Draft:Measurement-device-independent quantum key distribution

File:MDI-QKD conceptual new.svg and polarizing beamsplitters to perform Bell measurements.]]

The original MDI-QKD consists of three main stages. In each of these, it is assumed that the communicating parties Alice and Bob are in separate laboratories, and that Alice and Bob can send quantum systems to an intermediary Eve using (possibly compromised) quantum channels, and also that Alice and Bob can communicate with each other and with Eve using a public classical channel.{{cn}} The three stages are as follows.

1. Preparation: Alice and Bob each prepare a sequence of two-level quantum systems (qubits) similar to the BB84 protocol. In particular, each system should be prepared in one of four quantum states, with the four states forming a pair of mutually unbiased bases (in the case of polarization qubits, these may be horizontally and vertically polarized states, as well as right- and left-hand circular polarizations). Each party should keep a private record of the prepared state for each qubit.{{cn}}
2. Measurement: Alice and Bob send the quantum systems one at a time to Eve, who performs particular measurements on the two systems. Before sending the next qubit, Alice and Bob wait for a message from Eve indicating the measurement result. Alice and Bob also keep a record of the measurement result corresponding to each qubit.{{cn}}
3. Security verification: Alice and Bob share the basis (but not the particular state) used for each qubit over the classical channel. For all qubit pairs whose bases did not match, Alice and Bob discard the associated data. For the remaining qubits, Alice and Bob reconcile their information on the prepared states based on Eve's measurement result (the exact process for this is detailed below). Alice and Bob can now expect to possess identical information on the prepared states, with any mismatch their state information indicating a flaw in either Eve's measurements or in the quantum channels themselves. Alice and Bob share a fraction of their values on the prepared states to verify this assumption; if the values agree, they know the protocol was secure and use the remaining values as a secret key.{{cn}}

Suppose that Alice and Bob are in separate laboratories, that each can prepare a qubit in any desired pure state, and that neither laboratory has any undesired communication channels with the outside world. The goal of the protocol is to overcome any detector side-channels; that is, the protocol should prevent a hostile actor from modifying the detectors so as to gain information about the key. For example, the detectors may perform additional measurements on the quantum systems in order to learn about the random values Alice and Bob use to establish a secret key, or may communicate all measurement results to an eavesdropper. We therefore consider the extreme case in which a third-party Eve (who may be malicious) has exclusive access to all detectors used in the protocol. Alice and Bob are both connected to Eve by quantum channels, and furthermore all parties can share classical information over a public authenticated channel. The goal of the MDI-QKD protocol is for Alice and Bob to prepare and send quantum systems to Eve, who performs measurements and publicly announces a result; based on the Eve's responses and their public communications, Alice and Bob either create a shared private key or, if this is not possible, abort the protocol.

The protocol now proceeds as follows.

1. Alice and Bob each select a random value $\backslash mathcal\; B^\{(x)\}\backslash in\backslash \{0,1\backslash \}$, where $x$ denotes either Alice or Bob. This value is used to choose between one of two mutually-unbiased qubit bases; for concreteness, we will use $\backslash$

   0\rangle, |1\rangle\} and $\backslash \{|+\backslash rangle\; \backslash equiv\; 2^\{-1/2\}(|0\backslash rangle+|1\backslash rangle),$
   \rangle \equiv 2^{-1/2}(|0\rangle-|1\rangle)\}. Alice and Bob each select a second random value $\backslash mathcal\; Z^\{(x)\}\; \backslash in\; \backslash \{0,1\backslash \}$, corresponding to either the first or second element of the basis $\backslash mathcal\; B^\{(x)\}$. Each party prepares the chosen state and sends it to Eve, who (in the ideal case) receives the two-qubit state $|\backslash mathcal\; Z^\{(A)\}\backslash rangle\; \backslash otimes\; |\backslash mathcal\; Z^\{(B)\}\backslash rangle$. Eve measures the two-qubit state in the Bell basis $|\backslash Phi^+\backslash rangle\; \backslash equiv\; \backslash frac\{1\}\{\backslash sqrt\{2\}\}\; \backslash left(|0\backslash rangle\; \backslash otimes\; |0\backslash rangle\; +\; |1\backslash rangle\; \backslash otimes\; |1\backslash rangle\backslash right)\; =\; \backslash frac\{1\}\{\backslash sqrt2\}\backslash left(|+\backslash rangle\backslash otimes|+\backslash rangle\; +$
   \rangle\otimes
   \rangle\right), $|\backslash Phi^-\backslash rangle\; \backslash equiv\; \backslash frac\{1\}\{\backslash sqrt\{2\}\}\; \backslash left(|0\backslash rangle\; \backslash otimes\; |0\backslash rangle\; -\; |1\backslash rangle\; \backslash otimes\; |1\backslash rangle\backslash right)\; =\; \backslash frac\{1\}\{\backslash sqrt2\}\backslash left(|+\backslash rangle\backslash otimes$
   \rangle +
   \rangle\otimes|+\rangle\right), $|\backslash Psi^+\backslash rangle\; \backslash equiv\; \backslash frac\{1\}\{\backslash sqrt\{2\}\}\; \backslash left(|0\backslash rangle\; \backslash otimes\; |1\backslash rangle\; +\; |1\backslash rangle\; \backslash otimes\; |0\backslash rangle\backslash right)\; =\; \backslash frac\{1\}\{\backslash sqrt2\}\backslash left(|+\backslash rangle\backslash otimes|+\backslash rangle\; -$
   \rangle\otimes
   \rangle\right), $|\backslash Psi^-\; \backslash rangle\; \backslash equiv\; \backslash frac\{1\}\{\backslash sqrt\{2\}\}\; \backslash left(|0\backslash rangle\; \backslash otimes\; |1\backslash rangle\; -\; |1\backslash rangle\; \backslash otimes\; |0\backslash rangle\backslash right)\; =\; \backslash frac\{-1\}\{\backslash sqrt2\}\backslash left(|+\backslash rangle\backslash otimes$
   \rangle -
   \rangle\otimes|+\rangle\right) and announces the result to Alice and Bob over a public channel. Alice, Bob, and Eve repeat the previous steps $N$ times, recording the measurement results and (for Alice and Bob) the selected basis $\backslash mathcal\; B\_i^\{(x)\}$ and state $\backslash mathcal\; Z\_i^\{(x)\}$ for each trial. Alice and Bob share their preparation bases over the public channel and discard any trials in which they used different bases. The remaining trials involve eight possible input states $|\backslash mathcal\; Z\_i^\{(A)\}\backslash rangle\; \backslash otimes\; |\backslash mathcal\; Z\_i^\{(B)\}\backslash rangle$, four for each of the two bases. The following table shows the probabilities for each Bell measurement result given a particular input state. {| class="wikitable" style="margin:auto"
   $\backslash mathcal\; Z^\{(A)\}$	$\backslash mathcal\; Z^\{(B)\}$	$P(\backslash Phi^+)$	$P(\backslash Phi^-)$	$P(\backslash Psi^+)$	$P(\backslash Psi^-)$
   rowspan="2" |$0$ ! $0$ |$1/2$ |$1/2$ |$0$ |$0$
   $1$ |$0$ |$0$ |$1/2$ |$1/2$
   rowspan="2" |$1$ !$0$ |$0$ |$0$ |$1/2$ |$1/2$
   $1$ |$1/2$ |$1/2$ |$0$ |$0$
   rowspan="2" |$+$ !$+$ |$1/2$ |$0$ |$1/2$ |$0$
   $-$ |$0$ |$1/2$ |$0$ |$1/2$
   rowspan="2" |$-$ !$+$ |$0$ |$1/2$ |$0$ |$1/2$
   $-$ |$1/2$ |$0$ |$1/2$ |$0$

   In the cases where the qubits were prepared in the $\backslash \{|0\backslash rangle,\; |1\backslash rangle\backslash \}$ basis and the result is $|\backslash Psi^\backslash pm\backslash rangle$, and where the qubits were prepared in the $\backslash \{|+\backslash rangle,\; |-\backslash rangle\backslash \}$ basis and the result is one of $|\backslash Phi^-\backslash rangle$ or $|\backslash Psi^-\backslash rangle$, then either Alice or Bob flips the value of their bit $\backslash mathcal\; Z\_i^\{(x)\}$. In any case, so long as Eve truthfully reports the results of a Bell measurement, after the flip Alice and Bob possess the same bit values, $\backslash mathcal\; Z\_i^\{(A)\}\; =\; \backslash mathcal\; Z\_i^\{(B)\}$.

2. Alice and Bob publicly share their bit values $\backslash mathcal\; Z\_i^\{(x)\}$ for a subset of the trials $i$. If the bit values for this subset do not agree, it indicates that Eve may have tampered with the measurement process or falsely reported some measurement results.

3. If Alice and Bob find that a sufficient number of the bit values that were compared agree, then they perform information reconciliation and privacy amplification to determine a secret key that is unknown to Eve.

The Bell measurement performed by Eve thus postselects onto those scenarios in which Alice and Bob possess correlated bit values, and those scenarios in which they possess anticorrelated bit values. Despite this, since Eve is unaware of the preparation basis of the qubits, any attempt to mimic the outcomes of the Bell measurement while extracting additional information about the quantum states will, for some choice of basis, unavoidably degrade the correlations between Alice and Bob. The protocol therefore relies on Eve's ability to induce correlations between Alice and Bob while possessing no information of their states.{{cn}}

For instance, suppose that Alice and Bob both use the $\backslash \{|0\backslash rangle,\; |1\backslash rangle\backslash \}$ basis to send a bit. We will assume for simplicity that Eve performs a projective measurement on the qubits. Then Eve's measurement falls into one of the following cases.{{cn}}

1. Eve performs only a Bell measurement. Then Eve gains no information about the bit values used; since Alice and Bob reveal the basis after the measurement, she can tell whether Alice and Bob had identical or opposite bit values (corresponding to $|\backslash Phi^\backslash pm\backslash rangle$ and $|\backslash Psi^\backslash pm\backslash rangle$ outcomes, respectively), but the particular Bell state she obtains is completely uncorrelated with the exact bit values they send.
2. Eve measures the qubits individually and also performs a Bell measurement. If Eve knew the basis of the two qubits, she could perform a measurement in this basis before doing the Bell state projection, and therefore obtain the bit values without disturbing the states. However, the fact that Alice and Bob choose randomly between two bases means that Eve's measurement necessarily scrambles the qubit states, similar to an eavesdropper in the BB84 protocol. Eve may perform a Bell measurement afterwards, but due to this change in the qubits' states, her results will sometimes differ from that of a true Bell measurement, which Alice and Bob can detect.
3. Eve performs an arbitrary two-qubit projective measurement. We again assume that Alice and Bob send states in the $\backslash \{|0\backslash rangle,\; |1\backslash rangle\backslash \}$ basis. If Eve knew the basis of the qubits, then she could project onto the two-qubit basis formed by any two states in the subspace spanned by $|\backslash Phi^\backslash pm\backslash rangle$ together with any two states in the subspace spanned by $|\backslash Psi^\backslash pm\backslash rangle$, since these pairs give the same outcome; any four projectors chosen this way will yield the correct outcomes as far as Alice and Bob are concerned. Once again, however, the attack is foiled by the use of random bases: if Alice and Bob use the $\backslash \{|+\backslash rangle,\; |-\backslash rangle\backslash \}$, then it is the $\backslash \{|\backslash Phi^+\backslash rangle,\; |\backslash Psi^+\backslash rangle\backslash \}$ and $\backslash \{|\backslash Phi^-\backslash rangle,\; |\backslash Psi^-\backslash rangle\backslash \}$ pairs that have the same outcomes, so a projection onto a superposition of $|\backslash Phi^\backslash pm\backslash rangle$ will sometimes yield the wrong outcome in this situation. The only projective measurement that always will always provide the correct outcome to Alice and Bob regardless of their basis is therefore the Bell measurement.

While this argument assumes that Eve restricts herself to projective measurements on the two qubits, a more comprehensive analysis of MDI-QKD shows that the protocol is secure even against arbitrary attacks by Eve..{{Cite journal |last1=Curty |first1=Marcos |last2=Xu |first2=Feihu |last3=Cui |first3=Wei |last4=Lim |first4=Charles Ci Wen |last5=Tamaki |first5=Kiyoshi |last6=Lo |first6=Hoi-Kwong |date=2014-04-29 |title=Finite-key analysis for measurement-device-independent quantum key distribution |url=https://www.nature.com/articles/ncomms4732 |journal=Nature Communications |language=en |volume=5 |issue=1 |pages=3732 |doi=10.1038/ncomms4732 |pmid=24776959 |arxiv=1307.1081 |bibcode=2014NatCo...5.3732C |issn=2041-1723}}.

The simple model presented above is not sufficient for a practical implementation of QKD. In addition to the stated assumptions of a secure laboratory environment and reliable preparation of quantum states, the protocol also assumes that complete Bell measurements can be performed, and that the quantum state exists in a two-dimensional Hilbert space, as is the case for the polarization of a single photon. In practice, optical qubits, in particular polarization qubits, are typically used as the quantum system. When restricted to linear optics, no measurement of these qubits can reliably distinguish between all four Bell states; the best one can do is to distinguish between the three cases of (1) the $|\backslash Psi^+\backslash rangle$ state, (2) the $|\backslash Psi^-\backslash rangle$ state, and (3) one of the $|\backslash Phi^\backslash pm\backslash rangle$ states{{Cite book |last1=Kok |first1=Pieter |title=Introduction to optical quantum information processing |last2=Lovett |first2=Brendon W. |date=2010 |publisher=Cambridge University Press |isbn=978-1-139-19365-8 |location=Cambridge New York}}. This is still sufficient to perform the MDI-QKD protocol, since one can generate a key using the $|\backslash Psi^+\backslash rangle$ and $|\backslash Psi^-\backslash rangle$ outcomes and discard the remaining trials, at the cost of reducing the key generation rate by a factor of two. The requirement of single photons is more problematic since all practical sources will sometimes produce multiphoton states, which allows an adversary to perform a photon number splitting attack. However, this vulnerability can be overcome by incorporating the decoy-state method into the MDI-QKD protocol.

While MDI-QKD involves the use of an intermediate station between Alice and Bob, this protocol does not enable the use of long-distance communication using quantum repeaters, as would occur in a quantum network. In particular, the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound{{Cite journal |last1=Pirandola |first1=Stefano |last2=Laurenza |first2=Riccardo |last3=Ottaviani |first3=Carlo |last4=Banchi |first4=Leonardo |date=2017-04-26 |title=Fundamental limits of repeaterless quantum communications |journal=Nature Communications |language=en |volume=8 |issue=1 |page=15043 |doi=10.1038/ncomms15043 |issn=2041-1723 |pmc=5414096 |pmid=28443624|arxiv=1512.04945 |bibcode=2017NatCo...815043P }} limits the secret key rate across a repeaterless channel with transmissivity $\backslash eta$ to $-\backslash log\_2(1-\backslash eta)$ bits per channel use, or approximately $1.44\backslash eta$ bits per channel use for high loss. By comparison, a channel involving $N$ equidistant repeaters has a secret key rate bound of $-\backslash log\_2(1-\backslash eta^\{1/(N+1)\})$, so that the use of many repeaters can offset the effects of channel loss{{Cite journal |last=Pirandola |first=Stefano |date=2019-05-17 |title=End-to-end capacities of a quantum communication network |url=https://www.nature.com/articles/s42005-019-0147-3 |journal=Communications Physics |language=en |volume=2 |issue=1 |page=51 |doi=10.1038/s42005-019-0147-3 |arxiv=1905.12674 |bibcode=2019CmPhy...2...51P |issn=2399-3650}}. After including the effects of loss the MDI-QKD protocol achieves a secret key rate of $\backslash eta/(2e^2)\; \backslash approx\; 0.068\backslash eta$ (the factor of two is due to imperfect Bell measurements for photonic qubits). Despite using an intermediary station between Alice and Bob, MDI-QKD therefore has a shorter achievable range than repeaterless QKD protocols. While MDI-QKD provides a conceptual advance in its immunity to detector-side attacks, it fails in its goal to extend the range of QKD. However, Xu et al have argued that with sufficiently high repetition rates, MDI-QKD may still be of practical use for metropolitan use{{Cite journal |last1=Xu |first1=Feihu |last2=Curty |first2=Marcos |last3=Qi |first3=Bing |last4=Qian |first4=Li |last5=Lo |first5=Hoi-Kwong |date=2015-11-16 |title=Discrete and continuous variables for measurement-device-independent quantum cryptography |url=https://www.nature.com/articles/nphoton.2015.206 |journal=Nature Photonics |language=en |volume=9 |issue=12 |pages=772–773 |doi=10.1038/nphoton.2015.206 |arxiv=1506.04819 |bibcode=2015NaPho...9..772X |issn=1749-4885}}.

File:MDI-QKD secret key rate (corrected).svg. By comparison, implementations of MDI-QKD using continuous variables ("qunats") performs better than BB84 over short distances, but much worse than even discrete MDI-QKD over long distances.]]

More recently, features of MDI-QKD have been implemented in more advanced protocols such as twin-field QKD{{Cite journal |last1=Lucamarini |first1=M. |last2=Yuan |first2=Z. L. |last3=Dynes |first3=J. F. |last4=Shields |first4=A. J. |date=2018-05-02 |title=Overcoming the rate–distance limit of quantum key distribution without quantum repeaters |url=https://www.nature.com/articles/s41586-018-0066-6 |journal=Nature |language=en |volume=557 |issue=7705 |pages=400–403 |doi=10.1038/s41586-018-0066-6 |pmid=29720656 |arxiv=1811.06826 |bibcode=2018Natur.557..400L |issn=0028-0836}}. The twin-field protocol keeps the intermediary measurement station of MDI-QKD, but relies on phase-randomized optical fields sent by Alice and Bob, rather than single photons. Since the interference at Eve is first-order interference of the fields, rather than (intensity) interference between two photons, the secret key rate scales as $\backslash sqrt\{\backslash eta\}$ for high losses, as opposed to the $\backslash eta$-scaling of MDI-QKD. As a result, twin-field QKD has a long-distance key rate that lies between the PLOB bound and the single-repeater bound. Twin-field QKD may be viewed as a type of MDI-QKD in which the states of interest are the vacuum and single-photon Fock states{{Cite journal |last1=Yin |first1=Hua-Lei |last2=Fu |first2=Yao |date=2019-02-28 |title=Measurement-Device-Independent Twin-Field Quantum Key Distribution |journal=Scientific Reports |language=en |volume=9 |issue=1 |pages=3045 |doi=10.1038/s41598-019-39454-1 |issn=2045-2322 |pmc=6395703 |pmid=30816262|arxiv=1805.12004 |bibcode=2019NatSR...9.3045Y }}.

The concept of device-independent quantum key distribution (DI-QKD) was described by Mayers and Yao{{Cite arXiv |eprint=quant-ph/0307205 |first1=Dominic |last1=Mayers |first2=Andrew |last2=Yao |title=Self testing quantum apparatus |date=2003-07-28}}, which relies on "self-checking" devices which can certify their own correct operation. An early proposal for fully device-independent quantum key distribution, described in a paper by Acín et al{{Cite journal |last1=Acín |first1=Antonio |last2=Massar |first2=Serge |last3=Pironio |first3=Stefano |date=2006-08-02 |title=Efficient quantum key distribution secure against no-signalling eavesdroppers |url=https://iopscience.iop.org/article/10.1088/1367-2630/8/8/126 |journal=New Journal of Physics |volume=8 |issue=8 |pages=126 |doi=10.1088/1367-2630/8/8/126 |arxiv=quant-ph/0605246 |bibcode=2006NJPh....8..126A |issn=1367-2630}}, relies on violations of a Bell inequality in order to establish security.

So long as no unwanted information leaves Alice's and Bob's labs (as might occur, for example, if an eavesdropper broadcasts the results of each of their measurements), any violation of a Bell inequality by their measurement results implies that Alice and Bob share nonlocal correlations. A third party may modify Alice's and Bob's devices in such a way so as to mimic the outputs of a secure key distribution protocol, but without additional communication channels these modified devices can produce only locally-correlated outputs{{Cite journal |last1=Pirandola |first1=S. |last2=Andersen |first2=U. L. |last3=Banchi |first3=L. |last4=Berta |first4=M. |last5=Bunandar |first5=D. |last6=Colbeck |first6=R. |last7=Englund |first7=D. |last8=Gehring |first8=T. |last9=Lupo |first9=C. |last10=Ottaviani |first10=C. |last11=Pereira |first11=J. L. |last12=Razavi |first12=M. |last13=Shaari |first13=J. Shamsul |last14=Tomamichel |first14=M. |last15=Usenko |first15=V. C. |date=2020-12-14 |title=Advances in quantum cryptography |url=https://opg.optica.org/aop/abstract.cfm?uri=aop-12-4-1012 |journal=Advances in Optics and Photonics |language=EN |volume=12 |issue=4 |pages=1012–1236 |doi=10.1364/AOP.361502 |arxiv=1906.01645 |bibcode=2020AdOP...12.1012P |issn=1943-8206}}. By testing a statistic such as the Clauser-Horne-Shimony-Holt (CHSH) inequality, Alice and Bob can verify whether nonlocal correlations exist and therefore rule out the presence of such modifications (or, at least, modifications which might provide a third party with useful information about the key).{{cn}}

Like other implementations of Bell inequality tests, DI-QKD is subject to so-called loopholes, of which the most important is the detection loophole; to overcome this, the detectors used in the protocol must have very high efficiencies. This strong requirement on detector is both technologically challenging and means that Alice and Bob generate a secret key at a low rate{{Cite journal |last=Liu |first=Wen-Zhao |date=2022-07-27 |title=Toward a Photonic Demonstration of Device-Independent Quantum Key Distribution |url=https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.129.050502 |journal=Physical Review Letters |volume=129 |issue=5 |page=050502 |doi=10.1103/PhysRevLett.129.050502|pmid=35960585 |bibcode=2022PhRvL.129e0502L }}

Measurement-device-independent QKD was proposed in 2012 by Lo et al as a workaround to this situation{{Cite journal |last=Lo |first=Hoi-Kwong |date=2012-03-30 |title=Measurement-Device-Independent Quantum Key Distribution |url=https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.108.130503 |journal=Physical Review Letters |volume=108 |issue=13 |page=130503 |doi=10.1103/PhysRevLett.108.130503|pmid=22540686 |arxiv=1109.1473 |bibcode=2012PhRvL.108m0503L }}. Since MDI-QKD relies on reliable preparation of quantum states, it makes stronger assumptions about the workings of devices than fully DI-QKD, and so reintroduces possible side-channels in the preparation device. However, this comes with much less stringent requirements for technical implementations, and allows for the use of conventional detectors with lower quantum efficiency while still being immune to detector side-channel attacks. Preparation side-channels can still be overcome using techniques such as the decoy-state method{{Cite journal |last=Liu |first=Yang |date=2013 |title=Experimental Measurement-Device-Independent Quantum Key Distribution |url=https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.111.130502 |journal=Physical Review Letters |volume=111 |issue=13 |page=130502 |doi=10.1103/PhysRevLett.111.130502|pmid=24116758 |arxiv=1209.6178 |bibcode=2013PhRvL.111m0502L }}. An early proof-of-principle experimental demonstration using a polarization encoding was performed in 2013 by Rubenok el al{{Cite journal |last=Rubenok |first=A. |date=2013-09-23 |title=Real-World Two-Photon Interference and Proof-of-Principle Quantum Key Distribution Immune to Detector Attacks |url=https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.111.130501 |journal=Physical Review Letters |volume=111 |issue=13 |page=130501 |doi=10.1103/PhysRevLett.111.130501|pmid=24116757 |arxiv=1304.2463 |bibcode=2013PhRvL.111m0501R }}; later experiments have implemented MDI-QKD across more than 400 km of optical fiber{{Cite journal |last=Yin |first=Hua-Lei |date=2016-11-02 |title=Measurement-Device-Independent Quantum Key Distribution Over a 404 km Optical Fiber |url=https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.117.190501 |journal=Physical Review Letters |volume=117 |issue=19 |page=190501 |doi=10.1103/PhysRevLett.117.190501|pmid=27858431 |arxiv=1606.06821 |bibcode=2016PhRvL.117s0501Y }}. A continuous-variable version of MDI-QKD presented by Pirandola et al is capable of achieving higher secret key rates over distances of a few kilometers in standard optical fiber, but performs much worse over large distances{{Cite journal |last1=Pirandola |first1=Stefano |last2=Ottaviani |first2=Carlo |last3=Spedalieri |first3=Gaetana |last4=Weedbrook |first4=Christian |last5=Braunstein |first5=Samuel L. |last6=Lloyd |first6=Seth |last7=Gehring |first7=Tobias |last8=Jacobsen |first8=Christian S. |last9=Andersen |first9=Ulrik L. |date=2015-05-25 |title=High-rate measurement-device-independent quantum cryptography |url=https://www.nature.com/articles/nphoton.2015.83 |journal=Nature Photonics |language=en |volume=9 |issue=6 |pages=397–402 |doi=10.1038/nphoton.2015.83 |arxiv=1312.4104 |bibcode=2015NaPho...9..397P |issn=1749-4893}}

• Quantum key distribution
• Quantum network
• Quantum cryptography
• Quantum nonlocality

{{Reflist}}

• Ramona Wolf, Quantum Key Distribution: An Introduction with Exercises (Springer, 2021)
• Feihu Xu, Marcos Curty, Bing Qi and Hoi-Kwong Lo (2013), "[https://iopscience.iop.org/article/10.1088/1367-2630/15/11/113007/pdf Practical aspects of measurement-device-independent quantum key distribution]"
• Yan-Lin Tang, Hua-Lei Yin, Qi Zhao, Hui Liu, Xiang-Xiang Sun, Ming-Qi Huang, Wei-Jun Zhang, Si-Jing Chen, and Lu Zhang et al (2016), "[https://journals.aps.org/prx/pdf/10.1103/PhysRevX.6.011024 Measurement-Device-Independent Quantum Key Distribution over Untrustful Metropolitan Network]"