Introduction

Quantum key distribution1,2,3,4 (QKD) allows for information theoretically secure communications, unaffected by the long-term security weakening inherent to public-key cryptography5,6. Its security relies on fundamental physical principles and various assumptions, a crucial one being that the legitimate QKD users, say Alice and Bob, hold honest devices that stick to the QKD protocol and do not intentionally leak their private information to an eavesdropper (Eve). However, this strong assumption is probably unjustified, considering the amount of hardware and software Trojan horse attacks against conventional cryptographic systems reported in the past years7,8,9,10,11. After all, likewise conventional security hardware, QKD devices incorporate many sophisticated components typically provided by specialized companies, and neither QKD vendors nor users are capable of validating the security of all these components in practice12. However, a malicious component can totally compromise the security of QKD. Indeed, the fabrication process of QKD systems might provide Eve with plenty of opportunities to meddle with the QKD hardware, including both the optical equipment and the classical post-processing (CP) units. Moreover, Eve could even sidestep post-fabrication tests by arranging attack triggers that depend on a sequence of unlikely events10,13.

Remarkably, not even device-independent (DI) QKD14,15,16,17,18 can provide security against malicious devices, as shown in ref. 19. It is the classical nature of the secret keys that makes QKD systems vulnerable to classical hacking in both the DI and the non-DI scenarios because classical keys are susceptible to copying.

A possible solution to foil malicious hardware and software in QKD was recently presented in ref. 20, and then experimentally demonstrated in ref. 21. The triggering idea is that it might be more difficult for Eve to corrupt various devices than a single device; for example, if they originate from different providers. Therefore, one can use a redundant number of devices for both the raw key generation and the post-processing of QKD. As shown in ref. 20, under the assumption that the number of devices controlled by Eve is restricted, secure QKD is possible by combining verifiable secret sharing (VSS)22,23,24,25,26—whose essential building block is secret sharing27,28, a standard technique in secure hardware design29—and privacy amplification (PA)30,31. Of course, both tools operate on top of DI and non-DI security analyses, which determine the secret key length that one can extract from the honest optical apparatuses.

However, a major limitation of the proposal in ref. 20 is that it is conceived for the case where all the corrupted devices fully obey a single Eve who can access their internal information and make them arbitrarily misbehave from the protocol. This scenario, which we refer to as the active-collaborative (AC) model, might be over-conservative in many practical situations. For instance, if Alice and Bob purchase devices from different vendors, it might be reasonable to expect that, even if they are corrupted, they do not collaborate, meaning that they do not share their private information with each other or cooperate in any way. Also, if the information delivered by a certain device is different from the one prescribed by the protocol, it might be detected by Alice and Bob a posteriori. In this sense, some QKD users might only request security against non-collaborative (rather than collaborative) or passive (rather than active) corrupted devices.

Crucially, when applied in more sensible corruption models like these, the proposal in ref. 20 provides no advantage at all with respect to the AC model. One major contribution of this work is to prove that some of these models actually enable a significant enhancement of the secret key rate, require fewer honest devices and classical communications than the AC model, or allow to remarkably diminish the post-processing time, a severe bottleneck in QKD. In particular, we introduce conditional VSS, a weaker version of VSS that is more suitable for the task of QKD. In addition, we present a general distributed QKD post-processing protocol appropriate for all the corruption models. Lastly, we evaluate the performance of two well-known QKD schemes in the presence of malicious devices. The simulations corroborate that notably improved non-asymptotic key rates can be reached by replacing the AC model by less conservative and probably more realistic models. Furthermore, in all the considered models, we find that the increased authentication cost of our protocol (compared to that of standard QKD post-processing) is negligible with respect to the secret key length for practical data block sizes and moderate numbers of corrupted devices.

Results

We start by describing the general formalism we consider. Without loss of generality, a standard QKD setup can be divided into two parts with separate roles: a QKD module and a CP unit. Alice’s and Bob’s QKD modules form a so-called QKD pair, whose role is to generate raw correlated data between the parties via quantum communication. Each module transfers its raw data to its local CP unit, and the two distant CP units distill a pair of secret keys from the raw data via coordinated classical post-processing and authenticated classical communication.

The focus of this work is the general scenario where not all the devices are trusted, thus forcing the parties to use a redundant number of them20. Throughout the paper, we shall consider that Alice and Bob share nq QKD pairs (or simply “pairs”), and that each of them holds nc CP units (or simply “units”). Similarly, we assume that up to tq QKD pairs are corrupted (a QKD pair is corrupted when at least one of its modules is) and up to tc CP units are corrupted per lab. Nevertheless, our results could be easily adapted to contemplate different numbers of honest and corrupted units in each lab. For j = 1, …, nq, Alice’s (Bob’s) module \({{\rm{QKD}}}_{{{\rm{A}}}_{j}}\) (\({{\rm{QKD}}}_{{{\rm{B}}}_{j}}\)) is connected to all her (his) units \({\{{{\rm{CP}}}_{{{\rm{A}}}_{l}}\}}_{l = 1}^{{n}_{{\rm{c}}}}\) (\({\{{{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\}}_{l^{\prime} = 1}^{{n}_{{\rm{c}}}}\)) via secure channels, that is, channels that provide both privacy and authentication. Also, all of Alice’s (Bob’s) units are pairwise connected by secure channels too. Since all these links take place within Alice’s (Bob’s) lab, in practice security could be enforced by using, say, physically protected cables. Similarly, the \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) are connected to the \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) by authenticated classical channels. Lastly, as usual, a quantum channel fully accessible to an eavesdropper links \({{\rm{QKD}}}_{{{\rm{A}}}_{j}}\) to its partner \({{\rm{QKD}}}_{{{\rm{B}}}_{j}}\). A schematic of this QKD setup is given in Fig. 1.

Fig. 1: QKD setup with multiple devices.
figure 1

Proposal of a QKD setup with redundant devices suggested in20. The areas surrounded by dashed lines define Alice’s and Bob’s labs. Alice’s (Bob’s) lab contains nq QKD modules (yellow boxes). Each module of Alice is linked to a single module of Bob through a quantum channel (dashed blue lines), forming a so-called QKD pair, and tq pairs are possibly malicious at most. In addition, Alice (Bob) holds nc CP units (grey boxes), tc of them being possibly malicious at most. In each lab, all the CP units are connected to each other and to all nq local QKD modules via secure channels that provide both privacy and authentication (black solid arrows). Also, every unit of Alice is linked to every unit of Bob through an authenticated classical channel (all of them together symbolized by the red double-end arrow).

Full size image

AC corruption

In the first place, let us briefly summarize the proposal in ref. 20, which establishes the security of QKD in the AC model using the setup of Fig. 1. On the one hand, given that nq > tq, PA allows to “remove” not only the information Eve gains through her intervention in the quantum channel (as it is done in standard QKD post-processing), but also the information she learns from the corrupted QKD pairs. On the other hand, given that nc > 3tc26, VSS enables an honest QKD module to split a raw key into shares and redundantly allocate them among its local CP units for distributed post-processing. Crucially, the properties of VSS may guarantee the secrecy and the correctness of the final keys reconstructible by Alice and Bob at the end of this post-processing.

Before we analyse alternative corruption models, it is convenient to tight up some few loose ends affecting the proposal in ref. 20. In the first place, it requires the execution of nq + 1 separate PA steps to distill a secret key. On the contrary, in section “Alternative corruption models” we show that a single PA step suffices, which actually applies to all possible corruption models (see also section “Distributed QKD post-processing protocol” for a distributed post-processing protocol that implements PA in a single step).

In the second place, the use of standard VSS assures that the post-processing is resilient to the misbehaving of the CP units at the price of relying on simulated broadcast, better known as byzantine agreement32. However, this is a very stringent task: it requires the exchange of an exponentially increasing number of classical messages, say \(C \sim O({n}_{{\rm{c}}}^{{t}_{{\rm{c}}}})\), among the units that want to reach the agreement32. What is more, the achieved resiliency is probably not relevant for QKD. After all, Eve has unrestricted access to the quantum channel and thus may induce the abortion of the QKD protocol at will. For these reasons, in all corruption models we replace VSS by a weaker cryptographic primitive, namely, conditional VSS (defined in the “Methods” section), which circumvents simulated broadcast by simply allowing the CP units to abort the protocol. As seen in section “Alternative corruption models” below, this replacement is not only advantageous in the AC model, but whenever actively corrupted CP units are considered, whether they collaborate or not.

Alternative corruption models

In what follows, we address various adversarial scenarios alternative to the AC model. In particular, three looser non-mixed corruption models exist: passive and collaborative (PC), active and non-collaborative (AN) and passive and non-collaborative (PN), where non-collaboration is obviously only defined if multiple corrupted devices exist. Importantly, we decouple the analysis of the different corruption models for the QKD modules and the CP units, such that the results we present for the QKD modules do not assume a specific model for the CP units and vice versa. In addition, we maintain the general QKD setup presented in Fig. 1.

Let us discuss the QKD modules first. In virtue of the privacy of conditional/standard VSS (see the “Methods” section), a distributed QKD post-processing protocol using VSS guarantees that the extractable secret key length does not depend on the corruption model of the CP units, but only on that of the QKD pairs. What is more, let us assume for now that the parties select the AC model as their preferred model for the QKD pairs. For j = 1, …, nq, the j-th QKD pair runs an independent QKD session. As shown in Supplementary Note 1, for nq = tq + 1 (minimum valid choice of nq for a given tq), the ϵcor-correct, \({\epsilon }_{\sec }\)-secret key lengthlextractable via one-step PA from all these sessions is given by

$$l=\left\lfloor \mathop{\min }\limits_{j}\left\{{h}_{\varepsilon }^{j}-{\lambda }_{j}\right\}-{\mathrm{log}\,}_{2}\left(\frac{1}{{\hat{\epsilon }}_{{\rm{cor}}}{\epsilon }_{{\rm{PA}}}^{2}\delta }\right)\right\rfloor,$$
(1)

where \({h}_{\varepsilon }^{j}\) is a hypothetical lower bound on the ε-smooth min-entropy of Bob’s j-th raw key conditioned on the information held by Eve up to the parameter estimation (PE) step, and the smooth parameter ε depends on the PE procedure. As explained in Supplementary Note 1, the term “hypothetical” here refers to the fact that the information delivered by corrupted QKD modules cannot be trusted. Similarly, λj is the public syndrome information required for the reconciliation of the j-th pair of raw keys, and \({\hat{\epsilon }}_{{\rm{cor}}}={\epsilon }_{{\rm{cor}}}-{\epsilon }_{{\rm{AU}}}\) for a pre-agreed authentication error ϵAU, such that ϵAU < ϵcor and \({\epsilon }_{\mathrm{AU}}\,<\,{\epsilon }_{\mathrm{sec}}\). Lastly, ϵPA is the error probability of the PA step and δ > 0 is arbitrary, such that

$${\epsilon }_{\mathrm{sec}}\ge 2\varepsilon +\delta +{\epsilon }_{\mathrm{PA}}+{\epsilon }_{\mathrm{AU}}.$$
(2)

As one would expect, from Eq. (1) we see that, if a single honest QKD pair exists, “a single key” can be extracted from all nq raw keys in the AC model. Notably, the generalization of Eq. (1) to nq − tq > 1 is straightforward.

Now, let us address the alternative models, PC, AN and PN. As long as the malicious QKD pairs are collaborative, an omniscient Eve could learn all the information they hold about the keys, and as long as they are active, they can deliver untrustworthy protocol information unsuitable for correct PE. Hence, although for different reasons, the intermediate scenarios PC and AN cannot lead to an enhancement of the secret key length with respect to the AC model: they also require to remove all the key material that comes from corrupted QKD pairs via PA, thus demanding nq > tq as well. In particular, the extractable key length for nq = tq + 1 in the PC (AN) corruption model is given by Eq. (1) too.

In the PN corruption model, one assumes an independent Eve per malicious QKD pair that does not collaborate with the eavesdroppers possibly controlling the other pairs. Moreover, passivity implies that corrupted pairs deliver trustworthy protocol information that allows to quantify the “ignorance” (in secret bits) that the Eves possibly corrupting other pairs have about their raw data. Thus, it suffices to remove the information held by the most knowledgeable eavesdropper via PA in order to provide security against all of them. As a consequence, secure QKD is possible even if all the QKD pairs are corrupted in the PN model, that is, even if nq = tq. In this setting, one can show that the ϵcor-correct, \({\epsilon}_{\mathrm{sec}}\)-secret key length extractable via one-step PA (see Supplementary Note 2) is given by

$$l=\left\lfloor \mathop{\min }\limits_{v}\mathop{\sum }\limits_{j\ne v}^{{n}_{{\rm{q}}}}\left\{{H}_{\min }^{\varepsilon }({s}_{{\rm{B}}}^{j}| {E}_{v})-{\lambda }_{j}\right\}-{\mathrm{log}\,}_{2}\left(\frac{1}{{\hat{\epsilon }}_{{\rm{cor}}}{\epsilon }_{{\rm{PA}}}^{2}{\delta }^{{n}_{{\rm{q}}}-1}}\right)\right\rfloor ,$$
(3)

where \({H}_{\min }^{\varepsilon }({s}_{{\rm{B}}}^{j}| {E}_{v})\) denotes the ε-smooth min-entropy of Bob’s j-th sifted key, \({s}_{{\rm{B}}}^{j}\), conditioned on the information Ev held by the v-th eavesdropper (i.e. the one that corrupts the v-th QKD pair, with v = 1, …, nq). The remaining parameters were introduced in Eq. (1), and the secrecy parameter now satisfies

$${\epsilon}_{\mathrm{sec}}\ge ({n}_{\mathrm{q}}-1)(2\varepsilon +\delta )+{\epsilon }_{\mathrm{PA}}+{\epsilon }_{\mathrm{AU}}.$$
(4)

Remarkably, Eq. (3) trivially outperforms Eq. (1) for any given tq > 1 (and we recall that non-collaboration is only defined in this case).

In what follows, we discuss the CP units. Although the corruption model of the CP units does not affect the extractable key length, l, it determines the necessary resources to securely implement a distributed post-processing using conditional VSS: the number of units per party, nc, the number R of copies per share of raw key to be delivered by any given QKD module, and the total number of raw key shares managed per CP unit, say r, originating from a given QKD module. On the one hand, nc and R determine the necessary classical communications both between labs and inside each lab, and the total authentication cost of the former, say lAU. On the other hand, r strongly affects the post-processing time, a usual concern in the performance of QKD. In Table 1 we list the minimum values of nc, R and r required for distributed QKD post-processing, depending on the corruption model of the CP units.

Table 1 Conditional VSS with non-mixed corruption.
Full size table

The entries of the table follow from the requirements of conditional VSS and are established in Proposition 1 in the “Methods” section (see Supplementary Note 3 for a proof of this proposition). As we observe, all the restricted models allow to reduce the resources with respect to the AC model. For instance, note that the number r of shares per unit grows exponentially with nc for a fixed fraction of corrupted units in the AC model. This might lead to prohibitively long post-processing times even for small values of nc. Nevertheless, this problem disappears if one assumes that the possibly corrupted units are non-collaborative, thus moving to the AN model. Also in this model, it is worth noting that conditional VSS tolerates nc = 2tc + 2, while standard VSS would still require nc = 3tc + 1, a constraint imposed by the necessity to allow for simulated broadcast.

Within the passive models (PC and PN), the distributed post-processing has the extra advantage that the PE and the lab-to-lab classical communications can be conducted by a single CP unit per lab. On the contrary, the active models require the participation of R = 2tc + 1 units per lab for these tasks, in order to assure the presence of a majority of honest units.

Remarkably, in the “Methods” section, we formulate a distributed QKD post-processing protocol adequate for all the corruption models, matching the entries of Table 1 in each case. The security of this protocol, established in Proposition 3 (see section “Distributed QKD post-processing protocol”), is proven in Supplementary Note 4 combining conditional VSS with a standard QKD security analysis.

Lastly, as stated above, the corruption model of the CP units also determines the authentication cost, lAU, of the distributed post-processing. The classical communications require to select R distinct \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) and R distinct \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\), such that each of the former pre-shares a dedicated pool of secret key bits with each of the latter for authentication purposes. Thus, denoting the common size of every key pool by \(\left|k\right|\), it follows that

$${l}_{{\rm{AU}}}={R}^{2}\times \left|k\right|,$$
(5)

where R is given in Table 1 for each model. A possible estimation of \(\left|k\right|\) using a typical authentication scheme33 is presented in Supplementary Note 5. Within this scheme, the authentication cost of a message scales logarithmically with its length, suggesting that for most practical situations lAUl, as we shall corroborate in the next section.

Performance evaluation

To complete the analysis, we calculate explicit secret key rates in various significant corruption models, and in the finite key regime. The secret key rate is defined as

$$K=\frac{l-{l}_{{\rm{AU}}}}{{n}_{{\rm{q}}}N},$$
(6)

where we recall that l (lAU) is the extractable secret key length (authentication cost) and nq (N) is the number of QKD pairs (number of transmission rounds per pair). For illustration purposes, lAU is computed according to the classical communications of the distributed post-processing presented in the “Methods” section.

For concreteness, we assume the same corruption model for the QKD modules and the CP units, a natural supposition in practice. Moreover, we restrict ourselves to the extreme corruption models, AC and PN, as the intermediate scenarios (AN and PC) do not allow to enhance the secret key rate, disregarding the authentication cost (see section “Alternative corruption models”). We also assume that Alice and Bob use the minimum number of devices that allows for K > 0, which depends on the corruption model they consider. For AC corruption, this means that they agree on the number tq ≥ 0 (tc ≥ 0) of malicious QKD pairs (CP units per lab) they want to be protected against, and use nq = tq + 1 pairs (nc = 3tc + 1 units per lab). Alternatively, for PN corruption, they use nq = 2 QKD pairs and nc = 2 CP units per party, which suffices to achieve K > 0 even if all the devices are possibly malicious (see section “Alternative corruption models”).

We consider two practical QKD protocols with decoy states: an efficient measurement-device-independent quantum key distribution (MDI-QKD) scheme34 with three decoy intensities in the basis X (devoted to PE) and one signal intensity in the basis Z (devoted to key distillation), and the standard decoy-state BB84 scheme35 with three decoy intensities per basis. Detailed analyses of these protocols are provided in Supplementary Notes 6 and 7, respectively. For each protocol, we compute estimates of l (given by Eq. (1) for the AC model and by Eq. (3) for the PN model) and lAU (given by Eq. (5)), by setting the observables to their expected values according to respective channel models described in the cited Supplementary Notes. These channel models depend on various common experimental parameters: the efficiency of the photo-detectors, set to \({\eta }_{\det }=65 \%\), their dark count probability, set to pd = 7.2 × 10−8 (both values matching the recent MDI-QKD experiment reported in ref. 36) and the polarization misalignment, set to say δmis = 0.08, for illustration purposes. Moreover, in both the MDI-QKD and the BB84 schemes, the weakest decoy intensity is set to ω = 10−3 for the numerics. In each case, we optimize the remaining protocol inputs (i.e. intensity settings, and basis and decoy probabilities) to maximize K as a function of the channel loss between Alice and Bob.

For the finite key analysis, we select a post-processing block size of M bits. Then, for every value of the channel loss, we choose the smallest number of transmission rounds per QKD pair, N, that assures that all nq sifted keys reach this block size except with a probability of, say γsift = 5 × 10−3, according to the channel model.

Regarding the error correction (EC) leakage, we assume the typical model \(\left|sy({s}_{{\rm{B}}}^{j})\right|=M{f}_{{\rm{EC}}}h({E}_{{\rm{tol}}})\) for every EC syndrome, where fEC = 1.16 is the efficiency of the EC protocol, h() is the binary entropy function, and Etol is a pre-fixed threshold quantum bit error rate (QBER). In particular, Etol is an upper bound on the QBER that any pair of sifted keys can reach according to the channel model, except with an error probability of γEC = 5 × 10−3.

Finally, the security parameters are set to \({\epsilon}_{\mathrm{cor}}={\epsilon}_{\mathrm{sec}}={10}^{-8}\) and ϵAU = 5 × 10−9. As shown in Supplementary Note 5, ϵAU determines the individual authentication error probability γAU via \({\epsilon }_{{\rm{AU}}}={({t}_{{\rm{c}}}+1)}^{2}({n}_{{\rm{q}}}+1){\gamma }_{{\rm{AU}}}\) (ϵAU = (nq + 1)γAU) in the presence of actively (passively) corrupted CP units. Given \({\epsilon }_{\sec }\) and ϵAU, the remaining parameters, ϵPA and δ, entering the extractable key length, l, are determined by imposing a common value, \({\gamma }_{\sec }\), for every error term that contributes to \({\hat{\epsilon }}_{\mathrm{sec}}={\epsilon}_{\mathrm{sec}}-{\epsilon}_{\mathrm{AU}}\) (given by Eqs. (2) and (4)). In particular, from the PE procedure presented in Supplementary Note 6 (Supplementary Note 7), it follows that \({\gamma}_{\mathrm{sec}}={\hat{\epsilon}}_{\mathrm{sec}}/48\) (\({\gamma }_{\mathrm{sec}}={\hat{\epsilon}}_{\mathrm{sec}}/20\)) in the MDI-QKD (BB84) scheme within both the AC and the PN scenarios, where we used the fact that nq = 2 in the latter case.

Adhering to all the above, in Fig. 2, we plot the secret key rate as a function of the total channel loss for the MDI-QKD scheme, considering that Alice and Bob are at the same distance of the central untrusted node. Similarly, the secret key rate of the BB84 scheme is plotted in Supplementary Fig. 4. In both cases, for illustration purposes, two different block sizes are considered, M {105,106}. Within the AC corruption model, for concreteness, we only address the symmetric case tq = tc = t, such that nq = t + 1 and nc = 3t + 1. Hence, we use the notation KAC,t (lAC,t) for the secret key rate (length) secure against t corrupted devices of each kind in this model. Similarly, KPN (lPN) denotes the secret key rate (length) in the PN model, which, as explained above, unambiguously requires nq = nc = 2. Lastly, Khonest (lhonest) denotes the secret key rate (length) in the standard situation where each party holds one trusted QKD module and one trusted CP unit, that is, Khonest = KAC,0 (lhonest = lAC,0).

Fig. 2: Performance evaluation.
figure 2

Secret key rate, K of a decoy-state MDI-QKD scheme34 in various adversarial scenarios with malicious devices, as a function of the total channel loss between Alice and Bob (assumed to be at the same distance of the untrusted measurement node). Two finite block sizes are considered, a M = 105 and b M = 106, and the authentication cost is computed according to the distributed post-processing protocol of the “Methods” section. In both figures, the purple line is the secret key rate in the standard scenario—where each party holds one QKD module and one classical post-processing (CP) unit, both of them trusted—and green lines denote different corruption models. In particular, the dashed-dotted phosphorescent line is the secret key rate assuming passive and non-collaborative corrupted devices, which requires the use of two QKD pairs and two CP units per lab (all of them being possibly malicious) to provide security. A more conservative scenario is represented by the solid non-phosphorescent green lines, which assume active and collaborative corrupted devices. These lines further assume the same number, say t, of malicious QKD pairs and malicious CP units per lab, which requires the use of at least nq = t + 1 QKD pairs and nc = 3t + 1 CP units per party to provide security. Specifically, the dark (light) green line corresponds to t = 3 (t = 5).

Full size image

The conclusions gathered from Fig. 2 are readily understood in view of the results of section “Results”. In the first place, for both M = 105 and M = 106, we find that KPN ≈ KAC,1 to a precision that cannot be distinguished in the figure. This follows from the fact that, in both cases, two raw keys are generated (as nq = 2) and the parties need to remove the information from one of them via PA. Indeed, comparing Eqs. (1) and (2) with Eqs. (3) and (4), one observes that

$${l}_{{\rm{PN}}}={l}_{{\rm{AC}},1},$$
(7)

that is, the secret key lengths coincide exactly for fixed security parameters, fixed experimental inputs (N and Etol) and average observables. Thus, the minuscule difference between KPN and KAC,1 comes from the authentication cost, as lAUR2 with R = 2t + 1 (R = 1) in the AC (PN) model.

The same argument relates KAC,t and Khonest/(t + 1) for all t. On the one hand, for the specifications above,

$${l}_{{\rm{AC}},t}={l}_{{\rm{honest}}}$$
(8)

for all t, which corresponds to the key material coming from the honest QKD pair. On the other hand, in the presence of t malicious QKD pairs, the extraction of the above key length requires the generation of t + 1 raw keys in the AC model. Thus, from Eq. (6), it follows that

$$\frac{{K}_{{\rm{honest}}}}{t+1}-{K}_{{\rm{AC}},t}=\frac{{\delta l}_{{\rm{AU}}}}{(t+1)N}$$
(9)

in the simulations, where δlAU denotes the extra authentication cost of the AC model with tq = tc = t, compared to the honest scenario. Due to the factor N−1 in the right-hand side of Eq. (9), larger block sizes lead to smaller differences Khonest/(t + 1) − KAC,t.

Finally, since KAC,t (lhonest − lAU) and lAU (2t + 1)2 in the AC model, KAC,t vanishes for any given block size if a large enough number of CP units is considered, as eventually lAU > lhonest. This is the case for M = 105 and t = 5 in Fig. 2.

Discussion

QKD security today requires every QKD component to be honest and follow the protocol steps. Nevertheless, our experience in classical cryptography indicates that this might be very hard to certify in practice. Even in the DI setting, where the QKD devices are often referred to as uncharacterized black boxes, it is mandatory to assure that, beyond the reception of quantum signals from an untrusted source, the only interaction these boxes have with the outside world is the exchange of inputs and outputs with the legitimate parties. This assumption, despite weak, is still very hard to verify. Fortunately, as pointed out in ref. 20, one can protect QKD against malicious equipment by using redundant devices to combine VSS with PA, an approach that we follow in this work.

However, a major limitation of the proposal in ref. 20 is that it relies on simulated broadcast, a very high-priced task in terms of total communication, especially for large numbers of CP units. What is more, the scheme presented in ref. 20 requires the execution of nq + 1 PA steps, where nq is the total number of QKD pairs. In this work, we eliminate the limitation of simulated broadcast and show that a single PA step suffices, thus turning the approach in ref. 20 into practical.

Moreover, the proposal in ref. 20 assumes that the malicious devices may actively deviate from the protocol and collaborate with each other, which is probably over-pessimistic. For instance, an archetypical security breach consists of a malicious item implanted by an eavesdropper in an honest apparatus, leading to a passively corrupted device that may leak private information but sticks to the protocol prescriptions. Likewise, if the devices originate from different vendors, it is reasonable to expect that possibly corrupted apparatuses do not collaborate. In this work, we show that very natural assumptions like these allow to achieve a better performance than the AC model, both in terms of secret key rate and necessary resources.

Also, it is often stated in the QKD community that one could simply bitwise add modulo 2 (XOR) the final keys generated by different QKD systems to defeat malicious equipment. Although this alternative may assure the privacy of the output, it has the major problem of generally requiring more devices than actually necessary to establish security, due to the non-distributed post-processing. For instance, note that not only the QKD module but also the CP unit in any given QKD system learns the raw key in the XOR approach, leading to a double-trouble situation where one must contemplate the worst possible combination of modules and units to guarantee the privacy of the raw key material. Similarly, the XOR approach does not prevent an actively malicious unit from jeopardizing the post-processing of the raw key generated by its module.

Furthermore, we would like to note that secret-sharing-type techniques are, in fact, the standard tool to guarantee security against untrusted devices. For instance, it is the adopted solution in modern hardware secure modules37,38,39. Likewise, similar ideas to those we present here may be deployed in QKD to relax the security assumptions in trusted node network architectures, such that one can establish the security of the final keys even if some intermediate nodes are compromised40.

Another contribution of this work is to evaluate the finite secret key rate of practical QKD schemes in the presence of malicious devices, for different corruption models and accounting for the authentication cost of the redundant classical communications. Particularly, based on our theoretical results, we devise an efficient distributed QKD post-processing protocol adequate for all the corruption models we examine. The simulations confirm that our techniques may achieve finite secret key rates comparable to those of standard QKD with trusted devices. Putting it all together, this work is a fundamental step towards the development of practical QKD systems secure against malicious devices possibly sabotaged by a third party, a major threat against classical cryptography today that cannot be put aside in the quantum-safe era.

Methods

Conditional VSS

Here, we introduce a modified version of the VSS scheme presented in ref. 26 that contemplates the possibility of aborting, thus providing a weaker cryptographic primitive than standard VSS. For this reason, we refer to it as conditional VSS.

We consider a scenario with one possibly dishonest dealer, D, and a set of n parties, \({\Bbb{P}}=\{{P}_{1},\ldots ,{P}_{n}\}\), t of which are possibly corrupted. In this setting, a conditional VSS scheme is a pair of protocols, (Share, Reconstruct), satisfying three properties: privacy, conditional commitment and conditional correctness (defined below). In full generality, Share and Reconstruct run as follows. During Share, D distributes an input m among the n parties, which pairwise perform consistency tests on their common information via secure channels and possibly abort. Upon non-abortion of Share, during Reconstruct the parties collaborate to retrieve m. The defining properties of conditional VSS are given below:

  1. 1.

    Privacy: If D is honest, the information obtained by any set of t or less parties prior to Reconstruct is independent of m.

  2. 2.

    Conditional commitment: Upon non-abortion of Share, Reconstruct yields the same output for all non-actively corrupted parties.

  3. 3.

    Conditional correctness: Upon non-abortion of Share, if D is honest the common output of all non-actively corrupted parties is the input m.

Regarding the parties, all four non-mixed corruption models presented in the main text shall be addressed: AC, AN, PC and PN. However, we do not restrict to any of them yet. Also, note that the set of non-actively corrupted parties includes all the parties (and not only the honest ones) in the passive models. As for the dealer, D is said to be dishonest if it may distribute incorrect/inconsistent information about his input to the parties or directly reveal it to them. In particular, this means that if the QKD modules belong to the PN model, even corrupted modules are honest dealers.

In what follows, we describe a pair of protocols, (Share, Reconstruct), that depend on various settings, and such that adequate choices of these settings confer the pair the category of a conditional VSS scheme. We remark that the adequacy of some given settings depends on the corruption model one assumes for the parties. Also, the protocol definitions below assume that the parties and the dealer do not misbehave, whether or not these protocols are robust against active corruption. The dealer’s input m is assumed to be a binary string, and we recall that the symbol “” denotes bitwise XOR. In addition, this operation is generalized to a pair of strings with different lengths by padding the shortest one with as many zeros as necessary for the lengths to match. This said, Share runs as follows:

  1. 1.

    D uses a q-out-of-q SS scheme to split a message m into q random shares, by selecting the first q − 1 shares mi at random and then choosing mq = mm1 … mq−1.

  2. 2.

    For i = 1, …, q, D sends mi to all the parties in a certain subset, say \({\sigma }_{i}\subsetneq {\Bbb{P}}\), via secure channels. If any of these parties does not receive the share, she takes a zero bit string as default share.

  3. 3.

    If σi > 1, all pairs of parties in σi perform a consistency test: they send each other their copies of mi over secure channels to check if they are equal. If any party finds an inconsistency, she aborts the protocol.

Importantly, abortion proceeds in two steps: the aborting party sends an abortion order to all other parties, and each receiving party resends the order to all the rest. Upon reception of an abortion order, the parties abort. Step two assures that the non-actively corrupted parties always abort collectively. Upon non-abortion of Share, Reconstruct runs as follows:

  1. 1.

    All pairs of parties send each other their shares through authenticated channels.

  2. 2.

    For i = 1, …, q, each party uses MV to reconstruct the share mi, and then obtains \(m={\oplus }_{i = 1}^{q}{m}_{i}\).

In general, in order for MV to be well defined, the output must be set to a default value in case of a tie. Nevertheless, ties never occur for the adequate choices of the parameters n and q and the subsets σi we present next.

Proposition 1 Let t be the maximum number of corrupted parties, and let \(\{{T}_{1},\ldots ,{T}_{\left({n\atop t}\right)}\}\) be any ordered list of all possible combinations of t parties. Under the following settings, (Share, Reconstruct) defines a conditional VSS scheme:

  1. 1.

    n = 3t + 1, \(q=\left({n\atop t}\right)\) and \({\sigma }_{i}={\mathbb{P}}/{T}_{i}\) (AC corruption).

  2. 2.

    n = 2t + 2, q = n and \({\sigma }_{i}={\mathbb{P}}/{P}_{i}\) (AN corruption).

  3. 3.

    n = t + 1, q = n and \(\sigma_{i}=P_{i}\) (PC corruption).

  4. 4.

    n = 2, q = n and \(\sigma_{i}=P_{i}\) (PN corruption).

What is more, the above settings are optimal in the number of parties.

The reader is referred to Supplementary Note 3 for a proof of Proposition 1. Also, note that, by definition of R (see section “Alternative corruption models”), we have that R = σi for all i.

Finally, we remark that the above conditional VSS scheme enables secure multiparty computation of linear functions of the shared private input in a very simple way. Let L() be the linear function to be computed on m. Upon non-abortion of Share, each party applies L to its shares of m, in so obtaining shares of L(m). Since this step requires null communication, privacy, conditional commitment and conditional correctness are trivially maintained.

Generation of random bit strings (RBSs)

Distributed QKD post-processing also relies on the possibility to generate unbiased random bit strings (RBSs) of a pre-fixed length L among n parties, when up to t of them are possibly corrupted. Here, we describe an RBS generation protocol suitable for the active corruption models, AC and AN, that builds on conditional VSS to safeguard the randomness of its output string (the passive models shall be addressed afterwards).

Let us set the total number of parties, n, the total number of shares, q, and the subsets of parties, σi, as specified in Proposition 1 for the considered model (AC or AN). The RBS generation protocol runs as follows:

  1. 1.

    For k = 1, …, t + 1, Pk creates a random L-bit string, Rk, and distributes it among all n parties (including itself) using Share. If, for some k, Share aborts, the RBS generation protocol aborts. If a party receives any share whose length differs from L, she aborts.

  2. 2.

    Upon non-abortion of step 1, the parties use Reconstruct to obtain Rk for all k = 1, …, t + 1. Then, each of them individually calculates \(R={\oplus }_{k = 1}^{t+1}{R}_{k}\).

Proposition 2 The RBS generation protocol outputs a common random L-bits string for all non-actively corrupted parties.

The reader is referred to Supplementary Note 3 for a proof of Proposition 2.

Finally, using the standard notion of passivity given in the main text, one can avoid the use of conditional VSS for RBS generation in the passive models (PC and PN). Instead, any given unit can generate the strings directly, and such strings are truly random by assumption.

Distributed QKD post-processing protocol

Making use of our theoretical results, here we present a distributed QKD post-processing protocol based on conditional VSS that is appropriate for all non-mixed corruption models introduced in section “Results”. We refer to it simply as Protocol.

In the first place, the parties agree on the corruption models they assume for the QKD modules and the CP units (which might be different in general), and also select the numbers tq and tc of corrupted devices they want to be protected against. In case they choose AC, AN or PC corruption (PN corruption) for the modules, they must hold nq = tq + 1 (nq = 2) QKD pairs in total—given that they stick to the rule of using the minimum valid amount of devices—and the secret key length l is given by Eq. (1) (Eq. (3)). Similarly, they provide themselves with as many CP units as specified in Table 1 for their preferred model. Coming next, they agree on a correctness (secrecy) parameter, ϵcor (\({\epsilon }_{\mathrm{sec}}\)), and a total authentication error ϵAU, such that ϵAU < ϵcor and \({\epsilon }_{\mathrm{AU}}<{\epsilon }_{\mathrm{sec}}\).

For j = 1, …, nq, the pair \(({{\rm{QKD}}}_{{{\rm{A}}}_{j}},{{\rm{QKD}}}_{{{\rm{B}}}_{j}})\) runs a QKD session to generate the basis Z raw key strings, \(({r}_{{\rm{A}}}^{j},{r}_{{\rm{B}}}^{j})\), to be kept private, and some non-private protocol information, \(({{\rm{info}}}_{{\rm{A}}}^{j},{{\rm{info}}}_{{\rm{B}}}^{j})\), typically including the basis and intensity settings, detection events and so on. Crucially, \(({{\rm{info}}}_{{\rm{A}}}^{j},{{\rm{info}}}_{{\rm{B}}}^{j})\) includes all the raw key material required for PE. The post-processing procedure (namely, Protocol) starts next and is described below. Although the description assumes that the possibly corrupted devices do not deviate from the protocol steps, Protocol is indeed secure against active eavesdroppers, as established in Proposition 3 below. Finally, although not explicitly stated, in case of abortion, the aborting party must notify the other party. This said, Protocol runs as follows.

Let us focus on, say, the j-th QKD pair:

  1. 1.

    Distribution of data: \({{\rm{QKD}}}_{{{\rm{A}}}_{j}}\) (\({{\rm{QKD}}}_{{{\rm{B}}}_{j}}\)) distributes shares of its raw key \({r}_{{\rm{A}}}^{j}\) (\({r}_{{\rm{B}}}^{j}\)) among the \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) following the Share protocol of a conditional VSS scheme (see section “Conditional VSS”) for the selected corruption model of the CP units. We denote the set of units that receive the i-th share of \({r}_{{\rm{A}}}^{j}\) (\({r}_{{\rm{B}}}^{j}\)) by \({\sigma }_{i}^{{\rm{A}}}\) (\({\sigma }_{i}^{{\rm{B}}}\)), which without loss of generality is common for all j = 1, …, nq. In addition, \({{\rm{QKD}}}_{{{\rm{A}}}_{j}}\) (\({{\rm{QKD}}}_{{{\rm{B}}}_{j}}\)) sends the protocol information \({{\rm{info}}}_{{\rm{A}}}^{j}\) (\({{\rm{info}}}_{{\rm{B}}}^{j}\)) to all \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\) (\({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\)), and the latter perform a consistency test on this data: they pairwise check that their copies of \({{\rm{info}}}_{{\rm{A}}}^{j}\) (\({{\rm{info}}}_{{\rm{B}}}^{j}\)) match via authenticated channels. If a \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) (\({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\)) finds an inconsistency, it aborts the protocol (see the Share protocol in the section devoted to conditional VSS for the two-step abortion procedure we consider).

  2. 2.

    Sifting: Each \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\) sends its copy of \({{\rm{info}}}_{{\rm{A}}}^{j}\) to all \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\), which individually apply majority voting (MV) to decide on a single copy. Then, the \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) forward some sifting information, siftj, computable from the pair \(({{\rm{info}}}_{{\rm{A}}}^{j},{{\rm{info}}}_{{\rm{B}}}^{j})\), to the \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\notin {\sigma }_{1}^{{\rm{B}}}\), which apply MV too. Using siftj, every \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) discards some key bits from their shares of \({r}_{{\rm{B}}}^{j}\) to obtain shares of the sifted key, \({s}_{{\rm{B}}}^{j}\). Alternative sifting schemes that require to discard random subsets of the data could easily be adapted by including an RBS generation protocol (see section “Generation of random bit strings (RBSs)”).

  3. 3.

    PE: Using \(({{\rm{info}}}_{{\rm{A}}}^{j},{{\rm{info}}}_{{\rm{B}}}^{j})\), each \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) computes a hypothetical lower bound \({h}_{\varepsilon }^{j}\) (see Supplementary Notes 1 and 2 for the details) on the ε-smooth min-entropy of \({s}_{{\rm{B}}}^{j}\) conditioned on the information held by an eavesdropper up to the PE step, for a certain ε that depends on the PE procedure.

Once steps 1 to 3 are implemented for j = 1, …, nq, all \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) construct their shares of the concatenated sifted key \({s}_{{\rm{B}}}=[{s}_{{\rm{B}}}^{1},\ldots ,{s}_{{\rm{B}}}^{{n}_{{\rm{q}}}}]\), such that the kth share of sB is simply given by the concatenation of the kth share of \({s}_{{\rm{B}}}^{1}\), the kth share of \({s}_{{\rm{B}}}^{2}\) and so on. In addition, from all nq values \({h}_{\varepsilon }^{j}\), every \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) computes a lower bound l on the secret key length extractable from sB via PA. If a \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) finds l ≤ 0, it aborts the protocol. Otherwise, the post-processing proceeds as follows:

  1. 4.

    RBS generation: Every \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) forwards l to the \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\notin {\sigma }_{1}^{{\rm{B}}}\), which apply MV. All \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) perform an RBS generation protocol to select two random 2-universal hash functions, hEV and hPA, respectively devoted to error verification (EV) and PA.

  2. 5.

    Information reconciliation: Every \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) computes its shares of the string of concatenated syndromes, \(s{y}_{{\rm{B}}}=[sy({s}_{{\rm{B}}}^{1}),\ldots ,sy({s}_{{\rm{B}}}^{{n}_{{\rm{q}}}})]\), and the EV tag hEV,B = hEV(sB). Here, sy() is a linear function specified by an EC protocol for a pre-agreed QBER. Altogether, the \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\) reconstruct syB and hEV,B via the Reconstruct protocol of a conditional VSS scheme (see section “Conditional VSS”). Each \({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\in {\sigma }_{1}^{{\rm{B}}}\) sends the following items to every \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\):

    1. (a)

      The total sifting information, \({\{{{\rm{sift}}}^{j}\}}_{j = 1}^{{n}_{{\rm{q}}}}\).

    2. (b)

      The syndrome information, syB, a description of hEV and the EV tag, hEV,B.

    3. (c)

      A description of hPA.

    For all three items, each \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\) applies MV to decide on a single copy. Then, it forwards \({\{{{\rm{sift}}}^{j}\}}_{j = 1}^{{n}_{{\rm{q}}}}\), hEV and hPA to the \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\,\notin\, {\sigma }_{1}^{{\rm{A}}}\) (which apply MV too), and every \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) sifts its shares of the raw keys \({r}_{{\rm{A}}}^{j}\) to obtain shares of the concatenated sifted key \({s}_{{\rm{A}}}=[{s}_{{\rm{A}}}^{1},\cdots ,{s}_{{\rm{A}}}^{{n}_{{\rm{q}}}}]\). Following the EC protocol, all \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) compute their shares of the concatenated syndrome string, \(s{y}_{{\rm{A}}}=[sy({s}_{{\rm{A}}}^{1}),\ldots ,sy({s}_{{\rm{A}}}^{{n}_{{\rm{q}}}})]\), and jointly reconstruct it via the Reconstruct protocol of a conditional VSS scheme. From syB and syA, each \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\) computes the error pattern \(\hat{e}\) and updates its copy of the first share of sA by XOR-ing it with \(\hat{e}\). Thus, by construction, Alice’s corrected key is \({\hat{s}}_{{\rm{A}}}={s}_{{\rm{A}}}\oplus \hat{e}\). Then, all \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) compute their shares of the EV tag \({h}_{{\rm{EV,A}}}={h}_{{\rm{EV}}}({\hat{s}}_{{\rm{A}}})\) and jointly reconstruct it via the Reconstruct protocol of a conditional VSS scheme. Finally, every \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\in {\sigma }_{1}^{{\rm{A}}}\) checks that hEV,A = hEV,B. Otherwise, it aborts the protocol.

  3. 6.

    PA: In case of not aborting, every \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) (\({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\)) computes its shares of the final key \({k}_{{\rm{A}}}={h}_{{\rm{PA}}}({\hat{s}}_{{\rm{A}}})\) (kB = hPA(sB)).

In Supplementary Note 4, we prove that the following security claim holds for all (non-mixed) corruption models of the QKD modules and the CP units.

Proposition 3 Suppose that Protocol does not abort. Then, Alice and Bob can unambiguously determine unique ϵcor-correct and \({\epsilon }_{\mathrm{sec}}\)-secret final keys.

Importantly, the determination of such final keys by Alice and Bob can be done by simply applying MV on the key shares held by their respective CP units, followed by an XOR operation. More generally, in the presence of actively corrupted units, the \({{\rm{CP}}}_{{{\rm{A}}}_{l}}\) (\({{\rm{CP}}}_{{{\rm{B}}}_{l^{\prime} }}\)) can forward their final shares to a local key management layer41,42. There, they could be stored in distributed memories or employed for applications such as message encryption, which in turn can be performed share-wise too.