Quantum key distribution (QKD) utilizes the laws of quantum mechanics to
achieve information-theoretically secure key generation. This field is now
approaching the stage of commercialization, but many practical QKD systems
still suffer from security loopholes due to imperfect devices. In fact,
practical attacks have successfully been demonstrated. Fortunately, most of
them only exploit detection-side loopholes which are now closed by the recent
idea of measurement-device-independent QKD. On the other hand, little attention
is paid to the source which may still leave QKD systems insecure. In this work,
we propose and demonstrate an attack that exploits a source-side loophole
existing in qubit-based QKD systems using a weak coherent state source and
decoy states. Specifically, by implementing a linear-optics
unambiguous-state-discrimination measurement, we show that the security of a
system without phase randomization --- which is a step assumed in conventional
security analyses but sometimes neglected in practice --- can be compromised.
We conclude that implementing phase randomization is essential to the security
of decoy-state QKD systems under current security analyses.Comment: 12 pages, 5 figure