Abstract
Recently, to bridge the gap between security of Measurementdeviceindependent quantum key distribution (MDIQKD) and a high key rate, a novel protocol, the socalled detectordeviceindependent QKD (DDIQKD), has been independently proposed by several groups and has attracted great interest. A higher key rate is obtained, since a single photon bell state measurement (BSM) setup is applied to DDIQKD. Subsequently, Qi has proposed two attacks for this protocol. However, the first attack, in which Bob’s BSM setup is assumed to be completely a “black box”, is easily prevented by using some additional monitoring devices or by specifically characterizing the BSM. The second attack, which combines the blinding attack and the detector wavelengthdependent efficiency, is not explicitly discussed, and its feasibility is not experimentally confirmed. Here, we show that the second attack is not technically viable because of an intrinsically wavelengthdependent property of a realistic beam splitter, which is an essential component in DDIQKD. Moreover, we propose a feasible attack that combines a wellknown attack—detector blinding attack with intrinsic imperfections of singlephoton detectors. The experimental measurement and proofofprinciple test results confirm that our attack can allow Eve to get a copy of quantum keys without being detected and that it is feasible with current technology.
Introduction
Quantum key distribution (QKD) enables two legitimate parties, usually called Alice and Bob, to share a private key through a quantum channel, which is possible in the presence of an eavesdropper, Eve^{1, 2}. Ideal QKD protocols, guaranteed by the laws of quantum mechanics, have been proved to be unconditionally secure without imposing any restrictions on the computational power of Eve^{3, 4}. However, reallife implementations of QKD inevitably contain certain imperfections leaving some vulnerable loopholes (the socalled side channels). Indeed, such loopholes have been exploited by Eve and have led to various subtle attacks for reallife QKD systems^{5,6,7,8,9,10,11,12,13,14,15,16}. For example, in the security proof of QKD, a key assumption is that two legitimate parties encode their signals without errors, which is violated in a real QKD system. Xu et al. have experimentally shown that Eve can exploit such loopholes to launch a phaseremapping attack to steal secure keys without being detected^{10}. See ref. 17 for a recent review.
To build loopholefree QKD systems, the one crucial solution is to develop deviceindependent QKD protocols^{18,19,20}, which can remove all loopholes due to imperfect devices. Among them, the measurementdeviceindependent (MDI) QKD protocol, which is more practical in comparison to other deviceindependent protocols, has received great attention. MDIQKD can automatically remove all side channels from measurement apparatus, which are undoubtedly the most critical part of QKD systems. Several groups have experimentally demonstrated the practicality of MDIQKD with current technology^{21,22,23,24,25,26,27}. Ref. 28 is a recent review on this topic. However, setups of MDIQKD, which require a twophoton interference from two individual lasers, are rather complicated and lead to a lower key rate comparing to conventional QKD, such as decoystate BB84 QKD^{29, 30}.
Recently, to bridge the gap between security of MDIQKD and a high key rate, a novel protocol, the socalled detectordeviceindependent QKD (DDIQKD)^{31}, has been independently proposed by several groups and has attracted great interest^{32,33,34}. Instead of exploiting twophoton interference in MDIQKD, this protocol utilizes an untrusted singlephoton Bell state measurement (BSM) setup^{35}. Consequently, as declared in DDIQKD, it can still be immune to all detector sidechannel attacks, which is the major advantage of MDIQKD, with a comparable performance of conventional QKD. Subsequently, Qi reported two attacks for this protocol and showed that additional assumptions on the BSM setup are required to reach the claimed DDIQKD security level^{36}. To launch the first attack, the BSM located inside Bob’s laboratory is assumed to be completely a “black box” (as the security assumption claimed in refs 32,33,34), which led to leak of “unwanted” information to Eve. Nevertheless, this attack is easily removed by either introducing additional apparatus to monitor Bob’s input signals^{32} or specifically characterizing the BSM^{34}. The second attack (we call it the wavelengthdependent attack since it exploits the detector wavelengthdependent efficiency), combining a wellknown detector blinding attack and the detector wavelengthdependent efficiency, allows Eve to learn the total key string without introducing any errors. In the attack, Eve employs bright light to blind Bob’s detectors and then controls which detector clicks by carefully tailoring the wavelength of a superimposed bright pulse into the bright light. If detectors in the BSM have different wavelengthdependent efficiencies, Eve exploits such an imperfection to cover unusual doubleclick rate s caused by her attack. However, ref. 36 does not explicitly discuss the second attack. For example, how can Eve blind four detectors? More importantly, it is unknown whether the attack employing the detector wavelengthdependent efficiency is experimentally feasible. We note that, more recently, a simple implementation of DDIQKD has been experimentally reported^{37}.
Here, we show that the wavelengthdependent attack in ref. 36 is not technically viable because of the harm caused by an intrinsically wavelengthdependent property of a realistic beam splitter, which is an essential component in DDIQKD. Moreover, we propose a feasible attack, the same as the wavelengthdependent attack that is based on the wellknown detectorblinding attack. We explain how Eve blind four detectors in detail. To avoid an unusual doubleclick rate, different from the wavelengthdependent attack, we utilize another imperfection that two practically blinded detectors respond differently to the same blinding power. Our experimental measurement and proofofprinciple test results confirm that our attack can allow Eve to get a copy of a quantum key without being detected and that it is feasible with current technology. We remark that our attack is not against the wavelengthdependent attack; strictly speaking, we propose an alternative solution to the problem of double clicks in the wavelengthdependent attack and experimentally confirm its feasibility.
Results
DDIQKD
In DDIQKD (as shown in Fig. 1(a)), Alice generates a single photon in one of the four BB84 polarization states ψ _{ A }〉_{ p } and then sends it to Bob over an insecure quantum channel. Once Bob receives the photon, he exploits a trusted linear optical network (LON), which includes some linear optical components for manipulating the state of an incoming photon, to encode his random bit ψ _{ B }〉_{ s } in a different degree (say spatial) of freedom of the photon. Afterwards, the photon is detected by an untrusted singlephoton BSM setup, which is considered to be a “black box” (this means that the BSM, for the worst case, is controlled by Eve), and the measurement result is reported to Bob. Finally, through an authenticated classical channel, Bob broadcasts, which photons have a successful BSM click together with the corresponding Bell state gained and the basis information. Then, Alice and Bob estimate the quantum bit error rate (QBER) for the data where they choose the same basis. If the QBER is below the secure threshold, they perform error correction and privacy amplification to distill the secure key. To clearly describe our attack, we use the proposed protocol in ref. 33 as an example. The implementation of the protocol is shown in Fig. 1(b). To encode the information in the spatial mode, Bob sends the receiving photon to a 50/50 beam slitter (BS) and applies a phase φ _{ B } on the lower arm (represented by l) by a phase modulator (PM). A singlephoton BSM setup contains a halfwave plate (HWP) on the upper arm (represented by u), followed by a 50/50 BS to combine the two arms, and two polarizing beam splitters (PBSs) followed by four singlephoton detectors (SPDs). With this structure shown in Fig. 1(b), a click on each SPD denotes the projection on one of the Bell states. In practice, Alice prepares ψ _{ A }〉_{ p } by generating phaserandomized weak coherent pulses which can be modelled as Poissonian (with parameter μ) mixture of photon number states in different BB84 polarization states^{1, 2, 29}. The density matrix of the state can be written as \({\rho }_{A}={\sum }_{i=0}^{\infty }\frac{{\mu }^{i}}{i!}{e}^{\mu }i\rangle \langle i\), where i〉 〈i is the density matrix of the i–photon state for i = 0, 1, …. When μ is small, the contribution of the n = 1 state to a mixture of the photon number states dominates that of the n > 2 multiphoton states. Although the possible implementations of the DDI protocol in refs 32,33,34 are somewhat different, our attack is feasible on all of them since they all employ four SPDs to perform the BSM.
Wavelengthdependent attack
To highlight the feasibility of our proposed attack, first, we show that the wavelength attack is failed because of its applied strategy (the detector wavelengthdependent efficiency) to remove an unusual doubleclick rate. As discussed in the wavelengthdependent attack^{36} or a similar analysis in the following subsection 2, Eve could use the imperfectiondetector wavelengthdependent efficiency in the BSM to deal with an unusual doubleclick rate resulted by detector controlling, i. e., Eve could reduce the doubleclick rate by carefully tailoring the wavelength of the superimposed light. This solution will work well if all fiberoptic components in Bob’s laboratory are wavelengthindependent. Unfortunately, in practice, a part of the fiberoptic components, such as BSs and PMs, are wavelengthdependent and affect which detector clicks with the varying wavelength of the superimposed light. For instance, a realistic BS is generally manufactured using fused biconical taper technology, and the coupling ratio is commonly wavelengthdependent. Figure 2 shows the relationship between the wavelength of a source and the coupling ratio of a fused biconical taper 50/50 BS. The coupling ratio can be easily checked to vary nonlinearly with the wavelength, and the optimal coupling ratio is reached at the central wavelength of 1550 nm. For simplicity, in the wavelengthdependent attack, to reduce the unusual doubleclick rate, the imperfection should satisfy that the detector D _{2}(D _{3}) clicks at the central wavelength and detector D _{1}(D _{4}) clicks at a different wavelengths λ with an unbalanced coupling ratio r. Here, we define r = P _{ i }/(P _{ i } + P _{ j }), where \(i\in \{u,a\}\) and \(j\in \{l,b\}\) represent the paths of BS in Fig. 1b. Suppose that the superimposed light that Eve resends to Bob are in the form 2α _{ e }〉, according to DDIQKD (a similar and detailed procedure is shown in following subsection 2), the intensities arriving at different detectors in the wavelengthdependent attack can be expressed as
where φ _{ e } and φ _{ B } represent the phase choices of Eve and Bob, respectively, and D _{ i }, with \(i\in \{1,2,3,4\}\), denote Bob’s detectors. From Eq. (1), we know that the intensities arriving at each detector are extremely dependent on the coupling ratio r. With random phase modulations, the counts of the four detectors are distributed evenly only if the coupling ratio r equals 0.5. For a sharp comparison, we suppose that r = 1 corresponds to the wavelength λ = 1260 nm in Fig. 2. Eq. (1) converts into
The light only arrives at the two detectors at the output a regardless of the basis choice of Bob and Alice. Consequently, Bob can easily detect the wavelengthdependent attack by checking whether the four detectors respond equally to the four Bell states.
Proposed attack
Our proposed attack can be summarized with the following three steps:
Step 1  Detector blinding
In DDIQKD, Alice prepares randomly quantum signals in the X or Y basis at a singlephoton level. However, in our attack, Eve employs bright light 2β _{ e }〉_{ α } in the Z basis to force Bob’s detectors into the socalled linear mode^{8}, where the subscript α denotes an eigenstate in the Z basis. In detail, Eve intercepts Alice’s signals and then sends bright light 2β _{ e }〉_{ H } (for simplicity, we assume the polarization of Eve’s light horizontal) to Bob. By using the LON, Bob can yield the BB84 states \({{\psi }_{B}\rangle }_{s}=(iu\rangle +{e}^{i{\phi }_{B}}l\rangle )/\sqrt{2}\) in spatial modes, where \({\phi }_{B}\in \{0,\pi \mathrm{/2},\pi ,3\pi \mathrm{/2}\}\). Therefore, after passing the LON, 2β _{ e }〉_{ H } becomes \({2{\beta }_{e}\rangle }_{H}\otimes {{\psi }_{B}\rangle }_{s}\). When the light enters the BSM setup, it first is made unitary transformations Hu〉 → Vu〉 and Vu〉 → Hu〉 on the upper arm by the HWP. Hence, the state transforms into \(i{\sqrt{2}{\beta }_{e}u\rangle }_{V}\otimes {e}^{i{\phi }_{B}}{\sqrt{2}{\beta }_{e}l\rangle }_{H}\). After transmitting through the second BS, according to the unitary transformation \(u\rangle \to (ia\rangle +b\rangle )/\sqrt{2}\) and \(l\rangle \to (a\rangle +ib\rangle )\sqrt{2}\), the state can be written as
In Eq. (3), it does not matter which modulated phase is chosen by Bob as the intensities entering the four SPDs are always the same. Thus, by elaborately tailoring the light, Eve can successfully blind Bob’s detectors, forcing the four detectors to work in the socalled linear operation mode. In this mode, the SPDs do not respond to a receiving single photon, but remain sensitive to bright light with a classical optical power threshold P _{ th }. We remark that this is not the only way to blind the detectors; alternative schemes, such as thermal blinding, have been reported^{38,39,40}.
Step 2  Detector controlling
After the blinding process in step 1, Eve performs an interceptresend attack on the signals transmitted from Alice. That is, she intercepts the transmitted signals and measures each of them in one randomly chosen basis from the BB84 bases, and then she prepares a new signal according to her measurement result and sends it to Bob. Bob will get a detection event only if his active basis choice coincides with that of Eve. Here, without any loss of generality, we suppose that Eve resends a superimposed light pulse 2α _{ e }〉_{ R } to control Bob’s detectors, where the subscript R represents the BB84 states \((H\rangle +{e}^{i{\phi }_{e}}V\rangle )/\sqrt{2}\) reprepared by Eve. With a similar analysis in step 1, after passing the LON and the second BS, the state becomes
According to the Eq. (4) above, we can obtain the observed intensity arriving at each of Bob’s four detectors. If Bob and Eve use the same basis, only two out of the four detectors have the same arriving intensity (onehalf of the total intensity). When they have an incompatible basis choice, all the four detectors share the intensity evenly (a quarter of the total intensity). To highlight it, as an example, Table 1 lists the observed intensities arriving at each of Bob’s four detectors when Eve sends +〉 and Bob measures it with different bases. Here, we suppose that the classical optical power threshold of Bob’s blinded detectors P _{ th } meets \({\alpha }^{2}\mathrm{/2} < {P}_{th} < {\alpha }^{2}\). From this table, we easily find that when Bob chooses ±i〉, which is a different basis from Eve, his blinded SPDs cannot have any detection events; when Bob chooses the same basis as Eve, two of his four SPDs may have clicks. However, it will cause an unusual doubleclick rate that ensures Bob is vigilantly aware of the presence of Eve and easily prevents our attack with random bit assignments for double clicks^{41}. Consequently, to successfully perform the attack, it is necessary to find a solution to ensure that only one detector has a click.
Step 3  Reducing the doubleclick rate
To reduce the usual doubleclick rate, in our attack, we apply an intrinsic imperfection of SPDs that real singlephoton detectors respond differently to the same blinding power. As shown in Fig. 3 (see Methods section for the detailed measurement setup), for a particular biased voltage of avalanche photodiodes (APDs) Vbias in two different SPDs, the click thresholds are different. In the original blinding attack, the blinding is caused by the drop of the bias voltage such that the APD operates in the linear mode. Hence, in our measurement, we directly change the bias voltage of the APDs in the two SPDs and record corresponding click thresholds. Especially, with the increase in Vbias, the click threshold curves for the two detectors cross (see the dashed line in Fig. 3). Before the dashed line, the threshold of detector C062 is less than that of detector C061; however, after the dashed line, the threshold of detector C062 is larger than that of detector C061. Hence, Eve can simply choose a combination of P and Vbias before (after) the dashed line, such that a click occurs only on detector C062 (C061) and no click occurs on detector C061 (C062). By doing this, Eve can easily reduce the usual doubleclick rate. To demonstrate the feasibility of our attack, we control the two detectors with two different combinations of P and Vbias. The results are shown in Fig. 4. The values P1 = 1.96 mW and V bias1 = 63.38 V cause a detection event in detector C061, however, never cause it in detector C062. In contrast, the values P2 = 2.7 mW and V bias2 = 59.38 V cause a detection event in detector C062, however, never cause it in detector C061.
It seems that Eve can use another independent imperfection of detectors—detector efficiency mismatch—to reduce an unusual doubleclick rate. However, there is no concrete proof that the detector still has the efficiency mismatch when it works in the linear mode. It is worth noting that DDIQKD is naturally secure against a timeshift attack^{7}, which is based on the fact that two practical SPDs have detectionefficiency mismatch in time domain and each SPD denotes respectively one of bits 0 and 1. However, such criterion are not suitable in DDIQKD, in which the bits each SPD denotes is varying with Alice’s and Bob’s chosen bases. A related scheme^{42}, in which Alice and Bob will get conclusive bits only when they used the different basis for measurement, is strongly similar to DDIQKD and is also immune to the timeshift attack. However, our attack is still working for this scheme, that is, detector will keep silence when Bob’s active basis choice did not coincide with that of Eve.
Schematics of hacking scheme
Figure 5 shows the proposed hacking scheme. Eve consists of copies of Alice (Alice’) and Bob (Bob’), which share bit and basis settings and a blinding laser. To perform our attack, Eve intercepts the state of Alice and randomly measures it in one of the two bases X and Y using the same devices as Bob. Eve then prepares new signals with detection results and the chosen basis from Bob’, overlaps them to a continuouswave blinding laser which keeps Bob blind via an optical coupler C. Such detector blinding procedure and detector controlling have been successfully tested in QKD systems under laboratory or realistic condition^{9, 43}. The critically implemented part of our attack is whether Eve can prepare the new signals to make only one of detectors in Bob have clicks. As we analyse in step 3, the answer is “yes”. For simplicity, suppose that Eve wants to force a click only on detector D _{1} and no click on detector D _{2} illustrated in Fig. 1(b). If the behaviour of the detector D _{1} (D _{2}) coincides with the red (black) curves illustrated in Fig. 3, the values P = 1.96 mW and V bias = 63.38 V are an combination that meet the requirements. Similarly, if P = 2.7 mW and V bias = 59.38 V, Eve can cause a detection event in detector D _{2}, however, never cause it in detector D _{1}. The corresponding experimental tests for these examples are shown in Fig. 4. In our experiment, a full demonstration of the proposed hacking scheme has not been performed. The detector blinding procedure, which had been successfully tested in previous works, has not been repeated. The detector controlling, proofing that Eve can reduce usual doubleclick rates, has been performed. It worth mentioning that, although the results shown in Fig. 3 are gained by measuring a homemade detector circuit, we note that, in a recent work, Huang et al.^{44} show that SPDs in commercial QKD system Clavis2 have similar behaviours. Futhermore, our attack is valid for the scheme proposed in ref. 34. It is easy to check that the intensities arriving at Bob’s four detectors are the same if the initial polarization of the bright light of Eve is \(R\rangle =(H\rangle +V\rangle )/\sqrt{2}\). By careful tailoring the intensities of the bright light and superimposed light pulse according to steps 2 and 3, Eve can successfully hack the scheme without being detected.
Discussion
In summary, we show that the wavelengthdependent attack in ref. 36 is not technically viable because of an intrinsically wavelengthdependent property of a realistic beam splitter, which is an essential component in DDIQKD. Moreover, we propose a feasible attack, the same as the wavelengthdependent attack that is based on the wellknown detectorblinding attack. We explain how Eve blinds four detectors in detail. To avoid an abnormal doubleclick rate, different from the wavelengthdependent attack, we utilize another imperfection in real singlephoton detectors. An experimental measurement and a proofofprinciple test are performed, and their results confirm that our attack is feasible with current technology. To prevent our attack as well as the wavelengthdependent attack, one specific countermeasure is that Bob introduces additional filtering and monitoring devices with the same idea of QKD with an untrusted source for plug & play system^{45}. Another countermeasure is the socalled randomdetector efficiency, in which the efficiency of SPDs is randomly varied^{46}. We remark that while DDIQKD is not strictly secure as MDIQKD, it is more secure than traditional QKD protocols, such as BB84, and is the best for certain practical applications.
Methods
Measurement method
Figure 6(a) shows the detector circuit diagram in our experiment. The APD is biased by a high voltage from analog tap T1 with a biased resistance of 1 MΩ. Tap T2 is an analog tap of avalanche signals with a load resistance of 50 Ω. We do not reengineer exact detector circuit in commercial SPDs, which contain filter circuits and a fast comparator. Figure 5(b) shows the measurement setup used to measure intrinsic imperfections of APDs. To produce trigger pulses, a laser diode sends light pulses, and then they are attenuated by an intensity modulator controlled by directly applying the pulsed voltage from a function generator (Tektronix AFG3022C). The detector blinding is simulated by directly applying a high voltage for tap T1 from a homemade DC power. An amplifier discriminator (ORTEC 9302) and an oscilloscope (Tektronix TDS 2024B) are used to monitor the avalanche signals. The two APDs are both from Princeton Lightwave. The breakdown voltage of the first APD (Serial number 1444C061), denoted as C061 in Fig. 3, is 72.41 V at 25 °C, and that of the second APD (Serial number 1444C062), denoted as C062, is 71.25 V at 25 °C. In the imperfection measurement, we record the click threshold in the biased voltage range from 56 V to 66 V, at which the APD works in the linear mode. The measurement results are shown in Fig. 3. In the feasibility test, we choose two points beside the dashed line and record whether the APDs have a click event as shown in Fig. 4.
Additional information
Publisher's note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
 1.
Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, vol. 175 (New York, 1984).
 2.
Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002).
 3.
Lo, H.K. & Chau, H. F. Unconditional security of quantum key distribution over arbitrarily long distances. Science 283, 2050–2056 (1999).
 4.
Shor, P. W. & Preskill, J. Simple proof of security of the bb84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441–444 (2000).
 5.
Makarov, V. & Hjelme, D. R. Faked states attack on quantum cryptosystems. J. Mod. Optic. 52, 691–705 (2005).
 6.
Makarov, V., Anisimov, A. & Skaar, J. Effects of detector efficiency mismatch on security of quantum cryptosystems. Phys. Rev. A 74, 022313 (2006).
 7.
Zhao, Y., Fung, C.H. F., Qi, B., Chen, C. & Lo, H.K. Quantum hacking: Experimental demonstration of timeshift attack against practical quantumkeydistribution systems. Phys. Rev. A 78, 042333 (2008).
 8.
Lydersen, L. et al. Hacking commercial quantum cryptography systems by tailored bright illumination. Nat. Photon. 4, 686–689 (2010).
 9.
Xu, F., Qi, B. & Lo, H.K. Experimental demonstration of phaseremapping attack in a practical quantum key distribution system. New J. Phys. 12, 113026 (2010).
 10.
Jain, N. et al. Device calibration impacts security of quantum key distribution. Phys. Rev. Lett. 107, 110501 (2011).
 11.
Li, H.W. et al. Attacking a practical quantumkeydistribution system with wavelengthdependent beamsplitter and multiwavelength sources. Phys. Rev. A 84, 062308 (2011).
 12.
Sun, S.H., Jiang, M.S. & Liang, L.M. Passive faradaymirror attack in a practical twoway quantumkeydistribution system. Phys. Rev. A 83, 062331 (2011).
 13.
Liu, W.T., Sun, S.H., Liang, L.M. & Yuan, J.M. Proofofprinciple experiment of a modified photonnumbersplitting attack against quantum key distribution. Phys. Rev. A 83, 042326 (2011).
 14.
Sun, S.H., Gao, M., Jiang, M.S., Li, C.Y. & Liang, L.M. Partially random phase attack to the practical twoway quantumkeydistribution system. Phys. Rev. A 85, 032304 (2012).
 15.
Tang, Y.L. et al. Source attack of decoystate quantum key distribution using phase information. Phys. Rev. A 88, 022308 (2013).
 16.
Bugge, A. N. et al. Laser damage helps the eavesdropper in quantum cryptography. Phys. Rev. Lett. 112, 070503 (2014).
 17.
Lo, H.K., Curty, M. & Tamaki, K. Secure quantum key distribution. Nat. Photon. 8, 595–604 (2014).
 18.
Acn, A. et al. Deviceindependent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007).
 19.
Lo, H.K., Curty, M. & Qi, B. Measurementdeviceindependent quantum key distribution. Phys. Rev. Lett. 108, 130503 (2012).
 20.
Braunstein, S. L. & Pirandola, S. Sidechannelfree quantum key distribution. Phys. Rev. Lett. 108, 130502 (2012).
 21.
Ferreira da Silva, T. et al. Proofofprinciple demonstration of measurementdeviceindependent quantum key distribution using polarization qubits. Phys. Rev. A 88, 052303 (2013).
 22.
Liu, Y. et al. Experimental measurementdeviceindependent quantum key distribution. Phys. Rev. Lett. 111, 130502 (2013).
 23.
Rubenok, A., Slater, J. A., Chan, P., LucioMartinez, I. & Tittel, W. Realworld twophoton interference and proofofprinciple quantum key distribution immune to detector attacks. Phys. Rev. Lett. 111, 130501 (2013).
 24.
Tang, Z. et al. Experimental demonstration of polarization encoding measurementdeviceindependent quantum key distribution. Phys. Rev. Lett. 112, 190503 (2014).
 25.
Tang, Y.L. et al. Measurementdeviceindependent quantum key distribution over 200 km. Phys. Rev. Lett. 113, 190501 (2014).
 26.
Tang, Z., Wei, K., Bedroya, O., Qian, L. & Lo, H.K. Experimental measurementdeviceindependent quantum key distribution with imperfect sources. Phys. Rev. A 93, 042308 (2016).
 27.
Valivarthi, R. et al. Measurementdeviceindependent quantum key distribution: from idea towards application. Journal of Modern Optics 62, 1141–1150 (2015).
 28.
Feihu, X., Curty, M., Bing, Q. & HoiKwong, L. Measurementdeviceindependent quantum cryptography. IEEE. J. Sel. Top. Quant 21, 148–158 (2015).
 29.
Lo, H.K., Ma, X. & Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).
 30.
Wang, X.B. Beating the photonnumbersplitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005).
 31.
Ma, X. & Lütkenhaus, N. Improved data postprocessing in quantum key distribution and application to loss thresholds in device independent qkd. Quant. Inf. Comput. 12, 203–214, URL http://www.rintonpress.com/xxqic12/qic1234/02030214.pdf (2012).
 32.
Cao, W.F. et al. Highly efficient quantum key distribution immune to all detector attacks. arXiv:1410.2928 (2014).
 33.
Lim, C. C. W. et al. Detectordeviceindependent quantum key distribution. Appl. Phys. Lett. 105, 221112 (2014).
 34.
González, P. et al. Quantum key distribution with untrusted detectors. Phys. Rev. A 92, 022337 (2015).
 35.
Walborn, S. P., Pádua, S. & Monken, C. H. Hyperentanglementassisted bellstate analysis. Phys. Rev. A 68, 042313 (2003).
 36.
Qi, B. Trustworthiness of detectors in quantum key distribution with untrusted detectors. Phys. Rev. A 91, 020303 (2015).
 37.
Liang, W.Y. et al. Simple implementation of quantum key distribution based on singlephoton bellstate measurement. Phys. Rev. A 92, 012319 (2015).
 38.
Lydersen, L. et al. Thermal blinding of gated detectors in quantum cryptography. Opt. Express 18, 27938–27954 (2010).
 39.
Wiechers, C. et al. Aftergate attack on a quantum cryptosystem. New J. Phys. 13, 013043 (2011).
 40.
Jiang, M.S. et al. Intrinsic imperfection of selfdifferencing singlephoton detectors harms the security of highspeed quantum cryptography systems. Phys. Rev. A 88, 062335 (2013).
 41.
Beaudry, N. J., Moroder, T. & Lutkenhaus, N. Squashing models for optical measurements in quantum communication. Phys. Rev. Lett. 101, 093601 (2008).
 42.
Ma, X. Quantum key distribution with key extracted from basis information. arXiv:1410.5260 (2014).
 43.
Gerhardt, I. et al. Fullfield implementation of a perfect eavesdropper on a quantum cryptography system. Nat. Commum. 2, 349, URL http://dx.doi.org/10.1038/ncomms1348 (2011).
 44.
Huang, A. et al. Testing randomdetectorefficiency countermeasure in a commercial system reveals a breakable unrealistic assumption. IEEE. J. Quantum. Elect 52, 1–11 (2016).
 45.
Zhao, Y., Qi, B. & Lo, H.K. Quantum key distribution with an unknown and untrusted source. Phys. Rev. A 77, 052327 (2008).
 46.
Lim, C. C. W., Walenta, N., Legre, M., Gisin, N. & Zbinden, H. Random variation of detector efficiency: A countermeasure against detector blinding attacks for quantum key distribution. IEEE. J. Sel. Top. Quant 21, 192–196 (2015).
Acknowledgements
The authors would like to thank Shihai Sun for helpful discussions. This work was supported by the Fund of State Key Laboratory of Information Photonics and Optical Communications (Beijing University of Posts and Telecommunications) No. IPOC2016ZT09, the National Natural Science Foundation of China Grants No. 61178010 and No. 11374042, and the Fundamental Research Funds for the Central Universities No. bupt2014TS01.
Author information
Author notes
Affiliations
Contributions
K.W. and H.M. conceived the idea; K.W., H.L., and Y.S. conducted the experiment; K.W., H.L., X.Y., and Y.Z. performed the theoretical analysis. H.M., J.X., and Y.J. supervised the project. K.W. wrote the manuscript with input from all the authors. All the authors reviewed the manuscript.
Competing Interests
The authors declare that they have no competing interests.
Corresponding author
Correspondence to Haiqiang Ma.
Rights and permissions
This work is licensed under a Creative Commons Attribution 4.0 International License. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in the credit line; if the material is not included under the Creative Commons license, users will need to obtain permission from the license holder to reproduce the material. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
About this article
Received
Accepted
Published
DOI
Further reading

Multiparty MeasurementDeviceIndependent Quantum Key Distribution Based on Cluster States
International Journal of Theoretical Physics (2018)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.