High-speed device-independent quantum key distribution against collective attacks

beyond the current reach [12–24]. Here, both theoretical and experimental innovations yield the realization of device-independent QKD based on a photonic setup. On the theory side, to relax the threshold efficiency for practical device-independent QKD, we exploit the random post-selection 25 combined with adding noise 26 for preprocessing, and compute the entropy with complete nonlocal correlations 27. On the experiment side, we develop a high-quality polarization-entangled photonic source and achieve state-of-the-art (heralded) detection efficiency of 87.49%, which outperforms previous experiments [12–24] and satisfies the threshold efficiency for the first time. Together, we demonstrate device-independent QKD at a secret key rate of 466 bits/s over 20 m standard fiber in the asymptotic limit against collective attacks. Besides, we show the feasibility of generating secret keys at a fiber length of 220 meters. Importantly, our photonic implementation can generate entangled photons at a high rate and in the telecom wavelength, which is desirable for high-speed key generation over long distances. The results not only prove the feasibility of device-independent QKD with realistic devices, but also push the security of communication to an unprecedented level.

Introduction. Quantum key distribution (QKD) 1,2 allows two distant users to share a secret key with information-theoretical security 3. The security of QKD usually relies on the assumption that the devices are trusted and well-characterized [28–30]. In practice, however, the imperfections in realistic devices may introduce potential backdoors or side channels 31,32. Measurement-device-independent QKD 33,34 (see also an efficient version 35) was proposed to remove the side channels in measurement settings, but its state-preparation devices have to be precisely calibrated. Notably, device-independent QKD 4-7 relaxes the conventional security assumptions on the devices. With minimal assumptions satisfied 7, e.g., the devices have no memory between trials 36,37 and the classical processing units are trusted, the security of device-independent QKD can be guaranteed based solely on the violation of a Bell inequality.
Device-independent QKD is not an easy task with current technology. A realization typically requires that a Bell inequality is violated in a loophole-free fashion 38,39 . A key problem in the photonic implementation is the limited detection efficiency, e.g., the emitted photons in experiments may not be detected due to the losses in the transmission or the imperfect detectors.
Here we report the first experimental realization of device-independent QKD with entangled photons, thanks to significant advancements on both the theoretical and experimental sides. On the theoretical side, we propose a protocol that greatly enhances the loss tolerance in the practical case of device imperfections, requiring a single-photon system efficiency of about 86%, and provide a security proof against collective attacks (see the Supplementary Information for details). The basic idea of our protocol is to extract secret keys from the post-selected strings of outcomes 25,47 and then add noise 26 to the surviving raw keys, where the lower bound of the quantum conditional entropy can be computed based on the framework in ref. 27. On the experimental side, we achieve a single-photon system efficiency of greater than 87%, which surpasses the values reported in previous loophole-free Bell test experiments with photons 12-24 (see Table 2). Combining the experimental and theoretical advances, we present a proof-of-principle experimental demonstration of device-independent QKD over standard fiber distances up to 220 meters.
Protocol. Our protocol is constructed based on a Bell test. As shown in Fig. 1, a pair of entangled photons is shared between Alice and Bob. We consider the scenario in which Alice's measurement has binary input x ∈ {1, 2} and binary outcome a, and Bob's measurement has triple input y ∈ {1, 2, 3} and binary outcome b, where a, b = 0 (1) if the respective detector does (not) register an event, i.e., "click" (or "no-click"). We denote the probability of a joint measurement with outcomes (a, b) conditioned on the measurement inputs (x, y) as P(a, b|x, y).
Modified after Ref. 7, our device-independent QKD protocol is ready to be implemented in state-of-the-art quantum optical experiments with the addition of new features, which are briefly summarized here (see the Supplementary Information for details). Consider N rounds of the Bell test experiment described in Fig. 1. We randomly select rounds of the experiment whose measurement inputs are $(\bar{x}, \bar{y}) = (1, 3)$ as "key-generation rounds" and use the unselected rounds as "test rounds" to test the nonlocal correlation. For the selected "key-generation rounds", Alice and Bob each randomly and independently keep (or discard) a round with probability p (or 1 − p) if the respective measurement outcome is a "non-click", and keep a round if the respective outcome is a "click". After this post-selection procedure, both Alice and Bob announce the discarded rounds using an authenticated public channel. Those "key-generation rounds" which are not kept by Alice and Bob simultaneously are discarded. Then, Alice further performs a noisy preprocessing. She generates the noisy raw keys $\hat{a}_{\bar{x}}$ by flipping each of her surviving key bits independently with probability $p_N$. The protocol then proceeds with an error correction step that allows Bob to infer Alice's new (noisy) raw key.
The final secret key can be obtained after the privacy amplification. We compile an experimental procedure of our protocol, which is listed in Table 1. We remark that the random post-selection can effectively remove the no-detection events that contain little correlation but high errors, which can effectively reduce the information cost of error correction 25. The noisy preprocessing can decrease the correlation between Alice and Eve by mixing the probability distributions with randomness 26. These two additional processing steps can effectively facilitate the enhancement of loss tolerance (see the Supplementary Information for details).
Key rate from the preprocessed events. We consider the collective attack model 7 where the devices behave in an independent and identically distributed (i.i.d.) manner and the devices are memoryless 36,37 at each step of the protocol. For the process of random post-selection, let $p_\alpha = 1 \cdot \delta_{\alpha,0} + p \cdot \delta_{\alpha,1}$ such that a given event (a, b) can be kept with probability $\omega_{ab} = p_a \cdot p_b$.
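An added example (not from the paper) of the classical side of the random post-selection and noisy preprocessing steps: it computes the probability that a key-generation round is kept, the sum of ω_ab P(a, b|x̄, ȳ) over the events, and the error-correction cost H(Â|B) before and after each step, then checks the rates by sampling. The distribution `P_KEY`, the values of p and p_N, and all function names are constructed for illustration; the Eve-side entropy bound of ref. 27 is not computed.

```python
import math
import random

def keep_weight(a, b, p):
    # p_alpha = 1 for a click (alpha = 0), p for a no-click (alpha = 1)
    p_alpha = lambda alpha: 1.0 if alpha == 0 else p
    return p_alpha(a) * p_alpha(b)          # omega_ab = p_a * p_b

def post_select(P, p):
    """Return (keep probability, distribution of the kept key-generation rounds)."""
    p_keep = sum(keep_weight(a, b, p) * q for (a, b), q in P.items())
    kept = {(a, b): keep_weight(a, b, p) * q / p_keep for (a, b), q in P.items()}
    return p_keep, kept

def add_noise(P, p_n):
    """Noisy preprocessing: Alice flips her bit with probability p_n."""
    return {(a, b): (1 - p_n) * P[(a, b)] + p_n * P[(1 - a, b)] for (a, b) in P}

def cond_entropy(P):
    """H(A|B) in bits: asymptotic one-way error-correction cost per kept bit."""
    h = 0.0
    for b in (0, 1):
        pb = P[(0, b)] + P[(1, b)]
        for a in (0, 1):
            if P[(a, b)] > 0:
                h -= P[(a, b)] * math.log2(P[(a, b)] / pb)
    return h

def simulate(P, p, p_n, rounds, seed=1):
    """Run both steps round by round; return (kept fraction, Alice's flip fraction)."""
    rng = random.Random(seed)
    events, weights = zip(*P.items())
    kept = flips = 0
    for a, b in rng.choices(events, weights, k=rounds):
        alice_keeps = a == 0 or rng.random() < p   # clicks are always kept
        bob_keeps = b == 0 or rng.random() < p
        if alice_keeps and bob_keeps:              # both parties must keep the round
            kept += 1
            flips += rng.random() < p_n            # independent flip of Alice's bit
    return kept / rounds, flips / kept

# Constructed sample distribution P(a, b | key-generation inputs); 0 = click, 1 = no-click.
# These are illustrative values, not the experiment's data or optimized parameters.
P_KEY = {(0, 0): 0.4, (0, 1): 0.1, (1, 0): 0.1, (1, 1): 0.4}

if __name__ == "__main__":
    p_keep, kept = post_select(P_KEY, p=0.5)
    print(p_keep, cond_entropy(P_KEY), cond_entropy(kept),
          cond_entropy(add_noise(kept, 0.05)))
```

For this constructed distribution, post-selection lowers H(A|B) while the added noise raises it again; the noise only pays off through its effect on Eve's information, which this sketch does not model.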
Suppose that for a given "key-generation round", the probability that it can be kept is $p_{V_p} = \sum_{ab \in V_p} \omega_{ab} P(a, b|\bar{x}, \bar{y})$, where $V_p$ represents the set of post-selected events. In the limit of infinite data size, for a given set of bipartite correlations {P(a, b|x, y)} that characterize the devices, the secret key rate r with optimal error correction can be lower-bounded by the Devetak-Winter rate 48 ,

Table 1. Experimental procedure of the protocol.
Assumptions 7: We focus on collective attacks and assume that the devices are memoryless and behave identically and independently at each step of the protocol.
Distribution: A source, potentially controlled by Eve, distributes entangled photons to Alice and Bob.
Form the raw keys: They use a fraction of strings corresponding to $(\bar{x}, \bar{y}) = (1, 3)$ as the "key-generation round" to generate the raw keys, while all the other strings are used as the "test round" to characterize the nonlocal correlations.
Random post-selection 25: For the "key-generation round", Alice and Bob each randomly and independently discard the non-click bits with probability 1 − p, while they keep all the click bits.
Noisy preprocessing 26: Alice generates the noisy raw keys $\hat{a}_{\bar{x}}$ by flipping each of her surviving key bits independently with probability $p_N$.
Error correction and privacy amplification: A secret key is distilled asymptotically via a one-way error correction protocol and a privacy amplification procedure.

Table 2). Furthermore, the values also surpass the efficiency threshold of 86.2% we place the PPKTP at a small angle with the light path. This will not significantly affect the upper limit of efficiency that the system could achieve, but it could effectively reduce the reflection of the 1560 nm photons on the inner surface of the PPKTP crystal when the devices are not perfect.
As a result of these enhancements, the non-maximally entangled state generated in our experiment has a better fidelity, 99.52 ± 0.15%, compared to our previous work 20,22,23. b Alice and Bob, single-photon polarization measurement: At the measurement sites, Alice (Bob) uses a HWP to project the single photon into pre-determined measurement bases. After being collected into the fiber, the single photons are transmitted through a certain length of fiber and then detected by a superconducting nanowire single-photon detector (SNSPD) operating at 1 K. HWP - half-wave plate; QWP - quarter-wave plate; DM - dichroic mirror; PBS - polarizing beam splitter.

(Fig. 2). We experimentally measure a two-photon state fidelity of 99.52 ± 0.15% with respect to the ideal state and achieve a CHSH game winning probability of 0.7559, both substantially improving over previous results 16,17,20,22,23 (see the Supplementary Information for details). We repeat the experiment at a rate of 2 × 10^6 rounds per second.
In this proof-of-principle experimental demonstration, we place Alice and Bob in the same lab with a distance of 20 meters (mainly the fiber length). We have adopted the shielding assumption 22,50 to prohibit unnecessary communications between relevant events taking place in three modules and between these events and adversaries. We alternate the measurement settings instead of randomization to reduce experimental complexity.
We conduct 2.4 × 10^8 rounds of experiment for each of the six combinations of measurement settings (x, y) and perform data analysis following the protocol. With optimized parameters

Conclusion. In conclusion, we have reported an experimental realization of device-independent QKD against collective attacks with a photonic setup. Our photonic implementation can generate entangled photons at a high rate and in the telecom wavelength, which is desirable for practical applications. This photonic platform can be naturally combined with quantum memory and quantum repeaters to form a quantum internet. In the future, by using the framework of the entropy accumulation theorem 51, our protocol and security analysis can be extended to the consideration of finite-key effects 11. Overall, the successful implementation of device-independent QKD paves the way for further realizations and applications of quantum communication and quantum information processing in a device-independent manner.
Note added. While completing the manuscript, we noticed two concurrent proof-of-concept device-independent QKD experiments based on trapped ions 52 and trapped atoms 53. In contrast to those systems, our photonic implementation can generate entangled photons at a high rate in the telecom wavelength, which is suitable for high-speed key generation over long-haul optical fiber networks.

Figure 1. An illustration of the device-independent QKD protocol.

Figure 2