Secure quantum key distribution with a subset of malicious devices

The malicious manipulation of quantum key distribution (QKD) hardware is a serious threat to its security, as, typically, neither end users nor QKD manufacturers can validate the integrity of every component of their QKD system in practice. One possible approach to re-establish the security of QKD is to use a redundant number of devices. Following this idea, we address various corruption models of the possibly malicious devices and show that, compared to the most conservative model of active and collaborative corrupted devices, natural assumptions make it possible to significantly enhance the secret key rate or to considerably reduce the necessary resources. Furthermore, we show that, for most practical situations, the resulting finite-size secret key rate is similar to that of the standard scenario assuming trusted devices.


I. INTRODUCTION
Quantum key distribution (QKD) [1-4] allows for information-theoretically secure communications, unaffected by the long-term security weakening inherent to public-key cryptography [5,6]. Its security relies on fundamental physical principles and various assumptions, a crucial one being that the legitimate QKD users, say Alice and Bob, hold honest devices that stick to the QKD protocol and do not intentionally leak their private information to an eavesdropper (Eve). However, this strong assumption is probably unjustified, considering the number of hardware and software Trojan horse attacks (THAs) against conventional cryptographic systems reported in recent years [7-11]. After all, like conventional security hardware, QKD devices incorporate many sophisticated components typically provided by specialised companies, and neither QKD vendors nor users are capable of validating the security of all these components in practice [12]. Yet a malicious component can totally compromise the security of QKD. Indeed, the fabrication process of QKD systems might provide Eve with plenty of opportunities to meddle with the QKD hardware, including both the optical equipment and the classical post-processing (CP) units. Moreover, Eve could even sidestep post-fabrication tests by arranging attack triggers that depend on a sequence of unlikely events [10,13].
Remarkably, not even device-independent (DI) QKD [14-18] can provide security against malicious devices, as shown in [19]. It is the classical nature of the secret keys that makes QKD systems vulnerable to classical hacking in both the DI and the non-DI scenarios, because classical keys are susceptible to copying.
A possible solution to foil malicious hardware and software in QKD was recently presented in [20], and then experimentally demonstrated in [21]. The underlying idea is that it might be more difficult for Eve to corrupt various devices than a single device, for example, if they originate from different providers. Therefore, one can use a redundant number of devices for both the raw key generation and the post-processing of QKD. As shown in [20], under the assumption that the number of devices controlled by Eve is restricted, secure QKD is possible by combining verifiable secret sharing (VSS) [22-26], whose essential building block is secret sharing [27,28], a standard technique in secure hardware design [29], with privacy amplification (PA) [30,31]. Of course, both tools operate on top of DI and non-DI security analyses, which determine the secret key length that one can extract from the honest optical apparatuses.

* Electronic address: vzapatero@com.uvigo.es
However, a major limitation of the proposal in [20] is that it is conceived for the case where all the corrupted devices fully obey a single Eve, who can access their internal information and make them deviate arbitrarily from the protocol. This scenario, which we refer to as the active collaborative (AC) model, might be over-conservative in many practical situations. For instance, if Alice and Bob purchase devices from different vendors, it might be reasonable to expect that, even if they are corrupted, they do not collaborate, meaning that they neither share their private information with each other nor cooperate in any other way. Also, if the information delivered by a certain device differs from the one prescribed by the protocol, Alice and Bob might detect it a posteriori. In this sense, some QKD users might only request security against non-collaborative (rather than collaborative) or passive (rather than active) corrupted devices.
Crucially, when applied to more sensible corruption models like these, the proposal in [20] provides no advantage at all with respect to the AC model. One major contribution of this work is to prove that some of these models actually enable a significant enhancement of the secret key rate, require fewer honest devices and less classical communication than the AC model, or remarkably diminish the post-processing time, a severe bottleneck in QKD. In particular, we introduce conditional VSS, a weaker version of VSS that is more suitable for the task of QKD. In addition, we present a general distributed QKD post-processing protocol appropriate for all the corruption models. Lastly, we evaluate the performance of two well-known QKD schemes in the presence of malicious devices. The simulations corroborate that notably improved non-asymptotic key rates can be reached by replacing the AC model with less conservative and probably more realistic models. Furthermore, in all the considered models, we find that the increased authentication cost of our protocol (compared to that of standard QKD post-processing) is negligible with respect to the secret key length for practical data block-sizes and moderate numbers of corrupted devices.

II. RESULTS
We start by describing the general formalism we consider. Without loss of generality, a standard QKD setup can be divided into two parts with separate roles: a QKD module and a classical post-processing (CP) unit. Alice's and Bob's QKD modules form a so-called QKD pair, whose role is to generate raw correlated data between the parties via quantum communication. Each module transfers its raw data to its local CP unit, and the two distant CP units distill a pair of secret keys from the raw data via coordinated classical post-processing and authenticated classical communication.
The focus of this work is the general scenario where not all the devices are trusted, thus forcing the parties to use a redundant number of them [20]. Throughout the paper, we shall consider that Alice and Bob share n_q QKD pairs (or simply "pairs"), and that each of them holds n_c CP units (or simply "units"). Similarly, we assume that up to t_q QKD pairs are corrupted (a QKD pair is corrupted when at least one of its modules is) and up to t_c CP units are corrupted per lab. Nevertheless, our results could be easily adapted to contemplate different numbers of honest and corrupted units in each lab. For j = 1, ..., n_q, Alice's (Bob's) module QKD_Aj (QKD_Bj) is connected to all her (his) units CP_Al, l = 1, ..., n_c (CP_Bl, l = 1, ..., n_c), via secure channels, i.e., channels that provide both privacy and authentication. Also, all of Alice's (Bob's) units are pairwise connected by secure channels too. Since all these links take place within Alice's (Bob's) lab, in practice security could be enforced by using, say, physically protected cables. Similarly, the CP_Al are connected to the CP_Bl by authenticated classical channels. And lastly, as usual, a quantum channel fully accessible to an eavesdropper links QKD_Aj to its partner QKD_Bj. A schematic of this QKD setup is given in Fig. 1.

A. AC corruption
In the first place, let us briefly summarize the proposal in [20], which establishes the security of QKD in the AC model using the setup of Fig. 1. On the one hand, given that n_q > t_q, PA allows Alice and Bob to "remove" not only the information Eve gains through her intervention in the quantum channel (as is done in standard QKD post-processing), but also the information she learns from the corrupted QKD pairs. On the other hand, given that n_c > 3t_c [26], VSS enables an honest QKD module to split a raw key into shares and redundantly allocate them among its local CP units for distributed post-processing. Crucially, the properties of VSS may guarantee the secrecy and the correctness of the final keys reconstructible by Alice and Bob at the end of this post-processing. Before we analyse alternative corruption models, it is convenient to tie up a few loose ends affecting the proposal in [20]. In the first place, it requires the execution of n_q + 1 separate PA steps to distill a secret key. On the contrary, in Sec. II B we show that a single PA step suffices, which actually applies to all possible corruption models (see also Sec. IV C for a distributed post-processing protocol that implements PA in a single step).

FIG. 1: Proposal of a QKD setup with redundant devices suggested in [20]. The areas surrounded by dashed lines define Alice's and Bob's labs. Alice's (Bob's) lab contains n_q QKD modules (yellow boxes). Each module of Alice is linked to a single module of Bob through a quantum channel (dashed blue lines), forming a so-called QKD pair, and at most t_q pairs are possibly malicious. In addition, Alice (Bob) holds n_c CP units (grey boxes), at most t_c of them being possibly malicious. In each lab, all the CP units are connected to each other and to all n_q local QKD modules via secure channels that provide both privacy and authentication (black solid arrows). Also, every unit of Alice is linked to every unit of Bob through an authenticated classical channel (all of them together symbolised by the red double-ended arrow).
In the second place, the use of standard VSS assures that the post-processing is resilient to misbehaviour of the CP units, at the price of relying on simulated broadcast, better known as byzantine agreement [32]. However, this is a very stringent task: it requires the exchange of an exponentially increasing number of classical messages, say C ~ O(n_c^{t_c}), among the units that want to reach agreement [32]. What is more, the achieved resiliency is probably not relevant for QKD. After all, Eve has unrestricted access to the quantum channel and thus may induce an abort of the QKD protocol at will. For these reasons, in all corruption models we replace VSS by a weaker cryptographic primitive, namely, conditional VSS (defined in Sec. IV), which circumvents simulated broadcast by simply allowing the CP units to abort the protocol. As seen in Sec. II B below, this replacement is advantageous not only in the AC model, but whenever actively corrupted CP units are considered, whether they collaborate or not.

B. Alternative corruption models
In what follows, we address various adversarial scenarios alternative to the AC model. In particular, three looser non-mixed corruption models exist: passive and collaborative (PC), active and non-collaborative (AN) and passive and non-collaborative (PN), where non-collaboration is obviously only defined if multiple corrupted devices exist. Importantly, we decouple the analysis of the different corruption models for the QKD modules and the CP units, such that the results we present for the QKD modules do not assume a specific model for the CP units and vice versa. In addition, we maintain the general QKD setup presented in Fig. 1.
Let us discuss the QKD modules first. By virtue of the privacy of conditional/standard VSS (see the Methods section), a distributed QKD post-processing protocol using VSS guarantees that the extractable secret key length does not depend on the corruption model of the CP units, but only on that of the QKD pairs. Moreover, let us assume for now that the parties select the AC model as their preferred model for the QKD pairs. For j = 1, ..., n_q, the j-th QKD pair runs an independent QKD session. As shown in Supplementary Note 1, for n_q = t_q + 1 (the minimum valid choice of n_q for a given t_q), the ε_cor-correct, ε_sec-secret key length l extractable via one-step PA from all these sessions is given by Eq. (1), where h^j_ε is a hypothetical lower bound on the ε-smooth min-entropy of Bob's j-th raw key conditioned on the information held by Eve up to the parameter estimation (PE) step, and the smoothing parameter ε depends on the PE procedure. As explained in Supplementary Note 1, the term "hypothetical" here refers to the fact that the information delivered by corrupted QKD modules cannot be trusted. Similarly, λ_j is the public syndrome information required for the reconciliation of the j-th pair of raw keys, and ε̂_cor = ε_cor − ε_AU for a pre-agreed authentication error ε_AU, such that ε_AU < ε_cor and ε_AU < ε_sec. Lastly, ε_PA is the error probability of the PA step and δ > 0, such that

ε_sec ≥ 2ε + δ + ε_PA + ε_AU. (2)

As one would expect, from Eq. (1) we see that, if a single honest QKD pair exists, "a single key" can be extracted from all n_q raw keys in the AC model. Notably, the generalization of Eq. (1) to n_q − t_q > 1 is straightforward. Now, let us address the alternative models, PC, AN and PN. As long as the malicious QKD pairs are collaborative, an omniscient Eve could learn all the information they hold about the keys, and as long as they are active, they can deliver untrustworthy protocol information unsuitable for correct PE. Hence, although for different reasons, the intermediate scenarios PC and AN cannot lead to an enhancement of the secret key length with respect to the AC model: they also require removing all the key material that comes from corrupted QKD pairs via PA, thus demanding n_q > t_q as well. In particular, the extractable key length for n_q = t_q + 1 in the PC (AN) corruption model is given by Eq. (1) too.
In the PN corruption model, one assumes an independent Eve per malicious QKD pair, who does not collaborate with the eavesdroppers possibly controlling the other pairs. Moreover, passivity implies that corrupted pairs deliver trustworthy protocol information, which makes it possible to quantify the "ignorance" (in secret bits) that the Eves possibly corrupting other pairs have about their raw data. Thus, it suffices to remove the information held by the most knowledgeable eavesdropper via PA in order to provide security against all of them. As a consequence, secure QKD is possible even if all the QKD pairs are corrupted in the PN model, i.e., even if n_q = t_q. In this setting, one can show that the ε_cor-correct, ε_sec-secret key length l extractable via one-step PA in the PN model is given by Eq. (3) (see Supplementary Note 2), where H^ε_min(s^j_B | E_v) denotes the ε-smooth min-entropy of Bob's j-th raw key, s^j_B, conditioned on the information E_v held by the v-th eavesdropper (i.e., the one that corrupts the v-th QKD pair, with v = 1, ..., n_q). The remaining parameters were introduced in Eq. (1), and the secrecy parameter now satisfies Eq. (4). Remarkably, Eq. (3) trivially outperforms Eq. (1) for any given t_q > 1 (and we recall that non-collaboration is only defined in this case).
In what follows, we discuss the CP units. Although the corruption model of the CP units does not affect the extractable key length, l, it determines the resources necessary to securely implement a distributed post-processing using conditional VSS: the number of units per party, n_c, the number R of copies per share of raw key to be delivered by any given QKD module, and the total number of raw key shares managed per CP unit, say r, originating from a given QKD module. On the one hand, n_c and R determine the necessary classical communications both between labs and inside each lab, and the total authentication cost of the former, say l_AU. On the other hand, r strongly affects the post-processing time, a usual concern in the performance of QKD. In Table 1 we list the minimum values of n_c, R and r required for distributed QKD post-processing, depending on the corruption model of the CP units.

[Table 1: minimum values of n_c, R and r required for distributed QKD post-processing, for active vs. passive and collaborative vs. non-collaborative CP units]

The entries of the table follow from the requirements of conditional VSS and are established in Proposition 1 of Sec. IV (see Supplementary Note 3 for a proof of this proposition). As we observe, all the restricted models allow the resources to be reduced with respect to the AC model. For instance, note that the number r of shares per unit grows exponentially with n_c for a fixed fraction of corrupted units in the AC model. This might lead to prohibitively long post-processing times even for small values of n_c. Nevertheless, this problem disappears if one assumes that the possibly corrupted units are non-collaborative, thus moving to the AN model. Also in this model, it is worth noting that conditional VSS tolerates n_c = 2t_c + 2, while standard VSS would still require n_c = 3t_c + 1, a constraint imposed by the necessity to allow for simulated broadcast.
Within the passive models (PC and PN), the distributed post-processing has the extra advantage that the PE and the lab-to-lab classical communications can be conducted by a single CP unit per lab. On the contrary, the active models require the participation of R = 2t_c + 1 units per lab for these tasks, in order to assure the presence of a majority of honest units.
Remarkably, in Sec. IV, we formulate a distributed QKD post-processing protocol adequate for all the corruption models, matching the entries of Table 1 in each case. The security of this protocol, established in Proposition 3 (see Sec. IV C), is proven in Supplementary Note 4 by combining conditional VSS with a standard QKD security analysis.
Lastly, as stated above, the corruption model of the CP units also determines the authentication cost, l_AU, of the distributed post-processing. The classical communications require selecting R distinct CP_Al and R distinct CP_Bl, such that each of the former pre-shares a dedicated pool of secret key bits with each of the latter for authentication purposes. Thus, denoting the common size of every key pool by |k|, l_AU is determined by R and |k| as stated in Eq. (25), where R is given in Table 1 for each model. A possible estimation of |k| using a typical authentication scheme [33] is presented in Supplementary Note 5. Within this scheme, the authentication cost of a message scales logarithmically with its length, meaning that for most practical situations l_AU ≪ l, as we shall corroborate in the next section.

C. Performance evaluation
To complete the analysis, we calculate explicit secret key rates in various significant corruption models, and in the finite-key regime. The secret key rate, K, is defined in terms of l, l_AU, n_q and N, where we recall that l (l_AU) is the extractable secret key length (authentication cost) and n_q (N) is the number of QKD pairs (number of signals transmitted per pair). For illustration purposes, l_AU is computed according to the classical communications of the distributed post-processing presented in the Methods section.
For concreteness, we assume the same corruption model for the QKD modules and the CP units, a natural supposition in practice. Moreover, we restrict ourselves to the extreme corruption models, AC and PN, as the intermediate scenarios (AN and PC) do not allow any enhancement of the secret key rate, disregarding the authentication cost (see Sec. II B). We also assume that Alice and Bob use the minimum number of devices that allows for K > 0, which depends on the corruption model they consider. For AC corruption, this means that they agree on the number t_q ≥ 0 (t_c ≥ 0) of malicious QKD pairs (CP units per lab) they want to be protected against, and use n_q = t_q + 1 pairs (n_c = 3t_c + 1 units per lab). Alternatively, for PN corruption, they use n_q = 2 QKD pairs and n_c = 2 CP units per party, which suffices to achieve K > 0 even if all the devices are possibly malicious (see Sec. II B).
We consider two practical QKD protocols with decoy states: an efficient MDI-QKD scheme [34] with three decoy intensities in the basis X (devoted to PE) and one signal intensity in the basis Z (devoted to key distillation), and the standard decoy-state BB84 scheme [54] with three decoy intensities per basis. Detailed analyses of these protocols are provided in Supplementary Notes 6 and 7, respectively. For each protocol, we compute estimates of l (given by Eq. (1) for the AC model and by Eq. (3) for the PN model) and l_AU (given by Eq. (25)), by setting the observables to their expected values according to the respective channel models described in the cited Supplementary Notes. These channel models depend on various common experimental parameters: the efficiency of the photo-detectors, set to η_det = 65%, their dark count probability, set to p_d = 7.2 × 10^−8 (both values matching the recent MDI-QKD experiment reported in [36]), and the polarization misalignment, set to, say, δ_mis = 0.08 for illustration purposes. Moreover, in both the MDI-QKD and the BB84 schemes, the weakest decoy intensity is set to ω = 10^−3 for the numerics. In each case, we optimise the remaining protocol inputs (i.e., intensity settings, and basis and decoy probabilities) to maximize K as a function of the channel loss between Alice and Bob.
For the finite-key analysis, we select a post-processing block-size of M bits. Then, for every value of the channel loss, we choose the smallest number of transmission rounds per QKD pair, N, that assures that all n_q sifted keys reach this block-size except with a probability of, say, γ_sift = 5 × 10^−3, according to the channel model.
Regarding the EC leakage, we assume the typical model |sy(s^j_B)| = M f_EC h(E_tol) for every EC syndrome, where f_EC = 1.16 is the efficiency of the EC protocol, h(·) is the binary entropy function, and E_tol is a prefixed threshold QBER. In particular, E_tol is an upper bound on the QBER that any pair of sifted keys can reach according to the channel model, except with an error probability of γ_EC = 5 × 10^−3.
Finally, the security parameters are set to ε_cor = ε_sec = 10^−8 and ε_AU = 5 × 10^−9. As shown in Supplementary Note 5, ε_AU determines the individual authentication error probability γ_AU via ε_AU = (t_c + 1)^2 (n_q + 1) γ_AU (ε_AU = (n_q + 1) γ_AU) in the presence of actively (passively) corrupted CP units. Given ε_sec and ε_AU, the remaining parameters, ε_PA and δ, entering the extractable key length, l, are determined by imposing a common value, γ_sec, on every error term that contributes to ε̂_sec = ε_sec − ε_AU (given by Eq. (2) and Eq. (4)). In particular, from the PE procedure presented in Supplementary Note 6 (Supplementary Note 7), it follows that γ_sec = ε̂_sec/48 (γ_sec = ε̂_sec/20) in the MDI-QKD (BB84) scheme within both the AC and the PN scenarios, where we used the fact that n_q = 2 in the latter case.
Adhering to all the above, in Fig. 2, we plot the secret key rate as a function of the total channel loss for the MDI-QKD scheme, considering that Alice and Bob are at the same distance from the central untrusted node. Similarly, the secret key rate of the BB84 scheme is plotted in Supplementary Figure 4. In both cases, for illustration purposes two different block-sizes are considered, M ∈ {10^5, 10^6}. Within the AC corruption model, for concreteness we only address the symmetric case t_q = t_c = t, such that n_q = t + 1 and n_c = 3t + 1. Hence, we use the notation K_AC,t (l_AC,t) for the secret key rate (length) secure against t corrupted devices of each kind in this model. Similarly, K_PN (l_PN) denotes the secret key rate (length) in the PN model, which, as explained above, unambiguously requires n_q = n_c = 2. Lastly, K_honest (l_honest) denotes the secret key rate (length) in the standard situation where each party holds one trusted QKD module and one trusted CP unit, i.e., K_honest = K_AC,0 (l_honest = l_AC,0).

FIG. 2: Secret key rate, K, of a decoy-state MDI-QKD scheme [34] in various adversarial scenarios with malicious devices, as a function of the total channel loss between Alice and Bob (assumed to be at the same distance from the untrusted measurement node). Two finite block-sizes are considered, (a) M = 10^5 and (b) M = 10^6, and the authentication cost is computed according to the distributed post-processing protocol of the Methods section. In both figures, the purple line is the secret key rate in the standard scenario, where each party holds one QKD module and one classical post-processing (CP) unit, both of them trusted, and green lines denote different corruption models. In particular, the dashed-dotted phosphorescent line is the secret key rate assuming passive and non-collaborative corrupted devices, which requires the use of two QKD pairs and two CP units per lab (all of them being possibly malicious) to provide security. A more conservative scenario is represented by the solid non-phosphorescent green lines, which assume active and collaborative corrupted devices. These lines further assume the same number, say t, of malicious QKD pairs and malicious CP units per lab, which requires the use of at least n_q = t + 1 QKD pairs and n_c = 3t + 1 CP units per party to provide security. Specifically, the dark (light) green line corresponds to t = 3 (t = 5).
The conclusions gathered from Fig. 2 are readily understood in view of the results of Sec. II. In the first place, for both M = 10^5 and M = 10^6, we find that K_PN ≈ K_AC,1 to a precision that cannot be distinguished in the figure. This follows from the fact that, in both cases, two raw keys are generated (as n_q = 2) and the parties need to remove the information from one of them via PA. Indeed, comparing Eq. (1) and Eq. (2) with Eq. (3) and Eq. (4), one observes that the secret key lengths coincide exactly for fixed security parameters, fixed experimental inputs (N and E_tol), and average observables. Thus, the minuscule difference between K_PN and K_AC,1 comes from the authentication cost, as l_AU ∝ R^2 with R = 2t + 1 (R = 1) in the AC (PN) model. The same argument relates K_AC,t and K_honest/(t + 1) for all t. On the one hand, for the specifications above, the extractable key length l_AC,t takes the same value for all t, which corresponds to the key material coming from the honest QKD pair. On the other hand, in the presence of t malicious QKD pairs, the extraction of this key length requires the generation of t + 1 raw keys in the AC model. Thus, from Eq. (6), it follows that in the simulations the difference K_honest/(t + 1) − K_AC,t is given by Eq. (9) in terms of δl_AU, where δl_AU denotes the extra authentication cost of the AC model with t_q = t_c = t, compared to the honest scenario. Due to the factor N^−1 in the right-hand side of Eq. (9), larger block sizes lead to smaller differences K_honest/(t + 1) − K_AC,t. Finally, since K_AC,t ∝ (l_honest − l_AU) and l_AU ∝ (2t + 1)^2 in the AC model, K_AC,t vanishes for any given block size if a large enough number of CP units is considered, as eventually l_AU > l_honest. This is the case for M = 10^5 and t = 5 in Fig. 2.

III. DISCUSSION
QKD security today requires every QKD component to be honest and to follow the protocol steps. Nevertheless, our experience in classical cryptography indicates that this might be very hard to certify in practice. Even in the DI setting, where the QKD devices are often referred to as uncharacterised black boxes, it is mandatory to assure that, beyond the reception of quantum signals from an untrusted source, the only interaction these boxes have with the outside world is the exchange of inputs and outputs with the legitimate parties. This assumption, although weak, is still very hard to verify. Fortunately, as pointed out in [20], one can protect QKD against malicious equipment by using redundant devices to combine VSS with PA, an approach that we follow in this work.
However, a major limitation of the proposal in [20] is that it relies on simulated broadcast, a very high-priced task in terms of total communication, especially for large numbers of CP units. What is more, the scheme presented in [20] requires the execution of n_q + 1 PA steps, where n_q is the total number of QKD pairs. In this work, we eliminate the limitation of simulated broadcast and show that a single PA step suffices, thus making the approach in [20] practical.
Moreover, the proposal in [20] assumes that the malicious devices may actively deviate from the protocol and collaborate with each other, which is probably over-pessimistic. For instance, an archetypical security breach consists of a malicious item implanted by an eavesdropper in an honest apparatus, leading to a passively corrupted device that may leak private information but sticks to the protocol prescriptions. Likewise, if the devices originate from different vendors, it is reasonable to expect that possibly corrupted apparatuses do not collaborate. In this work, we show that very natural assumptions like these allow for a better performance than the active-collaborative model, both in terms of secret key rate and necessary resources.
Also, it is often stated in the QKD community that one could simply bitwise XOR the final keys generated by different QKD systems to defeat malicious equipment. Although this alternative may assure the privacy of the output, it has the major problem of generally requiring more devices than actually necessary to establish security, due to the non-distributed post-processing. For instance, note that not only the QKD module but also the CP unit in any given QKD system learns the raw key in the XOR approach, leading to a double-trouble situation where one must contemplate the worst possible combination of modules and units to guarantee the privacy of the raw key material. Similarly, the XOR approach does not prevent an actively malicious unit from jeopardizing the post-processing of the raw key generated by its module.
Furthermore, we would like to note that secret-sharing-type techniques are in fact the standard tool to guarantee security against untrusted devices. For instance, it is the adopted solution in modern hardware security modules [37-39]. Likewise, ideas similar to those we present here may be deployed in QKD to relax the security assumptions in trusted-node network architectures, such that one can establish the security of the final keys even if some intermediate nodes are compromised [40].
Another contribution of this work is to evaluate the finite secret key rate of practical QKD schemes in the presence of malicious devices, for different corruption models and accounting for the authentication cost of the redundant classical communications. Particularly, based on our theoretical results, we devise an efficient distributed QKD post-processing protocol adequate for all the corruption models we examine. The simulations confirm that our techniques may achieve finite secret key rates comparable to those of standard QKD with trusted devices. Putting it all together, this work is a fundamental step towards the development of practical QKD systems secure against malicious devices possibly sabotaged by a third party, a major threat against classical cryptography today that cannot be put aside in the quantum-safe era.

A. Conditional verifiable secret sharing
Here, we introduce a modified version of the VSS scheme presented in [26] that contemplates the possibility of aborting, thus providing a weaker cryptographic primitive than standard VSS. For this reason, we refer to it as conditional VSS.
We consider a scenario with one possibly dishonest dealer, D, and a set of n parties, P = {P_1, ..., P_n}, t of which are possibly corrupted. In this setting, a conditional VSS scheme is a pair of protocols, (Share, Reconstruct), satisfying three properties: privacy, conditional commitment and conditional correctness (defined below). In full generality, Share and Reconstruct run as follows. During Share, D distributes an input m among the n parties, which pairwise perform consistency tests on their common information via secure channels and possibly abort. Upon non-abortion of Share, during Reconstruct the parties collaborate to retrieve m. The defining properties of conditional VSS are given below:
1. Privacy. If D is honest, the information obtained by any set of t or fewer parties prior to Reconstruct is independent of m.
2. Conditional commitment. Upon non-abortion of Share, Reconstruct yields the same output for all non-actively corrupted parties.
3. Conditional correctness. Upon non-abortion of Share, if D is honest the common output of all non-actively corrupted parties is the input m.
Regarding the parties, all four non-mixed corruption models presented in the main text shall be addressed: AC, AN, PC and PN. However, we do not restrict to any of them yet. Also, note that the set of non-actively corrupted parties includes all the parties (and not only the honest ones) in the passive models. As for the dealer, D is said to be dishonest if it may distribute incorrect/inconsistent information about its input to the parties or directly reveal it to them. In particular, this means that if the QKD modules belong to the PN model, even corrupted modules are honest dealers.
In what follows, we describe a pair of protocols, (Share, Reconstruct), that depend on various settings, and such that adequate choices of these settings make the pair a conditional VSS scheme. We remark that the adequacy of some given settings depends on the corruption model one assumes for the parties. As in the main text, the protocol definitions below assume that the parties and the dealer do not misbehave, whether or not these protocols are robust against active corruption. Also, the dealer's input m is assumed to be a binary string, and we recall that the symbol "⊕" denotes bitwise XOR. In addition, this operation is generalised to a pair of strings with different lengths by padding the shortest one with as many zeros as necessary for the lengths to match. This said, Share runs as follows.
1. D uses a q-out-of-q SS scheme to split a message m into q random shares, by selecting the first q − 1 shares m_i at random and then choosing m_q so that the bitwise XOR of all q shares equals m.
2. For i = 1, . . ., q, D sends m_i to all the parties in a certain subset, say σ_i ⊆ P, via secure channels. If any of these parties does not receive the share, she takes a zero bit string as default share.
3. If |σ_i| > 1, all pairs of parties in σ_i perform a consistency test: they send each other their copies of m_i over secure channels to check if they are equal. If any party finds an inconsistency, she aborts the protocol. Importantly, abortion proceeds in two steps: the aborting party sends an abortion order to all other parties, and each receiving party resends the order to all the rest. Upon reception of an abortion order, the parties abort. Step two assures that the non-actively corrupted parties always abort collectively.

Upon non-abortion of Share, Reconstruct runs as follows.
1. All pairs of parties send each other their shares through authenticated channels.
2. For i = 1, . . ., q, each party uses MV to reconstruct the share m_i, and then obtains m = ⊕_{i=1}^{q} m_i.

In general, in order for MV to be well-defined, the output must be set to a default value in case of a tie. Nevertheless, ties never occur for the adequate choices of the parameters n and q and the subsets σ_i we present next.

Proposition 1. Let t be the maximum number of corrupted parties, and let {T_1, . . ., T_{\binom{n}{t}}} be any ordered list of all possible combinations of t parties. Under the following settings, (Share, Reconstruct) defines a conditional VSS scheme:
1. n = 3t + 1, q = \binom{n}{t} and σ_i = P \ T_i (AC corruption).
2. n = 2t + 2, q = n and σ_i = P \ P_i (AN corruption).
What is more, the above settings are optimal in the number of parties.
The reader is referred to Supplementary Note 3 for a proof of Proposition 1. Also, note that, by definition of R (see Sec. II B), we have that R = |σ_i| for all i.
Finally, we remark that the above conditional VSS scheme enables secure multiparty computation of linear functions of the shared private input in a very simple way. Let L(·) be the linear function to be computed on m. Upon non-abortion of Share, each party applies L to its shares of m, in so obtaining shares of L(m). Since this step requires null communication, privacy, conditional commitment and conditional correctness are trivially maintained.

B. Generation of random bit strings
Distributed QKD post-processing also relies on the possibility to generate unbiased random bit strings (RBS) of a pre-fixed length L among n parties, when up to t of them are possibly corrupted. Here, we describe a RBS generation protocol suitable for the active corruption models, AC and AN, that builds on conditional VSS to safeguard the randomness of its output string (the passive models shall be addressed afterwards).
Let us set the total number of parties, n, the total number of shares, q, and the subsets of parties, σ_i, as specified in Proposition 1 for the considered model (AC or AN). The RBS generation protocol runs as follows.
1. For k = 1, . . ., t + 1, P_k creates a random L-bit string, R_k, and distributes it among all n parties (including itself) using Share. If, for some k, Share aborts, the RBS generation protocol aborts. If a party receives any share whose length differs from L, she aborts.

Upon non-abortion of step 1, the parties use Recon
Proposition 2. The RBS generation protocol outputs a common random L-bit string for all non-actively corrupted parties.
The reader is referred to Supplementary Note 3 for a proof of Proposition 2.
Finally, using the standard notion of passivity given in the main text, one can avoid the use of conditional VSS for RBS generation in the passive models (PC and PN). Instead, any given unit can generate the strings directly, and such strings are truly random by assumption.
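The Share and Reconstruct protocols of Sec. IV A and the RBS generation protocol of Sec. IV B, as an added toy simulation in Python; this is not the authors' code nor the paper's simulation code. It assumes that parties are the integers 0..n−1, that shares are byte strings (so L counts bytes), that the secure and authenticated channels are plain dictionaries, that the PC and PN settings are those stated in Supplementary Note 3, and that misbehaviour is injected through two hypothetical hooks, `deliver` (a dishonest dealer) and `declare` (a party lying during Reconstruct); `check_settings` is likewise an added helper that checks the counting argument behind Proposition 1.

```python
"""Conditional VSS (Share / Reconstruct) and RBS generation built on top of it.

Added toy simulation of Secs. IV A and IV B; not the authors' code. Assumptions:
parties are the integers 0..n-1, shares are bytes, channels are plain dicts, and
misbehaviour enters through two hypothetical hooks, `deliver` and `declare`.
"""
from collections import Counter
from itertools import combinations
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR; the shorter string is zero-padded, as in the text."""
    n = max(len(a), len(b))
    a, b = a.ljust(n, b"\x00"), b.ljust(n, b"\x00")
    return bytes(x ^ y for x, y in zip(a, b))


def settings(model: str, t: int):
    """(n, subsets) from Proposition 1 (AC, AN) and Supplementary Note 3 (PC, PN);
    subsets[i] is sigma_i, the set of parties that receive share i."""
    if model == "AC":          # n = 3t+1, q = C(n,t), sigma_i = P \ T_i
        n = 3 * t + 1
        subsets = [frozenset(range(n)) - frozenset(T) for T in combinations(range(n), t)]
    elif model == "AN":        # n = 2t+2, q = n, sigma_i = P \ {P_i}
        n = 2 * t + 2
        subsets = [frozenset(range(n)) - {i} for i in range(n)]
    elif model == "PC":        # n = t+1, q = n, sigma_i = {P_i}
        n = t + 1
        subsets = [frozenset({i}) for i in range(n)]
    elif model == "PN":        # n = 2, q = 2, sigma_i = {P_i}
        n = 2
        subsets = [frozenset({i}) for i in range(n)]
    else:
        raise ValueError(f"unknown corruption model {model!r}")
    return n, subsets


def check_settings(model: str, t: int) -> bool:
    """Counting argument of Note 3: every group of t collaborating parties (a single
    party in the non-collaborative models) misses some share entirely (privacy), and
    in the active models every sigma_i holds an honest majority, |sigma_i| >= 2t+1."""
    n, subsets = settings(model, t)
    size = t if model in ("AC", "PC") else 1
    privacy = all(any(not (sigma & frozenset(g)) for sigma in subsets)
                  for g in combinations(range(n), size))
    majority = model in ("PC", "PN") or all(len(s) >= 2 * t + 1 for s in subsets)
    return privacy and majority


def split(m: bytes, q: int) -> list:
    """q-out-of-q XOR sharing: q-1 random shares, the last one fixes the XOR to m."""
    shares = [secrets.token_bytes(len(m)) for _ in range(q - 1)]
    last = m
    for s in shares:
        last = xor(last, s)
    return shares + [last]


def share(m: bytes, n: int, subsets: list, deliver=None):
    """Share, steps 1-3. Returns (views, aborted); views[p][i] is party p's copy of m_i."""
    shares = split(m, len(subsets))
    views = {p: {} for p in range(n)}
    for i, sigma in enumerate(subsets):                      # step 2: deliver m_i to sigma_i
        for p in sigma:
            copy = shares[i] if deliver is None else deliver(i, p, shares[i])
            views[p][i] = bytes(len(shares[i])) if copy is None else copy   # default zero string
    for i, sigma in enumerate(subsets):                      # step 3: pairwise consistency test
        if len(sigma) > 1 and len({views[p][i] for p in sigma}) > 1:
            return views, True                               # a pair disagrees: collective abort
    return views, False


def reconstruct(views: dict, n: int, subsets: list, declare=None) -> dict:
    """Reconstruct: every party collects all copies of every share and applies MV per share."""
    outputs = {}
    for p in range(n):
        m = b""
        for i, sigma in enumerate(subsets):
            copies = []
            for holder in sigma:
                c = views[holder][i]
                if declare is not None and holder != p:      # a corrupted holder may lie to others
                    c = declare(holder, i, c)
                copies.append(c)
            # no ties: each sigma_i holds an honest majority, or is a singleton (passive models)
            m = xor(m, Counter(copies).most_common(1)[0][0])
        outputs[p] = m
    return outputs


def rbs_generate(model: str, t: int, length: int, deliver=None, declare=None):
    """RBS generation (AC / AN): dealers P_0..P_t each Share a random string, R is their XOR.
    Returns the per-party outputs, or None when the protocol aborts (length in bytes here)."""
    n, subsets = settings(model, t)
    outputs = {p: bytes(length) for p in range(n)}
    for k in range(t + 1):
        r_k = secrets.token_bytes(length)                    # P_k creates its random string
        views, aborted = share(r_k, n, subsets, deliver)
        if aborted or any(len(c) != length for v in views.values() for c in v.values()):
            return None                                      # inconsistency or wrong length
        rec = reconstruct(views, n, subsets, declare)
        outputs = {p: xor(outputs[p], rec[p]) for p in range(n)}
    return outputs
```

With the AC settings for t = 1 (n = 4, q = 4, each σ_i of size 3), a dealer that hands one party a tampered copy makes Share abort, whereas a party that lies about every copy it holds during Reconstruct cannot change what the three honest parties output, because each share is held by an honest majority; the same two hooks can be passed to `rbs_generate` to see that the honest parties still agree on R.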
C. Distributed QKD post-processing protocol
Making use of our theoretical results, here we present a distributed QKD post-processing protocol based on conditional VSS that is appropriate for all non-mixed corruption models introduced in Sec. II. We refer to it simply as Protocol.
In the first place, the parties agree on the corruption models they assume for the QKD modules and the CP units (which might be different in general), and also select the numbers t_q and t_c of corrupted devices they want to be protected against. In case they choose AC, AN or PC corruption (PN corruption) for the modules, they must hold n_q = t_q + 1 (n_q = 2) QKD pairs in total, given that they stick to the rule of using the minimum valid amount of devices, and the secret key length l is given by Eq. (1) (Eq. (3)). Similarly, they provide themselves with as many CP units as specified in Table 1 for their preferred model. Coming next, they agree on a correctness (secrecy) parameter, ϵ_cor (ϵ_sec), and a total authentication error ϵ_AU, such that ϵ_AU < ϵ_cor and ϵ_AU < ϵ_sec.
For j = 1, . . ., n_q, the pair (QKD_A^j, QKD_B^j) runs a QKD session to generate the basis Z raw key strings, (r_A^j, r_B^j), to be kept private, and some non-private protocol information, (info_A^j, info_B^j), typically including the basis and intensity settings, detection events, etc. Crucially, (info_A^j, info_B^j) includes all the raw key material required for parameter estimation. The post-processing procedure (namely, Protocol) starts next and is described below. Although the description assumes that the possibly corrupted devices do not deviate from the protocol prescriptions, Protocol is indeed secure against active eavesdroppers, as established in Proposition 3 below. Finally, although not explicitly stated, in case of abortion, the aborting party must notify the other party. This said, Protocol runs as follows.
Let us focus on, say, the j-th QKD pair.
1. Distribution of data. QKD_A^j (QKD_B^j) distributes shares of its raw key r_A^j (r_B^j) among the CP_A^l (CP_B^l) following the Share protocol of a conditional VSS scheme (see Sec. IV A) for the selected corruption model of the CP units. We denote the set of units that receive the i-th share of r_A^j (r_B^j) by σ_A^i (σ_B^i), which without loss of generality is common for all j = 1, . . ., n_q. In addition, QKD_A^j (QKD_B^j) sends the protocol information info_A^j (info_B^j) to the CP_A^l ∈ σ_A^1 (CP_B^l ∈ σ_B^1), and the latter perform a consistency test on this data: they pairwise check that their copies of info_A^j (info_B^j) match via authenticated channels. If a CP_A^l (CP_B^l) finds an inconsistency, it aborts the protocol (see the Share protocol in the section devoted to conditional VSS for the two-step abortion procedure we consider).

2. Sifting. Each CP_A^l ∈ σ_A^1 sends its copy of info_A^j to all CP_B^l ∈ σ_B^1, which individually apply majority voting (MV) to decide on a single copy. Then, the CP_B^l ∈ σ_B^1 forward some sifting information, sift^j, computable from the pair (info_A^j, info_B^j), to the CP_B^l ∉ σ_B^1, which apply MV too. Using sift^j, every CP_B^l discards some key bits from their shares of r_B^j to obtain shares of the sifted key, s_B^j. Alternative sifting schemes that require to discard random subsets of the data could easily be adapted by including a random bit string (RBS) generation protocol (see Sec. IV B).

3. Parameter estimation. Using (info_A^j, info_B^j), each CP_B^l ∈ σ_B^1 computes a hypothetical lower bound h_ε^j (see Supplementary Notes 1 and 2 for the details) on the ε-smooth min-entropy of s_B^j conditioned on the information held by an eavesdropper up to the parameter estimation (PE) step, for a certain ε that depends on the PE procedure.
Once steps 1 to 3 are implemented for j = 1, . . ., n_q, all CP_B^l construct their shares of the concatenated sifted key s_B = [s_B^1, . . ., s_B^{n_q}], such that the k-th share of s_B is simply given by the concatenation of the k-th share of s_B^1, the k-th share of s_B^2, and so on. In addition, from all n_q values h_ε^j, every CP_B^l ∈ σ_B^1 computes a lower bound l on the secret key length extractable from s_B via PA. If a CP_B^l ∈ σ_B^1 finds l ≤ 0, it aborts the protocol. Otherwise, the post-processing proceeds as follows.

4. RBS generation. Every CP_B^l ∈ σ_B^1 forwards l to the CP_B^l ∉ σ_B^1, which apply MV. All CP_B^l perform a RBS generation protocol to select two random 2-universal hash functions, h_EV and h_PA, respectively devoted to error verification (EV) and PA.

5. Information reconciliation. Every CP_B^l computes its shares of the string of concatenated syndromes, sy_B = [sy(s_B^1), . . ., sy(s_B^{n_q})], and the EV tag h_EV,B = h_EV(s_B). Here, sy(·) is a linear function specified by an error correction (EC) protocol for a pre-agreed quantum bit error rate (QBER). All together, the CP_B^l reconstruct sy_B and h_EV,B via the Reconstruct protocol of a conditional VSS scheme (see Sec. IV A). Each CP_B^l ∈ σ_B^1 sends the following items to every CP_A^l ∈ σ_A^1. For all 3 items, each CP_A^l ∈ σ_A^1 applies MV to decide on a single copy. Then, it forwards {sift^j}_{j=1}^{n_q}, h_EV and h_PA to the CP_A^l ∉ σ_A^1 (which apply MV too), and every CP_A^l sifts its shares of the raw keys r_A^j to obtain shares of the concatenated sifted key s_A = [s_A^1, . . ., s_A^{n_q}]. Following the EC protocol, all CP_A^l compute their shares of the concatenated syndrome string, sy_A = [sy(s_A^1), . . ., sy(s_A^{n_q})], and jointly reconstruct it via the Reconstruct protocol of a conditional VSS scheme. From sy_B and sy_A, each CP_A^l ∈ σ_A^1 computes the error pattern ê and updates its copy of the first share of s_A by XORing it with ê. Thus, by construction, Alice's corrected key is ŝ_A = s_A ⊕ ê, "⊕" denoting bitwise XOR. Then, all CP_A^l compute their shares of the EV tag h_EV,A = h_EV(ŝ_A) and jointly reconstruct it via the Reconstruct protocol of a conditional VSS scheme. Finally, every CP_A^l ∈ σ_A^1 checks that h_EV,A = h_EV,B. Otherwise, it aborts the protocol.
6. Privacy amplification. In case of not aborting, every CP_A^l (CP_B^l) computes its shares of the final key.

In Supplementary Note 4, we prove that the following security claim holds for all (non-mixed) corruption models of the QKD modules and the CP units.

Proposition 3. Suppose that Protocol does not abort. Then, Alice and Bob can unambiguously determine unique ϵ_cor-correct and ϵ_sec-secret final keys.
Importantly, the determination of such final keys by Alice and Bob can be done by simply applying MV on the key shares held by their respective CP units, followed by an XOR operation. More generally, in the presence of actively corrupted units, the CP_A^l (CP_B^l) can forward their final shares to a local key management layer [41,42]. There, they could be stored in distributed memories or employed for applications such as message encryption, which in turn can be performed share-wise too.
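The share-wise evaluation of linear functions noted at the end of Sec. IV A, and the way steps 2, 5 and 6 of Protocol exploit it, as an added Python example (not the authors' code): sifting, the EC syndrome and the 2-universal hash are each applied to every XOR share separately, the results are reconstructed, and the error pattern ê is XORed into the first share only. It assumes a single QKD pair, a Hamming(7,4) block as the EC code, a Toeplitz matrix as the hash family, and caller-chosen bases and seed; all of these are illustrative choices, not the paper's parameters.

```python
"""Share-wise linear post-processing of an XOR-shared key (toy).

Added example for the linear-function remark of Sec. IV A and steps 2, 5, 6 of
Protocol (Sec. IV C); not the authors' code. Assumptions: one QKD pair, bit
lists as keys, Hamming(7,4) as the EC code and a Toeplitz hash for EV.
"""
import secrets

# Hamming(7,4) parity-check matrix H (3 x 7): column c (1-based) is the binary form of c.
H = [[(c >> r) & 1 for c in range(1, 8)] for r in range(3)]


def split(bits, q):
    """q-out-of-q XOR sharing of a bit list: q-1 random shares, the last fixes the XOR."""
    shares = [[secrets.randbits(1) for _ in bits] for _ in range(q - 1)]
    last = [(b + sum(s[j] for s in shares)) % 2 for j, b in enumerate(bits)]
    return shares + [last]


def combine(shares):
    """Reconstruct by XOR (one honest copy of each share, so MV is not needed here)."""
    return [sum(col) % 2 for col in zip(*shares)]


def sift(bits, keep):
    """Sifting as a linear map: keep the positions whose bases matched."""
    return [bits[j] for j in keep]


def syndrome(bits):
    """EC syndrome sy(x) = H x over GF(2); linear in x."""
    return [sum(h * b for h, b in zip(row, bits)) % 2 for row in H]


def toeplitz_hash(bits, seed, out_len):
    """Toeplitz 2-universal hash T x with T[i][j] = seed[i - j + len(bits) - 1]; linear in x.
    Requires len(seed) == out_len + len(bits) - 1."""
    n = len(bits)
    return [sum(seed[i - j + n - 1] * bits[j] for j in range(n)) % 2 for i in range(out_len)]


def decode_error(syn):
    """Hamming(7,4) decoding: the syndrome read as an integer is the 1-based flipped position."""
    pos = sum(s << r for r, s in enumerate(syn))
    e = [0] * 7
    if pos:
        e[pos - 1] = 1
    return e


def reconcile_share_wise(raw_a, raw_b, keep, q, seed, tag_len=3):
    """Steps 2, 5 and 6 of Protocol on shares. Returns (Alice's corrected key, EV tags match?)."""
    # Bob's units: sift, syndrome and EV tag share-wise, then reconstruct sy_B and h_EV,B
    s_b = [sift(sh, keep) for sh in split(raw_b, q)]
    sy_b = combine([syndrome(sh) for sh in s_b])
    tag_b = combine([toeplitz_hash(sh, seed, tag_len) for sh in s_b])
    # Alice's units: the same share-wise steps, then the error pattern from sy_A xor sy_B
    s_a = [sift(sh, keep) for sh in split(raw_a, q)]
    sy_a = combine([syndrome(sh) for sh in s_a])
    e_hat = decode_error([x ^ y for x, y in zip(sy_a, sy_b)])
    s_a[0] = [x ^ y for x, y in zip(s_a[0], e_hat)]         # XOR ê into the first share only
    tag_a = combine([toeplitz_hash(sh, seed, tag_len) for sh in s_a])
    # PA would apply h_PA share-wise in exactly the same way (linearity).
    return combine(s_a), tag_a == tag_b


def demo():
    """One honest run: Bob's raw key differs from Alice's in a single sifted position."""
    raw_a = [secrets.randbits(1) for _ in range(14)]
    keep = [0, 2, 3, 5, 8, 9, 12]          # constructed: positions with matching bases
    raw_b = list(raw_a)
    raw_b[5] ^= 1                           # one channel error inside the kept block
    seed = [secrets.randbits(1) for _ in range(3 + 7 - 1)]
    corrected, ok = reconcile_share_wise(raw_a, raw_b, keep, q=3, seed=seed)
    return corrected == sift(raw_b, keep) and ok
```

Because every step is linear over GF(2), XORing the per-share results reproduces the result on the full key, so no unit ever sees more than its own shares; with two errors in the block the Hamming decoder miscorrects and the reconstructed EV tags disagree, which is the abort condition of step 5.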

V. DATA AVAILABILITY
No datasets were generated or analysed during the current study.
VII. AUTHOR CONTRIBUTIONS
M.C. conceived the initial idea and triggered the consideration of this research project. V.Z. made the theoretical analysis and performed the numerical simulations, with inputs from both authors. M.C. and V.Z. analysed the results and prepared the manuscript.

VIII. COMPETING INTERESTS
The authors declare no competing interests.

IX. SUPPLEMENTARY INFORMATION
Supplementary Note 1: secret key length in the AC, AN and PC models for the QKD modules
In this section, we derive the extractable secret key length under the assumption that the QKD modules belong to the AC model and n_q = t_q + 1, and its validity for the intermediate models AN and PC is therefore trivial.
In what follows, asterisks will be used to denote the well-defined versions of certain quantities to which the QKD modules are committed with respect to the honest CP units in the distributed QKD post-processing, in virtue of the properties of standard/conditional VSS and the redundancy of the classical communications. For a detailed proof of the well-definiteness of many of these quantities in a specific distributed post-processing scheme, the reader is referred to Protocol in the Methods section of the main text and Supplementary Note 4.
In any case, despite the misbehaving of the possibly corrupted QKD modules and CP units, the distributed post-processing can guarantee the existence of a well-defined sifted key at Bob's lab, s_B^*, reconstructible through the Reconstruct protocol of a standard/conditional VSS scheme (see the Methods section in the main text), and given by the concatenation of all well-defined sifted keys from the different QKD pairs. By applying PA with 2-universal hashing [31], an ϵ̂_sec-secret key can be extracted from s_B^* as long as its length l^* verifies [43] for all ϵ̂_sec ≥ ϵ + ϵ_PA, where H_min^ϵ(s_B^*|E') is the ϵ-smooth min-entropy of s_B^* conditioned on the (possibly quantum) information E' held by Eve (the omniscient eavesdropper controlling all corrupted QKD modules), and ϵ_PA is the error probability of PA.
Crucially, note that no adversary may have access to more information about the final keys than the omniscient Eve just presented, so it suffices to refer to this Eve. To be precise, such an Eve potentially knows all the raw key material coming from corrupted QKD pairs, and all the information about the key of the honest pair revealed by the public discussion and her interaction with the quantum channel. In particular, possible adversaries corrupting the CP units do not have access to any more information about the honest pair's keys than the Eve above, because a distributed post-processing (say, Protocol in the main text) may assure that, since these keys are delivered by two honest dealers, i.e., the honest QKD modules, they are kept private to the CP units. The reader is referred to the Methods section of the main text for a definition of the privacy property of conditional VSS. This said, the derivation goes as follows.
Without loss of generality, E' can be decomposed as E' = C E, where C denotes the information gained by Eve when she learns the syndrome, sy_B^*, and the EV tag, h_EV,B^*, and E denotes the information she holds in advance of that. Assuming that EC is applied individually on each s_A^{j*} to reconcile it with the corresponding s_B^{j*}, the well-defined syndrome information sent to Bob in the information reconciliation (IR) step (see for instance Protocol in the main text) splits as sy_B^* = [sy^*(s_B^{1*}), . . ., sy^*(s_B^{n_q*})]. If we use the decomposition s_B^* = s_B^{h*} s_B^{d*} (where s_B^{d*} includes all the substrings of s_B^* that come from dishonest QKD pairs), the following chain rule holds [44]. For all ε, ε' ≥ 0 and for all ϵ such that ϵ > 2ε + ε', where ε and ε' are the smoothing parameters of the corresponding smooth min-entropies [43]. We recall that ε depends on the parameter estimation (PE) procedure followed by Alice and Bob. Also, one can set ε' = 0 and use the trivial bound H_min^{ε'}(s_B^{d*}|E) ≥ 0 valid for all ε' ≥ 0, as s_B^{d*} could be entirely known to Eve. This amounts to say that

From these two results, inserting Eq. (12) in Eq. (11) one finds

where we use the fact that log_2(2/ϵ_cor) ≤ log_2(4/ϵ_cor) and also define the slack variable δ = ϵ − 2ε, such that δ > 0.
Further inserting the previous equation in Eq. (10), it follows that one can extract ϵ̂_sec-secret key bits for all and δ > 0.
Notably, the analysis above is conditioned on the successful authentication of all the classical communications. Thus, for a given total authentication error ϵ_AU, the overall secrecy parameter is given by

Crucially, the honest QKD pair is unknown and thus Eq. (14) cannot be evaluated in practice. However, it implies a looser but more convenient bound that does not rely on the knowledge of the honest pair by assuming a worst case scenario. Precisely, let h_ε^{j*} denote the hypothetical lower bound on H_min^ε(s_B^{j*}|E) determined by the well-defined protocol information, say (info_A^{j*}, info_B^{j*}), delivered by the j-th QKD module. We use the term hypothetical here because, even though the distributed QKD post-processing can assure that the j-th QKD pair is committed to a single value h_ε^{j*} via (info_A^{j*}, info_B^{j*}), one cannot assure that such h_ε^{j*} is a valid lower bound on H_min^ε(s_B^{j*}|E) unless j = h. Let us further explain this point. On the one hand, if j ≠ h, (info_A^{j*}, info_B^{j*}) might be unfaithful information (thus, unsuitable for correct PE) and all one can guarantee is that the trivial bound H_min^ϵ(s_B^{j*}|E) = 0 holds for all ϵ. On the other hand, let us focus on the case j = h. QKD_A^h and QKD_B^h indeed create a pair of raw keys via quantum communication to be delivered in the post-processing (see the correctness of conditional VSS in the Methods section of the main text), and indeed generate the related faithful protocol information. Then, distributed QKD post-processing (for instance, the protocol based on conditional VSS presented in the main text, whose security is addressed in Supplementary Note 4) allows to assure that the pair of keys coming from QKD_A^h and QKD_B^h is sifted, reconciled and subjected to PA correctly by an honest majority of CP units in each lab. In particular, h_ε^{h*} is a valid lower bound on H_min^ε(s_B^{h*}|E), such that the more convenient lower bound on H_min^ε(s_B^{h*}|E) − |sy^*(s_B^{h*})| that we referred to above is the straightforward bound min_j {h_ε^{j*} − |sy^*(s_B^{j*})|}. Defining λ_j^* = |sy^*(s_B^{j*})| to match the notation in the main text, we have that the well-defined l^* reached by all honest CP units reads

Also note that, for simplicity of the notation, the asterisks are omitted in the main text.
Supplementary Note 2: secret key length in the PN corruption model for the QKD modules
In this section we derive the secret key length that one can extract via distributed QKD post-processing (say, Protocol in the main text) under the assumption that the possibly corrupted QKD pairs belong to the PN corruption model.
As explained in the main text, in this scenario we can assume n_q = t_q. This choice allows to fairly compare the performance of the AC and the PN corruption models in terms of the secret key rate, and it means that every QKD pair might be corrupted by an independent eavesdropper, say Eve_j (see Supplementary Figure 3), with j = 1, . . ., n_q. Let us focus on one of them, say Eve_v. We denote by E_v the information held by Eve_v prior to the IR step. Defining, for instance, for j = 2, . . ., v and Z_j = s_B^{j*} for j = v + 1, . . ., n_q, the next holds:
1.
2. H_min^{ε_j}(Z_j | Z_{j−1} . . . Z_1 E_v) = H_min^{ε_j}(Z_j | E_v) for all ε_j and j = 2, . . ., n_q.

Therefore, one can apply the simplified version, Eq. (99), of the generalised chain rule for conditional smooth min-entropies presented in Supplementary Note 9. This yields, with ε, δ > 0 and n_q ≥ 2. Coming next, we account for the information that Eve_v gains at the IR step. The total information held by Eve_v a posteriori of IR can be decomposed as where C_v denotes the information she learns during IR. Precisely, C_v contemplates all the syndromes, sy^*(s_B^{j*}), with j ≠ v, and the EV tag h_EV,B^*, such that |h_EV,B^*| = log_2(2/ϵ̂_cor). Note that we are assuming that EC (but not EV) is implemented separately for each j = 1, . . ., n_q in the post-processing. From a chain inequality for smooth entropies [43] previously used in Supplementary Note 1, we have that By applying PA with 2-universal hashing [31], a key that is ϵ̂_sec-secret with respect to E_v can be extracted from s_B^*, as long as the output length satisfies [43] for all Note that all the parameters above are defined as in Supplementary Note 1. Lastly, composing the total authentication error ϵ_AU (pre-agreed by the parties), the overall secrecy parameter reads

FIG. 3: Supplementary Figure 1. Depiction of a setting where n_q − 1 non-collaborative eavesdroppers, {Eve_v}_{v≠j} (where Eve_v is the eavesdropper controlling the v-th QKD pair), attack the quantum communication between QKD_A^j and QKD_B^j. The assumption that the possibly corrupted QKD pairs are passive implies that Eve_j has total access to the internal information of QKD_A^j and QKD_B^j, but the latter deliver faithful key material and protocol information.
Finally, note that Eq. (20) determines the extractable key length that provides security with respect to the information E_v held by Eve_v. Nevertheless, one can provide security against all {Eve_v}_{v=1}^{n_q} by taking where we defined λ_j^* = |sy^*(s_B^{j*})| to match the notation in the main text. To conclude this part, we remark that, in the AC corruption model, h_ε^{j*} does not necessarily pose a lower bound on H_min^ε(s_B^{j*}|E). However, by assumption, in the PN model the j-th QKD pair indeed creates a pair of raw keys via quantum communication to be delivered in the post-processing (see the correctness of conditional VSS in the Methods section of the main text), and is committed to a value h_ε^{j*} that poses a lower bound on H_min^ε(s_B^{j*}|E_v) for all v ≠ j (in the main text the asterisks are omitted for simplicity). Finally, we recall that these bounds also hold against those "Eves" possibly corrupting the CP units, as long as one implements a distributed post-processing (say, Protocol in the main text). This is so because, since in the PN model all the QKD modules are honest dealers, in particular they keep their secret key material private to the CP units during the distribution stage (see the privacy of conditional VSS in the Methods section of the main text).
Supplementary Note 3: proof of propositions 1 and 2
Here, we give detailed proofs of propositions 1 and 2 in the Methods section of the main text.

Proposition 1. Proposition 1 establishes adequate settings under which the pair of protocols (Share, Reconstruct) presented in the Methods section of the main text defines a conditional VSS scheme for every non-mixed corruption model of the parties. Here, we address all four scenarios one by one.
1. AC corruption (t > 0). The considered settings are n = 3t + 1, q = \binom{n}{t} and σ_i = P \ T_i for i = 1, . . ., q. Let {T_1, . . ., T_{\binom{n}{t}}} be an ordered list of all possible combinations of t parties. Since an honest D distributes m according to the previous settings, every combination of t parties is missing exactly one distinct share. Thus, privacy follows. Let us now assume that, for some i, two honest parties in σ_i receive different copies of m_i (note that such parties are guaranteed to exist for all i, because |σ_i| = n − t = 2t + 1 ≥ t + 2 for all t > 0). Then, Share certainly aborts. Conversely, upon non-abortion of Share, all honest parties in each σ_i hold identical copies of m_i (possibly, a default zero string). What is more, |σ_i| = 2t + 1 implies that every σ_i contains a majority of honest parties, such that conditional commitment follows from the use of MV in Reconstruct. Conditional commitment implies that, upon non-abortion of Share, D is committed to an input with respect to the honest parties. Conditional correctness follows identically as conditional commitment, given the fact that an honest D commits to his actual input value m. This completes the proof.
Note that, in the AC model, n > 3t is necessary to assure conditional commitment by enforcing the success of MV during Reconstruct. In fact, it is known to be a general necessary condition for secure MPC [23][24][25] in the AC model, such that setting n = 3t + 1 is optimal. What is more, within our conditional VSS scheme, any attempt to reduce the total number of shares, q, comes at the price of increasing the number of parties, n. To see this, let us assume that such improved settings exist, satisfying all three properties of conditional VSS while keeping q < \binom{n}{t} for a given number of parties, n. On the one hand, privacy implies that every combination of t parties is missing one share at least. On the other hand, by the pigeonhole principle, q < \binom{n}{t} implies that at least two distinct combinations of t parties, say T_k and T_l, have one common missing share, say m_s, for some s = 1, . . ., q. Since |T_k ∪ T_l| ≥ t + 1, it follows that |σ_s| ≤ n − t − 1, and thus conditional commitment requires n ≥ 3t + 2 at least, in order for MV to certainly succeed when applied to all copies of m_s.

2. AN corruption (t > 1). The considered settings are n = 2t + 2, q = n and σ_i = P \ P_i for i = 1, . . ., q. Since an honest D distributes m according to the previous settings, every party is missing exactly one distinct share. This suffices to establish privacy in a non-collaborative setting. Let us now assume that, for some i, two honest parties in σ_i receive different copies of m_i (note that such parties are guaranteed to exist for all i, because |σ_i| = n − 1 = 2t + 1 > t + 2 for all t > 1). Then, Share certainly aborts. Conversely, upon non-abortion of Share, all honest parties in each σ_i hold identical copies of m_i (possibly, a default zero string), and since every σ_i contains a majority of honest parties, conditional commitment follows from the use of MV in Reconstruct. Conditional correctness follows identically as in the AC model.
The optimality of the setting n = 2t + 2 for the pair of protocols (Share, Reconstruct) in the AN model follows from the next lemma.
Lemma. If, for some i = 1, . . ., q, |σ_i| < 2t + 1, the pair of protocols (Share, Reconstruct) does not provide a conditional VSS scheme in the AN model.
For the AC model, such an assertion is straightforward. However, at a first glance, it seems reasonable that non-collaboration of the corrupted parties may allow to overcome the restriction that each share is held by an honest majority of parties. This is so because, for any given share m_i, the values declared by any two corrupted parties in σ_i that misbehave during Reconstruct are not expected to coincide, except with the minuscule probability of a random match. Nevertheless, the Lemma states that this is not the case, and we prove it in what follows. For this purpose, let us consider that D is corrupted, and let us assume the worst-case scenario where, for some i, σ_i contains all t corrupted parties. With a non-negligible probability of success, D could, for instance, select two distinct versions of the share m_i, say m_i^h and m_i^d, and deliver m_i^h (m_i^d) to all honest (dishonest) parties in σ_i. Note that this does not necessarily imply the abortion of Share, as the dishonest parties in σ_i can simply declare the copy m_i^h they receive from the honest ones during the consistency test of m_i. If, in addition, |σ_i| < 2t + 1, σ_i does not contain a majority of honest parties and thus conditional commitment is compromised, because one cannot assure the consistency of the copies of m_i reached by all honest parties via MV. This completes the proof.
From the lemma, |σ_i| ≥ 2t + 1 is necessary for (Share, Reconstruct) to define a conditional VSS scheme in the AN model. Since, in addition, σ_i ⊂ P, the requirement n ≥ 2t + 2 follows, which means that our setting n = 2t + 2 is optimal. Indeed, our setting σ_i = P \ P_i is such that |σ_i| = n − 1 = 2t + 1, which is optimal too according to the lemma. Lastly, as in the AC model, direct application of the pigeonhole principle implies that any attempt to reduce the total number of shares, q, comes at the price of increasing the number of parties, n, in order to maintain the defining properties of conditional VSS.
3. PC corruption. The considered settings are n = t + 1, q = n and σ_i = P_i for i = 1, . . ., q. Since an honest D distributes m according to the previous settings, every combination of t = n − 1 parties is missing exactly one distinct share. Thus, privacy follows. In addition, conditional commitment holds due to passive corruption of the parties and the fact that |σ_i| = 1 for all i (which implies that MV trivially succeeds).
Conditional correctness follows identically as in the previous models.
Note that the optimality of n = t + 1 in the PC model is obvious in full generality, and not only within our specific protocols Share and Reconstruct. This is so because setting n = t would compromise privacy in the presence of collaborative corrupted parties. Also, as in the previous models, any attempt to reduce the total number of shares, q, comes at the price of increasing the number of parties (if one aims to preserve conditional VSS). Remarkably, as a consequence of considering passive corruption, |σ_i| = 1 suffices for all i = 1, . . ., q, in which case step 3 of Share vanishes and thus Share never aborts. This being the case, in the PC model, (Share, Reconstruct) with the above settings not only provides a conditional VSS scheme, but also a standard VSS scheme. Moreover, in the absence of step 3 of Share, no consistency test occurs, which means that VSS reduces to secret sharing (SS) by definition.

4. PN corruption (t > 1). The considered settings are n = 2, q = n and σ_i = P_i for i = 1, 2. We clarify that n = 2 for all t means that it suffices to select two parties out of all corrupted parties in order for (Share, Reconstruct) to define a conditional VSS scheme. An honest D splits m into two random shares and delivers each of them to a different party. Privacy holds because each party is missing one share and they do not collaborate. Conditional commitment follows due to passivity and the fact that |σ_i| = 1 for i = 1, 2. Conditional correctness follows identically as in the previous models.
The optimality of n = 2 and q = 2 is trivial, and it is not restricted to our pair of protocols (Share, Reconstruct).
Proposition 2. Proposition 2 asserts that the RBS generation protocol yields a common random L-bit string for all non-actively corrupted parties. The proposition refers to the active corruption models, and since non-mixed corruption is assumed, all non-actively corrupted parties are honest.
The reasoning is identical for both the AC and the AN model. Let the settings be selected as prescribed by Proposition 1 and assume that the RBS generation protocol does not abort. This implies that Share terminated successfully for all k = 1, . . ., t + 1. In virtue of conditional commitment, non-abortion of Share for, say, P_k, means that all honest parties reach a common string R_k via Reconstruct. Thus, all of them output a common final string R = ⊕_{k=1}^{t+1} R_k. What is more, non-abortion implies that |R_k| = L bits for all k, such that |R| = L too. Then, Proposition 2 follows if we prove the randomness of R. On the one hand, since at least one dealer party is honest, say P_h, for some h ∈ {1, . . ., t + 1}, conditional correctness assures that R_h is random. What is more, in virtue of privacy and disregarding the honest dealer party P_h itself, the information obtained by any set of t or less parties prior to Reconstruct is statistically uncorrelated to R_h. In particular, the string to which every dealer different from P_h is committed upon non-abortion of its Share protocol is uncorrelated to R_h. Therefore, R = ⊕_{k=1}^{t+1} R_k is indeed random.
Notably, since the parties do not collaborate in the AN model, one could feel tempted to select two dealers instead of $t + 1$, as the strings they would generate would be uncorrelated with each other. Nevertheless, their bitwise XOR would not necessarily be random: both selected dealers could be actively corrupted, and an active dealer may share a non-random string (for instance a constant one), so the XOR of two such strings is not random either. Selecting $t + 1$ dealers guarantees that at least one of them is honest.
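As an added illustration (not code from the supplement), the following Python program simulates the XOR-based Share/Reconstruct pair and the RBS generation protocol with $t + 1$ dealers. The class names, the 16-bit string length and the seeded generator are assumptions of the example; the abort logic and consistency tests of conditional VSS are not modelled, only commitment (a dealer's string is fixed before any reconstruction) and the XOR combination. It checks exhaustively, for small parameters, that any $n - 1$ shares reveal nothing about the secret, that one honest dealer among $t + 1$ makes the output a uniform string XORed with values fixed in advance, and that selecting only two dealers can yield a constant output when both are actively corrupted.

```python
import itertools
import random
from functools import reduce
from typing import Dict, List, Sequence

L = 16  # bit length of the strings being shared (assumption of this example)


def xor_all(values) -> int:
    return reduce(lambda x, y: x ^ y, values, 0)


def share(m: int, n: int, rng: random.Random, bits: int = L) -> List[int]:
    """Split the secret m into n additive (XOR) shares: n-1 uniformly random
    shares plus a last share that fixes the XOR of all n shares to m."""
    shares = [rng.getrandbits(bits) for _ in range(n - 1)]
    shares.append(xor_all(shares) ^ m)
    return shares


def reconstruct(shares: Sequence[int]) -> int:
    """Recover the secret by XORing all n shares."""
    return xor_all(shares)


def privacy_holds(n: int, bits: int) -> bool:
    """Exhaustive check of the privacy property for small parameters: for every
    secret and every choice of n-1 share positions, the n-1 shares take each of
    the 2^(bits*(n-1)) possible tuples exactly once, so n-1 non-collaborating
    parties learn nothing about the secret."""
    values = range(1 << bits)
    for subset in itertools.combinations(range(n), n - 1):
        for m in values:
            seen = set()
            for randoms in itertools.product(values, repeat=n - 1):
                shares = list(randoms) + [xor_all(randoms) ^ m]
                seen.add(tuple(shares[i] for i in subset))
            if len(seen) != 1 << (bits * (n - 1)):
                return False
    return True


class Dealer:
    """An honest dealer shares a fresh uniform string. An actively corrupted
    dealer shares any string it likes; conditional commitment means that string
    is fixed once its Share run completes, before any Reconstruct reveals the
    other dealers' strings, so it cannot depend on the honest string."""

    def __init__(self, honest: bool, chosen: int = 0):
        self.honest = honest
        self.chosen = chosen

    def pick(self, rng: random.Random) -> int:
        return rng.getrandbits(L) if self.honest else self.chosen


def rbs_generation(dealers: Sequence[Dealer], n_parties: int, rng: random.Random) -> Dict:
    """RBS generation: every dealer shares its string among n_parties parties
    (Share / commitment phase), then the parties reconstruct every string and
    XOR them. Returns the common output R and the committed strings."""
    committed = [share(d.pick(rng), n_parties, rng) for d in dealers]
    strings = [reconstruct(s) for s in committed]
    return {"R": reconstruct(strings), "strings": strings}


def honest_contribution(result: Dict, dealers: Sequence[Dealer]) -> int:
    """XOR of the strings committed by honest dealers. R is this uniform value
    XORed with the corrupt dealers' fixed choices, hence uniform itself."""
    return xor_all(s for s, d in zip(result["strings"], dealers) if d.honest)


def make_rng(seed: int) -> random.Random:
    """Seeded generator for reproducible demos; real runs use random.SystemRandom()."""
    return random.Random(seed)


if __name__ == "__main__":
    rng = make_rng(2024)
    # t = 2 corrupted dealers with chosen strings, plus one honest dealer: t + 1 in total.
    dealers = [Dealer(False, 0x0000), Dealer(False, 0xFFFF), Dealer(True)]
    out = rbs_generation(dealers, n_parties=4, rng=rng)
    print(f"R = {out['R']:04x}, honest dealer's string = {honest_contribution(out, dealers):04x}")
    # The temptation of the AN model: only two dealers. If both are actively
    # corrupted, nothing forces randomness; here they cancel each other exactly.
    two = rbs_generation([Dealer(False, 0x1234), Dealer(False, 0x1234)], 4, rng)
    print(f"two corrupted dealers: R = {two['R']:04x}")
```

The privacy check enumerates every random choice, which is feasible only for toy parameters; the point is that the share distribution seen by $n - 1$ parties is the same for every secret, which is exactly what non-collaboration buys in the AN and PN models.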

Supplementary Note 4: proof of proposition 3
In what follows, we give a detailed proof of Proposition 3, which establishes the security of Protocol (see the Methods section in the main text) within all non-mixed corruption models of the QKD modules and the CP units.
For ease of understanding, we shall refer to the AC model for both kinds of devices hereafter, and the security of Protocol follows identically for all the alternative models we consider, as it builds on (1) the defining properties of conditional VSS (established for each corruption model of the CP units in the main text), (2) the extractable secret key length (established for each corruption model of the QKD pairs in the main text), and (3) the redundancy of the classical communications (set to the adequate value for each corruption model of the CP units in the protocol description).
Below, as we did in Supplementary Note 1, we use asterisks to denote the well-defined versions of the quantities to which the QKD modules are committed with respect to the honest CP units in the distributed QKD post-processing, by virtue of the properties of conditional VSS and the redundancy of the classical communications. These quantities include the raw keys, the sifted keys, the EC syndromes, the EV and PA hash functions, the corrected keys, the EV tags and the final keys, together with some other quantities which are not divided into shares: the protocol information, the sifting information, the hypothetical lower bounds computed in the PE step, the error pattern and the secret key length.
Correctness.We first prove the correctness established in Proposition 3. Precisely, Proposition 3 asserts the cor -correctness of the output keys upon non-abortion of Protocol (if Protocol aborts, correctness follows trivially).Hence, let us assume Protocol does not abort and refer to conditional commitment (conditional correctness) simply as commitment (correctness) for conciseness.
In the first place, the Share protocol in step 1 guarantees the commitment of the raw keys. In the second place, given the commitment of the raw keys, the commitment of the sifted keys follows from the uniqueness of the sifting information, say $\{\mathrm{sift}^*_j\}_{j=1}^{n_q}$, used by the honest CP units to sift their shares of the raw keys. In particular, the uniqueness of $\{\mathrm{sift}^*_j\}_{j=1}^{n_q}$ is trivially enforced by the consistency tests and the redundancy of the communications in step 2. In the third place, given the commitment of the sifted keys, the commitment of the corrected keys is enforced by the uniqueness of the error pattern $\hat{e}^*$ that all honest $\mathrm{CP}_{A_l} \in \sigma^A_1$ apply on their copies of the first share of the sifted key. In turn, the uniqueness of $\hat{e}^*$ follows from the commitment of the syndrome strings $\mathrm{sy}_A$ and $\mathrm{sy}_B$, ensured by the commitment of the sifted keys and the redundancy of the communications. Fourthly, the commitment of the EV tags $h_{EV,A}$ ($h_{EV,B}$) follows from the commitment of the corrected keys and that of the function $h_{EV}$ (assured by the RBS generation protocol). In particular, due to the redundancy of the classical communications in step 5, all honest $\mathrm{CP}_{B_l} \in \sigma^B_1$ reach the well-defined copies $h^*_{EV,A}$ and $h^*_{EV,B}$, where $h^*_{EV,A}$ ($h^*_{EV,B}$) is the well-defined EV tag reached by all honest $\mathrm{CP}_{A_l}$ ($\mathrm{CP}_{B_l}$), computed on the well-defined corrected key $\hat{s}^*_A$ (sifted key $s^*_B$).
Furthermore, from step 5 of Protocol it follows that EV aborts if $h^*_{EV,A} \neq h^*_{EV,B}$. Conversely, non-abortion of the EV step guarantees that $h^*_{EV,A} = h^*_{EV,B}$. The $\hat{\varepsilon}_{\rm cor}$-correctness follows from this fact as long as $h^*_{EV}$ (the well-defined EV function reached by all honest $\mathrm{CP}_{B_l}$ in the RBS generation protocol) is a random 2-universal hash function with output length at least $\log_2(2/\hat{\varepsilon}_{\rm cor})$ bits [43], because two distinct keys then collide under $h^*_{EV}$ with probability at most $\hat{\varepsilon}_{\rm cor}/2$. And this is indeed ensured by the correctness of conditional VSS within the RBS generation protocol. To finish with, the commitment of the final keys, $k_A$ and $k_B$, follows from the commitment of the corrected keys and that of the function $h_{\rm PA}$. In turn, the latter follows from the commitment of conditional VSS within the RBS generation protocol, in which all honest $\mathrm{CP}_{B_l} \in \sigma^B_1$ select a unique length $l^*$ due to the consistency tests in step 1 and the redundancy of the classical communications. Also note that the commitment of $h_{\rm PA}$ (plus the redundancy of the communications) guarantees that correctness is not compromised in the final PA step.
Notably, one should not confuse the correctness of conditional VSS (see the Methods section in the main text) with the correctness of the output keys of Protocol. In fact, except for the implicit use of correctness in the RBS generation protocol, only the commitment (but not the correctness or the privacy) of conditional VSS is required to establish the correctness of the final keys.
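To make the 2-universal hashing argument for error verification and privacy amplification concrete, the following Python example (added here, not code from the supplement) implements the binary Toeplitz hash family, computes the tag length $\lceil \log_2(2/\hat{\varepsilon}_{\rm cor}) \rceil$, and verifies by exhaustive enumeration over small parameters that two distinct corrected keys pass EV for exactly a $2^{-m}$ fraction of the hash descriptions, i.e. at most $\hat{\varepsilon}_{\rm cor}/2$ for the chosen tag length. The Toeplitz family is an assumption of the example: its description of $n + m - 1$ bits matches the page's $|h_{\rm PA}\ \text{description}| = M n_q + l - 1$, whereas the page's EV function has a description of $2\log_2(2/\hat{\varepsilon}_{\rm cor})$ bits and is therefore a different 2-universal family. The key and seed values in the demo are constructed.

```python
import math


def toeplitz_hash(seed: int, x: int, n: int, m: int) -> int:
    """Multiply the n-bit column vector x by the m x n binary Toeplitz matrix T
    described by an (n + m - 1)-bit seed, over GF(2). Entry T[i][j] is seed bit
    (i - j + n - 1), so every row is the previous row shifted by one position.
    Bit j of x is column j; bit i of the result is row i."""
    out = 0
    for i in range(m):
        acc = 0
        for j in range(n):
            if (x >> j) & 1 and (seed >> (i - j + n - 1)) & 1:
                acc ^= 1
        out |= acc << i
    return out


def description_length(n: int, m: int) -> int:
    """Bits needed to describe one member of the family (the seed): n + m - 1.
    With n = M n_q sifted bits and m = l output bits this is the page's
    |h_PA description| = M n_q + l - 1."""
    return n + m - 1


def ev_tag_length(eps_cor: float) -> int:
    """Smallest integer tag length m with 2^-m <= eps_cor / 2, i.e. m >= log2(2/eps_cor)."""
    return math.ceil(math.log2(2.0 / eps_cor))


def error_verification(seed: int, key_a: int, key_b: int, n: int, m: int) -> bool:
    """EV step: both sides hash their key with the same committed function and
    the step passes (True) iff the tags agree. A mismatching pair still passes
    for a 2^-m fraction of the seeds, and never for more."""
    return toeplitz_hash(seed, key_a, n, m) == toeplitz_hash(seed, key_b, n, m)


def collision_fraction(n: int, m: int, key_a: int, key_b: int) -> float:
    """Exact fraction of seeds for which EV passes on (key_a, key_b), found by
    enumerating every seed. By linearity of T the answer only depends on
    key_a ^ key_b: it is 1 for equal keys and exactly 2^-m otherwise."""
    total = 1 << description_length(n, m)
    passes = sum(1 for seed in range(total) if error_verification(seed, key_a, key_b, n, m))
    return passes / total


def privacy_amplification(seed: int, corrected_key: int, n: int, l: int) -> int:
    """PA step: compress the n-bit corrected key to l bits with the same family."""
    return toeplitz_hash(seed, corrected_key, n, l)


if __name__ == "__main__":
    eps_cor = 1e-10
    m = ev_tag_length(eps_cor)
    print(f"EV tag length for eps_cor={eps_cor}: {m} bits, collision prob <= 2^-{m}")
    # Small constructed instance so the enumeration is exhaustive: 6-bit keys, 3-bit tags.
    print("pass fraction, equal keys   :", collision_fraction(6, 3, 0b101101, 0b101101))
    print("pass fraction, distinct keys:", collision_fraction(6, 3, 0b101101, 0b101000))
    print("PA output:", privacy_amplification(0b1011001, 0b110101, n=6, l=2))
```

The enumeration is exact rather than statistical: for a nonzero difference $d$, the $m$ linear constraints $Td = 0$ on the seed are independent, so exactly $2^{n-1}$ of the $2^{n+m-1}$ seeds let a mismatch through. In the distributed protocol the seed is the quantity to which all honest CP units are committed via the RBS generation protocol, which is why the commitment of $h_{EV}$ and $h_{\rm PA}$ is what the correctness argument needs.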
Lastly, we remark that an authentication error may allow a corrupted CP unit to impersonate an honest one, thus possibly compromising the correctness. Therefore, one must compose the error probability $\hat{\varepsilon}_{\rm cor}$ of the EC (which presumes the successful authentication of all the classical communications) with the total error probability of the authentication, $\varepsilon_{\rm AU}$, pre-selected by Alice and Bob. In this way, the overall correctness parameter is $\varepsilon_{\rm cor} = \hat{\varepsilon}_{\rm cor} + \varepsilon_{\rm AU}$.

Secrecy. In what follows, we prove the secrecy of Protocol, established in Proposition 3. Importantly, the reasoning we present below does not assume a specific QKD scheme, but applies to a wide variety of them.
6. Privacy amplification. In case of not aborting, all the $\mathrm{CP}_{A_l}$ compute their shares of Alice's final key $S_A = h_{\rm PA}(\hat{s}_A)$. Similarly, if no abortion is notified, all the $\mathrm{CP}_{B_l}$ compute their shares of Bob's final key $S_B = h_{\rm PA}(s_B)$.

Secret key length formula in the AC, AN and PC corruption models for the QKD modules. In this section, we particularize the extractable key length (Eq. (17)) for the decoy-state MDI-QKD protocol presented above. As seen in the main text, this formula is tight within the AC, AN and PC corruption models for the QKD modules, and to evaluate it, it suffices to derive the explicit formula of $h^{j*}_\varepsilon$. Assuming perfect state preparation, the entropic uncertainty relation [48] gives where $h(\cdot)$ is the binary entropy function, $n^{h,{\rm L}*}_{11,Z}$ stands for a lower bound on $n^{h*}_{11,Z}$ and $\phi^{h,{\rm U}*}_{11,Z}$ stands for an upper bound on $\phi^{h*}_{11,Z}$, $n^j_{11,Z}$ and $\phi^j_{11,Z}$ being defined in the QKD protocol description at the beginning of this note. From the definition of the smooth min-entropies, it follows that $\varepsilon$ is upper-bounded by the sum of the error probabilities of the estimates of $n^{h,{\rm L}*}_{11,Z}$ and $\phi^{h,{\rm U}*}_{11,Z}$. Eq. (31) implies that, for all $j = 1, \ldots, n_q$, one should define which indeed determines a lower bound on $H^\varepsilon_{\min}(s^{j*}_B|E)$ if the $j$-th QKD pair delivers faithful protocol information. Putting it all together, the extractable key length of the protocol reads where we recall that $|\mathrm{sy}^*(s^{j*}_B)|$ is the size of the $j$-th EC syndrome, $\hat{\varepsilon}_{\rm cor}$ is the correctness parameter, $\varepsilon_{\rm PA}$ is the error probability of the privacy amplification and $\delta > 0$. Also, as shown in Supplementary Note 1, the above key length is $\varepsilon_{\rm sec}$-secret for all $\varepsilon_{\rm sec} = \hat{\varepsilon}_{\rm sec} + \varepsilon_{\rm AU}$, where $\hat{\varepsilon}_{\rm sec} \ge 2\varepsilon + \delta + \varepsilon_{\rm PA}$ and $\varepsilon_{\rm AU}$ is the total error probability of the authentication, which is selected by the parties a priori.
Explicit expressions of $n^{j,{\rm L}*}_{11,Z}$ and $\phi^{j,{\rm U}*}_{11,Z}$ in terms of the observables of the protocol are given in the next section, together with an upper bound on the smoothing parameter $\varepsilon$.
Secret key length formula in the PN corruption model for the QKD modules. In Supplementary Note 2, we derived a tighter secret key length formula valid for the PN corruption model, given by Eq. (20). When particularized to our MDI-QKD scheme, this formula reads with $\varepsilon_{\rm sec} = \hat{\varepsilon}_{\rm sec} + \varepsilon_{\rm AU}$ and $\hat{\varepsilon}_{\rm sec} \ge (n_q - 1)(2\varepsilon + \delta) + \varepsilon_{\rm PA}$. Also, we recall that $\varepsilon_{\rm AU}$ is pre-determined by Alice and Bob.
Parameter estimation. Here, we compute the bounds $n^{j,{\rm L}*}_{11,Z}$ ($n^{j,{\rm L}}_{11,Z}$) and $\phi^{j,{\rm U}*}_{11,Z}$ ($\phi^{j,{\rm U}}_{11,Z}$) that enter the secret key length, Eq. (33) (Eq. (34)). Since the analysis below is common to every $j = 1, \ldots, n_q$, for simplicity of notation we drop the QKD pair index $j$ and refer to any of the QKD pairs. PE is divided into two steps. In a first step, we use the observables of the protocol to calculate bounds on the number $S_{11,X}$ ($E_{11,X}$) of single-photon successes (errors) in $X = \cup_{a,b} X_{a,b}$. For this purpose, we apply the decoy-state bounds presented in [47], although a slightly simpler technique is used to estimate the expected sizes of the sets $X_{a,b}$ given their realisations (see Supplementary Note 8). In a second step, since PE is only performed with the basis $X$ data in the protocol (see the protocol description at the beginning of this note), we use basis-indistinguishability arguments for the single-photon contributions and standard results from large deviation theory to compute a lower bound on $n_{11,Z}$ and an upper bound on $\phi_{11,Z}$ given the former bounds on $S_{11,X}$ and $E_{11,X}$.
In the first place, let us write down the relevant bounds on $S_{11,X}$ and $E_{11,X}$, respectively denoted by $S^{\rm L}_{11,X}$ and $E^{\rm U}_{11,X}$. Let $A = \{\mu, \nu, \omega\}$ be the set of intensities that the parties use when they select the basis $X$, such that $\mu > \nu > \omega$, and let $p_\mu$, $p_\nu$ and $p_\omega$ be the corresponding probabilities. Also, let us introduce a list $V = \{(v_i, v'_i)\}_{i=1}^{9}$ of pairs of vectors given by: Then, the lower bound $S^{\rm L}_{11,X}$ is given by [47] $S^{\rm L}_{11,X} = \max$ except with probability at most $\varepsilon_{11,X} = \sum_{a,b} \varepsilon_{a,b}$, for a series of error terms $\{\varepsilon_{a,b}\}_{a,b \in A}$ specified by the parties, and some specific quantities $\tau_{11}$, $c_{11}$, $J_{vv'}$ and $\Gamma_{vv'}$ that we define in what follows. First, where $p_{a,b,X}$ stands for the probability of a basis $X$ coincidence with intensity settings $a \in A$ for Alice and $b \in A$ for Bob. That is, $p_{a,b,X} = p_a p_b q_X^2$. Regarding $c_{11}$, $J_{vv'}$ and $\Gamma_{vv'}$, we distinguish two cases depending on the sign of $(a_0 + a_1)/(a'_0 + a'_1) - (b_0 + b_1)/(b'_0 + b'_1)$ (the condition of Case 2 is stated below). Case 1: In this case, the definitions are with , Lastly, where For this case, and ), (45) where the definitions of $G_v$, $G_{v'}$, $\bar{\Gamma}_{a,b}$ and $\Gamma_{a,b}$ are the same as in Case 1.
Coming next, we compute an upper bound $E^{\rm U}_{11,X}$ on $E_{11,X}$. For this, let us introduce the list of vectors except with probability at most $\varepsilon_{11,X} = \sum_{a,b} \varepsilon_{a,b}$, for a series of error terms $\{\varepsilon_{a,b}\}_{a,b \in A}$ specified by the parties and some specific quantities $F_v$ and $\Gamma_v$ that we define in what follows: with $\tilde{e}_{a,b} = e^{a+b} e_{a,b}/p_{a,b,X}$, and

In what follows, given $S^{\rm L}_{11,X}$ and $E^{\rm U}_{11,X}$, we derive bounds on $n_{11,Z}$ and $\phi_{11,Z}$ (the quantities that enter the secret key length) via random sampling arguments. Let $N_{11,Z}$ ($N_{11,X}$) be the number of rounds where both Alice and Bob sent single photons and used the basis $Z$ ($X$). Of course, $N_{11} = N_{11,Z} + N_{11,X}$ is the overall number of rounds where a basis match occurred and both parties sent single photons. In the absence of state preparation flaws, the quantum states sent by Alice and Bob that contain single photons on both sides are basis independent, meaning that Eve cannot distinguish in which basis they were prepared. As a consequence, the probability that Charles declares a successful BSM cannot depend on the basis choice. Thus, given the number $S_{11,X}$ of rounds where both parties sent single photons in the basis $X$ and Charles declared a successful BSM, one can estimate the corresponding number for the basis $Z$, $S_{11,Z}$, via Serfling's inequality [49]. Of course, this requires the knowledge of $N_{11,Z}$ and $N_{11,X}$ as well. Precisely, holds for any $0 < \varepsilon < 1$ if we choose the deviation term $\Upsilon(N_{11,Z}, N_{11,X}, \varepsilon)$ to be defined by the function
$$\Upsilon(x, y, z) = \sqrt{\frac{(x+1)\ln(z^{-1})}{2y(x+y)}}.$$
For simplicity, we shall set a common error probability, $\varepsilon = \varepsilon_{\rm S}$, for each usage of Serfling's inequality in this section.
Note that, as the quantities $N_{11,Z}$, $N_{11,X}$ and $S_{11,X}$ are not known, one should derive statistical bounds on them and assume the worst-case scenario, i.e., the one that minimises the value of $S_{11,Z}$. For the first two quantities one can use the standard Chernoff bound [50], as their expected values are known to be $\mu_{11,Z} = \mathbb{E}[N_{11,Z}] = N q_Z^2 p_{1|\lambda}^2$ and $\mu_{11,X} = \mathbb{E}[N_{11,X}] = N q_X^2 \left(p_\mu p_{1|\mu} + p_\nu p_{1|\nu} + p_\omega p_{1|\omega}\right)^2$, where $p_{n|a}$ stands for the Poissonian photon-number distribution with mean value $a$. Importantly, these expected values do not rely on the assumption of a particular channel model, but only on Alice's and Bob's state preparation process. Regarding, for instance, $N_{11,Z}$, we have that $P[N_{11,Z} > N^{\rm U}_{11,Z}] < \varepsilon$ and $P[N_{11,Z} < N^{\rm L}_{11,Z}] < \varepsilon'$ respectively hold for any $\varepsilon, \varepsilon' \in (0, 1)$ if we set where the deviation functions are given by [50]
$$\Delta^{\rm U}(x, y) = \frac{\ln y^{-1}}{2}\left(1 + \sqrt{1 + \frac{8x}{\ln y^{-1}}}\right) \quad \text{and} \quad \Delta^{\rm L}(x, y) = \sqrt{2x \ln y^{-1}}.$$
As usual, the superscript "L" ("U") stands for "lower" ("upper") bound, and the bounds on $N_{11,X}$ are obtained by substituting $\mu_{11,Z}$ by $\mu_{11,X}$ in Eq. (51). For simplicity, we shall set a common error probability, $\varepsilon_{\rm C}$, for each usage of the Chernoff bound, as we already did for Serfling's inequality. In particular, we set $\varepsilon = \varepsilon' = \varepsilon_{\rm C}$.
Regarding $S_{11,X}$, a lower bound $S^{\rm L}_{11,X}$ was already derived in the first part of this note, and the corresponding error probability is denoted by $\varepsilon_{11,X}$. Coming next, we update the claim of Eq. (49) by replacing $N_{11,Z}$, $N_{11,X}$ and $S_{11,X}$ with the appropriate bounds minimising $S_{11,Z}$, and by adding the corresponding error terms on the right-hand side. This yields $P[S_{11,Z} \le S^{\rm L}_{11,Z}] \le \varepsilon_{\rm S} + \varepsilon_{11,X} + 2\varepsilon_{\rm C}$, for Finally, using Serfling's inequality [49] one can easily relate the lower bound on the number $n_{11,Z}$ of single-photon successes in the random sample $Z' \subset Z$ with the lower bound on the number $S_{11,Z}$ of single-photon successes in the original set $Z$ (see the protocol description at the beginning of this note). Already incorporating Eq. (53), it follows that where
$$\Lambda(x, y, z) = \sqrt{\frac{(x-y+1)\ln(z^{-1})}{2xy}}$$
and $M$ is again the size of $Z'$, which defines the post-processing block size (i.e., the size of the sifted keys).
In the derivation above, we used a basis indistinguishability argument to relate the ratio $S_{11,Z}/N_{11,Z}$ to the ratio $S_{11,X}/N_{11,X}$ via Serfling's inequality [49]. The same argument also relates the ratio $e_{11,Z}/n_{11,Z}$ to the ratio $E_{11,X}/S_{11,X}$, where $e_{11,Z}$ ($E_{11,X}$) denotes the number of single-photon phase errors (bit errors) in the rounds indexed by $Z'$ ($X$). To finish with, note that the single-photon phase error rate is, by definition, given by $\phi_{11,Z} = e_{11,Z}/n_{11,Z}$, so that $\phi^{\rm U}_{11,Z} = e^{\rm U}_{11,Z}/n^{\rm L}_{11,Z}$, where $n^{\rm L}_{11,Z}$ is given by Eq. (54) and $e^{\rm U}_{11,Z}$ is given by Eq. (56). From the above PE procedure, it follows that the smoothing parameter $\varepsilon$ (defined in Eq. (31)) is upper-bounded as

Authentication cost. Following the authentication scheme presented in Supplementary Note 5, in order to quantify the total authentication cost of the lab-to-lab communications it suffices to specify the lengths of the different messages exchanged during the protocol. This is what we do next. According to the protocol description above in this note, we have where the expected sizes of $a_j|_{c_j}$ and $r^j_A|_{c_j,X}$ for a typical channel model are given at the end of this note, $|s_Z| = \sum_{j=1}^{n_q} |r^j_A|_{c_j,Z}|$ (the expected sizes of all $r^j_A|_{c_j,Z}$ being given at the end of the note too), the size of the syndrome $|\mathrm{sy}(s_B)|$ depends on the EC protocol (and a typical model is given in the Results section of the main text), $|h_{EV}(s_B)| = \log_2(2/\hat{\varepsilon}_{\rm cor})$ bits, $|h_{EV}\ \text{description}| = 2\log_2(2/\hat{\varepsilon}_{\rm cor})$ bits and $|h_{\rm PA}\ \text{description}| = M n_q + l - 1$ bits, $l$ denoting the extractable secret key length, given by Eq. (33) (Eq. (34)) in the AC, AN and PC corruption models (PN corruption model) of the QKD modules.
Calculation of $N$ and $E_{\rm tol}$ for the simulations. Here, we derive proper values for the number of transmission rounds per QKD pair, $N$, and for the threshold bit error rate of the EC protocol, $E_{\rm tol}$, based on respective restrictions on the abortion probabilities of the sifting step and the error verification step. The analysis relies on a typical channel model presented below in this note.
We calculate $N$ first. For this purpose, let us impose a common abortion probability $\gamma_{\rm sift}/n_q$ for each sifting step ($n_q$ of them in total). That is, we demand that $P(|Z_j| < M) \le \gamma_{\rm sift}/n_q$ for all $j = 1, \ldots, n_q$, where $Z_j$ is the set of detection events when both parties use basis $Z$ and $M$ is the pre-specified size of the sifted keys (i.e., the block size). Using Chernoff's inequality [50], this condition is met if we set the number of signals transmitted per module in each QKD pair to $N = \zeta(M, G^{\lambda,\lambda}_{Z,Z}, \gamma_{\rm sift}/n_q)$, where and $G^{\lambda,\lambda}_{Z,Z}$ is the probability that any given round of the QKD session between $\mathrm{QKD}_{A_j}$ and $\mathrm{QKD}_{B_j}$ contributes to $Z_j$. An expression of $G^{\lambda,\lambda}_{Z,Z}$ for a typical channel model is given at the end of this note.

Now, let us calculate $E_{\rm tol}$. Following the MDI-QKD protocol given at the beginning of this note, the reconciliation of $s_A$ with $s_B$ is performed separately on each $s^j_A$. If, for simplicity, one assumes that the EC protocol corrects up to a fraction $E_{\rm tol}$ of bit errors (and no more) with certainty, then either $E_j \le E_{\rm tol}$ for all $j$ or the (single) EV step aborts, where $E_j$ denotes the actual error rate between $s^j_A$ and $s^j_B$. Thus, applying Chernoff's inequality [50], $P(\text{EV aborts}) \le \gamma_{\rm EC}$ holds for any $\gamma_{\rm EC} \in (0, 1)$ if where $E^{\lambda,\lambda}_{Z,Z}$ is the expected bit error rate for the basis $Z$ and the common intensity $\lambda$, and the deviation function $\Delta^{\rm U}(x, y)$ is defined in Eq. (52). An expression of $E^{\lambda,\lambda}_{Z,Z}$ for a typical channel model is given at the end of this note.
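The statistical toolkit used in the parameter estimation and in the choice of $N$ and $E_{\rm tol}$ above can be checked numerically. The following Python code (an added example, not the supplement's own) implements the Chernoff deviations $\Delta^{\rm U}$ and $\Delta^{\rm L}$, the Serfling deviations $\Upsilon$ and $\Lambda$ and the Hoeffding deviation $\delta$ in the square-root form reconstructed above, and verifies the identities they must satisfy: each Chernoff deviation solves its tail equation, and $\Upsilon(x, y, z) = \Lambda(x + y, y, z)$, since both describe a random sample of $y$ rounds out of $x + y$. It also derives a Serfling lower bound on $S_{11,Z}$ from $S_{11,X}$, the block-size choice $N$ from the lower Chernoff tail and the threshold $E_{\rm tol}$ from the upper Chernoff tail. The exact form of these three derived quantities is my construction, consistent with the inequalities stated above but not necessarily identical to the page's Eq. (49), Eq. (53), $\zeta$ and $E_{\rm tol}$ condition, which are not reproduced here; the numeric inputs in the demo are constructed.

```python
import math


def delta_U(mu: float, eps: float) -> float:
    """Upper Chernoff deviation [50] in the reconstructed form of Eq. (52):
    P[X > mu + delta_U] < eps for X with mean mu; solves d^2/(2mu + d) = ln(1/eps)."""
    beta = math.log(1.0 / eps)
    return 0.5 * beta * (1.0 + math.sqrt(1.0 + 8.0 * mu / beta))


def delta_L(mu: float, eps: float) -> float:
    """Lower Chernoff deviation: P[X < mu - delta_L] < eps; solves d^2/(2mu) = ln(1/eps)."""
    return math.sqrt(2.0 * mu * math.log(1.0 / eps))


def upsilon(x: float, y: float, z: float) -> float:
    """Serfling deviation, Eq. (50) form: sample of y rounds out of x + y."""
    return math.sqrt((x + 1.0) * math.log(1.0 / z) / (2.0 * y * (x + y)))


def lam(x: float, y: float, z: float) -> float:
    """Serfling deviation, Eq. (54) form: sample of y rounds out of x."""
    return math.sqrt((x - y + 1.0) * math.log(1.0 / z) / (2.0 * x * y))


def hoeffding(x: float, y: float) -> float:
    """Hoeffding deviation for a sum of x Bernoulli variables: exp(-2 d^2/x) = y."""
    return math.sqrt(0.5 * x * math.log(1.0 / y))


def chernoff_residuals(mu: float, eps: float) -> tuple:
    """Residuals of the two tail equations the Chernoff deviations must solve;
    both vanish (up to rounding) if the square-root forms above are right."""
    beta = math.log(1.0 / eps)
    d_u, d_l = delta_U(mu, eps), delta_L(mu, eps)
    return (d_u * d_u / (2.0 * mu + d_u) - beta, d_l * d_l / (2.0 * mu) - beta)


def serfling_mismatch(x: float, y: float, z: float) -> float:
    """upsilon(x, y, z) and lam(x + y, y, z) describe the same sampling situation
    (y rounds sampled out of x + y) and must agree."""
    return upsilon(x, y, z) - lam(x + y, y, z)


def serfling_lower_bound(s_x: float, n_x: float, n_z: float, eps: float) -> float:
    """Lower bound on the Z-basis single-photon successes S_Z from the X-basis
    count S_X: the n_x X rounds are a random subset of the n_x + n_z basis-
    independent rounds, so the overall success fraction is at least
    s_x/n_x - upsilon(n_z, n_x, eps) except with probability eps. My construction
    with the page's deviation term; the page's Eq. (49) is not reproduced here."""
    population = (n_x + n_z) * (s_x / n_x - upsilon(n_z, n_x, eps))
    return max(0.0, population - s_x)


def rounds_for_block(M: int, G: float, gamma: float) -> int:
    """Smallest N with N*G - delta_L(N*G, gamma) >= M: a set filled with
    per-round probability G reaches the block size M except with probability
    gamma (lower Chernoff tail). My construction standing in for the page's zeta."""
    beta = math.log(1.0 / gamma)
    root = 0.5 * (math.sqrt(2.0 * beta) + math.sqrt(2.0 * beta + 4.0 * M))  # sqrt(N*G) at equality
    N = max(1, math.ceil(root * root / G))
    while N * G - delta_L(N * G, gamma) < M:          # absorb rounding in either direction
        N += 1
    while N > 1 and (N - 1) * G - delta_L((N - 1) * G, gamma) >= M:
        N -= 1
    return N


def error_threshold(M: int, E: float, gamma_ec: float, n_q: int) -> float:
    """E_tol such that each of the n_q blocks of M bits with expected error
    rate E exceeds E_tol with probability at most gamma_ec/n_q; a union bound
    then gives P(EV aborts) <= gamma_ec (upper Chernoff tail; my construction)."""
    mu = M * E
    return (mu + delta_U(mu, gamma_ec / n_q)) / M


if __name__ == "__main__":
    # Constructed inputs: 5000 X-basis successes out of 10^4 X rounds, 10^4 Z rounds.
    print("S_Z lower bound:", serfling_lower_bound(5000, 1e4, 1e4, 1e-10))
    print("N for M=1e5, G=0.01, gamma=1e-5:", rounds_for_block(100000, 0.01, 1e-5))
    print("E_tol for M=1e5, E=0.02, gamma_EC=1e-3, n_q=3:", error_threshold(100000, 0.02, 1e-3, 3))
```

The consistency checks are the useful part: a deviation function copied with a wrong exponent or a dropped square root silently produces key rates that are either over-optimistic (insecure) or over-pessimistic, and the tail-equation residuals catch both.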
Channel model.In this section, we derive expressions for the expected values of the observables of the protocol, considering the setup illustrated in Supplementary Figure 4. To begin with, let us elaborate on the mathematical models we use.
1. Laser sources. Alice's and Bob's photon sources emit PR-WCPs of the form where $|\tau\rangle = \exp(\tau a^\dagger - \tau^* a)|0\rangle$ is a coherent state with amplitude $\tau = |\tau| e^{i\gamma} \in \mathbb{C}$. Here, $a^\dagger$ ($a$) and $|0\rangle$ are the creation (annihilation) operator and the vacuum state for mode $a$, such that a Fock state with $n$ photons in this mode is given by $|n\rangle = (a^{\dagger n}/\sqrt{n!})\,|0\rangle$.
2. Channel and detector loss. An effective beam-splitter with transmittance $\eta = \eta_{\rm ch}\eta_{\rm det}$ is used to jointly model channel loss ($\eta_{\rm ch}$) and detector loss ($\eta_{\rm det}$) on each side. The transformation reads where the quantum signal enters through the input port $p$, a vacuum state enters through the input port $q$, the output port $r$ leads to unit-detection-efficiency detectors, and the output port $s$ represents channel and detection loss. In turn, $\eta_{\rm ch} = 10^{-\alpha_{\rm att} L/10}$, $\alpha_{\rm att}$ being the attenuation coefficient of the channel (in dB/km) and $L$ being the transmission length between each party and the central node (in km).
3. Basis choice and polarization misalignment. Let $a^\dagger_h$ ($a^\dagger_v$) denote the creation operator of a photon with horizontal (vertical) polarization in a pre-fixed basis $Z$. For each party, the selection of the basis setting $\theta \in \{0, \pi/4\}$ and the occurrence of a polarization misalignment $\delta_{\rm mis} > 0$ jointly transform $a^\dagger_h$ and $a^\dagger_v$ according to the following unitary operation: In short, for any given $\delta_{\rm mis}$, setting $\theta = 0$ ($\theta = \pi/4$) in Eq. (64) jointly models that the party selected basis $Z$ ($X$) and a polarization misalignment $\delta_{\rm mis}$ occurred in the channel.
4. Photo-detectors. Threshold detectors are considered, meaning that each of them is modeled with a POVM consisting of only two elements: $\{E_{\rm no\ click}, E_{\rm click}\}$. As the detector loss is already accounted for in the channel model, the POVM here must describe unit-efficiency photo-detectors, but having a non-zero dark count probability $p_d$. That is, $E_{\rm no\ click} = (1 - p_d)\,|0\rangle\langle 0|$ and $E_{\rm click} = \mathbb{1} - (1 - p_d)\,|0\rangle\langle 0|$. The operator $\mathbb{1}$ denotes the identity operator in the photon-number basis, i.e., $\mathbb{1} = \sum_{n=0}^{\infty} |n\rangle\langle n|$.
Relevant experimental parameters. First of all, let us introduce some convenient notation. At every round of the protocol, $\theta_A$ ($\theta_B$) $\in \{0, \pi/4\}$ denotes Alice's (Bob's) basis setting, where, as usual, $0$ ($\pi/4$) stands for basis $Z$ ($X$). Similarly, $i$ and $j \in \{1, 2\}$ respectively denote Alice's and Bob's polarization states, such that, for basis $Z$ ($X$), 1 means "h" ("+") and 2 means "v" ("$-$"). Regarding the photo-detectors, they are numbered by $w \in \{1, 2, 3, 4\}$ as shown in Supplementary Figure 4. Also, for each photo-detector $w$, it is convenient to introduce an "arm index" $s_w \in \{1, 2\}$ specifying whether it is on the right arm ($s_w = 1$) or the left arm ($s_w = 2$) of the detection scheme, and another "polarization index" $k_w \in \{1, 2\}$ specifying whether it detects the horizontal ($k_w = 1$) or the vertical ($k_w = 2$) component of the pulses coming from the polarizing beam-splitters (tagged by the symbol "⊗" in Supplementary Figure 4).
Let us assume for the moment that Alice's (Bob's) laser emits pure coherent states with complex amplitude $\alpha$ ($\beta$) in the BB84 state defined by $i$ and $\theta_A$ ($j$ and $\theta_B$). The quantum state at the input port of the detectors then factors as the product of four coherent states, $|\phi_{\rm det}\rangle$, $\xi^{i,j}_w$ denoting the incoming amplitude at detector $w$ for settings $i$ and $j$ (the dependence on the intensity settings, $\alpha$ and $\beta$, and the basis settings, $\theta_A$ and $\theta_B$, is omitted for readability). Precisely, it can be shown that where $\eta = \eta_{\rm ch}\eta_{\rm det}$ is the overall one-sided efficiency (accounting for both the transmission efficiency of the channel, $\eta_{\rm ch}$, and the detection efficiency of Charles' detectors, $\eta_{\rm det}$), and $\Theta_{A,l,m}$ ($\Theta_{B,l,m}$) is the $(l, m)$-th element of the matrix $\Theta_A$ ($\Theta_B$), which incorporates Alice's (Bob's) measurement setting, $\theta_A$ ($\theta_B$), and the polarization misalignment occurring on her (his) side of the channel, $\delta_A \ge 0$ ($\delta_B \ge 0$): Since a success at the central node is heralded by the click of exactly two detectors associated with orthogonal polarizations, the set of possible successful events reads $\Omega = \{(1, 2), (3, 4), (1, 4), (2, 3)\}$. (69) As an example, let us compute the probability $P^{i,j}_{(1,2)}$ of the successful event $(1, 2)$. This probability factors as (73) Recalling that $P^{i,j}_{(u,v)}$ was computed assuming pure coherent states, one needs to average over phase values in order to derive the resulting probability for PR-WCPs, which we denote by $p^{i,j}_{(u,v),\alpha,\beta,\theta_A,\theta_B} = \frac{1}{2\pi}\int_0^{2\pi} P^{i,j}_{(u,v)}\,d\gamma$. For convenience, this notation explicitly shows that, in any round of the protocol, the probability of a successful detection event $(u, v) \in \Omega$ depends on all the protocol settings. The explicit calculation of this integral yields

(82) where $\tau_1 = \mu e^{-\mu} p_\mu + \nu e^{-\nu} p_\nu + \omega e^{-\omega} p_\omega$ and $\delta(x, y) = \sqrt{(x/2)\ln y^{-1}}$ is the deviation term that follows from the use of Hoeffding's inequality [55]. Such inequality is used three times in Eq. (82) (with a common error probability, $\varepsilon_{\rm H}$) to obtain adequate one-sided bounds on the expected values of $Z_\mu$, $Z_\nu$ and $Z_\omega$, respectively, given their realisations. Note that, for this task, one could also apply the inverse Chernoff bound given in Supplementary Note 8.
Similarly, $X_\mu$, $X_\nu$ and $X_\omega$ determine a lower bound $S^{\rm L}_{1,X}$ on the number $S_{1,X}$ of rounds in $X = \cup_{a \in A} X_a$ where Alice sent single photons. Precisely, $P[S_{1,X} < S^{\rm L}_{1,X}] < 3\varepsilon_{\rm H}$ holds for where we assumed a common error probability, $\varepsilon_{\rm H}$, for each usage of Hoeffding's inequality [55] again.
Regarding the number $E_{1,X}$ of single-photon errors in $X$, it turns out that $P[E_{1,X} > E^{\rm U}_{1,X}] < 2\varepsilon_{\rm H}$ holds for where we recall that $e_a$ is the observed number of errors in $X_a$ ($a \in A$) and we defined $e = \sum_a e_a$. Also, the error probability $2\varepsilon_{\rm H}$ follows from the composition of two usages of Hoeffding's inequality [55]. Finally, as we did for the parameter estimation in the MDI-QKD protocol, we use Serfling's inequality [49] to relate the number $e_{1,Z}$ of single-photon errors in $Z$ with the number $E_{1,X}$ of single-photon errors in $X$. To be precise, it follows that $P[e_{1,Z} > e^{\rm U}_{1,Z}] < 8\varepsilon_{\rm H} + \varepsilon_{\rm S}$ holds for where the deviation function $\Upsilon(x, y, z)$ is given by Eq. (50) and $\varepsilon_{\rm S}$ is the error probability of Serfling's inequality [49].
Equivalently, the single-photon phase error rate $\phi_{1,Z}$ verifies $P[\phi_{1,Z} \ge \phi^{\rm U}_{1,Z}] \le 8\varepsilon_{\rm H} + \varepsilon_{\rm S}$ for where $n^{\rm L}_{1,Z}$ is given in Eq. (82) and $e^{\rm U}_{1,Z}$ is given in Eq. (85). From the above PE procedure it follows that the smoothing parameter $\varepsilon$ (presented below Eq. (80)) is upper-bounded as $\varepsilon \le 8\varepsilon_{\rm H} + \varepsilon_{\rm S}$. (87)

Authentication cost. Following Supplementary Note 5, in order to quantify the overall authentication cost it suffices to specify the lengths of the classical messages exchanged in the lab-to-lab communications, as we did for the MDI-QKD protocol. In particular, from the protocol description above, we have (88)

calculation of $Q_\alpha$ and $E_\alpha$ using this model yields where $\eta = \eta_{\rm det}\eta_{\rm ch}$ and we defined $h_{\eta,\alpha,\delta_A} = \left(e^{-\eta|\alpha|^2\cos^2(\delta_A)} - e^{-\eta|\alpha|^2\sin^2(\delta_A)}\right)/2$. These expressions account for the fact that multiple clicks are randomly assigned to a specific detection outcome (see the caption of Supplementary Figure 5 for more details).
Finally, we write down the expected values of the observables required for the simulations. For this purpose, we introduce the quantities $G^a_{Z,Z} = q_Z^2\, p_a\, Q_{\sqrt{a}}$, $G^a_{X,X} = q_X^2\, p_a\, Q_{\sqrt{a}}$ and $\hat{E}_a = E_{\sqrt{a}}$, where $a \in A$ and $p_a$ is the probability that Alice uses the intensity setting $a$. From these quantities, it follows that $\mathbb{E}[|X^a_j|] = G^a_{X,X}\,N$ and $\mathbb{E}[e^j_a] = \hat{E}_a\, G^a_{X,X}\, N$, where we recall that $N$ is the number of signals transmitted per QKD pair and $M$ is the size of each sifted key. Also note that, for each $j = 1, \ldots, n_q$, all three sets $Z^a_j$ contribute to the $j$-th sifted key. Thus, averaging over all three intensity settings, the expected QBER in the basis $Z$ is Remarkably, the formula above corresponds to the a priori expected bit error rate between any pair of sifted keys, i.e., the expected error rate without using the knowledge of the actual set sizes $|Z^a_j|$. The knowledge of the set sizes indeed provides slightly more accurate values of the expected bit error rates, but these would be different for each $j$. Thus, for simplicity, we use the common a priori expected bit error rate for all $j$.
Performance evaluation. In Supplementary Figure 6, we plot the secret key rate that one can extract by combining Protocol with the decoy-state QKD scheme presented in this note, as a function of the channel loss between Alice and Bob. Both the security and the experimental parameters are set following the criteria described in the Results section of the main text, that is, they are common with the simulations of MDI-QKD presented in Fig. 2 there. As in that figure, two different block sizes are considered, (a) $M = 10^5$ and (b) $M = 10^6$, and various distinct adversarial scenarios are included. The reader is referred to the discussion of Fig. 2 in the main text for a comment on the results presented in Supplementary Figure 6 (such discussion is common to both figures).

$A_1$: (a) The total sifting information, $\{\mathrm{sift}_j\}_{j=1}^{n_q}$. (b) The syndrome information, $\mathrm{sy}_B$, a description of $h_{EV}$ and the EV tag, $h_{EV,B}$. (c) A description of $h_{\rm PA}$.
) and $|\tilde{X}_{a,b}| = e^{a+b}|X_{a,b}|/p_{a,b,X}$.
$\bar{\Gamma}_{a,b} = e^{a+b}\,\bar{\Delta}(|X_{a,b}|, \varepsilon_{a,b})/p_{a,b,X}$ and $\Gamma_{a,b} = e^{a+b}\,\Delta(|X_{a,b}|, \varepsilon_{a,b})/p_{a,b,X}$. The functions $\Delta(x, y)$ and $\bar{\Delta}(x, y)$ are defined in Supplementary Note 8. There, we explain the technique we use to relate the observed set sizes, $|X_{a,b}|$, with their expected values, in order to set statistical bounds on the latter. Case 2: $(a_0 + a_1)/(a'_0 + a'_1) \le (b_0 + b_1)/(b'_0 + b'_1)$.
with $\bar{\Gamma}_{a,b} = e^{a+b}\,\bar{\Delta}(e_{a,b}, \varepsilon_{a,b})/p_{a,b,X}$ and $\Gamma_{a,b} = e^{a+b}\,\Delta(e_{a,b}, \varepsilon_{a,b})/p_{a,b,X}$. Also, we remind the reader that, for every $a, b \in A$, $e_{a,b}$ is the observed number of bit errors in the set $X_{a,b}$.

FIG. 4: Supplementary Figure 2. Schematic of the decoy-state MDI-QKD setup. Alice (Bob) holds a laser source that emits PR-WCPs in any of the four BB84 states, defined by a polarization setting $i$ ($j$) $\in \{1, 2\}$ and a basis setting $\theta_A$ ($\theta_B$) $\in \{0, \pi/4\}$. An intensity modulator (IM) selects the amplitude $|\alpha|$ ($|\beta|$) of Alice's (Bob's) laser pulse. The overall one-sided efficiency is denoted by $\eta = \eta_{\rm ch}\eta_{\rm det}$, where $\eta_{\rm det}$ is the detector efficiency (set to a common value for all the photo-detectors) and $\eta_{\rm ch} = 10^{-\alpha L/10}$ is the transmission efficiency, $\alpha$ (dB/km) being the attenuation coefficient of the channel and $L$ (km) being the common transmission length between each party and the central node. The angle $\delta_A$ ($\delta_B$) $\ge 0$ denotes the polarization misalignment occurring in the left (right) arm of the setup (denoted by $\delta_{\rm mis}$ in Eq. (64)) and the symbol "⊗" stands for polarizing beam-splitter (PBS). Blue color is used for the intensities $|\xi^{i,j}_w|^2$ that arrive at the detectors ($w \in \{1, 2, 3, 4\}$). Each detector has an "arm index" $s_w \in \{1, 2\}$ that specifies whether it is on the right arm ($s_w = 1$) or the left arm ($s_w = 2$) of the detection scheme, and a polarization index $k_w \in \{1, 2\}$ specifying whether it detects the horizontal ($k_w = 1$) or the vertical ($k_w = 2$) component of the pulses coming from the PBSs. For simplicity, this last index is not shown in the figure.

TABLE I: Minimum resources of a distributed QKD post-processing protocol based on conditional VSS, depending on the corruption model of the CP units. While $n_c$ is the total number of units per party, $R$ is the redundancy of each raw key share and $r$ is the number of key shares managed per CP unit from each of its local QKD modules. The number $t_c$ of possibly corrupted units per lab is at least two for the non-collaborative models (AN and PN), as non-collaboration is only defined in this case.
Similarly, all $n_q$ items in $\mathrm{sy}_B$ but the one that comes from the honest QKD pair are possibly known to Eve a priori. If we denote the pair index of the honest QKD pair by "$h$", this implies that only $\mathrm{sy}^*(s^{h*}_B)$ contributes to $C$, together with the error verification tag $h^*_{EV,B}$, whose size is $|h^*_{EV,B}| = \log_2(2/\hat{\varepsilon}_{\rm cor})$ bits. Then, from a chain inequality for smooth entropies [43], $H_{\min}(s^*_B|E') \ge H_{\min}(s^*_B|E) - |C|$ and therefore $\mathrm{sy}^*(s^{1*}_B), \ldots, \mathrm{sy}^*(s^{n_q*}_B)]$.