One-Sided Device-Independent QKD

Updated 7 February 2026

One-Sided Device-Independent QKD is a quantum key distribution protocol where only one party’s measurement device is fully trusted, using EPR steering to certify security.
It employs both discrete- and continuous-variable implementations with tailored steering inequalities that enable secure key rates even in low-efficiency detection environments.
Experimental results demonstrate that 1SDI-QKD achieves robust, composable security against individual, collective, and coherent attacks, making it a practical compromise between device-dependent and fully device-independent QKD.

One-sided device-independent quantum key distribution (1SDI-QKD) refers to quantum cryptographic protocols in which only one party’s measurement device requires trust and full characterization, while the other party’s measurement device remains untrusted and is treated as a black box subject only to the laws of quantum mechanics. Security is certified by demonstrating quantum steering—a form of nonlocality intermediate between entanglement and Bell nonlocality—which allows key distribution with much lower detection efficiency and fewer experimental demands than fully device-independent (DI) QKD. 1SDI-QKD frameworks encompass both discrete-variable and continuous-variable realizations, and support composable security against various classes of attacks, including individual, collective, and coherent strategies.

1. Security Model and Foundational Principles

In the one-sided device-independent scenario, the standard model involves two parties (typically Alice and Bob) sharing quantum correlations via distributed entangled or prepared systems. One side (e.g., the “trusted” Bob) employs fully characterized qubit projective measurements or calibrated continuous-variable detectors, while the other side (e.g., Alice) uses an uncharacterized measurement device, modeled as a black box producing classical outcomes conditional on a chosen input.

Security is based on verifying EPR steering: the trusted party’s measurements and outcomes calibrate and certify the irreducibly quantum nature of the bipartite correlations, ruling out local-hidden-state (LHS) models for the untrusted device. Eve, the adversary, is assumed to have unrestricted control over the untrusted device, side-channels, and the source, but is constrained by quantum mechanics. In the strongest results, collective and even coherent (non-i.i.d.) attacks are handled via entropy accumulation theorems (Roy et al., 24 Jul 2025, &&&1&&&, Branciard et al., 2011).

A representative trust model is as follows:

The untrusted station/device (e.g. Alice) is modeled as a black box, possibly memoryless or memory-free across rounds.
The trusted measurement station (e.g. Bob) is fully characterized; in discrete-variable protocols, this means projective Pauli measurements ( $\sigma_x$ , $\sigma_y$ , $\sigma_z$ ); in continuous-variable (CV) protocols, calibrated homodyne detection with fixed phase and quantum efficiency.
Security certification against arbitrary attacks utilizes quantum steering inequalities tailored to the protocol dimension, measurement set, and outcome distribution.

2. Steering Inequalities and Security Certification

Quantum steering is formalized via the impossibility for the observed conditional statistics to admit an LHS model. This is verified through linear steering inequalities involving measured correlations $\langle A_i \otimes B_i \rangle$ for suitably chosen measurement settings.

Discrete-variable protocols:

The two-setting Branciard-Wiseman steering inequality (Branciard et al., 2011, Arslan et al., 31 Jan 2026):

$S_2 = \frac{1}{2} \left( \langle \sigma_z \otimes \sigma_z \rangle + \langle \sigma_x \otimes \sigma_x \rangle \right), \quad S_2 > 1/\sqrt{2}$

The three-setting CJWR (Cavalcanti–Jones–Wiseman–Reid) steering inequality (Roy et al., 24 Jul 2025):

$\mathcal{F}_3 = \frac{1}{\sqrt{3}} \left| \langle \sigma_x \otimes \sigma_x \rangle - \langle \sigma_y \otimes \sigma_y \rangle + \langle \sigma_z \otimes \sigma_z \rangle \right|, \quad \mathcal{F}_3 > 1$

Continuous-variable (Gaussian) protocols:

The Reid criterion for EPR steering in Gaussian states (Walk et al., 2014):

$\mathcal{E}_{A\rightarrow B} = V_{X_B|X_A} \cdot V_{P_B|P_A} < 1$

where $V_{X_B|X_A}$ is the conditional variance of Bob’s $X$ quadrature given Alice’s measurement, and likewise for $P$ .

Violating the corresponding steering bound is necessary and sufficient for security in one-sided device-independent protocols: it guarantees that the quantum channel and the untrusted device cannot be explained via a classical LHS model and enforces monogamy of steering, thus bounding Eve's side information.

3. Protocols, Key Rates, and Noise Robustness

Discrete-Variable Protocols: The most general structure involves randomly chosen incompatible measurements on both sides, with basis choices, outcomes, and sifting orchestrated so that certain rounds are used for key generation and others for estimating the steering parameter. Core protocol steps, exemplified in (Masini et al., 2024, Roy et al., 24 Jul 2025, Branciard et al., 2011), are:

State distribution (typically entangled qubits $|\psi(\theta)\rangle = \cos \theta |00\rangle + \sin \theta |11\rangle$ or Werner states).
Measurement selection; trusted side employs known projective bases, untrusted side a black box.
Sifting to isolate valid rounds (detector “clicks”), estimation of error rates and steering parameter.
Classical post-processing: one-way error correction (often from the trusted side) and privacy amplification.

The secret key rate per channel use (asymptotic regime) is lower-bounded via the Devetak–Winter formula (Roy et al., 24 Jul 2025, Arslan et al., 31 Jan 2026, Masini et al., 2024):

$r \geq I(A:B) - \chi(B:E)$

with protocol-dependent evaluation of the mutual information $I(A:B)$ and Holevo quantity $\chi(B:E)$ . For the CJWR-based protocol (Roy et al., 24 Jul 2025):

$r \geq 1 - h(Q) - h\left( \frac{1 + \sqrt{(\mathcal{F}_3^2-1)/2}}{2} \right)$

where $Q$ is the quantum bit error rate and $h(\cdot)$ is binary entropy.

The attainable quantum bit error rate (QBER) threshold for positive key rates is intermediate between DD- and DI-QKD: up to 8.62% QBER for 1SDI-CJWR, compared to 7.1% for CHSH-based DI-QKD and 11% for device-dependent BB84 (Roy et al., 24 Jul 2025). Detection efficiency requirements are dramatically reduced: for optimized two-setting protocols, security persists down to $50.1\%$ efficiency on the untrusted side without post-selection (Masini et al., 2024).

Continuous-Variable Protocols: In the Gaussian 1SDI setting (both prepare-and-measure and entanglement-based), violation of a conditional variance product gives the relevant security witness (Walk et al., 2014, Gehring et al., 2014). Secret key rates under one-sided device independence are given for direct and reverse reconciliation by:

$K_\mathrm{RR} \geq \ln\left( \frac{2}{e \sqrt{V_{X_B|X_A} V_{P_B|P_A}}} \right)$

A positive key requires $\mathcal{E}_{A \to B} < 2^2/e^2 \approx 0.54$ , a significantly stricter criterion than EPR steering alone. Different protocol variants and their maximal loss tolerances are summarized in (Walk et al., 2014), with secure implementations demonstrated up to 7.5 km for two-mode squeezed states and 3.5 km for coherent-state protocols.

Noise and Entanglement Considerations: Security is dictated by the observed steering violation, not simply the presence of entanglement. Under amplitude damping or depolarizing noise, key rates drop to zero long before entanglement vanishes (concurrence $C \approx 0.7-0.8$ ) (Arslan et al., 31 Jan 2026). This “security–entanglement gap” underscores the sufficiency, but not necessity, of entanglement for steering-based security.

4. Experimental Implementations and Performance

Experimental 1SDI-QKD has been established in both discrete-variable and continuous-variable architectures, with high-efficiency single-photon or homodyne detectors at the trusted station, and flexible black-box implementations for the untrusted side (Walk et al., 2014, Gehring et al., 2014, Arslan et al., 31 Jan 2026). Key features include:

Homodyne/homodyne and heterodyne/homodyne combinations in CV schemes, with loss tolerance up to 70% and finite-key rates demonstrated using EPR light sources and modern error reconciliation (Walk et al., 2014, Gehring et al., 2014).
For discrete-variable systems, detection efficiencies as low as 50.1% at the untrusted station permit secure key rates under realistic channel and device noise (Masini et al., 2024, Arslan et al., 31 Jan 2026).
Entanglement purification (BBPSSW) mitigates noise and loss, with 2–4 rounds yielding effective recovery of steering violation and restoration of positive key rates, vital for practical metropolitan-scale networks (Arslan et al., 31 Jan 2026).

A summary of experimental and theoretical parameters for recent 1SDI-QKD implementations is presented below.

Protocol Type	Loss Tolerance	Detection Efficiency (Untrusted Side)	Key Rate Reference
DV, two-setting	$\approx$ QBER 8–9%, $>50\%$	$50.1\%$ (no post-selection)	(Masini et al., 2024, Arslan et al., 31 Jan 2026)
CV, EPR-based	up to $T>0.27$ (14 dB, 70 km)	$92\%$ (demonstrated)	(Walk et al., 2014, Gehring et al., 2014)
DV, CJWR 3-set	QBER up to 8.62%, $\eta_A > 74.5\%$	$74.5\%$ (post-selection)	(Roy et al., 24 Jul 2025)

Performance is consistently superior to fully DI-QKD (lower QBER, much lower detection efficiency), and approaches the practical regime of standard (device-dependent) QKD.

5. Robustness Against Attacks and Composability

One-sided device-independent security extends to collective and coherent attacks, including adversaries exploiting full quantum side information, thanks to the entropy accumulation theorem and finite-size composable security proofs (Gehring et al., 2014, Masini et al., 2024, Ghoreishi et al., 8 Apr 2025).

Key assumptions include:

Trust in the characterization and shielding of the “trusted” device (including station calibration, phase noise, and detector behavior).
Black-box modeling of the untrusted side, possibly with memorylessness, or memoryful devices analyzed using generalized entropy accumulation.
Eligibility for one-way classical post-processing (error correction and privacy amplification), with the trusted side typically providing error correction information.

Critically, 1SDI-QKD protocols are not immune to all possible side-channel attacks—especially if the trusted station is compromised—but are provably robust against device-side and channel vulnerabilities endemic to fully device-dependent implementations.

6. Comparison with Other Device-Independence Paradigms

1SDI-QKD occupies an intermediate tier in the device-trust hierarchy.

Security Model	Devices Trusted	Certified Nonlocality	Critical Detection Eff.	Leading Reference
Standard QKD	All	Entanglement witness	Unbounded	(Branciard et al., 2011)
1SDI-QKD	One party	EPR steering violation	$\gtrsim50.1\%$	(Branciard et al., 2011, Masini et al., 2024)
Device-Independent	None	CHSH violation	$\gtrsim91\%$	(Ghoreishi et al., 8 Apr 2025)
Measurement DI-QKD	Sources	Entanglement swapping	Low	(Lo et al., 2011)

A plausible implication is that 1SDI-QKD provides a practical and scalable compromise: critically reduced experimental overhead relative to full DI-QKD, high tolerance to channel loss and device imperfections, and operational security suitable for near-term quantum networks and asymmetric communication architectures (Ghoreishi et al., 8 Apr 2025).

7. Applications, Limitations, and Outlook

Practical deployment of 1SDI-QKD is compelling for settings where one party operates in a highly controlled (e.g., institutional) environment and the other party’s hardware is inexpensive, portable, or potentially exposed (e.g., network clients, mobile terminals). The ability to achieve composable security with moderate detection efficiencies, resilience to channel noise, and moderate purification overhead establishes clear operational boundaries for field deployment over 10–50 km fiber spans with existing superconducting nanowire or homodyne detector technology (Arslan et al., 31 Jan 2026).

Limitations include:

Need for robust trust and ongoing calibration in the trusted station.
Residual demands for device independence on the untrusted side (memoryless operation in the strongest proofs).
Steep resource overhead if excessive rounds of purification are required.
Security is lost at noise levels where entanglement is still significant; hence, protocols must ensure not just entanglement, but steering violation, is maintained.

Open challenges involve extending protocols to memoryful and finite-block scenarios, harnessing higher-dimensional quantum systems for increased key rates, integrating with quantum repeaters for extended distances, and developing standardized test routines for widespread certification (Ghoreishi et al., 8 Apr 2025).

Key references: (Branciard et al., 2011, Walk et al., 2014, Gehring et al., 2014, Masini et al., 2024, Roy et al., 24 Jul 2025, Arslan et al., 31 Jan 2026, Ghoreishi et al., 8 Apr 2025, Lo et al., 2011).