Device-independent quantum key distribution with single-
photon sources
J. Kołodyński
1,2
, A. Máttar
2
, P. Skrzypczyk
3
, E. Woodhead
2,4
, D. Cavalcanti
2
, K. Banaszek
1,5
, and
A. Acín
2,6
1
Centre for Quantum Optical Technologies, Centre of New Technologies, University of Warsaw, Banacha 2c, 02-097 Warsaw, Poland
2
ICFO-Institut de Ciencies Fotoniques, The Barcelona Institute of Science and Technology, 08860 Castelldefels (Barcelona), Spain
3
H. H. Wills Physics Laboratory, University of Bristol, Tyndall Avenue, Bristol, BS8 1TL, United Kingdom
4
Laboratoire d’Information Quantique, Université libre de Bruxelles (ULB), 1050 Bruxelles, Belgium
5
Faculty of Physics, University of Warsaw, Pasteura 5, 02-093 Warszawa, Poland
6
ICREA-Institució Catalana de Recerca i Estudis Avançats, Lluis Companys 23, 08010 Barcelona, Spain
Device-independent quantum key distribu-
tion protocols allow two honest users to estab-
lish a secret key with minimal levels of trust on
the provider, as security is proven without any
assumption on the inner working of the de-
vices used for the distribution. Unfortunately,
the implementation of these protocols is chal-
lenging, as it requires the observation of a
large Bell-inequality violation between the two
distant users. Here, we introduce novel pho-
tonic protocols for device-independent quan-
tum key distribution exploiting single-photon
sources and heralding-type architectures. The
heralding process is designed so that trans-
mission losses become irrelevant for security.
We then show how the use of single-photon
sources for entanglement distribution in these
architectures, instead of standard entangled-
pair generation schemes, provides significant
improvements on the attainable key rates and
distances over previous proposals. Given the
current progress in single-photon sources, our
work opens up a promising avenue for device-
independent quantum key distribution imple-
mentations.
1 Introduction
The paradigm of device-independent quantum key dis-
tribution (DIQKD) offers the strongest form of se-
cure communication, relying only on the validity of
quantum mechanics, but not on any detailed descrip-
tion, or trust, of the inner workings of the users de-
vices [13]. On the theoretical side, the security of
DIQKD has been proven against increasingly power-
ful eavesdroppers [4, 5], culminating in proofs of se-
curity against attacks of the most general form [6, 7].
The main challenge facing experimental DIQKD
are its stringent demands on the observable data,
necessary for the security requirements to be met.
First, any DIQKD implementation should be based
on the observation of data that conclusively violates
a Bell inequality [8, 9]. In particular, the Bell ex-
periment should close the so-called detection loop-
hole [10], otherwise, hacking attacks can fake a vi-
olation at the level of the detected events when losses
are high enough [11]. Moreover, a detection-loophole-
free Bell violation is necessary but not sufficient for
secure DIQKD, as the necessary detection efficiencies
are significantly higher than those required for Bell
violation. For instance, while the detection efficiency
for observing a Bell violation of the Clauser-Horne-
Shimony-Holt (CHSH) [12] inequality can be as low
as 2/3 [13], a DIQKD protocol based on CHSH re-
quires an efficiency of the order of 90% [3]. This is,
in fact, a general feature of any noise parameter—
consider, e.g. the visibility [4]—that affects not only
the observed Bell violation, but also the correlations
between the users aiming to construct the secret key.
The first Bell experiments closing the detection
loophole used massive particles [1417]. Leaving
aside table-top [14, 15] and short-distance [16] exper-
iments, the Bell test of Hensen et al. [17] involved
labs separated by a distance of 1.3 km, which al-
lowed to close also the locality loophole [9]. Never-
theless, as the employed light-matter interaction pro-
cesses typically deteriorate the quality of the nonlo-
cal correlations generated between the users, the re-
ported violations would not have been sufficient for
secure DIQKD. Furthermore, the rates of key distri-
bution they could provide are seriously limited owing
to the measurements involved that, despite allowing
for near unit efficiency, take significant time [18, 19].
While improvements are to be expected in all these is-
sues, and massive particles may be essential for long-
distance schemes involving quantum repeaters [20],
photon-based schemes appear more suitable to obtain
high key rates with current or near-future technol-
ogy. Photonic losses, however, occurring at all of the
generation, transmission, and detection stages rep-
resent the main challenge in these schemes. Recent
advances have been made for photo-detection efficien-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 1
arXiv:1803.07089v4 [quant-ph] 20 Apr 2020
cies, which allowed for the first loophole-free photonic
Bell inequality violations over short distances [2124].
Still, not only are the reported distances far from any
cryptographic use, but also the observed Bell viola-
tions are again not large enough for secure DIQKD.
In this work, we show that single-photon
sources [25] constitute a promising resource for ex-
perimental photonic DIQKD. Such sources have al-
ready allowed for nearly on-demand [26], highly effi-
cient [27] extraction of single photons (also in pulse
trains [28, 29] as well as at telecom wavelengths [30]),
while maintaining their purity and indistinguisha-
bility even above the 99% level [31, 32]. We pro-
pose novel DIQKD photonic schemes that thanks to
the replacement of the photon-pair creation process
(achieved, e.g. by parametric downconversion [33])
with single-photon sources allow to distribute the key
at significant rates over large distances. We believe
that, in view of the recent advances in the fabrica-
tion of single-photon sources, our results point out a
promising avenue for DIQKD implementations.
The remainder of the paper is organized as fol-
lows. In Sec. 2.2, we describe the technique of evading
transmission losses in DIQKD protocols by means of
heralding and, furthermore, discuss the crucial im-
plications the heralding method has for designing
photon-based architectures. Subsequently, in Sec. 3,
we introduce two heralded schemes employing single-
photon sources, which allow for fine-tuning of the fi-
nal shared entangled state, important for achieving
optimal efficiencies. We then discuss in Sec. 4 how to
quantify the attainable key rates within a heralded
scheme, which importantly are then guaranteed to
be fully secure. Finally, in Sec. 5 we apply our anal-
ysis to the two schemes proposed, in order to study
their performance, in particular, the key rates, sepa-
ration distances, as well as noise levels they allow for
in DIQKD. We conclude our work in Sec. 6.
2 Losses in DIQKD
For non-negligible key rates to be achievable over
large distances in DIQKD, solutions must be pro-
posed that pinpoint and disregard—without opening
the detection loophole—inconclusive protocol rounds
that arise due to photons being inevitably lost. From
the perspective of maintaining security (i.e. only the
question of non-zero key rate), it is convenient then to
divide photonic losses into two categories. Losses that
occur within the local surroundings—laboratories—of
the users should be differentiated from those that oc-
cur during the transmission of photons between the
labs. Laboratories represent then regions of space
from, and into which, the users control the informa-
tion flow, i.e. provide the local privacy requisite for
any secure communication [34].
As a result, one may design DIQKD protocols that
target explicitly the transmission losses and allow for
Bell violations over arbitrary distances between the
users [35, 36]. Other approaches have also been pro-
posed that, while stemming from novel entropic un-
certainty relations which account for quantum side
information [37, 38], require only local Bell violation
within one of the labs [39]. This, however, comes at
the price of security being guaranteed only up to a
finite distance separating the users for a given fixed,
even arbitrarily small, level of local losses (also in the
absence of detector dark-count events [40]). In this
work, our goal is to propose optical schemes where
the security can be guaranteed independently of the
distance between the users. Secondary to this, for
a scheme to be practical, we furthermore want the
resulting key rate to scale favourably with the sep-
aration, in order to achieve non-negligible key rates
over large distances.
2.1 Local losses
We parametrise local losses by the effective local ef-
ficiency, η
l
, which accounts for all photon-loss mech-
anisms inside the lab, including imperfect photo-
detection, any optical path and mode mismatch, fi-
nite photon-extraction efficiency of the sources locally
employed by a user, etc. To our knowledge, all known
DIQKD protocols require a high local efficiency, of
the order of 90% [36, 39, 4144]. While the existence
of practical DIQKD protocols tolerating lower local
efficiencies cannot be excluded, we do not expect any
significant improvement in this direction. This is a
consequence of the following simple argument.
A generic DIQKD protocol is based upon the ob-
servation of some ideal correlations described by a set
of joint probability distributions p = {P (ab|xy)}
abxy
shared by the two users, Alice and Bob, that aim to
establish the secret key. The input random variable, x
(y), labels the measurement setting, i.e. the measure-
ment that Alice (Bob) has chosen, while the output, a
(b), stands for the outcome of her (his) measurement.
In the presence of local losses, parametrised by η
l
,
there is an additional outcome, labelled by φ, corre-
sponding to the ‘no-detection’ event. The resulting
correlations observed, p
η
l
, where a and b refer only
to ‘conclusive’ events, are
P
η
l
(ab|xy) = η
l
2
P (ab|xy)
P
η
l
(|xy) = η
l
P
A
(a|x) (1 η
l
)
P
η
l
(φb|xy) = (1 η
l
) η
l
P
B
(b|y)
P
η
l
(φφ|xy) = (1 η
l
)
2
, (1)
where P
A
and P
B
denote the marginal probabilities
detected by Alice and Bob in the ideal case (with-
out loss). For simplicity, we take the local efficien-
cies equal for Alice and Bob and for all measurement
settings, but the results can be easily generalized to
non-equal local efficiencies.
In any DIQKD protocol, Alice and Bob construct
the key from the outputs of n
k
pairs of measurement
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 2
settings (typically n
k
= 1, and the key is generated
from the pair (x
, y
) [36, 4144]). In Ref. [45], a
successful eavesdropping attack was constructed for
a critical value of the losses equal to η
c
= 1/(n
k
+1) if
n
k
< m, where m is the total number of measurement
settings, and η
c
= 1/m when n
k
= m. To implement
this attack, Eve needs to be able to control the de-
tection efficiencies on one side, say Alice. Eve has
perfect knowledge of the outputs of the n
k
measure-
ments used by Alice for the key, while reproducing
the expected correlations (1) for η
l
= η
c
.
For detection efficiencies above this critical value,
η
l
> η
c
, Eve can use a combined strategy, in which the
previous attack is applied on Alice’s side with proba-
bility q
A
, while with probability 1q
A
Eve does noth-
ing on the measured state and shifts Alice’s detection
efficiency to one. This attack produces correlations
between Alice and Bob of the form (1) when q
A
is
chosen such that q
A
+ (1 q
A
)η
c
= η
l
.
At present, the asymptotic secret-key rate R of any
DIQKD protocol in which the key is established by
one-way classical communication reconciliation tech-
niques is determined by the best-known lower bound
of Arnon-Friedman et al. [7], which is valid for most
general eavesdropping attacks and reads:
R
˜
R = H(A|E) H(x
|y
). (2)
Here H(x
|y
) is the classical conditional Shannon
entropy between Alice and Bob outputs when choos-
ing any inputs (x
, y
) used for the key and H(A|E)
is the conditional von Neumann entropy between Al-
ice’s output and the quantum state in the hands of
the eavesdropper, Eve. Crucially, the Bell violation
observed by Alice and Bob allows them then to es-
timate (lower-bound) H(A|E) without making any
assumptions about Eve [27].
However, as Eq. (2) applies to any attack, we can
explicitly evaluate it for the strategy discussed above.
Returning to correlations (1) that incorporate losses,
we compute the conditional entropy H(x
|y
). For
the sake of simplicity, we perform this calculation for
the common case of two-output measurements, while
the correlations between Alice and Bob define a per-
fectly correlated bit in the absence of losses, so that
H(x
|y
) = 0 for η
l
= 1. For the above simple attack,
we easily see that H(A|E) = q
A
= (η
l
η
c
)/(1 η
c
)
for η
l
η
c
, as Eve has then complete knowledge with
probability (1 q
A
) and complete uncertainty with
probability q
A
. In contrast, for η
l
η
c
the attack of
Eve works all of the time, so that then H(A|E) = 0.
Within the inset of Fig. 1 we plot explicitly both these
conditional entropies for n
k
= 1 and m = 2.
In Fig. 1, we depict the critical values of the lo-
cal efficiency, η
l
, at which the key rate computed
through (2) becomes zero as a function of the num-
ber of bases, n
k
, used to construct the key. Note
that based on such an attack, the tolerable local effi-
ciency is forced to be at least 85.7% for any DIQKD
Figure 1: Lower bound on critical local efficiency, η
l
,
for DIQKD as a function of the number of measurement
settings, n
k
, that are used to generate the key. For each
n
k
and any η
l
< η
l
below the corresponding value (blue
dot), there exists a simple attack based on the eavesdropping
strategy introduced in Ref. [45] that prevents any protocol
based on two-party correlations (1) from being secure. The
most and the least optimistic critical efficiencies for n
k
and n
k
= 1, respectively, are also marked in blue. For n
k
=
1, the conditional entropies whose difference determines the
key rate (2) are explicitly shown in the inset.
scheme with n
k
= 1, e.g. the ones of Refs. [36, 4144]
employing one-way communication. Moreover, the
above simple attack—with its corresponding critical
local efficiencies applying to any DIQKD protocol
and any Bell inequality which uses the security proof
of Ref. [7]—demonstrates that even in the unrealistic
case of users employing an infinite number of bases
n
k
(see Fig. 1) the local efficiencies must nec-
essarily exceed 82.2% for a positive key rate to be
possible.
In view of these results, we expect that high effi-
ciencies will inevitably be needed in DIQKD proto-
cols, and the only solution we foresee is to develop
even more efficient photon sources [4648], better de-
tectors [4952] and improve all the couplings within
optical implementations to sufficiently decrease losses
within the users’ laboratories. Nevertheless, we ex-
pect Bell experiments with local losses of the order
of 90% to be within reach in the near future. In this
work, we work under this assumption, which is cur-
rently essential for any existing DIQKD implementa-
tion.
2.2 Transmission losses
The second type of losses occur while photons propa-
gate outside the labs and are quantified by the trans-
mission efficiency, η
t
, of the channel connecting the
users. In principle, they constitute the main hurdle
for long-distance DIQKD, as η
t
decreases rapidly with
distance, e.g. exponentially when transmitting sig-
nals over optical fibres. Moreover, even if fibre tech-
nology progresses, the exponential increase of losses
with distance will remain, due to unavoidable light
absorption and scattering. However, contrary to lo-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 3
cal losses, transmission losses can be completely over-
come by adopting a carefully constructed protocol.
A viable route to do so is to record an additional
outcome, denoted by
X
, indicating in a heralded
way that the photons did not get lost [35, 36, 53].
Then,
X
assures that the required quantum state
was successfully transmitted between Alice and Bob
and the Bell test can be performed. If the herald-
ing outcome is causally disconnected from the choices
of measurement settings x, y by Alice and Bob dur-
ing each round of the protocol (see Fig. 2), trans-
mission losses become irrelevant with respect to the
security of the protocol, affecting only the key rate.
In fact, the heralding signal, when causally discon-
nected from the choice of measurements, can simply
be interpreted as a probabilistic preparation of the
required state which does not affect a Bell test, nor
any protocols based on it.
The heralding process can in principle be imple-
mented with the help of a quantum non-demolition
(QND) measurement allowing the number of pho-
tons to be measured without disturbing the quan-
tum state [54]. QND photon measurements are, how-
ever, challenging, requiring e.g. unrealistic optical
non-linearities. The solution is to replace them with
optical linear circuits that achieve the same goal in
a probabilistic fashion [55, 56]. The heralding signal
X
is then provided by a particular detection pattern
in the linear optics circuit indicating, as for the QND
measurement, that the outputs produced by the Bell
test are valid.
Within the side-heralding (SH) scenario depicted
in Fig. 2(a), the circuit is performed by one of the
users who records the rounds in which the positive
heralding pattern,
X
, has occurred, so that only
these are later used for key extraction. In contrast,
in the central-heralding (CH) scenario the heralding
is performed outside of the users labs, at a central
station (resembling the entanglement swapping con-
figuration [57]), by a third party who then publicly
announces which rounds should be considered suc-
cessful, as illustrated in Fig. 2(b). In either case,
the heralding scheme should be causally disconnected
from the measurements in the Bell test. This condi-
tion is more natural in the CH scheme, within which
it is naturally assured by the lack of information leak-
age from the secure user labs. On the contrary, in the
SH configuration it becomes the responsibility of the
user holding the heralding device within their lab,
who must then, e.g. ensure that the heralding sig-
nal occurs before a random choice of measurement is
made
1
. In any case, the heralding signal should work
as the ideal QND measurement and assure that, up to
the leading order, transmission losses have no effect
on the heralded Bell violation.
The importance of this requirement is best un-
1
Ideally, each user possesses an independent source of pri-
vate randomness [58].
S H
x
a
b
y
S
Alice
Bob
x
a
S
S
b
y
X
X
C H
Alice Bob
(a)
(b)
Figure 2: Efficient heralding schemes for DIQKD. Al-
ice and Bob are located at isolated labs (shaded regions)
from which they control information leaks. They locally use
sources S, to distribute a quantum state between their labs
and perform on it randomly sampled measurements labelled
x and y, producing outcomes a and b. The measurement
devices are treated as black-boxes that yield a joint prob-
ability distribution p = {P (ab|xy)}
abxy
compatible with
the laws of quantum physics. A heralding scheme is im-
plemented, such that, given its positive outcome
X
, the re-
sulting p(ab|xy
X
) shared between Alice and Bob becomes
effectively independent of the finite transmission efficiency.
In the side-heralding (SH) scenario, (a), this is achieved
by one of the users performing a (probabilistic) quantum
non-demolition measurement (QND) within their isolated
lab that verifies the arrival of the distributed state, without
disturbing it. In the central-heralding (CH) scheme, (b),
the heralding is performed by a third party that later pub-
licly announces the successful rounds that should be used
during the protocol.
derstood by considering existing proposals for pho-
tonic DIQKD that do not satisfy it, such as the
schemes using a noiseless qubit amplifier [36] or en-
tanglement swapping relays [4143]. In all these
schemes, entanglement between users is distributed
using spontaneous parametric down-conversion [33]
(SPDC) sources—a probabilistic process in which
multi-photon pair creation also takes place. For the
sake of argument, let us consider the state produced
by the SPDC to read: |0ih0| + ¯p|ψ
AB
ihψ
AB
|; after,
without loss of generality, ignoring its normalisation
and the higher-order terms in ¯p, i.e. the spurious con-
tributions arising when more than one photon-pair is
created within the process—see App. A. For all the
schemes, the state shared by the users after a success-
ful heralding takes a general form (up to irrelevant
normalisation):
ρ
AB|
X
= |0ih0| + λ η
t
¯p |ψ
AB
ihψ
AB
| + . . . , (3)
in which the detrimental terms of order ¯p that yield
deviations from the target |ψ
AB
i may also be omitted.
The parameter λ > 0 above is determined by the
particular heralding scheme [36, 4143], while η
t
is
the transmission efficiency dependent on the distance
between the users.
The key point is to notice that the contribution
of the maximally entangled state, |ψ
AB
i, in Eq. (3)
occurs at a higher order in ¯p than the vacuum con-
tribution and is influenced differently by the pres-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 4
ence of transmission losses. Thus, for any fixed λ,
the Bell violation strongly depends on η
t
. That is,
contrary to when performing an ideal QND measure-
ment, transmission losses not only affect the key rate
but also the protocol security. In optical fibres, η
t
vanishes exponentially with the separation distance L
(η
t
= e
L/L
att
, with typical values of the attenuation
length L
att
20 km), and so the heralded state (3)
approaches the vacuum exponentially with L, while
rapidly ceasing to produce large enough Bell viola-
tions for DIQKD to be possible [44]. In particular,
this implies that in all such protocols there is always
a critical distance at which the protocol ceases to be
secure.
For the sake of clarity, we provide some simple es-
timations that make this point more explicit for the
scheme based on the qubit amplifier of Ref. [36]. As
discussed also in App. B, if one approximates for sim-
plicity 1 ¯p 1, the state after heralding can be put
in the form of Eq. (3) with λ = T/(1 T ), where T
is the transmittance of the beam-splitter used in the
qubit amplifier for the heralding process [36]. Even if
quite optimistic, we can take a value of T = 110
2
,
which gives λ 10
2
. This severely affects the key
rate, which is a function of 1 T , but here we focus
on the protocol security.
For any protocol based on the violation of the
CHSH inequality S
loc
2 (e.g. the one of Ref. [36]),
the heralded state (3) must lead to
S
1
1 + λ η
t
¯p
(2 + λ η
t
¯p 2
2). (4)
Following Ref. [2], the inequality (4) allows one to
lower-bound the term H(A|E) 1 χ(S) in Eq. (2),
where χ(S) = h[(1 +
p
(S/2)
2
1)/2] is the bi-
nary entropy. On the other hand, for key-generation
rounds, the conditional entropy H(x
|y
) = 1 h[
¯
λ]
where
¯
λ=λη
t
¯p/(1 + λη
t
¯p) is the effective probability
of sharing the target state |ψ
AB
i, given the state (3).
Putting all these terms together, using the expression
for the losses as an exponential function of the dis-
tance, and taking an optimistic value of ¯p = 10
2
for
SPDC [23, 24], the key rate (2) vanishes already for
distances of approximately one attenuation length,
L
att
20 km. This critical limit on user separation
can be improved by taking even smaller values of T or
larger values of ¯p, but the problem still remains: for
any given values, the weight of the entangled part in
the state obtained after successful heralding always
decreases exponentially with distance.
The key rates reported in Ref. [36] are much higher
than those obtained in the above. This arises due to
the fact that the authors of Ref. [36] make additional
assumptions on the attacks available to the eaves-
dropper (see for example the Supp. Mat. of Ref. [36]
and also the discussion in Ref. [44]). Using these as-
sumptions, they derive a different bound on the key
rate as a function of an observed CHSH Bell violation
and the rates at which one or both parties observe in-
conclusive events. The same bound was later used in
the protocols of Refs. [4143]. Unfortunately, it is
unclear whether these assumptions, and correspond-
ing rates, do not imply a loss of generality. In fact,
for a slightly different situation in which losses only
occur for one of the observers, these assumptions and
corresponding bounds can be explicitly proven not
to hold: for some value of the losses they predict a
strictly positive secret-key rate, while it is possible to
derive an explicit eavesdropping attack that breaks
the protocol. The details of this attack are shown
in App. C. This analysis implies that the assump-
tions used in Ref. [36], and later in Refs. [4143], do
not hold in full generality and, therefore, it is unclear
to what extent the secret-key rates reported in these
works are valid.
In what follows, we propose two DIQKD architec-
tures based on single-photon sources [25] that cru-
cially do not suffer from the above problems. They
are designed such that up to the leading order a pure
entangled state is shared between the users upon
successful heralding – independent of their separa-
tion (or transmission losses). Our protocols thus be-
have as the ideal QND measurement and allow high
key rates to be maintained over large communica-
tion distances. One of the schemes relies solely on
single photon sources and a CH-based implementa-
tion. Since single-photon sources are still an expen-
sive resource compared to widely used SPDC sources,
we furthermore consider a SH-based scheme in which
both source-types are used in conjunction. In order
to maintain generality and a degree of comparison
with the SPDC framework [33], each single-photon
source is modelled to produce a quantum state that,
when ignoring normalisation (see also App. A), reads
σ
SP
=
P
n=1
p
n1
|nihn| in the photon-number basis,
containing an infinite tail of high-order contributions
whose probability is parametrised by p.
3 DIQKD schemes with single-photon
sources
The SH scheme requires Bob to produce two sin-
gle photons with orthogonal polarizations H and V ,
while Alice has access to entangled photon-pairs pro-
duced by an SPDC source. It is inspired by the qubit-
amplifier implementation of Pitkanen et al. [44], as
shown in Fig. 3(a). Bob’s photons enter a beam-
splitter (BS) of transmittance T . Then, the re-
flected light component passes through a half-wave-
plate (HWP) before being detected in conjunction
with Alice’s transmitted photons via a partial Bell-
state measurement (BSM) depicted by the dashed re-
gion. The outcome of the BSM, c, signifies whether
the required heralding pattern, c =
X
, has occurred,
corresponding to two detector clicks that represent
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 5