## Abstract

The prepare-and-measure quantum key distribution (QKD) has the merits of fast speed, high key generation rate, and easy implementation. However, the detector side channel attacks greatly undermine the security of the key bits. The eavesdropper, Eve, exploits the flaws of the detectors to obtain illegal information without violating quantum principles. It means that she can intervene in the communication without being detected. A prepare-and-measure Bell test protocol will be proposed. By randomly carrying out Bell test at the side of the information receiver, Bob, Eve’s illegal information gain within the detector side channel attack can be well bounded. This protocol does not require any improvement on the detectors used in available prepare-and-measure QKD. Though we only illustrate its application in the BB84 protocol, it is applicable for any prepare-and-measure QKD.

## Introduction

QKD is a real-time art of generating secure key bit string between remote partners^{1,2,3}. Its security is not based on the computational complexity, but on the correctness of physical principles^{4,5,6,7}. In practical conditions where imperfectly experimental devices are used, it is proven that secure key bit string can still be generated when the tagged key bits are well restricted^{8}. For example, phase-randomized weaken coherent sources are used in practical QKD. There are multi-photon pulses emitted from the source. Eve can launch the photon-number-splitting (PNS) to tag the multi-photon events^{9,10}. If the amount of the tagged event can be well bounded, with decoy state technology for example, secure key bits can be generated between remote partners^{11,12,13,14}.

Recently, the detector side channel attacks have attracted great attention. Eve exploits the drawbacks of the detectors to control the detections. Moreover, the photons registered by the detectors may be not the ones expected by Bob, but well devised by Eve to obtained illegal information. In the fake state attack, Eve intercepts the photons from Alice and reads out the bit values on them. According to her measurement outcomes, she exploits the detection efficiency mismatches and prepares a fake state to be detected by Bob^{15}. The time-shift attack uses the detection efficiency mismatches to eavesdrop on the communication without intercepting on Alice’s photons^{16,17}. Furthermore, the problem of information leaking from the detector side channels also exists in the blinding attack^{18,19,20} and the phase re-mapping attack^{21,22}.

The detector side channel attacks do great harm to the security of QKD because Eve’s illegal information gain obtained in the attacks cannot be well bounded^{8}. Great improvement must be made on the detectors to avoid the detector side channel attacks^{19,23,24,25}. It has been shown that alternative ways of measurements can be used to beat these attacks^{26,27,28,29,30,31,32}. In this case, the security of the measurement outcomes relies on the monogamy of entanglement^{33,34}. Accordingly, the experimental realization is more complex and the key generation rate is lower when compared with the prepare-and-measure QKD. An easy way to beat the detector side channel attack from the physics principle is expected.

Quantum theory is exclusive with the local hidden variable (lhv) theory^{35,36,37}. Loophole-free Bell violation means that the lhv theory can be excluded. Or else, if no Bell violation can be obtained in the loophole-free Bell test, the quantum theory is incorrect. Recently, Bell violation is experimentally obtained with all loopholes are closed^{38,39,40}. These significant results mean the lhvs do not exist. Based on this fact, the detector side channel attack in the prepare-and-measure QKD can be beat with a simple but efficient way. Random Bell test is required to be carried out at Bob’s side to check the quantum correlations between Alice and Bob. Though this protocol is devised for the BB84 protocol^{1}, it is applicable to any prepare-and-measure QKD.

## The prepare-and-measure Bell test

In the Bell test, a parametric-down-conversion (PDC) source is set between Alice and Bob. Entangled photon pairs are generated and distributed to them. Alice has two sets of two-channel measurement devices, *A*_{1} and *A*_{2}. Similarly, Bob has two sets of two-channel measurement settings, *B*_{1} and *B*_{2}. Alice and Bob randomly choose their measurement settings to measure their incoming photons. The binarily possible measurement outcomes obtained from the measurement settings are assigned with −1 and 1. Alice and Bob use their basis choices and measurement outcomes to calculate the CHSH polynomial^{37}

Here 〈*A*_{i}〉, 〈*B*_{j}〉 are the average values generated on *A*_{i} and *B*_{j}, with *i*, *j* ∈ {1, 2}.

In local hidden variable theory and classical physics, the measurement outcomes at Alice’s side cannot be affected by those at Bob’s side. Similarly, the measurement outcomes at Bob’s side cannot be affected by those at Alice’s side, namely, the relation 〈*A*_{i}*B*_{j}〉 = 〈*A*_{i}〉 〈*B*_{j}〉 obeys^{41}. Because −1 ≤ 〈*A*_{i}〉 ≤ 1 and −1 ≤ 〈*B*_{j}〉 ≤ 1 should be satisfied, *S*_{CHSH} varies from −2 to 2. Quantum-mechanically, its lower bound and upper bound are and , respectively^{42}. Now that the Bell violation has been obtained with loophole-free Bell test^{38,39,40}, the lhv theory does not need to be considered. If the experiment is not artificially controlled, Bell violation certifies the existence of entanglement.

Suppose that the entangled photon pair generated from the PDC source is encoded with , where the subscripts *A* and *B* denote Photon *A* and Photon *B*, respectively. After the photon pairs generated from the PDC source, Photon *A* is distributed to Alice, while Photon *B* is sent to Bob. In order to maximize the Bell violation, confinements are put on their basis choices. Without loss of any generality, one can assume that , , , and , where and are the Pauli operators. Because the state is rotationally invariant in the *X* − *Z* plane, one can obtain that , with and . In this case, it is easy to verify that .

Traditionally, the PDC source is usually set between Alice and Bob to exclude the locality loophole. Because the lhv theory is refuted, it is not necessary to care about this loophole. Alice can set the PDC source in her laboratory. When the entangled photon pair is generated, she keeps one of them and transfers the other to Bob. As there is no need to care about the locality loophole, the measurement sequences of Alice and Bob do not affect their experimental results. Alice’s measurement can be implemented before that of Bob, and vise versa. If Eve does not intervene, Bell violation must be obtained.

The moment Alice measures on Photon *A*, the state on Photon *B* collapses accordingly. It means that Alice prepares the state on Photon *B* the moment she measures on Photon *A*. Because the photon pair is prepared with the state , the state on Photon *B* should correlate with what Alice obtains in her measurement. The same correlation can also be obtained with prepare-and-measure procedure: Suppose that single photon is generated from Alice’s source. She randomly chooses the rectilinear basis or the diagonal basis , together with random bit value −1 or 1, to prepare Photon *B*. Before Photon *B* is measured, its state correlates with the state chosen by Alice.

If Alice’s basis choices and bit value choices on Photon *B* are totally random, the item 〈*A*_{1}*B*_{1}〉 in (1) can be calculated as

Similarly, one can obtain

Substituting *B*_{1} and *B*_{2} with and , one can obtain that , , , and . The value of the CHSH polynomial is calculated to be . It is the same as that when the entangled state is used. This is because the correlations between the state on Photon *B* and that of Alice are the same in these two cases.

## BB84 protocol with the prepare-and-measure Bell test

The BB84 protocol is a prepare-and-measure QKD protocol. Alice prepares the state on Photon *B* and transfers it to Bob. Bob measures it in randomly chosen basis to read its state. The states |0〉_{B} and |+〉_{B} are used to encode the bit value 0, while the states |1〉_{B} and |−〉_{B} are used to encode the bit value 1 (Here the definitions of the bit values in the quantum key distribution and those of the Bell test are different).

The prepare-and-measure BB84 protocol is characterized as follows:

(a) *N* single photons are generated in Alice’s laboratory. She randomly chooses between the diagonal basis and rectilinear basis and the random bit values 0 and 1 to prepare her state on the photon. Then the photon is transferred to Bob.

(b) Bob has two modes: with probability *p* he chooses the signal mode and with probability 1 − *p* he chooses the test mode (Only Bob himself is aware of the value of *p*). In the signal mode, Bob’s measurement bases are randomly chosen from and . In the test mode, his measurement bases are randomly chosen between , and .

(b′) When Bob chooses the signal mode, Alice and Bob publish their measurement bases through the public channel. They keep their measurement outcomes in the same bases as the sifted key bits.

(b″) When Bob chooses the test mode, Alice and Bob announce their basis choices and measurement outcomes through the public channel to calculate the value of *S*_{CHSH}.

(c) After the key distribution, Alice and Bob implement error correction (EC) and privacy amplification (PA) on their sift key bits. If secure key bits can be generated, their key distribution task is fulfilled. Or else, their task is failed.

Because Alice randomly chooses her basis and bit values on Photon *B*, the state on it is for any third party. The state is uniformly prepared in the conjugated bases. Eve cannot differentiate which state is prepared. If she carries out state distinguishing task on the photon, disturbance must be introduced^{43,44}. Without loss of any generality, one can assume that Eve interacts on Photon *B* with a probe. If the interaction between the probe and Photon *B* can be characterized as a unitary process, one can obtain

Here |*E*〉 is the blank state on Eve’s probe. *f* and *e* correspond to the probability that the state on Photon *B* is intact and the probability that the state on Photon *B* is changed, respectively. It means that Eve’s intervention introduces quantum bit error rate (QBER) with probability *e*. The amount of information for Alice and Bob used to correct the errors on their bit string is *h*(*e*), with *h*(*x*) = −*x*log_{2}*x* − (1 − *x*)log_{2}*x* the binary entropy. In the prepare-and-measure QKD, Eve’s ability to attack on the communication can be bounded with the collective attack^{3,45}. In this case, the rate for Eve to tag Bob’s key bits is upper bounded with^{46,47}

After Eve’s intervention, 〈*A*_{1}*B*_{1}〉 is recalculated to be

Similarly, one has

It means Alice’s and Bob’s states are correlated with probability *f*, and anti-correlated with probability *e* that is also known as the QBER. After Eve’s intervention, is obtained.

## Refute the detector side channel attack

In the BB84 protocol, Eve’s illegal information is also bounded as^{3,4,7}

Here *e* is the phase error rate gained on Bob’s state. Strictly speaking, phase error rate is the concept of entangled states. Because of the symmetry of BB84 protocol, however, the phase error rate is estimated from the bit error rate on the results generated from the conjugated bases^{4,7}. Within the process of Eve’s attack, if she can hide the bit error rates of both bases, Alice and Bob cannot find her existence. In the detector side channel attack, for instance, it is possible for Eve to intervene without introducing any bit error rate.

If Bob’s detectors are imperfect, the detector side channel information leaking problem may exist. Eve can exploit the flaws of Bob’s detectors to carry out the detector side channel attacks.

**Theorem 1** *The detector side channel attacks can be successfully carried out if and only if Eve’s information of Alice’s bit value conditioned on Bob’s measurement outcome is partially or totally certain*. Proof: In the BB84 protocol, Eve interacts with Photon *B* to extract Alice’s state on it. After Bob measuring on the incoming photons, he and Alice declare their basis choices. When considering the individual attack, Eve’s information gain from Alice is bounded by her entropy decrease on her state^{3}

In the detector side channel attack, though drawbacks exist on Bob’s detectors, it is indispensable to assume that no unwanted information can leak out of his laboratory. Or else, the security of QKD cannot be ensured. It means that Eve should control the information leaking from the detectors indirectly. If Alice’s state on Photon *B* is uniformly prepared, *H*_{a priori} = 1 is obtained.

Consider that *H*_{a posteriori} = ∑_{r}*P*(*r*)*H*(*i*|*r*), with *P*(*r*) the probability Eve obtains the measurement result *r*, and *H*(*i*|*r*) the information gain of *i* conditioned on *r*. If Eve does not interact with Photon *B*, *H*_{a posteriori} = 1 after Bob declaring his basis choices. Thus *I*_{E} = 0 and Eve cannot obtain any illegal information on Alice’s state. In the detector side channel attack, *r* has two possible values: the registered and the unregistered, and ∑_{r}*P*(*r*) = 1 is satisfied. Whether for the registered pulses or for the unregistered pulses, Bob’s measurement outcomes are controlled to be bit value biased. Bob announces Alice the values of *r* after his measurements. The bias of Bob’s measurement outcomes is known to Eve in the detector side channel attack and *H*(*i*|*r*) should be less than 1. Correspondingly, *H*_{a posteriori} < 1 and *I*_{E} > 0 are satisfied. In some detector side channel attacks, Eve’s uncertainty on Alice’s states is eliminated with the intercept-resend attack. However, only the pulses encoded with Eve’s expected bit values and expected bases are forced to be detected by Bob. Or else, Alice and Bob can find Eve’s presentence according to the correlations between them. In any case, Bob’s measurement outcomes are partially or totally certain to Eve. Thus we end the proof.

In order to refute the detector side channel attack, Alice and Bob should estimate Eve’s information gain from the attack. In practical QKD, time-windows is set for the detectors so that their dark count rate can be decreased. Thus their detection efficiencies are time-dependent. If the time windows of the two detectors are not the same, there are detection mismatches between them. This can be exploited by Eve to launch the so-called time-shift attack. Furthermore, the detector flaws may also be used by Eve to control the detectors to detect unwanted signals. Taking the blinding attack for instance, the detectors can be blinded with strong illuminations so that they are insensitive to single-photon pulses but to strong pulses. Both in the time-shift attack and in the blinding attack, Eve’s *a posteriori* information on Alice’s bit value is partially or even totally deterministic.

In practical Bell test with EPR pairs, the quantum channel is lossy and one has to consider the detection loophole. It means that any pulse in quantum channel cannot represent the others in violating the CHSH inequality. If the devices are inefficient, fair-sampling assumption must be made to obtain the Bell violation. If Alice and Bob can implement quantum non-demolition measurement on the photon number, they differentiate the vacuum pulses from the non-vacuum pulses. With this technique, they can remove the channel loss. Now that the lhv theory has be excluded by recent experiments, it is reasonable to assume that the movements all pulses obey the quantum principles and all photon pulses experience the same transmission situation. Thus one can sample the behaviors of some of the incoming pulses on the behalf of those of the others.

We consider the QKD with active basis choice. Bob has two detectors *D*_{0} and *D*_{1} to decode the key bits 0 and 1 encoded on Alice’s pulses. Their detection efficiencies are assumed to be *η*_{0} and *η*_{1}, respectively. *D*_{0} and *D*_{1} are manufactured to be the same so that *η*_{0} = *η*_{1} = *η* is satisfied when there is no detector side channel attack. We assume that Bob has another detector *D*_{t} whose detection efficiency is *η*_{t}. *D*_{t} is also the same as *D*_{0} and *D*_{1} apart from its big time window. The time window of *D*_{t} is big enough so that its detection efficiency is stably kept within the whole time windows of both *D*_{0} and *D*_{1}. This can be realized by keeping *D*_{t} switched on within this period of time. When Bob receives the pulses from Alice, she randomly detect them directly with *D*_{t} or decode their key bits with *D*_{0} and *D*_{1} in randomly chosen bases. When detector side channel attacks randomly happen on *D*_{0} and *D*_{1}, *η*_{0} and *η*_{1} decrease. For Bob, the detection efficiency he can observe for *D*_{0} and *D*_{1} is . According to Eqs (2) and (3), the value of the CHSH polynomial should be normalized as

This relation can also be explained with the theory raised by Garg and Mermin where the photons that can be detected by *D*_{t} but are missed by *D*_{0} and *D*_{1} can only be assigned with the bit value 0^{48}. Accordingly, the illegal information gain Eve obtained within her detector side channel attack is calculated to be

## The performance of the present protocol

In practical QKD, instead of single-photon source, weaken coherent sources are used for Alice to encode her key bits. Compared with single-photon source, multi-photon pulses exist. It is proven that Eve can exploit the multi-photon pulses to launch the so-called PNS attack. Thus decoy states are usually added in practical QKD protocol to beat this attack^{12,13,14}. We consider the practical decoy state protocol raised by Ma *et al*. where a signal source, a weaker decoy source and a vacuum decoy source are used^{14}. The intensities of the signal source and the weaker decoy source are *μ* and *ν*, respectively. After randomization of the phase, the photon number distributions of the sources obey

Here *i* is the photon number in the pulses.

Alice randomly chooses the signal source and the decoy sources to encode her bit values and transfers them to Bob. When Bob takes the pulses from Alice, with probability *p* he chooses the signal mode that he measures the incoming pulses randomly in and to extract the key bits on them. With probability *p*^{′}, he chooses the test mode that his measurement bases are randomly chosen between , and . With probability 1 − *p* − *p*′, however, Bob directly measures Alice’s pulses in his detector *D*_{t}. The gains on the detectors *D*_{0}/*D*_{1}, and *D*_{t} write

Here *Y*_{0} and are the dark counts on *D*_{0}/*D*_{1} and *D*_{t} that can be estimated from the vacuum decoy state. After Bob’s measurements, Alice announces Bob her state choices with which Bob can calculate the values of *η* and *η*_{t}.

After the EC and PA, the final key generation rate is

where is the gain on the untagged pulses of the weaker decoy source, *f*(*E*_{ν}) is error correction efficiency, and *E*_{ν} is the total QBER on the sifted key bits generated from the decoy source. Here we choose the weaker decoy source for key generation because the multi-photon pulses affect the value of the CHSH polynomial greatly. Numerical results shows that no Bell violation can be obtained when the intensity of the signal source is greater than 0.659 even if *D*_{0} and *D*_{1} have perfect detection efficiency. The fraction of the multi-photon pulses in the decoy source is comparably small, however, thus we assume Alice and Bob use it to generate the key bits.

We will give some numerical simulations on the performance of the QKD with prepare-and-measure Bell test. We will use the setup parameters from the QKD experiment completed by Gobby, Yuan and Shields (GYS)^{49} that has also been taken used for numerical simulation in ref. 14. Namely, the transferring coefficient is *β* = 0.21d*B*/*km*, the detector’s detection efficiency is *η*_{B} = 4.5%, the misalignment coefficient is *e*_{d} = 3.3%, and the dark count rate *Y*_{0} = 1.7 × 10^{−6}. The intensities of the signal pulses, weaker decoy pulses and vacuum pulses are 0.48, 0.1 and 0, respectively. One thing should be pointed out that we will not consider the contribution of the misalignment to the value of the CHSH polynomial.

Firstly, we want to show the performances of the present protocol under the blinding attack and the time-shift attack. For blinding attack, Eve controls the basis of Bob. When Bob’s basis choices coincide with hers, there are efficient registers on his measurement settings. Or else, no clicking event happens. Thus one can obtain *η*_{t} = 2*η*, and the value of CHSH polynomial is for perfect single-photon source. It means that no secure key bits can be generated between Alice and Bob. For the time-shift attack, the CHSH inequality after the time-shift attack is calculated to be . In this attack, however, Eve’s illegal information gain is calculated to be , with . For simplicity of discussion, one can assume that *η*_{0} < *η*_{1}. It is apparent that the big the value is, the more key bits should be sacrificed for PA. The amount of information Alice and Bob should sacrifice for PA is .

From Fig. 1, it is apparent that the amount of information (dash line) Alice and Bob sacrificed for PA is greater than that (solid line) Eve obtained in her time-shift attack. Thus the present protocol is secure under the time-shift attack. The value of *r* begins from 0.414 because required that . When , however, one can obtain *S*_{CHSH} ≤ 2. It means that the classical bound of the CHSH inequality cannot be violated and no secure key bit can be generated. We can also compare the key generation rate of the present protocol with that of the practical decoy state QKD^{14}. In Fig. 2, one can see that the key generation rate of the present protocol is small than that in ref. 14. This is because we generate the key bits from the weaker decoy state whose intensity is smaller than that of the signal state. Furthermore, the transmission distance of the present protocol can reach about 103 km (solid line). This distance is also shorter than that in ref. 14 (dash line).

## Discussion and Conclusion

In this paper, the QKD protocol with prepare-and-measure Bell test has been proposed. Though the security of the present protocol is based on Bell’s theorem, it is different with the DI-QKD protocol^{46,47} and the Ekert91 protocol^{2}. First, there is no need to care about the detection efficiency. In the present protocol, only the registered photons are used to calculate the CHSH polynomial. Second, entanglement is not required in the present protocol. The protocol is implemented in a prepare-and-measure way. Furthermore, the Bell test in the present protocol is only carried out at Bob’s side. Our protocol is also different with the detection device-independent QKD protocols of the ref. 50. In the detection device-independent protocols, Alice and Bob have characterized sources but uncharacterized detectors. In the present protocol, however, Bob’s detectors are partially characterized. We assume that the detectors have the same attributions. Furthermore, Bob can control the time window of the testing detector.

## Additional Information

**How to cite this article**: Tan, Y.-g. Quantum key distribution with prepare-and-measure Bell test. *Sci. Rep*. **6**, 35032; doi: 10.1038/srep35032 (2016).

## References

Bennett, C. H. Quantum cryptography: Public key distribution and coin tossing.

*Proceedings of the International Conference on Computer System and Signal Processing*,*IEEE*, 1984, 175–179 (1984).Ekert, A. K. Quantum cryptography based on Bells theorem. Phys. Rev. Lett. 67, 661 (1991).

Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002).

Lo, H.-K. & Chau, H. F. Unconditional security of quantum key distribution over arbitrarily long distances. Science 283, 2050–2056 (1999).

Mayers, D. Unconditional security in quantum cryptography. Journal of the ACM (JACM) 48, 351–406 (2001).

Biham, E., Boyer, M., Boykin, P. O., Mor, T. & Roychowdhury, V. A proof of the security of quantum key distribution. J. Cryptol. 19, 381–439 (2006).

Shor, P. W. & Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441 (2000).

Gottesman, D., Lo, H.-K., Ltkenhaus, N. & Preskill, J. Security of quantum key distribution with imperfect devices.

*Proceedings of the Information Theory*,*2004. ISIT 2004. Proceedings. International Symposium on, IEEE*, 2004, 136.Huttner, B., Imoto, N., Gisin, N. & Mor, T. Quantum cryptography with coherent states. Phys. Rev. A 51, 1863 (1995).

Lütkenhaus, N. & Jahma, M. Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack. New Journal of Physics 4, 44 (2002).

Hwang, W.-Y. Quantum key distribution with high loss: toward global secure communication. Phys. Rev. Lett. 91, 057901 (2003).

Lo, H.-K., Ma, X. & Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).

Wang, X.-B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005).

Ma, X., Qi, B., Zhao, Y. & Lo, H.-K. Practical decoy state for quantum key distribution. Phys. Rev. A 72, 012326 (2005).

Makarov, V. & Hjelme, D. R. Faked states attack on quantum cryptosystems. J. Mod. Optic. 52, 691–705 (2005).

Qi, B., Fung, C.-H. F., Lo, H.-K. & Ma, X. Time-shift attack in practical quantum cryptosystems. Quantum Information and Computation 7, 073 (2007).

Zhao, Y., Fung, C.-H. F., Qi, B., Chen, C. & Lo, H.-K. Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems. Phys. Rev. A 78, 042333 (2008).

Makarov, V. Controlling passively quenched single photon detectors by bright light. New Journal of Physics 11, 065003 (2009).

Lydersen, L. et al. Hacking commercial quantum cryptography systems by tailored bright illumination. Nature photonics 4, 686–689 (2010).

Gerhardt, I. et al. Full-field implementation of a perfect eavesdropper on a quantum cryptography system. Nature communications 2, 349 (2011).

Fung, C.-H. F., Qi, B., Tamaki, K. & Lo, H.-K. Phase-remapping attack in practical quantum-key-distribution systems. Phys. Rev. A 75, 032314 (2007).

Xu, F., Qi, B. & Lo, H.-K. Experimental demonstration of phase-remapping attack in a practical quantum key distribution system. New Journal of Physics 12, 113026 (2010).

Yuan, Z., Dynes, J. & Shields, A. Avoiding the blinding attack in QKD. Nature Photonics 4, 800–801 (2010).

Lydersen, L. et al. Avoiding the blinding attack in QKD. Nature Photonics 4, 801–801 (2010).

Zhang, J., Itzler, M. A., Zbinden, H. & Pan, J.-W. Advances in InGaAs/InP single-photon detector systems for quantum communication. Light: Science & Applications 4, e286 (2015).

Biham, E., Huttner, B. & Mor, T. Quantum cryptographic network based on quantum memories. Phys. Rev. A 54, 2651 (1996).

Inamori, H. Security of practical time-reversed EPR quantum key distribution. Algorithmica. 34, 340–365 (2002).

Lo, H.-K., Curty, M. & Qi, B. Measurement-device-independent quantum key distribution. Phys. Rev. Lett. 108, 130503 (2012).

Braunstein, S. L. & Pirandola, S. Side-channel-free quantum key distribution. Phys. Rev. Lett. 108, 130502 (2012).

Ma, X., Fung, C.-H. F. & Razavi, M. Statistical fluctuation analysis for measurement-device-independent quantum key distribution. Phys. Rev. A 86, 052305 (2012).

Ma, X. & Razavi, M. Alternative schemes for measurement-device-independent quantum key distribution. Phys. Rev. A 86, 062319 (2012).

Xu, F., Curty, M., Qi, B. & Lo, H.-K. Practical aspects of measurement-device-independent quantum key distribution. New Journal of Physics 15, 113007 (2013).

Wootters, W. K. Entanglement of formation of an arbitrary state of two qubits. Phys. Rev. Lett. 80, 2245 (1998).

Coffman, V., Kundu, J. & Wootters, W. K. Distributed entanglement. Phys. Rev. A 61, 052306 (2000).

Einstein, A., Podolsky, B. & Rosen, N. Can quantum-mechanical description of physical reality be considered complete? Phys. Rev. 47, 777 (1935).

Bell, J. S. On the einstein podolsky rosen paradox [M] (1964).

Clauser, J. F., Horne, M. A., Shimony, A. & Holt, R. A. Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett. 23, 880 (1969).

Hensen, B. et al. Loophole-free Bell inequality violation using electron spins separated by 1.3 kilometres. Nature 526, 682–686 (2015).

Giustina, M. et al. Significant-loophole-free test of Bells theorem with entangled photons. Phys. Rev. Lett. 115, 250401 (2015).

Shalm, L. K. et al. Strong loophole-free test of local realism. Phys. Rev. Lett. 115, 250402 (2015).

Barrett, J., Hardy, L. & Kent, A. No signaling and quantum key distribution. Phys. Rev. Lett. 95, 010503 (2005).

Cirel’son, B. S. Quantum generalizations of Bell’s inequality. Lett. Math. Phys. 4, 93–100 (1980).

Ivanovic, I. D. How to differentiate between non-orthogonal states. Phys. Lett. A 123, 257–259 (1987).

Peres, A. How to differentiate between non-orthogonal states. Phys. Lett. A 128, 19 (1988).

Renner, R. Security of quantum key distribution. International Journal of Quantum Information 6, 1–127 (2008).

Acn, A. et al. Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007).

Pironio, S. et al. Device-independent quantum key distribution secure against collective attacks. New Journal of Physics 11, 045021 (2009).

Garg, A. & Mermin, N. D. Detector inefficiencies in the Einstein-Podolsky-Rosen experiment. Phys. Rev. D 35, 3831 (1987).

Gobby, C., Yuan, Z. & Shields, A. Quantum key distribution over 122 km of standard telecom fiber. Appl. Phys. Lett. 84, 3762–3764 (2004).

Ma, X. & Lütkenhaus, N. Improved data post-processing in quantum key distribution and application to loss thresholds in device independent QKD. Quantum Information and Computation 12, 203 (2012).

## Acknowledgements

This work is supported by MOST 2013CB922003 of the National Key Basic Research Program of China, and NSFC under Grant No. 61378011. Tan thanks Qing-yu Cai for helpful discussion and partial preparation of the paper.

## Author information

### Affiliations

### Contributions

Y.-g.T. wrote the paper.

## Ethics declarations

### Competing interests

The author declares no competing financial interests.

## Rights and permissions

This work is licensed under a Creative Commons Attribution 4.0 International License. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in the credit line; if the material is not included under the Creative Commons license, users will need to obtain permission from the license holder to reproduce the material. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

## About this article

### Cite this article

Tan, Yg. Quantum key distribution with prepare-and-measure Bell test.
*Sci Rep* **6, **35032 (2016). https://doi.org/10.1038/srep35032

Received:

Accepted:

Published:

## Comments

By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.