One-sided Device-Independent Quantum KeyDistribution: Security, feasibility,andthe connection with steering CyrilBranciard1,EricG.Cavalcanti2,StephenP.Walborn3, ValerioScarani4,5,andHowardM.Wiseman2,5 1 School ofMathematicsandPhysics, TheUniversityofQueensland, StLucia, QLD4072, Australia 2 Centre for Quantum Dynamics, GriffithUniversity, Brisbane QLD 4111, Australia 3 Instituto de F´ısica, Universidade Federal do Rio de Janeiro, Caixa Postal 68528, Rio de Janeiro, RJ 21941-972, Brazil 4 CentreforQuantumTechnologiesandDepartmentofPhysics,NationalUniversityofSingapore, Singapore117543 5ARCCentreforQuantumComputationandCommunicationTechnology,GriffithUniversity,BrisbaneQLD4111,Australia (Dated:January24,2012) WeanalyzethesecurityandfeasibilityofaprotocolforQuantumKeyDistribution(QKD),inacontextwhere 2 only one of the two parties trusts his measurement apparatus. This scenario lies naturally between standard 1 QKD,wherebothpartiestrusttheirmeasurementapparatuses,andDevice-IndependentQKD(DI-QKD),where 0 neither does, and can be a natural assumption in some practical situations. We show that the requirements 2 for obtaining secure keys are much easier to meet than for DI-QKD, which opens promising experimental n opportunities.Weclarifythelinkbetweenthesecurityofthisone-sidedDI-QKDscenarioandthedemonstration a ofquantumsteering,inanalogytothelinkbetweenDI-QKDandtheviolationofBellinequalities. J 3 PACSnumbers:03.67.Dd,03.65.Ud,03.67.Mn 2 ] QuantumKey Distribution (QKD) allows two parties(Al- Intermediate scenarios between S-QKD and DI-QKD re- h ice and Bob) to establish secret keys at a distance, with se- quirelesstrustthantheformerandwillbeeasiertoimplement p curityguaranteedbythelawsofQuantumMechanics[1]. In thanthelatter[11]. Imagineforinstancethatabankwantsto - t standardQKD (S-QKD),the securityistypicallyprovedun- establish secretkeys with its clients; the bank couldinvesta n a der the assumption that Alice and Bob can trust the physi- lot of money to establish one trustworthy measurement de- u cal functioning of their preparation and measurement appa- vice,buttheclientsattheotherendofthechannelwouldcer- q ratuses. For instance, standard security proofsfor the BB84 tainlygetcheap(andinsecure)detectionterminals.Thisleads [ protocol[2]assumethatAlicesendsqubitstoBob,prepared usto studyone-sidedDI-QKD(1sDI-QKD):we consideran 3 in some eigenstatesof theσ orσ Paulioperators, andthat entanglement-based scenario in which Bob’s measurement z x v Bobmeasurestheminoneofthosetwobases. Recentdemon- apparatusistrusted,whileAlice’sisnot.Intheentanglement- 5 strationsofhackingofthedeviceshasshowntheimportance basedsetupthesourceisalsountrusted,althoughwewillalso 3 and weaknessof this assumption[3]. Moreover,since QKD discuss prepare-and-measure(P&M) implementationswhere 4 1 isbecomingcommerciallyavailable,AliceandBobmayend thesourceistrusted. Wepresentasecurityboundagainstco- . upbuyingtheirdevicesfromuntrustedproviders. herentattackswith similar assumptionsas in Refs. [7, 8], in 9 particularthatthedevicesarememoryless,asthisenablesthe 0 1 Remarkably, there are ways to guarantee security with strongest security analysis presently available. Focusing on 1 fewerassumptions.Theminimalsetofassumptionsistheone practicalimplementations,weshowthatthedetectorefficien- v: used in Device-IndependentQKD (DI-QKD) [4, 5]. There, ciesrequiredforapracticalimplementationof1sDI-QKDare i AliceandBobcancertifythesecurityofQKDbasedonlyon muchlower thanfor DI-QKD,makingit feasible with exist- X the observed violation of Bell inequalities [6]: the measure- ingdevices. Beforethat,letusstartbystressingalinkwitha r mentapparatusesareuntrustedblackboxes,withaknobsup- hierarchyoftestsofquantumnonlocality[12]. a posedly related to the measurementsettings. Alice and Bob have only to trust the random number generator with which QKD and quantum nonlocality.— It is known that no se- they vary the positions of the knob, and of course the in- cret key can be extracted in a QKD experiment if the chan- tegrityoftheirlocations. Whilethequalitativeunderstanding nel between Alice and Bob is entanglement-breaking [13]. “Bellviolationimpliessecurity”iscertainlytrue, thederiva- Hence, in order to demonstratesecurity, one must show that tionofquantitativesecurityboundsischallenging. Themost the channel preserves entanglement. The three different as- recent results report on security against the most general at- sumptionsonAlice’sandBob’sdevicesmentionedabovecor- tacks(“coherentattacks”)undertheassumptionthatprevious respondnaturallytothreedifferentcriteriaforquantumnon- measurementsdonotfeedanyinformationforwardtosubse- locality [12] (see Figure 1): S-QKD or DI-QKD require the quent ones [7, 8] (or, to put it simply: that the devices are observed correlations to violate a separability criterion or a memoryless). Inadditiontothese(hopefullytemporary)lim- Bell inequalityrespectively; 1sDI-QKDrequiresthe correla- itationsof the theoreticalstudies, DI-QKD imposesveryde- tionstoviolateanEPR-steeringinequalityasdefinedin[14]. manding requirements on practical demonstrations. In par- Thatis, if oneimaginesthatBob’ssystem has a definite (al- ticular, the Bell test would need to close the detection loop- beitunknowntohim)quantumstate,theprotocolmustprove hole[9],whichrequiresveryhighdetectionefficiencies[10]. thatAlice,byherchoiceofmeasurement,canaffectthisstate. 2 tions. Ontheotherhand,sinceAlice’smeasurementdeviceis (i) untrusted, Eve could control whether her detectors click de- pendingon the state she receives and on her choice of mea- surement setting. We can therefore not simply discard Al- ice’s no-detection events. In case her detectors don’t click, (ii) sherecordsabitvalueofherchoiceastheresultofhermea- surement, keeps track of the fact that her detectors did not click,andtellsBob(sothattheycanlaterpost-selecttheraw keyonAlice’sdetections);Evehasaccesstothatinformation. (iii) We denote by A and B the strings of classical bits Al- i i ice and Bob get from measurements A and B (and where i i Bobgota detection,as discussedabove). Amongthebitsof FIG.1: Linkbetweenthethreeconceptsofquantumnonlocalityas A ,somecorrespondtoactualdetectionsbyAlice,andsome, 1 classifiedin[12]andthethreescenariosofS-QKD,1sDI-QKD(this correspondingto non-detections,were simplychosen byAl- paper)andDI-QKD.Inordertoobtainasecretkey,(i)ifAliceand ice herself. Everyoneknowswhichonesare which. Thede- Bobtrusttheir measurement devices (transparent boxes), thenthey tectedbitsformastringAps(they’llbepost-selectedbyAlice mustnecessarilydemonstrateentanglement; (ii)ifAlice’smeasure- 1 mentdeviceisuntrusted(blackbox),whileBob’sistrusted,thenAl- andBob),whilethosethatwerenotactuallydetectedforma icemustdemonstratesteeringofBob’sstate;(iii)ifbothAlice’sand string Adis (they’ll be discarded for the key extraction), so 1 Bob’s measurement devices are untrusted, then they must demon- that A = (Aps,Adis). Bob’s correspondingbit strings are 1 1 1 strateBell-nonlocality. Inallcases, AliceandBobmusttrusttheir Bps andBdis, resp., so thatB = (Bps,Bdis). We denote 1 1 1 1 1 randomnumbergenerator(RNG),andtheintegrityoftheirlocation. byN thelengthofthestringsA andB ,andbynthatofthe 1 1 stringsApsandBps. 1 1 Security proof and key rate.— Recently, Tomamichel and Renner[20], togetheralso withLim andGisin [22] havede- Thissortofnonlocality,firstdiscussedbyEinstein,Podolsky veloped an approach to QKD based on an uncertainty rela- andRosen[15],wascalled‘steering’bySchro¨dinger[16]. In tionforsmoothentropies,whichenablesonetoprovesecurity Ref.[12]theseconceptsofnonlocalityarosefromconsidering againstcoherentattacksinpreciselythis1sDI-QKDscenario; entanglement verification with untrusted parties. However, notehoweverthatonealsoneeds(asin[7,8])theassumption evenifAliceandBobtrusteachother,asinQKD,theymay that the devices are memoryless [23]. To prove the security nottrusttheirdevices,whichisananalogoussituation. From of our protocolin realistic implementations, we extend their thisperspective,ourscenarioof1sDI-QKDcanthusbeseen analysisbyconsideringimperfectdetectionefficiencies[24]. asapracticalapplicationoftheconceptofquantumsteering. From the n-bit strings Aps and Bps, on which Eve may 1 1 A 1sDI-QKD protocol.— We consider the following 1sDI havesome(possiblyquantum)informationE,AliceandBob versionoftheBBM92entanglement-basedprotocol[17]: Al- canextract,throughclassicalerrorcorrectionandprivacyam- ice andBob receivesome(typically,photonic)quantumsys- plification(fromBobtoAlice),asecretkeyoflength[25] temsfromanexternalsource. Alicecanchoosebetweentwo ℓ Hǫ (Bps E) nh(Qps). (1) binarymeasurements,A1andA2;sinceshedoesnottrusther ≈ min 1 | − 1 measurementdevice,shetreatsitasablackboxwithtwopos- Here Hǫ (Bps E) denotes the smooth min-entropy [26] of siblesettings,yieldingeachtimeoneoftwopossibleoutputs. Bps,comndinition1ed|onquantumsideinformationE;histhebi- Bob, on the other hand, trusts his device to make projective 1 naryentropyfunction:h(Q) Qlog Q (1 Q)log (1 measurements B1 or B2 in some qubit subspace, typically Q);andQpsisthebiterrorra≡te−betwee2nA−psan−dBps. 2 − corresponding to the operators σz and σx respectively. Af- Toboun1dHǫ (Bps E), we willuse the1uncertai1ntyrela- ter publicly announcingwhich measurements they chose for min 1 | tion introduced in [20], which bounds Eve’s information on each system, Alice and Bob will try to extract a secret key B givenAlice’sinformationontheincompatibleobservable 1 fromtheconclusiveresultsofthemeasurementsA1 andB1; B . However,weneedtousethefullstringsB ,B ,aspost- 2 1 2 as explained below, the results of measurements A and B 2 2 selectionmayleadtoanapparentviolationoftheuncertainty willallowthemtoestimateEve’sinformation. relation.Usingthechainrule[25]andthedata-processingin- AliceandBobmightnotalwaysdetectthephotonssentby equality[27]forsmoothmin-entropies,wefirstboundEve’s the source, because of losses or inefficient detectors. Since informationonBpsrelativetoherinformationonB : 1 1 Bobtrustshisdetectors,hetruststhatEvecannotcontrolhis detections. Also,Evecannotgetanyusefulinformationfrom Hmǫin(B1|E) = Hmǫin(B1ps,B1dis|E) (2) Bob’s (null) result if the photons going to him are lost or if Hǫ (Bps BdisE)+log Bdis (3) ≤ min 1 | 1 2| 1 | she keeps them. Cases where Bob gets ambiguous results Hǫ (Bps E)+N n. (4) (e.g. doubleclicks)canbedealtwithusingthetechniquesof ≤ min 1 | − Ref.[18]–seeSupplementalMaterial[19]fordetails. Hence, Now,considerahypotheticalrunoftheprotocolwherethe we cansafelyconsideronlythecaseswhereBobgetsdetec- bitsofA andB wouldbemeasuredinthesecondbasis;we 1 1 3 denotebyA andB thecorrespondinghypotheticalstrings. 1.0 2 2 r Fromthegeneralizeduncertaintyrelationof[20],onehas e at 0.8 r Hmǫin(B1|E) ≥ qN −Hmǫax(B2|A2). (5) key et 0.6 where q is a measure of how distinct Bob’s two measure- cr e s mentsare; fororthogonalqubitmeasurements,q = 1. Here, he 0.4 tHiomǫnaexd(Bon2A|A22.)Itissathtiesfisemsotohtehfmolaloxw-einntgro[p2y2][26]ofB2,condi- ndont 0.2 u o Hǫ (B A ) . Nh(Q ), (6) B max 2| 2 2 0.0 0.65 0.70 0.75 0.80 0.85 0.90 0.95 1.00 whereQ isthebiterrorratebetweenA andB .Now,since 2 2 2 Alice'sdetectionefficiencyΗ A the choice of basis was made randomly, Q is the same as 2 thebiterrorrateobserved—withoutpost-selection—whenthe FIG.2: Solidcurves: bounds(8)onthesecretkeyrater inatypi- second basis was actually chosen (no matter how rarely) by calimplementationof1sDI-QKD,asafunctionofAlice’sdetection bothAliceandBob. efficiency ηA, for visibilitiesV = 1,0.99,0.98,0.95 (from top to Substituting(4),(5)and(6)inEq.(1),weobtain bottom) and q = 1. Dashed curve: for comparison, bounds (for V = 1)forDI-QKD,obtainedbyadaptingthesecurityanalysisof ℓ & n[1 h(Qps)] N[h(Q )+1 q]. (7) Ref.[7], whenBobhasthesamedetection efficiencyηB = ηA as − 1 − 2 − Alice(seeSupplementalMaterial[19]). In the asymptotic limit of infinite key lengths, the aboveap- proximate inequality becomes exact [21, 22]. The fraction n/N ofphotonswhichAlicedetects,giventhatBobdetected one,willbedenotedη . Thisallowsustowritethesecretkey key from the non-post-selected data. If the key is extracted A rater ℓ/N (thenumberofsecretbitsobtainedperphoton fromthe post-selecteddata (asweconsideredherefor1sDI- detecte≡dbyBob,measuredinthefirstbasis),as QKD), the threshold remains quite high, η > 91.1% (see Figure 2 and SupplementalMaterial [19]). The much lower r η [1 h(Qps)] h(Q ) (1 q). (8) efficiency threshold for 1sDI-QKD compared with DI-QKD ≥ A − 1 − 2 − − is related to the fact that it is much easier to close the de- RelationtoEPR-steering.—Aswerecalledbefore,these- tection loophole in a steering experiment [28–30] than in a cretkeyrateabovecanonlybepositiveifAliceandBobcan Bell test, for whichthereare no photonicdetection-loophole checkthattheyshareentanglement.Inour1sDIscenario,this freedemonstrationstodate. Heraldingefficienciesof 62% amounts to demonstrating quantum steering. Hence, the in- have recently been reported [30], in an experiment d∼emon- equalityηA[1−h(Qp1s)]−h(Q2)−(1−q)≤0canbeunder- strating detection-loophole-freequantumsteering; our 1sDI- stoodasanEPR-steeringinequality[14].IntheSupplemental QKDprotocolcouldbedemonstratedwithaverysimilar(but Material[19],wegiveamoredirectproofofthisclaim,start- slightlyimproved)experimentalsetup. ingfromtheso-calledLocalHiddenStatemodel[12]. Notealsothatinthe1sDI-QKDcase,thelossesbetweenthe Experimental prospects.— We now turn to the feasibil- sourceandBob’slabdonotaffectthesecurityoftheprotocol; ity analysis. Consider a typical experimental setup, where theyonlydecreasethekeyrateproportionallytothedecrease a source sends maximally entangled 2-qubit states to Alice ofBob’sdetectionrate(aslongasthenoiseinBob’sdetectors and Bob, through a depolarizing channel with visibility V, does not become prominent). Hence, long distances can in and where, as in the BBM92 protocol, A = B = σ and 1 1 z principlebereachedifthesourcestaysclosetoAlice;thisis A =B =σ ,withAlice’sdetectionefficiencybeingη as 2 2 x A in contrastto the fully DI-QKD case, where the limit on the above. (WeemphasizethatthisissimplyamodelforAlice’s detectionefficienciesimposesalimitonthealloweddistance measurements,whichareimplementedinablackbox.) betweenAlice andBob (althoughsome proposalshavebeen The secret key rate that Alice and Bob can extractis then suggestedtoovercomethisproblem[31–33]). boundedby(8),withq =1and Comparison of different scenarios.— Key rate boundsfor Qps =(1 V)/2, Q =(1 η V)/2. entanglement-based QKD also apply to P&M schemes, as 1 − 2 − A long as the preparation device can be trusted to produce a Figure2showsthevaluesofthebound(8)asafunctionofη , certainaveragestateindependentofAlice’s(orBob’s,asthe A andfordifferentvaluesofV. ForaperfectvisibilityV = 1, casemaybe)choiceofpreparationbasis(e.g. thecompletely onegetsapositivesecretkeyrateforallη >65.9%. mixedstate,regardlessofwhetherσ orσ isthechosenba- A x z This detection probability threshold is much lower than sis). A preparation device with this property can be envis- those required for DI-QKD. For instance, if Alice and Bob aged as a trusted entanglementsource situated in Alice’s (or have the same detection efficiency η, then they require η > Bob’s) laboratory, with a trusted channel between it and the 94.6%fortheprotocolstudiedin[7],whentheyextracttheir localdetector. In this pictureitstill makessense to consider 4 thecasewherethelocal“hypothetical”detectorisuntrusted, Basedon AD C S C BD Keyratebound Eff.Thresh. asthisisequivalenttosayingthatwecannottrusttheprepa- P&M T T T U T r0(Qp1s,Qp2s) none r(awtihoinchdweveicweiltlodpenreoptearaestηh∗e)doefstihreedhystpaoteth.eHtiecraeldtheeteecftfiorcimenocdy- P&M U T T U T r1(Qp1s,Q2) ηA∗ >65.9% elstheprobabilitythatthepreparationdeviceregisterstothe P&M U U T T T r1(Qp1s,Q2) ηA >65.9% senderwhichofthetwostates(inthechosenbasis)wassent. P&M U U T T U r2(Qp1s,S) ηA >83.3% Forawell-functioningdevicethiscanbeclosetounity;even Entang. T U U U T r0(Qp1s,Qp2s) none ifthepreparationdoesuseaprobabilisticphoton-pairsource Steering U U U U T r1(Qp1s,Q2) ηA >65.9% andadetector,thesendercangeneratemanypairswithinthe Bell U U U U U r2(Qp1s,S) η>91.1% timewindowforeachsystem,andswitchoutthesystem(one photon,ideally)onlywhenits preparationis heraldedbythe TABLEI:BestknownboundsonsecretkeyratesforQKD(secure againstcoherentattacks)withprivacyamplificationfromBobtoAl- detection of the other. A greater experimental challenge is ice and memoryless devices, both P&M and entanglement-based. thelossoftheheraldedphoton(withinthesender’slaboren Thesecond column tellswhich of the components—Alice’s detec- route),whichmustbefactoredintothereceiver’sefficiency. tors(AD),thesource(S),Bob’sdetector(BD)andeachofthechan- Considering all non-trivial permutations of device trust- nels (C) between the source and the detectors—are trusted (T) or worthiness,thereareeightP&Mscenarios,andfourgenuine untrusted(U).ThickverticallinesineachrowseparateAlice’slab, entanglement-based scenarios, whose security can be anal- thechannelopentoEve,andBob’slab. IntheP&Mcases,thede- ysed using the methods of Refs. [20] or [7]. We remove tectorplussourceinalabisaformalmodelforapreparationdevice; theefficiencyη∗inthesecasesmodelstheprobabilitythattheprepa- mirror-imagescenariosbykeepingonlytheversionwhichis rationdeviceregisterswhichstateisprepared, andwould typically better (or equally good)underthe assumption of the privacy beclosetounity(fordetailsseetext). Incolumnthree,thebounds amplification being from Bob to Alice, as shown in Table I. onkeyrates(here,perphotonpairproducedbythesource, i.e.per NotethatP&MbyBobwithafullytrustedpreparationdevice preparationeventintheP&Mcases)aregivenintermsofthefunc- (row 3) does not improve the threshold efficiency required tionsr0(Qp1s,Qp2s) ≡ ηBηA[1−h(Qp1s)−h(Qp2s)]fromS-QKD, forAlice’suntrusteddetector,ascomparedto steering-based r1(Qp1s,Q2) ≡ ηB{ηA[1−h(Qp1s)]−h(Q2)}from Eq. (8), and 1sDI-QKDwithanuntrustedentanglementsource(row6). r2(Qp1s,S) ≡ ηAηB[1−h(Qp1s)]−log2(cid:2)1+p2−(S/2)2(cid:3)(see Conclusion.— We have introduced the scenario of 1sDI- SupplementalMaterial[19]).HereSisthevalueoftheCHSHpoly- QKD and analyzed its security against coherent attacks in nomial[34],whileQ1andQ2arebiterrorrates.Thesuperscriptps a practical situation where losses are taken into account. meanspost-selectiononcoincidentdetections;Q2inr1(Qp1s,Q2)is post-selectedonBob’sdetections,butnotonAlice’s;Smustbeesti- Ouranalysisshowsthattheassumptionsof1sDI-QKDallow matedfromthewholenon-postselecteddata.TheEfficiencyThresh- onetosignificantlylowerthenecessarydetectionefficiencies olds(columnfour)arecalculatedwitheverythingelseperfect.Inrow comparedtofullyDI-QKD,andthattherequirementsforob- 4,weassumedηB∗ →1(thethresholdwequoteisthereforealower tainingsecurekeyratesinanexperimentarewithintherange boundonthethresholdsforηB∗ <1),whileinrow7,ηA =ηB =η. ofcurrenttechnology. Wehavealsostressedthat1sDI-QKDrequirestheviolation of an EPR-steering inequality, in analogy with the require- Noteadded.—Whilefinishingwritingthismanuscript,we mentofviolationofaBellinequalityforsecurityofDI-QKD. becameawareofarelatedwork[35]wheresimilarboundson TherelationbetweentheQKDhierarchyandthenonlocality thedetectionefficiencythresholdsarederived. hierarchyintroducessomeopenquestions: (i)Ithasrecently beenshownthatsteeringcanbedemonstratedwitharbitrarily lowefficiencies[28]. Canonefind(andprovethesecurityof) 1sDI-QKD protocols that would also tolerate arbitrarily low efficiencies?(ii)With2measurementsettingsperparty,steer- [1] V.Scaranietal.,Rev.Mod.Phys.81,13011350(2009). ingcanbedemonstratedforefficienciesη > 50%[28,30]. [2] C.H.Bennett,G.Brassard,Proc.oftheIEEEInternationalCon- A Thereisalargegapbetweenthisandthethresholdof 66% ference on Computers, Systems and Signal Processing, Banga- ∼ lore,India(IEEE,NewYork,1984),p.175. for our 1sDI-QKD protocol. The same situation occurs for [3] L.Lydersenetal.,Nat.Photon.4,686(2010);I.Gerhardtetal., fullyDI-QKD,wherethereisalso agapbetweenthethresh- Nat.Commun.2,349(2011) oldofη >82.8%foraviolationoftheCHSHinequality[34] [4] D.Mayers,A.Yao,Proc.ofthe39thIEEEConf.onFoundations andthatforthesecurityofDI-QKD.Howsmallcanthesebe ofComputerScience(IEEE,LosAlamitos,1998),p.503. madeingeneral? Anothertopicforfurtherresearchistoex- [5] A.Ac´ınetal.,Phys.Rev.Lett.98,230501(2007). tend ourresults to finite keys, forinstance alongthe linesof [6] J.S.Bell,Physics1,195(1964). Ref.[22]. [7] L.Masanes,S.Pironio,A.Acin,Nat.Comm.2,238(2011). [8] E.Ha¨nggi,R.Renner,arXiv:1009.1833. Acknowledgements.— This work was supported by the [9] P.M.Pearle,Phys.Rev.D2,1418(1970). Australian Research Council Programs CE110001027 and [10] S.Pironioetal.,NewJ.Phys.11,045021(2009). DP0984863,theNationalResearchFoundationandtheMin- [11] M.Pawlowski,N.Brunner,Phys.Rev.A84,010302(R)(2011). istry of Education, Singapore, the Brazilian agencies CNPq, [12] H.M.Wiseman,S.J.Jones,A.C.Doherty,Phys.Rev.Lett.98, FAPERJ,andtheINCT-Informac¸a˜oQuaˆntica. 140402(2007). 5 [13] M.Curty,M.Lewenstein,N.Lu¨tkenhaus, Phys.Rev.Lett.92, [23] S.FehrandR.Renner,privatecommunication. 217903(2004). [24] Toavoidanyconfusion,wenotethatherewehavereversedthe [14] E.G. Cavalcanti, S. J. Jones, H. M. Wiseman &M. D. Reid, roles of Alice and Bob compared to that in Refs. [20, 22], in Phys.Rev.A.80,032112(2009). ordertobeconsistentwithearlierworkonsteering[12,14],in [15] A.Einstein,B.Podolsky,N.Rosen,Phys.Rev.47,777(1935). whichAlice’sdetectorsarenottrusted,whileBob’sare. [16] E.Schro¨dinger,Proc.Camb.Phil.Soc.31,555(1935). [25] J.M.Renes,R.Renner,arXiv:1008:0452. [17] C.H.Bennett,G.BrassardandN.D.Mermin,Phys.Rev.Lett. [26] R. Renner and S. Wolf, in Advances in Cryptology - ASI- 68,557(1992). ACRYPT,vol.3788ofLNCS(Springer),199(2005); R.Ren- [18] T.Moroder, O.Guhne, N.Beaudry, M.Piani, N.Lutkenhaus, ner,Int.J.QuantumInf.6,1(2008). Phys.Rev.A81,052342(2010). [27] M.Tomamichel,R.Colbeck,R.Renner,IEEETrans.Inf.The- [19] See Supplemental Material below for more details on practi- ory56,4674(2010). caldetectorsandmultiplecounts, adirectproof ofthesteering [28] A.J.Bennetetal.,arXiv:1111:0739. inequality, and a more detailed comparison of our results with [29] B.Wittmannetal.,arXiv:1111:0760. thoseforDI-QKD. [30] D.H.Smithetal.,Nat.Commun.3,625(2012). [20] M. Tomamichel, R. Renner, Phys. Rev. Lett. 106, 110506 [31] N. Gisin, S. Pironio and N. Sangouard, Phys. Rev. Lett. 105, (2011). 070501(2010). [21] Theapproximate(in)equalitiesinthederivationofEq.(7)ac- [32] M.Curty,T.Moroder,Phys.Rev.A84,010304(2011). countforadditionalcorrectingtermsthatappearintheequations [33] D.Pitka¨nenetal.,Phys.Rev.A84,022325(2011). inthecaseoffinitekeylengths.Onetypicallyfindsthatforraw [34] J.F.Clauser,M.A.Horne,A.ShimonyandR.Holt,Phys.Rev. keylengthslonger than104 −105 bits, significant fractionsof Lett.23,880(1969). theasymptoticsecretkeyratesareobtained[22]. [35] X.Ma,N.Lu¨tkenhaus,arXiv:1109.1203. [22] M. Tomamichel, C. C. W. Lim, N. Gisin, R. Renner, arXiv:1103:4130. 6 Supplemental Material Practicaldetectorsandmultiplecounts.—Inpracticalim- with H(B a˜ ) = P(b a˜ )log P(b a˜ ) and i| i −Pbi i| i 2 i| i plementations with photons, Bob’s detector comprises two H(B λ)= P (b λ)log P (b λ). i| −Pbi Q i| 2 Q i| photon counters, corresponding to his two possible outputs. Now,Bob’sstatistics,conditionedonλ,arebyassumption Becauseofdarkcountsorimperfectstatepreparation(i.e. the givenbyaquantumstate;theymustthereforesatisfyallquan- presence of multi-photonstates) there will be rare occasions tumuncertaintyrelations,andinparticular wherebothcountersclick.Insuchcases,ourprotocolrequires Bobtooutputarandomresult. Thisisastandardwaytotreat H(B1 λ)+H(B2 λ) q, (S4) | | ≥ doubleclicksinthecontextofQKD[S1]. WhenBobimple- whereqquantifieshowdifferentthemeasurementsB andB ments the σ or σ measurements, his detection scheme has 1 2 z x are[S5]. Togetherwith(S3),weobtain a “squashing property” that should allow one to extend the present theoreticalsecurity proof for perfectqubit states (on H(B A˜ )+H(B A˜ ) q. (S5) 1 1 2 2 Bob’sside)toimperfectimplementations[S2]. | | ≥ Denoting Aps for A when s = 1 and Adis for A when i i i i i Direct proof that “r 0” is a steering inequality.— We s = 0, and assuming that P(s = 1) = η independently ≤ i i A obtained in Eq. (8) in the main text a bound on the secret ofA (asshouldbethecaseifitisadetectorefficiency),we i key rate of our 1sDI-QKD protocol. As we argued, a posi- have tivesecretkeyratecanbeobtainedonlyifAliceandBobcan demonstrate steering. That is, if they violate the inequality H(B A˜ )=η H(Bps Aps)+(1 η )H(Bdis Adis). (S6) i| i A i | i − A i | i “r.h.sofEq.(8) 0”,ormoreexplicitly ≤ Now,onecaneasilycheck(usingforinstancetheconcavity ηh(Qp1s)+h(Q2)+(1−η) ≥ q, (S1) ofthebinaryentropyfunction)thatforbinaryvariablesAand B,onehas thentheycanconcludethattheyhavedemonstratedsteering: Eq.(S1)thusdefinesanEPR-steeringinequality[S3]. H(B A) h(Q), (S7) | ≤ Hereweshowinadifferentwaythat(S1)isindeedanEPR- where Q is the bit errorrate relativeto A and B (the proba- steeringinequality,startingmoredirectlyfromtheLocalHid- bilitythatA=B). Applyingthisto(S6)fori=1,itfollows den State model [S3]—a local model whereby the statistics 6 that observedbyAliceandBobcanbedecomposedas[S4] H(B A˜ ) η h(Qps)+(1 η ), (S8) P(a˜i,bj)=XP(λ)P(a˜i λ)PQ(bj λ), (S2) 1| 1 ≤ A 1 − A | | λ whileontheotherhand ewxhpeerreima˜ien=tal(aoiu,tsc)o,mweisthcaoirr=esp±o1ndainndgbtjo=me±as1udreemnoetnintsgAthe, H(B2|A˜2)≤H(B2|A2)≤h(Q2). (S9) i B ,andsdenotingwhetherAlicegetsadetection(s = 1)or Substituting (S8) and (S9) in (S5) we finally obtain (S1), as j not(s = 0);recallthatincaseofnodetection,Alice’sresult desired. a ischosentobeapre-establishedbitinour1sDI-QKDpro- Note that for the purpose of deriving an EPR-steering in- i tocolandwillcontributetothebitstringAdis. Thesubscript equality, there is no need to follow the last steps of the i Q indicates that Bob’s statistics are determined by quantum above procedure where we treat and bound H(B A˜ ) and 1 1 mechanics: P (b λ) = Tr[E ρ ], where ρ is some quan- H(B A˜ ) differently. Rather we can use Eq. (S5)| directly Q j j λ λ 2 2 | | tumstate(inourcase,aqubitstate)and E arethepositive asanEPR-steeringinequality. Undertheusualconditionsfor j { } operatorssummingtounitywhichdescribehismeasurements. QKD as discussed in the main text, q = 1 and Eq. (S8) be- The variable λ fully specifies the quantum state received comesatightinequality,soEq.(S5)thenbecomes byBob. Asaconsequence,Alicecanhavenomoreinforma- tiononaverageaboutBob’sresultsthanwhatonecouldknow ηA[2−h(Qp1s)−h(Qp2s)]≤1. (S10) throughλ. Intermsofconditionalentropies,thisimpliesthat For perfect correlations(Qps = Qps = 0), this will be vio- 1 2 H(Bi A˜i) H(Bi Λ), (S3) lated(indicatingEPR-steering)providedthatηA > 21. Thisis | ≥ | the minimum possible efficiency threshold for EPR-steering where H(B A˜ ) = P(a˜ )H(B a˜ ) and usingtwosettings[S6]. i| i Pa˜i i i| i H(B Λ) = P(λ)H(B λ) are the average en- i| Pλ i| tropies of Bob’s measurement B conditioned on the Comparison with DI-QKD.— In the DI-QKD case, the i knowledge of the result of A˜ and of λ, respectively, strongestsecurityanalysisavailabletodayisthatofMasanes, i 7 Pironio and Ac´ın [S7], who showed the security of a large arethefiguresappearinginTable1inthemaintext. Inboth class ofprotocolsagainstcoherentattacks(underthe techni- cases, butespecially the P&M case, using ourpost-selection calassumptionthatthedevicesarememoryless). Inthesim- techniqueyieldssubstantiallybetterefficiencythresholdsthan plest version, the protocol they consider involves Alice and thenon-post-selectedprotocols.Wenotethatsomewhatlower Bob measuringin bases that enable a CHSH inequality[S8] efficiency thresholds for DI-QKD (η > 92.3% and η > to be tested, where one of Bob’s bases is that which is used 88.9%fortheentanglement-basedschemes,withandwithout (togetherwithadifferentoneofAlice’sbases)toyieldthese- post-selection, resp.) can be obtained using the analysis of cretsharedkey. Letthe CHSH polynomialhavethe valueS Ref.[S9]. However,thisanalysisshowssecurityonlyagainst (suchthat S < 2√2forquantumcorrelations,and S > 2 collectiveattacks (which includes, in particular, the assump- | | | | indicatesaviolationoftheCHSHinequality),andletthenon- tionthatthedevicesarememoryless). post-selectedquantumbiterror rate for measurementsin the In the main text we presented only the post-selected ver- basesthatwillyieldthekeybeQ1. ThenRef.[S7]showsthat sion of 1sDI-QKD. However one can also consider a non- thefinalkeyratecanbeboundedfrombelowby post-selected version of that, in which Alice and Bob try to extract a secret key directly from the non-post-selected data rMPA =1−h(Q1)−log2(cid:2)1+p2−(S/2)2(cid:3). (S11) A1,B1 (rather than from Ap1s,B1ps; note however that we still post-select on a detection by Bob). In this case the ForavisibilityV andinefficienciesη andη ,wehavearaw A B key rate per detection by Bob is bounded from below by sharedrandomkeywithbiterrorrateQ =[1 (1 η )(1 1 A 1 h(Q ) h(Q )forsecurityagainstcoherentattacks.Here − − − 1 2 η ) Vη η ]/2,andaCHSHparameterS =2√2Vη η + − − B A B A B foratypicalimplementationthebiterrorratesarebothgiven − 2(1 η )(1 η ). The latter is obtainedif Alice and Bob − A − B by Qi = (1 VηA)/2, and with V = 1, we get a positive use the same predeterminedlist of random results whenever − rate for η > 78.0%. Recall that when Alice and Bob use A they fail to detect a photon. With V = 1 and η = η = A B the post-selected data, the threshold is η > 65.9%, so the A η, Eq. (S11) yields a positive key rate for η > 94.5%. In improvementisevenmoredramaticthaninthefullyDIcase. thesituationofprepare-and-measure(P&M),wherethereisa trustedsourceinBob’slab,buthisdetectorisstilluntrusted, we replace η by η∗, Bob’s preparation efficiency. Taking B B η∗ 1,Eq.(S11)givesalowerboundη− >89.6%. B → A [S1] N.Lu¨tkenhaus,Phys.Rev.A59,3301(1999);ibid.,61,052304 We now show that Alice and Bob can improve their se- (2000). cretkeyratebyextractingtheirsecretkeyfromthedatapost- [S2] T.Moroder, O.Guhne, N.Beaudry, M.Piani,N.Lutkenhaus, selected oncoincidencedetections, as we suggestedhere for Phys.Rev.A81,052342(2010). thecaseof1sDI-QKD.Indeed,onecanapplyouranalysisto [S3] E.G. Cavalcanti, S.J. Jones, H. M. Wiseman& M. D.Reid, that of Ref. [S7] to find a new secret key rate boundedfrom Phys.Rev.A.80,032112(2009). belowby [S4] H.M.Wiseman,S.J.Jones,A.C.Doherty,Phys.Rev.Lett.98, 140402(2007). r2 =ηAηB[1−h(Qp1s)]−log2(cid:2)1+p2−(S/2)2(cid:3). (S12) [S5]RDev..DDe.u3ts5c,h3,0P7h0y(s1.9R8e7v).;LHe.ttM.5a0a,ss6e3n1a(n1d98J.3)U;fKfin.kK,rPahuys,s.PRhyevs.. Lett.60,1103(1988). Here S is unchanged from above (it must still be estimated [S6] A.J.Bennetetal.,arXiv:1111:0739. from the whole non-postselected data), while Qp1s = (1 − [S7] L.Masanes,S.Pironio,A.Acin,Nat.Comm.2,238(2011). V)/2. WithV = 1andηA = ηB = η, thisyieldsapositive [S8] J.F.Clauser,M.A.Horne,A.ShimonyandR.Holt,Phys.Rev. key rate for η > 91.1%. Considering again the P&M case Lett.23,880(1969). withη∗ 1,weobtainthelowerboundη− >83.3%.These [S9] S.Pironioetal.,NewJ.Phys.11,045021(2009). B → A