Introduction

There has been much interest in the subject of quantum key distribution (QKD) in recent years because it holds the promise of providing information-theoretically secure communications based on the laws of quantum physics.1,2 There is, however, a big gap between the theory3,4 and the practice5,6,7,8 of QKD, and the security of QKD implementations is seriously threatened by quantum hacking.9,10,11,12,13 To solve this problem, the ultimate solution is device-independent (DI)-QKD,14,15,16,17 which allows the legitimate users of the system (typically called Alice and Bob) to treat their quantum devices as “black boxes”. The security of DI-QKD is based on a loophole-free Bell test.18,19 Although no experimental implementation of DI-QKD has been realised yet, the recent demonstrations of loophole-free Bell tests20,21,22,23,24 might bring DI-QKD closer to experimental realisation.

Despite its conceptual beauty, DI-QKD is however not foolproof. Indeed, one cannot expect that all QKD users will have expertise in experimental quantum optics and electronics. So, unless Alice and Bob manufacture their own QKD devices themselves, it could be very hard for them to guarantee that the QKD “black boxes” bought from a vendor are indeed honest, as it is assumed in the security proofs. For instance, it was shown in ref. 25 that DI-QKD is highly vulnerable to the so-called memory attacks, where a hidden memory device (planted by the eavesdropper, Eve, in say Alice’s setup) stores up the key material generated in each QKD session and then leaks this information to Eve in subsequent QKD runs. This situation is illustrated in Fig. 1. Obviously, this is a fatal loss of security for DI-QKD. Whenever a QKD system is reused for subsequent QKD sessions, the security of the keys generated in previous QKD runs might be compromised. Note that this is particularly problematic in a network setting with multiple users (who may not all be trustworthy) due to the impostor attack.25

Fig. 1
figure 1

Schematic representation of a memory attack. In the ith QKD run, Alice and Bob’s QKD modules, QKDA and QKDB, use a quantum channel to produce a raw key, \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), as well as certain protocol information, pAi,info and pBi,info, respectively. The content of pAi,info and pBi,info depends on the particular QKD protocol implemented. For instance, in the standard decoy-state BB84 scheme,81,82,83 pA,info contains the basis and the decoy setting information per emitted signal, while pB,info contains Bob’s measurement basis and it also indicates which signals produced a click in his measurement apparatus. The raw key and the protocol information is sent to Alice and Bob’s classical post-processing units, CPA and CPB, which are connected via an authenticated classical channel. These units generate a secret key, kAi and kBi, by applying various post-processing techniques. In a memory attack, Eve hides a memory in say Alice’s module QKDA to first store up the key material generated in each QKD run and then leak this information to her by hiding it in say the decision of abort or not abort of a subsequent QKD session. For example, if a particular bit value, say the jth bit, of the key generated in the first QKD run is 0, then this memory makes that a permuted σ(j)th QKD run aborts. (Here, σ is a permutation and σ(j) is the permuted value of j.) This could be achieved, for instance, by outputting a raw key with a high quantum bit error rate (QBER). And, if the jth bit value of the key is 1, then the σ(j)th QKD run does not abort. That is, by simply learning whether or not the σ(j)th QKD round has aborted, Eve could obtain the jth bit value of the first QKD session key. Alternatively, Eve might also leak the key material produced in a certain QKD round by simply hiding it in the public discussion of subsequent QKD runs. We refer the reader to ref. 25 for more details. Memory attacks are a fundamental threat to the security of DI-QKD

Full size image

Moreover, we remark that, in principle, memory attacks also work against non-DI-QKD. This is so because, in practice, it could be quite challenging to check whether or not a purchased QKD setup contains such memory. In the following, whenever we refer to a QKD system, it will be implicitly understood that it could be either DI-QKD or non-DI-QKD; our results apply to both frameworks.

The existence of memory attacks in DI-QKD shows that quantum mechanics alone is not enough to guarantee security. Indeed, in the presence of malicious devices, the resulting secret key is fundamentally insecure due to causality. The only reliable way to assure that covert communication is not happening is for the legitimate QKD users and Eve to be space-like separated. Once a key is generated in a QKD session, it is a classical object and thus is subject to copying. Once copied, QKD modules and classical post-processing units have plenty of time and opportunities to covertly leak the key to Eve.

More generally, covert channels26 have attracted massive attention in conventional security of computing and communication systems.27,28,29 With covert channels, seemingly innocent communications in a protocol could leak crucial information that is fatal to its security. Indeed, there are plenty of covert ways of leaking information to Eve in QKD. Even if Alice and Bob’s devices are shielded in a Faraday’s cage, it could be hard for them to find a perfect Faraday’s cage in practice. In fact, industrial-grade electromagnetic shielding can provide only about say 100 dB shielding for a certain wavelength range of electromagnetic emissions.30 Also, these shields are ineffective against covert channels that exploit for example low-frequency magnetic fields, low-energy acoustic or ultrasonic emissions, gamma rays, neutrons, not to mention multiplexing a covert signal onto the device’s unavoidable electricity consumption and heat generation. Note that memory attacks are simply one example of covert channels. One main motivation of our work is indeed to find a new and general paradigm of security that can reduce the risk due to not only memory attacks, but also due to any type of covert channels in QKD.

Another key weakness in standard QKD security proofs is that they all implicitly assume that the classical post-processing units are trusted. These units are supposed to distil a secure secret key from the raw data generated by the QKD modules by applying techniques, such as post-selection of data (or so-called sifting), parameter estimation, error correction, error verification and privacy amplification. However, in view of the many hardware31,32,33,34 and software35 Trojan Horse attacks that have been performed recently in conventional cryptographic systems, such trust is a very strong and unjustified assumption. This scenario is illustrated in Fig. 2. Hardware and software Trojans constitute today a key threat to the security of conventional cryptographic devices34,36 and this threat is expected to only rise with time, so it cannot be neglected when analysing the security of a QKD implementation.

Fig. 2
figure 2

Schematic representation of a hardware/software Trojan Horse attack. In QKD, it is commonly and implicitly assumed that the classical post-processing units CPA and CPB are trusted. However, due to the many hardware31,32,33,34 and software35 Trojan Horse attacks that have been performed against conventional cryptographic systems, this trust is a very strong and unjustified assumption. For instance, Eve could modify a chip, or infect the software with malware, to make it fail at a crucial time, or to hide a backdoor in say Alice’s unit CPA that leaks the final key, kAi, generated in say the ith QKD run to her.69,70 Due to the complexity and fabrication costs of current chips, these devices are typically designed by different parties, manufactured by an external foundry, and packaged and distributed by separate companies. This gives Eve multiple opportunities to meddle with the hardware. More importantly, hardware Trojans can be very hard to detect in practice. This is so because even slight adjustments to the electrical properties of a few transistors (from the billions of them contained in today’s chips) could already compromise the security. Also, Eve could easily bypass post-fabrication tests by crafting attack triggers that require a sequence of unlikely events, or by altering only a subset of the chips in question.32,33 Similar arguments apply as well to software malware. This shows the weaknesses of the classical post-processing units. We refer the reader to the caption of Fig. 1 for the meaning of the different elements in this figure

Full size image

In summary, the current paradigm for the security of QKD essentially relies on Alice and Bob trusting all their devices including both their quantum communication components and classical post-processing units and all ancillary components, such as, for example, power regulators. Since even trusted vendors often do not build their chips and power regulators themselves, but rely on secondary and tertiary supplies, it is a fact of life that no one could possibly check and verify the security of all components in QKD. Even the US military does not have the time or capability to check the security of every component used in its hardware.31,37 How could one expect any vendor to have such a capability? This seems like an impossible situation for the security of practical QKD systems. So, here comes the key question: How do we address covert channels and prove security in QKD with untrusted classical post-processing units?

In this paper, we address the above key question directly. We propose a simple, but important paradigm shift in the field of QKD. Instead of the standard approach of buying a QKD “black-box” from vendors (which is purged by many aforementioned real-life security pitfalls due to covert channels and untrusted classical post-processing units), we propose that it is important for Alice and Bob to employ redundancies.

For this, we draw inspiration from classical error correction via redundancy, where one can correct up to a certain amount of errors by adding enough redundant information to the messages. In so doing, it is possible to achieve reliable data transmission through noisy channels given that the noise is not too high. Analogously, due to the difficulty of verifying whether or not a device can be trusted, we might assume that, for Eve, it might be more difficult to tamper with several devices from different vendors than corrupting just one QKD device from a single vendor. While this is an assumption, it is probably the best Alice and Bob can hope for, as it is clear that if they cannot trust any of their devices, no security is possible, while to simply trust all the devices is very risky. Then, assuming that the number of corrupted devices is limited, and given that Alice and Bob have enough redundant devices, it might be possible for them to achieve secure secret key distribution.

More formally, we use the idea of secure multiparty computation.38,39,40,41 In conventional cryptography, an important question is how to achieve unconditional security in the presence of cheaters. Clearly, if everyone is a cheater, security is impossible to achieve. However, it is still good to achieve security when the number of cheaters is bounded. Verificable secret sharing (VSS)42,43 is an important primitive in multiparty secure computation. It allows a dealer to split a message between several parties such that only authorised groups of parties can collaborate and reconstruct the message. Importantly, VSS ensures that even if the dealer is malicious there is a well-defined message that the parties can later reconstruct (see Methods section). We remark that secret sharing (SS) is commonly deployed in most modern hardware secure modules,44,45,46 and is the current strategy employed to stop hardware Trojans in conventional hardware design.31 Since the QKD application is supposed to provide the strongest link of security, our view is that it is very natural for QKD to employ ideas in SS. Also, we note that the use of SS schemes to split the secret information in shares seems to be unavoidable to prevent the malicious devices to have full information about the key to begin with.

The price that we pay is that now Alice and Bob have to use a redundant number of QKD modules and classical post-processing units. Fortunately, however, with the recent development of measurement-device-independent QKD (MDI-QKD),47,48,49,50,51 and chip-based QKD,52,53,54 as well as low-cost laptops, it is reasonable to expect that the cost of QKD modules and classical post-processing units might decrease dramatically over time (see Fig. 3). So, it is not unrealistic to consider that each of Alice and Bob could possess a few QKD modules and classical post-processing units, each of them purchased from a different vendor.

Fig. 3
figure 3

Schematic representation of a MDI-QKD network with multiple QKD transmitter modules and classical post-processing units. Note that the measurement devices are often the most expensive components of an entire QKD system because single photon detection is highly non-trivial. MDI-QKD47 allows measurement modules to be totally untrusted, which means that there is no need for redundant measurement modules if our proposal is employed with MDI-QKD. The users just need to have multiple transmitters and classical post-processing units, which thanks to the development of cheap chip-based QKD systems52,53,54 and low-cost laptops, we believe, could render our proposal cost effective in the future. We remark that our approach is also fully compatible with quantum relays and quantum repeaters

Full size image

Moreover, as the interest in building a Quantum Internet55,56 grows exponentially over time, more quantum networks are currently built in the world.57,58,59,60,61,62 In a quantum network, it may be natural that two users are connected by multiple QKD paths. In this case, it is rather natural to employ SS schemes to enhance communication security in quantum networks.

Now, provided that the majority of the vendors (or QKD paths) are honest and careful in the manufacturing of their devices, it might not be entirely unreasonable to assume that at least one pair of QKD modules (or QKD paths) is honest/reliable and the number of malicious classical post-processing units is strictly less than one-third of the total number of them. Like in the classical error correction scenario, in standard conventional cryptography it is up to Alice and Bob to determine their security policy and to decide in advance how many corrupt parties they want to be secure against.

With these assumptions in place, we can then prove security in different QKD scenarios with malicious devices by applying privacy amplification techniques63 in combination with VSS42,43 from secure multiparty computation38 in conventional cryptography.39,40,41 Importantly, if we disregard the cost of authenticating the classical communications, our protocols are optimal with respect to the resulting secret key rate. Moreover, the operations involved are based on simple functions in linear algebra, such as bit-wise XOR and multiplication of matrices. So, they are conceptually simple and easy to implement.

We remark that naive solutions based on directly taking the XOR between various keys suffer from two main drawbacks, as we show later. First, they cannot guarantee the correctness of the resulting key. And, second, if the classical post-processing unit that performs this operation is malicious, the secrecy of the key is not guaranteed either. In contrast to this naive approach, our solution can guarantee both the correctness and the secrecy of the final key.

Results

Let us start by describing in more detail the general scenario that we consider. It is illustrated in Fig. 4a. Alice and Bob have n pairs of QKD modules, and say Alice (Bob) has s (r) classical post-processing units at their disposal. Alice’s modules QKDAi, with i = 1,…,n, are connected to the classical post-processing units CPAi, with i′ = 1,…,s, via secure channels (i.e., channels that provide both secrecy and authentication). Also, all the units CPAi are connected to each other via secure channels. The same applies to Bob. Importantly, since all these secure channels are located only within Alice and Bob’s labs, in practice they could be implemented, for instance, by using physically protected paths (e.g., physical wires that are mechanically and electrically protected against damage and intrusion) which connect only the prescribed devices. Furthermore, each QKDAi is connected to its partner QKDBi via a quantum channel, and each CPAi is connected to all CPBi′′, with i′′ = 1,…,r, via authenticated classical channels.64,65

Fig. 4
figure 4

Schematic representation of the general scenario considered. a A QKD setup with multiple QKD modules and classical post-processing units. We assume that up to t < n pairs of QKD modules, up to t < s/3 units CPAi and t′′ < r/3 units CPBi′′ could be corrupted. The goal is to distil shares of an ε-secure key, kA and kB. In the figure, the thin red solid lines represent secure classical channels, the thin red dashed lines denote authenticated classical channels, and the blue thick dashed lines are quantum channels. b General strategy to distil shares of kA and kB. First, each pair QKDAi and QKDBi outputs a raw key, \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), together with the protocol information, and sends them to the CP units at Alice and Bob’s side, respectively. From \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), these units distil a supposedly (εcor/n)-correct and (εsec/n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), and then concatenate these keys to form \(k_{\mathrm{A}}^\prime = [k_{{\mathrm{A}}1}^{\prime\prime} ,k_{{\mathrm{A}}2}^{\prime\prime} , \ldots ,k_{{\mathrm{A}}n}^{\prime\prime} ]\) and \(k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} ,k_{{\mathrm{B}}2}^{\prime\prime} , \ldots ,k_{{\mathrm{B}}n}^{\prime\prime} ]\). Finally, the CP units apply privacy amplification to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to remove the information held by the corrupted QKD modules and obtain kA and kB. In the presence of corrupted CP units, all these steps are realised in a distributed setting by acting on data shares generated with a VSS scheme

Full size image

Moreover, for simplicity, we shall consider a so-called threshold active adversary structure. That is, we will assume that up to t < n pairs of QKD modules, up to t′ < s/3 units CPAi and up to t′′ < r/3 units CPBi′′ could be corrupted. We say that a pair of QKD modules is corrupted when at least one of them is corrupted. Also, we conservatively assume that corrupted devices do not necessarily follow the prescriptions of the protocol but their behaviour is fully controlled by Eve, who could access all their internal information. We refer the reader to the Supplementary Notes 3 and 4 for the definition of general mixed adversary structure66 and the security analysis of QKD against this type of general adversary. Also, we note that less conservative adversarial models like e.g., those studied in ref. 25 might be also valid in certain scenarios.

The final goal is to generate a composable ε-secure key, kA and kB. That is, kA and kB should be identical except for a minuscule probability εcor, and say kA should be completely random and decoupled from Eve except for a minuscule probability εsec, with εcor + εsec ε .67,68 Importantly, since now some QKD modules and classical post-processing units could be corrupted, the secrecy condition also implies that kA and kB must be independent of any information held by the corrupted devices after the execution of the protocol. Otherwise, such corrupted devices could directly leak that information to Eve. Obviously, at the end of the day, some parties might need to have access to the final key, and thus one necessarily must assume that such parties are trusted and located in secure labs. In this regard, our work suggests that when the classical post-processing units at the key distillation layer are untrusted, they should not output the final key kA and kB but they should output shares of it to the key management layer.58,59 There, kA and kB could be either reconstructed by say Alice and Bob in secure labs, or their shares could be stored in distributed memories for later use, or they could be employed for instance for encryption purposes via say the one-time pad. Importantly, however, all the key generation process at the key distillation layer can be performed with corrupted devices. Also, we note that, if necessary, operations like storage or encryption at the key management layer could also be performed in the presence of corrupted devices by using techniques from secure multiparty computation.38 The actual management and storage of the shares of kA and kB generated by the key distillation layer is responsibility of the key management layer and depends on the particular application. We remark, however, that such layer structure is introduced here mainly for illustrative purposes, as in this paper we consider the key distillation problem, which is the task of the key distillation layer. Our results are rather general and similar techniques could be applied as well to other applications without the need of any particular layer structure.

Before we go to the specifics of our result. We remark that our idea is general and does not depend on the specific verifiable SS scheme used. This is an important strength of our idea. Let us start by providing an overview of the general strategy that we follow to achieve our goal, which uses as main ingredients VSS schemes41,42,43 and privacy amplification techniques63 (see Methods section). The former is employed to defeat corrupted classical post-processing units. Indeed, given that t < s/3 and t′′ < r/3, the use of VSS schemes allows to post-process the raw keys generated by the QKD modules in a distributed setting by acting only on raw key shares. Obviously, if a pair of QKD modules is corrupted, the generated raw key shares could be known to Eve. Importantly, however, we can prove security also in this scenario mainly because VSS does not require the dealer to be honest, and the use of privacy amplification techniques can remove any information about the final key which could be known to the corrupted pairs of QKD modules (as it is explained in more detail below). In addition, we remark that the post-processing of raw key shares can be performed such that no set of corrupted classical post-processing units can reconstruct kA and kB. Also, VSS guarantees that kA and kB is a correct key independently of the misbehaviour of the corrupted QKD modules and classical post-processing units which might wish to purposely introduce errors. Another key insight of our paper is to show that, since all the classical post-processing techniques that are typically applied in QKD are “linear” in nature (i.e., they involve simple functions in linear algebra, such as bit-wise XOR and multiplications of matrices), they are easily implementable in a distributed setting.

Let us illustrate this last point with a simple example. In particular, let us consider, for instance, the error correction step in QKD. Here, say Bob wants to correct a certain bit string, kB,key, to match that of Alice, which we shall denote by kA,key. In general, this process requires that both Alice and Bob first apply certain error correction matrices, MEC, to kA,key and kB,key to obtain the syndrome information sA = MECkA,key and sB = MECkB,key, respectively. Afterward, if sA ≠ sB Bob modifies kB,key accordingly. This process might be repeated a few times until it is guaranteed that kB,key = kA,key with high probability. Let us now consider again the same procedure but now acting on shares, kAj,key and kBj,key, of kA,key and kB,key, respectively. That is, say \(k_{{\mathrm{A,key}}} = \oplus _j^qk_{{\mathrm{A}}j,{\mathrm{key}}}\) and \(k_{{\mathrm{B}},{\mathrm{key}}} = \oplus _j^qk_{{\mathrm{B}}j,{\mathrm{key}}}\), with q being the total number of shares. For this, Alice and Bob first apply MEC to kAj,key and kBj,key to obtain sAj = MECkAj,key and sBj = MECkBj,key, respectively, for all j. Next, Alice sends sAj to Bob who obtains \(s_{\mathrm{A}} = \oplus _{j = 1}^qs_{{\mathrm{A}}j}\) and \(s_{\mathrm{B}} = \oplus _{j = 1}^qs_{{\mathrm{B}}j}\). This is so because \(\oplus _{j = 1}^qs_{{\mathrm{A}}j} = \oplus _{j = 1}^qM_{{\mathrm{EC}}}k_{{\mathrm{A}}j,{\mathrm{key}}} = M_{{\mathrm{EC}}} \oplus _{j = 1}^qk_{{\mathrm{A}}j,{\mathrm{key}}} = M_{{\mathrm{EC}}}k_{{\mathrm{A}},{\mathrm{key}}} = s_{\mathrm{A}}\), and a similar argument applies to sB. Finally, if sA ≠ sB Bob corrects kB,key by acting on its shares kBj,key. Note that to flip certain bits in kB,key is equivalent to flip the corresponding bits in one of its shares kBj,key. That is, error correction in QKD can be easily performed in a distributed setting by acting only on shares of kA,key and kB,key. The same argument applies as well to the other classical post-processing techniques in QKD, as all of them involve only linear operations.

To defeat corrupted QKD modules, on the other hand, we use privacy amplification techniques. Suppose, for instance, that each pair QKDAi and QKDBi outputs a raw key, \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\). Moreover, suppose for the moment that the classical post-processing units are trusted and they distil a supposedly (εcor/n)-correct and (εsec/n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), of length N bits from each pair \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\). Then, the n × N bit strings \(k_{\mathrm{A}}^\prime = \left[ {k_{{\mathrm{A}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{A}}n}^{\prime\prime} } \right]\) and \(k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{B}}n}^{\prime\prime} ]\) are for certain εcor-correct. The secrecy condition, however, only holds if all the QKD modules are trusted. If say the pair QKDAi and QKDBi is corrupted then the key strings \(k_{{\mathrm{A}}i^\prime }^{\prime\prime}\) and \(k_{{\mathrm{B}}i^\prime }^{\prime\prime}\) are compromised. So, given that t < n the classical post-processing units can apply privacy amplification to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to extract two shorter (n − t) × N bit strings, kA and kB, which are εsec-secret and thus ε-secure. In the presence of untrusted classical post-processing units, this process can be performed in a distributed manner by acting on data shares.

In short, the general strategy can be decomposed in three main steps, which are illustrated in Fig. 4b. First, each pair of QKD modules generates a raw key and the protocol information and sends them to the CP units. Second, the CP units distil a supposedly (εcor/n)-correct and (εsec/n)-secret key from each raw key received and concatenate the resulting keys to form a longer key bit string, which, in the absence of malicious QKD modules, would be then ε-secure. Finally, in the third step, the CP units apply privacy amplification to this longer bit string to remove any information that could be known to Eve due to the presence of malicious QKD modules. If the CP units are untrusted, these steps are performed in a distributed setting by acting on data shares produced by a VSS scheme.

Next we evaluate three different scenarios of practical interest in this context. For concreteness, in these examples we use the VSS scheme introduced in ref. 41 and which is described in the Methods section.

QKD with malicious QKD modules

We begin by analysing the situation where Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted, and each of Alice and Bob has one honest classical post-processing unit. This scenario is illustrated in Fig. 5 and corresponds to the case s = r = 1 and t′ = t′′ = 0 in Fig. 4a.

Fig. 5
figure 5

QKD with malicious QKD modules. Alice and Bob have n pairs of QKD modules, and up to t < n of them could be corrupted. Alice’s (Bob’s) ith QKD module is supposed to generate a raw key \(k_{{\mathrm{A}}i}^\prime\) \(\left( {k_{{\mathrm{B}}i}^\prime } \right)\) and the protocol information pAi,info (pBi,info), with i = 1,…,n. Also, they have one classical post-processing unit each, which is assumed to be honest. The goal is to distil an ε-secure key, kA and kB. This can be achieved by using Protocol 1. See the main text for further details

Full size image

A possible solution to this scenario is rather simple; see Protocol 1 below. This protocol follows the spirit of “countermeasure 3” in ref. 25 However, in contrast to ref.,25 which is restricted to measurement devices in a DI-QKD setting, Protocol 1 applies to both DI-QKD and non-DI-QKD, and considers the whole QKD key generation devices, which include the sources.

Protocol 1:

  1. 1.

    Generation of raw keys and protocol information: Each pair QKDAi and QKDBi outputs, respectively, the bit strings \(k_{{\mathrm{A}}i}^\prime\) and pAi,info, and \(k_{{\mathrm{B}}i}^\prime\) and pBi,info, or the abort symbol i, i = 1,…,n.

  2. 2.

    Generation of an εcor-correct key: The units CPA and CPB use the key distillation procedure prescribed by the QKD protocol to generate an (εcor/n)-correct and (εsec/n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), from each pair \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), or they generate the abort symbol i, i = 1,…,n. Afterward, CPA (CPB) concatenates the M ≤ n keys \(k_{{\mathrm{A}}i}^{\prime\prime}\) \(\left( {k_{{\mathrm{B}}i}^{\prime\prime} } \right)\) which are different from i to form the bit string \(k_{\mathrm{A}}^\prime = [k_{{\mathrm{A}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{AM}}}^{\prime\prime} ]\) \(\left( {k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{BM}}}^{\prime\prime} ]} \right)\). Since by assumption CPA and CPB are trusted, \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) are for certain εcor-correct. The secrecy condition only holds if all \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) originate from raw keys output by honest QKD modules. For simplicity, let the length of \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) be N bits i.

  3. 3.

    Generation of an ε-secure key: CPA and CPB apply a randomly selected universal2 hash function to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to extract two bit strings, kA and kB, of length (M − t) × N bits. kA and kB are by definition εsec-secret, and thus, from step 2, they are ε-secure.

Note that in step 3 of Protocol 1 we consider the worst-case scenario where all \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) generated by corrupted QKD modules contribute to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\), respectively, as Alice and Bob cannot discard this case. Most importantly, Protocol 1 allows Alice and Bob to defeat any covert channel (including, e.g., memory attacks) from the QKD modules, as this protocol guarantees that none of the malicious QKD modules can access kA or kB. Our results are summarised in the following Claim, whose proof is directly from the definition of Protocol 1.

Claim 1.

Suppose that Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted. Also, suppose that they have one trusted classical post-processing unit each. Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key could in principle be transformed into an (ε/n)-secure key, and let N bits be the length of such supposedly secure key. Protocol 1 allows Alice and Bob to distil an ε-secure key of length (M − t) × N bits. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

Importantly, we remark that Protocol 1 is basically optimal with respect to the resulting secret key rate, in the sense that there is no protocol which can deliver a higher key rate in the scenario considered. This is so because of the following. If no pair of QKD modules aborts and its raw data could in principle be transformed into a secure key we have, by definition, that the maximum total final key length is at most n × N bits. Also, we know that up to t × N bits of such key could be compromised by the t pairs of corrupted QKD modules. That is, the maximum secure key length is at most (n − t) × N bits. Moreover, as discussed above, if some pairs of QKD modules abort we must necessarily assume the worst-case scenario where they are honest. This is so because through her interaction with the quantum signals in the channel, Eve could always force honest QKD modules to abort by simply increasing the resulting QBER or phase error rate. That is, in this scenario it is not possible to distil a key length greater than (M − t) × N bits.

QKD with malicious classical post-processing units

We now consider the situation where Alice and Bob have one trusted QKD module each, and Alice (Bob) has s (r) classical post-processing units CPAi (CPBi), with i = 1,…,s (i′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of them could be corrupted. This is illustrated in Fig. 6 and corresponds to the case n = 1 and t = 0 in Fig. 4a.

Fig. 6
figure 6

QKD with malicious classical post-processing units. Alice and Bob have one trusted QKD module each, QKDA and QKDB, which generate, respectively, the raw key \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) and the protocol information pA,info and pB,info. Also, Alice (Bob) has s (r) classical post-processing units CPAi (CPBi) with i = 1,…,s (i′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of these units could be corrupted. The goal is to produce shares of an ε-secure key, kA and kB, from which the final key could be reconstructed. This can be achieved by using Protocol 2. See the Methods section for a detailed description of this protocol. In the figure, \(k_{{\mathrm{A}}ij}^\prime\) \(\left( {k_{{\mathrm{B}}i^{\prime}j}^\prime } \right)\) denotes the jth share of \(k_{\mathrm{A}}^\prime\) \(\left( {k_{\mathrm{B}}^\prime } \right)\) which QKDA (QKDB) sends to CPAi (CPBi), and kAij (kBi'j) identifies the jth share of kA (kB) that is produced by CPAi (CPBi). Since QKDA (QKDB) is honest, note that the shares \(k_{{\mathrm{A}}ij}^\prime\) \(\left( {k_{{\mathrm{B}}i^{\prime}j}^\prime } \right)\) are equal for all i (i')

Full size image

Since now the units CPAi and CPBi could be malicious, we aim to generate shares of an ε-secure key, kA and kB. A possible solution to this scenario is given by Protocol 2, which is described in detail in the Methods section. The main result is summarised in the following Claim, whose proof is directly from the description of Protocol 2:

Claim 2.

Suppose that Alice and Bob have one trusted QKD module each, and each of them has, respectively, s and r classical post-processing units. Also, suppose that up to t′ < s/3 of Alice’s units and up to t′′ < r/3 of Bob’s units could be corrupted. Then, if we disregard the cost of authenticating the classical channels between Alice and Bob’s classical post-processing units, Protocol 2 allows them to distil an ε-secure key of the same length as would be possible in a completely trusted scenario. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

That is, if we ignore the cost of authenticating the classical channels between the units CPAi and CPBi, Claim 2 implies that Protocol 2 is optimal with respect to the resulting secret key length, in the sense that there is no protocol which can deliver a higher key rate in the scenario considered. This is so because this protocol allows Alice and Bob to obtain a secret key of the same length as it would be possible if all devices are trusted. We refer the reader to the Supplementary Note 2 for a simpler but less efficient protocol to achieve the same task.

Also, we remark that in Protocol 2 the cost due to authenticating the classical channels is relatively small even when s and r are reasonable large. Indeed, if we assume for simplicity the symmetric scenario where s = r and t′ = t′′ (i.e., each of Alice and Bob has s CP units and up to t′ < s/3 of them are malicious), it can be shown that this authentication cost is basically s(2t′ + 1)kau bits, where kau denotes the authentication cost in the trusted scenario (i.e., when s = 1 and t′ = 0). That is, the overall cost of authentication is only s(2t′ + 1) times that of a standard QKD scheme with honest devices. This is so because in the untrusted scenario, for any message that has to be authenticated (say for instance from Alice), it is enough that 2t′ + 1 units CPAi send that message authenticated to all the s CPBi units at Bob’s side. In so doing, it is guaranteed that Bob’s units can reconstruct the message correctly by using say majority voting. Importantly, the parameter kau is logarithmic in the size of the messages sent, which assures that the cost of authentication in Protocol 2 is small.

QKD with malicious QKD modules and classical post-processing units

Finally, here we consider the situation where Alice and Bob have n pairs of QKD modules, QKDAi and QKDBi with i = 1,…,n, and Alice (Bob) has s (r) classical post-processing units CPAi (CPBi′′), with i′ = 1,…,s (i′′ = 1,…,r), and up to t < n pairs of QKD modules, up to t′ < s/3 units CPAi and up to t′′ < r/3 units CPBi′′ could be corrupted. This scenario is illustrated in Fig. 7 and corresponds to the most general case considered in Fig. 4a.

Fig. 7
figure 7

QKD with malicious QKD modules and classical post-processing units. Alice and Bob have n pairs of QKD modules, QKDAi and QKDBi, and up to t < n of them could be corrupted. They generate, respectively, the raw key \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\) and the protocol information pAi,info and pBi,info. Also, Alice (Bob) has s (r) classical post-processing units CPAi (CPBi′′) with i′ = 1,…,s (i′′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of these units could be corrupted. The goal is to produce shares of an ε-secure key, kA and kB, from which the final key could be reconstructed. This can be achieved by using Protocol 3. See the main text for further details. In the figure, \(k_{{\mathrm{A}}i^{\prime}ij}^\prime\) \(( {k_{{\mathrm{B}}i^{\prime\prime}ij}^\prime } )\) denotes the jth share of \(k_{{\mathrm{A}}i}^\prime\) \(\left( {k_{{\mathrm{B}}i}^\prime } \right)\) which QKDAi (QKDBi) sends to CPAi (CPBi′′), and kAiij (kBi′′ij) identifies the shares of kA (kB) that are produced by CPAi (CPBi′′)

Full size image

For illustrative purposes, let us discuss first a naive protocol that fails to achieve the goal. In particular, suppose for simplicity that s = r = n, and, moreover, we have that up to t < n groups of devices Gi ≡ {QKDAi, QKDBi, CPAi, CPBi} could be corrupted, where we say that a group Gi is corrupted if at least one of its elements is corrupted. Then, if one disregards efficiency issues, a straightforward solution to this scenario might appear to be as follows. Each Gi generates a supposedly ε-secure key, kAi and kBi, and then this key is simply considered as the ith share of the final key, kA and kB. That is, \(k_{\mathrm{A}} = \oplus _{i = 1}^nk_{{\mathrm{A}}i}\) and \(k_{\mathrm{B}} = \oplus _{i = 1}^nk_{{\mathrm{B}}i}\). Indeed, given that t < n, kA and kB is for certain εsec-secret. However, the main problem of this naive approach is that kA and kB might not be correct because a corrupted Gi could output kAi ≠ kBi and thus kA ≠ kB.

Below we provide a simple solution (Protocol 3) to the general scenario. It builds on Protocols 1 and 2, and it consists of three main steps.

Protocol 3:

  1. 1.

    Generation and distribution of shares of (ε/n)-secure keys: Each pair QKDAi and QKDBi uses say Protocol 2 to distribute shares of an (ε/n)-secure key, kAi and kBi, or the abort symbol i, between CPAi and CPBi′′, respectively. Let \(\tilde k_{{\mathrm{A}}i^{\prime}ij}\) \(( {\tilde k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}}} )\) be the jth (j′th) share of kAi (kBi) obtained by CPAi (CPBi′′). For simplicity, we will suppose that the length of kAi and kBi is N bits i.

  2. 2.

    Generation of shares of an εcor-correct key: Let \(\vec {0}\) be the N-bit zero vector, and M be the number of kAi and kBi which are different from i. Each CPAi defines \(k_{{\mathrm{A}}i^{\prime} ij}^{{\prime}{\prime}} = \left[ {\vec 0_{1}, \ldots ,\vec 0_{i - 1},\tilde k_{{\mathrm{A}}i^{\prime}ij},\vec 0_{i + 1}, \ldots ,\vec 0_{M}} \right]\). Likewise, the CPBi′′ form \(k_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }^{\prime\prime}\) from \(\tilde k_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }\). \(k_{{\mathrm{A}}i^{\prime} ij}^{\prime\prime}\) and \(k^{\prime\prime}_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }\) are by definition shares of an εcor-correct key. The secrecy condition only holds if all kAi and kBi originate from honest QKD modules.

  3. 3.

    Generation of shares of an ε-secure key: The CPAi use the RBS scheme (see Methods section) to randomly select a universal2 hash function, hP. Next, they obtain shares, \(k_{{\mathrm{A}}i^{\prime}ij} = h_{\mathrm{P}}(k_{{\mathrm{A}}i^{\prime}ij}^{\prime\prime} )\) of length (M − t) × N bits of a final key kA, and say the first 2t′ + 1 CPAi' send hP to all CPBi′′, which use majority voting to determine hP from the information received, and then obtain shares \(k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}} = h_{\mathrm{P}}(k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}}^{\prime\prime} )\) of the final key kB.

Indeed, given that t′ < MAi/3 and t′′ < MBi/3 for all i = 1,…,M, where MAi (MBi) denotes the number of CPAi (CPBi′′) that do not produce i but output post-processed shares, kAiij (kBi′′ij), from kAi (kBi), then the final key, kA and kB, is ε-secure. Also, Alice (Bob) could obtain kA (kB) by using the reconstruct protocol of a VSS (see Methods section). That is, Alice (Bob) could use majority voting to obtain the shares kAij and kBij of kA (kB) from kAiij (kBi′′ij) for all i = 1,…,M and j = 1,…,q (j′ = 1,…,q′), and she (he) calculates \(k_{\mathrm{A}} = \oplus _{i = 1}^M \oplus _{j = 1}^qk_{{\mathrm{A}}ij}\) \(( {k_{\mathrm{B}} = \oplus _{i = 1}^M \oplus _{j^{\prime} = 1}^{q^{\prime}}k_{{\mathrm{B}}ij^{\prime}}} )\) where q (q′) is the total number of shares of kAi (kBi) for each i.

Our results are summarised in the following Claim, whose proof is directly from the definition of Protocol 3:

Claim 3.

Suppose that Alice and Bob have n pairs of QKD modules and Alice (Bob) has s (r) classical post-processing units. Suppose that up to t < n pairs of QKD modules, up to t′ < s/3 classical post-processing units of Alice, and up to t′′ < r/3 classical post-processing units of Bob could be corrupted. Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key can be transformed into a supposedly (ε/n)-secure key, and let N bits be the length of such key. Then Protocol 3 allows Alice and Bob to distil an ε-secure key of length (M − t) × N bits. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

We remark that if we disregard the cost of authenticating the classical channels between Alice and Bob’s classical post-processing units, Protocol 3 is optimal with respect to the resulting secret key length, in the sense that no other protocol can deliver a higher key rate for the scenario considered. The argument follows directly from that used in the subsection above that evaluates QKD with malicious QKD modules, where we showed that if the classical post-processing units are trusted the secret key rate is upper bounded by (M − t) × N bits. So, in the presence of corrupted classical post-processing units this upper bound also trivially holds.

Moreover, we note that, like in the case of Protocol 2, the cost of authenticating the classical channels between the units CPAi and CPBi′′ in Protocol 3 is also relatively small even when n, s and r are fairly large. Indeed, if we assume again the symmetric scenario where s = r and t′ = t′′, it can be shown that this authentication cost is now roughly \(\approx s(2t^\prime + 1)(nk_{{\mathrm{au}}} + k_{{\mathrm{pa}}}^\prime )\) bits, where kau denotes again the authentication cost in the trusted scenario (i.e., when n = s = 1 and t = t′ = 0). The term ns(2t′ + 1)kau comes mainly because here we run n times Protocol 2, each time for a different pair of modules QKDAi and QKDBi. The term s(2t′ + 1)\(k_{{\mathrm{pa}}}^\prime\), on the other hand, considers the authentication cost of step 3 in Protocol 3. This step requires that 2t′ + 1 units CPAi' send the function hP to all the s CPBi'′′, being the term \(k_{{\mathrm{pa}}}^\prime\) logarithmic in the size of the message sent. That is, the overall cost of authentication of Protocol 3 is only about ≈ns(2t′ + 1) times that of a standard QKD scheme with honest devices, which demonstrates the practical feasibility of our approach.

Discussion

Security proofs of QKD typically assume that all devices are honest and there are no covert channels that leak information to Eve. Unfortunately, however, these assumptions are very hard, if not impossible, to guarantee in practice. Indeed, our work highlights the folly of bringing an untrusted device into a trusted lab, which has been known since the time of the Trojans.

Memory attacks25 constitute an example of how covert channels can severely jeopardise the security of both DI-QKD and non-DI-QKD. These attacks demonstrate that quantum mechanics alone is not enough to guarantee the security of practical QKD realisations but, for this, one needs to resort to additional assumptions. Also, recent results on Trojan Horse attacks31,32,33,34,35,36,69,70 against conventional cryptography underline the vulnerabilities of the classical post-processing units in QKD, and this threat is expected to only rise with time.

In this paper, we have introduced a simple method to reduce the risk due to this type of attacks; it is based on the idea of classical error correction via redundancy. We use the assumption that, for Eve, it might be more difficult to tamper with several devices from different vendors than corrupting just one QKD device from a single vendor, which indeed is probably the best Alice and Bob can hope for. With this assumption in place, and given that there is at least one pair of honest QKD modules and that the number of corrupted classical post-processing units is less than one-third of them, we have shown how VSS schemes, together with privacy amplification techniques, could be used to reliable distribute a secret key in the presence of malicious devices and thus re-establish the security of QKD.

VSS and SS techniques have been used previously in quantum information.71,72,73 For instance, the authors of refs. 71,72 proposed a quantum version of VSS to achieve secure multiparty quantum computation, while in ref. 73 classical SS schemes are combined with QKD to achieve information-theoretically secure distributed storage systems.

A key insight of our paper is very simple yet potentially very useful: the typical classical post-processing in QKD involves only operations which are “linear” in nature, and thus they could be easily implemented in a distributed setting by acting on data shares from say a linear VSS scheme. Also, our results suggest that the way QKD is sometimes envisioned commercially (e.g., as a single “box” which directly outputs the final keys),74 should perhaps be replaced with a “modular design”, where one divides up a QKD system into various modules (e.g., purely quantum modules and classical post-processing units) and use them to cross-check each other for security, which can be done in an independent manner as we have shown above.

To illustrate our results, we have proposed specific protocols for three scenarios of practical interest. They assume that either the QKD modules, the classical post-processing units, or both of them together could be corrupted. Remarkably, if we disregard the cost of classical authentication, all these protocols are optimal with respect to the secret key rate. They use the VSS scheme introduced in ref. 41 which is very simple to implement. Its main drawback is, however, that, for a given number of corrupted parties, the number of shares grows exponentially with the total number of parties. Nevertheless, for a small number of parties (which is the scenario that we are interested in QKD), the protocol is efficient in terms of computational complexity. Also, we remark that there exist efficient three-round VSS protocols where the computation and communication required is polynomial in the total number of parties.75 Moreover, these schemes use a minimum number of communication rounds,76 and they could also be used here. It would be interesting to further investigate the most resource efficient protocols to be used in the QKD framework.

Finally, we would like to emphasise that our approach does not jeopardise the potential practical advantages of QKD over classical competitors in any way. Indeed, as we have already mentioned previously, covert channels constitute a fundamental problem for conventional cryptography as well. To foil covert channels is therefore equally essential for both frameworks. This means that redundancy will be needed in both scenarios and, thus, our work does not shift the balance of power between them in any sense.

Methods

Secure multiparty computation toolbox

Here we briefly introduce some definitions and cryptographic protocols that are used in the main text; they are mainly taken from refs. 38,41

We consider a scenario with a dealer and n parties, and we suppose a threshold active adversary structure where Eve can actively corrupt the dealer and up to t of the parties. Active corruption means that Eve can fully control the corrupted parties whose behaviour can deviate arbitrarily from the protocol’s prescriptions. We refer the reader to the Supplementary Note 3 for the modelling of more general adversary structures. For simplicity, we assume that all messages are binary strings and the symbol below denotes bit-wise XOR or bit-wise addition modulo 2. We remark, however, that the the protocols below work as well over any finite field or ring.

In this scenario, a n-out-of-q threshold SS scheme77,78 is a protocol that allows the dealer to split a message m between n parties such that, if he is honest, any group of q or more parties can collaborate to reconstruct m but no group with less than q parties can obtain any information about m. If n = q, this could be achieved by splitting m into a random sum of q shares mi. That is, one selects the first q − 1 shares mi of m at random, and then chooses mq = m m1 mq−1.38

A drawback of SS schemes is that they do not guarantee the consistency of the shares, which is essential to assure the correctness of the keys delivered by the QKD protocols in the main text. That is, during the reconstruct phase of a SS scheme, corrupted parties could send different mi to the honest parties such that they obtain different values for m. This problem can be solved with VSS schemes,42,43 which distribute mi in a redundant manner such that the honest parties can use error correction to obtain the correct values. Indeed, provided that the necessary and sufficient conditon t < n/3 is satisfied, a VSS scheme guarantees that there exists a well-defined m that all honest parties obtain from their shares.39,40,41

The share and reconstruct protocols of a VSS scheme satisfy three conditions. First, independently of whether or not the dealer is honest, if the share protocol is successful then the reconstruct protocol delivers the same m to all the honest parties. Second, if the dealer is honest, the value of the reconstructed m coincides with that provided by the dealer. And third, if the dealer is honest, the information obtained by any set of t or less parties after the share (reconstruct) protocol is independent of any previous information that they held before the protocol (is just the reconstructed bit string m). Below we present a simple VSS scheme that builds on the q-out-of-q threshold SS protocol above,41 and which we use in Protocols 2 and 3. Importantly, given that t < n/3, this scheme provides information-theoretic security.41 See the Supplementary Note 1 and the Supplementary Figure 1 for a graphical representation of its share and reconstruct protocols.

Share protocol:

  1. 1.

    The dealer uses a q-out-of-q SS scheme to split m into \(q = \left( {\begin{array}{*{20}{c}} n \\ {n - t} \end{array}} \right)\) shares mi, with i = 1,…,q.

  2. 2.

    Let {σ1,…,σq} denote all (n − t)-combinations of the set of n parties. Then, for each i = 1,…,q, the dealer sends mi over a secure channel (i.e., a channel that provides secrecy and authentication) to each party in σi. If a party does not receive his share, he takes as default share say a zero bit string.

  3. 3.

    All pairs of parties in σi send each other their shares mi over a secure channel to check if they are indeed equal. If an inconsistency is found, they complain using a broadcast channel.

  4. 4.

    If a complaint is raised in σi, the dealer broadcasts mi to all parties and they accept the share received. Otherwise, the protocol aborts.

Reconstruct protocol:

  1. 1.

    All pairs of parties send each other their shares over an authenticated channel.

  2. 2.

    Each party uses majority voting to reconstruct the shares mi i, and then obtains \(m = \oplus _{i = 1}^qm_i\).

From the description above, it is guaranteed that when the share protocol is successful (i.e., it does not abort), all the honest parties who received the ith share of m obtain exactly the same bit string mi. Also, this protocol assures that any share mi of m is distributed to at least 2t + 1 different parties. This is so because this is the minimum size of any set σi. This means, in particular, that, since the number of corrupted parties is at most t, the use of a decision rule based on majority voting in the reconstruct protocol permits all the honest parties to obtain the same fixed mi for all i. Moreover, it is straightforward to show that when the dealer is honest, the reconstructed message m is equal to his original message. Furthermore, we have that m is only revealed to the parties once the reconstruct phase ends. This is so because at least one bit string mi is only shared by honest parties since there is at least one set σi which does not contain any corrupted party. Also, note that if a complaint is raised in a certain σi during the share protocol, the fact that the dealer broadcast mi to all parties does not violate secrecy. This is so because a complaint can only occur if either the dealer is corrupted or σi contains at least one corrupted player, hence the adversary knew mi already.

We remark that the broadcast channel which is required in steps 3 and 4 of the share protocol can be a simulated channel. Indeed, given that t < n/3, there exist efficient poly(n) protocols that can simulate a broadcast channel with information-theoretic security in an optimal number of t + 1 communication rounds.79,80 Furthermore, if a physical broadcast channel is actually available, there exist efficient information-theoretically secure VSS schemes that only require a majority of honest parties (i.e., t < n/2) and which could also be used in this context.43

Next we present a simple scheme to generate a common perfectly unbiased random l-bit string (RBS) r between n parties when up to t < n/3 of them could be corrupted. It follows directly from VSS.39,40,41 For convenience, we call it the RBS protocol. We use it to randomly select universal2 hash functions in Protocols 2 and 3 in the main text, where we cannot assume the existence of an external honest dealer which provides them to the QKD devices. The RBS scheme allows mutually untrusted parties to generate and share random numbers through discussions.

RBS protocol:

  1. 1.

    Say each of the first t + 1 parties produces locally a random l-bit string ri and sends it to all the other parties using the share protocol above.

  2. 2.

    Each party uses a broadcast channel to confirm that they have received all their shares from the first t + 1 parties. Otherwise, the protocol aborts.

  3. 3.

    All parties use the reconstruct protocol above to obtain ri for all i = 1,…,t + 1. Afterward, each of them calculates locally \(r = \oplus _{i = 1}^{t + 1}r_i\).

It is straightforward to show that this protocol guarantees that all honest parties share a perfectly unbiased random bit string r. The use of the share and the reconstruct protocols of a VSS scheme assures that all honest parties reconstruct the same ri i and thus the same r. In addition, step 2 of the protocol guarantees that the first t + 1 parties generate and distribute their strings ri before knowing the strings of the other parties. Moreover, since the number of corrupted parties is at most t, we have that at least one honest party generates a truly random bit string ri, and thus r is also random.

Protocol 2

Here we present the different steps of Protocol 2 in detail. For concreteness, whenever we refer to the share and reconstruct protocols of a VSS scheme we mean those presented in the previous section, which have been introduced in ref. 41 but in principle any VSS scheme could be used.

Also, to simplify the discussion, in Protocol 2 we consider the case where pA,info and pB,info determine the sifting procedure of the QKD scheme in a deterministic way. That is, there is no random post-selection of data from the raw key. In addition, we assume that Alice and Bob do not estimate the actual QBER but they apply error correction for a pre-fixed QBER value followed by an error verification step. However, we remark that Protocol 2 could be straightforwardly adapted to cover also these two scenarios.

  1. 1.

    Generation and distribution of shares of raw keys and protocol information: QKDA and QKDB obtain, respectively, the raw keys \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) and the protocol information pA,info and pB,info, or the abort symbol . If the result is different from , QKDA uses the share protocol of a VSS scheme to create \(q = \left( {\begin{array}{*{20}{c}} s \\ {s - t^{\prime} } \end{array}} \right)\) shares of \(k_{\mathrm{A}}^\prime\) and distributes them among the CPAi, with i = 1,…,s. Likewise, QKDB creates \(q^\prime = \left( {\begin{array}{*{20}{c}} r \\ {r - t^{\prime\prime} } \end{array}} \right)\) shares of \(k_{\mathrm{B}}^\prime\) and distributes them among the CPBi, with i′ = 1,…,r. Let \(k_{{\mathrm{A}}ij}^\prime\) (\(k_{{\mathrm{B}}i^\prime j^{\prime} }^\prime\)) be the jth (j′th) share of \(k_{\mathrm{A}}^\prime\) \(\left( {k_{\mathrm{B}}^\prime } \right)\) received by CPAi (CPBi), with j = 1,…,q (j′ = 1,…,q′). Also, QKDA (QKDB) sends pA,info (pB,info) to all CPAi (CPBi). Since by assumption QKDA (QKDB) is honest, all CPAi (CPBi) receive the same pA,info (pB,info) and the shares \(k_{{\mathrm{A}}ij}^\prime\) \(( {k_{{\mathrm{B}}i^\prime j^\prime }^\prime } )\) are equal for all i (i′). Next, say the first 2t′′ + 1 CPBi send pB,info to all CPAi. Likewise, say the first 2t′ + 1 CPAi send pA,info (for the detected events) to all CPBi. Each CPAi (CPBi) uses majority voting to determine pB,info (pA,info) from the information received. Note that since by assumption the number of corrupted units CPAi (CPBi) is at most t′ (t′′), 2t′ + 1 (2t′′ + 1) copies of pA,info (pB,info) is enough for the honest parties to be able to reconstruct the correct value of these bit strings by using majority voting.

  2. 2.

    Sifting Each CPAi uses pA,info and pB,info to obtain two bit strings, kAij,key and kAij,est, from \(k_{{\mathrm{A}}ij}^\prime\). The former (latter) bit string is the part of \(k_{{\mathrm{A}}ij}^\prime\) that is used for key generation (parameter estimation). Likewise, Bob’s CPBi do the same with kBij and obtain kBij′,key and kBij′,est.

  3. 3.

    Parameter estimation: All CPAi (CPBi) use the reconstruct protocol of a VSS scheme to obtain kA,est (kB,est), which is the part of \(k_{\mathrm{A}}^\prime\) \(\left( {k_{\mathrm{B}}^\prime } \right)\) that is used for parameter estimation. For this, they send each other their shares kAij,est (kBij′,est), and each of them uses majority voting to obtain kAj,est (kBj′,est) for all j = 1,…,q (j′ = 1,…,q′). Afterward, they calculate \(k_{{\mathrm{A}},est} = \oplus _{j = 1}^qk_{{\mathrm{A}}j,est}\) (\(k_{{\mathrm{B}},est} = \oplus _{j^{\prime} = 1}^{q^{\prime}}k_{{\mathrm{B}}j^{\prime},est}\)). Next, say the first 2t′′ + 1 CPBi send kB,est to all CPAi. Likewise, say the first 2t′ + 1 CPAi send kA,est to all CPBi. Finally, by using majority voting each CPAi (CPBi) determines kB,est (kA,est). With pA,info, pB,info, kA,est and kB,est, each CPAi and CPBi performs locally the parameter estimation step of the protocol (e.g., they estimate the phase error rate). If the estimated values exceed certain tolerated values, they abort.

  4. 4.

    Error correction: The CPAi and CPBi perform error correction (for a pre-fixed QBER value) on the parts of \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) that are used for key distillation, which we denote by kA,key and kB,key, by acting on their shares kAij,key and kBij′,key respectively. For this, each CPAi (CPBi) applies certain matrices MEC to kAij,key (kBij′,key) to obtain sAij = MECkAij,key (sBij = MECkBij′,key). Afterward, the CPAi (CPBi) use the reconstruct protocol of a VSS scheme to obtain sA = MECkA,key (sB = MECkB,key). That is, all CPAi (CPBi) first send to each other the bit strings sAij (sBij), and each of them uses majority voting to reconstruct locally sAj (sBj) j (j′) from sAij (sBij). Then, each CPAi (CPBi) obtains \(s_{\mathrm{A}} = \oplus _{j = 1}^qs_{{\mathrm{A}}j}\) \(\left( {s_{\mathrm{B}} = \oplus _{j^{\prime} = 1}^{q^{\prime}}s_{{\mathrm{B}}j^{\prime}}} \right)\). Next, say the first 2t′ + 1 CPAi send sA to all CPBi, and each CPBi uses majority voting to determine sA from the information received. Finally, Bob corrects kB,key. For this, say all CPBi which have the j′th share kBij′,key for a pre-fixed index j′ = 1,…,q′, flip certain bits of this share depending on the actual values of sA and sB. This whole process is repeated until the error correction procedure ends. Let \(\hat k_{{\mathrm{A}}ij,{\mathrm{key}}}\) and \({\hat k}_{{\mathrm{B}}i^{\prime}j^{\prime},{\mathrm{key}}}\) denote the shares kAij,key and kBij′,key after error correction, and let leakEC bits be the syndrome information interchanged between Alice and Bob during this step. That is, \(\hat k_{{\mathrm{A}}ij,{\mathrm{key}}}\) and \({\hat k}_{{\mathrm{B}}i^{\prime}j^{\prime},{\mathrm{key}}}\) are actually equal to kAij,key and kBij′,key except for the bit strings kBij′,key whose bits have been flipped during error correction.

  5. 5.

    Error verification: All CPAi and CPBi check that the error correction step was indeed successful. For this, the CPAi use the RBS scheme introduced in the previous section to randomly select a universal2 hash function, hV. Then, they compute a hash \(h_{{\mathrm{A}}ij} = h_{\mathrm{V}}(\hat k_{{\mathrm{A}}ij,{\mathrm{key}}})\) of length [log2 (1/εcor)] bits, and each CPAi uses the reconstruct protocol of a VSS scheme to obtain \(h_{\mathrm{A}} = \oplus _{j = 1}^qh_{{\mathrm{A}}j}\) from hAij. That is, they send each other hAij and they use majority voting to determine hAj j from hAij. Next, say the first 2t′ + 1 CPAi send hV and hA to all CPBi, which determine the correct values of these two quantities by means of majority voting. Also, the units CPBi use the reconstruct protocol of a VSS scheme to obtain \(h_{\mathrm{B}} = \oplus _{j^{\prime} = 1}^{q^{\prime}}h_{{\mathrm{B}}j^{\prime}}\). Finally, each unit CPBi checks locally whether or not hA = hB. If they are not equal, the protocol aborts. If they are equal, it is guaranteed that the bit strings \(\hat k_{{\mathrm{A}},{\mathrm{key}}} = \oplus _{j = 1}^q\hat k_{{\mathrm{A}}j,{\mathrm{key}}}\) and \(\hat k_{{\mathrm{B}},{\mathrm{key}}} = \oplus _{j^{\prime} = 1}^{q^{\prime}}\hat k_{{\mathrm{B}}j^{\prime},{\mathrm{key}}}\) are equal except for a minuscule probability εcor, where \(\hat k_{{\mathrm{A}}j,{\mathrm{key}}}\) \(( {\hat k_{{\mathrm{B}}j^{\prime},{\mathrm{key}}}})\) are obtained from \(\hat k_{{\mathrm{A}}ij,{\mathrm{key}}}\) \(( {\hat k_{{\mathrm{B}}i^{\prime}j^{\prime},{\mathrm{key}}}} )\) by using majority voting.

  6. 6.

    Generation of shares of an ε-secure key: All CPAi and CPBi extract from \(\hat k_{{\mathrm{A}},{\mathrm{key}}}\) and \(\hat k_{{\mathrm{B}},{\mathrm{key}}}\) the shares of an εsec-secret key, kA and kB. For this, the CPAi use the RBS scheme to randomly select a proper universal2 hash function, hP. Next, they obtain \(k_{{\mathrm{A}}ij} = h_{\mathrm{P}}(\hat k_{{\mathrm{A}}ij,{\mathrm{key}}})\) and say the first 2t′ + 1 CPAi send hP to all CPBi. Bob’s CP units use majority voting to determine hP from the information received and they calculate \(k_{{\mathrm{B}}i^{\prime}j^{\prime}} = h_{\mathrm{P}}(\hat k_{{\mathrm{B}}i^\prime j^\prime ,{\mathrm{key}}})\). The function hP removes Eve’s information from \(\hat k_{{\mathrm{A}},{\mathrm{key}}}\), which includes the syndrome information leakEC disclosed during error correction, the hash value of length [log2 (1/εcor)] bits disclosed during error verification, and Eve’s information about the key according to the estimated phase error rate.

From the description of Protocol 2 we have that when t′ < MA/3 and t′′ < MB/3, where MA (MB) denotes the number of CPAi (CPBi) that do not abort, then the final key, kA and kB, is ε-secure. This is so because the condition t′ < MA/3 (or, equivalently, s − t′ − (s − MA) > 2t′) guarantees that for all j = 1,…,q, there are at least 2t′ + 1 units CPAi which send shares kAij to Alice. To see this, note that each share kAj, for all j, is held by s − t′ units CPAi, and by assumption we have that at most s − MA of them could have aborted. A similar argument applies to the condition t′′ < MB/3.