In short

Every QKD protocol you have seen so far — BB84, E91, decoy-state BB84 — assumes you trust the physical devices. You trust that Alice's laser prepares the state the datasheet claims. You trust that Bob's detectors fire in a way that depends only on the incoming photon, not on anything Eve has planted. In real life, trusting devices is a nightmare: detector blinding, Trojan-horse attacks, source-side leakage, and simple vendor malice are all real threats. Device-independent QKD (DIQKD), proposed by Acín, Brunner, Gisin, Masanes, Pironio, and Scarani in 2007, asks: what if we throw that trust away? Alice and Bob treat their measurement boxes as black boxes — inputs x, y (the measurement settings) go in, outputs a, b (classical bits) come out, and nothing else is assumed. The security certificate comes from Bell's theorem (chapter 150): if the observed input-output statistics violate the CHSH inequality, S > 2, then the correlations are genuinely quantum, could not have been produced by any classical conspiracy between the device manufacturers, and Eve's information on the key is strictly bounded by the amount of CHSH violation. DIQKD is the most paranoid security model in cryptography — and also the hardest to realise. The first proof-of-principle DIQKD experiments landed in 2022 at Oxford/LMU (Nadlinger et al.) and USTC (Zhang et al.), running at rates of a few bits per second over metre-scale distances. DIQKD is a research frontier, not a deployable technology — yet. This chapter tells you why.

Every cryptographic protocol you have ever read about has a trust boundary somewhere. In classical RSA, you trust your operating system's random-number generator and the hardness of factoring. In BB84, you trust that the laser at Alice's end actually emits photons polarised where the datasheet says. In decoy-state BB84, you trust that Alice's attenuator actually produces the intensities she claims and that Bob's detectors do not have back-channels.

The trust in BB84 is small but not zero. And "small but not zero" is exactly where attackers live. Real QKD systems have been broken, over the past two decades, by detector blinding (shine a bright laser, turn a single-photon detector into a classical photodetector, then control its clicks), Trojan-horse attacks (shine light into Alice's box, read its optical fingerprint), and source-side leakage (tiny timing or wavelength imprints that reveal the basis choice). None of these breaks the BB84 security theorem; they all break the implementation.

Device-independent QKD is the response: remove the trust entirely. The devices can be built by anyone — including Eve — and as long as the observed correlations violate a Bell inequality, the key is secure. It is the most uncompromising security model anyone has ever seriously proposed for cryptography, and for a long time it was considered a theoretical curiosity because no-one knew how to realise it experimentally. In 2022, three groups did. This chapter explains how and at what cost.

The black-box picture

Forget everything you know about the inside of a QKD device. Pretend you are a purchaser who bought a pair of sealed boxes — one for Alice, one for Bob — from a vendor you do not trust. Each box has two buttons (x = 0 or x = 1 for Alice; y = 0 or y = 1 for Bob) and a one-bit display (a for Alice; b for Bob). That is it. You press a button, the box shows a bit.

Alice and Bob each run many rounds. In each round i, they privately and independently choose their inputs x_i, y_i (say with a quantum random number generator — see the next chapter), press the buttons, record the outputs a_i, b_i.

Black-box devices in DIQKDTwo sealed boxes side by side. Alice's box on the left has an input x going in from above and an output a coming out below. Bob's box on the right has input y going in and output b coming out. Both boxes are connected inside by a dashed line labelled entangled state possibly compromised by Eve. The outside of each box is opaque; a label reads not trusted. On top, a random number generator supplies x and y. On the bottom, a table collects outputs a, b over many rounds.Alice and Bob's view: two sealed black boxesALICEblack boxinternals not trustedBOBblack boxinternals not trustedinput x ∈ {0, 1}input y ∈ {0, 1}output a ∈ {0, 1}output b ∈ {0, 1}entanglement channel (possibly Eve's)Security comes from correlations P(ab|xy), not from what's inside the boxes.
The DIQKD threat model. Alice and Bob do not look inside their measurement devices. They only choose inputs $x$ and $y$ (random measurement settings) and observe outputs $a$ and $b$ (classical bits). The entanglement channel connecting the two devices — the "guts" of whatever protocol is inside — may have been built by Eve. Security will follow from a statistical test on the observed joint distribution $P(ab|xy)$.

The vendor (who is Eve, in the paranoid threat model) may have built the boxes with anything inside: genuine entangled photon pairs, a pre-shared classical random table, a hidden radio link, a list of numbers the devices will read out in sequence. Alice and Bob do not know and cannot look.

Their only data is the observed probability distribution P(a, b \mid x, y) — the joint probability of outcomes a, b given inputs x, y. After many rounds they have an accurate estimate of this distribution.

If that distribution is compatible with any local classical strategy (any conspiracy between the two boxes that doesn't involve real entanglement), then Eve can always reproduce it — with the key already in her pocket. But if the distribution cannot be reproduced by any local classical strategy, then the boxes must contain genuine quantum entanglement, and — this is the crucial step — the amount of entanglement bounds Eve's knowledge of Alice's output.

That "cannot be reproduced classically" test is exactly what a Bell inequality detects.

CHSH as a security test

The simplest Bell inequality is CHSH (Clauser-Horne-Shimony-Holt, 1969; see chapter 150). Define the CHSH correlator:

S = \langle A_0 B_0 \rangle + \langle A_0 B_1 \rangle + \langle A_1 B_0 \rangle - \langle A_1 B_1 \rangle,

where \langle A_x B_y \rangle = P(a = b \mid x, y) - P(a \ne b \mid x, y) is the correlation at settings (x, y) (outputs encoded as \pm 1 instead of 0, 1).

Bell's theorem states:

CHSH setup for DIQKDA horizontal axis labelled CHSH value S from zero to three. A shaded region from zero to two is labelled classical strategies S less than or equal to two. A shaded region from two to two square root two is labelled quantum region with the annotation Eve info less than one bit. The point two square root two is marked Tsirelson bound. An arrow points from S equals 2.4 to the label DIQKD secure region. An arrow points from S equals 1.9 to no DIQKD key possible.CHSH value S — the security certificateclassical (S ≤ 2)Eve may know full keyquantum (2 < S ≤ 2√2)Eve information bounded by SS = 2local-realism bound2√2 ≈ 2.828Tsirelson bound03S = 2.5DIQKD secure
The CHSH line. Any local classical strategy lies below $S = 2$. Quantum correlations can reach $2\sqrt 2$. Between these two values, the gap is a continuous measure of how quantum the correlation is — and how little information Eve can have.

The DIQKD insight (Acín et al. 2007) is that if Alice and Bob estimate S from a public subset of their rounds and find S > 2, then the remaining rounds can be used to extract a secret key — and the rate at which the key can be extracted grows with how far above 2 the CHSH value is.

The precise bound, for optimal coherent attacks, is:

r \ge 1 - h\!\left(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{(S/2)^2 - 1}\right) - h(Q),

where r is the asymptotic secret-bit rate per round, h(x) = -x\log_2 x - (1-x)\log_2(1-x) is the binary entropy, and Q is the bit-error rate between Alice and Bob on key-generation rounds. The first term is Alice's secrecy (bound on Eve's information); the second is the error-correction cost.

Notice the structure. At S = 2\sqrt 2 (maximal violation) the argument of the first h becomes \tfrac{1}{2} + \tfrac{1}{2}\sqrt{(2\sqrt 2 / 2)^2 - 1} = \tfrac{1}{2} + \tfrac{1}{2} = 1, so h(1) = 0 and the first term is 1 — Eve has zero information. At S = 2 exactly, the square root is 0, h(1/2) = 1, and the first term is 0 — Eve may know everything. DIQKD is tight: the key rate drops to zero exactly when the CHSH value drops to the classical bound.

Why this is qualitatively different from BB84/E91

E91 (chapter 153) also uses CHSH — but it uses it as a trust-but-verify check that the entangled pair is good. The security proof of E91, like BB84, assumes Alice and Bob's measurement devices do what the datasheet claims (e.g. the polarising beam splitters have specific angles).

DIQKD is different. It only uses the input-output statistics P(a, b \mid x, y). If Alice and Bob observe a given S, the security follows, even if the devices are performing completely different measurements from what was advertised. Eve could have built the devices to measure at secret angles she chose; as long as Alice and Bob observe S > 2, Eve's information is bounded by the formula above.

The contrapositive is equally strong. If Eve has a successful attack on DIQKD, that attack must produce S \le 2 — which would be detected and the run aborted.

Trust models in QKDA two-column comparison. Left column BB84 and E91: trusted items listed: Alice's state preparation, Bob's measurement devices, classical random number generators, authenticated classical channel. Right column DIQKD: trusted items listed: only local random number generators, authenticated classical channel, spacelike-separated no-signalling assumption between boxes. A red arrow shows devices dropped from the trusted list in DIQKD.Trust boundaries: BB84 / E91 vs. DIQKDBB84 / E91 — trust required in:• Alice's source (state preparation)• Bob's detectors (measurement basis)• Optical path (no Trojan horse)• Classical RNG at both ends• Authenticated classical channelDevices assumed "honest but quantum."DIQKD — trust required in:• Local RNG (truly random inputs)• Authenticated classical channel• No-signalling between boxes(spacelike separation or shielding)• Quantum mechanics itselfDevices assumed "possibly adversarial."
The trust boundary has shrunk. BB84 and E91 require a long list of assumptions about the physical behaviour of the devices. DIQKD drops all of them, keeping only three: a truly random local input, an authenticated classical channel, and no-signalling between the two boxes. The Bell test does the rest.

What a DIQKD round looks like

Example 1 — one DIQKD round, step by step

Setup. Alice and Bob are running a DIQKD session. They have agreed that they will use inputs x, y \in \{0, 1\} and observe outputs a, b \in \{0, 1\}. Each has a local quantum RNG to pick inputs and has authenticated the classical channel with a pre-shared seed. They have no knowledge of the devices' internals.

Step 1 — input selection. Alice flips her RNG, gets x = 0. Bob flips his RNG, gets y = 1. Neither tells the other yet.

Step 2 — press buttons, record outputs. Alice presses her button with setting x = 0; the display reads a = 1. Bob presses his button with setting y = 1; his display reads b = 1. They write (x, y, a, b) = (0, 1, 1, 1) into their private logs.

Step 3 — repeat many rounds. They do this for N rounds. For each round, (x_i, y_i, a_i, b_i) is logged locally.

Step 4 — publicly announce a random subset for Bell test. After all rounds, Alice and Bob publicly select a random subset of rounds (say 10%) for the Bell test. On these rounds they reveal their inputs and outputs over the classical channel.

Step 5 — compute CHSH. From the test rounds, they estimate:

\hat S = \hat{\langle A_0 B_0 \rangle} + \hat{\langle A_0 B_1 \rangle} + \hat{\langle A_1 B_0 \rangle} - \hat{\langle A_1 B_1 \rangle}.

Suppose they observe \hat S = 2.50 \pm 0.03. Why this number could arise: if the boxes share a maximally entangled pair |\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt 2 and measure in the Tsirelson-optimal settings, the theoretical S is 2\sqrt 2 \approx 2.828. Real devices have noise; detector inefficiency, imperfect alignment, and background photons drag S down toward 2. S = 2.5 is a plausible value for a good but imperfect demonstration.

Step 6 — secure rate. Plug S = 2.50 into the Acín bound:

\tfrac{1}{2}\sqrt{(S/2)^2 - 1} = \tfrac{1}{2}\sqrt{(1.25)^2 - 1} = \tfrac{1}{2}\sqrt{0.5625} = \tfrac{1}{2} \times 0.75 = 0.375.

So the first-term argument is 0.5 + 0.375 = 0.875, giving h(0.875) \approx 0.544. Secret rate per round (before error correction): 1 - 0.544 = 0.456 bits. After correcting for Q \approx 2.5\% error (classical bit error between Alice and Bob), h(0.025) \approx 0.168. Net rate: \approx 0.288 bits per round.

Step 7 — key-generation rounds. The 90% of rounds not used for the Bell test are the key-generation rounds. Alice takes her outputs a_i on those rounds and runs information reconciliation and privacy amplification to produce a final key of length \approx 0.288 \times 0.9 \times N bits.

One DIQKD round and the full runA flow diagram. Box one labelled RNG supplies x equal zero to Alice and y equal one to Bob. Arrow to box two the devices. Alice's box emits output a equal one; Bob's box emits output b equal one. Arrow to box three log the tuple x y a b. Arrow to box four after many rounds compute S equals two point five. Arrow to box five plug into Acín formula, rate equals zero point two nine bits per round.One DIQKD round, then the Bell test1. RNGAlice: x=0Bob: y=12. DevicesAlice gets a=1Bob gets b=13. Log(x,y,a,b)=(0,1,1,1)4. Many roundsEstimate SS ≈ 2.505. Acín formula → secret bit rater ≥ 1 − h(0.875) − h(0.025) ≈ 0.29 bits/round(no device trust needed)
A single DIQKD round plus the Bell-test post-processing. The critical arithmetic happens only in step 5, after many rounds have been accumulated. The devices themselves are never inspected.

What this shows. DIQKD in practice reduces to a statistical test plus a key-extraction formula. You do not need to know what is inside the boxes; you only need to know that S > 2 was observed. At S = 2.5 each round yields about 0.29 secret bits — much less than BB84 at the same round count, but against a much stronger adversary.

Security from data — a closer look

Example 2 — from $S = 2.5$ to Eve's information

Setup. Alice and Bob have observed S = 2.5 and Q = 2.5\% (error rate between their paired outputs on key-generation rounds). What can Eve possibly know?

Step 1 — Eve's bound via Pinsker / Fano argument. The Acín et al. security proof uses the observation that any distribution compatible with a given CHSH value S has bounded conditional entropy on Alice's output. Specifically, for any quantum state \rho_{ABE} (Alice, Bob, Eve's purifying system) such that the observed CHSH value on \rho_{AB} is S,

H(A \mid E) \ge 1 - h\!\left(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{(S/2)^2 - 1}\right).

The left side is Eve's ignorance about A (in entropy units); the right side is a computable function of S alone.

Step 2 — plug in S = 2.5. (S/2)^2 - 1 = 1.5625 - 1 = 0.5625; \sqrt{0.5625} = 0.75; argument is 0.5 + 0.375 = 0.875. h(0.875) = -0.875\log_2 0.875 - 0.125\log_2 0.125 \approx -0.875 \times (-0.193) - 0.125 \times (-3) = 0.169 + 0.375 = 0.544.

So H(A \mid E) \ge 1 - 0.544 = 0.456 bits. Eve has at most 1 - 0.456 = 0.544 bits of information about Alice's output bit, on average.

Step 3 — error correction subtracts information. Alice and Bob run information reconciliation to fix the 2.5\% error rate. This requires Alice to send about h(0.025) \approx 0.168 bits of error-syndrome information per round over the classical channel — which Eve can see.

Step 4 — privacy amplification shrinks Eve's information to negligible. The raw secret rate is H(A \mid E) - h(Q) = 0.456 - 0.168 = 0.288 bits per round. Privacy amplification uses a universal hash function to extract an \sim 0.288 \times N-bit string from the N-bit raw key such that Eve's information on the final string is exponentially small in the security parameter.

Step 5 — compare with BB84. For the same QBER of 2.5\%, BB84 achieves a secret rate of approximately 1 - 2h(0.025) \approx 1 - 0.336 = 0.664 bits per signal click — more than twice the DIQKD rate. The factor-of-two gap is the price Alice and Bob pay for not trusting their devices.

DIQKD information budgetA horizontal stacked bar chart. One bar total length one bit. First segment labelled Eve could know, length zero point five four four. Second segment labelled error correction cost, length zero point one six eight. Third segment labelled net secret per round, length zero point two eight eight, highlighted in accent. A comparison bar above for BB84 at the same QBER shows only error correction cost zero point three three six and secret zero point six six four.Per-round information budget at S = 2.5, Q = 2.5%BB84 (trusted devices):EC: 0.336net secret: 0.664DIQKD (no trust):Eve could know: 0.544EC: 0.168secret: 0.288DIQKD "pays" for zero device trust by ceding more than half the raw information to Eve.
The information budget. BB84 at $2.5\%$ QBER extracts $0.664$ secret bits per signal; DIQKD at $S = 2.5$ and the same error rate extracts $0.288$ bits. The difference is the cost of the no-trust security model — Eve could know up to $0.544$ bits per round, and privacy amplification must hash those away.

What this shows. DIQKD security is quantitative, not qualitative. As S \to 2\sqrt 2 the rate recovers toward the ideal, and as S \to 2 it collapses to zero. The arithmetic that converts observed CHSH value into a bits-per-round secret rate is all there is to the security proof — once the Bell test is closed.

The loophole-free requirement

There is one mandatory catch that makes DIQKD experimentally harder than any other QKD protocol: the Bell test must be loophole-free. A Bell test can be undermined by three loopholes:

  1. Locality loophole. If Alice's and Bob's measurements are not spacelike-separated, a sub-lightspeed signal between the boxes could mimic quantum correlations classically. Fix: separate the measurement events far enough in space, and close them fast enough in time, that a light signal could not travel between them during measurement. Hensen et al. (2015) achieved this with NV centres in diamond at 1.3\,\text{km} separation; Giustina et al. and Shalm et al. (2015) did it with photons.

  2. Detection / fair-sampling loophole. If detectors miss a substantial fraction of events, Eve can design a local-hidden-variable strategy that exploits which events are detected to reproduce a spurious S > 2. The Eberhard bound (1993) states that for a two-photon experiment, detection efficiency must exceed approximately \eta > 2/(1 + \sqrt 2) \approx 82.8\% to close the detection loophole at the quantum optimum. Below that, fair-sampling has to be assumed — but DIQKD cannot assume it (that would be trusting the devices).

  3. Freedom-of-choice / independence loophole. If Alice's and Bob's input choices (x, y) are correlated with anything that could influence the boxes (including things in the common past of both boxes), the Bell test is compromised. Fix: use independent, fresh quantum randomness for each round's inputs. See the next chapter on quantum RNG.

All three loopholes must be closed simultaneously in a single experiment to certify DIQKD security. This is extraordinarily hard. As of 2022, only a handful of laboratories have pulled it off.

The 2022 experiments

Three groups reported DIQKD keys within months of each other in 2022.

Oxford / LMU / ETH Zurich (Nadlinger, Drmota, Nichol, Araneda, et al., Nature 2022) [2] used two trapped ion qubits in separate vacuum chambers two metres apart, entangled via a photonic Bell-state measurement. Detection efficiency: \sim 99\% per ion (trapped ions are the world champions of detector loophole closure). Observed CHSH value: S = 2.64 \pm 0.01. Secret key rate: \sim 95 bits per block, generating a demonstration key of 95\,884 bits over \sim 8 hours. This was the first DIQKD key to be extracted with all three loopholes closed.

USTC Hefei (Zhang, Liu, Xu, Yuan, et al., Physical Review Letters 2022) [6] used entangled photon pairs and high-efficiency superconducting nanowire detectors. Separation: \sim 220\,\text{metres} in a single-building free-space link. Observed S = 2.48 \pm 0.02, key rate \sim 466 bits per second. Photon-based DIQKD at a rate suitable for limited practical use; still a laboratory demonstration.

Munich / LMU Ludwig-Maximilians (Zhang, Zeuner, Mičuda, et al., 2022) closed the detection loophole with auxiliary measurements and achieved DIQKD at similar rates.

The pattern across all three: small distances (metres to hundreds of metres), low rates (tens to hundreds of bits per second), extreme experimental heroics. A commercially useful DIQKD link covering tens of kilometres at kilobit-per-second rates does not exist yet and is unlikely to exist before the 2030s.

Experimental DIQKD timelineA horizontal timeline from 2007 to 2024. Milestones plotted as labelled dots: 2007 Acín et al. theory paper; 2015 loophole-free Bell tests by Hensen, Giustina, Shalm; 2019 first DIQKD security proofs against coherent attacks; 2022 first DIQKD keys at Oxford LMU and USTC; 2024 DIQKD over 400 metres with photons. Two separate curves plot CHSH violation achieved and demonstration distance.DIQKD timeline: theory to first keys20072012201520222024Acín et al.DIQKD theoryHensen, Giustina,Shalm 2015loophole-free Bell2019 proofagainst coherentattacks2022: first keysOxford/LMU (ions, 2 m)USTC (photons, 220 m)S ≈ 2.5–2.62024:400 m
Fifteen years from the Acín et al. theory paper to the first DIQKD key. The bottleneck was the detection-loophole requirement — which trapped ions finally solved at the cost of tiny distances, and entangled photon experiments are now slowly stretching to hundreds of metres.

Indian context

Device-independent protocols sit at the frontier of Indian quantum research. The Raman Research Institute (RRI) in Bangalore has been a long-standing centre of quantum-optics experiments and has contributed to Bell-test theory and experiments since the 1990s; RRI's quantum communication group, which collaborated with ISRO on the 2022 Bengaluru–Mount Abu satellite demonstration, is exploring DIQKD-adjacent protocols (though that demonstration itself was decoy-state BB84, not DIQKD).

The National Quantum Mission (NQM, 2023, ₹6003 crore) lists device-independent protocols as a long-term (8-year) research goal rather than a near-term deployable technology. The mission's Quantum Communication pillar explicitly prioritises BB84 and E91 for short-term deployment and DIQKD for the research horizon. This mirrors the international picture: DIQKD is what you build when you are already running BB84 at kilobit rates and want the strongest possible security model for the most sensitive applications.

IISc Bangalore and IIT Madras have theoretical groups working on finite-key DIQKD security proofs and on self-testing — the related idea that entangled states can be characterised purely from observed statistics without device assumptions. Self-testing, formalised by Mayers and Yao in 2004, is the pre-requisite for DIQKD: it says Bell violation not only certifies non-classicality but identifies which entangled state (up to isometry) the devices must be using.

Common confusions

Going deeper

If you understand that DIQKD treats measurement devices as black boxes, that security comes from observing a CHSH violation S > 2 rather than from trusting the hardware, that the Acín et al. key-rate formula r \ge 1 - h(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{(S/2)^2 - 1}) - h(Q) converts CHSH violation into secret bits per round, and that the 2022 Oxford/LMU and USTC experiments were the first proof-of-principle demonstrations — you have chapter 156. The material below is for readers who want the sharper version: the Acín et al. proof sketch, the loophole-free Bell test history in detail, the Eberhard bound derivation, randomness amplification, and RRI's Indian Bell-test contributions.

The Acín et al. security proof sketch

The Acín-Brunner-Gisin-Masanes-Pironio-Scarani (ABGMPS) 2007 paper [1] establishes the key rate for DIQKD against collective attacks (Eve attacks each round independently with the same quantum strategy, and measures jointly at the end). The argument proceeds in three steps.

Step 1 — Tsirelson-type bound on Eve. For any quantum state \rho_{ABE} such that Alice and Bob's marginal state \rho_{AB} gives CHSH value S, the conditional entropy of Alice's output A given Eve's quantum side-information E satisfies

H(A \mid E) \ge 1 - h\!\left(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{(S/2)^2 - 1}\right).

This is proved by showing that for any fixed S, the worst-case \rho_{ABE} (the one minimising H(A|E)) has a specific form (two-qubit + ancilla) and can be parameterised by one real number; the entropy minimisation over this one-parameter family gives the closed-form bound.

Step 2 — Devetak-Winter rate. The secret key rate against collective attacks is the Devetak-Winter (2005) formula

r = H(A \mid E) - H(A \mid B),

where H(A|B) is estimated directly from the observed Alice-Bob correlations. The first term is Eve's ignorance; the second term is the error-correction cost. Substituting the CHSH bound gives the formula in the main text.

Step 3 — coherent-attack extension. Coherent attacks, where Eve can entangle her ancilla across rounds, were shown by Vázquez-Castro, Renner, Pironio and others (2019) to give the same asymptotic rate via a de Finetti-style reduction. Finite-key analysis (Arnon-Friedman et al. 2019) adds concentration penalties but preserves the structure.

Eberhard bound derivation

The Eberhard bound governs the detection-loophole. Consider a two-photon Bell experiment with detection efficiency \eta per photon. If a photon is not detected, the measurement event is simply missing from the record. Without fair-sampling, any local strategy can produce arbitrary correlations on the missing events — Eve can pre-arrange for undetected photons to carry exactly the bits needed to fake a Bell violation.

The tightest local strategy, using Eberhard's 1993 optimisation, reaches the quantum CHSH bound of 2\sqrt 2 if and only if \eta \ge 2/(1 + \sqrt 2) \approx 82.8\%. At lower efficiencies, Bell violation can be classically faked by choosing which events to "lose." In a photon experiment, 82.8\% single-photon detection is extremely demanding — superconducting nanowire detectors now achieve > 95\% on-chip efficiency, but coupling losses drop that to 7085\% end-to-end in fibre. This is why DIQKD demonstrations either use trapped ions (near-unit detection) or require detection-loophole-closed photon sources with near-perfect coupling.

Loophole-free Bell tests (2015)

Three simultaneous 2015 experiments closed all three Bell-test loopholes for the first time:

These experiments validated Bell's theorem to high statistical confidence and opened the door to DIQKD. But they were proof-of-violation, not key extraction; turning them into actual DIQKD keys took another seven years.

Randomness amplification

A sibling of DIQKD is device-independent randomness amplification / expansion: using a Bell test to convert a small amount of local randomness into a larger amount, with certification. Colbeck (2006) and later Pironio, Acín, and others showed that an observed CHSH violation not only bounds Eve's information about the outputs but also guarantees that the outputs themselves contain fresh randomness beyond whatever the inputs supplied. This is the core idea behind the next chapter on quantum RNG: outputs of a Bell-test-certified device are certifiably random in a way that classical RNGs can never match.

RRI India and Indian Bell-test research

The Raman Research Institute's Quantum Information and Computing Group, led over the years by Urbasi Sinha, has run polarisation-entanglement Bell-test experiments as the foundational hardware for India's satellite-QKD programme. The 2022 ISRO demonstration involved RRI-developed sources and detector subsystems. While the satellite protocol was decoy-state BB84, the same hardware is the basis for follow-on work on E91-type protocols and, longer term, DIQKD-compatible Bell-test sources.

The NQM roadmap lists "device-independent QKD research" as an 8-year milestone — research, not deployment. This is realistic: even in 2026, DIQKD is a laboratory protocol, not a product, and the Indian ecosystem is at the right stage (experimental Bell tests, theoretical finite-key bounds, self-testing research at IISc and RRI) to participate in the international effort to close that gap over the next decade.

Where this leads next

References

  1. Antonio Acín, Nicolas Brunner, Nicolas Gisin, Serge Massar, Stefano Pironio and Valerio Scarani, Device-Independent Security of Quantum Cryptography against Collective Attacks (2007) — arXiv:quant-ph/0702152.
  2. D. P. Nadlinger, P. Drmota, B. C. Nichol et al., Experimental quantum key distribution certified by Bell's theorem (2022) — Nature 607, 682 / arXiv:2109.14600.
  3. Wikipedia, Device-independent quantum cryptography.
  4. John Preskill, Lecture Notes on Quantum Computation, Chapter 8 — theory.caltech.edu/~preskill/ph229.
  5. John S. Bell, On the Einstein Podolsky Rosen paradox, Physics 1, 195 (1964) — CERN scanned copy.
  6. Wei Zhang, Tim van Leent, Kai Redeker et al., A device-independent quantum key distribution system for distant users (2022) — Nature 607, 687 / arXiv:2110.00575.