Let us start by describing in more detail the general scenario that we consider. It is illustrated in Fig. 4a. Alice and Bob have n pairs of QKD modules, and say Alice (Bob) has s (r) classical post-processing units at their disposal. Alice’s modules QKD Ai , with i = 1,…,n, are connected to the classical post-processing units CP Ai′ , with i′ = 1,…,s, via secure channels (i.e., channels that provide both secrecy and authentication). Also, all the units CP Ai′ are connected to each other via secure channels. The same applies to Bob. Importantly, since all these secure channels are located only within Alice and Bob’s labs, in practice they could be implemented, for instance, by using physically protected paths (e.g., physical wires that are mechanically and electrically protected against damage and intrusion) which connect only the prescribed devices. Furthermore, each QKD Ai is connected to its partner QKD Bi via a quantum channel, and each CP Ai′ is connected to all CP Bi′′ , with i′′ = 1,…,r, via authenticated classical channels.64,65

Fig. 4 Schematic representation of the general scenario considered. a A QKD setup with multiple QKD modules and classical post-processing units. We assume that up to t < n pairs of QKD modules, up to t′ < s/3 units CP Ai′ and t′′ < r/3 units CP Bi′′ could be corrupted. The goal is to distil shares of an ε-secure key, k A and k B . In the figure, the thin red solid lines represent secure classical channels, the thin red dashed lines denote authenticated classical channels, and the blue thick dashed lines are quantum channels. b General strategy to distil shares of k A and k B . First, each pair QKD Ai and QKD Bi outputs a raw key, \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), together with the protocol information, and sends them to the CP units at Alice and Bob’s side, respectively. From \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), these units distil a supposedly (ε cor /n)-correct and (ε sec /n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), and then concatenate these keys to form \(k_{\mathrm{A}}^\prime = [k_{{\mathrm{A}}1}^{\prime\prime} ,k_{{\mathrm{A}}2}^{\prime\prime} , \ldots ,k_{{\mathrm{A}}n}^{\prime\prime} ]\) and \(k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} ,k_{{\mathrm{B}}2}^{\prime\prime} , \ldots ,k_{{\mathrm{B}}n}^{\prime\prime} ]\). Finally, the CP units apply privacy amplification to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to remove the information held by the corrupted QKD modules and obtain k A and k B . In the presence of corrupted CP units, all these steps are realised in a distributed setting by acting on data shares generated with a VSS scheme Full size image

Moreover, for simplicity, we shall consider a so-called threshold active adversary structure. That is, we will assume that up to t < n pairs of QKD modules, up to t′ < s/3 units CP Ai′ and up to t′′ < r/3 units CP Bi′′ could be corrupted. We say that a pair of QKD modules is corrupted when at least one of them is corrupted. Also, we conservatively assume that corrupted devices do not necessarily follow the prescriptions of the protocol but their behaviour is fully controlled by Eve, who could access all their internal information. We refer the reader to the Supplementary Notes 3 and 4 for the definition of general mixed adversary structure66 and the security analysis of QKD against this type of general adversary. Also, we note that less conservative adversarial models like e.g., those studied in ref. 25 might be also valid in certain scenarios.

The final goal is to generate a composable ε-secure key, k A and k B . That is, k A and k B should be identical except for a minuscule probability ε cor , and say k A should be completely random and decoupled from Eve except for a minuscule probability ε sec , with ε cor + ε sec ≤ε .67,68 Importantly, since now some QKD modules and classical post-processing units could be corrupted, the secrecy condition also implies that k A and k B must be independent of any information held by the corrupted devices after the execution of the protocol. Otherwise, such corrupted devices could directly leak that information to Eve. Obviously, at the end of the day, some parties might need to have access to the final key, and thus one necessarily must assume that such parties are trusted and located in secure labs. In this regard, our work suggests that when the classical post-processing units at the key distillation layer are untrusted, they should not output the final key k A and k B but they should output shares of it to the key management layer.58,59 There, k A and k B could be either reconstructed by say Alice and Bob in secure labs, or their shares could be stored in distributed memories for later use, or they could be employed for instance for encryption purposes via say the one-time pad. Importantly, however, all the key generation process at the key distillation layer can be performed with corrupted devices. Also, we note that, if necessary, operations like storage or encryption at the key management layer could also be performed in the presence of corrupted devices by using techniques from secure multiparty computation.38 The actual management and storage of the shares of k A and k B generated by the key distillation layer is responsibility of the key management layer and depends on the particular application. We remark, however, that such layer structure is introduced here mainly for illustrative purposes, as in this paper we consider the key distillation problem, which is the task of the key distillation layer. Our results are rather general and similar techniques could be applied as well to other applications without the need of any particular layer structure.

Before we go to the specifics of our result. We remark that our idea is general and does not depend on the specific verifiable SS scheme used. This is an important strength of our idea. Let us start by providing an overview of the general strategy that we follow to achieve our goal, which uses as main ingredients VSS schemes41,42,43 and privacy amplification techniques63 (see Methods section). The former is employed to defeat corrupted classical post-processing units. Indeed, given that t′ < s/3 and t′′ < r/3, the use of VSS schemes allows to post-process the raw keys generated by the QKD modules in a distributed setting by acting only on raw key shares. Obviously, if a pair of QKD modules is corrupted, the generated raw key shares could be known to Eve. Importantly, however, we can prove security also in this scenario mainly because VSS does not require the dealer to be honest, and the use of privacy amplification techniques can remove any information about the final key which could be known to the corrupted pairs of QKD modules (as it is explained in more detail below). In addition, we remark that the post-processing of raw key shares can be performed such that no set of corrupted classical post-processing units can reconstruct k A and k B . Also, VSS guarantees that k A and k B is a correct key independently of the misbehaviour of the corrupted QKD modules and classical post-processing units which might wish to purposely introduce errors. Another key insight of our paper is to show that, since all the classical post-processing techniques that are typically applied in QKD are “linear” in nature (i.e., they involve simple functions in linear algebra, such as bit-wise XOR and multiplications of matrices), they are easily implementable in a distributed setting.

Let us illustrate this last point with a simple example. In particular, let us consider, for instance, the error correction step in QKD. Here, say Bob wants to correct a certain bit string, k B,key , to match that of Alice, which we shall denote by k A,key . In general, this process requires that both Alice and Bob first apply certain error correction matrices, M EC , to k A,key and k B,key to obtain the syndrome information s A = M EC k A,key and s B = M EC k B,key , respectively. Afterward, if s A ≠ s B Bob modifies k B,key accordingly. This process might be repeated a few times until it is guaranteed that k B,key = k A,key with high probability. Let us now consider again the same procedure but now acting on shares, k Aj,key and k Bj,key , of k A,key and k B,key , respectively. That is, say \(k_{{\mathrm{A,key}}} = \oplus _j^qk_{{\mathrm{A}}j,{\mathrm{key}}}\) and \(k_{{\mathrm{B}},{\mathrm{key}}} = \oplus _j^qk_{{\mathrm{B}}j,{\mathrm{key}}}\), with q being the total number of shares. For this, Alice and Bob first apply M EC to k Aj,key and k Bj,key to obtain s Aj = M EC k Aj,key and s Bj = M EC k Bj,key , respectively, for all j. Next, Alice sends s Aj to Bob who obtains \(s_{\mathrm{A}} = \oplus _{j = 1}^qs_{{\mathrm{A}}j}\) and \(s_{\mathrm{B}} = \oplus _{j = 1}^qs_{{\mathrm{B}}j}\). This is so because \(\oplus _{j = 1}^qs_{{\mathrm{A}}j} = \oplus _{j = 1}^qM_{{\mathrm{EC}}}k_{{\mathrm{A}}j,{\mathrm{key}}} = M_{{\mathrm{EC}}} \oplus _{j = 1}^qk_{{\mathrm{A}}j,{\mathrm{key}}} = M_{{\mathrm{EC}}}k_{{\mathrm{A}},{\mathrm{key}}} = s_{\mathrm{A}}\), and a similar argument applies to s B . Finally, if s A ≠ s B Bob corrects k B,key by acting on its shares k Bj,key . Note that to flip certain bits in k B,key is equivalent to flip the corresponding bits in one of its shares k Bj,key . That is, error correction in QKD can be easily performed in a distributed setting by acting only on shares of k A,key and k B,key . The same argument applies as well to the other classical post-processing techniques in QKD, as all of them involve only linear operations.

To defeat corrupted QKD modules, on the other hand, we use privacy amplification techniques. Suppose, for instance, that each pair QKD Ai and QKD Bi outputs a raw key, \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\). Moreover, suppose for the moment that the classical post-processing units are trusted and they distil a supposedly (ε cor /n)-correct and (ε sec /n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), of length N bits from each pair \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\). Then, the n × N bit strings \(k_{\mathrm{A}}^\prime = \left[ {k_{{\mathrm{A}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{A}}n}^{\prime\prime} } \right]\) and \(k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{B}}n}^{\prime\prime} ]\) are for certain ε cor -correct. The secrecy condition, however, only holds if all the QKD modules are trusted. If say the pair QKD Ai′ and QKD Bi′ is corrupted then the key strings \(k_{{\mathrm{A}}i^\prime }^{\prime\prime}\) and \(k_{{\mathrm{B}}i^\prime }^{\prime\prime}\) are compromised. So, given that t < n the classical post-processing units can apply privacy amplification to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to extract two shorter (n − t) × N bit strings, k A and k B , which are ε sec -secret and thus ε-secure. In the presence of untrusted classical post-processing units, this process can be performed in a distributed manner by acting on data shares.

In short, the general strategy can be decomposed in three main steps, which are illustrated in Fig. 4b. First, each pair of QKD modules generates a raw key and the protocol information and sends them to the CP units. Second, the CP units distil a supposedly (ε cor /n)-correct and (ε sec /n)-secret key from each raw key received and concatenate the resulting keys to form a longer key bit string, which, in the absence of malicious QKD modules, would be then ε-secure. Finally, in the third step, the CP units apply privacy amplification to this longer bit string to remove any information that could be known to Eve due to the presence of malicious QKD modules. If the CP units are untrusted, these steps are performed in a distributed setting by acting on data shares produced by a VSS scheme.

Next we evaluate three different scenarios of practical interest in this context. For concreteness, in these examples we use the VSS scheme introduced in ref. 41 and which is described in the Methods section.

QKD with malicious QKD modules

We begin by analysing the situation where Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted, and each of Alice and Bob has one honest classical post-processing unit. This scenario is illustrated in Fig. 5 and corresponds to the case s = r = 1 and t′ = t′′ = 0 in Fig. 4a.

Fig. 5 QKD with malicious QKD modules. Alice and Bob have n pairs of QKD modules, and up to t < n of them could be corrupted. Alice’s (Bob’s) ith QKD module is supposed to generate a raw key \(k_{{\mathrm{A}}i}^\prime\) \(\left( {k_{{\mathrm{B}}i}^\prime } \right)\) and the protocol information p Ai,info (p Bi,info ), with i = 1,…,n. Also, they have one classical post-processing unit each, which is assumed to be honest. The goal is to distil an ε-secure key, k A and k B . This can be achieved by using Protocol 1. See the main text for further details Full size image

A possible solution to this scenario is rather simple; see Protocol 1 below. This protocol follows the spirit of “countermeasure 3” in ref. 25 However, in contrast to ref.,25 which is restricted to measurement devices in a DI-QKD setting, Protocol 1 applies to both DI-QKD and non-DI-QKD, and considers the whole QKD key generation devices, which include the sources.

Protocol 1:

1. Generation of raw keys and protocol information: Each pair QKD Ai and QKD Bi outputs, respectively, the bit strings \(k_{{\mathrm{A}}i}^\prime\) and p Ai,info , and \(k_{{\mathrm{B}}i}^\prime\) and p Bi,info , or the abort symbol ⊥ i , ∀i = 1,…,n. 2. Generation of an ε cor -correct key: The units CP A and CP B use the key distillation procedure prescribed by the QKD protocol to generate an (ε cor /n)-correct and (ε sec /n)-secret key, \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\), from each pair \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\), or they generate the abort symbol ⊥ i , ∀i = 1,…,n. Afterward, CP A (CP B ) concatenates the M ≤ n keys \(k_{{\mathrm{A}}i}^{\prime\prime}\) \(\left( {k_{{\mathrm{B}}i}^{\prime\prime} } \right)\) which are different from ⊥ i to form the bit string \(k_{\mathrm{A}}^\prime = [k_{{\mathrm{A}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{AM}}}^{\prime\prime} ]\) \(\left( {k_{\mathrm{B}}^\prime = [k_{{\mathrm{B}}1}^{\prime\prime} , \ldots ,k_{{\mathrm{BM}}}^{\prime\prime} ]} \right)\). Since by assumption CP A and CP B are trusted, \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) are for certain ε cor -correct. The secrecy condition only holds if all \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) originate from raw keys output by honest QKD modules. For simplicity, let the length of \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) be N bits ∀i. 3. Generation of an ε-secure key: CP A and CP B apply a randomly selected universal 2 hash function to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) to extract two bit strings, k A and k B , of length (M − t) × N bits. k A and k B are by definition ε sec -secret, and thus, from step 2, they are ε-secure.

Note that in step 3 of Protocol 1 we consider the worst-case scenario where all \(k_{{\mathrm{A}}i}^{\prime\prime}\) and \(k_{{\mathrm{B}}i}^{\prime\prime}\) generated by corrupted QKD modules contribute to \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\), respectively, as Alice and Bob cannot discard this case. Most importantly, Protocol 1 allows Alice and Bob to defeat any covert channel (including, e.g., memory attacks) from the QKD modules, as this protocol guarantees that none of the malicious QKD modules can access k A or k B . Our results are summarised in the following Claim, whose proof is directly from the definition of Protocol 1.

Claim 1.

Suppose that Alice and Bob have n pairs of QKD modules and up to t < n of them could be corrupted. Also, suppose that they have one trusted classical post-processing unit each. Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key could in principle be transformed into an (ε/n)-secure key, and let N bits be the length of such supposedly secure key. Protocol 1 allows Alice and Bob to distil an ε-secure key of length (M − t) × N bits. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

Importantly, we remark that Protocol 1 is basically optimal with respect to the resulting secret key rate, in the sense that there is no protocol which can deliver a higher key rate in the scenario considered. This is so because of the following. If no pair of QKD modules aborts and its raw data could in principle be transformed into a secure key we have, by definition, that the maximum total final key length is at most n × N bits. Also, we know that up to t × N bits of such key could be compromised by the t pairs of corrupted QKD modules. That is, the maximum secure key length is at most (n − t) × N bits. Moreover, as discussed above, if some pairs of QKD modules abort we must necessarily assume the worst-case scenario where they are honest. This is so because through her interaction with the quantum signals in the channel, Eve could always force honest QKD modules to abort by simply increasing the resulting QBER or phase error rate. That is, in this scenario it is not possible to distil a key length greater than (M − t) × N bits.

QKD with malicious classical post-processing units

We now consider the situation where Alice and Bob have one trusted QKD module each, and Alice (Bob) has s (r) classical post-processing units CP Ai (CP Bi′ ), with i = 1,…,s (i′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of them could be corrupted. This is illustrated in Fig. 6 and corresponds to the case n = 1 and t = 0 in Fig. 4a.

Fig. 6 QKD with malicious classical post-processing units. Alice and Bob have one trusted QKD module each, QKD A and QKD B , which generate, respectively, the raw key \(k_{\mathrm{A}}^\prime\) and \(k_{\mathrm{B}}^\prime\) and the protocol information p A,info and p B,info . Also, Alice (Bob) has s (r) classical post-processing units CP Ai (CP Bi′ ) with i = 1,…,s (i′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of these units could be corrupted. The goal is to produce shares of an ε-secure key, k A and k B , from which the final key could be reconstructed. This can be achieved by using Protocol 2. See the Methods section for a detailed description of this protocol. In the figure, \(k_{{\mathrm{A}}ij}^\prime\) \(\left( {k_{{\mathrm{B}}i^{\prime}j}^\prime } \right)\) denotes the jth share of \(k_{\mathrm{A}}^\prime\) \(\left( {k_{\mathrm{B}}^\prime } \right)\) which QKD A (QKD B ) sends to CP Ai (CP Bi′ ), and k Aij (k Bi'j ) identifies the jth share of k A (k B ) that is produced by CP Ai (CP Bi′ ). Since QKD A (QKD B ) is honest, note that the shares \(k_{{\mathrm{A}}ij}^\prime\) \(\left( {k_{{\mathrm{B}}i^{\prime}j}^\prime } \right)\) are equal for all i (i') Full size image

Since now the units CP Ai and CP Bi′ could be malicious, we aim to generate shares of an ε-secure key, k A and k B . A possible solution to this scenario is given by Protocol 2, which is described in detail in the Methods section. The main result is summarised in the following Claim, whose proof is directly from the description of Protocol 2:

Claim 2.

Suppose that Alice and Bob have one trusted QKD module each, and each of them has, respectively, s and r classical post-processing units. Also, suppose that up to t′ < s/3 of Alice’s units and up to t′′ < r/3 of Bob’s units could be corrupted. Then, if we disregard the cost of authenticating the classical channels between Alice and Bob’s classical post-processing units, Protocol 2 allows them to distil an ε-secure key of the same length as would be possible in a completely trusted scenario. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

That is, if we ignore the cost of authenticating the classical channels between the units CP Ai and CP Bi′ , Claim 2 implies that Protocol 2 is optimal with respect to the resulting secret key length, in the sense that there is no protocol which can deliver a higher key rate in the scenario considered. This is so because this protocol allows Alice and Bob to obtain a secret key of the same length as it would be possible if all devices are trusted. We refer the reader to the Supplementary Note 2 for a simpler but less efficient protocol to achieve the same task.

Also, we remark that in Protocol 2 the cost due to authenticating the classical channels is relatively small even when s and r are reasonable large. Indeed, if we assume for simplicity the symmetric scenario where s = r and t′ = t′′ (i.e., each of Alice and Bob has s CP units and up to t′ < s/3 of them are malicious), it can be shown that this authentication cost is basically s(2t′ + 1)k au bits, where k au denotes the authentication cost in the trusted scenario (i.e., when s = 1 and t′ = 0). That is, the overall cost of authentication is only s(2t′ + 1) times that of a standard QKD scheme with honest devices. This is so because in the untrusted scenario, for any message that has to be authenticated (say for instance from Alice), it is enough that 2t′ + 1 units CP Ai send that message authenticated to all the s CP Bi′ units at Bob’s side. In so doing, it is guaranteed that Bob’s units can reconstruct the message correctly by using say majority voting. Importantly, the parameter k au is logarithmic in the size of the messages sent, which assures that the cost of authentication in Protocol 2 is small.

QKD with malicious QKD modules and classical post-processing units

Finally, here we consider the situation where Alice and Bob have n pairs of QKD modules, QKD Ai and QKD Bi with i = 1,…,n, and Alice (Bob) has s (r) classical post-processing units CP Ai′ (CP Bi′′ ), with i′ = 1,…,s (i′′ = 1,…,r), and up to t < n pairs of QKD modules, up to t′ < s/3 units CP Ai′ and up to t′′ < r/3 units CP Bi′′ could be corrupted. This scenario is illustrated in Fig. 7 and corresponds to the most general case considered in Fig. 4a.

Fig. 7 QKD with malicious QKD modules and classical post-processing units. Alice and Bob have n pairs of QKD modules, QKD Ai and QKD Bi , and up to t < n of them could be corrupted. They generate, respectively, the raw key \(k_{{\mathrm{A}}i}^\prime\) and \(k_{{\mathrm{B}}i}^\prime\) and the protocol information p Ai,info and p Bi,info . Also, Alice (Bob) has s (r) classical post-processing units CP Ai′ (CP Bi′′ ) with i′ = 1,…,s (i′′ = 1,…,r), and up to t′ < s/3 (t′′ < r/3) of these units could be corrupted. The goal is to produce shares of an ε-secure key, k A and k B , from which the final key could be reconstructed. This can be achieved by using Protocol 3. See the main text for further details. In the figure, \(k_{{\mathrm{A}}i^{\prime}ij}^\prime\) \(( {k_{{\mathrm{B}}i^{\prime\prime}ij}^\prime } )\) denotes the jth share of \(k_{{\mathrm{A}}i}^\prime\) \(\left( {k_{{\mathrm{B}}i}^\prime } \right)\) which QKD Ai (QKD Bi ) sends to CP Ai′ (CP Bi′′ ), and k Ai′ij (k Bi′′ij ) identifies the shares of k A (k B ) that are produced by CP Ai′ (CP Bi′′ ) Full size image

For illustrative purposes, let us discuss first a naive protocol that fails to achieve the goal. In particular, suppose for simplicity that s = r = n, and, moreover, we have that up to t < n groups of devices G i ≡ {QKD Ai , QKD Bi , CP Ai , CP Bi } could be corrupted, where we say that a group G i is corrupted if at least one of its elements is corrupted. Then, if one disregards efficiency issues, a straightforward solution to this scenario might appear to be as follows. Each G i generates a supposedly ε-secure key, k Ai and k Bi , and then this key is simply considered as the ith share of the final key, k A and k B . That is, \(k_{\mathrm{A}} = \oplus _{i = 1}^nk_{{\mathrm{A}}i}\) and \(k_{\mathrm{B}} = \oplus _{i = 1}^nk_{{\mathrm{B}}i}\). Indeed, given that t < n, k A and k B is for certain ε sec -secret. However, the main problem of this naive approach is that k A and k B might not be correct because a corrupted G i could output k Ai ≠ k Bi and thus k A ≠ k B .

Below we provide a simple solution (Protocol 3) to the general scenario. It builds on Protocols 1 and 2, and it consists of three main steps.

Protocol 3:

1. Generation and distribution of shares of (ε/n)-secure keys: Each pair QKD Ai and QKD Bi uses say Protocol 2 to distribute shares of an (ε/n)-secure key, k Ai and k Bi , or the abort symbol ⊥ i , between CP Ai′ and CP Bi′′ , respectively. Let \(\tilde k_{{\mathrm{A}}i^{\prime}ij}\) \(( {\tilde k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}}} )\) be the jth (j′th) share of k Ai (k Bi ) obtained by CP Ai′ (CP Bi′′ ). For simplicity, we will suppose that the length of k Ai and k Bi is N bits ∀i. 2. Generation of shares of an ε cor -correct key: Let \(\vec {0}\) be the N-bit zero vector, and M be the number of k Ai and k Bi which are different from ⊥ i . Each CP Ai′ defines \(k_{{\mathrm{A}}i^{\prime} ij}^{{\prime}{\prime}} = \left[ {\vec 0_{1}, \ldots ,\vec 0_{i - 1},\tilde k_{{\mathrm{A}}i^{\prime}ij},\vec 0_{i + 1}, \ldots ,\vec 0_{M}} \right]\). Likewise, the CP Bi′′ form \(k_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }^{\prime\prime}\) from \(\tilde k_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }\). \(k_{{\mathrm{A}}i^{\prime} ij}^{\prime\prime}\) and \(k^{\prime\prime}_{{\mathrm{B}}i^{\prime\prime} ij^{\prime} }\) are by definition shares of an ε cor -correct key. The secrecy condition only holds if all k Ai and k Bi originate from honest QKD modules. 3. Generation of shares of an ε-secure key: The CP Ai′ use the RBS scheme (see Methods section) to randomly select a universal 2 hash function, h P . Next, they obtain shares, \(k_{{\mathrm{A}}i^{\prime}ij} = h_{\mathrm{P}}(k_{{\mathrm{A}}i^{\prime}ij}^{\prime\prime} )\) of length (M − t) × N bits of a final key k A , and say the first 2t′ + 1 CP Ai' send h P to all CP Bi′′ , which use majority voting to determine h P from the information received, and then obtain shares \(k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}} = h_{\mathrm{P}}(k_{{\mathrm{B}}i^{\prime\prime}ij^{\prime}}^{\prime\prime} )\) of the final key k B .

Indeed, given that t′ < M Ai /3 and t′′ < M Bi /3 for all i = 1,…,M, where M Ai (M Bi ) denotes the number of CP Ai′ (CP Bi′′ ) that do not produce ⊥ i but output post-processed shares, k Ai′ij (k Bi′′ij′ ), from k Ai (k Bi ), then the final key, k A and k B , is ε-secure. Also, Alice (Bob) could obtain k A (k B ) by using the reconstruct protocol of a VSS (see Methods section). That is, Alice (Bob) could use majority voting to obtain the shares k Aij and k Bij′ of k A (k B ) from k Ai′ij (k Bi′′ij′ ) for all i = 1,…,M and j = 1,…,q (j′ = 1,…,q′), and she (he) calculates \(k_{\mathrm{A}} = \oplus _{i = 1}^M \oplus _{j = 1}^qk_{{\mathrm{A}}ij}\) \(( {k_{\mathrm{B}} = \oplus _{i = 1}^M \oplus _{j^{\prime} = 1}^{q^{\prime}}k_{{\mathrm{B}}ij^{\prime}}} )\) where q (q′) is the total number of shares of k Ai (k Bi ) for each i.

Our results are summarised in the following Claim, whose proof is directly from the definition of Protocol 3:

Claim 3.

Suppose that Alice and Bob have n pairs of QKD modules and Alice (Bob) has s (r) classical post-processing units. Suppose that up to t < n pairs of QKD modules, up to t′ < s/3 classical post-processing units of Alice, and up to t′′ < r/3 classical post-processing units of Bob could be corrupted. Let M ≤ n denote the number of pairs of QKD modules that do not abort and whose raw key can be transformed into a supposedly (ε/n)-secure key, and let N bits be the length of such key. Then Protocol 3 allows Alice and Bob to distil an ε-secure key of length (M − t) × N bits. Moreover, the re-use of the devices does not compromise the security of the keys distilled in previous QKD runs.

We remark that if we disregard the cost of authenticating the classical channels between Alice and Bob’s classical post-processing units, Protocol 3 is optimal with respect to the resulting secret key length, in the sense that no other protocol can deliver a higher key rate for the scenario considered. The argument follows directly from that used in the subsection above that evaluates QKD with malicious QKD modules, where we showed that if the classical post-processing units are trusted the secret key rate is upper bounded by (M − t) × N bits. So, in the presence of corrupted classical post-processing units this upper bound also trivially holds.