Foiling covert channels and malicious classical post-processing units in quantum key distribution

The existing paradigm for the security of quantum key distribution (QKD) suffers from two fundamental weaknesses. First, covert channels have emerged as an important threat and have attracted a lot of attention in security research in conventional information and communication systems. Covert channels (e.g. memory attacks) can fatally break the security of even device-independent quantum key distribution (DI-QKD), whenever QKD devices are re-used. Second, it is often implicitly assumed that the classical post-processing units of a QKD system are trusted. This is a rather strong assumption and is very hard to justify in practice. Here, we propose a new paradigm for the security of QKD that addresses these two fundamental problems. Specifically, we show that by using verifiable secret sharing and multiple optical devices and classical post-processing units, one could re-establish the security of QKD. Our techniques are rather general and they apply to both DI-QKD and non-DI-QKD.

Despite its conceptual beauty, DI-QKD is however not foolproof.Indeed, one cannot expect that all QKD users will have expertise in experimental quantum optics and electronics.So, unless Alice and Bob manufacture their own QKD devices themselves, it could be very hard for them to guarantee that the devices are indeed honest.For instance, it was shown in [27] that DI-QKD is highly vulnerable to the so-called memory attacks.In this type of attacks, a hidden memory device (planted by the eavesdropper, Eve, in say Alice's setup during the manufacturing or initial installation of the QKD system) stores up the key material generated in each QKD session and then leaks this information to Eve in subsequent QKD runs.This situation is illustrated in Fig. 1.Importantly, such leakage of key information could be done very slowly over many subsequent QKD runs, and thus it could be very difficult to detect [27].Obviously, this is a fatal * mcurty@com.uvigo.esloss of security for DI-QKD.Whenever a QKD system is reused for subsequent QKD sessions, the security of the keys generated in previous QKD runs might be compromised.This is particularly problematic in a network setting with multiple users (who may not all be trustworthy) due to the impostor attack [27,31].Moreover, note that in principle memory attacks could also work for non-DI-QKD.This is so because, in practice, it could be quite challenging to check wether or not a purchased QKD setup contains such memory.Therefore, in the following, whenever we refer to a QKD system, it will be implicitly understood that it could be either a DI-QKD scheme or a non-DI-QKD scheme, as our results apply to both frameworks.
Our view is that memory attacks constitute an example of covert channels [32], which have attracted massive attention in conventional cryptography.With covert channels, seemingly innocent communications in a protocol could leak crucial information that is fatal to its security.One main motivation of our work is indeed to counter covert channels, such as memory attacks, in QKD.
Another key weakness in standard QKD security proofs is that they all implicitly assume that the classical post-processing units are trusted.These units are supposed to distill a secure secret key from the raw data generated by the QKD modules by applying techniques such as post-selection of data (or so-called sifting), parameter estimation, error correction, error verification and privacy amplification.However, in view of the many hardware [33][34][35] and software [36] Trojan Horse attacks that have been performed recently in conventional cryptographic systems, such trust is a very strong and unjustified assumption.This scenario is illustrated in Fig. 2. Indeed, hardware and software Trojans constitute today a key threat to the security of conventional cryptographic devices and this threat is expected to only rise with time, 1. Schematic representation of a memory attack against a DI-QKD system [27].In the i-th QKD run, Alice and Bob's QKD modules, QKDA and QKDB, use a quantum channel to produce a raw key, k Ai and k Bi , as well as certain protocol information, p Ai,info and p Bi,info , respectively.The content of p Ai,info and p Bi,info depends on the particular QKD protocol implemented.For instance, in the standard decoy-state BB84 scheme [28][29][30], p A,info contains the basis and the decoy setting information per emitted signal, while p B,info contains Bob's measurement basis and it also indicates which signals produced a click in his measurement apparatus.The raw key and the protocol information is sent to Alice and Bob's classical post-processing units, CPA and CPB, which are connected via an authenticated classical channel.These units generate a secret key, kAi and kBi, by applying various post-processing techniques.In a memory attack, Eve hides a memory in say Alice's module QKDA to first store up the key material generated in each QKD run and then leak this information to her by hiding it in say the decision of abort or not abort of a subsequent QKD session.For example, if a particular bit value, say the j-th bit, of the key generated in the first QKD run is 0, then this memory makes that a permuted σ(j)-th QKD run aborts.(Here, σ is a permutation and σ(j) is the permuted value of j.)This could be achieved, for instance, by outputting a raw key with a high quantum bit error rate (QBER).And, if the j-th bit value of the key is 1, then the σ(j)-th QKD run does not abort.That is, by simply learning whether or not the σ(j)-th QKD round has aborted, Eve could obtain the j-th bit value of the first QKD session key.Alternatively, Eve might also leak the key material produced in a certain QKD round by simply hiding it in the public discussion of subsequent QKD runs.We refer the reader to Ref. [27] for more details.Memory attacks are a fundamental threat to the security of DI-QKD.
so it cannot be neglected when analysing the security of a QKD implementation.And so the key question is: how do we address covert channels and prove security in QKD with untrusted classical post-processing units?The existence of memory attacks in DI-QKD shows that quantum mechanics alone is not enough.Clearly, we need to include some additional assumptions.To solve this problem, we draw inspiration from the idea of verifiable secret sharing (VSS) [39,40] and the existence of secure multiparty computations [41] in conventional cryptography, where it is known that one can achieve information-theoretic security in a n-party cryptographic setup if the number of cheaters is less than n/3 [42][43][44].
Standard VSS schemes, however, assume that all channels are classical, so by using error correction and authentication techniques one can basically make these chan- Alice Bob FIG. 2. Schematic representation of a hardware/software Trojan Horse attack against a QKD system.In QKD, it is commonly and implicitly assumed that the classical postprocessing units CPA and CPB are trusted.However, due to the many hardware [33][34][35] and software [36] Trojan Horse attacks that have been performed against conventional cryptographic systems, this trust is a very strong and unjustified assumption.For instance, Eve could modify a chip, or infect the software with malware, to make it fail at a crucial time, or to hide a backdoor in say Alice's unit CPA that leaks the final key, kAi, generated in say the i-th QKD run to her [37,38].
Due to the complexity and fabrication costs of current chips, these devices are typically designed by different parties, manufactured by an external foundry, and packaged and distributed by separate companies.This gives Eve multiple opportunities to meddle with the hardware.More importantly, hardware Trojans can be very hard to detect in practice.This is so because even slight adjustments to the electrical properties of a few transistors (from the billions of them contained in today's chips) could already compromise the security.Also, Eve could easily bypass post-fabrication tests by crafting attack triggers that require a sequence of unlikely events, or by altering only a subset of the chips in question [34,35].Similar arguments apply as well to software malware.This shows the weaknesses of the classical post-processing units.We refer the reader to the caption of Fig. 1 for the meaning of the different elements in this figure .nels perfect.In contrast, in QKD, owing to the noisy and lossy quantum channels controlled by Eve and the quantum no-cloning theorem, to distill a final key Alice and Bob need to apply several classical post-processing steps to the raw data produced by the QKD modules in a setting where both the QKD modules and the classical post-processing units might be corrupted.
A key contribution of this paper is thus to show how, despite these obstacles, such VSS approach could be adapted to QKD to re-establish its security.The price that we pay is that now Alice and Bob have to use a redundant number of QKD modules and classical postprocessing units.Fortunately, however, with the recent development of measurement-device-independent QKD (MDI-QKD) [45][46][47][48][49] and chip-based QKD [50][51][52], the cost of QKD modules might decrease dramatically over time, see Fig. 3. So, it is not unrealistic to consider that each of Alice and Bob could possess a few QKD modules and classical post-processing units, each of them purchased from a different vendor.Now, provided that the majority of the vendors are honest and careful in the manufacturing of their devices, it might not be entirely unreasonable to assume that at least one pair of QKD  [45] in which each user has multiple QKD transmitter modules and classical post-processing units.Note that the measurement devices are often the most expensive components of an entire QKD system because single photon detection is highly non-trivial.MDI-QKD allows measurement modules to be totally untrusted, which means that there is no need for redundant measurement modules if our proposal is employed with MDI-QKD.The users just need to have multiple transmitters and classical post-processing units, which thanks to the development of cheap chip-based QKD systems [50][51][52], we believe, could render our proposal cost effective in the future.We remark that our approach is also fully compatible with quantum relays and quantum repeaters.
modules is honest and the number of malicious/flawed classical post-processing units is strictly less than one third of the total number of them.With these assumptions in place, we can then apply techniques in conventional multiparty secure computation to prove security in different QKD scenarios with malicious devices.Importantly, if we disregard the cost of authenticating the classical communications, our protocols are optimal with respect to the resulting secret key rate.Moreover, the operations involved are based on simple functions in linear algebra such as bit-wise XOR and multiplication of matrices.So, they are conceptually simple and easy to implement.

II. QKD WITH MALICIOUS DEVICES
Let us start by describing the general scenario that we consider in more detail.It is illustrated in Fig. 4(a).Alice and Bob have n pairs of QKD modules, and, in addition, say Alice (Bob) has s (r) classical post-processing units at their disposal, each of them ideally purchased from a different provider.Alice's modules QKD Ai , with i = 1, . . ., n, are connected to the classical post-processing units CP Ai , with i = 1, . . ., s, via secure channels (i.e., channels that provide both secrecy and authentication).Also, all the units CP Ai are connected to each other via secure channels.The same applies to Bob.Importantly, since all these secure channels are located only within Alice and Bob's labs, in practice they could be implemented, for instance, by using physically protected paths (e.g., physical wires that are mechanically and electrically protected against damage and intrusion) which connect only the prescribed devices.Furthermore, each QKD Ai is connected to its partner QKD Bi via a quantum channel, and each CP Ai is connected to all CP Bi , with i = 1, . . ., s and i = 1, . . ., r, via authenticated classical channels [53,54].
Moreover, for simplicity, we shall consider a so-called threshold active adversary structure.That is, we will assume that up to t < n pairs of QKD modules, up to t < s/3 units CP Ai and up to t < r/3 independent units CP Bi could be corrupted.We say that a pair of QKD modules is corrupted when at least one of them is corrupted.Also, we conservatively assume that corrupted devices do not have to necessarily follow the prescriptions of the protocol but their behaviour is fully controlled by Eve, who could also access all their internal information.We refer the reader to Appendix E for the security analysis of QKD against a general mixed adversary structure [55].
The goal is to generate a composable -secure key, k A and k B .That is, k A and k B should be identical except for a minuscule probability cor , and say k A should be completely random and decoupled from Eve except for a minuscule probability sec , with cor + sec ≤ [56,57].Importantly, since now some QKD modules and classical post-processing units could be corrupted, the secrecy condition also implies that k A and k B must be independent of any information held by the corrupted devices after the execution of the protocol.Otherwise, such corrupted devices could directly leak k A and k B to Eve.Obviously, at the end of the day, some parties might need to have access to the final key, and thus one necessarily must assume that such parties are trusted and located in secure labs.In this regard, our work suggests that when the classical post-processing units at the key distillation layer are untrusted, they should not output the final key k A and k B but they should output shares of it to the key management layer [58,59].There, k A and k B could be either reconstructed by say Alice and Bob in secure labs, or its shares could be stored in distributed memories for later use, or they could be employed for instance for encryption purposes via say the one-time pad.Importantly, however, all the key generation process at the key distillation layer can be performed with corrupted devices.Also, we note that, if necessary, operations like storage or encryption at the key management layer could also be performed with corrupted devices by using techniques from secure multiparty computation [41].In any case, the actual management and storage of the shares of k A and k B generated by the key distillation layer is responsibility of the key management layer and depends on the particular application.
Before we address specific scenarios in detail, let us provide an overview of the general strategy that we follow to achieve our goal, which uses as main ingredients VSS schemes [39,40,44] and privacy amplification techniques (see Appendix A).The former is employed to defeat corrupted classical post-processing units.Indeed, given that t < s/3 and t < r/3, the use of VSS schemes allows to post-process the raw keys generated by the QKD modules in a distributed setting by acting only on raw key shares.More importantly, this post-processing of raw key shares can be performed such that no set of corrupted classical post-processing units can reconstruct k A and k B and, moreover, it is also guaranteed that k A and k B is a correct key independently of the misbehaviour of the corrupted units which might wish to purposely introduce errors.In this regard, a key insight of our paper is to show that, since all the classical post-processing techniques that are typically applied in QKD are "linear" in nature (i.e., they involve simple functions in linear algebra such as bit-wise XOR and multiplications of matrices), they are easily implementable in a distributed setting.
Let us illustrate this point with a simple example.In particular, let us consider, for instance, the error correction step in QKD.Here, say Bob wants to correct a certain bit string, k B,key , to match that of Alice, which we shall denote by k A,key .In general, this process requires that both Alice and Bob first apply certain error correction matrices, M EC , to k B,key and k A,key to obtain the syndrome information s A = M EC k A,key and s B = M EC k B,key , respectively.Afterward, if s A = s B Bob modifies k B,key accordingly.This process is then repeated a few times until it is guaranteed that k B,key = k A,key with high probability.Let us now consider again the same procedure but now acting on shares, k Aj ,key and k Bj ,key , of k A,key and k B,key respectively.That is, say k A,key = ⊕ q j k Aj ,key and k B,key = ⊕ q j k Bj ,key , with q being the total number of shares.For this, Alice and Bob first apply M EC to k Aj ,key and k Bj ,key to obtain s Aj = M EC k Aj ,key and s Bj = M EC k Bj ,key , respectively, for all j.Next, Alice sends s Aj to Bob who obtains s A = ⊕ q j=1 s Aj and s B = ⊕ q j=1 s Bj .This is so because and a similar argument applies to s B .Finally, if s A = s B Bob corrects k B,key by acting on its shares k Bj ,key .This is so because to flip certain bits in k B,key is equivalent to flip the corresponding bits in one of its shares k Bj ,key .That is, the error correction step in QKD can be easily performed in a distributed setting by acting only on shares of k A,key and k B,key .The same argument applies as well to the other classical postprocessing techniques in QKD, as all of them involve only linear operations.
To defeat corrupted QKD modules, on the other hand, we use privacy amplification techniques.Suppose, for  Finally, the CP units apply privacy amplification to k A and k B to remove the information held by the corrupted QKD modules and obtain kA and kB.In the presence of corrupted CP units, all these steps are realised in a distributed setting by acting on data shares generated with a VSS scheme.
instance, that each pair of QKD modules, QKD Ai and QKD Bi , output a raw key, k Ai and k Bi .Moreover, suppose for the moment that the classical post-processing units are trusted and they distill a supposedly ( /n)secure key, k Ai and k Bi , of length N bits from each pair k Ai and k Bi .Then, we have that the n × N bit strings  describe above.
In short, the general strategy can be decomposed in three main steps, which are illustrated in Fig. 4(b).First, each pair of QKD modules generates a raw key and the protocol information and sends them to the CP units.Then, in a second step, the CP units distill a supposedly ( /n)-secure key from each raw key received and concatenate the resulting keys to form a longer key bit string.Finally, in the third step, the CP units apply privacy amplification to remove the information that could be known to Eve due to the presence of corrupted QKD modules.Importantly, if the CP units are untrusted, all these steps are performed in a distributed setting by acting on data shares produced by a VSS scheme.
Next we evaluate three different scenarios of practical interest in this context.For concreteness, in these examples we use the VSS scheme introduced in [44] and described in Appendix A.

A. QKD with malicious QKD modules and honest classical post-processing units
We begin by analysing the situation where Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted, and each of Alice and Bob has one classical post-processing unit which is assumed to be honest.This scenario is illustrated in Fig. 5 and corresponds to the case s = r = 1 and t = t = 0 in Fig. 4(a).
A possible solution to this scenario is rather simple.It is given by Protocol 1 below, which consists of three main steps.

Generation of raw keys and protocol information:
Each pair QKD Ai and QKD Bi outputs, respectively, the bit strings k Ai and p Ai,info , and k Bi and p Bi,info , or the symbol ⊥ i to indicate abort, for all i = 1, . . ., n.Note that in step 3 of Protocol 1 we consider the worst-case scenario where all k Ai and k Bi generated by corrupted QKD modules contribute to k A and k B respectively, as Alice and Bob cannot discard this case.Most importantly, Protocol 1 allows Alice and Bob to defeat covert channels such as memory attacks in QKD, as this protocol guarantees that none of the corrupted QKD modules can access k A or k B .Our results are summarised in the following Claim, whose proof is direct from the definition of Protocol 1.

Generation of an
Claim 1. Suppose that Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted.Also, suppose that they have one trusted classical post-processing unit each.Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key could in principle be transformed into an ( /n)-secure key, and let N bits be the length of such supposedly secure key.Protocol 1 allows Alice and Bob to distill an -secure key of length (M − t) × N bits.Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.
Importantly, we remark that Protocol 1 is optimal with respect to the resulting secret key rate.This is so because of the following.If no pair of QKD modules aborts and its raw data could in principle be transformed into a secure key we have, by definition, that the maximum total final key length is at most n×N bits.Also, we know that up to t×N bits of such key could be compromised by the t pairs of corrupted QKD modules.That is, the maximum secure key length is at most (n−t)×N bits.Moreover, as discussed above, if some pairs of QKD modules abort we must necessarily assume the worst-case scenario where they are honest.This is so because through her interaction with the quantum signals in the channel, Eve could always force honest QKD modules to abort by simply increasing the resulting QBER or phase error rate.That is, in the scenario considered it is not possible to distill a key length greater than (M − t) × N bits.
B. QKD with honest QKD modules and malicious classical post-processing units We now consider the situation where Alice and Bob have one trusted QKD module each, and Alice (Bob) has s (r) classical post-processing units CP Ai (CP Bi ), with i = 1, . . ., s (i = 1, . . ., r), and up to t < s/3 (t < r/3) of them could be corrupted.This scenario is illustrated in Fig. 6 and corresponds to the case n = 1 and t = 0 in Fig. 4(a).
Since now the units CP Ai and CP Bi could be malicious, we aim to generate shares of an -secure key, k A and k B .A possible solution to this scenario is given by Protocol 2, which uses the VSS protocol introduced in [44].These protocols are described in Appendices A and B respectively.Below we provide a sketch of Protocol 2 where, for easy of presentation, we assume r = s.It consists of six main steps.

Error correction:
The CP Ai and CP Bi correct the parts of k A and k B that are used for key distillation, k A,key and k B,key , by acting on their shares k Aij ,key and k Bi j ,key .Let kAij,key and kBi j ,key denote the resulting shares of the corrected keys kA,key and kB,key , and let leak EC bits be the syndrome information interchanged during this step.

Error verification:
The CP Ai use the RBS scheme (see Appendix A) to randomly select a universal 2 hash function, h V , that is sent to all CP Bi .The CP Ai (CP Bi ) compute h Aij = h V ( kAij,key ) (h Bi j = h V ( kBi j ,key )) of length log 2 (4/ cor ) bits, and they use the reconstruct protocol of a VSS scheme to obtain both a hash, h A , of kA,key and a hash, h B , of kB,key from the shares h Aij and h Bi j .Finally, each CP Ai and CP Bi aborts if h A = h B .
6. Generation of shares of an -secure key: The CP Ai use the RBS scheme to randomly select a universal 2 hash function, h P , that is sent to all CP Bi .Each CP Ai (CP Bi ) obtains the shares, Given that t < M A /3 and t < M B /3, where M A (M B ) denotes the number of CP Ai (CP Bi ) that do not abort, we have that the final key, k A and k B , is -secure (see Appendix B).If they wish so, Alice (Bob) can obtain k A (k B ) by using the reconstruct protocol of a VSS scheme.That is, Alice (Bob) can use majority voting to obtain first the j-th share, k Aj (k Bj ), of k A (k B ) from k Aij (k Bi j ) for all j = 1, . . ., q, and then she (he) calculates k A = ⊕ q j=1 k Aj (k B = ⊕ q j=1 k Bj ), where q is the total number of shares.
Our results are summarised in the following Claim, whose proof is direct from the definition of Protocol 2: Claim 2. Suppose that Alice and Bob have one trusted QKD module each, and each of them has, respectively, s and r classical post-processing units.Also, suppose that up to t < s/3 of Alice's units and up to t < r/3 of Bob's units could be corrupted.Then, if we disregard the cost of authenticating the classical channels between Alice and Bob's classical post-processing units, Protocol 2 allows them to distill an -secure key of the same length as would be possible in a completely trusted scenario.Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.
We remark that if we ignore the cost of authenticating the classical channels between the units CP Ai and CP Bi , Claim 2 implies directly that Protocol 2 is optimal with respect to the resulting secret key length.Also, we refer the reader to Appendix C for a simpler but less efficient protocol to achieve the same task.
C. QKD with malicious QKD modules and malicious classical post-processing units Finally, here we consider the situation where Alice and Bob have n pairs of QKD modules, QKD Ai and QKD Bi with i = 1, . . ., n, and Alice (Bob) has s (r) classical postprocessing units CP Ai (CP Bi ), with i = 1, . . ., s (i = 1, . . ., r), and up to t < n pairs of QKD modules, up to t < s/3 units CP Ai and up to t < r/3 units CP Bi could be corrupted.This scenario is illustrated in Fig. 7 and corresponds to the most general case considered in Fig. 4(a).
For illustrative purposes, let us discuss first a naive protocol that fails to achieve the goal.
In particular, suppose for simplicity that s = r = n, and, moreover, we have that up to t < n groups G i ≡ {QKD Ai , QKD Bi , CP Ai , CP Bi } could be corrupted, where we say that a group G i is corrupted if at least one of its elements is corrupted.Then, if one disregards efficiency issues, a straightforward solution to this scenario might appear to be as follows.Each G i simply generates a supposedly -secure key, k Ai and k Bi , and this key is then considered as the i-th share of a final key, k A and k B .That is, k A = ⊕ n i=1 k Ai and k B = ⊕ n i=1 k Bi .Indeed, given that t < n, k A and k B is for certain sec -secret.However, the main problem of this naive approach is that k A and k B might not be correct because a corrupted G i could simple output k Ai = k Bi and thus Below we provide a simple solution (Protocol 3) to the general scenario.It builds on Protocols 1 and 2 above, and it consists of three main steps.
Protocol 3: 1. Generation and distribution of shares of ( /n)secure keys: Each pair QKD Ai and QKD Bi uses say Protocol 2 to distribute shares of an ( /n)-secure key, k Ai and k Bi , or the abort symbol ⊥ i , between CP Ai and CP Bi , respectively.Let kAi ij ( kBi ij ) be the j-th (j -th) share of k Ai (k Bi ) obtained by CP Ai (CP Bi ).For simplicity, we will suppose that the length of k Ai and k Bi is N bits for all i.
2. Generation of shares of an cor -correct key: Let 0 be the N -bit zero vector, and M be the number of k Ai and k Bi which are different from k Ai ij and k Bi ij are by definition shares of an corcorrect key.The secrecy condition only holds if all k Ai and k Bi originate from honest QKD modules.

Generation of shares of an -secure key:
The CP Ai use the RBS scheme (see Appendix A) to randomly select a universal 2 hash function, h P , that is sent to all CP Bi .Each CP Ai (CP Bi ) obtains shares, Indeed, given that t < M Ai /3 and t < M Bi /3 for all i = 1, . . ., M , where M Ai (M Bi ) denotes the number of CP Ai (CP Bi ) that do not produce ⊥ i but output postprocessed shares, k Ai ij (k Bi ij ), from k Ai (k Bi ), then the final key, k A and k B , is -secure.Also, Alice (Bob) could obtain k A (k B ) by using the reconstruct protocol of a VSS (see Appendix A).That is, Alice (Bob) could use majority voting to obtain the shares k Aij and k Bij of k A (k B ) from k Ai ij (k Bi ij ) for all i = 1, . . ., M and j = 1, . . ., q (j = 1, . . ., q ), and she (he where q (q ) is the total number of shares of k Ai (k Bi ) for each i.
Our results are summarised in the following Claim, whose proof is direct from the definition of Protocol 3: Claim 3. Suppose that Alice and Bob have n pairs of QKD modules and Alice (Bob) has s (r) classical postprocessing units.Suppose that up to t < n pairs of QKD modules, up to t < s/3 classical post-processing units of Alice, and up to t < r/3 classical post-processing units of Bob could be corrupted.Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key can be transformed into a supposedly ( /n)-secure key, and let N bits be the length of such key.Then Protocol 3 allows Alice and Bob to distill an -secure key of length (M − t) × N bits.Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.
We remark that if we disregard the cost of authenticating the classical channels between Alice and Bob's classical post-processing units, Protocol 3 is optimal with respect to the resulting secret key length.The argument follows directly from that used in Sec.II A, where we showed that if the classical post-processing units are trusted the secret key rate is upper bounded by (M − t) × N bits.So, in the presence of corrupted classical post-processing units this upper bound also trivially holds.

III. DISCUSSION AND CONCLUSIONS
Security proofs of QKD assume that there are no covert channels and the classical post-processing units are trusted.Unfortunately, however, both assumptions are very hard, if not impossible, to guarantee in practice.
Indeed, memory attacks [27] constitute a fundamental practical threat to the security of both DI-QKD and non-DI-QKD.They highlight that quantum mechanics alone is not enough to guarantee the security of practical QKD realisations but, for this, one needs to resort to additional assumptions.Also, recent results on Trojan Horse attacks [33][34][35][36][37][38] against conventional cryptographic systems underline the vulnerabilities of the classical postprocessing units, and this threat is expected to only rise with time.
In this paper we have introduced a simple solution to overcome these two fundamental security problems and restore the security of QKD.The price to pay is that now Alice and Bob need to have various QKD modules and classical post-processing units at their disposal, bought for example from different vendors.Given that there is at least one pair of honest QKD modules and that the number of corrupted classical post-processing units is less than one third of them, we have shown how VSS schemes, together with privacy amplification techniques, could be used to re-establish the security of QKD.
Indeed, VSS and secret sharing techniques have been used previously in quantum information [60][61][62].For instance, the authors of [60,61] proposed a quantum version of VSS to achieve secure multiparty quantum computation, while in [62] classical secret sharing schemes are combined with QKD to achieve information-theoretically secure distributed storage systems.
A key insight of our paper is very simple yet potentially very useful: the typical classical post-processing in QKD only involves operations which are "linear" in nature, and thus they could be easily implemented in a distributed setting by acting on data shares from say a linear VSS scheme.
To illustrate our results, we have proposed specific protocols for three scenarios of practical interest.They assume that either the QKD modules, the classical-portprocessing units, or both of them together could be corrupted.Remarkably, if we disregard the cost of classical authentication, all these protocols are optimal with respect to the secret key rate.They use the VSS scheme introduced in [44], which is very simple to implement.Its main drawback is, however, that, for a given number of corrupted parties, the number of shares grows exponentially with the total number of parties.Nevertheless, for a small number of parties (which is the scenario that we are interested in QKD), the protocol is efficient in terms of computational complexity.Also, we remark that there exist efficient three-round VSS protocols where the computation and communication required is polynomial in the total number of parties [63].Moreover, these schemes use a minimum number of communication rounds [64], and they could also be used here.It would be interesting to further investigate the most resource efficient protocols to be used in the QKD framework.Here we briefly introduce some definitions and cryptographic protocols that are used in the main text; they are mainly taken from [41,44].
We consider a scenario with a dealer and n parties, and we suppose a threshold active adversary structure where Eve can actively corrupt the dealer and up to t of the parties.Active corruption means that Eve can fully control the corrupted parties whose behaviour can deviate arbitrarily from the protocol's prescriptions.We refer the reader to Appendix D for the modeling of more general adversary structures.For simplicity, we assume that all messages are binary strings and the symbol ⊕ below denotes bit-wise XOR or bit-wise addition modulo 2. We remark, however, that the the protocols below work as well over any finite field or ring.
In this scenario, a n-out-of-q threshold secret sharing (SS) scheme [65,66] is a protocol that allows the dealer to split a message m between n parties such that, if he is honest, any group of q or more parties can collaborate to reconstruct m but no group with less than q parties can obtain any information about m.If n = q, this could be achieved by splitting m into a random sum of q shares m i .That is, one selects the first q − 1 shares m i of m at random, and then chooses m q = m⊕m 1 ⊕. ..⊕m q−1 [41].
A drawback of SS schemes is that they do not guarantee the consistency of the shares, which is essential to assure the correctness of the keys delivered by the QKD protocols in the main text.That is, during the reconstruct phase of a SS scheme, corrupted parties could send different m i to the honest parties such that they obtain different values for m.This problem can be solved with verifiable secret sharing (VSS) schemes [39,40], which distribute m i in a redundant manner such that the honest parties can use error correction to obtain the correct values.Indeed, provided that the necessary and sufficient conditon t < n/3 is satisfied, a VSS scheme guarantees that there exists a well-defined m that all honest parties obtain from their shares [42][43][44].
The share and reconstruct protocols of a VSS scheme satisfy three conditions.First, independently of whether or not the dealer is honest, if the share protocol is successful then the reconstruct protocol delivers the same m to all the honest parties.Second, if the dealer is honest, the value of the reconstructed m coincides with that provided by the dealer.And third, if the dealer is honest, the information obtained by any set of t of less parties after the share (reconstruct) protocol is independent of any previous information that they held before the protocol (is just the reconstructed bit string m).Below we present a simple VSS scheme that builds on the q-out-of-q threshold SS protocol above [44], and which we use in Protocols 2 and 3 in the main text.Importantly, given that t < n/3, this scheme provides information-theoretic security [44].See Fig. 8 for a graphical representation of its share and reconstruct protocols.for the case n = 4 and t = 1.The sets σi are given by σ1 = {P2, P3, P4}, σ2 = {P1, P3, P4}, σ3 = {P1, P2, P4} and σ4 = {P1, P2, P3}, with Pi denoting the i-th party.In the share protocol, the dealer uses a 4-out-of-4 SS scheme to split the message m into shares mi, with i = 1, . . ., 4.Then, he sends each mi over a secure channel to all parties in σi.For instance, he sends m1 to P2, P3, and P4, and similarly for the other shares.Afterward, all parties in σi send each other their shares mi to check that they are indeed equal.If no inconsistency is found then, in the reconstruct protocol, each party sends all his shares to all the other parties over an authenticated channel.Finally, each party uses majority voting to obtain mi ∀i and then reconstructs m = ⊕ 4 i=1 mi.In the figure, m i={x,y,z} and m i={x,y} denote, respectively, the bit strings {mx, my, mz} and {mx, my} with x, y, z ∈ {1, 2, 3, 4}, the red solid lines represent secure classical channels (i.e., channels which guarantee both secrecy and authentication), the red dashed lines are authenticated classical channels, and the blue solid lines refer to the output of the reconstruct protocol.
Share protocol: 1.The dealer uses a q-out-of-q SS scheme to split m into q = n n−t shares m i , with i = 1, . . ., q. 2. Let {σ 1 , . . ., σ q } denote all (n − t)-combinations of the set of n parties.Then, for each i = 1, . . ., q, the dealer sends m i over a secure channel (i.e., a channel that provides secrecy and authentication) to each party in σ i .If a party does not receive his share, he takes as default share say a zero bit string.
3. All pairs of parties in σ i send each other their shares m i over a secure channel to check if they are indeed equal.If an inconsistency is found, they complain using a broadcast channel.
4. If a complaint is raised in σ i , the dealer broadcasts m i to all parties and they accept the share received.Otherwise, the protocol aborts.
Reconstruct protocol: 1.All pairs of parties send each other their shares over an authenticated channel.
2. Each party uses majority voting to reconstruct the shares m i ∀i, and then obtains m = ⊕ q i=1 m i .From the description above, it is guaranteed that when the share protocol is successful (i.e., it does not abort), all the honest parties who received the i-th share of m obtain exactly the same bit string m i .Also, this protocol assures that any share m i of m is distributed to at least 2t + 1 different parties.This is so because this is the minimum size of any set σ i .This means, in particular, that, since the number of corrupted parties is at most t, the use of a decision rule based on majority voting in the reconstruct protocol permits all the honest parties to obtain the same fixed m i for all i.Moreover, it is straightforward to show that when the dealer is honest, the reconstructed message m is equal to his original message.Furthermore, we have that m is only revealed to the parties once the reconstruct phase ends.This is so because at least one bit string m i is only shared by honest parties since there is at least one set σ i which does not contain any corrupted party.Also, note that if a complaint is raised in a certain σ i during the share protocol, the fact that the dealer broadcast m i to all parties does not violate secrecy.This is so because a complaint can only occur if either the dealer is corrupted or σ i contains at least one corrupted player, hence the adversary knew m i already.
We remark that the broadcast channel which is required in steps 3 and 4 of the share protocol can be a simulated channel.Indeed, given that t < n/3, there exist efficient poly(n) protocols that can simulate a broadcast channel with information-theoretic security in an optimal number of t + 1 communication rounds [67,68].Furthermore, if a physical broadcast channel is actually available, there exist efficient information-theoretically secure VSS schemes that only require a majority of honest parties (i.e., t < n/2) and which could also be used in this context [69].
Next we present a simple scheme to generate a common perfectly unbiased random l-bit string (RBS) r between n parties when up to t < n/3 of them could be corrupted.It follows directly from VSS [42][43][44].For convenience, we call it the RBS protocol.We use it to randomly select universal 2 hash functions in Protocols 2 and 3 in the main text, where we cannot assume the existence of an external honest dealer which provides them to the QKD devices.The RBS scheme allows mutually untrusted parties to generate and share random numbers through discussions.

RBS protocol:
1. Say each of the first t + 1 parties produces locally a random l-bit string r i and sends it to all the other parties using the share protocol above.
2. Each party uses a broadcast channel to confirm that they have received all their shares from the first t+1 parties.Otherwise, the protocol aborts.
3. All parties use the reconstruct protocol above to obtain r i for all i = 1, . . ., t + 1. Afterward, each of them calculates locally r = ⊕ t+1 i=1 r i .It is straightforward to show that this protocol guarantees that all honest parties share a perfectly unbiased random bit string r.The use of the share and the reconstruct protocols of a VSS scheme assures that all honest parties reconstruct the same r i ∀i and thus the same r.In addition, step 2 of the protocol guarantees that the first t + 1 parties generate and distribute their strings r i before knowing the strings of the other parties.Moreover, since the number of corrupted parties is at most t, we have that at least one honest party generates a truly random bit string r i , and thus r is also random.

Appendix B: Protocol 2
Here we present the different steps of Protocol 2 in detail.For concreteness, whenever we refer to the share and reconstruct protocols of a VSS scheme we mean those presented in Appendix A, which have been introduced in [44].
Also, to simplify the discussion, in Protocol 2 we consider the case where p A,info and p B,info determine the sifting procedure of the QKD scheme in a deterministic way.That is, there is no random post-selection of data from the raw key.In addition, we assume that Alice and Bob do not estimate the actual QBER but they apply error correction for a pre-fixed QBER value followed by an error verification step.However, we remark that Protocol 2 could be adapted to cover also these two scenarios.

Generation and distribution of shares of raw keys
and protocol information: QKD A and QKD B obtain, respectively, the raw keys k A and k B and the protocol information p A,info and p B,info , or the abort symbol ⊥.If the result is different from ⊥, QKD A uses the share protocol of a VSS scheme to create q = s s−t shares of k A and distributes them among the CP Ai , with i = 1, . . ., s.Likewise, QKD B creates q = r r−t shares of k B and distributes them among the CP Bi , with i = 1, . . ., r.Let k Aij (k Bi j ) be the j-th (j -th) share of k A (k B ) received by CP Ai (CP Bi ), with j = 1, . . ., q (j = 1, . . ., q ).Also, QKD A (QKD B ) sends p A,info (p B,info ) to all CP Ai (CP Bi ).Since by assumption QKD A (QKD B ) is honest, all CP Ai (CP Bi ) receive the same p A,info (p B,info ) and the shares k Aij (k Bi j ) are equal for all i (i ).Next, say the first 2t +1 CP Bi send p B,info to all CP Ai .Likewise, say the first 2t + 1 CP Ai send p A,info (for the detected events) to all CP Bi .Each CP Ai (CP Bi ) uses majority voting to determine p B,info (p A,info ) from the information received.Note that since by assumption the number of corrupted units CP Ai (CP Bi ) is at most t (t ), 2t + 1 (2t + 1) copies of p A,info (p B,info ) is enough for the honest parties to be able to reconstruct the correct value of these bit strings by using majority voting.for all j and j , from s Aij and s Bi j .Finally, they obtain s A = ⊕ q j=1 s Aj and s B = ⊕ q j =1 s Bj .Next, Bob corrects k B,key .For this, say all CP Bi which have the j -th share k Bi j ,key for a pre-fixed index j = 1, . . ., q , flip certain bits of this share depending on the actual values of s A and s B .This whole process is repeated until the error correction procedure ends.Let kAij,key and kBi j ,key denote the shares k Aij ,key and k Bi j ,key after error correction, and let leak EC bits be the syndrome information interchanged between Alice and Bob during this step.That is, kAij,key and kBi j ,key are actually equal to k Aij ,key and k Bi j ,key except for the bit strings k Bi j ,key whose bits have been flipped during error correction.

5.
Error verification: All CP Ai and CP Bi check that the error correction step was indeed successful.For this, the CP Ai use the RBS scheme introduced in Appendix A to randomly select a universal 2 hash function, h V .Then, they compute a hash h Aij = h V ( kAij,key ) of length log 2 (4/ cor ) bits, and say the first 2t + 1 CP Ai send the hash function to all CP Bi .Bob's CP units reconstruct the hash function by using majority voting and then they calculate h Bi j = h V ( kBi j ,key ).Afterward, all CP Ai and CP Bi use the reconstruct protocol of a VSS scheme to obtain h A = ⊕ q j=1 h Aj and h B = ⊕ q j =1 h Bj from h Aij and h Bi j .That is, they send each other h Aij and h Bi j and they use majority voting to determine h Aj and h Bj , for all j and j , from h Aij and h Bi j .Finally, each of them checks locally whether or not h A = h B .If they are not equal, they abort.In so doing, we have that the bit strings kA,key = ⊕ q j=1 kAj,key and kB,key = ⊕ q j =1 kBj ,key are equal except for a minuscule probability cor , where kAj,key ( kBj ,key ) are obtained from kAij,key ( kBi j ,key ) by using majority voting.
6. Generation of shares of an -secure key: All CP Ai and CP Bi extract from kA,key and kB,key the shares of an sec -secret key, k A and k B .For this, the CP Ai use the RBS scheme to randomly select a proper universal 2 hash function, h P .Next, they obtain k Aij = h P ( kAij,key ) and say the first 2t + 1 CP Ai send h P to all CP Bi .Bob's CP units use majority voting to determine h P from the information received and they calculate k Bi j = h P ( kBi j ,key ).The function h P removes Eve's information from kA,key , which includes the syndrome information leak EC disclosed during error correction, the hash value of length log 2 (4/ cor ) bits disclosed during error verification, and Eve's information about the key according to the estimated phase error rate.
As stated in Sec.II B, when t < M A /3 and t < M B /3, where M A (M B ) is the number of CP Ai (CP Bi ) that do not abort, k Aij and k Bi j are shares of an -secure key, k A and k B .This is so because the condition t < M A /3 (or, equivalently, s − t − (s − M A ) > 2t ) guarantees that for all j = 1, . . ., q, there are at least 2t + 1 units CP Ai which send shares k Aij to Alice.To see this, note that each share k Aj , for all j, is held by s − t units CP Ai , and by assumption we have that at most s − M A of them could have aborted.A similar argument applies to the condition t < M B /3.
To reconstruct k A and k B , Alice and Bob can use majority voting to obtain k Aj and k Bj from k Aij and k Bi j , respectively, and afterward they calculate k A = ⊕ q j=1 k Aj and k B = ⊕ q j =1 k Bj .
Appendix C: Alternative solution for QKD with honest QKD modules and malicious classical post-processing units In this Appendix we present a conceptually simple, although less efficient, solution than Protocol 2 for the case where r = s.
The main idea runs as follows.First, QKD A and QKD B perform s independent QKD sessions, each of them is realised with a different pair of units CP Ai and CP Bi to generate a supposedly ( /s)-secure key, k Ai and k Bi , or the abort symbol ⊥ i .For easy of illustration, we shall assume that the length of each k Ai and k Bi is N bits for all i.Of course, if say CP Ai and/or CP Bi is corrupted then we have that k Ai and k Bi could be compromised and known to Eve.Then, in a second step, the keys k Ai and k Bi are concatenated to form kA = [k A1 , . . ., k AM ] and kB = [k B1 , . . ., k BM ], where M denotes the number of keys k Ai and k Bi which are different from the abort symbol.Finally, we apply error verification and privacy amplification to kA and kB to obtain an -secure key, k A and k B .Importantly, this last step is performed by the classical post-processing units in a distributed setting by acting only on shares of kA and kB .Below we describe the different steps of the protocol in more detail.
Alternative solution to Protocol 2: 1. Generation of ( /s)-secure keys: QKD A and QKD B perform s independent QKD sessions, each of which with a different pair of units CP Ai and CP Bi , with i = 1, . . ., s, to obtain the bit strings k Ai and k Bi , which are supposed to be ( /s)-secure, or the abort symbol ⊥ i .
2. Distribution of shares of ( /s)-secure keys: Each CP Ai sends k Ai to the other classical postprocessing units at Alice's side by using the share protocol of a VSS scheme, and all CP Ai confirm to each other that they have received their shares.
Let k Ai ij be the j-th share of k Ai received by CP Ai .Likewise, the units CP Bi act similarly with k Bi .Let k Bi ij be the j-th share of k Bi received by CP Bi .Each CP Ai defines locally the bit strings The reason for reducing the size of k Ai ij and k Bi ij by 2t × N bits in the last step of the protocol is due to the following.In the worst-case scenario, we have that all corrupted CP Ai could be partnered with honest CP Bi (and vice versa).This means, in particular, that there could 2t keys k Ai and k Bi which could be compromised and, more importantly, Alice and Bob cannot discard that these keys contribute to k Ai ij and k Bi ij .
Given that t < M Ai /3 and t < M Bi /3 for all i = 1, . . ., M , where M Ai (M Bi ) denotes the number of CP Ai (CP Bi ) that do not produce ⊥ i but output postprocessed shares, k Ai ij (k Bi ij ), from k Ai (k Bi ), then the final key, k A and k B , is -secure.Once again, to reconstruct it, Alice (Bob) can use majority voting to obtain k To conclude this Appendix, let us briefly compare the solution above with that provided by Protocol 2. For this, we first note that the approach above runs s independent QKD sessions while Protocol 2 can distill an -secure key from one single QKD run.The second main difference is related to the resulting secret key rate.To simplify our discussion, we shall assume, like above, that the length of each k Ai and k Bi is N bits for all i.After running s QKD sessions, the alternative protocol above can deliver a final key of length roughly ≈ (M − 2t ) × N bits, while if we run Protocol 2 s times the length of the final key would be roughly s × N secret bits.That is, even if we consider the best-case scenario for the alternative approach above (i.e., M = s), Protocol 2 provides a secret key rate that is ≈ s/(s − 2t ) times higher than that provided by this alternative method.

Appendix D: General adversary structures
In the main text we have considered the security of QKD against a so-called threshold active adversary structure.As we have already seen, active corruption means that there could exist a central adversary, Eve, who fully controls the behaviour of all the corrupted parties, which do not have to necessarily follow the prescriptions of the protocol.On the other hand, by a threshold adversary structure we refer to an adversary who can corrupt up to t (but not more) of the parties.This is, however, a particular case of what is called a general mixed adversary structure [55].By mixed corruption we mean that some of the corrupted parties could also be passively (in contrast to actively) corrupted.Passive corruption indicates that the parties could leak all their information to the adversary, but otherwise they follow all the indications of the protocol correctly.General adversary structures, on the other hand, refer to the fact that the subsets that contain all the potentially corrupted parties could have an arbitrary distribution, i.e., they do not need to consists on all possible combinations of up to t parties.
To model the corruption capability of a general adversary one can use a so-called (Σ, Ω)-adversary structure.This is basically a set that contains all the potentially corruptible subsets of parties.More precisely, let P denote the set of all parties, and let Σ and Ω be structures for P satisfying Σ ⊆ P(P ) and Ω ⊆ Σ with P(P ) being the power set of P .Here, a structure for P means a subset Γ of P(P ) that is closed under taking subsets.That is, if S ∈ Γ and S ⊆ S then S ∈ Γ.Then, a (Σ, Ω)-adversary is an adversary that can passively (actively) corrupt a set σ (ω) of parties with σ ∪ ω ∈ Σ and ω ∈ Ω. Below, for ease of notation, whenever we describe a structure, we only list its maximal sets.That is, it is implicitly understood (even if it is not explicitly written) that its subsets also belong to the structure.
Next, we introduce the share and the reconstruct protocols of a VSS scheme [44] that provides informationtheoretic security against a general (Σ, Ω)-adversary given that P / ∈ Σ Ω Ω, which can be proven to be a necessary and sufficient condition to achieve security in this framework [44].That is, the VSS below is optimal in this sense.Here, is an operation on structures defined as Γ 1 Γ 2 = {S 1 ∪ S 2 : S 1 ∈ Γ 1 , S 2 ∈ Γ 2 }.That is, Γ 1 Γ 2 is a structure that contains all unions of one element of Γ 1 and one element of Γ 2 .If Σ = Ω (i.e., when all corrupted parties are active), note that the condition P / ∈ Σ Ω Ω coincides with that introduced in [42,43].Without loss of generality, below we assume that Σ contains q maximal sets σ i , i.e., Σ = {σ 1 , σ 2 , . . ., σ q }.Share protocol: 1.The dealer uses a q-out-of-q SS scheme to split the message m into q shares m i , with i = 1, . . ., q.
2. For each i = 1, . . ., q, the dealer sends m i over a secure channel to each party in the set σ i , where σ i is defined as the complement of σ i .If a party does not receive his share, he takes as default share say a zero bit string.
3. All pairs of parties in σ i send each other their shares m i over a secure channel to check that their shares are indeed equal.If an inconsistency is found, they complain using a broadcast channel.
4. If there is a complaint in σ i , the dealer broadcasts m i to all parties and they accept the share received.Otherwise, the protocol aborts.
Reconstruct protocol: 1.All parties send their shares to all other parties over an authenticated channel.
2. Each party reconstructs locally the shares m i ∀i, and obtains m = ⊕ q i=1 m i .For this, let m li be the value for m i sent by the l-th party in σ i .Then, each party chooses the unique value m i such that there exists a ω ∈ Ω satisfying m li = m i for all l ∈ σ i − ω.
As in the case of the share protocol presented in the main text, the share protocol above also requires the availability of a broadcast channel.Fortunately, however, in this framework it is also possible to simulate such a channel by efficient protocols, with polynomial message and computation complexity, between the different parties [70].For this, the requirement is that P / ∈ Ω Ω Ω [44].
To conclude this Appendix, let us mention that the simple RBS protocol described in the main text can be straightforwardly adapted to be secure also against a general (Σ, Ω)-adversary given that P / ∈ Σ Ω Ω.For this, we only need to make two modifications.First, we replace the share and reconstruct protocols with the ones described above.And, second, now we do not employ the first t + 1 parties P i ∈ P to produce a random bit string each (see step 1 of the RBS protocol in the main text).Instead, these random bit strings are produced by all the parties in one set ρ ∈ P(P ) such that ρ Σ.In so doing, we guarantee that there is at least one honest party that generates a random bit string.Here, one could take, for instance, the set ρ with the minimum number of parties.

FIG. 4 .
FIG. 4. (a) Schematic representation of a QKD setup with multiple QKD modules and classical post-processing units.We assume that up to t < n pairs of QKD modules, up to t < s/3 units CP Ai and t < r/3 units CP Bi could be corrupted.The goal is to distill shares of an -secure key, kA and kB.In the figure, the thin red solid lines represent secure classical channels, the thin red dashed lines denote authenticated classical channels, and the blue thick dashed lines are quantum channels.(b) General strategy to distill shares of kA and kB.First, each pair QKDAi and QKDBi outputs a raw key, k Ai and k Bi , together with the protocol information, and sends them to the CP units at Alice and Bob's side respectively.From k Ai and k Bi , these units distill a supposedly ( /n)-secure key, k Ai and k Bi , and then concatenate these keys to form k A = [k A1 , k A2 , . . ., k An ] and k B = [k B1 , k B2 , . . ., k Bn ].Finally, the CP units apply privacy amplification to k A and k B to remove the information held by the corrupted QKD modules and obtain kA and kB.In the presence of corrupted CP units, all these steps are realised in a distributed setting by acting on data shares generated with a VSS scheme.

FIG. 5 .
FIG.5.QKD with malicious QKD modules and honest classical post-processing units.Alice and Bob have n pairs of QKD modules, and up to t < n of them could be corrupted.Alice's (Bob's) i-th QKD module is supposed to generate a raw key k Ai (k Bi ) and the protocol information p Ai,info (p Bi,info ), with i = 1, . . ., n.Also, they have one classical post-processing unit each, which is assumed to be honest.The goal is to distill an -secure key, kA and kB.This can be achieved by using Protocol 1. See the main text for further details.
cor -correct key: The units CP A and CP B use the key distillation procedure prescribed by the QKD protocol to generate an ( /n)secure key, k Ai and k Bi , from each raw key pair k Ai and k Bi , or they generate the abort symbol ⊥ i , for all i = 1, . . ., n. Afterward, CP A (CP B ) concatenates the M ≤ n keys k Ai (k Bi ) which are different from ⊥ i to form the bit string k A = [k A1 , . . ., k AM ] (k B = [k B1 , . . ., k BM ]).Since the units CP A and CP B are trusted, k Ai and k Bi are for certain ( cor /n)-correct ∀i and thus k A and k B are cor -correct.The secrecy condition only holds if all k Ai and k Bi originate from raw keys output by honest QKD modules.For simplicity, we will suppose that the length of k Ai and k Bi is N bits ∀i.

FIG. 6 .
FIG.6.QKD with honest QKD modules and malicious classical post-processing units.Alice and Bob have one trusted QKD module each, QKDA and QKDB, which generate, respectively, the raw key k A and k B and the protocol information p A,info and p B,info .Also, Alice (Bob) has s (r) classical post-processing units CPAi (CP Bi ) with i = 1, . . ., s (i = 1, . . ., r), and up to t < s/3 (t < r/3) of these units could be corrupted.The goal is to produce shares of ansecure key, kA and kB, from which the final key could be reconstructed.This can be achieved by using Protocol 2. See the main text and Appendix B for further details.In the figure, k Aij (k Bi j ) denotes the j-th share of k A (k B ) which QKDA (QKDB) sends to CPAi (CP Bi ), and kAij (kBij) identifies the j-th share of kA (kB) that is produced by CPAi (CP Bi ).Since QKDA (QKDB) is honest, note that the shares k Aij (k Bij ) are equal for all i.
FIG.7.QKD with malicious QKD modules and malicious classical post-processing units.Alice and Bob have n pairs of QKD modules, QKDAi and QKDBi, and up to t < n of them could be corrupted.They generate, respectively, the raw key k Ai and k Bi and the protocol information p Ai,info and p Bi,info .Also, Alice (Bob) has s (r) classical post-processing units CP Ai (CP Bi ) with i = 1, . . ., s (i = 1, . . ., r), and up to t < s/3 (t < r/3) of these units could be corrupted.The goal is to produce shares of an -secure key, kA and kB, from which the final key could be reconstructed.This can be achieved by using Protocol 3. See the main text for further details.In the figure, k Ai ij (k Bi ij ) denotes the j-th share of k Ai (k Bi ) which QKDAi (QKDBi) sends to CP Ai (CP Bi ), and k Ai ij (k Bi ij ) identifies the shares of kA (kB) that are produced by CP Ai (CP Bi ).
Appendix A: Secure multiparty computation toolbox

FIG. 8 .
FIG.8.Schematic representation of the share and the reconstruct protocols of the VSS scheme introduced in[44] for the case n = 4 and t = 1.The sets σi are given by σ1 = {P2, P3, P4}, σ2 = {P1, P3, P4}, σ3 = {P1, P2, P4} and σ4 = {P1, P2, P3}, with Pi denoting the i-th party.In the share protocol, the dealer uses a 4-out-of-4 SS scheme to split the message m into shares mi, with i = 1, . . ., 4.Then, he sends each mi over a secure channel to all parties in σi.For instance, he sends m1 to P2, P3, and P4, and similarly for the other shares.Afterward, all parties in σi send each other their shares mi to check that they are indeed equal.If no inconsistency is found then, in the reconstruct protocol, each party sends all his shares to all the other parties over an authenticated channel.Finally, each party uses majority voting to obtain mi ∀i and then reconstructs m = ⊕ 4 i=1 mi.In the figure, m i={x,y,z} and m i={x,y} denote, respectively, the bit strings {mx, my, mz} and {mx, my} with x, y, z ∈ {1, 2, 3, 4}, the red solid lines represent secure classical channels (i.e., channels which guarantee both secrecy and authentication), the red dashed lines are authenticated classical channels, and the blue solid lines refer to the output of the reconstruct protocol.
k Bn ] are for certain cor -correct.The secrecy condition, however, only holds if all the QKD modules are trusted.If say the pair QKD Ai and QKD Bi is corrupted then the key strings k Ai and k Bi are compromised.So, given that t < n the classical post-processing units can apply privacy amplification to k A and k B to extract two shorter (n − t) × N bit strings, k A and k B , which are for certain sec -secret and thus -secure.In the presence of untrusted classical post-processing units, this process can be performed in a distributed manner by acting on data shares, just as we Generation and distribution of shares of raw keys and protocol information: QKD A and QKD B output, respectively, k A and p A,info , and k B and p B,info , or the abort symbol ⊥.If the output is different from ⊥, QKD A sends p A,info to all CP Ai and uses a VSS scheme to distribute shares of k A between the CP Ai .Likewise, QKD B does the same with p B,info , k B and the units CP Bi .Let k Aij (k Bi j ) be the j-th share of k A (k B ) received by CP Ai (CP Bi ).Next, the CP Ai and CP Bi send to each other p A,info and p B,info .2. Sifting: Each CP Ai uses p A,info and p B,info to obtain two bit strings, k Aij ,key and k Aij ,est , from k Aij .k Aij ,key (k Aij ,est ) is used for key generation (parameter estimation).Likewise, Bob's CP Bi do the same with k Bi j .3. Parameter estimation: The CP Ai and CP Bi use the reconstruct protocol of a VSS scheme to obtain the parts of k A and k B that are used for parameter estimation, k A,est and k B,est , from their shares k Aij ,est and k Bi j ,est .Next, each CP Ai and CP Bi performs locally parameter estimation (e.g., they estimate the phase error rate).If the estimated values exceed certain tolerated values, they abort.

2 .
Sifting: Each CP Ai uses p A,info and p B,info to obtain two bit strings, k Aij ,key and k Aij ,est , from k Aij .The former (latter) bit string is the part of k Aij that is used for key generation (parameter estimation).Likewise, Bob's CP Bi do the same with k Bi j and obtain k Bi j ,key and k Bi j ,est .3.Parameter estimation: All CP Ai and CP Bi use the reconstruct protocol of a VSS scheme to obtain both k A,est and k B,est , which are the parts of k A and k B that are used for parameter estimation.For this, they send each other their shares k Aij ,est and k Bi j ,est , and each of them uses majority voting to obtain k Aj ,est and k Bj ,est for all j = 1, ..., q and j = 1, ..., q .Afterward, they calculate k A,est = ⊕ q j=1 k Aj ,est and k B,est = ⊕ q j =1 k Bj ,est .With p A,info , p B,info , k A,est and k B,est , each CP Ai and CP Bi performs locally the parameter estimation step of the protocol (e.g., they estimate the phase error rate).If the estimated values exceed certain tolerated values, they abort.4.Error correction:The CP Ai and CP Bi perform error correction (for a pre-fixed QBER value) on the parts of k A and k B that are used for key distillation, which we denote by k A,key and k B,key , by acting on their shares k Aij ,key and k Bi j ,key respectively.For this, each CP Ai (CP Bi ) applies certain matrices M EC to k Aij ,key (k Bi j ,key ) to obtain s Aij = M EC k Aij ,key (s Bi j = M EC k Bi j ,key ).Afterward, they use the reconstruct protocol of a VSS scheme to guarantee that all CP Bi obtain s A = M EC k A,key and s B = M EC k B,key .That is, all CP Ai and CP Bi first send to all the classical post-processing units at Bob's side the bit strings s Aij and s Bi j .Then, each of Bob's CP units uses majority voting to reconstruct locally s Aj and s Bj , Error verification: The CP Ai use the RBS scheme to randomly select a universal 2 hash function, h V .Then, each of them computes locally a hash h Ai ij = h V (k Ai ij ) of length log 2 (4/ cor ) bits for all its bit strings k Ai ij , and say the first 2t + 1 CP Ai send the hash function to all CP units at Bob's side.Each CP Bi reconstructs locally the hash function by using majority voting and obtains h Bi ij = h V (k Bi ij ) for all its bit strings k Bi ij .Next, all CP Ai and CP Bi use the reconstruct protocol of a VSS scheme to obtain bothh A = ⊕ M i=1 ⊕ q j=1 h Aij and h B = ⊕ M i=1 ⊕ q j=1 h Bij .That is,they send each other the bit strings h Ai ij and h Bi ij , and each of them uses majority voting to obtain h Aij and h Bij from h Ai ij and h Bi ij .Finally, each CP Ai and CP Bi checks locally if h A = h B .If they are not equal, they output the abort symbol ⊥ i .If they are equal, they proceed to the next step.This error verification step guarantees that kA = ⊕ M i=1 ⊕ q j=1 k Aij and k B = ⊕ M i=1 ⊕ q j=1 k Bij are equal except for a minuscule probability cor ,where k Aij (k Bij ) denote the bit strings that could be obtained from k Ai ij (k Bi ij ) by using majority voting.4.Generation of shares of an -secure key: The CP Ai use the RBS scheme to randomly select a universal 2 hash function, h P , and they compute k Ai ij = h P (k Ai ij ).Then, say the first 2t + 1 CP Ai send h P to all CP at Bob's side which reconstruct locally the hash function by using majority voting, and each CP Bi computes k Bi ij = h where 0 is the N -bit zero vector and M is the number of keys k Ai and k Bi which are different from ⊥ i .Likewise, the CP Bi form k Bi ij from k Bi ij .3. P (k Bi ij ).The function h P maps each (M × N )-bit string k Ai ij (k Bi ij ) to a shorter bit string k Ai ij (k Bi ij ) of size (M − 2t ) × N − log 2 (4/ cor ) bits.