and $f$ is the efficiency of information reconciliation (note not to confuse the gains with quadrature observables). In addition, since Bob’s key decoding succeeds probabilistically where he only accepts quadratures above the threshold, we use the term “accepting” to represent receiving a certain state and passing the post-selection. All the gains and error rates in the key-rate formula are restricted to the rounds with light intensity ${\mu }_a=\mu$. We discard the rounds where the total photon number decreases after state transmission, as the photons that are lost may come from Eve’s interception, with which Eve can apply a PNS attack. The corresponding phase-error probability is 1/2; hence these rounds do not contribute to key generation. In addition, as the transmission channel is naturally lossy in a usual setting, we do not account for the terms where the total photon number increases.

Note that the key-rate formula in Eq. (11) assumes forward reconciliation, where Bob reconciles his raw keys to Alice’s, $k_a$, and then the users perform privacy amplification. The rounds where Alice sends a non-vacuum state while Bob receives a vacuum state are hence insecure, since the information carriers are lost through the channel. Instead, if reverse reconciliation is used, where Alice reconciles her raw keys to Bob’s, the rounds where Bob receives a vacuum state become secure. One can interpret Bob’s raw keys in these rounds as generated from local random numbers, and no information is known a priori in transmission. This is a common practice in usual CV QKD and in accordance with the observation in Ref. [23]. The fact that the vacuum component can also contribute to the key-rate formula was first observed in Ref. [49]. We present as Theorem 1 the key-rate lower bound with reverse reconciliation as the main key-rate formula to be used throughout this paper.

Theorem 1. For the time-bin CV QKD protocol in Table 1 with reverse reconciliation, in the asymptotic limit of an infinite data size, the distillable secure key rate $r$ is lower bounded by $r_{\mathrm{rev}}$, $$r\ge r_{\mathrm{rev}}=Q_{*,0}+\sum _{m=1}^{\infty }{Q}_{m,m}[1-h(e_{m,m}^X)]-f{Q}^{Z}h(e^Z),$$(12)where $Q_{m,m}$ and $e_{m,m}^X$ denote the gain and the phase-error rate in the rounds where $m$ photons are sent and $m$ photons are accepted, $Q^Z$ is the $Z$-basis gain, $e^Z$ is the bit-error rate, and $f$ is the efficiency of information reconciliation. $Q_{*,0}$ represents the gain of the rounds where Bob accepts a vacuum state for whatever state is sent by Alice.

We now evaluate the key-rate formula in Eq. (12) with Fock-basis observables [5]. The bit-error rate $e^Z$ can be directly measured, as the $Z$-measurement statistics in the entanglement-based squashing model are the same as the realistic statistics. To evaluate the gains and phase-error probabilities, we first determine the state before the phase-error measurement under each photon-number tag. Define ${\widehat{P}}_m$ as the projector onto the $m$-photon state on modes $A_1$ and $A_2$. When sending $m$ photons, the source in Fig. 2(b) collapses to $${\widehat{P}}_m^{A_1{A}_2}{\widehat{\rho }}_{A^{\prime }{A}_1{A}_2}{\widehat{P}}_m^{A_1{A}_2}={\mathrm{Pr}}_{\mu }(m){|{\mathrm{\Psi }}_m⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_m|,$$(13)where $$\begin{gathered} {|{\mathrm{\Psi }}_m⟩}_{A^{\prime }{A}_1{A}_2}=\frac{1}{\sqrt{2}}({|0⟩}_{A^{\prime }}{|0m⟩}_{A_1{A}_2}+{|1⟩}_{A^{\prime }}{|m0⟩}_{A_1{A}_2}), \\ {\mathrm{Pr}}_{\mu }(m)=\frac{e^{-\mu }{\mu }^m}{m!}. \end{gathered}$$(14)Upon transmitting the $m$-photon state, ${|{\mathrm{\Psi }}_m⟩}_{A^{\prime }{A}_1{A}_2}$, the $n$-photon state is selected on the detection side after the squashing channel, $$\begin{gathered} {\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}\{{\widehat{P}}_n^{B_1{B}_2}{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}[{\mathrm{Pr}}_{\mu }(m){|{\mathrm{\Psi }}_m⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_m|]{\widehat{P}}_n^{B_1{B}_2}\} \\ =Q_{m,n}{\widehat{\rho }}_{A^{\prime }{B}^{\prime }}^{(m,n)}, \end{gathered}$$(15)where ${\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}$ represents Eve’s channel, and $Q_{m,n}$ denotes the probability of sending an $m$-photon state and accepting an $n$-photon state, namely, the gain for the states tagged by the photon-number tuple, $(m,n)$. Note that the probability that Bob aborts the signal is reflected in $Q_{m,n}$. The normalized state, ${\widehat{\rho }}_{A^{\prime }{B}^{\prime }}^{(m,n)}$, is a bipartite qubit, with which we evaluate the phase-error probability, $$e_{m,n}^X=\mathrm{Tr}[{\widehat{\rho }}_{A^{\prime }{B}^{\prime }}^{(m,n)}({|+-⟩}_{A^{\prime }{B}^{\prime }}⟨+-|+{|-+⟩}_{A^{\prime }{B}^{\prime }}⟨-+|)].$$(16)With respect to the complementary-basis measurement result on the qubit $A^{\prime }$, $+$ or $-$, the state on modes $A_1$ and $A_2$ collapses to $${|{\mathrm{\Psi }}_m^{\pm }⟩}_{A_1{A}_2}=\frac{1}{\sqrt{2}}{(|0m⟩\pm |m0⟩)}_{A_1{A}_2}$$(17)with equal probabilities. For the state on Bob’s systems $B_1$ and $B_2$ under tag $(m,n)$, ${\widehat{\rho }}_{B_1{B}_2}^{(m,n)}$, the statistics of the complementary measurement are given by $$\begin{gathered} {}_{B^{\prime }}⟨\pm |{\mathcal{F}}_{\mathrm{rand}}^{B_1{B}_2\to B^{\prime }}[{\widehat{\rho }}_{B_1{B}_2}^{(m,n)}]{|\pm ⟩}_{B^{\prime }}=\mathrm{Tr}[{\widehat{\rho }}_{B_1{B}_2}^{(m,n)}{\widehat{M}}_{\pm }] \\ =\mathrm{Tr}[{\widehat{\rho }}_{B_1{B}_2}^{(m,n)}{\widehat{P}}_n{\widehat{M}}_{\pm }{\widehat{P}}_n], \end{gathered}$$(18)where $${\widehat{M}}_{\pm }=\frac{1}{2}{\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2{\int }_0^{2\pi }\frac{\mathrm{d}{\phi }_b}{2\pi }[|q_1({\phi }_b),q_2({\phi }_b)⟩\pm |q_2({\phi }_b),q_1({\phi }_b)⟩][⟨q_1({\phi }_b),q_2({\phi }_b)|\pm ⟨q_2({\phi }_b),q_1({\phi }_b)|].$$(19)In the last equation in Eq. (18), we utilize the fact that ${\widehat{\rho }}_{B_1{B}_2}^{(m,n)}$ acts on the $n$-photon space of system $B_1{B}_2$. Combining the above results, we can express the phase-error rate for each tag with observables on optical modes:

Proposition 1. The phase-error rate $e_{m,n}^X$ of the rounds where $m$ photons are sent and $n$ photons are accepted can be calculated by $$\begin{gathered} \frac{Q_{m,n}{e}_{m,n}^X}{\underset{\mu }{\mathrm{Pr}}(m)}=\frac{1}{2}\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_m^{+}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_m^{+}|){\widehat{P}}_n{\widehat{M}}_{-}{\widehat{P}}_n \\ +{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_m^{-}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_m^{-}|){\widehat{P}}_n{\widehat{M}}_{+}{\widehat{P}}_n], \end{gathered}$$(20)where $Q_{m,n}$ denotes the probability of sending an $m$-photon state and accepting an $n$-photon state, and ${\mathrm{Pr}}_{\mu }(m)$ is the probability of the source emitting $m$ photons. ${\mathcal{N}}_E$ denotes Eve’s channel on the two optical modes and ${\widehat{P}}_n$ denotes the projector onto the $n$-photon subspace. $|{\mathrm{\Psi }}_m^{\pm }⟩$ and ${\widehat{M}}_{\pm }$ are defined in Eq. (17) and Eq. (19) respectively.

We can write ${\widehat{P}}_n{\widehat{M}}_{+(-)}{\widehat{P}}_n$ on the Fock basis using Eq. (9), expressing the phase-error rate as quantities on optical modes. Here, we list the final results for a protocol that utilizes up to the two-photon components. The detailed calculation is placed in Appendix C. For the single-photon component, $$\begin{gathered} \frac{Q_{1,1}{e}_{1,1}^X}{{\mathrm{Pr}}_{\mu }(1)}=\frac{c_1}{2}\{\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_1^{+}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_1^{+}|)\frac{1}{2}({|01⟩}_{B_1{B}_2}-{|10⟩}_{B_1{B}_2})(⟨01{|}_{B_1{B}_2}-⟨10{|}_{B_1{B}_2})] \\ +\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_1^{-}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_1^{-}|)\frac{1}{2}({|01⟩}_{B_1{B}_2}+{|10⟩}_{B_1{B}_2})(⟨01{|}_{B_1{B}_2}+⟨10{|}_{B_1{B}_2})]\}, \end{gathered}$$(21)where $$c_1={\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2[{\psi }_0^2(q_1){\psi }_1^2(q_2)+{\psi }_0^2(q_2){\psi }_1^2(q_1)],$$(22)and gain $Q_{1,1}$ is given by $$\begin{gathered} \frac{Q_{1,1}}{{\mathrm{Pr}}_{\mu }(1)}=c_1\mathrm{Tr}\{{\mathcal{N}}_E[{\mathrm{Tr}}_{A^{\prime }}({|{\mathrm{\Psi }}_1⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_1|)] \\ ({|01⟩}_{B_1{B}_2}⟨01|+{|10⟩}_{B_1{B}_2}⟨10|)\}. \end{gathered}$$(23)Up to the less-than-unity factor $c_1$ that arises from the data post-selection in key mapping, the formulae are the same as the complementary-basis result in the coherent-state-based BB84 protocol [50]. It can also be seen that the phase-error rate of the rounds where Alice transmits two photons and Bob accepts one photon involves the probability where Alice transmits $(|02⟩\pm |20⟩)/\sqrt{2}$ and Bob receives $(|01⟩\mp |10⟩)/\sqrt{2}$. In a pure-loss channel, the superimposed two-photon state $(|02⟩\pm |20⟩)/\sqrt{2}$ would lose coherence if one photon is lost during the channel, thus giving 50% phase-error rate. This observation validates the intuition of the PNS attack. For the two-photon subspace, based on Eqs. (9) and (20), we have $$\begin{gathered} \frac{Q_{2,2}{e}_{2,2}^X}{{\mathrm{Pr}}_{\mu }(2)}=\frac{1}{2}{c}_2^{-}\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_2^{+}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_2^{+}|)\frac{1}{2}({|02⟩}_{B_1{B}_2}-{|20⟩}_{B_1{B}_2})(⟨02{|}_{B_1{B}_2}-⟨20{|}_{B_1{B}_2})] \\ +\frac{1}{2}{c}_2^{+}\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_2^{-}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_2^{-}|)\frac{1}{2}({|02⟩}_{B_1{B}_2}+{|20⟩}_{B_1{B}_2})(⟨02{|}_{B_1{B}_2}+⟨20{|}_{B_1{B}_2})] \\ +c_2^{11}\mathrm{Tr}[{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({|{\mathrm{\Psi }}_2^{-}⟩}_{A_1{A}_2}⟨{\mathrm{\Psi }}_2^{-}|){|11⟩}_{B_1{B}_2}⟨11|], \end{gathered}$$(24)where $$\begin{gathered} c_2^{+}={\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2{[{\psi }_0(q_1){\psi }_2(q_2)+{\psi }_2(q_1){\psi }_0(q_2)]}^2, \\ {c}_2^{-}={\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2{[{\psi }_0(q_1){\psi }_2(q_2)-{\psi }_2(q_1){\psi }_0(q_2)]}^2, \\ {c}_2^{11}={\int }_{{\mathbf{R}}_0}\mathrm{d}{q}_1\mathrm{d}{q}_2[2{\psi }_1^2(q_1){\psi }_1^2(q_2)], \end{gathered}$$(25)and the two-photon gain is given by $$\begin{gathered} \frac{Q_{2,2}}{{\mathrm{Pr}}_{\mu }(2)}=c_2^{+}\mathrm{Tr}\{{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}[{\mathrm{Tr}}_{A^{\prime }}({|{\mathrm{\Psi }}_2⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_2|)]\frac{1}{2}({|02⟩}_{B_1{B}_2}+{|20⟩}_{B_1{B}_2})(⟨02{|}_{B_1{B}_2}+⟨20{|}_{B_1{B}_2})\} \\ +c_2^{-}\mathrm{Tr}\{{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}[{\mathrm{Tr}}_{A^{\prime }}({|{\mathrm{\Psi }}_2⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_2|)]\frac{1}{2}({|02⟩}_{B_1{B}_2}-{|20⟩}_{B_1{B}_2})(⟨02{|}_{B_1{B}_2}-⟨20{|}_{B_1{B}_2})\}+2c_2^{11}\mathrm{Tr}\{{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}[{\mathrm{Tr}}_{A^{\prime }}({|{\mathrm{\Psi }}_2⟩}_{A^{\prime }{A}_1{A}_2}⟨{\mathrm{\Psi }}_2|)]{|11⟩}_{B_1{B}_2}⟨11|\}. \end{gathered}$$(26)The probability of accepting a vacuum state when employing reverse reconciliation is given by $$Q_{*,0}=c_0\mathrm{Tr}[{\widehat{P}}_0^{B_1{B}_2}{\mathcal{N}}_E^{A_1{A}_2\to B_1{B}_2}({\widehat{\rho }}^Z){\widehat{P}}_0^{B_1{B}_2}],$$(27)where $$c_0={\int }_{{\mathbf{R}}_0}2{\psi }_0^2(q_1){\psi }_0^2(q_2)\mathrm{d}{q}_1\mathrm{d}{q}_2,$$(28)and ${\widehat{\rho }}^Z$ is the $Z$-basis state sent by the source given in Eq. (8); hence $Q_{*,0}$ is given by the product of the probability of receiving a vacuum-state in the $Z$-basis rounds and a post-selection-related integration factor. Note that the former value is independent of the post-selection.

We briefly show how to estimate the parameters derived in Section 3.C with a practical setup. In the actual protocol, we do not have photon-number-resolving detectors, with which one can directly measure the above parameters. In addition, the phase-error probabilities and gains are defined by particular Fock-basis states, yet the actual photon source emits coherent states. Nevertheless, we can construct unbiased estimators with the available states and detection settings to evaluate these values. On the detection side, we apply the homodyne tomography technique to evaluate the photon-number observables [36–41]. The homodyne tomography allows unbiased estimation of the expected value of a variety of observables, including the photon-number observables, of measuring an unknown quantum state. On the source side, we extend the decoy-state method [29,30,51] to evaluate the statistics defined by the non-classical Fock states with the use of the coherent states at hand. We will give a practical version of the protocol at the end of this section. A fully detailed discussion is placed in Ref. [52] on how the specific parameters related to key rate calculation can be practically estimated.

Since the eigenstates of the quadrature observables, $|q(\phi )⟩$, form a complete basis on an optical mode, one can reconstruct a general observable on an optical mode with homodyne measurements. In our study, the parameters to be estimated involve photon-number measurements on two modes in the form of ${\widehat{O}}_1\otimes {\widehat{O}}_2={|n_1⟩}_{B_1}⟨m_1|\otimes {|n_2⟩}_{B_2}⟨m_2|$. Their measurements on an arbitrary state, $\widehat{\rho }$, can be obtained from two independent homodyne measurements with randomized LO phases, $$\begin{gathered} ⟨{\widehat{O}}_1\otimes {\widehat{O}}_2⟩=\mathrm{Tr}[({\widehat{O}}_1\otimes {\widehat{O}}_2)\widehat{\rho }] \\ ≔{\int }_0^{\pi }\frac{\mathrm{d}{\phi }_1}{\pi }{\int }_{-\infty }^{\infty }\mathrm{d}{q}_1{\int }_0^{\pi }\frac{\mathrm{d}{\phi }_2}{\pi }{\int }_{-\infty }^{\infty }\mathrm{d}{q}_2 \\ \mathcal{R}[{\widehat{O}}_1](q_1,{\phi }_1)\mathcal{R}[{\widehat{O}}_2](q_2,{\phi }_2)p(q_1,q_2|{\phi }_1,{\phi }_2), \end{gathered}$$(29)where $p(q_1,q_2|{\phi }_1,{\phi }_2)$ is the joint probability of the quadrature measurements on the two modes conditioned on phases ${\phi }_1$ and ${\phi }_2$. The estimators, $\mathcal{R}[{\widehat{O}}_1](q_1,{\phi }_1)$ and $\mathcal{R}[{\widehat{O}}_2](q_2,{\phi }_2)$, link the quadrature measurement statistics with $⟨{\widehat{O}}_1\otimes {\widehat{O}}_2⟩$. For a homodyne detector with efficiency $\eta$, the estimator for observable $|n⟩⟨n+d|$ is given by $$\begin{gathered} {\mathcal{R}}_{\eta }[|n⟩⟨n+d|](q,\phi )=e^{id(\phi +\frac{\pi }{2})}\sqrt{\frac{n!}{(n+d)!}}{\int }_{-\infty }^{\infty }\mathrm{d}k|k| \\ \exp (\frac{1-2\eta }{2\eta }{k}^2-ikq)k^d{L}_n^d(k^2), \end{gathered}$$(30)where $L_n^d$ is the generalized Laguerre polynomial. The estimator is shown to be bounded for detector efficiency $\eta >1/2$ [39,41], a mild requirement for current technologies [53,54]. Consequently, repeated measurements allow the users to obtain an unbiased estimation of the photon-number observables that converges in probability. Note that the detector imperfection does not need to be trusted. The homodyne tomography is valid as long as the detector is well-calibrated so that the quadrature measurement is genuine. In Ref. [52], we shall provide more details of the homodyne tomography techniques.

To effectively realize the non-classical states on the source side, we extend the standard decoy-state method [29,30]. We take advantage of two-mode coherent states with simultaneous phase randomization on the two modes. We denote the state with phase difference $\phi$ as $$\begin{gathered} {\widehat{\rho }}_{\mu }^{\phi }={\int }_0^{2\pi }\frac{\mathrm{d}\theta }{2\pi }|\sqrt{\frac{\mu }{2}}{e}^{i\theta }⟩⟨\sqrt{\frac{\mu }{2}}{e}^{i\theta }|\otimes |\sqrt{\frac{\mu }{2}}{e}^{i(\theta +\phi )}⟩⟨\sqrt{\frac{\mu }{2}}{e}^{i(\theta +\phi )}| \\ =\sum _{m=0}^{\infty }\sum _{k=0,l=0}^m\frac{e^{-\mu }{\left(\frac{\mu }{2}\right)}^m{e}^{i(l-k)\phi }}{\sqrt{k!l!(m-k)!(m-l)!}}|k,m-k⟩⟨l,m-l|, \end{gathered}$$(31)where we specify the light intensity with the subscript, $\mu$. With proper linear combination of these states, we can effectively construct the photon-number-cat states that we are interested in. It is well-known that $(|01⟩\pm |10⟩)/\sqrt{2}$ is the single-photon component of ${\widehat{\rho }}_{\mu }^{0(\pi )}$, $${\mathrm{Pr}}_{\mu }(1)|{\mathrm{\Psi }}_1^{+(-)}⟩⟨{\mathrm{\Psi }}_1^{+(-)}|={\widehat{P}}_1{\widehat{\rho }}_{\mu }^{0(\pi )}{\widehat{P}}_1,$$(32)where ${\mathrm{Pr}}_{\mu }$ represents the Poisson distribution determined by light intensity $\mu$, as given in Eq. (14). Thus, the estimation problem is transformed into the estimation of the single-photon yields of ${\widehat{\rho }}_{\mu }^0$ and ${\widehat{\rho }}_{\mu }^{\pi }$. For the multi-photon components $(|0m⟩\pm |m0⟩)/\sqrt{2}$, a direct calculation shows $$\begin{gathered} {\mathrm{Pr}}_{\mu }(m)|{\mathrm{\Psi }}_m^{+}⟩⟨{\mathrm{\Psi }}_m^{+}| \\ ={\widehat{P}}_m({\widehat{\rho }}_{\mu }^Z+\frac{2^{m-2}}{m}\sum _{k=0}^{m-1}{\widehat{\rho }}_{\mu }^{\frac{2\pi k}{m}}-\frac{2^{m-2}}{m}\sum _{k=0}^{m-1}{\widehat{\rho }}_{\mu }^{\frac{2\pi k}{m}+\delta }){\widehat{P}}_m, \end{gathered}$$(33)$$\begin{gathered} {\mathrm{Pr}}_{\mu }(m)|{\mathrm{\Psi }}_m^{-}⟩⟨{\mathrm{\Psi }}_m^{-}| \\ ={\widehat{P}}_m({\widehat{\rho }}_{\mu }^Z-\frac{2^{m-2}}{m}\sum _{k=0}^{m-1}{\widehat{\rho }}_{\mu }^{\frac{2\pi k}{m}}+\frac{2^{m-2}}{m}\sum _{k=0}^{m-1}{\widehat{\rho }}_{\mu }^{\frac{2\pi k}{m}+\delta }){\widehat{P}}_m, \end{gathered}$$(34)where $\delta =\pi$ for odd $m$ and $\pi /2$ for even $m$, and ${\widehat{\rho }}_{\mu }^Z$ is the state emitted from the source in a key generation round. Consequently, the terms that define $e_{m,m}^X$ and $Q_{m,m}$ can be constructed from the statistics when emitting the states of ${\widehat{\rho }}_{\mu }^Z$ and ${\widehat{\rho }}_{\mu }^{\phi }$ with $\phi \in {\{2\pi k/m,2\pi k/m+\delta \}}_{k=0}^{m-1}$. Notably, the extended decoy method allows estimating the gains with the number of parameters increasing only linearly in the photon number. In later discussions, we shall utilize up to the two-photon components. Specifically, for $m=2$, $$\begin{gathered} {\mathrm{Pr}}_{\mu }(2)|{\mathrm{\Psi }}_2^{\pm }⟩⟨{\mathrm{\Psi }}_2^{\pm }|={\widehat{P}}_2[{\widehat{\rho }}_{\mu }^Z\pm (\frac{1}{2}{\widehat{\rho }}_{\mu }^0+\frac{1}{2}{\widehat{\rho }}_{\mu }^{\pi }) \\ \mp (\frac{1}{2}{\widehat{\rho }}_{\mu }^{\frac{\pi }{2}}+\frac{1}{2}{\widehat{\rho }}_{\mu }^{\frac{3\pi }{2}})]{\widehat{P}}_2. \end{gathered}$$(35)