## Abstract

The device-independent (DI) quantum key distribution (QKD) protocol requires minimal assumptions about the devices and its security relies on the violation of Bell inequalities, making it hard to realize in real world. Semi-device-independent (SDI) QKD protocol confines quantum state within finite dimensional Hilbert space, thus easier for implementation with existing experimental technology. In this paper, we propose a practical SDI prepare-and-measure BB84 protocol. By introducing min entropy for security proof, we obtain a security bound under the practical condition with finite resources. Numerical simulations imply the finite-key effect can not be ignored in the forthcoming SDI QKD experiment.

© 2017 Optical Society of America

## 1. Introduction

Quantum key distribution (QKD), arising from the pioneer work obtained in 1984 (presently known as the BB84 protocol) [1], allows communicating parties to share secret key over open public channel. Since then, theoretical and experimental QKD has been made great progress in the past three decades [2–7]. In addition to QKD, other technologies of quantum communication like quantum secure direct communication [8–10], quantum teleportation [11–13] and quantum secret sharing [14–17], have also made strides growing out of the advances in basic scientific research and optoelectronic technology. However, taking real factors into consideration, practical QKD system undoubtedly faces sorts of real world problems such as drawbacks of significant instruments [18], unrigorous bound result from finite-size effect [19–21] and unauthenticated classical channel [22, 23]. For the drawbacks occurring in the instruments, security loopholes may arise and quantum hacking strategies will weaken the security level to some extent [24–26]. An thorough countermeasure is more attractive to the fully device-independent QKD (DI-QKD) system [27–29]. The security of DI-QKD can be ensured by the violation of certain Bell inequalities [30] without clear characterization of specific setups. However, with current technologies, DI-QKD is not easy for practical implementation since it should overcome the security loopholes inherently exist in the experimental verification activities of violation of Bell inequalities [31].

In practice, DI-QKD in its current design requires the entangled quantum systems between Alice and Bob to be realized by photons, which are distributed through an optical fiber. Thus, due to losses during the transmission, the success remote measurement events carried out by Alice and Bob only occur with small probability. Note that traditional (non-DI) QKD protocols, such as BB84 [1], are, however, usually implemented by the prepare-and-measure (PM) settings. In a PM setting, the sender, usually Alice, uses a source to prepare photons which are normally encoded by phase or polarization. Then, she sends them through a quantum channel to the receiver, usually Bob, who performs measurements on them. Since PM schemes do not require the manipulation of entanglement, most of the current products of commercial QKD system apply them. Semi-device-independent QKD (SDI-QKD) scheme [32] is one of the schemes [32–36] that are intermediate between non-DI QKD and DI-QKD. In SDI-QKD, the quantum states in preparation procedure are restricted in finite dimensional Hilbert space. Therefore, compared to DI-QKD, SDI-QKD is much easier for experimentalists to realize. Naturally, compared to entanglement-based SDI-QKD schemes [37], PM SDI-QKD schemes are more feasible in a theoretical scenario [38] and nevertheless should be taken into consideration for practical implementations. In 2011, based on dimension witnesses and random-access codes, Pawłowski et al. [32] proved the security of a PM SDI-QKD protocol with four input states and two measurement bases against individual attacks for one-way configuration. Then, Wang et al. [39] improved it by introducing an additional measurements, making it more suitable to be carried out in practice. For the eavesdropper under collective attacks, the security of a PM SDI-QKD protocol was studied numerically in [40] at a device-independent level where Alice’s source prepares unknown pure qubit states and Bob performs unknown projective qubit measurements. Recently, Woodhead and Pironio [38] derived a known universal tight upper-bound for estimating eavesdropper’s information gain under collective attack based on the min entropy in terms of the Clauser-Horne-Shimony-Holt Bell correlator. However, the statistical fluctuation due to finite-length keys, one of the practical imperfections, need to be taken into account in the security bound for the PM SDI-QKD schemes. One should note that several finite-key analysis [41–43] based on the composable security definition have been made to tackle this problem from the application scenario of measurement-device-independent protocol [44], B92 protocol [46] to that of one-sided DI-QKD [45]. Hence, when it comes to the case of PM SDI-QKD, how the statistical fluctuation from finite resources influences the performance of the protocol needs to be further studied.

Here, we first design a new practical PM SDI-QKD protocol with finite resources, which includes implementation schemes, ways for choice and proportion of preparation states, methods of measurement and parameter estimation, means of sifting and so on. By combining the analytical security bound derived by Woodhead and Pironio [38] with the finite-key analysis based on min entropy [19], we obtain the finite-key bound in terms of the value of dimension witnesses against collective attack for PM SDI-QKD. Besides, we numerically analyze the effect that how the number of pulses prepared by the sender influences the amount of secret key derived by both parties.

The paper is composed of as follows. In Sec. II, we propose a new practical PM SDI-QKD protocol with finite resources, where its execution steps are specified. Section III fixes the security notions and derives the formalism for bounding the achievable finite secret key rates for our PM SDI-QKD protocol. Section IV numerically simulates our results and the paper is concluded in Sec. V.

## 2. Semi-device-independent setting with violation of CHSH inequality

In standard device-independent (DI) settings, two remote parties, Alice and Bob, share two entangled subsystems in advance. Then they independently perform one of two measurements *x*, *y* ∈ {0, 1}, obtaining one of two measurements *a*, *b* ∈ {0, 1}. In this scenario, the Clauser-Horne-Shimony-Holt (CHSH) Bell correlator can be expressed by the expectation value [30]

*P*(

*ab*|

*xy*) denotes the joint probabilities for outcomes

*a*,

*b*given measurements

*x*,

*y*. Compared with the device-independent setting, semi-device-independent setting requires an additional assumption that the states are prepared in the the Hilbert space with finite dimension, which can brings the advantage of intentional state-preparation without entangled resources. Specially, one can consider a PM version of the above CHSH correlation, as is represented in Fig. 1.

In this PM scenario, Alice owns a source which can emit one of four different qubit states, expressed by *ρ*, *ρ*′, *σ*, and *σ*′, according to a respective choice of input (0, 1), (0, 1), (1, 0) and (1, 1). Alice randomly chooses the basis *x* ∈ {0, 1 (not necessarily with equal probability) and chooses the encoding message *a* ∈ {0, 1} randomly with equal probability. She then sends the encoded state to Bob, who performs one of two binary-outcome measurements indexed by the input *y* ∈ {0, 1} on them, yielding the result *b* ∈ {0, 1}. Under the above PM setting, Woodhead and Pironio creatively propose a modified CHSH correlator expressed as [38]

The security of the above PM SDI scenario against quantum eavesdropper is only guaranteed by the associated probability distribution *P*(*b* | *axy*), which can establish relations with quantum dimension witness [32]. Here, following the proof method derived by Woodhead and Pironio [38], we should consider the security bound raised from fidelity differences between source states. To be concrete, an eavesdropper may perform an arbitrary unitary operation on the states transmitted from Alice to Bob in the public channel, with the purpose of acquiring some useful information benefit for her hacking behaviors. Under this unitary attack strategy, the emitted state *ρ _{x,a}* is now shared between Bob and Eve, i.e., performs on a Hilbert space ℋ

*⊗ℋ*

_{B}*. It is assumed that the two differences*

_{E}*ρ*−

*ρ*′ and

*σ*−

*σ*′ between the source states have their support both on a common two-dimensional subspace ℋ

*⊗ℋ*

_{A}*. That is to say, the start point of our analysis is based on the assumption of qubit state preparation.*

_{B}## 3. SDI-QKD protocol with finite resources

Finite resources, one of the vital practical factors, is taken into consideration in our PM SDI-QKD protocol, which is parameterized by the secret key length *ℓ*, the classical postprocessing block size *M*_{CP}, the sample size of error-rate estimation *M*_{PE}, the local CHSH test sample size *M _{j}*, the tolerated CHSH value

*S*

_{tol}, the tolerated channel error rate

*Q*

_{tol}, the error-correction leakage leak

_{EC}, and the required correctness efficiency

*ε*

_{cor}. It should be noted that the SDI-QKD model with four input states and two measurements is equal to the (2, 1, 0.85)-quantum random access coding (QRAC) and the two-dimensional quantum witness can achieve the maximal value $2\sqrt{2}$ in (2, 1, 0.85)-QRAC [47, 48], while Eve always acquires exactly the same state as Bob. Hence, the tolerated CHSH value

*S*

_{tol}can be bounded by $2\sqrt{2}$. The protocol is depicted specifically as the following steps. One must recall that the first three steps are repeated until the conditions in the sifting step are all satisfied.

*State preparation and distribution.*For each run of the protocol, we label the modulation events with indices*i*. Alice selects the modulation*f*∈ {Ω_{i}_{CHSH}, Ω_{QKD}}, where Ω_{CHSH}is chosen with probability ${p}_{c}={M}_{j}/\left[{M}_{j}+{\left(\sqrt{{M}_{\text{CP}}}+\sqrt{{M}_{\text{PE}}}\right)}^{2}\right]$ and Ω_{QKD}is chosen with probability 1 −*p*_{c}. Let the state from {*ρ*,*σ*} represent the classical bit 0 and that from {*ρ*′,*σ*′} represent the classical 1, respectively. For the operation mode Ω_{CHSH}, Alice selects input (*x*,*a*) ∈ {(0, 1), (0, 1), (1, 0), (1, 1)} randomly, yielding to the qubit states*ρ*,*ρ*′,*σ*,*σ*′ respectively according to the map (2, 1, 0.85)-QRAC, where*ρ*= |*α*_{0,0}〉〈*α*_{0,0}| and*ρ*′ = |*α*_{1,1}〉〈*α*_{1,1}| constitute the*X*basis;*σ*= |*α*_{0,1}〉〈*α*_{0,1}| and*σ*′ = |*α*_{1,0}〉〈*α*_{1,0}| constitute the*Z*basis. Here,$$\begin{array}{l}|{\alpha}_{0,0}\u3009=\mathit{cos}\left(\pi /8\right)|0\u3009+\mathit{sin}\left(\pi /8\right)|1\u3009\\ |{\alpha}_{1,1}\u3009=\mathit{cos}\left(5\pi /8\right)|0\u3009+\mathit{sin}\left(5\pi /8\right)|1\u3009\\ |{\alpha}_{0,1}\u3009=\mathit{cos}\left(7\pi /8\right)|0\u3009+\mathit{sin}\left(7\pi /8\right)|1\u3009\\ |{\alpha}_{1,0}\u3009=\mathit{cos}\left(3\pi /8\right)|0\u3009+\mathit{sin}\left(3\pi /8\right)|1\u3009.\end{array}$$For the operation mode Ω_{QKD}, Alice randomly chooses*c*∈ {0, 1} to prepare the state_{i}*ρ*∈ {|0〉〈0|, |1〉〈1|}, respectively. She selects an subset, with probability of_{i}*p*_{q}, from $\mathbb{K}:=\left\{i:{f}_{i}={\mathrm{\Omega}}_{\text{QKD}}\right\}$ for channel error estimation. The event used for classical postprocessing is labeled by Ω_{CP}and that for error estimation is labeled by Ω_{PE}.Alice sends the states with encoded information to Bob through an open public quantum channel. For each state-preparation event, the basis information is represented by

*x*∈ {0, 1, 2}, where 0 denotes_{i}*X*basis, 1 denotes*Z*basis and 2 denotes ${T}_{0}=\left\{{M}_{0}^{0}=|0\u3009\u30080|,\phantom{\rule{0.2em}{0ex}}{M}_{0}^{1}=|1\u3009\u30081|\right\}$ basis.*State measurement.*For each state that Bob received, he randomly and independently chooses a basis from {*T*_{0},*T*_{1}} among the following POVMs: ${T}_{0}=\left\{{M}_{0}^{0}=|0\u3009\u30080|,\phantom{\rule{0.2em}{0ex}}{M}_{0}^{1}=|1\u3009\u30081|\right\}$ and ${T}_{1}=\left\{{M}_{1}^{0}=|+\u3009\u3008+|,\phantom{\rule{0.2em}{0ex}}{M}_{1}^{1}=|-\u3009\u3008-|\right\}$, where $|+\u3009=\left(|0\u3009+|1\u3009\right)/\sqrt{2}$, $|-\u3009=\left(|0\u3009-|1\u3009\right)/\sqrt{2}$. Bob records the choices of measurement bases*y*∈ {0, 1}, where 0 denotes_{i}*T*_{0}basis and 1 denotes*T*_{1}basis, and stores the measurement outcome*b*∈ {0, 1}._{i}*Sifting.*Bob announces his choices*y*over an authenticated classical channel. Alice identifies the following sets: key generation set $\mathbb{T}:=\left\{i:\left({f}_{i}={\mathrm{\Omega}}_{\text{CP}}\right)^\left({y}_{i}=0\right)\right\}$, error-rate estimation set $\mathbb{P}:=\left\{i:[\left({f}_{i}={\mathrm{\Omega}}_{\text{PE}}\right)^\left({y}_{i}=0\right)\right\}$ and the CHSH test set $\mathbb{J}:=\left\{i:{f}_{i}={\mathrm{\Omega}}_{\text{CHSH}}\right\}$._{i}Steps 1–3 are repeated as long as the sifting condition is not satisfied, i.e., $\left|\mathbb{T}\right|<{M}_{CP}$ or |ℙ|<

*M*_{PE}or $\left|\mathbb{J}\right|<{M}_{j}$, where*M*_{CP},*M*_{PE},*M*_{j}∈ ℕ.*Parameter estimation.*To compute the dimension witness value given by Eqs.(2) under finite resources, one can apply a statistical count for all possible events by the formula ${S}_{\text{test}}:\frac{1}{2\left|\mathbb{J}\right|}{\displaystyle \sum _{i\in \mathbb{J}}f\left({a}_{i},{b}_{i},{x}_{i},{y}_{i}\right)}$, where*f*(*a*_{i},*b*,_{i}*x*,_{i}*y*) = 1 if_{i}*a*⊕_{i}*b*=_{i}*x*; otherwise,_{i}y_{i}*f*(*a*,_{i}*b*,_{i}*x*,_{i}*y*) = −1. Then, both Alice and Bob publicly announce the corresponding bit strings {_{i}*c*}_{i}_{i}_{∈ℙ}and {*b*}_{i}_{i}_{∈ℙ}to calculate the channel error rate ${Q}_{\text{test}}:={\displaystyle \sum _{i\in \mathbb{P}}{c}_{i}\oplus {b}_{i}/\left|\mathbb{P}\right|}$. If*S*_{test}<*S*_{tol}or*Q*_{tol}<*Q*_{test}, they abort the protocol.*One way classical postprocessing.*Alice and Bob select a random subset of size*M*_{CP}of $\mathbb{T}$ for postprocessing. An error-correction protocol is conducted, which leaks at most leak_{EC}bits of information. Then, they perform an error-verification protocol that leaks ⌈log_{2}(1/*ε*_{cor})⌉ bits of information. They abort the protocol if the error verification fails. Finally, the procedure of privacy amplification with two-universal hashing is applied to their bit strings for extracting a secret key with length*ℓ*.

## 4. Security analysis

In this section, we analyze the security of the above finite-key SDI-QKD protocol. If the protocol is conducted correctly, a secret key pair (**S*** _{A}*,

**S**

*) with length*

_{B}*ℓ*is obtained. One should guarantee the security of the final key with quantified secrecy. To start with, we shall clarify the security criteria, which lays the foundation of our analysis. In this paper, we employ the notion of composable security, initially proposed by Renner [49], into our analysis.

#### Definition 1 (composable security definition)

The key pair (**S*** _{A}*,

**S**

*) that outputs from the protocol is considered to be*

_{B}*ε*− secure if it is both

*ε*

_{cor}-correct and

*ε*

_{sec}-secret.

*ε*

_{cor}-correct is satisfied only if

*Pr*(

**S**

*≠*

_{A}**S**

*) ≤*

_{B}*ε*

_{cor}, i.e., the probability of

**S**

*≠*

_{A}**S**

*will not exceed*

_{B}*ε*

_{cor}.

*ε*

_{sec}-secret is satisfied only if $\frac{{p}_{\text{pass}}}{2}{\Vert {\rho}_{\text{SE}}-{U}_{S}\otimes {\rho}_{E}\Vert}_{1}\le {\epsilon}_{\mathrm{sec}}$ where

*S*represents either of the keys

**S**

*and*

_{A}**S**

*,*

_{B}*ρ*is the system that the eavesdropper owns,

_{E}*ρ*is the classical-quantum state describing the joint state of

_{SE}*S*and

*E*,

*U*

_{S}is the uniform mixture of all possible values of

*S*, and

*p*

_{pass}is the probability that all steps of the protocol are successfully conducted.

Note that this security definition guarantees that the SDI-QKD protocol with universal composability. That is to say, the pair of key strings can be securely used in any application that requires a perfectly secure key. For better interpretation of our main result, the definition of smooth min-entropy should be introduced as the following [49]:

#### Definition 2 (smooth min-entropy)

Let *ε* ≥ 0, ${\sigma}_{B}\in \mathcal{S}\left({\mathscr{H}}_{B}\right)$ and ${\rho}_{AB}\in \mathcal{S}\u2a7d\left({\mathscr{H}}_{AB}\right)$. The smooth min-entropy ${H}_{min}^{\epsilon}\left(A|B\right)$, taken over a set of states ${\mathcal{B}}^{\epsilon}\left(\rho \right)$ that are *ε*-close to *ρ _{AB}*, is defined as the quantity

*is the identity operator on*

_{A}*A*, $C\left({\rho}_{AB},{\tilde{\rho}}_{AB}\right):=1-{\left(\text{tr}\left|\sqrt{\rho}\sqrt{\tilde{\rho}}\right|\right)}^{{2}^{1/2}}$ is a distance measure based on fidelity and

*ε*is called the smoothing parameter.

In what follows, we show the main result and a sketch of its proof.

#### Main result

The SDI-QKD protocol with parameters (*ℓ*, *M*_{CP}, *M*_{PE}, *M _{j}*,

*S*

_{tol},

*Q*

_{tol},

*ε*

_{cor}) is

*ε*

_{sec}− secret if

*ε*=

*ε*/6 and $2\le {S}_{\text{tol}}\le 2\sqrt{2}$, where

_{sec}*h*represents the binary entropy function,

#### Proof

Let Ω be the event that *S*_{test} ≥ *S*_{tol} or *Q*_{tol} ≥ *Q*_{test}. If the steps of the protocol are all successfully conducted, the secrecy will be established trivially. Let *p*_{pass} be the probability of all steps passing through, then *p _{pass}* =

*Pr*[Ω]. Conditioned on passing these tests, let

*A*and

^{n}*B*be the strings of length

^{n}*n*=

*M*

_{CP}that Alice and Bob gets from the set $\mathbb{T}$, and let

*E*represent the adversary’s information obtained by eavesdropping on the quantum channel. For one way error correction protocol, Alice should send a bit string

^{n}*C*of length leak

_{EC}to Bob over the public channel, hence, reducing Eve’s uncertainty by the same amount with a failure probability of

*ε*

_{cor}. Then, Alice and Bob apply privacy amplification, with a failure probability of

*ε*

_{pa}, to extract a key of length

*ℓ*. According to the privacy amplification method based on universal hashing [50], one can upper bound

*ℓ*by

*ε*

_{pa}. Here,

*ε*

_{pa}is the error probability of privacy amplification.

Note the fact that ⌈log_{2}(1/*ε*_{cor})⌉ ≤ log_{2}(2/*ε*_{cor}) and apply chain rules for smooth entropies [51], one can bound the min-entropy of the *A ^{n}* given

*CE*:

^{n}_{EC}=

*nh*(

*Q*

_{tol}+

*μ*).

*μ*is the statistical deviation between the actual quantum bit error rate (QBER) and observed one from the randomly chosen set used for error-rate estimation. By the Serfling theorem [52] and its corollary [29], one can obtain an estimation of

*μ*by

*ε*

_{Q}is the failure probability of estimating the QBER of events used for classical postprocessing by the observed one of set for error rate estimation.

In the following, it is of vital importance to bound the amount of ${H}_{\mathrm{min}}^{2{\epsilon}^{\prime}}\left({A}^{n}|{E}^{n}\right)$. Here, the eavesdropping strategy of collective attack is taken into account. Under Eve’s operations under collective attack, one can obtain a lower bound on ${H}_{\mathrm{min}}^{2{\epsilon}^{\prime}}\left({A}^{n}|{E}^{n}\right)$ [19], given that ${\sigma}_{\overline{A}\overline{E}}$ is contained in a set Γ compatible with the statistics *λ _{m}*, except with probability

*ε*. In our SDI-QKD protocol, the set $\mathbb{J}$ of maximal length

*M*is arrived for estimating CHSH inequality given by Eqs. (2), which is used to bound the Eve’s information gained during his listening activities. With

_{j}*m*=

*M*, the lower bound is represented by

_{j}*H*(Ā | Ē) is to use the lower bound derived from min-entropy, which is derived by Woodhead and Pironio [38] as

*S*with the observed CHSH value

*S*

_{tol}, i.e., $\mathrm{Pr}[({S}_{\text{tol}}-S\ge \sqrt{\frac{32}{{M}_{j}}\mathrm{ln}\frac{1}{{\epsilon}_{\text{PE}}}})|\mathrm{\Omega}]\le \frac{{\epsilon}_{\text{PE}}}{{p}_{\text{pass}}}$. Let $\lambda =\sqrt{\frac{32}{{M}_{j}}\mathrm{ln}\frac{1}{{\epsilon}_{\text{PE}}}}$, Then,

*σ*in set Γ

_{ĀĒ}*, a bound of ${H}_{\mathrm{min}}^{2{\epsilon}^{\prime}}({A}^{n}|{E}^{n})$ can be given as*

_{ξ}It should be noted that, in the asymptotic case when the total pulses sent by Alice are *N* →∞, a secret bound which is defined as *f*_{secr}: = *ℓ*/*M*_{CP} can be easily verified to reach

_{CHSH}and Ω

_{QKD}. The second term in the right hand of Eq. (13) provides a bound on the quality of the devices, and the latter term, apart from generating the actual key, is an estimation for the quality of the quantum channel.

## 5. Simulation and discussion

In our numerical simulation, we consider a depolarizing quantum channel with an error rate *Q*_{tol} = (1 − *V*)/2 and the CHSH value ${S}_{\text{tol}}=2\sqrt{2}V$, where *V* is the visibility of quantum channel. In the asymptotic case, one can obtain the secret rate as a function of *V* according to Eq. (13). A comparison to the standard PM BB84 protocol can be made to show the performance of our PM SDI-QKD protocol. Lower bound of the fraction of the secret key as a function of *V* can be plotted in Fig. 2. The simulation result represents that the secret key rate of the SDI-QKD protocol is apparently lower than the standard PM BB84 protocol. However, the minimum requirements of distilling secret key for the visibility is below 0.9, which is the best performance among existing SDI-QKD protocols. With the CHSH test in our secure bound, Alice and Bob can estimate how often their devices behave badly and thus determine the minimum tolerated error rate of the channel environment.

In the finite-key case, if we assume a proportion of *M*_{CP:} *M*_{PE:} *M _{j}* = 100: 10: 1, we can also obtain the secret rate as a function of

*V*for different values of

*M*

_{CP}. Under this assumption, lower bounds for the secret key rate of our SDI-QKD protocol with finite resources as a function of visibility

*V*can be interpreted in Fig. 3.

From Fig. 3, one can find that the secure bound is getting close to the asymptotic case when *M*_{CP} = 10^{10} and the minimum visibility of a depolarizing channel for obtaining positive secret rate is only about 0.926 with a practical block size of 10^{7}. From a practical point of view, it is certainly appealing to consider a small value of *V*, since it means that the maximal transmission distance between Alice and Bob can be made extensive soundly. The simulation results show the effectiveness of our secure bound. Accordingly, to achieve a practical experiment of SDI-QKD, our protocol may be an alternative approach for theoretical evidence.

## 6. Conclusion

In summary, we provide a practical prepare-and-measure protocol toward SDI-QKD, where a CHSH test is carried out to guarantee the reliability of the devices. Although it is a great challenge to implement a long-distance detection-loophole free Bell test, we believe an experimental demonstration of SDI-QKD with high-performance devices is plausible in the near future. On the conceptual level, by introducing min entropy for security proof, we obtain a security bound under the practical condition with finite resources. Numerical simulations imply the finite-key effect can not be ignored in the data analysis of SDI-QKD experiment.

## Funding

National Natural Science Foundation of China (NSFC) (61505261, 61675235 and 61605248); National Basic Research Program of China (2013CB338002).

## References and links

**1. **C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing (Bangalore, India, 1984) p. 175–179.

**2. **V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lütkenhausand, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. **81**, 1301 (2009). [CrossRef]

**3. **A. R. Dixon, Z. L. Yuan, J. F. Dynes, A. W. Sharpe, and A. J. Shields, “Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate,” Opt. Express **16**, 18790–18979 (2008). [CrossRef]

**4. **J. F. Dynes, S. J. Kindness, S. W.-B. Tam, A. Plews, A. W. Sharpe, M. Lucamarini, B. Fröhlich, Z. L. Yuan, R. V. Penty, and A. J. Shields, “Quantum key distribution over multicore fiber,” Opt. Express **24**, 8081–8087 (2016). [CrossRef] [PubMed]

**5. **K. Lim, H. Ko, C. Suh, and J. K. Rhee, “Security analysis of quantum key distribution on passive optical networks,” Opt. Express **25**, 11894–11909 (2017). [CrossRef]

**6. **W. Y. Liu, X. F. Zhong, T. Wu, F. Z. Li, B. Jin, Y. Tang, H. M. Hu, Z. P. Li, L. Zhang, W. Q. Cai, S. K. Liao, Y. Cao, and C. Z. Peng, “Experimental free-space quantum key distribution with efficient error correction,” Opt. Express **25**, 10716–10723 (2017). [CrossRef]

**7. **P. Sibson, C. Erven, M. Godfrey, S. Miki, T. Yamashita, M. Fujiwara, M. Sasaki, H. Terai, M. G. Tanner, C. M. Natarajan, R. H. Hadfield, J. L. O’Brien, and M. G. Thompson, “Chip-based quantum key distribution,” Nat. Commun. **8**, 13984 (2017). [CrossRef] [PubMed]

**8. **G. L. Long and X. S. Liu, “Theoretically efficient high-capacity quantum-key-distribution scheme,” Phys. Rev. A **65**, 032302 (2002). [CrossRef]

**9. **J. Y. Hu, B. Yu, M. Y. Jing, L. T. Xiao, S. T. Jia, G. Q. Qin, and G. L. Long, “Experimental quantum secure direct communication with single photons,” Light: Science and Applications **5**, e16144 (2016). [CrossRef]

**10. **W. Zhang, D. S. Ding, Y. B. Sheng, L. Zhou, B. S. Shi, and G. C. Guo, “Quantum secure direct communication with quantum memory,” Phys. Rev. Lett. **118**, 220501 (2017). [CrossRef] [PubMed]

**11. **C. H. Bennett, G. Brassard, C. Crepeau, R. Jozsa, A. Peres, and W. K. Wootters, “Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels,” Phys. Rev. Lett. **70**, 1895 (1993). [CrossRef] [PubMed]

**12. **J. Yin, J.-G. Ren, H. Lu, Y. Cao, H.-L. Yong, Y.-P. Wu, C. Liu, S.-K. Liao, F. Zhou, Y. Jiang, X.-D. Cai, P. Xu, G.-S. Pan, J.-J. Jia, Y.-M. Huang, H. Yin, J.-Y. Wang, Y.-A. Chen, C.-Z. Peng, and J.-W. Pan, “Quantum teleportation and entanglement distribution over 100-kilometre free-space channels,” Nature **488**, 185–188 (2012). [CrossRef] [PubMed]

**13. **X.-S. Ma, T. Herbst, T. Scheidl, D. Wang, S. Kropatschek, W. Naylor, B. Wittmann, A. Mech, J. Kofler, E. Anisimova, V. Makarov, T. Jennewein, R. Ursin, and A. Zeilinger, “Quantum teleportation over 143 kilometres using active feed-forward,” Nature **489**, 269–273 (2012). [CrossRef] [PubMed]

**14. **M. Hillery, V. Bužek, and A. Berthiaume, “Quantum secret sharing,” Phys. Rev. A **59**, 1829 (1999). [CrossRef]

**15. **W. Huang, Q. Su, B. J. Xu, B. Liu, F. Fan, H. Y. Jia, and Y. H. Yang, “Improved multiparty quantum key agreement in travelling mode,” Science China Physics, Mechanics and Astronomy **59**, 120311 (2016). [CrossRef]

**16. **D. Y. Cao, B. H. Liu, Z. Wang, Y. F. Huang, C. F. Li, and G. C. Guo, “Multiuser-to-multiuser entanglement distribution based on 1550 nm polarization-entangled photons,” Science Bulletin **60**, 1128–1132 (2015). [CrossRef]

**17. **R. K. Chen, W. S. Bao, C. Zhou, H. W. Li, Y. Wang, and H. Z. Bao, “Biased decoy-state measurement-device-independent quantum cryptographic conferencing with finite resources,” Opt. Express **24**, 6594–6605 (2016). [CrossRef] [PubMed]

**18. **D. Gottesman, H. K. Lo, N. Lükenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quant. Inf. Comp. **4**, 325 (2004).

**19. **V. Scarani and R. Renner, “Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with one-way postprocessing,” Phys. Rev. Lett. **100**, 200501 (2008). [CrossRef] [PubMed]

**20. **M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. **3**, 634 (2012). [CrossRef] [PubMed]

**21. **C. Zhou, W. S. Bao, H. W. Li, Y. Wang, Y. Li, Z. Q. Yin, W. Chen, and Z. F. Han, “Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks,” Phys. Rev. A **89**, 052328 (2014). [CrossRef]

**22. **J. Cederlöf and J-Ä. Larsson, “ Security aspects of the authentication used in quantum cryptography,” IEEE Trans. Inf. Theory **54**, 1735 (2008). [CrossRef]

**23. **C. Zhou, W. S. Bao, H. W. Li, Y. Wang, and X. Q. Fu, “Key-leakage evaluation of authentication in quantum key distribution with finite resources,” Quantum Information Processing **13**, 935 (2014). [CrossRef]

**24. **Y. Zhao, C. H. F. Fung, B. Qi, K. Chen, and H. K. Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A **78**, 042333 (2008). [CrossRef]

**25. **L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics **4**, 686 (2010). [CrossRef]

**26. **H. W. Li, S. Wang, J. Z. Huang, W. Chen, Z. Q. Yin, F. Y. Li, Z. Zhou, D. Liu, Y. Zhang, G. C. Guo, W. S. Bao, and Z. F. Han, “Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources,” Phys. Rev. A **84**, 062308 (2011). [CrossRef]

**27. **A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett. **98**, 230501 (2007). [CrossRef] [PubMed]

**28. **N. Gisin, S. Pironio, and N. Sangouard, “Proposal for implementing device-independent quantum key distribution based on a heralded qubit amplifier,” Phys. Rev. Lett. **105**, 070501 (2010). [CrossRef] [PubMed]

**29. **C. C. W. Lim, C. Portmann, M. Tomamichel, R. Renner, and N. Gisin, “Device-independent quantum key distribution with local bell test,” Phys. Rev. X **3**, 031006 (2013).

**30. **J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt, “Proposed experiment to test Local hidden-variable theories,” Phys. Rev. Lett. **23**, 880 (1969). [CrossRef]

**31. **I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, V. Scarani, V. Makarov, and C. Kurtsiefer, “Experimentally faking the violation of bell’s inequalities,” Phys. Rev. Lett. **107**, 170404 (2011). [CrossRef]

**32. **M. Pawłowski and N. Brunner, “Semi-device-independent security of one-way quantum key distribution,” Phys. Rev. A **84**, 010302 (2011). [CrossRef]

**33. **C. Branciard, E. G. Cavalcanti, S. P. Walborn, V. Scarani, and H. M. Wiseman, “One-sided device-independent quantum key distribution: Security, feasibility, and the connection with steering,” Phys. Rev. A **85**, 010301 (2012). [CrossRef]

**34. **H. K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. **108**, 130503 (2012). [CrossRef] [PubMed]

**35. **S. L. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Phys. Rev. Lett. **108**, 130502 (2012). [CrossRef] [PubMed]

**36. **C. Zhou, W. S. Bao, W. Chen, H. W. Li, Z. Q. Yin, Y. Wang, and Z. F. Han, “Phase-encoded measurement-device-independent quantum key distribution with practical spontaneous-parametric-down-conversion sources,” Phys. Rev. A **88**, 052333 (2013). [CrossRef]

**37. **E. Woodhead, “Semi device independence of the BB84 protocol,” New J. Phys. **18**, 055010 (2016). [CrossRef]

**38. **E. Woodhead and S. Pironio, “Secrecy in prepare-and-measure clauser-horne-shimony-holt tests with a qubit bound,” Phys. Rev. Lett. **115**, 150501 (2015). [CrossRef] [PubMed]

**39. **Y. Wang, W. S. Bao, H. W. Li, C. Zhou, and Y. Li, “Security of a practical semi-device-independent quantum key distribution protocol against collective attacks,” Chin. Phys. B **23**, 080303 (2014). [CrossRef]

**40. **Z. Q. Yin, C. H. F. Fung, X. F. Ma, C. M. Zhang, H. W. Li, W. Chen, S. Wang, G. C. Guo, and Z. F. Han, “Mismatched-basis statistics enable quantum key distribution with uncharacterized qubit sources,” Phys. Rev. A **90**, 052319 (2014). [CrossRef]

**41. **M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett. **106**, 110506 (2011). [CrossRef] [PubMed]

**42. **M. Curty, F. H. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H. K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. **5**, 3732 (2014). [CrossRef] [PubMed]

**43. **C. C. W. Lim, M. Curty, N. Walenta, F. H. Xu, and H. Zbinden, “Concise security bounds for practical decoy-state quantum key distribution,” Phys. Rev. A **89**, 022307 (2014). [CrossRef]

**44. **C. Zhou, W. S. Bao, H. L. Zhang, H. W. Li, Y. Wang, Y. Li, and X. Wang, “Biased decoy-state measurement-device-independent quantum key distribution with finite resources,” Phys. Rev. A **91**, 022313 (2015). [CrossRef]

**45. **Y. Wang, W. S. Bao, H. W. Li, C. Zhou, and Y. Li, “Finite-key analysis for one-sided device-independent quantum key distribution,” Phys. Rev. A **88**, 052322 (2013). [CrossRef]

**46. **M. Mafu, K. Garapo, and F. Petruccione, “Finite-size key in the Bennett 1992 quantum-key-distribution protocol for Rényi entropies,” Phys. Rev. A **88**, 062306 (2013). [CrossRef]

**47. **A. Ambainis, A. Nayak, A. Ta-Shma, and U. Vazirani, “Dense quantum coding and quantum finite automata,” J. ACM **49**, 496 (2002). [CrossRef]

**48. **M. Hayashi, K. Iwama, H. Nishimura, R. Raymond, and S. Yamashita, “(4,1)-Quantum random access coding does not exist-one qubit is not enough to recover one of four bits,” New J. Phys. **8**, 129 (2006). [CrossRef]

**49. **R. Renner, “Security of quantum key distribution,” Int. J. Quantum Inf. **6**, 1 (2008). [CrossRef]

**50. **R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A **72**, 012332 (2005). [CrossRef]

**51. **A. Vitanov, F. Dupuis, M. Tomamichel, and R. Renner, “Chain rules for smooth min- and max-Entropies,” IEEE Trans. Inf. Theory **59**, 2603 (2013). [CrossRef]

**52. **R. Serfling, “Probability inequalities for the sum in sampling without replacement,” J Ann. Stat. **2**, 39 (1974). [CrossRef]

**53. **W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Amer. Stat. Assoc. **58**, 13 (1963). [CrossRef]