Device-independent quantum key distribution with single-
photon sources
J. Kołodyński
1,2
, A. Máttar
2
, P. Skrzypczyk
3
, E. Woodhead
2,4
, D. Cavalcanti
2
, K. Banaszek
1,5
, and
A. Acín
2,6
1
Centre for Quantum Optical Technologies, Centre of New Technologies, University of Warsaw, Banacha 2c, 02-097 Warsaw, Poland
2
ICFO-Institut de Ciencies Fotoniques, The Barcelona Institute of Science and Technology, 08860 Castelldefels (Barcelona), Spain
3
H. H. Wills Physics Laboratory, University of Bristol, Tyndall Avenue, Bristol, BS8 1TL, United Kingdom
4
Laboratoire d’Information Quantique, Université libre de Bruxelles (ULB), 1050 Bruxelles, Belgium
5
Faculty of Physics, University of Warsaw, Pasteura 5, 02-093 Warszawa, Poland
6
ICREA-Institució Catalana de Recerca i Estudis Avançats, Lluis Companys 23, 08010 Barcelona, Spain
Device-independent quantum key distribu-
tion protocols allow two honest users to estab-
lish a secret key with minimal levels of trust on
the provider, as security is proven without any
assumption on the inner working of the de-
vices used for the distribution. Unfortunately,
the implementation of these protocols is chal-
lenging, as it requires the observation of a
large Bell-inequality violation between the two
distant users. Here, we introduce novel pho-
tonic protocols for device-independent quan-
tum key distribution exploiting single-photon
sources and heralding-type architectures. The
heralding process is designed so that trans-
mission losses become irrelevant for security.
We then show how the use of single-photon
sources for entanglement distribution in these
architectures, instead of standard entangled-
pair generation schemes, provides significant
improvements on the attainable key rates and
distances over previous proposals. Given the
current progress in single-photon sources, our
work opens up a promising avenue for device-
independent quantum key distribution imple-
mentations.
1 Introduction
The paradigm of device-independent quantum key dis-
tribution (DIQKD) offers the strongest form of se-
cure communication, relying only on the validity of
quantum mechanics, but not on any detailed descrip-
tion, or trust, of the inner workings of the users de-
vices [1–3]. On the theoretical side, the security of
DIQKD has been proven against increasingly power-
ful eavesdroppers [4, 5], culminating in proofs of se-
curity against attacks of the most general form [6, 7].
The main challenge facing experimental DIQKD
are its stringent demands on the observable data,
necessary for the security requirements to be met.
First, any DIQKD implementation should be based
on the observation of data that conclusively violates
a Bell inequality [8, 9]. In particular, the Bell ex-
periment should close the so-called detection loop-
hole [10], otherwise, hacking attacks can fake a vi-
olation at the level of the detected events when losses
are high enough [11]. Moreover, a detection-loophole-
free Bell violation is necessary but not sufficient for
secure DIQKD, as the necessary detection efficiencies
are significantly higher than those required for Bell
violation. For instance, while the detection efficiency
for observing a Bell violation of the Clauser-Horne-
Shimony-Holt (CHSH) [12] inequality can be as low
as 2/3 [13], a DIQKD protocol based on CHSH re-
quires an efficiency of the order of 90% [3]. This is,
in fact, a general feature of any noise parameter—
consider, e.g. the visibility [4]—that affects not only
the observed Bell violation, but also the correlations
between the users aiming to construct the secret key.
The first Bell experiments closing the detection
loophole used massive particles [14–17]. Leaving
aside table-top [14, 15] and short-distance [16] exper-
iments, the Bell test of Hensen et al. [17] involved
labs separated by a distance of 1.3 km, which al-
lowed to close also the locality loophole [9]. Never-
theless, as the employed light-matter interaction pro-
cesses typically deteriorate the quality of the nonlo-
cal correlations generated between the users, the re-
ported violations would not have been sufficient for
secure DIQKD. Furthermore, the rates of key distri-
bution they could provide are seriously limited owing
to the measurements involved that, despite allowing
for near unit efficiency, take significant time [18, 19].
While improvements are to be expected in all these is-
sues, and massive particles may be essential for long-
distance schemes involving quantum repeaters [20],
photon-based schemes appear more suitable to obtain
high key rates with current or near-future technol-
ogy. Photonic losses, however, occurring at all of the
generation, transmission, and detection stages rep-
resent the main challenge in these schemes. Recent
advances have been made for photo-detection efficien-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 1
arXiv:1803.07089v4 [quant-ph] 20 Apr 2020
cies, which allowed for the first loophole-free photonic
Bell inequality violations over short distances [21–24].
Still, not only are the reported distances far from any
cryptographic use, but also the observed Bell viola-
tions are again not large enough for secure DIQKD.
In this work, we show that single-photon
sources [25] constitute a promising resource for ex-
perimental photonic DIQKD. Such sources have al-
ready allowed for nearly on-demand [26], highly effi-
cient [27] extraction of single photons (also in pulse
trains [28, 29] as well as at telecom wavelengths [30]),
while maintaining their purity and indistinguisha-
bility even above the 99% level [31, 32]. We pro-
pose novel DIQKD photonic schemes that thanks to
the replacement of the photon-pair creation process
(achieved, e.g. by parametric downconversion [33])
with single-photon sources allow to distribute the key
at significant rates over large distances. We believe
that, in view of the recent advances in the fabrica-
tion of single-photon sources, our results point out a
promising avenue for DIQKD implementations.
The remainder of the paper is organized as fol-
lows. In Sec. 2.2, we describe the technique of evading
transmission losses in DIQKD protocols by means of
heralding and, furthermore, discuss the crucial im-
plications the heralding method has for designing
photon-based architectures. Subsequently, in Sec. 3,
we introduce two heralded schemes employing single-
photon sources, which allow for fine-tuning of the fi-
nal shared entangled state, important for achieving
optimal efficiencies. We then discuss in Sec. 4 how to
quantify the attainable key rates within a heralded
scheme, which importantly are then guaranteed to
be fully secure. Finally, in Sec. 5 we apply our anal-
ysis to the two schemes proposed, in order to study
their performance, in particular, the key rates, sepa-
ration distances, as well as noise levels they allow for
in DIQKD. We conclude our work in Sec. 6.
2 Losses in DIQKD
For non-negligible key rates to be achievable over
large distances in DIQKD, solutions must be pro-
posed that pinpoint and disregard—without opening
the detection loophole—inconclusive protocol rounds
that arise due to photons being inevitably lost. From
the perspective of maintaining security (i.e. only the
question of non-zero key rate), it is convenient then to
divide photonic losses into two categories. Losses that
occur within the local surroundings—laboratories—of
the users should be differentiated from those that oc-
cur during the transmission of photons between the
labs. Laboratories represent then regions of space
from, and into which, the users control the informa-
tion flow, i.e. provide the local privacy requisite for
any secure communication [34].
As a result, one may design DIQKD protocols that
target explicitly the transmission losses and allow for
Bell violations over arbitrary distances between the
users [35, 36]. Other approaches have also been pro-
posed that, while stemming from novel entropic un-
certainty relations which account for quantum side
information [37, 38], require only local Bell violation
within one of the labs [39]. This, however, comes at
the price of security being guaranteed only up to a
finite distance separating the users for a given fixed,
even arbitrarily small, level of local losses (also in the
absence of detector dark-count events [40]). In this
work, our goal is to propose optical schemes where
the security can be guaranteed independently of the
distance between the users. Secondary to this, for
a scheme to be practical, we furthermore want the
resulting key rate to scale favourably with the sep-
aration, in order to achieve non-negligible key rates
over large distances.
2.1 Local losses
We parametrise local losses by the effective local ef-
ficiency, η
l
, which accounts for all photon-loss mech-
anisms inside the lab, including imperfect photo-
detection, any optical path and mode mismatch, fi-
nite photon-extraction efficiency of the sources locally
employed by a user, etc. To our knowledge, all known
DIQKD protocols require a high local efficiency, of
the order of 90% [36, 39, 41–44]. While the existence
of practical DIQKD protocols tolerating lower local
efficiencies cannot be excluded, we do not expect any
significant improvement in this direction. This is a
consequence of the following simple argument.
A generic DIQKD protocol is based upon the ob-
servation of some ideal correlations described by a set
of joint probability distributions p = {P (ab|xy)}
abxy
shared by the two users, Alice and Bob, that aim to
establish the secret key. The input random variable, x
(y), labels the measurement setting, i.e. the measure-
ment that Alice (Bob) has chosen, while the output, a
(b), stands for the outcome of her (his) measurement.
In the presence of local losses, parametrised by η
l
,
there is an additional outcome, labelled by φ, corre-
sponding to the ‘no-detection’ event. The resulting
correlations observed, p
η
l
, where a and b refer only
to ‘conclusive’ events, are
P
η
l
(ab|xy) = η
l
2
P (ab|xy)
P
η
l
(aφ|xy) = η
l
P
A
(a|x) (1 − η
l
)
P
η
l
(φb|xy) = (1 − η
l
) η
l
P
B
(b|y)
P
η
l
(φφ|xy) = (1 − η
l
)
2
, (1)
where P
A
and P
B
denote the marginal probabilities
detected by Alice and Bob in the ideal case (with-
out loss). For simplicity, we take the local efficien-
cies equal for Alice and Bob and for all measurement
settings, but the results can be easily generalized to
non-equal local efficiencies.
In any DIQKD protocol, Alice and Bob construct
the key from the outputs of n
k
pairs of measurement
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 2
settings (typically n
k
= 1, and the key is generated
from the pair (x
∗
, y
∗
) [36, 41–44]). In Ref. [45], a
successful eavesdropping attack was constructed for
a critical value of the losses equal to η
c
= 1/(n
k
+1) if
n
k
< m, where m is the total number of measurement
settings, and η
c
= 1/m when n
k
= m. To implement
this attack, Eve needs to be able to control the de-
tection efficiencies on one side, say Alice. Eve has
perfect knowledge of the outputs of the n
k
measure-
ments used by Alice for the key, while reproducing
the expected correlations (1) for η
l
= η
c
.
For detection efficiencies above this critical value,
η
l
> η
c
, Eve can use a combined strategy, in which the
previous attack is applied on Alice’s side with proba-
bility q
A
, while with probability 1−q
A
Eve does noth-
ing on the measured state and shifts Alice’s detection
efficiency to one. This attack produces correlations
between Alice and Bob of the form (1) when q
A
is
chosen such that q
A
+ (1 −q
A
)η
c
= η
l
.
At present, the asymptotic secret-key rate R of any
DIQKD protocol in which the key is established by
one-way classical communication reconciliation tech-
niques is determined by the best-known lower bound
of Arnon-Friedman et al. [7], which is valid for most
general eavesdropping attacks and reads:
R ≥
˜
R = H(A|E) − H(x
∗
|y
∗
). (2)
Here H(x
∗
|y
∗
) is the classical conditional Shannon
entropy between Alice and Bob outputs when choos-
ing any inputs (x
∗
, y
∗
) used for the key and H(A|E)
is the conditional von Neumann entropy between Al-
ice’s output and the quantum state in the hands of
the eavesdropper, Eve. Crucially, the Bell violation
observed by Alice and Bob allows them then to es-
timate (lower-bound) H(A|E) without making any
assumptions about Eve [2–7].
However, as Eq. (2) applies to any attack, we can
explicitly evaluate it for the strategy discussed above.
Returning to correlations (1) that incorporate losses,
we compute the conditional entropy H(x
∗
|y
∗
). For
the sake of simplicity, we perform this calculation for
the common case of two-output measurements, while
the correlations between Alice and Bob define a per-
fectly correlated bit in the absence of losses, so that
H(x
∗
|y
∗
) = 0 for η
l
= 1. For the above simple attack,
we easily see that H(A|E) = q
A
= (η
l
− η
c
)/(1 − η
c
)
for η
l
≥ η
c
, as Eve has then complete knowledge with
probability (1 − q
A
) and complete uncertainty with
probability q
A
. In contrast, for η
l
≤ η
c
the attack of
Eve works all of the time, so that then H(A|E) = 0.
Within the inset of Fig. 1 we plot explicitly both these
conditional entropies for n
k
= 1 and m = 2.
In Fig. 1, we depict the critical values of the lo-
cal efficiency, η
∗
l
, at which the key rate computed
through (2) becomes zero as a function of the num-
ber of bases, n
k
, used to construct the key. Note
that based on such an attack, the tolerable local effi-
ciency is forced to be at least 85.7% for any DIQKD
Figure 1: Lower bound on critical local efficiency, η
∗
l
,
for DIQKD as a function of the number of measurement
settings, n
k
, that are used to generate the key. For each
n
k
and any η
l
< η
∗
l
below the corresponding value (blue
dot), there exists a simple attack based on the eavesdropping
strategy introduced in Ref. [45] that prevents any protocol
based on two-party correlations (1) from being secure. The
most and the least optimistic critical efficiencies for n
k
→ ∞
and n
k
= 1, respectively, are also marked in blue. For n
k
=
1, the conditional entropies whose difference determines the
key rate (2) are explicitly shown in the inset.
scheme with n
k
= 1, e.g. the ones of Refs. [36, 41–44]
employing one-way communication. Moreover, the
above simple attack—with its corresponding critical
local efficiencies applying to any DIQKD protocol
and any Bell inequality which uses the security proof
of Ref. [7]—demonstrates that even in the unrealistic
case of users employing an infinite number of bases
n
k
→ ∞ (see Fig. 1) the local efficiencies must nec-
essarily exceed 82.2% for a positive key rate to be
possible.
In view of these results, we expect that high effi-
ciencies will inevitably be needed in DIQKD proto-
cols, and the only solution we foresee is to develop
even more efficient photon sources [46–48], better de-
tectors [49–52] and improve all the couplings within
optical implementations to sufficiently decrease losses
within the users’ laboratories. Nevertheless, we ex-
pect Bell experiments with local losses of the order
of 90% to be within reach in the near future. In this
work, we work under this assumption, which is cur-
rently essential for any existing DIQKD implementa-
tion.
2.2 Transmission losses
The second type of losses occur while photons propa-
gate outside the labs and are quantified by the trans-
mission efficiency, η
t
, of the channel connecting the
users. In principle, they constitute the main hurdle
for long-distance DIQKD, as η
t
decreases rapidly with
distance, e.g. exponentially when transmitting sig-
nals over optical fibres. Moreover, even if fibre tech-
nology progresses, the exponential increase of losses
with distance will remain, due to unavoidable light
absorption and scattering. However, contrary to lo-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 3
cal losses, transmission losses can be completely over-
come by adopting a carefully constructed protocol.
A viable route to do so is to record an additional
outcome, denoted by
X
, indicating in a heralded
way that the photons did not get lost [35, 36, 53].
Then,
X
assures that the required quantum state
was successfully transmitted between Alice and Bob
and the Bell test can be performed. If the herald-
ing outcome is causally disconnected from the choices
of measurement settings x, y by Alice and Bob dur-
ing each round of the protocol (see Fig. 2), trans-
mission losses become irrelevant with respect to the
security of the protocol, affecting only the key rate.
In fact, the heralding signal, when causally discon-
nected from the choice of measurements, can simply
be interpreted as a probabilistic preparation of the
required state which does not affect a Bell test, nor
any protocols based on it.
The heralding process can in principle be imple-
mented with the help of a quantum non-demolition
(QND) measurement allowing the number of pho-
tons to be measured without disturbing the quan-
tum state [54]. QND photon measurements are, how-
ever, challenging, requiring e.g. unrealistic optical
non-linearities. The solution is to replace them with
optical linear circuits that achieve the same goal in
a probabilistic fashion [55, 56]. The heralding signal
X
is then provided by a particular detection pattern
in the linear optics circuit indicating, as for the QND
measurement, that the outputs produced by the Bell
test are valid.
Within the side-heralding (SH) scenario depicted
in Fig. 2(a), the circuit is performed by one of the
users who records the rounds in which the positive
heralding pattern,
X
, has occurred, so that only
these are later used for key extraction. In contrast,
in the central-heralding (CH) scenario the heralding
is performed outside of the users labs, at a central
station (resembling the entanglement swapping con-
figuration [57]), by a third party who then publicly
announces which rounds should be considered suc-
cessful, as illustrated in Fig. 2(b). In either case,
the heralding scheme should be causally disconnected
from the measurements in the Bell test. This condi-
tion is more natural in the CH scheme, within which
it is naturally assured by the lack of information leak-
age from the secure user labs. On the contrary, in the
SH configuration it becomes the responsibility of the
user holding the heralding device within their lab,
who must then, e.g. ensure that the heralding sig-
nal occurs before a random choice of measurement is
made
1
. In any case, the heralding signal should work
as the ideal QND measurement and assure that, up to
the leading order, transmission losses have no effect
on the heralded Bell violation.
The importance of this requirement is best un-
1
Ideally, each user possesses an independent source of pri-
vate randomness [58].
S H
x
a
b
y
S
Alice
Bob
x
a
S
S
b
y
X
X
C H
Alice Bob
(a)
(b)
Figure 2: Efficient heralding schemes for DIQKD. Al-
ice and Bob are located at isolated labs (shaded regions)
from which they control information leaks. They locally use
sources S, to distribute a quantum state between their labs
and perform on it randomly sampled measurements labelled
x and y, producing outcomes a and b. The measurement
devices are treated as black-boxes that yield a joint prob-
ability distribution p = {P (ab|xy)}
abxy
compatible with
the laws of quantum physics. A heralding scheme is im-
plemented, such that, given its positive outcome
X
, the re-
sulting p(ab|xy
X
) shared between Alice and Bob becomes
effectively independent of the finite transmission efficiency.
In the side-heralding (SH) scenario, (a), this is achieved
by one of the users performing a (probabilistic) quantum
non-demolition measurement (QND) within their isolated
lab that verifies the arrival of the distributed state, without
disturbing it. In the central-heralding (CH) scheme, (b),
the heralding is performed by a third party that later pub-
licly announces the successful rounds that should be used
during the protocol.
derstood by considering existing proposals for pho-
tonic DIQKD that do not satisfy it, such as the
schemes using a noiseless qubit amplifier [36] or en-
tanglement swapping relays [41–43]. In all these
schemes, entanglement between users is distributed
using spontaneous parametric down-conversion [33]
(SPDC) sources—a probabilistic process in which
multi-photon pair creation also takes place. For the
sake of argument, let us consider the state produced
by the SPDC to read: |0ih0| + ¯p|ψ
AB
ihψ
AB
|; after,
without loss of generality, ignoring its normalisation
and the higher-order terms in ¯p, i.e. the spurious con-
tributions arising when more than one photon-pair is
created within the process—see App. A. For all the
schemes, the state shared by the users after a success-
ful heralding takes a general form (up to irrelevant
normalisation):
ρ
AB|
X
= |0ih0| + λ η
t
¯p |ψ
AB
ihψ
AB
| + . . . , (3)
in which the detrimental terms of order ¯p that yield
deviations from the target |ψ
AB
i may also be omitted.
The parameter λ > 0 above is determined by the
particular heralding scheme [36, 41–43], while η
t
is
the transmission efficiency dependent on the distance
between the users.
The key point is to notice that the contribution
of the maximally entangled state, |ψ
AB
i, in Eq. (3)
occurs at a higher order in ¯p than the vacuum con-
tribution and is influenced differently by the pres-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 4
ence of transmission losses. Thus, for any fixed λ,
the Bell violation strongly depends on η
t
. That is,
contrary to when performing an ideal QND measure-
ment, transmission losses not only affect the key rate
but also the protocol security. In optical fibres, η
t
vanishes exponentially with the separation distance L
(η
t
= e
−L/L
att
, with typical values of the attenuation
length L
att
≈ 20 km), and so the heralded state (3)
approaches the vacuum exponentially with L, while
rapidly ceasing to produce large enough Bell viola-
tions for DIQKD to be possible [44]. In particular,
this implies that in all such protocols there is always
a critical distance at which the protocol ceases to be
secure.
For the sake of clarity, we provide some simple es-
timations that make this point more explicit for the
scheme based on the qubit amplifier of Ref. [36]. As
discussed also in App. B, if one approximates for sim-
plicity 1 − ¯p ≈ 1, the state after heralding can be put
in the form of Eq. (3) with λ = T/(1 − T ), where T
is the transmittance of the beam-splitter used in the
qubit amplifier for the heralding process [36]. Even if
quite optimistic, we can take a value of T = 1−10
−2
,
which gives λ ≈ 10
2
. This severely affects the key
rate, which is a function of 1 − T , but here we focus
on the protocol security.
For any protocol based on the violation of the
CHSH inequality S
loc
≤ 2 (e.g. the one of Ref. [36]),
the heralded state (3) must lead to
S ≤
1
1 + λ η
t
¯p
(2 + λ η
t
¯p 2
√
2). (4)
Following Ref. [2], the inequality (4) allows one to
lower-bound the term H(A|E) ≥ 1 −χ(S) in Eq. (2),
where χ(S) = h[(1 +
p
(S/2)
2
− 1)/2] is the bi-
nary entropy. On the other hand, for key-generation
rounds, the conditional entropy H(x
∗
|y
∗
) = 1 − h[
¯
λ]
where
¯
λ=λη
t
¯p/(1 + λη
t
¯p) is the effective probability
of sharing the target state |ψ
AB
i, given the state (3).
Putting all these terms together, using the expression
for the losses as an exponential function of the dis-
tance, and taking an optimistic value of ¯p = 10
−2
for
SPDC [23, 24], the key rate (2) vanishes already for
distances of approximately one attenuation length,
L
att
≈ 20 km. This critical limit on user separation
can be improved by taking even smaller values of T or
larger values of ¯p, but the problem still remains: for
any given values, the weight of the entangled part in
the state obtained after successful heralding always
decreases exponentially with distance.
The key rates reported in Ref. [36] are much higher
than those obtained in the above. This arises due to
the fact that the authors of Ref. [36] make additional
assumptions on the attacks available to the eaves-
dropper (see for example the Supp. Mat. of Ref. [36]
and also the discussion in Ref. [44]). Using these as-
sumptions, they derive a different bound on the key
rate as a function of an observed CHSH Bell violation
and the rates at which one or both parties observe in-
conclusive events. The same bound was later used in
the protocols of Refs. [41–43]. Unfortunately, it is
unclear whether these assumptions, and correspond-
ing rates, do not imply a loss of generality. In fact,
for a slightly different situation in which losses only
occur for one of the observers, these assumptions and
corresponding bounds can be explicitly proven not
to hold: for some value of the losses they predict a
strictly positive secret-key rate, while it is possible to
derive an explicit eavesdropping attack that breaks
the protocol. The details of this attack are shown
in App. C. This analysis implies that the assump-
tions used in Ref. [36], and later in Refs. [41–43], do
not hold in full generality and, therefore, it is unclear
to what extent the secret-key rates reported in these
works are valid.
In what follows, we propose two DIQKD architec-
tures based on single-photon sources [25] that cru-
cially do not suffer from the above problems. They
are designed such that up to the leading order a pure
entangled state is shared between the users upon
successful heralding – independent of their separa-
tion (or transmission losses). Our protocols thus be-
have as the ideal QND measurement and allow high
key rates to be maintained over large communica-
tion distances. One of the schemes relies solely on
single photon sources and a CH-based implementa-
tion. Since single-photon sources are still an expen-
sive resource compared to widely used SPDC sources,
we furthermore consider a SH-based scheme in which
both source-types are used in conjunction. In order
to maintain generality and a degree of comparison
with the SPDC framework [33], each single-photon
source is modelled to produce a quantum state that,
when ignoring normalisation (see also App. A), reads
σ
SP
=
P
∞
n=1
p
n−1
|nihn| in the photon-number basis,
containing an infinite tail of high-order contributions
whose probability is parametrised by p.
3 DIQKD schemes with single-photon
sources
The SH scheme requires Bob to produce two sin-
gle photons with orthogonal polarizations H and V ,
while Alice has access to entangled photon-pairs pro-
duced by an SPDC source. It is inspired by the qubit-
amplifier implementation of Pitkanen et al. [44], as
shown in Fig. 3(a). Bob’s photons enter a beam-
splitter (BS) of transmittance T . Then, the re-
flected light component passes through a half-wave-
plate (HWP) before being detected in conjunction
with Alice’s transmitted photons via a partial Bell-
state measurement (BSM) depicted by the dashed re-
gion. The outcome of the BSM, c, signifies whether
the required heralding pattern, c =
X
, has occurred,
corresponding to two detector clicks that represent
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 5
Figure 3: DIQKD schemes with single-photon sources. (a): Side-heralding (SH) scheme employing two single-photons
sources. The SPDC source is kept close to Alice to avoid transmission losses on her side. Two single photons held by Bob and
encoded in orthogonal polarizations impinge a BS of transmittance T ≈ 1 located in his lab (shaded region). The reflected
mode is then jointly analysed with the system received from Alice by a partial Bell-state measurement (BSM, dashed region)
consisting of: a partial BS of transmittance t, polarizing-BSs (split squares) and binary on/off photodetectors (half-circles).
(b): Central-heralding (CH) scheme employing two single-photons sources. Both Alice and Bob project two single photons
encoded in orthogonal polarizations onto BSs of transmittance T ≈ 0 situated in their labs. A partial BSM is conducted this
time at the central station on the combined polarization components arriving from Alice and Bob after being passed through
HWPs (
λ
2
). In both schemes, the users apply their choice of the measurement settings x and y on the output modes by
means of a polarization analyser—a sequence of a quarter-wave plate (
λ
4
), HWP, polarizing BS and two binary detectors.
simultaneous detection of orthogonal polarizations.
Provided that the BS transmittance is kept close
to one (T ≈ 1),
X
occurs only when exactly one
photon is transmitted by the BS while the other pho-
ton is reflected, and the single photon-pair term of
the state produced in the SPDC by Alice reaches the
BSM. In this manner, the photons distributed to Al-
ice and Bob are prepared with orthogonal polariza-
tions, although the information about their concrete
polarization is erased by the partial BSM. The re-
sulting state shared by Alice and Bob conditioned on
X
corresponds to a partially (polarization-) entan-
gled two-qubit state with asymmetry dictated by the
BSM transmittance parameter t (in an unnormalised
form):
ρ
(SH)
AB|
X
=
η
t
T (1 − T )
8
|ψ
t
AB
ihψ
t
AB
| + O(¯p) , (5)
where ¯p parametrises the probability to produce mul-
tiple pairs in the SPDC process of Alice (see App. D).
The target state |ψ
t
AB
i = |ψ
−
AB
i + t|φ
−
AB
i in Eq. (5)
is a superposition of Bell states given, in second
quantization, by |ψ
−
AB
i =
1
√
2
(a
†
H
b
†
V
− a
†
V
b
†
H
)|0i and
|φ
−
AB
i =
1
√
2
(a
†
H
b
†
H
− a
†
V
b
†
V
)|0i.
The CH scheme depicted in Fig. 3(b) requires both
Alice and Bob to produce two single photons with or-
thogonal polarizations H and V , inspired by the en-
tanglement distribution scheme of Lasota et al. [59].
The photons produced on each side impinge separate
BSs of low transmittance (T ≈ 0) and, thus, reach
the central station with low probability. The herald-
ing is again provided by a partial BSM, performed
now by a third party, after passing both incoming
beams through separate HWPs. The signal
X
is ob-
served only when each party transmits exactly one
single photon and in such a case the reflected pho-
tons kept by Alice and Bob are again in a partially
(polarization-) entangled state with asymmetry de-
termined by the transmittance t of the partial BSM
performed at the central station (see App. D):
ρ
(CH)
AB|
X
=
η
t
T
2
(1 − T )
2
4
|ψ
t
AB
ihψ
t
AB
| + O(p) . (6)
Unlike previous proposals, see Eq. (3), in the above
two schemes the vacuum terms do not emerge after
heralding. Moreover, the unnormalised states (5) and
(6), to first significant order, are pure and propor-
tional to the transmission efficiency η
t
. This guar-
antees that, after normalisation, the states are inde-
pendent of η
t
(to first order). This, and the use of
single-photon sources instead of SPDC, are the cru-
cial ingredients that allow us to achieve significantly
higher secret key rates at larger distances than pre-
vious proposals.
The second advantage of our schemes is that, by
adjusting the transmittance t of the partial BSM,
the entanglement of the target state |ψ
t
AB
i can be
continuously tuned between the maximally entangled
(t = 0) and product (t = 1) extremes [13]. This can
then be used, in particular, to improve the local ef-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 6
DIQKD Scheme:
Side-heralding
(SH)
Central-heralding
(CH)
Critical local efficiency η
∗
l
(diqkd) 94.9% 94.3%
Critical local efficiency η
∗
l
(nonloc.) 74.3% 69.2%
Noise robustness (nonloc.) 31.2% 35.7%
Secret key per heralded round (bit fraction ≤ 1) 0.82 0.95
Table 1: Performance of DIQKD schemes. Critical local efficiencies, η
∗
l
, only above which the secret key can be distributed
in a fully device-independent fashion, compared with ones above which the shared correlations exhibit nonlocality. For perfect
local efficiencies (η
l
= 1), robustness to mixing the joint probability distribution with a maximally uncorrelated one is listed,
as well as the bit fraction of the secret key generated per successfully heralded round, equal to one in the ideal case. The
probability of producing a single photon or an SPDC photon-pair is assumed as p = ¯p = 10
−4
for each source.
ficiencies, η
l
, required to meet the security require-
ments.
We notice that it is possible to reduce the number
of single photon sources in our schemes by using a
single source emitting a temporal stream of photons.
This would require, however, the stream to be de-
multiplexed either by active optics (which would add
extra noise) or probabilistically by passive elements
(which would decrease the final heralding rate).
4 Computing key rates in heralded
schemes
In standard DIQKD protocols, Alice and Bob mea-
sure their particles. A subset of these measurements
is publicly announced so that the users can count how
many times different outcomes (a, b) are obtained
for the different combinations of inputs (x, y). From
this information, they compute the amount of achiev-
able secret key and, if positive, distil it by means of
classical post-processing [60] from the remainder of
data being shared, specifically, from particular pre-
designed measurement settings (x
∗
, y
∗
) [2–4]. As
mentioned, in the asymptotic limit of infinitely many
rounds, the attainable key rate is given by Eq. (2),
which constitutes the best known lower bound, that,
crucially, is valid for the most general eavesdropping
attacks [7].
Calculating exactly H(A|E) in Eq. (2), for a given
observed correlation p or Bell inequality violation,
optimising over attacks of Eve, turns out to be ex-
tremely hard. The problem has only been solved for
the CHSH inequality [2], the simplest of all Bell in-
equalities. Here, we use a lower bound on H(A|E),
which in turn provides a lower bound on the key
rate, computable for any type of correlations. It
is obtained by replacing the von Neumann entropy
in Eq. (2) by the min-entropy [4]. This quantity
is then directly connected to the guessing probabil-
ity, G
p
(x
∗
), for Eve to correctly guess Alice’s out-
put when she performs the measurement x
∗
. It can
be computed for any Bell correlations exhibited by
p by means of semi-definite programming, as ex-
plained in App. E. The resulting bound on the key
rate (2), which has already appeared in previous se-
curity proofs [4, 5], reads
R ≥
˜
R ≥ R
↓
= −log
2
G
p
(x
∗
) − H(x
∗
|y
∗
). (7)
In an ideal scenario with two outcomes, there are no
errors between Alice and Bob, H(x
∗
|y
∗
) = 0, and Eve
has no information about Alice’s outputs, G
p
(x
∗
) =
1/2, so that R = R
↓
= 1. Because of its ease of
computation, R
↓
is the quantity used here to estimate
attainable key rates of the implementations proposed.
When considering protocols that incorporate a
heralding stage depending on an outcome c, with
rounds occurring at a repetition rate ν
rep
, we quan-
tify the effective key rate of secret bits certified per
time-unit as:
K = ν
rep
P (c =
X
) R
↓
, (8)
where P (c =
X
) is the probability of successful
heralding in each round.
5 Performance of the SH and CH
schemes
As a result, we may quantify the optimal DIQKD-
performance of the CH and SH schemes depicted
in Fig. 3, by conducting an unconstrained nonlinear
maximisation of K in Eq. (8) over all adjustable pa-
rameters. In particular, for each of the schemes, we
optimise over the source parameters p and ¯p, trans-
mittance values T and t, as well as polarization angles
specifying the user measurements. Still, we ensure
p, ¯p ≈ 0 and T ≈ 1 (or T ≈ 0) in case of the SH (or
CH) scheme, so that the distributed quantum states
can be truncated at a finite order in p, ¯p and 1 − T
(or T ). Nonetheless, in order to maintain security
we bypass such a truncation by giving full control
to the eavesdropper over the higher-order terms that
are neglected. Moreover, the critical noise parameters
can then also be determined by similar optimisation
procedures—conducted while increasing the noise un-
til the key rate (8) cannot be made strictly positive.
Explicit details about these optimization steps are
given in Apps. E, F and G.
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 7
We summarise the performance of the SH and CH
schemes in Table 1. Although the SH scheme is sim-
pler, requiring only two single-photon sources, its per-
formance is worse than the CH scheme for all figures
of merit considered. From here onwards, we thus fo-
cus on the CH scheme, which defines the ultimate
experimental requirements for DIQKD to be possi-
ble within our approach. In what follows, we show
that this scheme offers reasonable levels of robustness
against all relevant noise parameters.
The resistance to noise is estimated using a simple
noise model, in which the ideal correlations are mixed
with white-noise correlations with weight 1 − v and
v, and perfect local efficiency (η
l
= 1) is assumed.
The CH scheme yields nonlocal correlations up to
v = 35.7% level of mixing. Concerning imperfection
of the single-photon sources, for a realistic value of
multi-photon generation of p = 10
−4
(c.f. [32]) the
CH scheme generates up to 0.95 secret bits per (suc-
cessfully) heralded round—achieving close to the ul-
timate limit of 1 secret bit, applicable in a perfectly
noiseless scenario [61]. The critical local efficiencies,
η
∗
l
for the nonlocality to be observed are very close to
the ultimate bound of Eberhard [13], η
l
≥ 66.(6)%,
which can be approached due to the ability to pre-
pare pure partially entangled two-qubit states within
both the SH and CH schemes.
Most importantly, employing the CH scheme for
DIQKD, our work predicts that positive key rates can
be generated independently of the separation between
Alice and Bob, as long as the effective local efficiency,
η
l
, for each of the user labs is higher than 94.3%. As-
suming η
l
to be the product of the efficiencies of: pho-
ton extraction from each single-photon source em-
ployed (η
ls
), transmission between the sources and de-
tectors involved (η
lt
), and detection (η
ld
); fully secure
DIQKD is possible as long as η
l
= η
ls
η
lt
η
ld
≥ 0.943
can be attained by each user.
Taking, for instance, η
l
= 95% (see also Fig. 4),
the secret key can be securely distributed over large
distances while completely avoiding the transmis-
sion losses. In particular, assuming in Fig. 4 for
the CH scheme: realistic η
t
= e
−L/L
att
with L
att
=
22 km [36], the lab beam-splitters to exhibit trans-
mission T ≈ 10
−3
, and each of the sources em-
ployed to be producing photons at 100 MHz rate with
p = 10
−4
[32]; a key rate of 1 bit/s can be attained
over approximately 50 km. In Fig. 4, we consider also
the SH scheme, for which we then assume the SPDC
source to produce entangled photons also at 100 MHz
rate with ¯p ≈ 10
−4
—both theoretically within cur-
rent technological reach [23, 24, 62]—but also ensure
T ≈ 1 − 10
−3
to make the comparison fair.
However, let us note that the corresponding val-
ues of key-rates are primarily dictated by the fac-
tor K ∝ ν
rep
P (c =
X
) appearing in Eq. (8) with
the successful-heralding probability effectively equal
to T
2
and ¯p (1 − T ) at L = 0 for the CH and
Figure 4: DIQKD key rates attained with 95% (blue) and
96% (red) local efficiencies. In each case, the solid (dashed)
curve represents the key rate in bits per second attained by
the CH (SH) scheme. Each key rate is optimised over all
adjustable physical parameters, yet in the case of the single-
photon sources impurity parameter, p, its lowest possible
value is always favoured. Here, we fix p = 10
−4
, and con-
sider the repetition rate of photon extraction for each source
to be 100 MHz [32].
the SH scheme, respectively. In particular, as for
the single-photon sources we take p > 0 to account
solely for multi-photon events, its impact on the key
rates is negligible. Although in our analysis we were
motivated to use the least number of single-photon
sources, under such an assumption the limiting de-
pendence of key rates on how well T ≈ 0 (or T ≈ 1)
could, in principle, be avoided by creating more pho-
tons and performing within each lab extra (local) pre-
heralding [55, 56], which must importantly assure a
polarisation-entangled photon pair to be distributed.
When employing multiple SPDC sources such an ap-
proach may seem to be even less efficient [63–65],
however, rapid development of solid-state emitters
capable of producing on-demand entangled photons
could provide a breakthrough [66–68].
6 Conclusions and outlook
Two proposals for photonic implementations of
DIQKD schemes have been given here. They make
use of side- or central-heralding, and utilise two or
four single-photon sources, respectively. They are ca-
pable of maintaining security despite arbitrary trans-
mission losses, and distribute keys over large dis-
tances given sufficiently high local efficiencies.
The analysis proves the proposed photonic archi-
tectures to be almost optimal from the implemen-
tation perspective, as they allow to nearly perfectly
compensate for the impact of finite transmission, so
that devices can operate independently of the dis-
tance separating the users. In contrast, as shown to
be generally demanded within the context of DIQKD,
being a feature of current state-of-the-art security
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 8
proofs [7], the requirements on local efficiencies for
the protocols remain to be stringent. Hence, an im-
portant question that remains open is whether these
demanding requirements can be improved by devel-
oping more elaborate proofs that, in particular, allow
the users to perform two-way communication during
the protocol rather than only one-way error correc-
tion that is typically assumed [2–7]. Unfortunately,
recent progress in this direction has indicated that not
much room for improvement may be available in this
respect without jeopardising the full security [69, 70].
Another important future direction is to improve
the key-rate analysis presented here, while account-
ing in more detail for the limitations of particular
photonic components being employed [71]. On the
one hand, an explicit study of the impact of detec-
tor dark counts would be valuable, even though our
noise-robustness analysis suggests these not to play
a major role (see the values presented in Table 1).
On the other hand, the protocol repetition-rates have
been assumed to be primarily dictated by the capa-
bilities of the photon sources employed [32, 62], while
ignoring, e.g. the finite dead-time of the binary de-
tectors.
Nonetheless, while the requirements on local effi-
ciencies for the proposed protocols are currently chal-
lenging, based on the rapid technological improve-
ment and anticipated capabilities of single-photon
sources [46–48] and detectors [49–52], we hope that
the demands on fully secure DIQKD implementations
presented already here will be fulfilled in the future.
Note Added. After making this work publically
available online at arXiv:1803.07089 [quant-ph], an
alike study of CH and SH schemes for DIQKD has
been released [72], which by focusing on the Bell
violation of the CHSH inequality arrives at slightly
higher requirements for local efficiencies but goes be-
yond the asymptotic key-rate analysis—see also a
very recent work [73] that develops finite-key analysis
for DIQKD. Moreover, the model of the CH scheme
has been developed and explicitly verified against an
experimental implementation within the scenario in
which Alice and Bob possess an SPDC source of en-
tangled photons each (rather than two single-photon
sources) [74]. Although the theoretical predictions
have been demonstrated to accurately reproduce the
observed correlations, these currently do not exhibit
Bell violations strong enough for DIQKD, as the cor-
responding local efficiencies do not yet reach the strin-
gent regime of η
l
& 95% indicated by our work.
Acknowledgments
We thank Rotem Arnom-Friedman, Mikołaj Lasota,
Stefano Pironio and Nicolas Sangouard for help-
ful discussions. This work was supported by the
ERC CoG QITBOX and AdG CERQUTE, Spanish
MINECO (Severo Ochoa SEV-2015-0522), Fundacio
Cellex and Mir-Puig, the AXA Chair in Quantum
Information Science, the Generalitat de Catalunya
(SGR1381 and CERCA Program), the Royal Society
(URF UHQT), the EU Quantum Flagship projects
QRANGE and CiviQ, as well as by the Foundation
for Polish Science under the “Quantum Optical Tech-
nologies” project carried out within the International
Research Agendas programme co-financed by the Eu-
ropean Union under the European Regional Develop-
ment Fund.
A States produced by the SPDC and
single-photon sources
The process of spontaneous parametric down-
conversion [33] (SPDC) producing two-mode polar-
isation entangled photons is described by the Hamil-
tonian
ˆ
H = iκ(a
†
H
b
†
V
−a
†
V
b
†
H
)+h.c., where a
†
H
, a
†
V
, b
†
H
and b
†
V
are the bosonic creation operators of the two
spatial modes a and b, with H and V denoting their
orthogonal polarizations. Rewriting
ˆ
H with help of
the su(1, 1) algebra generators, i.e. ones that obey
[L
−
, L
+
] = 2L
0
and [L
0
, L
±
] = ±L
±
, it is straightfor-
ward to verify that the state produced via the SPDC
reads [75]:
|Ψ
SPDC
i = e
−i
ˆ
Ht
|0i = e
τ(L
+
−L
−
)
|0i (9)
=
1 − tanh
2
τ
e
tanh τ L
+
|0i, (10)
where L
+
= L
†
−
= a
†
H
b
†
V
− a
†
V
b
†
H
, |0i denotes the
vacuum state of all modes, while τ = κ t > 0 can be
assumed to be real.
Moreover, as throughout this work we consider
photonic schemes based on (binary, on/off) photode-
tection, the state Ψ
SPDC
should be interpreted as an
incoherent mixture of different photon-number states
due to lack of a global phase reference. Hence, defin-
ing q = tanh
2
τ as the effective parameter of the
SPDC process, one arrives at the expression:
%
SPDC
= (1 − q)
2
∞
X
n=0
(n + 1) q
n
|Ψ
n
ihΨ
n
| , (11)
where |Ψ
n
i =
1
n!
√
n+1
L
n
+
|0i is the pure state ob-
tained when n photon-pair excitations occur during
the down-conversion.
Nonetheless, for simplicity and the purpose of our
work, we redefine the state (11) in an unnormalised
fashion as,
ρ
SPDC
=
∞
X
n=0
n + 1
2
n
¯p
n
|Ψ
n
ihΨ
n
| (12)
= |0ih0| + ¯p |Ψ
1
ihΨ
1
| + O
¯p
2
, (13)
such that Tr[ρ
SPDC
] = 1/(1 − 2¯p)
2
, and so that the
parameter ¯p = 2q can now be directly associated with
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 9
the contribution of the desired singlet:
|Ψ
1
i =
1
√
2
(|1
H
i
a
|1
V
i
b
− |1
V
i
a
|1
H
i
b
) (14)
=
1
√
2
(|HV i − |V Hi) . (15)
Experimentally, the parameter ¯p is kept small (be-
low 10
−2
) and may be adjusted with squeezing tech-
niques [23, 24]. Although large values of ¯p increase
the production rate of the target maximally entan-
gled two-photon states, |Ψ
1
i, they also increase the
relative contribution of spurious higher-order terms,
|Ψ
n>1
i, to the SPDC process.
On the other hand, as stated in the main text,
whenever the single-photon (SP) sources [25] are
used, we represent states they produce in an anal-
ogous unnormalised, Tr[σ
SP
] = 1/(1 −p), manner as:
σ
SP
=
∞
X
n=1
p
n−1
|nihn| (16)
= |1ih1| + p |2ih2| + O
p
2
, (17)
where the desired single-photon is then produced at
the zeroth order in p (≈ 10
−4
in current experi-
ments [32])—in contrast to the SPDC process (12)
in which the target photon-pair (15) occurs at the
first order in ¯p in Eq. (13).
Finally, let us emphasise that throughout this work
we perform calculations for all the schemes beyond
their expected ideal working-order in ¯p and p, i.e. by
performing truncations of (13) and (17) at higher or-
ders. Still, it is crucial to mention that, when we
compute the results (key rates and figures of merit
presented in Table 1 of the main text), we never-
theless bypass such a truncation by assuming that
higher-order terms (those which were dropped) are
controlled by the eavesdropper to her own benefit.
We give the details of this technique in App. F be-
low.
B Heralded state produced by the
qubit amplifier of Gisin et al. [36]
The original scheme of Ref. [36] is of the SH type (see
Fig. 2(a) of the main text) and consists of an SPDC
source held by Alice and two single-photon sources
(emitting photons in H and V polarisation modes)
held by Bob. For the sake of the argument, let us
assume that all the sources do not produce multiple
pairs, which is only beneficial for the scheme.
The initial composite state of Alice and Bob before
communication and amplification reads [36]:
[(1 − ¯p) |0ih0| + ¯p |Ψ
1
ihΨ
1
|] ⊗ |1
H
ih1
H
| ⊗ |1
V
ih1
V
| .
(18)
Bob’s photons enter a beam-splitter of transmittance
T , so that the reflected mode can then be combined
with the mode received from Alice within an imple-
mentation of the Bell-state measurement (BSM). As
a consequence, the final unnormalized state that is
shared by Alice and Bob, conditioned on the (herald-
ing) success of the BSM performed by Bob, reads:
(1 − ¯p)(1 − T )
2
|0ih0| + ¯pη
t
T (1 − T ) |Ψ
1
ihΨ
1
| + ...,
(19)
where we have already ignored all irrelevant terms
that do not yield any correlations apart from the
vacuum—which occurs with probability proportional
to (1 −T )
2
, since both of Bob’s photons are reflected
and detected. The second term in Eq. (19) corre-
sponds to the case when Alice produces the singlet
(15), which is transmitted with probability η
t
, and
only one of Bob’s photons is reflected. One can see
that Eq. (19) is of the form of Eq. (3) in the main
text with the effective λ = T/(1 − T ).
Such a feature will always emerge as long as the
singlet (target) state is proportional to η
t
, while
the vacuum component remains unaffected by the fi-
nite transmission efficiency. In particular, it natu-
rally generalises to scenarios based on ‘entanglement-
swapping’ or ‘teleportation’ [41–43] and hence, as
explained in the main text, constitutes the main
limitation of all these schemes. The only excep-
tion is the ‘quantum-relay’-based scheme proposed
in Ref. [41] that, however, due to SPDC sources being
employed yields a conditional state still containing
undesired terms in apart from the singlet contribu-
tion in Eq. (5).
C Secret-key rate under losses
In this appendix, we present a rather natural scenario
in which the bound on the key rate derived by Gisin
et al. [36] can be proven not to hold. In the supple-
mental material of Ref. [36], the situation is studied in
which Alice and Bob implement lossy measurements
on an entangled state. The goal is to establish an up-
per bound on the information that an eavesdropper
can possess about the outcomes used for generation
of the secret key, given that the non-detected events
have already been discarded.
A bound based only upon the statistics of the
conclusive events is not possible, as it would open
the detection loophole. In Ref. [36] a method is
given for bounding Eve’s knowledge about the con-
clusive correlations, based upon the full (lossy) corre-
lations. The main result, see Eq. (10) in their work,
is the following bound on the mutual information,
I(A : E) = H(A) − H(A|E), between Alice and Eve:
I(A : E) ≤ I
E
(S
cc
, µ) = (1 − µ) χ
S
cc
− 4µ
1 − µ
+ µ.
(20)
Here, µ is a parameter defined by the ratio of the rates
of conclusive-conclusive events, µ
cc
, and conclusive-
inconclusive events, µ
ci
and µ
ic
, from Alice’s and
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 10
Bob’s perspective, respectively, and reads
µ =
µ
ci
+ µ
ic
µ
cc
. (21)
The parameter S
cc
, on the other hand, denotes the
value of the CHSH inequality when computed only
from the conclusive events. Finally, the function
χ(S) = h
1 +
p
(S/2)
2
− 1
2
!
(22)
with h(x) = −x log
2
x−(1−x) log
2
(1−x) has already
been employed in the main text, see below Eq. (4),
and follows from Ref. [2]. For what follows, the prop-
erty to remember is that χ(S) < 1 if S > 2. We
also emphasise that the bound (20) depends on the
lossy correlations: while the Bell parameter used in
I
E
in Eq. (20) is estimated only from the conclusive
events, I
E
depends also on the rates of conclusive and
inconclusive events via the parameter µ.
Let’s apply the bound (20) to a situation in which
losses only appear on Alice’s side. The corresponding
correlations, p
η
l
, between Alice and Bob then read
analogously to Eq. (1) of the main text:
P
η
l
(ab|xy) = η
l
P (ab|xy)
P
η
l
(φb|xy) = (1 − η
l
)P
B
(b|y), (23)
where again a and b refer only to conclusive ‘detec-
tion’ events, while P
A
and P
B
denote the marginal
probabilities detected by Alice and Bob (in the ideal
lossless case). We consider the standard situation in
which Alice and Bob implement the optimal measure-
ments to violate the CHSH inequality, given a singlet
is shared, while the key is generated from one of these
measurements, say x = 0. Therefore, Eve’s goal is to
guess the output of this measurement on Alice’s side.
The correlations (23) can be conveniently arranged
in a table as follows
p
η
l
=
η
l
s η
l
t η
l
s η
l
t
η
l
t η
l
s η
l
t η
l
s
1−η
l
2
1−η
l
2
1−η
l
2
1−η
l
2
η
l
s η
l
t η
l
t η
l
s
η
l
t η
l
s η
l
s η
l
t
1−η
l
2
1−η
l
2
1−η
l
2
1−η
l
2
, (24)
where within each of the four blocks the columns
are labelled by the two possible conclusive outputs
of Bob, and the rows by the three outputs of Al-
ice that include the non-detected outcome. The four
blocks above correspond then to the four combina-
tions of measurement settings x, y = {0, 1}, where
s = (1+cos(π/4))/4 and t = (1−cos(π/4))/4. When-
ever the local efficiency is unity, η
l
= 1, the corre-
lations (24) violate maximally the CHSH inequality
and are referred to as the ‘Tsirelson correlations’.
It can be verified that the correlations (24) are local
whenever η
l
≤ 1/
√
2. On the other hand, when using
them to evaluate the bound (20) for any of Alice’s
measurement, say x = 0, one obtains I
E
(S
cc
, µ) < 1
whenever η
l
> 1/
√
2. The result is intuitively satis-
factory: if the initial correlations are non-local, there
is some uncertainty left for Eve about Alice’s outcome
after discarding the non-conclusive events. Unfortu-
nately, this conclusion, and therefore the bound (20)
used to derive it, is not universally valid, as proven
by the following attack of Eve, whereby she has per-
fect knowledge of Alice’s outcome for some values of
η
l
larger than 1/
√
2.
Eve prepares a mixture of the following three dis-
tributions:
p
1
=
s t s t
t s t s
0 0 0 0
ps pt pt ps
pt ps ps pt
1
2
(1 − p)
1
2
(1 − p)
1
2
(1 − p)
1
2
(1 − p)
(25)
with p =
√
2 − 1 ≈ 0.41, which is local and, hence,
can be further decomposed in terms of deterministic
strategies; and
p
2
=
s t s t
0 0 0 0
t s t s
s t t s
t s s t
0 0 0 0
, p
3
=
0 0 0 0
t s t s
s t s t
s t t s
t s s t
0 0 0 0
.
(26)
The correlations (26) constitute ideal Tsirelson corre-
lations (Eq. (24) with η
l
= 1 and re-labelled outcomes
for Alice) and, therefore, are as non-local as the quan-
tum mechanics allows. The important fact to notice
is that for all p
1
, p
2
and p
3
, if the no-click events are
discarded, Eve has perfect knowledge on Alice’s out-
comes for x = 0, as can be seen by inspection from
the tables.
We consider the following mixture
p
λ
= λp
1
+ (1 − λ)
1
2
(p
2
+ p
3
) (27)
and require the local efficiency to be outcome-
independent. In particular, in order to reproduce the
correlations (24), we solve
η
l
= λ + (1 − λ)
1
2
= λp + (1 − λ) (28)
for λ, so that p
λ
= p
η
l
. As a result, for λ =
1
3−2p
=
5+2
√
2
17
we obtain an attack for which the correlations
(24) are recovered with local efficiency:
η
l
=
11 +
√
2
17
≈ 0.73
> 1/
√
2 ≈ 0.707
. (29)
As, once the non-conclusive events are discarded,
Eve can then predict with certainty Alice’s outcome
for the setting x = 0, the above attack invalidates the
upper bound (20) that predicts this to be impossible
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 11
for any η
l
> 1/
√
2 ≈ 0.707. Although the bound (20)
cannot thus hold in complete generality for situations
including losses (as already speculated in Ref. [41]),
it still remains to be proven whether Eq. (20) can
be considered to be valid for the specific correlations
arising in the protocol of Ref. [36].
D Heralded states produced by the SH
and CH schemes
In Fig. 5 we depict once more the SH scheme—see its
implementation in Fig. 3(a)—while separating explic-
itly the photonic modes involved, i.e. distinct modes
originating from the labs of Alice and Bob (A and B)
distinguished also by their polarisations (H and V ),
as well as the auxiliary modes (labelled as primed
"
0
") that effectively are the ones to reach the herald-
ing station, and are measured to obtain the heralding
signal c. A protocol round is then accepted within the
SH (and also CH, see below) scheme only if the click
pattern c = 0110 =:
X
is observed with only the two
middle detectors in Fig. 5 clicking.
Within the SH scheme Alice uses the SPDC pro-
cess to produce a pair of entangled photons in modes
A
H/V
and A
0
H/V
described by the state (12), ρ
SPDC
.
Bob employs on-demand sources in order to simulta-
neously prepare single photons (SPs) in modes B
H
and B
V
, each described by the state (16), σ
SP
, see
Fig. 5. Inspecting the expressions (12) and (16), the
SH scheme ideally works at first order in ¯p and ze-
roth order in p, respectively, with higher orders being
negligible due to ¯p . 10
−2
[23, 24] and p . 10
−4
[32].
For completeness, however, we perform the analysis
up to second order in both p and ¯p by considering the
initial (unnormalised and uncorrelated) state of Alice
and Bob—i.e. the overall one present initially in the
modes A
H/V
, A
0
H/V
and B
H/V
in Fig. 5—to read:
ρ
(SH)
AB
= |0
AA
0
, 1
B
H
1
B
V
ih...| + p |0
AA
0
, 1
B
H
2
B
V
ih...| +
p |0
AA
0
, 2
B
H
1
B
V
ih...| + p
2
|0
AA
0
, 2
B
H
2
B
V
ih...| +
p
2
|0
AA
0
, 1
B
H
3
B
V
ih...| + p
2
|0
AA
0
, 3
B
H
1
B
V
ih...| +
¯p |Ψ
AA
0
1
, 1
B
H
1
B
V
ih...| +
p¯p |Ψ
AA
0
1
, 1
B
H
2
B
V
ih...| + p¯p |Ψ
AA
0
1
, 2
B
H
1
B
V
ih...| +
3
4
¯p
2
|Ψ
AA
0
2
, 1
B
H
1
B
V
ih...| + O
p
i
¯p
j
i+j=3
(30)
with higher-order terms yielding negligible contri-
butions, which nonetheless must be later accounted
for (see App. F) when assuring the security of the
DIQKD protocol.
Inspecting Eq. (30), it is the seventh term occur-
ring at ¯p-order which is the desired one, containing
an entangled pair |Ψ
1
i in modes A
H/V
and A
0
H/V
and single photons in both modes B
H/V
. All other
terms are spurious: the first six are associated with
the vacuum production rounds of the SPDC source
held by Alice; the eighth and ninth correspond to
cases in which the SPDC process succeeds but one
of the SPs emits two photons instead; while the last
term appears due to double-pair production of the
SPDC. In order to compute the state ρ
(SH)
AB|c
marked
in Fig. 5, we propagate the initial state (30) “term
by term” through the relevant parts of the circuit
and account for the photon-detection measurement
in modes A
0
H/V
and B
0
H/V
, while assuming the detec-
tors to be binary (on/off), i.e. clicking with efficiency
η
h
, without distinguishing the exact photon number.
Although we omit here the explicit expression for
ρ
(SH)
AB|c
that we obtain for c =
X
(i.e. when only two
out of the four relevant detectors in Fig. 5 click),
we note that the leading order of ρ
(SH)
AB|
X
stated in
Eq. (5) of the main text is the result of the desired
contribution—the seventh term in Eq. (30). Cru-
cially, contributions of all the other terms in Eq. (30)
are suppressed due to p, ¯p 1. Moreover, the impact
of finite detection efficiency, η
h
< 1, can be assumed
to affect only the probability of successful heralding,
i.e. P (c=
X
) that corresponds to the norm of ρ
(SH)
AB|
X
,
because we ensure that T ≈ 1 within the SH scheme.
As a result, the SPs produced by Bob hardly enter
the modes B
0
H/V
in Fig. 5 or, in other words, leave
the lab of Bob in Fig. 3(a).
Importantly, we use the full expression for ρ
(SH)
AB|
X
incorporating all the contributions of Eq. (30) to com-
pute the resulting correlations shared by Alice and
Bob after they measure photons in modes A
H/V
and
B
H/V
in Fig. 5, respectively, i.e.:
P
(SH)
a, b
x={φ
A
, θ
A
}, y ={φ
B
, θ
B
}, t, η
d
, c=
X
η
h
, η
t
, T ≈ 1, p ≈ 0, ¯p ≈ 0
,
(31)
which similarly to the initial state (30) is valid up to
O
p
i
¯p
j
i+j=3
. The form of the joint probability dis-
tribution (31) depends strongly on the measurement
settings controlled by the angles (φ, θ) of polarization
dual-rail qubits [76] detected by Alice and Bob, the
efficiency η
d
of the binary detectors they employ, as
well as the t-parameter controlling the asymmetry of
the heralding BSM (see Fig. 5) and, hence, the par-
tial entanglement of the target state |ψ
t
AB
i in Eq. (5).
Nonetheless, we also list in the second row in Eq. (31)
all the other parameters that the shared correlations
formally depend on due to higher-order terms taken
into account within the initial state (30).
However, in practice—as verified also by our nu-
merical analysis—the dependence on the transmis-
sion loss parameter, η
t
, as well as the efficiency
of heralding detectors, η
h
, can be completely disre-
garded as they enter Eq. (31) at higher order in p
and 1−T , respectively. Nonetheless, let us emphasise
that to compute both the critical local efficiencies, η
∗
l
,
stated in Table 1 and the DIQKD key rates presented
in Fig. 4, we use the full expression for the joint prob-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 12
Figure 5: SH scheme of Fig. 3(a) with all the photonic modes separated. Alice employs a SPDC source to prepare
entangled photon pairs in modes A
H/V
and A
0
H/V
described by the state ρ
SPDC
in Eq. (12). Bob uses two SP sources
instead to simultaneously prepare single photons in modes B
H/V
, each described by the state σ
SP
in Eq. (16). The whole
SH scheme corresponds to a linear-optics circuit involving beamsplitters (BSs), half- and quarter-wave plates (
λ
4
and
λ
4
),
polarising beamsplitters (PBSs), and binary detectors yielding "0" (for no photons) or "1" (when one or more photons are
detected). The finite efficiency of heralding detectors, as well as ones held by Alice and Bob, is accounted for by loss
parameters η
h
and η
d
, respectively, which similarly to the transmission loss, η
t
, correspond to a BS-transformation with the
vacuum state impinging the empty input port. In our analysis we consider the overall initial state ρ
(SH)
AB
to be adequately
described by its lowest-order expansion (30). We propagate it then through the circuit in order to compute the resulting state
shared by Alice and Bob conditioned on successful heralding outcome, i.e. ρ
(SH)
AB|c
with c = 0110 =:
X
when only the middle
two of the heralding detectors click. ρ
AB|
X
is then the state spanning modes A
H/V
and B
H/V
that Alice and Bob perform
dual-rail polarisation qubit measurements on, whose settings are completely parametrised by the angles x = {φ
A
, θ
A
} and
y = {φ
B
, θ
B
} [76]. Finally, the outcomes a and b correspond to the four possible click patterns observed by Alice and Bob,
respectively.
ability (31). In particular, we set the efficiency of the
heralding detectors to be equal to the ones of Alice
and Bob, i.e. η
h
= η
d
=: η
l
, which in practice af-
fects then only the key rate with P (c =
X
) ∝ η
2
h
in
Eq. (8). Moreover, in order to determine the highest
key rates K in Eq. (8) that yield the lowest critical
local efficiency, η
∗
l
= η
∗
d
, we also fine-tune the source
parameters {¯p, p, T }, whose orders of magnitude we
importantly constrain to ¯p ≈ 10
−2
, p ≈ 10
−4
and
(1 −T ) ≈ 10
−3
for the lowest-order expansion analy-
sis to always be valid.
For the CH scheme depicted Fig. 3(b), we follow
exactly the same analysis as stated above for the SH
scheme. The CH scheme can be presented as a similar
linear optics circuit, where now the A-modes consti-
tute just a copy (mirror image) of the B-modes drawn
in Fig. 5. Within the CH scheme both Alice and
Bob possess two on-demand SP sources. The only
difference—due to the heralding station in Fig. 3(b)
being held outside of the labs—are the transmission
losses, η
t
, that must now be accounted for not only
in the A
0
H/V
(see Fig. 5) but also in the B
0
H/V
modes.
However, for the CH scheme the initial state pre-
pared by Alice and Bob (this time using only the
four modes A
H/V
and B
H/V
in Fig. 5 with others
containing vacuum) no longer contains spurious vac-
uum contributions, due to the SPDC process being
absent, i.e.:
ρ
(CH)
AB
= |1
A
H
1
A
V
, 1
B
H
1
B
V
ih...| + p |1
A
H
1
A
V
, 1
B
H
2
B
V
ih...| +
p |1
A
H
1
A
V
, 2
B
H
1
B
V
ih...| + p |1
A
H
2
A
V
, 1
B
H
1
B
V
ih...| +
p |2
A
H
1
A
V
, 1
B
H
1
B
V
ih...| + O
p
2
, (32)
where, in contrast to Eq. (32), the ideal contribution
occurs at zeroth order in p, that is, when each of the
four SPs produces a single photon. Still, similarly to
the SH scheme, we include higher-order contributions
(now, at first order in p) in our analysis.
In particular, we compute the corresponding state
ρ
(CH)
AB|
X
conditioned on successful heralding, whose
main contribution comes from the zeroth-order in
Eq. (32) stated in Eq. (6) of the main text. As in
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 13
Eq. (31), while keeping all the contributions of the
initial state (32), we compute the shared correlations
of Alice and Bob after they perform their measure-
ments, i.e.:
P
(CH)
a, b
x={φ
A
, θ
A
}, y ={φ
B
, θ
B
}, t, η
d
, c=
X
˜η
t
= η
h
η
t
, T ≈ 0, p ≈ 0
,
(33)
where in contrast to Eq. (31) the efficiency of the
heralding detectors η
h
—appearing in Eq. (33) again
only due to higher-order terms in Eq. (32)—can be
interpreted as just another source of effective trans-
mission loss, ˜η
t
. As a result, in order for comparison
of the key rates in Fig. 4 between the SH and CH
schemes to be fair, we rescale η
t
→ η
t
η
l
in case of
the latter to account for the heralding detectors to
have the same efficiency as the ones held by Alice
and Bob (i.e., η
h
= η
d
= η
l
in Fig. 5). Otherwise, we
perform exactly the same analysis for the joint dis-
tribution (33) as for Eq. (31), in order to determine
the maximal key rate, K in Eq. (4), and critical local
efficiencies, η
∗
l
in Table 1, where we ensure now that
T ≈ 10
−3
and p / 10
−3
throughout the numerical
optimisation, so that our perturbative approach (in
photon number) assumed by Eq. (32) always holds.
Finally, let us note that within both the SH and CH
schemes we may naturally account for the finite effi-
ciency of the on-demand sources employed [25], which
produce the SPs in the state (16), i.e. σ
SP
marked in
Fig. 5 for the SH scheme. Inspecting Fig. 5 and, in
particular, modes B
H/V
—and similarly for the A
H/V
modes in case of the CH scheme, in which they are
equivalent—it becomes clear that one may propagate
beam-splitters responsible for the finite detection, η
d
,
all the way through the circuit onto the initial state
without altering the scheme on the whole. Hence,
given that each SP-source works with η
s
-efficiency,
all our analysis applies with now simply the overall
local efficiency reading η
l
= η
s
η
d
, so that it accounts
for the finite efficiency of both the sources and detec-
tors contained within the lab of Alice or Bob, or both
(as summarised in the main text while including also
finite transmission between these components, η
lt
).
E Guessing probability
The min-entropy term −log
2
G
p
(x
∗
) in Eq. (7)
of the main text is expressed with help of the
device-independent guessing probability, i.e. the aver-
age probability that the eavesdropper Eve correctly
guesses the output of Alice using an optimal strat-
egy: [77]
G
p
(x
∗
) := max
{p
e
}
X
e
P (e) P (a = e|x
∗
, e) (34)
s.t.
X
e
p
e
= p and ∀e : p
e
∈
e
Q.
Here, P (e) denotes the probability that Eve observes
the outcome e, while P (a = e|x
∗
, e) effectively repre-
sents the probability that Alice obtains an outcome
a coinciding with e, given to be the one observed by
Eve.
Any strategy of Eve in Eq. (34) can be seen as a
measurement that she performs on her system, which
then produces a decomposition (a collection) of un-
normalized behaviours {p
e
} distributed between Al-
ice and Bob. The guessing probability (34) is then
obtained by maximising the success of Eve’s strategy
over all such possible decompositions that, however,
must reproduce on average the behaviour p observed
by Alice and Bob and be compatible with quantum
mechanics (see the second line of Eq. (34)). Formally,
each of them must belong to the set of unnormalised
behaviours
e
Q which stem from the Born’s rule when
valid quantum measurements act on an unnormal-
ized, yet unspecified, quantum state. Thus, to en-
force the quantumness of Eve’s strategy, the second
constraint in Eq. (34) demands that all p
e
belong to
e
Q.
Imposing membership in
e
Q is difficult since a pre-
cise characterization of
e
Q is unknown. However,
semi-definite programming (SDP) relaxations similar
to the ones presented by Navascués et al. [78] can be
introduced to bound G
p
(x
∗
) from above [77]. One de-
fines a convergent hierarchy of convex sets that have a
precise characterization and obey
e
Q
1
⊇
e
Q
2
⊇ ... ⊇
e
Q.
This hierarchy approximates the quantum set
e
Q from
outside, so that any optimisation over the quantum
set can be relaxed (to some order k) by replacing
e
Q
in Eq. (34) with
e
Q
k
. Hence, the program presented
in Eq. (34) becomes an SDP when relaxations of the
set
e
Q are employed—in our work we mostly consider
relaxations to the order 1 + AB, i.e, an intermediary
order between first and second orders.
Finally, let us note that from the dual formula-
tion [79] of the SDP program employed, we are also
always able to retrieve the Bell inequality that is op-
timal for bounding the degree of predictability that a
quantum eavesdropper may have about the string of
Alice’s outcomes [77].
F Dealing with higher-order multi-
photon contributions
In order to deal with quantum states produced
by SPDC and single-photon sources (presented in
App. D), one typically truncates the global state pro-
duced by all sources in the setup up to a certain order
n [36, 41, 42]. Since any setup we consider is pow-
ered by SPDC sources parameterized by ¯p and single-
photon sources parametrized by p, a truncation to the
order, e.g. n = 2 of the global state—which is the ten-
sor product of the states of each source—would keep
all terms up to order O
p
2
, O(p¯p) and O
¯p
2
.
Nevertheless, this perturbative approximation may
yield misleading conclusions about the nonlocal char-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 14
acter of the observed correlations and compromise
DIQKD security for a given setup. In fact, one has
to guarantee that contributions not considered in the
truncation will not contradict the conclusions about
the nonlocal character of the behaviour in question.
To avoid this problem, we develop here a method
based on SDP techniques where all high-order contri-
butions (>n) that are not taken into account are fully
controlled by Eve, to her benefit. This may seem too
conservative, but the method turns out to be efficient
and not overly pessimistic, since the contribution of
high-order terms becomes irrelevant for sufficiently
low values of p and ¯p.
The key idea is to conceive higher-order contribu-
tions as producing an unknown and uncharacterized
quantum behaviour p
Q
prepared by Eve for Alice
and Bob. If p
est
n
denotes the estimation of the be-
haviour of Alice and Bob constructed to the order n
(e.g. one derived basing on states (30) or (32) for SH
and CH-schemes, respectively), then the first step of
the method is to write the observed behaviour p as a
convex decomposition: p = (1 −
n
)p
est
n
+
n
p
Q
.
At the quantum level, the total state being shared,
given a collection of sources producing a perturba-
tive state such as (12), may be written as a convex
mixture p(n)ρ
n
+ p(¯n)ρ
¯n
, where ρ
n
is the truncated
state according to the estimation made at some or-
der n. ρ
¯n
is thus the remaining “tail” of high-order
contributions, and p(¯n) = 1 − p(n). Moving to the
level of probability distributions, linearity of Born’s
rule with respect to ρ implies that the elements of the
observed behaviour p conditioned on the outcome c
employed in the heralding stage (see App. D) may be
decomposed in a similar fashion, i.e.:
P (a, b|c) = p(n|c) P (a, b|c, n) + p(¯n|c) P (a, b|c, ¯n).
(35)
The probabilities P (a, b|c, n) above are then nothing
but the elements of the estimated behaviour p
est
n
com-
puted up to the nth order.
We rewrite p(n|c) employing the Bayes rule:
p(n|c) =
p(c|n)p(n)
p(c)
. (36)
The numerator in Eq. (36) is known, as p(c|n) is
merely the probability of observing the heralding out-
come c while assuming the nth order truncation at
the level of the sources. The denominator, however,
is unknown and corresponds to the probability of ob-
serving the outcome c, without assuming any trunca-
tion.
Still, it is possible to set an upper bound on p(c):
p(c) =
∞
X
~
k=
~
0
p(
~
k)p(c|
~
k)
≤ p
~
K
n
(c) :=
~
K
n
X
~
k=
~
0
p(
~
k)p(c|
~
k) +
∞
X
~
k>
~
K
n
p(
~
k), (37)
where the vector of variables
~
k = (k
1
, k
2
, ..., k
s
) de-
scribes the possible number of photons produced by
each of the s sources. In particular, p(
~
k) gives the dis-
tribution for each of the possible combinations of pho-
tons (or photon pairs) occurring, when produced by
the sources. Vector
~
K
n
contains the numbers of pho-
tons that each source can maximally produce, given
a particular order n of the truncation.
Bounding Eq. (36) with help of Eq. (37), one gets
the desired upper bound on
n
= 1 − p(n|c), i.e.,
n
≤
↑
n
:= 1 −
p(c|n)p(n)
p
~
K
n
(c)
, (38)
which can be importantly computed for a given opti-
cal scheme and the order n assumed. Consistently,
↑
n
(and, hence,
n
) goes to zero as the order n increases,
so that p
est
n
converges to p in the limit n → ∞.
In an analogous way to Eq. (34), we define the
device-independent guessing probability to the order
n as:
G
p
est
n
(x
∗
, ) := max
{p
e
}
X
e
P (e, a = e|x
∗
) (39)
s.t.
X
e
p
e
= (1 − )p
est
n
+ p
Q
,
p
Q
∈ Q and ∀e : p
e
∈
e
Q,
where (
e
Q)Q denotes the set of (un)normalized quan-
tum behaviours. The crucial difference between
Eqs. (34) and (39) is that Eve is now not obliged to
reproduce exactly the behaviour p with her collection
of unnormalised behaviours {p
e
}. Instead, she pos-
sesses a supplementary quantum behaviour p
Q
that
she can tailor, so that it is easier for her to reproduce
the behaviour p
est
n
for a given fixed value of and,
hence, better guess the outcome of Alice’s box.
Now, the following inequalities must hold:
G
p
est
n
(x
∗
) ≤ G
p
est
n
(x
∗
,
n
) ≤ G
p
est
n
(x
∗
,
↑
n
), (40)
where the first one is guaranteed to be saturated
whenever it is optimal to set p
Q
= p
est
n
in Eq. (39)
(i.e. the truncation plays no role), while the second
one whenever the bound (38) is tight. As a result,
we may always upper-bound Eve’s optimal guessing
probability by G
p
est
n
(x
∗
,
↑
n
), and by doing so we can
only underestimate the attainable key rate of the
DIQKD protocol—see Eq. (7) of the main text.
Let us stress that the method presented above is
quite general, as it can be applied to any other un-
characterised imperfection parametrised by , such
that its action arises as convex decomposition of the
form p = (1 − )p
est
+ p
Q
. In particular, it allows
to upper-bound the guessing probability for any type
of noise that may be represented as a convex mixture
at the level of a quantum state, given that the corre-
sponding mixing probability can also be bound from
above by a known
↑
< 1.
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 15
G Noise robustness for nonlocality
We analyze the robustness to white noise of the es-
timated behaviours p
est
that our two schemes pro-
duce. We determine the maximal value w
∗
of white
noise 1
p
—a distribution in which all the outcomes
are equally likely, independently of the measurement
choices—which can be convexly added such that the
behaviour (1 − w)p
est
+ w1
p
remains nonlocal.
Membership of a probability distribution to the set
of local behaviours [9] is an instance of a linear pro-
gram [79]. Geometrically speaking, the set of local
behaviours is a polytope in the space of probabil-
ity distributions, whose extremal points correspond
to particular deterministic strategies {D
µ
}
µ
that are
sufficient to decompose any local behaviour. In fact,
there is a finite number of such deterministic strate-
gies, and the white noise tolerance of p
est
is given by
the solution of the following linear program:
w
∗
= min
{q
µ
}
w (41)
s.t. (1 − w)p
est
+ w1
p
=
X
µ
q
µ
D
µ
,
X
µ
q
µ
= 1 and ∀µ : q
µ
≥ 0.
The white-noise tolerance threshold, w
∗
, should be
interpreted as deviations from the desired correla-
tions at the level of probability distributions. This
is the worst-case approach in which the experimental
imperfections not accounted for in p
est
provide Alice
and Bob with completely uncorrelated results. The
fact that our schemes tolerate high amounts of white
noise (see Table 1 of the main text) ensures that our
results will not be strongly affected when introduc-
ing other sources of noise, not accounted for in the
analysis.
References
[1] D. Mayers and A. Yao. Quantum cryptography
with imperfect apparatus. In Proceedings of the
39th IEEE Conference on Foundations of Com-
puter Science, 1998.
[2] Antonio Acín, Nicolas Brunner, Nicolas Gisin,
Serge Massar, Stefano Pironio, and Valerio
Scarani. Device-Independent Security of Quan-
tum Cryptography against Collective Attacks.
Phys. Rev. Lett., 98:230501, June 2007. DOI:
10.1103/PhysRevLett.98.230501.
[3] Stefano Pironio, Antonio Acín, Nicolas Brun-
ner, Nicolas Gisin, Serge Massar, and Vale-
rio Scarani. Device-independent quantum key
distribution secure against collective attacks.
New J. Phys., 11(4):045021, April 2009. DOI:
10.1088/1367-2630/11/4/045021.
[4] Lluis Masanes, Stefano Pironio, and Antonio
Acin. Secure device-independent quantum key
distribution with causally independent measure-
ment devices. Nat. Commun., 2:238–, March
2011. DOI: 10.1038/ncomms1244.
[5] S. Pironio, Ll. Masanes, A. Leverrier, and
A. Acín. Security of Device-Independent Quan-
tum Key Distribution in the Bounded-Quantum-
Storage Model. Phys. Rev. X, 3:031007, August
2013. DOI: 10.1103/PhysRevX.3.031007.
[6] Umesh Vazirani and Thomas Vidick. Fully
device-independent quantum key distribution.
Phys. Rev. Lett., 113:140501, September 2014.
DOI: 10.1103/PhysRevLett.113.140501.
[7] R. Arnon-Friedman, R. Renner, and T. Vidick.
Simple and tight device-independent security
proofs. SIAM J. Comput., 48(1):181–225, 2019.
DOI: 10.1137/18M1174726.
[8] John Bell. On the Einstein-Podolsky-Rosen
Paradox. Physics, 1:195–200, 1964. DOI:
10.1103/physicsphysiquefizika.1.195.
[9] Nicolas Brunner, Daniel Cavalcanti, Stefano
Pironio, Valerio Scarani, and Stephanie Wehner.
Bell nonlocality. Rev. Mod. Phys., 86:419–478,
April 2014. DOI: 10.1103/RevModPhys.86.419.
[10] Philip M. Pearle. Hidden-variable example based
upon data rejection. Phys. Rev. D, 2:1418–1425,
October 1970. DOI: 10.1103/PhysRevD.2.1418.
[11] Ilja Gerhardt, Qin Liu, Antía Lamas-Linares, Jo-
hannes Skaar, Valerio Scarani, Vadim Makarov,
and Christian Kurtsiefer. Experimentally Fak-
ing the Violation of Bell’s Inequalities. Phys.
Rev. Lett., 107:170404, October 2011. DOI:
10.1103/PhysRevLett.107.170404.
[12] John F. Clauser, Michael A. Horne, Abner Shi-
mony, and Richard A. Holt. Proposed experi-
ment to test local hidden-variable theories. Phys.
Rev. Lett., 23:880–884, October 1969. DOI:
10.1103/PhysRevLett.23.880.
[13] Philippe H. Eberhard. Background level and
counter efficiencies required for a loophole-
free Einstein-Podolsky-Rosen experiment. Phys.
Rev. A, 47:R747–R750, February 1993. DOI:
10.1103/PhysRevA.47.R747.
[14] M. A. Rowe, D. Kielpinski, V. Meyer, W. M..
Itano, C. Monroe, and D. J. Wineland. Exper-
imental violation of a Bell’s inequality with ef-
ficient detection. Nature, 409, February 2001.
DOI: 10.1038/35057215.
[15] D. N. Matsukevich, P. Maunz, D. L. Moehring,
S. Olmschenk, and C. Monroe. Bell inequal-
ity violation with two remote atomic qubits.
Phys. Rev. Lett., 100:150404, April 2008. DOI:
10.1103/PhysRevLett.100.150404.
[16] Julian Hofmann, Michael Krug, Norbert Or-
tegel, Lea Gérard, Markus Weber, Wenjamin
Rosenfeld, and Harald Weinfurter. Her-
alded entanglement between widely separated
atoms. Science, 337(6090):72–75, 2012. DOI:
10.1126/science.1221856.
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 16
[17] B. Hensen, H. Bernien, A. E. Dreau, A. Reiserer,
N. Kalb, M. S. Blok, J. Ruitenberg, R. F. L. Ver-
meulen, R. N. Schouten, C. Abellan, W. Amaya,
V. Pruneri, M. W. Mitchell, M. Markham,
D. J. Twitchen, D. Elkouss, S. Wehner, T. H.
Taminiau, and R. Hanson. Loophole-free Bell in-
equality violation using electron spins separated
by 1.3 kilometres. Nature, 526:682–686, October
2015. DOI: 10.1038/nature15759.
[18] Alejandro Máttar, Jonatan Bohr Brask, and An-
tonio Acín. Device-independent quantum key
distribution with spin-coupled cavities. Phys.
Rev. A, 88:062319, December 2013. DOI:
10.1103/PhysRevA.88.062319.
[19] Nicolas Brunner, Andrew B Young, Chengyong
Hu, and John G Rarity. Proposal for a loophole-
free Bell test based on spin–photon interactions
in cavities. New J. Phys., 15(10):105006, 2013.
DOI: 10.1088/1367-2630/15/10/105006.
[20] N. Sangouard, J.-D. Bancal, N. Gisin, W. Rosen-
feld, P. Sekatski, M. Weber, and H. Weinfurter.
Loophole-free Bell test with one atom and less
than one photon on average. Phys. Rev. A, 84:
052122, November 2011. DOI: 10.1103/Phys-
RevA.84.052122.
[21] Marissa Giustina, Alexandra Mech, Sven
Ramelow, Bernhard Wittmann, Johannes
Kofler, Jorn Beyer, Adriana Lita, Brice Calkins,
Thomas Gerrits, Sae Woo Nam, Rupert Ursin,
and Anton Zeilinger. Bell violation using
entangled photons without the fair-sampling
assumption. Nature, 497:227–230, September
2013. DOI: 10.1038/nature12012.
[22] B. G. Christensen, K. T. McCusker, J. B. Al-
tepeter, B. Calkins, T. Gerrits, A. E. Lita,
A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam,
N. Brunner, C. C. W. Lim, N. Gisin, and
P. G. Kwiat. Detection-loophole-free test of
quantum nonlocality, and applications. Phys.
Rev. Lett., 111:130406, September 2013. DOI:
10.1103/PhysRevLett.111.130406.
[23] Marissa Giustina, Marijn A. M. Versteegh, Sören
Wengerowsky, Johannes Handsteiner, Armin
Hochrainer, Kevin Phelan, Fabian Steinlechner,
Johannes Kofler, Jan-Åke Larsson, Carlos Abel-
lán, Waldimar Amaya, Valerio Pruneri, Mor-
gan W. Mitchell, Jörn Beyer, Thomas Gerrits,
Adriana E. Lita, Lynden K. Shalm, Sae Woo
Nam, Thomas Scheidl, Rupert Ursin, Bernhard
Wittmann, and Anton Zeilinger. Significant-
Loophole-Free Test of Bell’s Theorem with
Entangled Photons. Phys. Rev. Lett., 115:
250401, December 2015. DOI: 10.1103/Phys-
RevLett.115.250401.
[24] Lynden K. Shalm, Evan Meyer-Scott,
Bradley G. Christensen, Peter Bierhorst,
Michael A. Wayne, Martin J. Stevens,
Thomas Gerrits, Scott Glancy, Deny R.
Hamel, Michael S. Allman, Kevin J. Coakley,
Shellee D. Dyer, Carson Hodge, Adriana E.
Lita, Varun B. Verma, Camilla Lambrocco,
Edward Tortorici, Alan L. Migdall, Yanbao
Zhang, Daniel R. Kumor, William H. Farr,
Francesco Marsili, Matthew D. Shaw, Jeffrey A.
Stern, Carlos Abellán, Waldimar Amaya, Va-
lerio Pruneri, Thomas Jennewein, Morgan W.
Mitchell, Paul G. Kwiat, Joshua C. Bienfang,
Richard P. Mirin, Emanuel Knill, and Sae Woo
Nam. Strong Loophole-Free Test of Local Re-
alism. Phys. Rev. Lett., 115:250402, December
2015. DOI: 10.1103/PhysRevLett.115.250402.
[25] Igor Aharonovich, Dirk Englund, and Milos
Toth. Solid-state single-photon emitters. Nat.
Photonics, 10(10):631–641, October 2016. ISSN
1749-4885. DOI: 10.1038/nphoton.2016.186.
[26] Markus Müller, Samir Bounouar, Klaus D Jöns,
M Glässl, and P Michler. On-demand generation
of indistinguishable polarization-entangled pho-
ton pairs. Nat. Photonics, 8(3):224–228, March
2014. ISSN 1749-4885. DOI: 10.1038/npho-
ton.2013.377.
[27] Julien Claudon, Joel Bleuse, Nitin Singh
Malik, Maela Bazin, Perine Jaffrennou, Niels
Gregersen, Christophe Sauvan, Philippe
Lalanne, and Jean-Michel Gerard. A highly effi-
cient single-photon source based on a quantum
dot in a photonic nanowire. Nat. Photonics,
4(3):174–177, March 2010. ISSN 1749-4885.
DOI: 10.1038/nphoton.2009.287.
[28] Juan C Loredo, Nor A Zakaria, Niccolo So-
maschi, Carlos Anton, Lorenzo De Santis, Va-
lerian Giesz, Thomas Grange, Matthew A
Broome, Olivier Gazzano, Guillaume Coppola,
et al. Scalable performance in solid-state single-
photon sources. Optica, 3(4):433–440, 2016.
DOI: 10.1364/OPTICA.3.000433.
[29] Hui Wang, Z.-C. Duan, Y.-H. Li, Si Chen, J.-
P. Li, Y.-M. He, M.-C. Chen, Yu He, X. Ding,
Cheng-Zhi Peng, Christian Schneider, Martin
Kamp, Sven Höfling, Chao-Yang Lu, and Jian-
Wei Pan. Near-transform-limited single photons
from an efficient solid-state quantum emitter.
Phys. Rev. Lett., 116:213601, May 2016. DOI:
10.1103/PhysRevLett.116.213601.
[30] Je-Hyung Kim, Tao Cai, Christopher J. K.
Richardson, Richard P. Leavitt, and Edo Waks.
Two-photon interference from a bright single-
photon source at telecom wavelengths. Optica,
3(6):577–584, June 2016. DOI: 10.1364/OP-
TICA.3.000577.
[31] N. Somaschi, V. Giesz, L. De Santis, J. C.
Loredo, M. P. Almeida, G. Hornecker, S. L.
Portalupi, T. Grange, C. Anton, J. Demory,
C. Gomez, I. Sagnes, N. D. Lanzillotti-Kimura,
A. Lemaitre, A. Auffeves, A. G. White, L. Lanco,
and P. Senellart. Near-optimal single-photon
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 17
sources in the solid state. Nat. Photonics, March
2016. DOI: 10.1038/nphoton.2016.23.
[32] Xing Ding, Yu He, Z.-C. Duan, Niels Gregersen,
M.-C. Chen, S. Unsleber, S. Maier, Christian
Schneider, Martin Kamp, Sven Höfling, Chao-
Yang Lu, and Jian-Wei Pan. On-demand sin-
gle photons with high extraction efficiency and
near-unity indistinguishability from a resonantly
driven quantum dot in a micropillar. Phys.
Rev. Lett., 116:020401, January 2016. DOI:
10.1103/PhysRevLett.116.020401.
[33] Paul G. Kwiat, Klaus Mattle, Harald Wein-
furter, Anton Zeilinger, Alexander V. Sergienko,
and Yanhua Shih. New high-intensity source
of polarization-entangled photon pairs. Phys.
Rev. Lett., 75:4337–4341, December 1995. DOI:
10.1103/PhysRevLett.75.4337.
[34] Claude E Shannon. Communication theory of se-
crecy systems. Bell Labs Tech. J., 28(4):656–715,
1949. DOI: 10.1002/j.1538-7305.1949.tb00928.x.
[35] Alejandro Máttar and Antonio Acín. Implemen-
tations for device-independent quantum key dis-
tribution. Phys. Scr., 91(4):043003, 2016. DOI:
10.1088/0031-8949/91/4/043003.
[36] Nicolas Gisin, Stefano Pironio, and Nicolas San-
gouard. Proposal for implementing device-
independent quantum key distribution based on
a heralded qubit amplifier. Phys. Rev. Lett.,
105:070501, August 2010. DOI: 10.1103/Phys-
RevLett.105.070501.
[37] Mario Berta, Matthias Christandl, Roger Col-
beck, Joseph M. Renes, and Renato Renner. The
uncertainty principle in the presence of quan-
tum memory. Nat. Phys., 6(9):659–662, Septem-
ber 2010. ISSN 1745-2473, 1745-2481. DOI:
10.1038/nphys1734.
[38] Marco Tomamichel and Esther Hänggi. The
link between entropic uncertainty and nonlocal-
ity. J. Phys. A: Math. Theor., 46(5):055301, Jan-
uary 2013. ISSN 1751-8121. DOI: 10.1088/1751-
8113/46/5/055301.
[39] Charles Ci Wen Lim, Christopher Portmann,
Marco Tomamichel, Renato Renner, and Nico-
las Gisin. Device-independent quantum key
distribution with local bell test. Phys. Rev.
X, 3:031006, July 2013. DOI: 10.1103/Phys-
RevX.3.031006.
[40] Gilles Brassard, Norbert Lütkenhaus, Tal Mor,
and Barry C. Sanders. Limitations on Practical
Quantum Cryptography. Phys. Rev. Lett., 85(6):
1330–1333, August 2000. DOI: 10.1103/Phys-
RevLett.85.1330.
[41] Marcos Curty and Tobias Moroder. Heralded-
qubit amplifiers for practical device-independent
quantum key distribution. Phys. Rev. A,
84:010304, July 2011. DOI: 10.1103/Phys-
RevA.84.010304.
[42] Evan Meyer-Scott, Marek Bula, Karol
Bartkiewicz, Antonín Černoch, Jan Sou-
busta, Thomas Jennewein, and Karel Lemr.
Entanglement-based linear-optical qubit ampli-
fier. Phys. Rev. A, 88:012327, July 2013. DOI:
10.1103/PhysRevA.88.012327.
[43] Kaushik P. Seshadreesan, Masahiro Takeoka,
and Masahide Sasaki. Progress towards practical
device-independent quantum key distribution
with spontaneous parametric down-conversion
sources, on-off photodetectors, and entangle-
ment swapping. Phys. Rev. A, 93:042328, April
2016. DOI: 10.1103/PhysRevA.93.042328.
[44] David Pitkanen, Xiongfeng Ma, Ricardo Wick-
ert, Peter van Loock, and Norbert Lütkenhaus.
Efficient heralding of photonic qubits with appli-
cations to device-independent quantum key dis-
tribution. Phys. Rev. A, 84:022325, August 2011.
DOI: 10.1103/PhysRevA.84.022325.
[45] Antonio Acín, Daniel Cavalcanti, Elsa Passaro,
Stefano Pironio, and Paul Skrzypczyk. Nec-
essary detection efficiencies for secure quan-
tum key distribution and bound randomness.
Phys. Rev. A, 93:012319, January 2016. DOI:
10.1103/PhysRevA.93.012319.
[46] M. Arcari, I. Söllner, A. Javadi, S. Lind-
skov Hansen, S. Mahmoodian, J. Liu,
H. Thyrrestrup, E. H. Lee, J. D. Song, S. Stobbe,
and P. Lodahl. Near-unity coupling efficiency of
a quantum emitter to a photonic crystal waveg-
uide. Phys. Rev. Lett., 113:093603, August
2014. DOI: 10.1103/PhysRevLett.113.093603.
[47] Stephen Wein, Nikolai Lauk, Roohollah
Ghobadi, and Christoph Simon. Feasibility of
efficient room-temperature solid-state sources of
indistinguishable single photons using ultrasmall
mode volume cavities. Phys. Rev. B, 97:205418,
May 2018. DOI: 10.1103/PhysRevB.97.205418.
[48] Chris Gustin and Stephen Hughes. Influence
of electron-phonon scattering for an on-demand
quantum dot single-photon source using cavity-
assisted adiabatic passage. Phys. Rev. B, 96:
085305, August 2017. DOI: 10.1103/Phys-
RevB.96.085305.
[49] F. Marsili, V. B. Verma, J. A. Stern, S. Har-
rington, A. E. Lita, T. Gerrits, I. Vayshenker,
B. Baek, M. D. Shaw, R. P. Mirin, and S. W.
Nam. Detecting single infrared photons with
93% system efficiency. Nat. Photonics, 7(3):
210–214, March 2013. ISSN 1749-4893. DOI:
10.1038/nphoton.2013.13.
[50] Jun Zhang, Mark A. Itzler, Hugo Zbinden, and
Jian-Wei Pan. Advances in InGaAs/InP single-
photon detector systems for quantum commu-
nication. Light Sci. Appl., 4:e286, 2015. ISSN
2047-7538. DOI: 10.1038/lsa.2015.59.
[51] Shigehito Miki, Masahiro Yabuno, Taro Ya-
mashita, and Hirotaka Terai. Stable, high-
performance operation of a fiber-coupled super-
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 18
conducting nanowire avalanche photon detec-
tor. Opt. Express, 25(6):6796–6804, March 2017.
ISSN 1094-4087. DOI: 10.1364/OE.25.006796.
[52] Maria Moshkova, Alexander Divochiy, Pavel
Morozov, Yury Vakhtomin, Andrey Antipov,
Philipp Zolotov, Vitaly Seleznev, Marat Ah-
metov, and Konstantin Smirnov. High-
performance superconducting photon-number-
resolving detectors with 86% system efficiency
at telecom range. J. Opt. Soc. Am. B,
JOSAB, 36(3):B20–B25, March 2019. DOI:
10.1364/JOSAB.36.000B20.
[53] Lan Zhou, Yu-Bo Sheng, and Gui-Lu Long.
Device-independent quantum secure direct com-
munication against collective attacks. Science
Bulletin, 65(1):12–20, 2020. ISSN 2095-9273.
DOI: 10.1016/j.scib.2019.10.025.
[54] Philippe Grangier, Juan Ariel Levenson, and
Jean-Philippe Poizat. Quantum non-demolition
measurements in optics. Nature, 396(6711):537–
542, December 1998. ISSN 0028-0836. DOI:
10.1038/25059.
[55] B. C. Jacobs, T. B. Pittman, and J. D. Franson.
Quantum relays and noise suppression using lin-
ear optics. Phys. Rev. A, 66:052307, November
2002. DOI: 10.1103/PhysRevA.66.052307.
[56] Pieter Kok, Hwang Lee, and Jonathan P.
Dowling. Single-photon quantum-nondemolition
detectors constructed with linear optics and
projective measurements. Phys. Rev. A, 66:
063814, December 2002. DOI: 10.1103/Phys-
RevA.66.063814.
[57] Jian-Wei Pan, Dik Bouwmeester, Harald Wein-
furter, and Anton Zeilinger. Experimental en-
tanglement swapping: Entangling photons that
never interacted. Phys. Rev. Lett., 80:3891–3894,
May 1998. DOI: 10.1103/PhysRevLett.80.3891.
[58] S. Pironio, A. Acín, S. Massar, A. Boyer de la
Giroday, D. N. Matsukevich, P. Maunz, S. Olm-
schenk, D. FHayes, L. Luo, T. A. Manning,
and C. Monroe. Random numbers certified by
Bell’s theorem. Nature, 464, April 2010. DOI:
10.1038/nature09008.
[59] Mikołaj Lasota, Czesław Radzewicz, Konrad
Banaszek, and Rob Thew. Linear optics
schemes for entanglement distribution with re-
alistic single-photon sources. Phys. Rev. A, 90:
033836, September 2014. DOI: 10.1103/Phys-
RevA.90.033836.
[60] Valerio Scarani, Helle Bechmann-Pasquinucci,
Nicolas J. Cerf, Miloslav Dušek, Norbert Lütken-
haus, and Momtchil Peev. The security of
practical quantum key distribution. Rev. Mod.
Phys., 81:1301–1350, September 2009. DOI:
10.1103/RevModPhys.81.1301.
[61] Antonio Acín, Serge Massar, and Stefano Piro-
nio. Randomness versus nonlocality and entan-
glement. Phys. Rev. Lett., 108:100402, March
2012. DOI: 10.1103/PhysRevLett.108.100402.
[62] Qiang Zhang, Xiuping Xie, Hiroki Takesue,
Sae Woo Nam, Carsten Langrock, M. M. Fejer,
and Yoshihisa Yamamoto. Correlated photon-
pair generation in reverse-proton-exchange ppln
waveguides with integrated mode demultiplexer
at 10 ghz clock. Opt. Express, 15(16):10288–
10293, August 2007. DOI: 10.1364/oe.15.010288.
[63] Cezary Śliwa and Konrad Banaszek. Conditional
preparation of maximal polarization entangle-
ment. Phys. Rev. A, 67(3):030101, March 2003.
DOI: 10.1103/PhysRevA.67.030101.
[64] Stefanie Barz, Gunther Cronenberg, Anton
Zeilinger, and Philip Walther. Heralded gener-
ation of entangled photon pairs. Nat. Photon-
ics, 4(8):553–556, August 2010. ISSN 1749-4893.
DOI: 10.1038/nphoton.2010.156.
[65] Claudia Wagenknecht, Che-Ming Li, Andreas
Reingruber, Xiao-Hui Bao, Alexander Goebel,
Yu-Ao Chen, Qiang Zhang, Kai Chen, and Jian-
Wei Pan. Experimental demonstration of a her-
alded entanglement source. Nat. Photonics, 4(8):
549–552, August 2010. ISSN 1749-4893. DOI:
10.1038/nphoton.2010.123.
[66] C. L. Salter, R. M. Stevenson, I. Farrer, C. A.
Nicoll, D. A. Ritchie, and A. J. Shields. An
entangled-light-emitting diode. Nature, 465
(7298):594–597, June 2010. ISSN 1476-4687.
DOI: 10.1038/nature09078.
[67] R. M. Stevenson, C. L. Salter, J. Nilsson, A. J.
Bennett, M. B. Ward, I. Farrer, D. A. Ritchie,
and A. J. Shields. Indistinguishable Entangled
Photons Generated by a Light-Emitting Diode.
Phys. Rev. Lett., 108(4):040503, January 2012.
DOI: 10.1103/PhysRevLett.108.040503.
[68] Rinaldo Trotta, Johannes S. Wildmann, Eu-
genio Zallo, Oliver G. Schmidt, and Armando
Rastelli. Highly Entangled Photons from Hybrid
Piezoelectric-Semiconductor Quantum Dot De-
vices. Nano Lett., 14(6):3439–3444, June 2014.
ISSN 1530-6984. DOI: 10.1021/nl500968k.
[69] Le Phuc Thinh, Gonzalo de la Torre, Jean-
Daniel Bancal, Stefano Pironio, and Valerio
Scarani. Randomness in post-selected events.
New J. Phys., 18(3):035007, 2016. DOI:
10.1088/1367-2630/18/3/035007.
[70] Ernest Y.-Z. Tan, Charles C.-W. Lim, and Re-
nato Renner. Advantage distillation for device-
independent quantum key distribution. Phys.
Rev. Lett., 124(2):020502, January 2020. DOI:
10.1103/PhysRevLett.124.020502.
[71] S. Pirandola, U. L. Andersen, L. Banchi,
M. Berta, D. Bunandar, R. Colbeck, D. Englund,
T. Gehring, C. Lupo, C. Ottaviani, J. Pereira,
M. Razavi, J. S. Shaari, M. Tomamichel, V. C.
Usenko, G. Vallone, P. Villoresi, and P. Wallden.
Advances in quantum cryptography. Adv. Opt.
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 19
Photonics, 2019. DOI: 10.1364/aop.361502.
URL https://arxiv.org/abs/1906.01645.
[72] Víctor Zapatero and Marcos Curty. Long-
distance device-independent quantum key distri-
bution. Sci. Rep., 9, 2019. ISSN 2045-2322. DOI:
10.1038/s41598-019-53803-0.
[73] G. Murta, S. B. van Dam, J. Ribeiro, R. Hanson,
and S. Wehner. Towards a realization of device-
independent quantum key distribution. Quan-
tum Sci. Technol., 4(3):035011, July 2019. DOI:
10.1088/2058-9565/ab2819.
[74] Yoshiaki Tsujimoto, Chenglong You, Kentaro
Wakui, Mikio Fujiwara, Kazuhiro Hayasaka,
Shigehito Miki, Hirotaka Terai, Masahide
Sasaki, Jonathan P Dowling, and Masahiro
Takeoka. Heralded amplification of nonlocality
via entanglement swapping. New J. Phys., 22
(2):023008, February 2020. DOI: 10.1088/1367-
2630/ab61da.
[75] Pieter Kok and Samuel L. Braunstein. Post-
selected versus nonpostselected quantum tele-
portation using parametric down-conversion.
Phys. Rev. A, 61:042304, March 2000. DOI:
10.1103/PhysRevA.61.042304.
[76] Tim C. Ralph and Geoff J. Pryde. Chapter 4 -
Optical Quantum Computation. In Progress in
Optics, volume 54, pages 209–269. Elsevier, Jan-
uary 2010. DOI: 10.1016/S0079-6638(10)05409-
0.
[77] O. Nieto-Silleras, S. Pironio, and J. Silman. Us-
ing complete measurement statistics for opti-
mal device-independent randomness evaluation.
New J. Phys., 16(1):013035, January 2014. DOI:
10.1088/1367-2630/16/1/013035.
[78] Miguel Navascués, Stefano Pironio, and Antonio
Acin. Bounding the set of quantum correlations.
Phys. Rev. Lett., 98:010401, January 2007. DOI:
10.1103/PhysRevLett.98.010401.
[79] Stephen Boyd and Lieven Vandenberghe. Con-
vex Optimization. Cambridge University Press,
New York, NY, USA, 2004. ISBN 0521833787.
DOI: 10.1017/cbo9780511804441.
Accepted in Quantum 2020-04-15, click title to verify. Published under CC-BY 4.0. 20