Abstract
Deviceindependent quantum key distribution (DIQKD) enables the generation of secret keys over an untrusted channel using uncharacterized and potentially untrusted devices^{1,2,3,4,5,6,7,8,9}. The proper and secure functioning of the devices can be certified by a statistical test using a Bell inequality^{10,11,12}. This test originates from the foundations of quantum physics and also ensures robustness against implementation loopholes^{13}, thereby leaving only the integrity of the users’ locations to be guaranteed by other means. The realization of DIQKD, however, is extremely challenging—mainly because it is difficult to establish highquality entangled states between two remote locations with high detection efficiency. Here we present an experimental system that enables for DIQKD between two distant users. The experiment is based on the generation and analysis of eventready entanglement between two independently trapped single rubidium atoms located in buildings 400 metre apart^{14}. By achieving an entanglement fidelity of \( {\mathcal F} \,\ge 0.892(23)\) and implementing a DIQKD protocol with random key basis^{15}, we observe a significant violation of a Bell inequality of S = 2.578(75)—above the classical limit of 2—and a quantum bit error rate of only 0.078(9). For the protocol, this results in a secret key rate of 0.07 bits per entanglement generation event in the asymptotic limit, and thus demonstrates the system’s capability to generate secret keys. Our results of secure key exchange with potentially untrusted devices pave the way to the ultimate form of quantum secure communications in future quantum networks.
Main
Secure communication over public channels requires the users to share a common secret key. Today, this crucial task faces major challenges from quantumbased attacks and implementation vulnerabilities. A promising solution is to use quantum key distribution (QKD), which uses the laws of quantum physics to assess eavesdropping attempts on the public channel^{16,17}. However, in its standard form, QKD is prone to implementation side channels, like all modern information systems^{13,18}. In particular, the security of QKD is also based on the mathematical models of the devices, so it is absolutely essential that the quantum devices are behaving as specified during the protocol execution.
Deviceindependent QKD^{1,2,3,4,5,6,7,8,9} (DIQKD) is an advanced form of QKD. First proposed by Mayers and Yao^{1}, it warrants the proper and secure functioning of the underlying devices by a Bell test^{11}, in which the users only need to analyse their input–output measurement data to establish an upper limit on the amount of information that an eavesdropper could have gained during the protocol. Importantly, this verification step eliminates the need to characterize the quantum devices and hence DIQKD is naturally robust against implementation flaws.
To implement DIQKD, a system is required that distributes highquality entangled states with high detection efficiency between two remote locations. More specifically, the system needs to achieve both high Bell violation and low quantum bit error rate (QBER) to generate secret keys. Stateoftheart systems can achieve high Bell violations between distant particles^{14,19,20,21}, but are not good enough to generate a secret key in the deviceindependent setting^{22}. In a recent effort to relax the system requirements various improved designs of the original DIQKD protocol^{2,3} were introduced, for example, on the basis of noisy preprocessing^{23}, randomized key settings^{15} and random postselection^{24}. Simultaneously to this work, two proofofconcept DIQKD experiments were performed: one demonstrated finitekey distribution over 2 m using trapped ions^{25} and the other verified that a photonic implementation over up to 220 m of fibre is within reach^{26}.
Here, we report on an experimental system that enables DIQKD between two distant users. It combines experimental advances in a previous loopholefree Bell test experiment^{14} with the DIQKD protocol proposed in ref. ^{15}. The quantum channel is formed by two single ^{87}Rb atoms, trapped and manipulated individually in buildings approximately 400 m lineofsight apart. More specifically, entanglement between the two atoms is created through an eventready entanglement swapping scheme, which is performed across a 700 m long optical fibre connecting the two buildings. Substantial improvements in the entanglement quality, entanglement generation rate and noise tolerance of the protocol enable the system to achieve a positive secret key rate (the ratio of achievable secret key length to the total number of heralded events) of 0.07 bits in a fully deviceindependent configuration.
DIQKD protocol
Let us first review the basic assumptions of DIQKD. The two users, Alice and Bob, should (1) each hold a device that is able to receive an input and then respond with an unambiguous output that can be used to generate a secure key (Fig. 1). The communication between their devices is limited to what is necessary to generate a secure key, namely, (2) the users control when their respective devices communicate with each other^{27}; and (3) the devices do not send unauthorized classical information to an eavesdropper. Finally, as it is with any QKD protocol, it is required that (4a) quantum mechanics is correct, (4b) the users’ inputs are private and random and (4c) the users are connected by an authenticated classical channel and use trusted postprocessing methods. For more details, we refer the interested reader to Supplementary Appendix A.
The DIQKD protocol considered here is similar to the original DIQKD protocol^{2,3}, except that two measurement settings are used for key generation instead of one. Importantly, in doing so, the protocol can tolerate more system noise—the critical QBER increases from 0.071 to 0.082 (ref. ^{15}). The protocol considers that Alice and Bob each hold a device, which are connected by a quantum channel (Fig. 1). In each ith of N measurement rounds, one of four different inputs \({X}_{i}\in \{0,1,2,3\}\) is given to Alice’s device, whereas Bob’s device receives one of two possible values \({Y}_{i}\in \{0,1\}\). The input for each round is provided by a trusted local source of randomness. Both devices output two possible values, \({A}_{i}\in \{\uparrow ,\downarrow \}\) at Alice’s side and \({B}_{i}\in \{\uparrow ,\downarrow \}\) at Bob’s side. The input and output values are recorded and stored in independent, local secured storage.
After N rounds classical postprocessing starts, with Alice and Bob revealing their inputs for each round over an authenticated public channel. For the rounds with differing input settings, that is, \({X}_{i}\in \{2,3\}\) together with \({Y}_{i}\in \{0,1\}\), the outputs are shared over the public channel to compute the Clauser–Horne–Shimony–Holt (CHSH)^{28} value using
where the correlation functions are defined as \({E}_{X,Y}:= {p}_{X,\,Y}^{A=B}{p}_{X,\,Y}^{A\ne B}\). Probabilities of the form \({p}_{X,\,Y}^{A,B}\) are estimated by the ratio \({N}_{X,\,Y}^{A,B}/{N}_{X,Y}\) of the number of rounds with outcomes (A, B) for input combination (X, Y), to the total number of rounds with those inputs. Provided that the devices share a sufficiently entangled state, the Bell inequality can be violated, that is, S > 2.
The raw data are sifted so that only the outputs of measurement rounds with identical input settings are kept for further processing. The QBERs for both key settings are denoted by \({Q}_{0}={N}_{0,0}^{A\,=\,B}/{N}_{0,0}\) for X_{i} = Y_{i} = 0 and \({Q}_{1}={N}_{1,1}^{A\,=\,B}/{N}_{1,1}\) for X_{i} = Y_{i} = 1. Note that the key pairs are anticorrelated when using anticorrelated entangled states. Both the QBERs (Q_{0}, Q_{1}) and the CHSH value S are used to determine the amount of information about the sifted key that could have been obtained by an eavesdropper^{29}. Next, by applying a technique known as leftover hashing, the eavesdroppers (quantum) information about the final key can be reduced to an arbitrary low level, defined by the security error of the protocol^{30}. In this experiment, we focus on estimating the asymptotic security performance of the considered DIQKD protocol. For this purpose, we note that in the asymptotic limit and in case of a depolarizing quantum channel, positive key rates can be achieved when the expected CHSH value satisfies S > 2.362 (or equivalently, Q < 0.082 with Q_{0} = Q_{1} = Q)^{15}.
Quantum network link
A quantum network link (QNL) generates the entanglement to implement the DIQKD protocol. In our setup, eventready entanglement is generated between two optically trapped single ^{87}Rb atoms located in laboratories 400 m apart and connected by a 700 metre long optical fibre channel (Fig. 2). The atoms act as quantum memories in which a qubit is encoded in the Zeeman substates of the \(5{{\rm{S}}}_{1/2}F=1,{m}_{F}=\pm 1\rangle \) ground state, with m_{F} = +1 and m_{F} = −1 designated as computational basis states, \({\uparrow \rangle }_{z}\) and \({\downarrow \rangle }_{z}\), respectively, and where the quantization axis \(\hat{z}\) is defined by the fluorescence collection setup.
The two distant atoms are entangled using an entanglement swapping protocol^{31}. The sequence starts by synchronously exciting the single atom in each trap to the state \({5}^{2}{{\rm{P}}}_{3/2}F{\prime} =0,{m}_{{F}^{{\prime} }}=0\rangle \); when decaying to the ground state, each of the atomic qubits becomes entangled with the polarization of the respective spontaneously emitted single photon (Fig. 3a). The two photons are then guided to a Bellstate measurement (BSM) setup using twophoton interference. Projection of the photons onto a \({\Psi }^{+}\rangle \) state heralds the creation of the maximally entangled atom–atom state
Given a successful projection, a ‘ready’ signal is sent to the trap setups, initiating the next measurement round for which, depending on input values X_{i} and Y_{i}, the two atomic qubits are independently analysed by stateselective ionization (Fig. 3b)^{32}. There, a particular state of the atomic qubit is ionized and leaves the trap depending on the polarization \(\zeta =\,\cos (\gamma )V+{{\rm{e}}}^{i\varphi }\,\sin (\gamma )H\) of a readout laser pulse (γ = α for Alice’s and γ = β for Bob’s device). If the atom is still in the trap, it is thus projected onto the state
The presence of the atom is then tested using fluorescence collection at 780 nm, which yields the final measurement outcomes A_{i} and B_{i}, respectively. On Alice’s side, the singlephoton detectors of the BSM detect the fluorescence of the atom, whereas on Bob’s side an unbalanced beam splitter directs a small fraction of the florescence light onto a single singlephoton detector (Fig. 2). As the results are reported every time, the detection efficiencies of Alice’s and Bob’s measurements are effectively one. Any component loss or ionization inefficiency contributes to the noise in the quantum channel.
The requirements for DIQKD implementation are less stringent with the newly proposed protocols; however, substantial improvements over existing loopholefree Bell experiments were still required. To that end, we enhanced the entanglement generation rate, coherence of atomic states and entanglement swapping fidelity (Methods).
DIQKD implementation
The independent random inputs to the devices (requirement (4b)) are provided by independent quantum random number generators with a bias lower than 10^{−5} located in each laboratory^{14,33}. At Alice’s side, two random bits are used to select the input, whereas at Bob’s side only one random bit is used, leading to uniformly distributed input combination choices. For the generated entangled state equation (2) and the atomicstate measurement scheme equation (3), the input values \(X\in \{0,1,2,3\}\) convert to measurement angles \(\alpha \in \{{22.5}^{\circ },+\,{22.5}^{\circ },\,{45}^{\circ },{0}^{\circ }\}\) for Alice’s device, whereas \(Y\in \{0,1\}\) translates to \(\beta \in \{+{22.5}^{\circ },\,{22.5}^{\circ }\}\) for Bob’s device. The capability for fast switching between various readout settings is achieved by overlapping multiple readout beams with different polarization and individually controllable intensities^{14}. The outputs \(A,B\in \{\uparrow ,\downarrow \}\) are derived from the fluorescence counts after the stateselective ionization. Finally, the users’ inputs and outcomes are stored in two independent, trusted secure storages (requirement 4c).
Unauthorized incoming and outgoing communication of the laboratories can be prevented with prudent steps (requirements (2) and (3)). Especially on Bob’s side, extra measures are taken to prevent information leakage from the laboratory: a freespace shutter is closed during the readout process to keep the leakage of fluorescence light into the optical fibre and the outside environment to well below one photon per readout event (Fig. 2), and the trap is always emptied before reopening the shutter. Owing to the approximate 5 ms reaction time of the shutter, a spectral filter (10^{−6} transmission at 795 nm) is deployed to block the readout pulse after interacting with the atom and to prevent unintentional transmission of the readout setting. For Alice’s side, such countermeasures are not needed as the BSM setup already serves as a natural blocker^{34}.
System measurements and performance
The inputs and outputs of the devices were recorded for N = 3,342 rounds over a measurement period of 75 h. The resulting output (anti)correlation probabilities for the eight different input combinations, that is, \({N}_{X,\,Y}^{A\,=\,B}/{N}_{X,Y}\) and \({N}_{X,\,Y}^{A\,\ne \,B}/{N}_{X,Y}\), are shown in Fig. 4.
It is instructive to first review the increased performance of the QNL independently of the DIQKD protocol. Here, the figure of merit is the fidelity of the observed entangled atom–atom state relative to a maximally entangled state. By fitting the data (Fig. 4) with sinusoidal functions, the estimated visibility for input combinations X = 2, 0, 3, 1 and Y = 0 (respectively X = 2, 0, 3, 1 and Y = 1) is 0.869(25) (respectively 0.888(45)). Then, averaging the found visibilities and taking into account that a third atomic groundlevel spin state can be populated \(({5}^{2}{{\rm{S}}}_{1/2}F=1,{m}_{F}=0\rangle )\), a lower bound on the fidelity is given by \( {\mathcal F} \ge 0.892(23)\) (ref. ^{35}).
The CHSH value is found to be S = 2.578(75) using equation (1) with E_{2,0} = −0.599(41), E_{3,0} = −0.664(36), E_{2,1} = 0.618(39) and E_{3,1} = −0.697(35). The QBERs are given by the correlation data for X = Y, that is, Q_{0} = 0.0781(127) and Q_{1} = 0.0777(132), which gives an average error rate of Q = 0.078(9). For the considered DIQKD protocol and the uniformly distributed measurement settings, the observed S value and QBER result in a secret key rate of 0.07 bits in the asymptotic limit, out of a maximum achievable value of 0.25—showing that the system is capable of performing DIQKD between two users 400 m apart. To quantify the confidence of this estimate, we assume that underlying input–output probability distributions are independent and identically distributed and use standard Bayesian methods to determine the uncertainties of the estimated parameters. We find that taking the worstcase estimates of S (2.4256), Q_{1} (0.107) and Q_{2} (0.107) using a common probability error of 3% still give a positive rate. We note that, thanks to the highquality entanglement, also the original DIQKD protocol^{2,3} achieves a positive key rate for the observed S and Q_{0} (or Q_{1}), but only for a larger common probability error.
In addition, using stateoftheart finitekey analysis^{30} for the protocol, we find that for a typical security error value of ε_{DI} = 10^{−5} a secure key can be obtained with a minimum block length of 1.75 × 10^{5}, as shown in Fig. 5. Here, ε_{DI} is the security error of the protocol and can be seen as the probability that the protocol fails in its task, for example, that the final key pair is not secret^{36}. In the simulation, we consider collective attacks, an error correction efficiency of 1.15 and uniformly distributed measurement settings for Alice and Bob.
Discussion and outlook
In this work, we present an experimental system that is capable of achieving positive asymptotic key rates between users separated by 400 m lineofsight (700 m fibre length) in a fully deviceindependent setting. Although the current setup outperforms existing loopholefree Bell setups, there are still several areas that require improvements for implementing DIQKD with finitekey security and longer reach.
For one, a higher event rate is required to obtain finitekey security within a practical time. The event rate critically depends on the entanglement generation efficiency and the repetition rate. To increase the former, several improvements are possible, for example, improving the BSM setup fidelity to include the \({\Psi }^{}\rangle \) state projection would increase the entanglement generation rate by a factor of 2. Furthermore, it is possible to scale up the number of atom traps using multidimensional arrays^{37,38,39}, which, combined with time multiplexing techniques^{40}, could increase the event rate by several orders of magnitude (Supplementary Appendix H).
Another direction is to improve the reach of the QNL. Here, a limiting factor is attenuation loss of the 780 nm photons in long optical fibres, which is already 50% for a 700 m long link. To overcome losses in longer fibre links, a promising solution is to convert the entangled single photons to the lowloss telecom band by polarizationpreserving quantum frequency conversion^{32}. Recent results demonstrate extension of the QNL to 33 km fibre length^{35} and show that highquality entanglement over distances up to 100 km is achievable.
In summary, our results represent a major step towards the goal of ultimate secure communication based solely on the laws of physics. They indicate that stateoftheart quantum links are capable of generating secret keys. Moreover, they show that future quantum networks distributing entanglement between their nodes can harness this quantum advantage, making DIQKD the standard for secure communications.
Methods
Increased entanglement generation rate
Customdesigned highnumerical aperture objectives are installed in each trap to increase the singlephoton collection efficiency by a factor greater than 2.5. This ultimately leads to an atom–atom entanglement generation efficiency of 0.49 × 10^{−6} following an excitation attempt. Together with a duty cycle of approximately ½ and a repetition rate of the entanglement generation tries of 52 kHz, this results in an event rate of 1/82 s^{−1}. Note that for eventready entanglement generation schemes the repetition rate of the experiment is limited by the communication times between the two devices and the BSM^{35}. For DIQKD protocols, this results in a tradeoff between the maximum separation of the users and the achieved secret key rate.
Atomic coherence time
The coherence and stability of the atomic qubit states are limited by the fluctuations of local magnetic fields and positiondependent vector light shifts, which are introduced by the tight focus of the optical dipole traps. The latter is especially crucial as it enables a highfidelity state measurement only when the atom has completed a full transverse oscillation in the trap^{42}. Here, the better optical components of the new collection setup, which is also used to focus the trapping laser, improve the spatial symmetry of the trapping potential and thereby enable a better cancellation of dephasing effects. In combination with lowering the atom temperatures and applying a magnetic bias field, this extends the coherence time to approximately 330 μs. This results in a lower bound on the atom–photon entanglement fidelity of 0.952(7) and 0.941(7) (relative to a maximally entangled state) for Alice’s and Bob’s setups, respectively. We refer the interested reader to Supplementary Appendix B for more details.
BSM fidelity
The quality of the entangled atom–atom state is further improved by optimizing the twophoton interference of the BSM on the basis of a rigorous analysis of the atom–photon entanglement generation process. Here, the multilevel structure of ^{87}Rb, the finite duration of the excitation pulse and experimental imperfections lead to the possibility of twophoton emission from one atom. Crucially, these multiphoton events reduce the fidelity of the BSM result. To overcome this, only photons that are emitted after the end of the previous excitation pulse are accepted in the BSM. This time filtering reduces the entanglement generation rate by a factor of 4 (resulting in the entanglement generation rate mentioned before), but greatly increases the fidelity of the generated state (see Supplementary Appendix C for more details).
Data availability
The datasets generated and/or analysed during the experiment are available from the corresponding authors on reasonable request.
Code availability
The code supporting the plots within this paper is available from the corresponding authors upon reasonable request.
References
Mayers, D. and Yao, A. Quantum cryptography with imperfect apparatus. In Proc. 39th Annual Symposium on Foundations of Computer Science 503–509 (IEEE, 1998).
Acn, A. et al. Deviceindependent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007).
Pironio, S. Deviceindependent quantum key distribution secure against collective attacks. New J. Phys. 11, 045021 (2009).
Barrett, J., Hardy, L. & Kent, A. No signaling and quantum key distribution. Phys. Rev. Lett. 95, 010503 (2005).
Reichardt, B. W., Unger, F. & Vazirani, U. Classical command of quantum systems. Nature 496, 456–460 (2013).
Lim, C. C. W., Portmann, C., Tomamichel, M., Renner, R. & Gisin, N. Deviceindependent quantum key distribution with local Bell test. Phys. Rev. X 3, 031006 (2013).
Vazirani, U. & Vidick, T. Fully deviceindependent quantum key distribution. Phys. Rev. Lett. 113, 140501 (2014).
Miller, C. A. & Shi, Y. Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices. J. ACM 63, 1–63 (2016).
ArnonFriedman, R. et al. Practical deviceindependent quantum cryptography via entropy accumulation. Nat. Commun. 9, 459 (2018).
Bell, J. S. On the Einstein Podolsky Rosen paradox. Phys. Phys. Fizik. 1, 195–200 (1965).
Brunner, N., Cavalcanti, D., Pironio, S., Scarani, V. & Wehner, S. Bell nonlocality. Rev. Mod. Phys. 86, 419–478 (2014).
Scarani, V. Bell Nonlocality (Oxford Univ. Press, 2019).
Xu, F., Ma, X., Zhang, Q., Lo, H.K. & Pan, J.W. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92, 025002 (2020).
Rosenfeld, W. et al. Eventready Bell test using entangled atoms simultaneously closing detection and locality loopholes. Phys. Rev. Lett. 119, 010402 (2017).
Schwonnek, R. et al. Deviceindependent quantum key distribution with random key basis. Nat. Commun. 12, 2880 (2021).
Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. Theor. Comput. Sci. 560, 7–11 (2014).
Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661663 (1991).
Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
Hensen, B. et al. Loopholefree Bell inequality violation using electron spins separated by 1.3 kilometres. Nature 526, 682–686 (2015).
Giustina, M. et al. Significantloopholefree test of Bell’s theorem with entangled photons. Phys. Rev. Lett. 115, 250401 (2015).
Shalm, L. K. et al. Strong loopholefree test of local realism. Phys. Rev. Lett. 115, 250402 (2015).
Murta, G. et al. Towards a realization of deviceindependent quantum key distribution. Quantum Sci. Technol. 4, 035011 (2019).
Ho, M. et al. Noisy preprocessing facilitates a photonic realization of deviceindependent quantum key distribution. Phys. Rev. Lett. 124, 230502 (2020).
Xu, F., Zhang, Y.Z., Zhang, Q. & Pan, J.W. Deviceindependent quantum key distribution with random postselection. Phys. Rev. Lett. 128, 110506 (2022).
Nadlinger, D. P. et al. Experimental quantum key distribution certified by Bell's theorem. Nature https://doi.org/10.1038/s41586022049415 (2002).
Liu, W.Z. et al. Photonic verification of deviceindependent quantum key distribution against collective attacks. Preprint at https://arxiv.org/abs/2110.01480 (2021).
ArnonFriedman, R., Renner, R. & Vidick, T. Simple and tight deviceindependent security proofs. SIAM J. Comput. 48, 181–225 (2019).
Clauser, J. F. et al. Proposed experiment to test local hiddenvariable theories. Phys. Rev. Lett. 23, 880884 (1969).
Renner, R. Security of quantum key distribution. Int. J. Quantum Inf. 6, 1–127 (2008).
Tan, E. Y. Z. et al. Improved DIQKD protocols with finitesize analysis. Preprint at https://arxiv.org/abs/2012.08714 (2020).
Hofmann, J. et al. Heralded entanglement between widely separated atoms. Science 337, 72–75 (2012).
van Leent, T. et al. Longdistance distribution of atomphoton entanglement at telecom wavelength. Phys. Rev. Lett. 124, 010510 (2020).
Fürst, M. High speed optical quantum random number generation. Opt. Express 18, 1302913037 (2010).
Braunstein, S. L. & Pirandola, S. Sidechannelfree quantum key distribution. Phys. Rev. Lett. 108, 130502 (2012).
van Leent, T. et al. Entangling single atoms over 33 km telecom fibre. Nature https://doi.org/10.1038/s41586022047644 (2022).
Portmann, C. & Renner, R. Security in quantum cryptography. Preprint at https://arxiv.org/abs/2102.00021 (2021).
Endres, M. et al. Atombyatom assembly of defectfree onedimensional cold atom arrays. Science 354, 1024–1027 (2016).
Barredo, D., De Léséleuc, S., Lienhard, V., Lahaye, T. & Browaeys, A. An atombyatom assembler of defectfree arbitrary twodimensional atomic arrays. Science 354, 1021–1023 (2016).
Ohl de Mello, D. et al. Defectfree assembly of 2D clusters of more than 100 singleatom quantum systems. Phys. Rev. Lett. 122, 203601 (2019).
Schupp, J. et al. Interface between trappedion qubits and traveling photons with closetooptimal efficiency. PRX Quantum 2, 020331 (2021).
Volz, J. et al. Observation of entanglement of a single photon with a trapped atom. Phys. Rev. Lett. 96, 030404 (2006).
Rosenfeld, W. Experiments with an Entangled System of a Single Atom and a Single Photon. PhD thesis, LudwigMaximiliansUniversität München (2008).
Acknowledgements
We thank I. W. Primaatmaja, E. Y.Z. Tan and K. T. Goh for useful inputs and discussions. W.Z., T.v.L., K.R., R.G., F.F., S.E., W.R. and H.W. acknowledge funding by the German Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung (BMBF)) within the project Q.Link.X (16KIS0880), QR.X (16KISQ002) the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy (EXC2111–390814868) and the Alexander von Humboldt foundation. C.C.W.L. and R.S. are funded by the National Research Foundation, Singapore, under its NRF Fellowship programme (NRFF1120190001) and NRF Quantum Engineering Programme 1.0 (QEPP2). V.S. and C.C.W.L. acknowledge support from the National Research Foundation and the Ministry of Education, Singapore, under the Research Centres of Excellence programme.
Author information
Authors and Affiliations
Contributions
C.C.W.L. proposed the project and collaboration. W.Z., T.v.L., R.G., K.R., R.S., W.R., C.C.W.L. and H.W. designed the experiment. W.Z., T.v.L. and R.G. performed the experiments, together with F.F. and S.E. T.v.L. analysed the data. R.S. and C.C.W.L. performed the key rate simulations. T.v.L., K.R., C.C.W.L., V.S. and H.W. wrote the manuscript based on input from all other authors.
Corresponding authors
Ethics declarations
Competing interests
The authors declare no competing interests.
Peer review information
Peer review information
Nature thanks Lynden Shalm and the other, anonymous, reviewer(s) for their contribution to the peer review of this work.
Additional information
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Supplementary Information
Supplementary figures, Appendices A–H, tables and references.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Zhang, W., van Leent, T., Redeker, K. et al. A deviceindependent quantum key distribution system for distant users. Nature 607, 687–691 (2022). https://doi.org/10.1038/s4158602204891y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1038/s4158602204891y
Further reading

Quantum entanglement provides a key to improved security
Nature (2022)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.